CYBRARY PODCASTS

Ep.25 Josh Lospinoso | Encryption and Backdoors Pt 2

podcast default

In this episode of the Cybrary Podcast, we sit down with Josh Lospinoso, the CSO of Shift5. Speaking with Mike Gruen, the CISO of Cybrary and Jonathan Meyers, the Head of Infrastructure for Cybrary, they talk about a wide range of subjects including encryption and government backdoors.

Hosted by: Mike Gruen, Jonathan Meyers, Josh Lospinoso
Length: 35 minutes
Released on: July 1st, 2020
podcast default

Listen to the Audio

Watch the Video

Enjoyed this podcast?
Share it with friends now!

Summary

Josh Lospinoso, CSO at Shift5, Mike Gruen, CISO at Cybrary, and Johathan Meyers, Head of Infrastructure at Cybrary, are here in the second part of a talk about encryption and backdoor, and there are some speeches about Josh’s new C++ Crash Course and his company.

IoT is one of the hot topics among other topics these days. One thing is for sure, that it makes people’s life convenient, but its security is not taken seriously from both the manufacturer and the user side. According to Josh, IoT based devices are exposed more to security issues because they are based on wifi. Wifi signals could be captured almost anywhere between the sender and the receiver on the air. Wireshark and Ramsey Box, which are the ideal ones for Josh, are two of the tools that can capture packets and signal on the air. This can be way useful to get packets from wifi signals. It can give critical information to the attacker about the communication, about the sender and about the\ receiver, and much more. One of the security points from the users’ view is they don’t have security understanding at a basic level, so they can’t imagine if their device is owned by an attacker, what wrongs can be done. They only think about the convenience they get. So, this is also considered a reason why people are so careless about their IoT devices’ security. The communication must be encrypted, so no information can be gained in case the packets are captured.

Another common security issue is phone numbers. This is because Sim cards can be cloned and taken over, so any account which is created based on that Sim will be taken over. A clear example of it can be the Revolut which is a banking app. Recently, someone’s account was taken over and emptied because his phone number was spoofed and the two-factor authentication was stolen. This type of attack is a common thing at the moment, and it is a security concern.

The talks go over the C++ Crash Course which is available on Amazon, and it is the 17th most popular book among C++ books. Josh basically wrote this book collecting different stuff together to make it a great one. He says, most people think C++ is dead, but according to him the modern C++ is more like Python and will have some new incredible features in it like the module systems. This makes dependency management easy and important. Josh has started a company that has above ten developers in it now, but he has plans of hiring more developers for the next year.

Transcript

Josh: Hey

Jonathan: Hey, favorite tool offensive or defensive that you can talk about or?

Josh: That's a really good question.

Jonathan: Your donut things, your dough.

Josh: Yeah. I would have to say, there's a collection of like reverse engineering sales tools that are super useful for analyzing operational technology. So right now it's a software defined radio with canoe radio, a Ramsey box is like RF enclosures, uh, and Wireshark. You can find some really interesting things going over LTE from consumer devices. There's one that actually recently came out about the ring video doorbell. So, like we were talking about on these tiny devices, like computer’s getting really powerful, but there are still limitations to what a five or $10 chip you do. And so oftentimes I'm kind of tying this all together like when one of these devices reaches out to a web server, they'll do it over TLS because that's fairly straightforward to do these days. The tools that are available, the problem is they won't check the certificates. Yeah, cause math, Right?

Mike: Right.

Josh: It's like, it's like hard to

Mike: Wait, why are you putting it?

Jonathan: It's hard to compute that.

Josh: It is hard to compute that. Yeah.

Jonathan: I mean you can precompute it and save it. But then what happens when it changes? Well, I mean the expiration dates in 999 years, right?

Josh: Yeah, exactly. Yeah. So you'd be surprised how many people do that kind of stuff.

Yeah, I mean, it's, it's hard, so the way, like,

Jonathan: Is that what ring doorbell did.

Josh: Yeah. Yes. So they actually just were not checking for TLS certificate authority, um, validation.

Jonathan: So you could just curl dash K and be good.

Josh: So, what you could do is like, you can force a D off with the doorbell, like various ways and like, someone's gonna be like, what the hell am I like doorbell wasn't working well, I have to like re authenticate it. And so if you man in the middle that connection, which if you have their wifi password or whatever that's starting to do, or actually, I think the one, I think it's even worse, the wifi connection between the doorbell and the phone was just like, totally un-encrypted, you can just sniff those packets cause it's wifi, and like you get there like wifi password, you can do all kinds of stuff.

Mike: Right, right, cause In order for me to configure the IOT, I always, whenever I'm configuring some sort of IOT device, I always feel like this is the point at which if somebody is there, is their van outside my house, and this is the point at which they're going to get access to whatever it is.

Josh: Yep, exactly.

Jonathan: Yeah. Cause I remember like I was doing a hardware startup in Korea and we were using Nest thermostats, but like none of that stuff was encrypted. Well, I mean, I guess it was, no, I don't even think it was encrypted like it was just cause it was like, Oh, well you're on the wifi must be secure and I could just make calls to the thermostat.

Josh: exactly.

Jonathan: And so like we were using that as a thermostat, so we didn't have to make our own. And we were just saying like, no, adjust the temperature nest, adjust the temperature.

Mike: I mean, I think that's the lesson, right? Like, so, Hey, we already made this mistake with cars. We have this hard outer shell and then this compass, right? Smart houses, I feel like are going down the exact same pattern, right? Because yeah. Hey, and it's even worse because at least a car is mostly closed system by the manufacturer's standpoint, right? They built all the things. They should be able to know every device and be able to know like, yeah, that is actually our device that's talking on that, right? Well, the smart house,

Jonathan: it also takes like a certain level of skill to like do things with car.

Mike: Right. But the bigger difference is, right. with a house people, the whole point of it is that you're adding one more thing. It's like, yeah. Oh, hey, now I can get a smart vent that will close this or do that. And you had a, it's, the whole point is extensibility interoperability. And so how do you even, how do you make sure that like the owner of the house is saying like, Oh yeah, we've authentic. I am confirming that this is, this device is something that should be here.

Josh: Yeah. Right, and I mean, it's like, again to the eggshell security, like we have home routers now that kind of NAT all your devices right behind them. And so there's some level of like, well, you can't access this stuff from the outside,

Mike: Except for the fact that it's all wifi from way far away

Jonathan: when they all phone home.

Josh: when they all phone home.

Mike: when they all phone home.

Josh: And a lot of those connections are not. Secured and like, you know who the heck knows what's on the firmware on a lot of these devices? So ,yeah, it's a, I completely agree with you.

Mike: So when I locked myself out, I can give you a call to open my garage door.

Josh: Exactly. There's a really interesting talk about how insecure garage doors are. So like there’s just guy Sammy Kamkar. Have you ever seen some of the stuff he does? He's the guy behind the Sammy worm on MySpace.

Mike: Yeah, yeah, yeah.

Josh: This guy. Yeah. I think he caught like a felony for that. Neither here nor there. Anyway, he's doing some really fascinating stuff in the RF space and, basically most modern garage door openers, you can just like crack the code in like eight seconds,

Mike: yeah. I mean, the fact,

Jonathan: And that's the advanced ones that do the cyclings of codes. Yeah. So my dad's like the original OGsecurity guy for garage door hacking. So he, when they built their house, he put a power switch right next to the garage door opener. So that when he goes to bed at night, he turns off power to the actual garage door arms. So nobody can be scanning code

Mike: when I go on vacation or when I, if I'm going to be gone for, I just unplug it.

Jonathan: Oh yeah. That's what we used to do. But then when we built the house, he was like, yeah, I'm tired of getting up and unplugging it, or taking that like lever and like sliding it in, but it's like it's an aluminum track. So like

Mike: Yeah, right. I do the lever and I was like, I feel like I should do more.

Jonathan: Yeah, because that motor up there, like when you stop that motor, that's not going anywhere.

Mike: Your other options and one, they actually, people probably don't realize this is one of the easiest, alike the physical attacks, right. So there's an emergency pull handle on a garage to disabled to disengage the

Jonathan: Break the window.

Mike: Right. So you just go through and you pull up, you can hook that from, you can slide a thing under the door. There's lots of ways to pull that thing. And now the garage door just lifts right up. Yeah.

Josh: So I got a deadbolt here, a garage door, the interior

Mike: The little thing, and there's lots of things.

Jonathan: I mean, now they're all connected to wifi anyway. Probably not, probably not secure anyway. So I'm just going to craft in, which is great which is great. Yeah. Knows what I'm pulling up and just unlocks.

Josh: This is the siren's call of it all though. Is that like OT, operational technology, smart homes, IOT devices, like it's so convenient. It's so convenient, but like manufacturers, stop it, getting it working. They don't, the security of it doesn't yet make them a market.

Mike: Yeah. So that's why if I'm law enforcement, I think that's where I'd be attacking. Right. If I want to know what somebody is, you know, it's the same sort of thing. I get a warrant.

Josh: Do it the old fashioned way. Get a warrant. And then you have really all these things.

Mike: Backdoors and a bunch of insecure devices.

Josh: that is it, right?

Mike: Yeah. Game over man!

Josh: I agree. Game over man.

Jonathan: Yeah. What's interesting is like, it's like somebody thought about this early on, right? Like didn't what was that thing that they shipped on routers that nobody uses a WPS or whatever?

Josh: Yeah.

Jonathan: They like encrypt, it was like, Oh, well, we'll do all the configuration for you. Like we'll securely connect everything. All you have to do is push this button. Like that's died. Right. Cause people were like, no, I don't want to add a button. I just want to type in my password.

Mike: Yeah. Well, awesome. Like when I first saw it, my first reaction was like, Oh, this can't be secure. Like if they've made it this easy, it can't possibly be like, I'll do it the old way.

Josh: Yeah, totally, totally. I mean I think there is an imagination problem with this stuff too. It's like, you know, it's a psychology thing. It's like, you can't be afraid of the things that you can't imagine. Right. And If you just don't understand security at a basic level, like you don't, you can't imagine. It is all magic to you. And so like you don't have an intuition for like, Oh Jesus. Like somebody could totally do XYZ to my home router if I don't, you know, do this thing. And so I think that lack of education and the ability to imagine the downsides is like, Why people don't emphasize security more in the front.

Mike: well, I think, I mean, we're a herd animal, right? So there's safety in numbers.

Josh: right.

Mike: Fact is I don’t actually have to have a super secure network at home. I just have to one that's harder to crack than my neighbor to a certain extent.

Josh: Sure.

Mike: Although what the nice thing about computers is that you can attack them all at once.

Josh: Yeah.

Jonathan: A slightly changed subject. I saw this interesting hack that took place on, there's a couple of banking apps that are out there now. I don't know the new one, the hot one in Europe right now. It's called Revolut. They've been around for a couple of years, but they're growing really fast and they are expanding to Asia and stuff I was browsing the Reddit the other day and this. It's crazy that this one guy basically had his Revolut account taken over and emptied and how they did it was they basically spoofed cell phone and took his two factor code. And it was like, and I was like, Holy shit. Like this is like become commonplace, right? Cause like we saw that like Twitter guys, like Jack Dorsey's Twitter account got hacked because like his two factor. You're like, Oh, well that's like a high profile target. Like you know, like that seems like he had some, like, it was like a lot of people could go to that and it was like worth it. But like, I was like interesting that like, they're basically bulk doing this to people's Revolut account as long as they know that phone number is a Revolut account. They also just go in and take it.

Mike: Right.

Jonathan: And it's that quick now. And it's like so low effort and yet two factor, text messages are still a thing.

Mike: So I got really frustrated. My bank got acquired. I had a different bank or I had a bank, they had a secure system that was using Google off like instead of the text message thing because we, several years ago, the warning went out that like, Hey, by the way, people can spoof phone numbers. And this is really not a good multifactor,

Jonathan: which is crazy. Cause it's all in Hollywood. Like we see it all the time. People are like, Oh, I cloned your SIM card, I have your phone.

Mike: Well that is because Hollywood, It's like, Oh, you know, like, look at Jurassic park. It is a unique system. So it's hard to know what's actually reality. Right. But, so my bank got acquired by another bank and they pushed me onto a different platform. And I was like, are you kidding me? You're going to text me my multifactor. So, that like, yeah. I am Now shopping, I think for a new bank.

Josh: I honestly don't know how long phone numbers are going to be around. Like with the combination of how annoying it is to have a phone number these days.

Jonathan: Well, it doesn’t matter. it's like, it doesn't matter anymore.

Mike: Right.

Josh: Right. Millennials, like, honestly speaking for my generation, like I really dislike when people call me because it's like, it's a synchronous communication. It's an intrusion. It's like I'm scheduling my day.

Jonathan: Your time is more important than my time.

Josh: That's what you're saying. When you make a phone call, right.

Jonathan: Okay, but I mean saying like phone numbers are more relevant than.

Mike: Can I just put, can I just say, I mean, I'm gen X. Okay. I'll come bloomer side like, Oh my God. But like, it takes forever to have a communication asynchronously. That could be a five minute conference.

Josh: I'm not being normative here. I'm just being descriptive.

Jonathan: I always attest. I'm always like, can you talk?

Mike: Oh yeah, exactly.

Jonathan: And then if you respond, yes, then I'll call you. Right?

Mike: Can you call, like, hey, we can have a 45 minute text conversation, or do you have time for a five minute conversation that I totally get, right.

Josh: Sure, I am with it.

Jonathan: I do it with you all the time.

Mike: I do it too. I do that too.

Josh: I'm just stating descriptively that this is how a lot of people, my age feel about it.

Mike: Yeah. No, I would never call somebody out of the bloom, but except for my mom, who's a bloomer,

Jonathan: Except like for cell phones. For cell phones, the numbers are irrelevant now cause you immediately say you have an iPhone. You immediately get in, you log in with your iCloud. And then I message is all based on your iCloud ID has nothing to do with your phone number. And so like now you're doing this whole...

Mike: Wait, you guys use whatever.

Jonathan: Okay. So say you use signal. Why is signal, signal uses your phone number, which I don't like it

Josh: To make it easy.

Jonathan: To make it easy. I get that, but like, Yeah. It's like, it doesn't matter. I should be able to log in with a username and password and use a second factor to verify that that's my diet like key base. It's like, Oh, do you have one of your other vices schools scan a barcode that you generate in your app? Right. Awesome. And so it's like, why is there a phone number? Like, it seems like it's a more restrictive number than an IP4 address.

Josh: Totally.

Jonathan: And so like, why are we like...

Mike: So many systems are built on having a phone number.

Josh: They are just built on the phone numbers

Jonathan: Yeah, but I mean, I guess we're seeing it now with data only Sims.

Josh: Sure.

Jonathan: You can get your data only ones that don't, hey have no phone. It just data only like, Why do you need a phone number?

Josh: We can totally move to like a key base model of the web of trust with your devices and like, you know, you just carry those things with you, so your life and like

Jonathan: it's interesting. Yeah. recently, I spent a bunch of time in Bali and so like, phone thefts are pretty common there, because people have their phones on them and they're all wealthier people, as opposed to the people that like natively from Bali and things like that. But like, it's, it's like, when people are out drinking and partying, there's pickpockets going around just stealing phones. And a lot of people ran into this problem is that was their only like Apple device. Yes.

Mike: Ooh.

Jonathan: And so now how do you get into iCloud?

Mike: Right.

Josh: Right. It's not your iCloud anymore.

Jonathan: Yeah. Right. Cause Apple has a way for you to go around it where they have to verify your actual like identity identity. But that takes like 30 to 90 days, I think it is what they now quote.

Mike: Oh really,Cause...

Jonathan: Because they have to do a physical, like verification of our stuff.

Mike: I know, I know this, but it only took three days for one of our developers who forgot his iCloud, like had no way. And it was only hooked up to an old laptop that no longer.

Josh: Interesting.

Jonathan: I wonder if they've just started getting cause

Mike: So there was like some phone number and some thing, and then they had to call him back and it was three days to get back into his iCloud because the only device it was registered with was a laptop that we wiped and put back into inventory. Cause he wanted a different one.

Jonathan: Yeah and, so it is like, It's now think of it as I had a bunch of my laptop and iPads stolen out of an apartment like two years ago. And so imagine those were my only two Apple devices. How can I verify? I mean, luckily I had my, not luckily, but I had my phone on me, so now I still have that. And I think now they do the watch, but it's like, they're basically, it's like how many devices can I own? And so what's crazy is like YubiKeys aren't like a super common thing where everybody should just have a backup YubiKey, locked in the safe and been like, this is my, yeah, this is my final thing. I need to verify my identity.

Josh: And yeah, I mean, I think we're always going to have some hybrid of like human and technological solutions for like identity management.

We have to, because people aren't going to, they're not going to do the YubiKey thing. It's just like...

Jonathan: Facebook used to have an interesting one. I don't know if you guys ever like back in Facebook's Heyday,

Mike: I never use Facebook.

Jonathan: If you used to forget your password, I remember, but they couldn't do this now cause people would throw a fit, they would show you pictures of your friends and you had to correctly identify your friends.

Josh: That's interesting.

Jonathan: which I was like, Oh, that's genius like, I'll definitely be like, Oh no, that's Josh. That's my like, and you just have to name them correct. It's kinda like when you do the credit check and it's like, what kind of car did you want to own and stuff like that?

Mike: Yeah when you’re trying to get your information from social security or whatever. And you have to verify the stuff that by the way is like, it's not what you remember. It is impossible.

Josh: Right, right.

Jonathan: Yeah. Especially like, as time goes on and it's like, you've had more and more cars, like you've had more and more addresses, like, and so, but yeah, and I thought that was super interesting. And I think that would be like an interesting play. Nobody would go for it because it's facial recognition, but let's be honest, Google and Apple, and all of them are already doing it locally on your phone. I think that would be like an interesting iCloud recovery thing to be like, Oh, like here's some of data that might be yours or might not be yours. Can you correctly identify it?

Mike: But why not? Why do? I mean, I could see a different solution because one of the weaknesses there, right, is that anyone who kind of knows you, this is the problem with those stupid security questions, aside from the fact that everybody's favorite color is blue and everybody drove a Toyota, Corolla. But if someone knows you reasonably well, which is also going to be the same people who have access to your computer, they probably know your friends. They probably know enough information about you that there's a pretty good chance that they could get in.

Jonathan: Right But I'm saying like, this should be like down the road after like you've tried to do. I mean,

Mike: Oh no, no, I'm not feeling, but I think that there's an interesting idea there. And also the notion of like, well, we know Josh, Josh and Mike have already established a relationship. Josh has established a relationship with this thing. Is there some way for Josh to say, yeah, Mike lost his phone?

Jonathan: Yeah. That's interesting.

Josh: I was just going to say, like, you know, I feel like listing four, five people,

Mike: emergency contacts?

Jonathan: like emergency unlocked contacts,

Josh: having them attest that this person lost the...

Mike: One of them is the FBI.

Josh: And one of them is the FBI.

Jonathan: That's the back door.

Josh: That's the back door and we've solved all of the problems.

Jonathan: It's just like this guy named Ted, it's just a guy named Ted and a bow tie, smiling, like.

Josh: who was the MySpace guy? It was like,

Jonathan: Tom,

Josh: Tom.

Mike: Yeah. We all just trust Tom.

Jonathan: Tom was everybody's friend. Yeah, you can do no wrong.

Josh: Yeah. He had the whiteboard and.

Jonathan: Yeah. I don't know why the whole like, friend trusting reminded me of that. I don't know why there's probably some correlation, but like the, the payment system where like people pay somebody they know, and then that person like registers, like, it's how they're doing, like microtransactions in like developing countries. It's like, I know you, Mike, so I give you money. And do you know how this works?

Mike: I have no idea what you're talking about.

Josh: Yeah, the old, I mean, so there's a guy who won like a Nobel prize for essentially that the issue is in like very unbanked, like low wealth.

Mike: This is what Facebook is solving, right, with their whole money thing, so pay people and

Jonathan: I think Libra coins absolutely interesting.

Josh: Yeah. The whole economic thesis is like people that basically don't have any money or capital, like, are very inefficient with their labor. And so like, if you give a group of 20 people, like sewing machines, they can have multiples of their output, like just by a simple investment. And that like the more capital you put on something, it becomes less and less of a, like it's a diminishing returns to your, your money. so the question is always like why don't more investment dollars go into these like very low wealth areas. And the answer's generally like risk, right? Banks don't want to lend money to people that like don't have ID, you know, like formalized identities and all this kinda stuff.

And so, you know, micro, they call it micro, micro investing. I think the whole idea is that you can use a person's like network to attest. So they're like credit worthiness essentially. And that like you, I think some variants of it, like basically you have a group of people that kind of get together and they pool risks so that if one person doesn't pay the loan back, everyone in that group gets punished by like losing their access to capital and like you rely on the social dynamics of that group to like force people to be credit worthy. Right. I don't know if that's related.

Mike: Yeah. Yeah.

Josh: I can't remember the guy's name that...

Mike: but that's the very interesting thing because whatever. It's probably down in the weeds, but like if you look at, um, poverty in impoverished areas, my wife has a master's in psychology.

She did some, everything I'm about to say might be wrong because, because I didn't know, because I didn't directly. Right. So this is hearsay.

Josh: So you're an expert.

Mike: So I am an expert. Absolutely. No, but the idea is that there's the, one of the dynamics that happens in these is there such a community because everybody has to rely on everybody, which has its, which is great. But at the same time, it also is what kind of keeps people in an improper state. Because as soon as I get something. There's a lot of social dynamic pressure on me to share it with everybody, which makes it very difficult for me to get out rather than get out and then help people back. But that seems it's awesome that same social dynamic of trust and reliance on each other is being used in a very positive way to help the entire community get out sort of at once.

Josh: right. That's super fascinating.

Mike: Yeah.

Josh: Yeah. I mean, I think there's some interesting research into like totally not security related, but, like yeah. Why people who grew up in a state where resources were scarce, you know, like have a difficult time accumulating wealth? Because the mentality is there's like a hyperbolic discounting rate. Like you just everything, when you have resources, you consume them because that's what you, how you of I grew up.

Mike: Right. I mean, they, look at this, I mean, I remember studying the civil war and that was one of the biggest problems was that the officers could, you know, anybody who could afford boots could afford boots. That would last more than a couple of days, right? And the people who couldn't were constantly just throwing more and more money. Right,

Josh: Look at the dollar three or payday lending or all these like very predatory things that like crop up around.

Jonathan: Dollar tree is predatory.

Josh: Yeah. I think so. Yeah, like...

Jonathan: The market cap though.

Josh: Yeah, I know. Right. It's insane. yeah, so, I mean, if you look at

Jonathan: like billion dollars or something

Josh: Yeah. Like it's wild, but like, if you look at the unit, but I mean, just to G's point, if you look at the unit price of things that you're buying, it's like, yeah. Like you buy a shampoo for a dollar, but like compared to buying a bottle of shampoo, it's seven times as expensive by volume.

Mike: Right.

Josh: Right.

Jonathan: Right, Interesting.

Mike: Yeah. Definitely, very security related, but yeah, it is. I mean, it's, it's funny how security, how we got there. Right. I mean, what did you say? Social security?

Josh: Resource security, Yeah. Totally, totally.

Jonathan: Alright. C++ crash course book, where can I buy it?

Josh: You can buy it on Amazon. I hear it.

Mike: I heard it is about the 17th.

Josh: It's no big deal. It's like, you know, the 17th most popular like C++ tutorial that come out.

Jonathan: How is your book different?

Josh: So there are a lot of really high quality C++ books out there. When I was learning C++ , as an experienced programmer. I had a really difficult time and I like bounced between conference talks and like exhausted colleagues and like blog posts and had a difficult time piecing the whole language together as a whole.

Mike: So you decided just to hire somebody who knew it, that would have been like the non pigheaded way to do it, so I just ended up, you know, slamming my head against the wall for three years until I figured it out and in that process You know, the way I like to learn things is like a brick by brick linear approach. You know, I don't like in a code example for there to be any magic. Like I want to know line by line what's going on. And it's really difficult to chart a course through C++ that presents the language in that way. I think I figured that out for modern C++ and so that's the stick of the book. And if you like science fiction references and Easter eggs, also maybe worth a read for that because writing is a lonely endeavor and injecting some like levity into, you know, tough passages.

Jonathan: And this is your first book.

Josh: This is the first and last.

Mike: I predict another one.

Josh: I don't know, man. I don't know. Maybe it's like having kids, like you just get amnesia!

Mike: Like at some point you're going to decide like, no, it wasn't that bad.

Josh: Yeah, it wasn’t that bad. You know, I might, I would consider, I mean, so C++ is fascinating. People think of this as a super old language, which it is, but it's undergone a revolution since like 2011. So, yeah, it really , this is going to sound crazy, but it looks more and more like Python. When you look at modern C++, there's this whole. Idea of a, they call it zero overhead abstractions. Basically like you, as a programmer, get to a write in a higher level. But what the compilers are so good these days and the language is written in a way where the compilers can essentially reduce out all that abstraction and you end up with code at machine code that's as efficient as possible like you, you couldn't have done it better by hand and most people shouldn't try to. And so, there's been a revolution in the language and it's basically every three years, there's this like huge and vibrant community that like improves the language and every three years they're releasing new ones, C++ 20 is going to be a huge deal. So it's coming out next year. It adds all sorts of really incredibly useful features like a module system finally, because it's the 21st century. And it turns out like dependency management is like an important thing.

Mike: My first, I mean, like I'm old and 1996 doing C programming for CGIs for the internet, for the web. That was just, you know, right? one of our biggest problems was there was no open source and the whole dependency management and all of that. Yeah. Well it nonexistent at least other languages, more modern languages that grew up in this world have solutions to that. It's awesome. That C++ is.

Josh: Yeah, I mean, NPM probably takes it to the other extreme, like left pad and like, you know

Mike: Is null.

Josh: Is null, exactly like that's probably too far.

Mike: Right. There is a happy medium.

Josh: But yeah, I mean, for sure, I think this helps to bring, you know, one of the bad parts of not having package management of which there are many, is that you sometimes think it's easier to just roll your own thing. You're just like, I would rather not deal with like bringing this math library and I'll just like, write this function myself, right. And that's no good so I think having like good module system's going to be incredible. There's a couple of other, really great language features.

Mike: How are they securing that module system?

Josh: Yeah, it's interesting. So you have kind of two elements to it. One is like what happens at the compiler and linker level, right?

So like when you're building your program and linking it against objects, um, really no security at that layer, right? Like it's just. Your file system. And so if someone like has control of your file system, you're kind of having other problems.

Mike: It is like somebody having your email account.

Josh: Totally. Yeah. Which is why I like to vet it's really important for developers to secure the computers. Right? Like there was actually a really interesting series of very critical vulnerabilities and Git, which are really fascinating. This isn't one of them that came out last week, but, for example, on a windows, it's not a case sensitive, file path system. So, if you,

Mike: Actually, in Linux x isn't either. It drives me nuts.

Josh: So, if you end up...

Mike: Case preserving

Josh: Case preserving, that's interesting.

Mike: They switched it. It used to be case sensitive, and then they switched it to case preserving. And if you put it back in the case sensitive mode, tons of things break.

Josh: Interesting. Yeah. I mean, it's a huge, I mean, hugely important distinction. And, as it turns out so if you have like they've patched this, but it used to be that if you created a folder called “.GIT” get in caps and check that in to a repository that someone on windows, when they pulled it down, like you can write things into the Git sub folder, like hooks, so basically you get remote code execution on somebody like developer machine through like. Really important to secure developer workstations Mike: Right.

Josh: But for dependency management, this is like a really interesting, so outside of the file system, you talk about remote repositories and these sorts of things, like a lot of really interesting research around how do you secure DevSecOps? Like, how do you secure the dependencies that you rely on, right? Web security is great, you know, like defending against cross site scripting and using cores and all this kind of stuff. And, but what it does, none of that matters if someone gets execution on your server, because you pulled in some ways, is null, and the developer decided to push, you know, an update

Mike: Or the developer sort of abandoned it and somebody, or maybe gave it to somebody. And right now somebody else is in control of that library that you don't know.

Josh: Yeah. And it's really hard to tell whether code's nefarious. There's this, I don't know if you've seen this contest. It's called underhanded C. They haven't run it in a few years. We'll have to put like a link in the description, but it's a fascinating concept. So, every year they'll have a prompt that you have to write like a function or a class or something that notionally does something, right? It has some supported functionality. And it also has some other really interesting functionality that is completely not apparent where you just read the source code, like it's got some sort of remotely triggerable condition or some sort of vulnerability that you introduce and

Jonathan: Which you are having to hide it,

Josh: But you hide in plain sight.

Mike: That's awesome. I mean, I feel like there's a lot of

Jonathan: it's scary, but also

Mike: There's a lot of developers I've worked with that are really good at doing that just

Josh: Unintentional,

Mike: Unintentionally. This code is so elegant and it has all of these side effects. Like you don't, you can't figure out. I mean, like it's actually, there's a creative aspect to software engineering. I think that's one of the places where really elegant code versus what we really want code to be can sort of go off the rails and yeah, there is some. There's definitely.

Josh: Yeah. Yeah.

Mike: But yeah, no, that's really interesting. I might have to take a look at that.

Josh: Yeah. Underhanded seed. They haven't run it in a couple of years, but it's fascinating to read about how much time people spend on the pretty frivolous contest. But, yeah,

Jonathan: Yeah, they probably haven't run in a couple of years because although past winners got hired by a company

Josh: Yeah, that's right. Yeah, I will. Just say

Mike: because everyone ,you know, C is dead,

Jonathan: Not Mike, not dead.

Mike: Right. So how large is your company about?

Josh: So we are just over 10 now. Also we raised a seed round in June

Jonathan: Congratulation.

Josh: Thank you very much. We've got some really interesting stuff in the pipeline. And so we're hiring like crazy for next year. Yeah, we've got a, I mean, one of our pitches we have, like people say fullstack developer, like we're, we like program micro-controllers all the way through to like CSS. So, you know, pretty much like wherever you are on that.

Mike: Yeah, to me fullstack is totally, there's very few people who can be fullstack at this point.

Josh: Right.

Mike: The stack is so deep.

Josh: Yeah. It is insane. It really is.

Mike: But definitly being able to do two or three parts of the stack. That's at this point, that's what qualifies as full stack. I can do a front end and I can do a little back end. I'm not full stack, but there's all the DevSecOps. There's all that. So, interesting.

Josh: We like to hire a T-shaped developers. So these are, you know, people that have one skill set that they're like really, really strong in. And, you know, that can manifest in a lot of ways, if it's like open source involvement or they like have a blog about it, or, you know, people that are really active in it. And then they have like a really good understanding of a lot of other things. Maybe it would take them some time to spin up on stuff, but like, you know, one of my pet peeves is when I see these job descriptions that have like, you know, seven years with Apache struts and whatever, I'm like, that's stupid. Like don't, you shouldn't be looking for people with like a specific framework, like hire smart people that get along with the culture of your company. Right. And you can teach them because the right people are going to want to learn new stuff.

Mike: Right. Or, and for me, it's also self-aware right, so when I'm interviewing people asking them, like when they say, Oh yeah, I can do. This is all the stuff I can do, but I really prefer working on the front-end or I really prefer working on the back-end, you know. And that's what I always would say on my interviews. Right. Like, Hey, yeah, I can do front-end code. If you're asking me to do front-end code, you're probably asking the wrong person. You're not going to get what you want. Sure. But I can do it. Because I have enough exposure to it, but I'd Much prefer working on anything that’s the same sort of thing. That's the type of people I look for as well, which is, you know, something really well. You have a breadth of knowledge about how other things work. So even if you're not working in it, when you're working with those people, Those people,

Josh: That's it.

Mike: You can, you can work really well with those people and you're attacking a problem.

Josh: And I think people like that are definitely strong candidates for like increased levels of managerial responsibility. And that can mean a lot of things, right? Like, you know, individual contributors are super important. You have to have like,

Mike: So, it's funny cause that's what the T-shaped versus, so in my mind, I've always actually pictured as almost a V, right. They have a big breadth of knowledge and it just, and it's like, and then it just gets more and more focused as you go down. Where's the T shape I feel like is the more individual contributor. They have some ideas across the board, but then it sort of drops off very quickly into a

Josh: it makes a lot of sense.Yeah. That makes a lot of sense for sure.

Mike: Sorry. I sort of totally rails you there.

Josh: It makes ton of sense. I think you're seeing this in a lot of companies is like a recognition that it's okay to be an individual contributor for your entire career and you get paid just the same as like the managers and you can just kick ass at like what you do and you make things happen.

Mike: Yeah. One of the jobs I had a number of years ago, the first one where I got promoted into manager, well, as soon as I like real manager, and then I was privy to salary ranges and stuff. What was awesome to me was that as a senior engineer when I moved into manager, they're like, normally that comes with a pay cut because our senior engineers are paid at the director level, like that was their tiering. Right. And that I've always maintained the same sort of notion of like, okay, if you can be super tight, like I want people to be able to stay in a super technical track that the path to a higher salary should not be management.

Josh: Exactly.

Mike: It should be staying in whatever you want. So I have this notion of principle and director Senior and manager and like the same sort of tiering. Yeah. I think that’s, and I do think that that's pretty common in a lot of areas. Not necessarily across the board.

Josh: Yeah. Yeah. And I mean maybe I've just become aware of it recently, but like, I love that model. I think it's fantastic. It's exactly unlike the military.

Mike: maybe that's and maybe that's right.

Josh: Yeah. I wrote an article about this and we're on the rocks actually. Like why the military is kind of like an impossible place for very technical people. And that's like the essence of it.

Mike: I thought the essence of it was that, well, whatever. I feel like this is a whole nother conversation. Maybe we should save it for another time

Josh: Maybe we should save it for another time. Yeah.

Jonathan: Awesome. Well, thanks for coming in Josh bringing your book.

Josh:Thanks for having us

Mike: Great catching up.

Josh: All right.

Jonathan: Thanks. Bye.

Mike: Bye.