The McAlvany Weekly Commentary
with David McAlvany and Kevin Orrick
Kevin: David, you’ve been on the road, you’ve been meeting with clients with these conferences with your dad – Palo Alto, and then later Agoura Hills. You’re working your way across the West Coast, but you also had a chance to attend an economic forum that is an invitation only. I’d like to hear about some of the people you met there, as well, Dave.
David: Kevin, this has been a fantastic week-and-a-half to two weeks, and I can’t wait to get some of the other locations and meet with clients, because what we’re experiencing – my father and I – when we are in the room with our clients is a real interest to know, uncover, and discover, and get into the meat of what is happening in the global economy and the most critical elements. These are people who are tuned in, these are people who care, these are people who are looking for actionable items, and when we get to the Q&A at the very end you can feel the electricity in the air. You can tell that these are folks who are invested, not just with dollars and cents, but invested in the future of our country. They care about public policy, they care about world events. It is absolutely energizing for me.
One of the things I would say is a common theme with the questions that we encounter at the last two conferences in Palo Alto and Agoura Hills – what do we think about cryptocurrencies? What do we think about bitcoin? What do we think about ethereum? We had some interesting comments, and I’ll be honest, I learned a lot in the last couple of weeks, interacting with some folks in the Palo Alto area, specifically relating to the cryptocurrencies – bitcoin, ethereum, and the others.
Kevin: One of the themes that brought your dad back from the Philippines to speak here in America with you was the push toward a cashless society. It is interesting how this crypto currency and cashless society is all overlapping. It is amazing to me how the general public right now is just distracted with Trump and the Russian ties and those types of things, when in reality, they have been lulled to sleep with a much larger movement, which has to do with a change, worldwide, in our currency. Cryptography and cryptocurrencies play a key role.
David: The first thing I wanted to mention was a gentleman that I spent some time with in Palo Alto just after our conference – his profession, his job, what he has been passionate about since he was a young boy is computer hacking. And that is what he does for a living today, legitimately and legally, with a security firm in Palo Alto. He is paid to break into systems and help them become more stable.
I asked him what he thought about the cryptocurrencies with his insight into systems, networks and vulnerability. It was his belief that ultimately the crypt currencies and block chain would be co-opted by a government – ours or some other government. I can’t say that I agree or disagree, I’m just in the process of learning, and it is interesting, someone who understands better than I do, the one’s and zero’s that go into the block chain field, that there is ultimately some vulnerabilities with it. It will either last and be here for a long, long time, or it will come to an abrupt end. And so, it does still represent a rank speculation, in his opinion, as a professional cryptographer.
Kevin: Given the nature of where you were there in California, and of course, that is a technology hub. He wasn’t the only hacker or cryptography expert that you talked to, was he?
David: No, the economic conference that I attended immediately after, one of the panel discussions, one of the contributors was also a professional cryptographer, runs a security firm in Southern California, PKC Security. Becker Polverini, a very interesting young man, very accomplished for his age, involved in everything from literally attacking the Great Wall, if you will, war games with Beijing, to helping commercial enterprises figure out how to better handle their security. We started with a similar set of questions that we asked Nazli Choucri at MIT a couple of years ago and then progressed on to discuss meta data, big data, and some of the things developing in that world.
A conclusion that he came to – you should be worried about tomorrow. You should be worried about tomorrow, and be cognizant of what you are putting into the internet today, because it is permanently there. It is not going away. The cost of storage is such that corporations are storing everything. It costs them virtually nothing to do so. And ultimately, I think the thing that was shocking to me is the conclusion that he came to – you are the product. When you interact with anything online, you are creating a composite picture which allows companies to then monetize you. You are the product. You think you are interacting with a program, a platform, or what have you, but actually, you are developing the next product, which is you. You can be marketed to more effectively if they have a complete and total profile of who you are.
So what we are giving up in terms of privacy it something that this generation doesn’t really think much of, mainly because of all the free stuff that we get for us. But as Becker says so well, “We don’t yet understand the other side of the Faustian bargain. We don’t know what we’re giving up for all the free stuff that we’ve just gotten.” And he says that is really a future tense issue. We should be worried about tomorrow. We should be worried about what the world of tomorrow looks like in light of the information we are so freely giving up.
So, I want to invite you into that conversation, but a fascinating several weeks here as we have met with clients, as we have interacted with some of the top minds in economics and business from around the world, and in this interview we get to talk to Becker Polverini about the nature of cyber security, insecurity, and some things that you should be cognizant of in terms of personal security.
Kevin: I think the timing of this conversation is fabulous, Dave, because we are also going to be talking to Richard Bookstaber here in the next week or two. Richard Bookstaber has written a book called The End of Theory, and it is actually about how big data, and how this analysis online can actually affect markets, and either stabilize markets artificially, or create the next disaster. So we’re not just living in a world right now online, that you are worried about your own personal security, but the actual nature of the environment, itself, is continually being changed by the inputs of all the users.
* * *
David: Becker, I have whole lot of questions for you and I wondered if you might be able to tell us a little bit about yourself and what puts you in the position to speak to cyber security, and cryptography, and the many other things that you are interested in and expert with.
Becker: Yes, sure. Currently I’m the CEO of PKC Security. We’re a cyber security consultancy in South Los Angeles in Southern California. My background is in nation state cyber warfare, so I cut my teeth on China, in particular, how China does censorship and surveillance, the algorithms behind it, how it is analyzed, and I’ve published some research in that area.
Currently, I do the three classic pillars of cyber security consulting – risk assessment, code audits, and custom software development. Specifically, my background is in cryptography – applied cryptography – designing ciphers and basically creating secure channels, trying to make sure that the data between point A to point B is as it should be and hasn’t been tampered with.
The kind of work we do is, we work a lot with companies that have something worth protecting. Sometimes that is personnel, sometimes that is intellectual property, but we take the time to understand what is happening with our clients and try to come up with a custom solution for their context, which varies a lot based on region and on industry, and we try to use our knowledge to bear on their context.
David: A conversation I had about two years ago with a gal from MIT, Nazli Choucri – the big question on the table was, who controls the Internet?
David: I wonder how you would respond to that?
Becker: That’s a great question. I would probably say, no one. But if anyone had to control it, I would probably guess the United States, but that is probably because of the large incumbent tech powers that are right here in Silicon Valley. The real answer, though, I would say, is no one, if you really think about it. The technology that undergirds the Internet really has no security model to it, so we started to see now that cyber warfare is becoming mainstream, and as nations like Russia are using it in conjunction with kinetic warfare, that the Internet was based on a simpler time, a happier time, when everyone was an academic and roughly agreed that we should all follow the rules.
And the technologies haven’t really changed. It is just now instead of academics it is Internet service providers. But when your government controls the Internet service providers and they become a tech vector for everybody else. And we have already seen this happening. A key example – I think it was maybe a year or two ago, the People’s Republic of China messed with a critical part of the Internet infrastructure and routed a bunch of traffic from the West Coast through China.
It just goes to show how vulnerable a lot of this infrastructure is, particularly the Internet, when you talk about the Internet as we conceive of it, like going to Amazon and buying something, or your mobile phone, going to the New York Times. That Internet is very much a trust-based cabal of people that for the longest time have just decided there is a decorum that they are going to have about how it is run. But if that changes then the Internet is going to look very different.
David: The Internet of things still runs on that same information highway.
Becker: Yes, that’s right. So that gets especially spooky when you start thinking about, “Well, I’ve got a water filtration plant that is hooked up across the wide Internet to maybe some monitoring facility or what not. Then you start running into all kinds of different issues. Generally, there is the Internet of things, too, where you talk about maybe a security system in your home, or your thermostat. It gets spooky when you start thinking about what happens when China can start spamming everybody’s home security system, and hot-miking their house or something.
The scenarios can get pretty apocalyptic, but the truth of the matter is, the Internet is not designed for security or privacy, really. It is designed for the least amount of work to keep it connected. But I think that is where information security professionals can leverage their skills, is trying to make sure that data that is running over this non-secure medium can still do what it is supposed to and not what it is not supposed to.
David: So you are a cryptographer.
Becker: That’s right.
David: And you know how to get into things and maybe even protect things, and maybe that is two sides of the same coin, so this is more of a sociological question, but why is there so much privacy indifference today?
Becker: That’s a great question, and I think it is mostly psychological. I don’t think it is technical, and I think it is highly generational. I’m a millennial. When I think of millennials I think, we have grown up in a generation where exchanging privacy for free stuff has been very much in our favor. And I think the Faustian bargain of giving up our privacy – we haven’t seen what the other side of that deal is yet.
We give up our privacy and we have free Facebook. We give up our privacy and we have free unlimited email with unlimited storage. And we think, “Boy these are all fantastic. It’s just my privacy.” But I think a generation or two, particularly when millennials are going to try to run for elected office and all of the dumb things they have done have come to the forefront they are going to have a very different attitude, a very different conception of privacy.
I think we’re already seeing with Gen Z, the generation after millennials. They’ve grown up with social media as just totally omnipresent, so they are much more keenly aware of the fact that there is a trade-off that is being made, whereas millennials have had the life of Riley in terms of making these privacy trade-offs.
David: There is a company I am familiar with out of Virginia which now is owned by Chase. The predictive technologies that they use gather information and allow for Chase to figure out how to market what products to whom. It is all commercial, but it is this huge information dragnet. It is very interesting and it is for commercial purposes so you think, “Well, it’s benign, and maybe it’s annoying, and maybe it’s spam, and who cares?” Not to go to the dark side, but it just seems to me that there is something about big data that is very good and helpful and something that is actually a little dangerous, too. In the circles I run in, we don’t hear a lot of conversation about the dark side of it.
Becker: With big data, the problem is not so much in one person having all the data, but all of the different parts of our lives that are being categorized in some way. So, to make it real, for example, roughly the same algorithm that is used to detect the likelihood that you are pro-ISIS on Facebook is roughly the same algorithm for how match.com and some of these other websites actually use their machine learning to figure out whether or not somebody is likely to be a strong match.
These algorithms are all interconnected and these different data sources are collecting very similar data, but when you mix those different data sets together you get tremendous predictive power into someone’s life. If you know what they buy, what they read, what they think, who they know, eventually you start having a very concrete picture of a person.
I think for me, for big data, I am less afraid of one person having a pool of some part of my life, than all of the different people having little tiny pieces that are very well formulated because I wonder if there will come a time when, say, a government or a regime, not just here, but really, in any country anywhere, is able to go to these companies and mandate that they turn it over, and now all of a sudden they have a unique fingerprint that very clearly identifies the kind of person I am.
And the question is, are we okay with that? Some people might be. They might look at the positive side and say, “Well, that’s good. I want my health care company to know that I am much more at risk for heart disease. Or yes, I’m totally okay with Apple recommending the new Lady Gaga album. But it’s a very different question when you say, “Well, now I get screened by TSA twice as hard every time I fly because I have tripped some indicator that I am a little bit more susceptible to ISIS propaganda than other people.
David: Francis Fukiyama wrote a book called The End of History, and said the end of conflict, that’s historical. There will be peace in our future, we will all live in a liberal democratic society where votes are respected and freedom of speech is there. That was his idea. And a short little book, I think it was by Robert Kagan, was The Return of History and the End of Dreams, as a short response to it a few years later. It turns out that we haven’t entered a brave new world where governments are always generous, and always kind, and always have their citizens’ best interest in mind. Governmental leviathans do what they have always done through the course of history. And we may have a positive view of our government today, but the reality is, if Lord Acton from Cambridge University knew anything – “Power corrupts, and absolute power corrupts absolutely.” So if that is the case, we look and we say, “All this information that is out there is not being used against us today, but it is information that is out there. It doesn’t mean that it can’t be used against us tomorrow.”
David: So you trust your government today, you just hope they don’t change tomorrow. But that is the problem, democracy sometimes goes the wrong direction. So what are some practical things that you would suggest? I know you live in the 21st century. I’m sure that you live a wired life and stay connected to clients and friends and family, but at the same time I bet there are some cautions and precautions that you employ that are just totally common sense to you, knowing what you know about security.
Becker: Yes, you’re right in saying that we have to be worried about tomorrow. As storage costs get cheaper and cheaper for data, data is not getting deleted, it is sticking around forever. The Internet is forever. And as a result of that, the issue of how I relate to my government, or how I relate to anything is a question of your entire lifetime because something you have done today could come back to haunt you tomorrow because that data will never leave. It will always be sold. It is a very precious resource to the tech industry, and to governments in general, and it is so precious they will port it. They will keep it forever.
So your question of what you do. There are simple things that I believe people should be doing in order to protect themselves from the unexpected loss of their privacy. I think a lot of our privacy is going away just by virtue of the things we interact with. You can’t read a newspaper without having a tracker track where you came from, where you are going, so there is some element of what you look at that is unstoppable. But there are some things that you can prevent, I think some good things you can do. If you really want to take your privacy seriously, use a VPN. If the Internet looks at you, what they are going to see is that you are coming from some address that lots and lots of people are coming from. They are not going to be able to fingerprint you as well because your traffic will be mixed in with the traffic of everyone else on the VPN.
David: So use a virtual private network.
Becker: Yes, use a VPN, even if you’re not at a café, even if you’re at work, consider using a VPN. If that is a principled stance you would like to take on your privacy, that’s a good way to do it. The second thing I would say is, understand your supply chain. Understand what you are procuring in terms of applications or services that you are using to improve your life. Make sure you understand their privacy policies. Sometimes they can read like stereo instructions or like legalese, but it is beneficial to at least understand what is the Faustian bargain you are making. Maybe there isn’t one. If you are paying, you shouldn’t give up your privacy. But if you’re not paying, you should be a little suspicious because you’re probably the product.
David: You are probably the product.
Becker: You are the product.
Becker: You are being sold to somebody else.
David: Explore that a little bit, because that’s obvious to you. I don’t think that’s obvious to everyone.
Becker: Google is not a nonprofit. Facebook is not a nonprofit. These are companies that are worth billions and billions of dollars. And the way that the do that is, they curate, and they manage, and they expose your data in ways that advertisers, or whomever, can use to do their own industry. So the more people they have, the more hooks they have into your life, the more that they understand about you as a consumer, as a voter, or as a father, the more that they can turn around and sell that data to other people.
So for example, we use a lot of what Facebook exposes, or what LinkedIn exposes to do war games. Companies will pay us to go hack them and tell them what their security is like. We don’t need any tool beyond LinkedIn. We look at LinkedIn, we get your network, we get what articles you read, who you know, who is in your organization, who your family members are. That is enough information to engineer anything. So when I say you are the product, if we are using it for evil for a small amount of time, ultimately for good – there are companies out there that are using it just strictly for evil.
Let’s say you’re going up against a nation state, or for gray, if you’re thinking about being sold a product you’re textual advertising. So that’s what I mean when I say you’re the product. They are literally turning around and selling your data, and they’re selling your data for a ton of money. Look at Google. Look at all the stuff that Google gets for free – their operating system, search, Google Plus, Google Voice. They’re doing video for free, and video is one of the most expensive things you can transmit over the Internet. They’re doing it for free because if they know who you’re talking to that is totally worth it.
David: So maybe I’m not millennial enough for that not to kind of give me the chills.
Becker: It gives me the chills, as somebody who is in this field. But what I can tell you is, the generational question – when I talk with other millennials and I say something like this, they just kind of blink and they say, “Yeah, but what do I really have to hide? How bad could it really be?” I think it really boils down to the fact that, in the same way that Upton Sinclair wrote The Jungle and it changed how Americans approached food, there needs to be an Upton Sinclair’s The Jungle for how data is managed, for how people interact with these large tech companies.
David: Do you have any literary aspirations?
Becker: (laughs) Jeez. No. I’m definitely an engineer. I think it would come out reading like a white paper.
Becker: But maybe one day, I hope there is an aspiring writer out there who understands these tech challenges and the politics and the sociology to create a compelling narrative that convinces people that this Faustian bargain does have a cost. And just to understand, maybe some people, when they understand how the sausage is made, are still willing to make that trade, but my gut tells me that they will think twice.
David: So computer science – what was your lead-in to cryptography and cyber security?
Becker: It’s sort of nonlinear. When I was an undergrad I was always interested in computer networks and I was also fascinated with East Asia. I wanted to learn Mandarin. This was a little bit before China was the next big thing. I grew up in a neighborhood with a lot of Chinese-American friends. It was just always something that I grew up around. So I figured, “Well, I’ll learn Chinese.” I studies networks. I studied Chinese. I lived in Beijing. Anyone who has lived in Beijing knows that there is an incredible amount of censorship and surveillance there. It sort of triggered in me this desire to understand – how does this happen, how does it work, how do you stop it? What are the sociological impacts of it?
I sort of became kind of obsessed with it, and just started researching it and researching it. I researched the history of how China stumbled across their great firewall, stumbled across the algorithms that compose it. And I got excited about ways to design systems, not just for China but for the rest of the world since China exports it now – ways of getting Internet users in these places where the censorship and surveillance apparatus exists, trying to get them through it, trying to get them to free information and access to it.
That was how that started. Cryptography came as almost a side effect. If you want to hide data or understand how to make data flow across things that are not trustworthy, then you have to start pulling out these primitives. And those primitives that allow you to build these systems come out of cryptography.
David: Is there a sense of reward in breaking through the Great Wall of China?
Becker: Oh yes, definitely.
Becker: It has gotten harder. To their credit, they have exceeded my wildest expectations in what they are able to do in terms of analysis. I never thought they would be able to do de-pack and inspection like what they are doing now. It is astonishing. And they are selling it over the counter – stuff that was just space age is now being sold over the counter. But yes, it is incredibly rewarding to stick it to a censor, I guess, or stick it to somebody doing surveillance.
Becker: It’s nice to know that you can keep a secret. Not all secrets are good, but a lot of times you need to have that quiet room sometimes to just have a thought to yourself. And it would be a real shame if we could never use technology and keep a secret at the same time.
David: That’s the other side of the psychology of privacy indifference is, why do we presume as a society, or maybe just on a generational basis, that it implies that we have something to hide when we want privacy? That there is something wrong with that? I even recognize the difference when I travel to Europe of the conversations that Americans have amongst themselves. At the end of a conversation two people know everything, including the name of their dog, and maybe even their passcode.
I’m exaggerating, but you sit two Europeans next to each other and they may have exchanged names, but they might not have even exchanged glances. They certainly have not exchanged any personal information. And there is kind of an assumption of, “I’m in my space, and in my mind, and I’m not compelled to tell you. If you ask me a question I can answer you in a very simple, but distant way, and move along.” We presume it’s wrong to have privacy. I don’t know why that is.
Becker: I don’t why that is either. What I can tell you is, I’m half Mexican, and Mexican culture is kind of a shame culture. If you do something in public that is shameful you should feel ashamed. I think America, because it is more of a guilt culture, it’s more litigious. It’s not so much about, “Oh, I’m so ashamed that I did X, Y, and Z,” it’s, “Well, if I didn’t break the law, then that’s how it is.” And I think that translates, sociologically, into the privacy space in terms of, “Well, I’m not breaking the law, so what do I have to hide?” Which is a ludicrous thought to somebody who grew up in West Germany, or East Germany, for that matter. That notion is just asinine. But in America, it’s almost the token answer, and I think it has become the almost reflexive answer because, try prying a millennial away from Facebook. Good luck. They will not give it up. It is perceived as their social lifeline and it’s kind of a terrifying thought to believe that your social life is dependent on a for-profit company.
David: What else would be a practical means by which Becker says, “This just makes sense.”
Becker: Yes. We talked about the ones that are privacy-specific. There are ones that are just cyber security general knowledge that I think are very helpful, particularly if you’re a person with resources or means that is afraid of a targeted attack. And that would be, use a password manager. The more services we plug into, the more accounts you have, the more passwords you have, the more the complexity grows and the harder it is to keep track of all of the different accounts. Statistically, what ends up happening is your password strength degrades. They get worse and worse. It becomes password123!FB if it’s Facebook, password123!bank if it’s your bank. And you’re not fooling anyone.
But if you use a password manager it will auto-generate a password for you. It’s like an encrypted Excel spreadsheet where you can store the list of accounts, user names and passwords. And the passwords are automatically generated, they’re automatically filled out for you. So you don’t know these passwords, but that’s okay. You have one very strong password that you use to protect all of the other passwords. It eliminates a high degree of the human element from how people lose their privacy.
The last thing that I would recommend – use two-factor authentication, or multi-factor authentication, or that thing that your bank does where they try to send you a text message. Anytime you see that, that is a good thing. It’s friction, like all security. Security, unfortunately, is friction, but it is appropriately placed friction. Right there, when you receive that text message or that code, even if an attacker has your password they also have to steal a physical – they have to steal your cell phone. And if you’re in Belarus or Estonia, trying to break into somebody’s bank, that’s not going to be possible. And that is another way to protect your privacy.
David: Becker, who is your ideal client?
Becker: I won’t describe it in terms of market or market cap or industry because we have totally diverse clients – size, industry – it’s totally different. I would say the ideal client is a client where the C suite has buy-in. So many times we go on site with a client after they have agreed to do an audit or do a risk assessment or do an intrusion – have us break in and try to analyze what their organization is like – only to have them pull the ripcord too early, or to have them kind of abandon us and not get executive level buy-in.
And people in the middle and the lower parts of an organization smell that blood in the water. They smell that lack of alignment with the executives, and it absolutely destroys our ability to implement sound cyber security policy. So my ideal client is one where the CEO and the CIO or the CTO are 100% bought in and committed to investing real time and real cost to actually change habits because cyber security is ultimately about habits. Habits are very difficult and very expensive to change, but it is totally worth it. But you have to have that buy-in in order to change those habits.
David: And how does somebody get in touch with you at PKC?
Becker: They can email me at becker@PKCsecurity.com and I would be happy to start a conversation. They’re inviting us into the inner sanctum. We will find everything, and that is why people pay us – to find everything. So, we’re ready to start the conversation with trust. The have to trust us because we’re going to be in there, and we understand that that trust takes time and we’re open to questioning and open to conversation before getting to the nitty gritty.
David: I appreciate you sharing your insights on everything we have talked about today, and I wish you well with your endeavors at PKC.
Becker: Thank you so much. Appreciate it.