In this episode of the podcast (#187), sponsored by VirSec, we talk with journalist and author Cory Doctorow of BoingBoing.net about the recent GE Filtergate incident and how DRM is invading our homes. Also, Satya Gupta, Chief Technology Officer of the firm VirSec, joins us to talk about how application runtime monitoring is gaining traction in the age of DevSecOps and left-shifted security.
DRM: An Invitation to Mischief
Back when it passed in the 1990s, the Digital Millennium Copyright Act was about protecting songs, video games and movies from digital piracy. Thirty years later, however, the DMCA’s prohibition on tampering with digital locks has been used by manufacturers of all kinds of devices to create de facto digital monopolies on parts and services. The same digital rights management (or DRM) technology that more or less dictates what kind of replacement ink cartridge you can put in your printer may soon compel you to use only your automaker’s preferred tire when you get a flat, or manufacturer-approved bread in your smart toaster. That’s a scenario our guest this week has posited. Cory Doctorow is a journalist, the editor of the site Boing Boing and the author of books like Homeland, Down and Out in the Magic Kingdom and Little Brother.
In this conversation Cory and I talk about the insidious spread of DRM and digital monopolies. We discuss one recent example of this, the so-called GE Filtergate incident, which saw a fridge owner going to great lengths to circumvent the RFID tags GE implants in GE-approved water filters.
To start off, Cory talks about how we got here and how the notion of digital rights has evolved in the last thirty years, essentially criminalizing the circumvention of copyright protections. That, Cory says, is an “invitation to mischief.”
Shifting Left with Application Runtime Monitoring
In our second segment: information security has a scale problem. Simply put, there are too many threats and too many threat actors for cyber defenders to keep up. Despite vast improvements in defensive technologies and so-called “incident response,” the bad guys are adapting as well, and staying one step ahead.
Many propose that the solution to this is more automation: using computers guided by machine learning and artificial intelligence to do the work of scarce human operators. But such approaches carry real risks. Among them: false positives and false negatives, not to mention the unplanned downtime each creates.
Our next guest says a better approach may be to stop playing whack-a-mole with attackers and instead focus on what matters: ensuring that code behaves as it was intended to. Satya Gupta is the CTO at the firm VirSec. In this conversation, he and I talk about how the firm started, in the wake of the SQL Slammer outbreak, and how technologies like application runtime mapping are taking on new relevance in the age of DevSecOps and “shift left.”
(*) Disclosure: This podcast was sponsored by VirSec. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Transcription Episode 187
PAUL: This episode of The Security Ledger podcast is brought to you by VirSec Systems. VirSec was founded on the belief that a new model is needed to counter today’s advanced cyber-threats. VirSec’s technology pinpoints threats at the source within business critical applications. The VirSec platform maps correct application behavior and instantly detects and blocks deviations caused by attacks. This deterministic approach stops threats in real-time, delivering unprecedented accuracy without false positives. VirSec protects any application, patched or unpatched, across the full application stack from web threats to binary memory-based attacks. Check them out at virsec.com.
INTRO: [MUSIC] This is The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this episode of the podcast, number 187
SATYA: You know, if I do get breached, I can’t turn around and say hey, my AI engine told me that this was the best way to go. It’s too late.
PAUL: Information security has a Whac-A-Mole problem. For a long time now, the number of threats and attacks has outstripped the ability of security firms to identify and block them. Maybe they should stop trying. In the second segment of our show this week, we talk with Satya Gupta, the Chief Technology Officer of the firm VirSec, about his company’s technology which provides deterministic security for application runtimes.
But first, when it passed in the 1990s, the Digital Millennium Copyright Act was about protecting songs, video games, and movies from digital piracy. Thirty years later, however, the DMCA’s prohibitions on tampering with digital locks have been used by manufacturers of all types of devices to create de facto digital monopolies on parts and service.
The same digital rights management, or DRM technology that more or less dictates what kind of replacement ink cartridge you can put in your printer, may soon compel you to use only your automaker’s preferred tire when you get a flat on your car or manufacturer-approved bread for your smart toaster. It sounds dystopian but it’s a scenario that our guest this week thinks is very possible. Cory Doctorow is a journalist, the editor of the website boingboing.net, and an author of books like Homeland, Down and Out in the Magic Kingdom, and Little Brother. In this conversation, Cory and I talk about the insidious spread of digital rights management and digital monopolies. We discuss one recent example of this: the so-called GE Filtergate incident. To start off, Cory and I talked about how we got to the point of DRM water and how the notion of digital rights has evolved over the past forty years.
CORY: I think that to really understand what’s going on here, you have to have some historic perspective. I suppose your listenership is familiar with the argument about open-source versus free software and this idea that we can stress that having source publication makes code better or we can talk about how having source publication gives you more freedom. But the context that I think we’re missing is that when all this stuff started in the 80s, what free software or open-source licensing got you was a slightly more convenient way of being able to make an add-on product or service, an interoperable product or service. There were no software copyrights to speak of, no software patents to speak of, trade secrecy was pretty thin, there wasn’t a rule against circumvention, none of those things. You could just copy stuff. You could make interoperable products.
AT&T could make UNIX and twenty-five companies could make UNIXes, some under licenses and some not. It was very competitive and it was very vibrant. It also meant that there was a great deal of technological self-determination. If a thing didn’t work the way you wanted it to, you could just change it, right? Just pull it apart and change it, and put it back together again. What software licensing was was not like forbearance, right? Today, the thing that a free and open-source software license gets you is a guarantee from the company that they will not exercise the rights that they have been given to sue people who compete with them in ways they don’t like. All it got you back then was a reprieve from the tedious work of reverse-engineering their technology before you got on with the important work of figuring out how to improve it, right? That’s a huge shift.
Over the decades, what has happened is that things that have software in them have acquired a kind of thicket of exclusive rights that allow manufacturers to decide who can make interoperable products and how those interoperable products can work. There’s software patents and software copyright, there’s enforceable terms of service, [00:05:00] there’s trade secrecy, and then there’s a whole bunch of exotic forms of copyright. The most notable of these is the anti-circumvention rule. Anti-circumvention comes in in 1998 with the Digital Millennium Copyright Act. It’s embodied in Section 1201 of that act. What it says is if you have to defeat a copyright lock to do something, then whatever it is you’re doing, even if you never violate someone’s copyright, is a crime. Trafficking in a tool that allows someone to bypass a copyright lock under the DMCA is a felony punishable by a five-year prison sentence and a $500,000 fine. In 1998, that was mostly used to stop people from making their own SEGA Dreamcast games without paying for the duplication fees for the CDs, and it made sure that if you bought a DVD in France, you couldn’t watch it in America.
You had to wait for the American release window ‘cause the DVD players were all region-locked. But that stuff was small potatoes. Today, you get a system on a chip for like, $0.26 that has a full [inaudible] NX install and BusyBox, right? Network drivers and device drivers; it’s basically you’ve got a mini-computer, right? You’ve got a Silicon Graphics IRIX, basically, on a $0.26 chip that comes with your smart light bulb. What that means is that if you design a product so that you have to bypass a lock in order to use it in ways that maximize your value at the expense of the manufacturer’s shareholders, that the manufacturer can make it a felony to use your own property in ways that benefit you instead of them, that they can create what amounts to Felony Contempt of Business Model. We’ve seen this massive explosion of digital rights management, of software locks in insulin pumps and in car engine parts, and in iPhone screens and in John Deere tractors and in all these different classes of devices.
These digital locks, they don’t really do any copyright work. It’s not like John Deere is worried about people pirating their tractor OS and running it in rival tractors. But because they protect a copyrighted work, the firmware for the tractor, and because the tractor is designed so that using it in any way that displeases John Deere requires bypassing the lock, John Deere can force you to do things like pay $170 for a technician to come and type an unlock key code into your tractor’s keyboard after you swap a new part into the engine, which is a thing John Deere does. If the hail storm is coming and you have to bring your crop in and your tractor is there and it has working parts, it will not drive out into your field to harvest your crop unless a John Deere technician makes it out in time. If they don’t make it out in time, your crop fails. This has become an invitation to mischief and this is where we get to GE.
GE looks at this commodity fridge they make, and GE Appliances, it should be said, is no longer part of GE. It’s part of some private equity deal. They’re now owned by another company that’s trying to justify the premium price they paid to buy this division off of GE. They look at this fridge and they’re like oh, the fridge has got consumables, right? It’s got a water filter. Well, the water filter’s just charcoal, right? It’s carbon, the most abundant element on earth. It’s so abundant that we can’t figure out how to get rid of it or it might kill us all. It’s the most commodity of any commodity. But if we put an RFID chip in there that monitors how much water has flowed through the filter and will not let you use that filter after the water has gone through it and will not accept any device that doesn’t — any filter that doesn’t have our cryptographically-signed RFID — then we can force you to pay $55 for an $18 cartridge. Who wouldn’t do that?
PAUL: Which is literally — which is about the difference, right?
CORY: Yeah. That is the actual difference.
PAUL: It’s $54 for the — yeah, for the GE filter and then — yeah.
CORY: On the one hand, we can condemn GE for doing this, and we should. It’s just terrible moustache-twirling movie villain crap. But at the same time, what manager, what CEO, what product designer if presented with the opportunity to force your customer to behave as a kind of meek, ambulatory wallet would not seize that opportunity, right? How much forbearance would you have to have to not take advantage of this? Look, I am not — I am by no means a true believer in markets as the one, true solution to all problems, but there is actually a thing that markets are pretty good at which is that if you figure out a thing that commands, say, a [00:10:00] 5,000% margin, that someone might come along and say you know what? I’d settle for a 3,000% margin, and they will enter the market.
What these rules do, and you know, DRM and the DMCA is one of them but really, we should be thinking about the whole suite of rules that allow firms to decide who can compete with them and how, what they do is they eliminate that corrective measure and when you combine that with another trend that has taken place over the same period which is lax enforcement of antitrust law, and it’s a long story, but the short version is Ronald Reagan had a darling — a guy named Robert Bork, who — he had this bizarre idea about monopoly enforcement where he said the only thing that antitrust and pro-competition regulators should worry about is whether a merger will result in immediately-raised prices for consumers. So long as that doesn’t happen immediately, then there’s no reason to block a merger. Of course, what that gets you is a web that is like, five giant websites filled with screenshots of the other four, where every eyewear brand you’ve ever heard of is owned by one company, a PE-backed company in Luxottica that also owns LensCrafters and Sunglass Hut and every other eyewear retailer you’ve ever heard of, and the largest lab in the world, Essilor, and the largest insurer in the world, EyeMed, and there used to be thirty pro wrestling leagues and now there’s one.
The same is true in every industry, so when you have this massive market concentration, you have these two things that happen; one is that firms are able to abuse these rules to decide who may compete with them and how, who can enter the market with a competitive offering, and there are so few firms that it’s possible for them to arrive at a collusive consensus that they will all partake in the same bad conduct so that you can’t just say oh, I’ll just find a better fridge. That’s kind of the trajectory, right? That’s the thing that we should be worried about. That’s why we should be really up in arms about GE and surrounding the factory with pitchforks and torches, is because if it works for GE, then KitchenAid is next. If it works for filters, then the next thing that goes is your butter dish. It’ll be like, I’m sorry — yeah, did you buy authorized butter? Because this butter dish is designed to optimally soften manufacturer-approved butters. We want to make sure that you have the optimal user experience of butter.
PAUL: Oh, yeah, you can’t — right. You can’t just put any butter. There could be rat poison in that butter.
CORY: Right, and I wrote a novella about this, Unauthorized Bread, that you can read on Ars Technica. It’s being turned into a TV show by the people who own The Intercept, Topic, but really, why — if we’re willing to say I’m sorry you can’t install an app of your choosing on your phone because it might be bad for you and it might endanger you, then why wouldn’t we say I’m sorry you can’t put bread of your choosing in your toaster? Kitchen fires have killed a lot more people than bad apps, right? You stick a bagel in your toaster; the next thing you know, you’re sticking a knife in there to get it out. The next thing you know, you’re dead on the floor. Why should we let you put any old bread in there? Besides that, think of the user experience we could guarantee if we could tell you which bread went in the toaster.
PAUL: Right. Well, and we could monitor when your bread is getting low and we could order you new bread so you don’t have to do that.
CORY: All of the above. We can certify that it’s fair trade. We can do all kinds of really beneficial things if only you allow us to make it a felony…
PAUL: Surrender agency.
CORY: …for you to use your property this way. Yeah.
PAUL: One thing that confuses me and I know you’re not a lawyer and I’m not a lawyer, so this is gonna be one of those conversations where two people who aren’t lawyers talk about the law, but it would seem to me that mandating that you have to buy a GE OEM-approved filter is illegal under antitrust law, under — I don’t know if it’s the Clayton Act or the Sherman Antitrust Act, but it’s a tying arrangement where in order to — if you buy this fridge, you have to buy a certain filter, and that would seem to be pretty clearly illegal but yet, it is being done right now as we speak.
CORY: I think that ship — I don’t know if that ship has sailed but that ship has sailed for now. Remember that there really isn’t a private right of action here. You don’t get to decide which rules the FTC or the DOJ is gonna enforce. They decide, and their institutional priorities do not, at the present time, reach to that kind of activity. Nor have they for a very long time, primarily because of this Borkian theory of antitrust. I said Ronald Reagan was — had this darling Robert Bork, but it wasn’t just Reagan who adopted Borkian ideas of monopoly enforcement. In fact, Reagan got very little of Bork’s agenda through. It was [00:15:00] every president afterwards, Democrat and Republican, who expanded the laissez-faire approach to anti-monopoly and antitrust enforcement in the years since.
I do think that winds are changing and when you look back to the Gilded Age and the trust-busting, the Sherman Act was passed decades before trust-busting started. The Sherman Act was a toothless tiger for decades. What changed was the political climate. Here’s my message of hope to you, which is that before the term ecology was coined in the 1970s, there were people who were really upset about the plight of owls, and other people who really cared about the ozone layer, and still more people who cared about acid rain. But they did not see themselves as working in the same movement. They saw themselves as working on different issues, maybe issues that they could all get behind, but it wasn’t part of the same cause. The term ecology took every one of those causes and welded them together into a movement.
There are people today who are sad because their favorite wrestlers are begging for medical money on GoFundMe because after Vince McMahon bought all the leagues, he took away their health insurance and now they’re all dying in their fifties with no medical insurance. There are people who are angry because all the eyewear brands are owned by one company, and there’s people who are angry because all the oil companies are down to like, three or four, and there are people who are angry about shipping, and there’s people who are angry about every other industry including tech, including appliances, including automotive. All of those people right now think that what they’re angry about is cars or computers or the web or eyeglasses or wrestling. But they’re really angry about monopolies.
PAUL: Well, here in Massachusetts, in fact, there’s a ballot initiative sponsored by AAA and independent auto repair companies to basically expand the state’s auto Right to Repair bill to include wireless telematics, which kind of got carved out of the original bill.
CORY: Yeah. I did some work on that ballot initiative.
PAUL: You did; oh, good. But if you try and talk to the people organizing that campaign about digital Right to Repair, they’re like oh, we don’t want to talk about that. Like, that’s not our issue. We don’t want to talk about phones. It’s like, but it’s the same issue.
CORY: Here’s what I think about those people, ‘cause I do know them reasonably well; I don’t think I’m telling any tales out of school here, is that they are leery of being accused of being the camel’s nose under the tent or the thin edge of the wedge, right? First cars, next, iPhones.
PAUL: Facking right. Yeah, exactly.
CORY: Well, sure, right? But Apple killed twenty Right to Repair bills in twenty states in one year.
PAUL: Yeah, yeah.
CORY: Right? So, what they want to do — maybe they will be the camel’s nose and maybe they won’t. I don’t want to — I don’t think that history runs on these rails of inevitability, but if they want very much not to say hey Apple, there’s an initiative here that [inaudible] and by the way, you’ve got however many hundreds of billions of dollars stashed overseas that you can use to destroy it. That’s what they’re leery of and that’s why — if you ask them about phones, they’ll say it’s not phones; it’s cars. Yeah, of course. All a car is is a computer in a fancy case, of course. A plane is a flying UNIX box, of course. Right? I get it. But a nuclear power plant is a computer in a very fancy, very volatile case, right? It’s the world’s greatest case mod. All of that said, I understand where they’re — like, tactically, I understand why they don’t want to.
PAUL: Well, right, because the huge amount of money on the other side forces you to be atomized. Nobody wants to get beat with that cudgel and they don’t want Apple coming into their fight. They’d rather just take on the auto manufacturers who don’t have Apple’s money or savvy. I get it. But the fact that we’re atomized is — that’s by design. Anyway, so along comes the GE Filtergate and there have been other people who have done this same exact hack and didn’t set up a website about it, but — so, it’s not exactly new. I kind of love this and it reminds me of the Terry Gilliam film Brazil, which centered on a rogue air conditioning repairman.
CORY: Yup, Archibald Tuttle.
PAUL: Archibald Tuttle. That’s right. You kind of thrill at these pretty ingenious workarounds and hacks to defeat this DRM. There’s part of me also that thinks that I shouldn’t be so excited about them, that it’s kind of a maladaptation, but I’d be interested in your thoughts.
CORY: Okay, well, look; you’re right that the fact that companies invest in anti-features, that things that nobody wants — nobody ever went to the store and said do you have a fridge that makes it really hard for me to use independently-produced filters? ‘Cause that’s what I’m here for. No salesman extols the virtue of the proprietary filter when you’re thinking about buying a fridge, right? It is perverse that firms are [00:20:00] investing in garbage anti-features, but the equilibrium that produces that investment is that there is no opportunity for a counter-investment from a third party that would undermine the excess margins that you’re collecting, the excess rents that you’re collecting. Let me give you an example of how this can go wrong for a firm. In the early 2000s, Lexmark was a division of IBM and they, too, had invented a form of proprietary carbon. It was the carbon powder in their laser printer cartridges and their toner cartridges.
It was the very early days of embedded computing and they had an embedded system chip, and because computers were expensive back then, it had twelve bytes of main memory and they had a twelve-byte program in it. What it did is when all the toner was empty, it flipped a bit that went — that told the printer ‘I am a full cartridge’ to ‘I am an empty cartridge’. If you put more carbon powder in the cartridge, the chip would still say ‘I am empty’. Along comes a company called Static Controls, and Static — I believe they were Taiwanese — they cloned the chip, which is not hard; it was a twelve-byte operating environment, right? They cloned the chip and they made a chip that would just say, ‘I am always full’. ‘I am here and ready to print’. Lexmark sued them and they said you violated the Digital Millennium Copyright Act. The court said, so the Digital Millennium Copyright Act protects copyrighted works. Are you saying your carbon powder is a copyrighted work?
They were like, no. They said well, where’s the copyrighted work here? They said oh, it’s the twelve-byte program on our chip. The court said look, software can be copyrightable, but this software, twelve bytes of it, is not even a haiku. This is not copyrightable code. It doesn’t rise to the standard of copyrightability. Here’s the kicker; Static used the revenues that it generated from raiding the margins that Lexmark was charging on carbon to build up such a war chest that Lexmark is currently a division of Static Controls. That’s what shifts when you take away a firm’s right to decide who can compete with them because competitors will come in and they can outrun you. They can just do a complete lap around you while you are trying to convince customers to buy anti-feature products.
PAUL: Right, right. There is mortal risk for these companies even if they don’t — if their eyes are kind of glazed over with the dollar signs that they’re going to be able to basically extort from their customers in the short term.
CORY: Back to how markets are supposed to work; your margin is my opportunity. If you’ve got a 5,000% margin on carbon, I know where I can get some carbon and I’ll take — I’ll happily take 2,000%. It’s only the presence of the law that shifts the equilibrium.
PAUL: Yeah. You’re listening to The Security Ledger Podcast. This episode of the podcast is sponsored by VirSec Systems. How common are these types of features — my sense is — are they becoming more and more common? I mean, we’ve seen obviously Apple get more and more aggressive with its anti-repair features. I’d say anti-tampering but they’re basically anti-repair features. Are other device-makers following suit? Is GE the exception or the rule?
CORY: Oh no, there’s tons. I mean, we talked about inkjet printers, also embedded systems in car engines, also…
PAUL: Medical devices for sure, yeah.
CORY: Yeah, insulin pumps. There’s just so much proprietary consumable stuff out there, proprietary spares as well. Firms have always thought of the service market as a really important market to corner. We tend to think of the major effect of cornering the market as being able to gouge on service and parts, but I think that that’s actually just the icing on the cake. The real cake is being able to decide when no repair is possible. You mentioned iFixit. iFixit routinely — its customers, the people who buy its repair manuals and its tools — routinely fix iPhones that Apple says cannot be repaired.
Now, it’s not a coincidence that in the first shareholder meeting of 2019, Tim Cook told his shareholders that the biggest threat to the company’s profitability is that people were holding onto their devices for longer rather than replacing them every couple of years. If a manufacturer gets to decide when your device is e-waste, they get to decide when you buy a new device. If they have an ecosystem that locks you in, like for example, if all your apps are tethered to your platform, then they can be pretty sure that you’ll buy a device from them. Yeah, there’s tons of manufacturers who see this as a beneficial way to go.
PAUL: Yeah, indeed, indeed. I guess one question [00:25:00] is what’s the fix here? There’s part of me that thinks well, the laws are already on the books to prevent a lot of this egregious behavior; the anti-tying laws and other things in the Clayton Act and the Sherman Antitrust Act. Those are already on the books; they’re just not being enforced. At the same time, it’s very, very difficult to get consumers to have situational awareness about this. It’s kinda like we’re all frogs in the pot of boiling water. What is to be done?
CORY: Well, Larry Lessig talks about there being these four forces that regulate our world. There’s code, what’s technologically possible; law, what’s lawfully permissible; norms, what’s socially acceptable, and markets, what’s profitable. They all work in harmony. Sometimes when you run out of headroom, say with a law because no one wants to enforce the laws, then you have to go for norms, right? You have to start telling people that it wasn’t a vast impersonal force that decided that you should buy $55 carbon for your fridge; it was a named individual and here’s where they live. Maybe we have to have a normative shift that makes those companies beyond the pale, makes them pariahs, and maybe that will spur either a competitor that decides to enter the market and dare them to sue, or action from Congress to strengthen the law, or possibly action from an attorney general. Attorneys general are kind of a secret engine of progress, here.
They say AG stands for Aspiring Governor. These pocketbook issues, like I want to make it so that you have permission to decide which carbon goes in your fridge because you’re getting ripped off by this big, impersonal PE-backed appliance company, that’s the kind of thing that everybody loves. I don’t know if you remember the Sony rootkit when they — when Sony poisoned millions of computers with audio CDs, the FTC — we got almost nothing out of them. But the AGs just tore Sony a new a-hole because why wouldn’t they, right? It’s within their power. Sony was absolutely egregious to do what they did and it affected the people that they have jurisdiction over, and everyone can understand that Sony giving your computer a virus on the off-chance that you’re a music pirate is not cool. Not to mention that Sony infected 200,000 – 300,000 US military and government networks with malware with that stunt.
PAUL: Yeah. We have seen scores, literally, of state-level Right to Repair laws. Iíve lobbied on behalf of a couple of them, and theyíve all been shot down. This year, covid took them all out so we canít really say it was lobbying by Apple, but in past years, itís been lobbying by CTIA and Apple and others. Should we be encouraged by this, that eventually one of these things is gonna make it through so many states bringing this up year after year? Eventually, are we gonna — is it gonna slip through and is there — obviously, thatís evidence of a grassroots support for this, but what do you think is gonna happen?
COREY: Well, in some states, you’re seeing ballot initiatives to circumvent the fallibility or the corruptibility of their state legislatures, so that might be the next phase. The other thing that I think is that you will see people become increasingly radicalized, that the failure of the procedural escape valve here thatís supposed to stop us from boiling over by allowing people to petition for redress for bad laws thatís just being trumped and trumped again by big money, it shifts peopleís view from the problem being a legislative oversight to the problem being legislative corruption.
Once that happens, then you start to see people losing elections, you see people being made vulnerable on those issues, you see donations, you see people who take it up as a matter of principle, and as I was saying before, I think that we are ripe for a moment in which people start to recognize that a bunch of seemingly disparate issues actually have a common root cause which is monopolism and that monopolism in all its guises and expressions will be in bad odor especially after covid, right, because after covid you’re gonna see everyone with dry powder. Everyone with a lot of money is gonna be buying up distressed firms like crazy. Weíre gonna see even more market concentration and more dysfunction as a consequence.
PAUL: Oh, interesting. Yeah, thatís a really interesting idea. Is there a better word than monopolism, though? You’re creative and ecology is great, but I don’t know, monopolism doesn’t roll off the tongue.
COREY: I mean, I like — monopolism — think about monopolism is it’s what we don’t want. It’s actually anti-monopolism, which sucks. I like pluralism.
PAUL: Right, [00:30:00] anti-monopolism. Yeah, yes. Yeah, of course. Right. It’s a good one. It’s all-encompassing.
COREY: Yeah, and I think its corollary — or corollary for Americans — is self-determination.
PAUL: Even better.
COREY: Lots of firms out there, lots of centers of power, lots of places you can get stuff, lots of places you can use stuff, and why do you want lots of places? So you can decide how the stuff that you rely on work.
PAUL: Cory Doctorow, that is a great note to end it on. I totally agree. Thank you so much for coming on and speaking to us again on The Security Ledger Podcast.
COREY: Alright, well, I’ll talk to you later.
Up next, information security has a scale problem. Simply put, there are too many threats and too many threat actors for cyber-defenders to keep up. Despite vast improvements in defensive technologies and so-called incident response, the bad guys are adapting their methods as well and staying one step ahead. Many think the solution to this is more automation; use computers guided by machine learning and artificial intelligence to do the work of scarce human operators.
But such approaches carry real risk. Among them, false positives and false negatives as well as the unplanned downtime that each creates. Our next guest says a better approach might be to stop playing Whac-A-Mole with attackers and threats and focus on what matters; ensuring that developed code behaves as it was intended to. Satya Gupta is a Chief Technology Officer at the firm VirSec. In this conversation, he and I talk about how the firm started in the wake of the SQL Slammer outbreak in the early 2000s and how technologies like application runtime mapping are taking on new relevance in the age of DevSecOps and shift-left.
SATYA: Yes, my name is Satya Gupta and I am the CTO at VirSec.
PAUL: Satya, welcome to The Security Ledger Podcast.
SATYA: Thank you. Very nice talking to you.
PAUL: It’s nice talking to you as well. Satya, for the listeners — Security Ledger Podcast listeners we have who aren’t familiar with VirSec as a company, could you tell us a little bit about VirSec and also, in the CTO role, what you do there?
SATYA: Yeah, so as I mentioned earlier, I am the CTO. I am [inaudible] with the founder of this company and this technology, a very close friend of mine who’s a professor at University of Massachusetts in Amherst. We were having coffee at a Starbucks and we were watching with a little bit of anxiety about the Slammer worm, this MS sequenced Slammer worm that was taking down hundreds of thousands of machines on an hourly basis. We were very dismayed to see that Symantec, McAfee, a whole bunch of other security control providers were sending out signature after signature ’cause the Slammer worm was a polymorphic worm. It kept changing its signature, essentially, on the network. It became really a game of arcade, where you — on all those — where you lean on one frog, and it shows up, another one pops up somewhere else, and all.
PAUL: That game would be Whac-A-Mole.
SATYA: Yes, exactly right. We were sitting there and we were trying to figure out what would be a good way — and everybody has been — all the security controls that we see so far have been chasing data that’s coming in, and they’re looking for bad stuff inside that data. The reality is that it’s really the code. The developer is trying to run a piece of code and the attacker is trying to run a piece of code. If it turns out that the developer’s code has a vulnerability in it, then the attacker’s code will start running. That’s what the very first thing that the attacker is looking to do, is to be able to run their own code on something that they can influence. What we decided to do is we have this concept that we call AppMap. What it does is basically projects how an application is likely to execute. If I had source code available to me, I would be able to see all of this very easily, that this particular function required this other function. I can see that.
But when it turns into machine code, it turns out that if you know what you’re doing, then you know where you can follow the same logic to be able to predict where — how the CPU will be executing. If you think of a journey that you might be taking in your car; follow — let’s say there are ten instructions or ten turns that you have to make from your starting point from your source to the destination, then what we do is we make sure that at the time that you are about to make that turn, we make sure that the application is performing, doing the right thing. We are almost like the GPS that makes sure that the application is proceeding along the line that you thought you would be doing. By just following these addresses, memory, and by extracting those linkages ahead of time that we call AppMaps, we are able to make sure that the application stays on its guardrails.
PAUL: You [00:35:00] mentioned Schneider Electric and your work with industrial control system vendors, OEMs; that’s a really interesting space first of all because we know from the headlines and what’s been reported and so on that critical infrastructures, ICS, and SCADA systems are absolutely a target of sophisticated cyber-adversaries, actors, nation state and otherwise, and also because the rap that the SCADA industry has is — there’s a lot of legacy equipment, maybe not a great track record of secure coding and secure application development, a lot of ‘set it and forget it’ deployments where you’ve got infrastructure owners who really have very geographically, physically distributed networks and just are very reluctant to be aggressively updating and patching and managing assets that are working, you know? What’s been VirSec’s experience working within that vertical and are those things changing? Is that industry getting more savvy about — both on the application security side and also about the active management piece that you — we no longer can set it and forget it and leave something configured the same way for a year or five years or ten years?
SATYA: Absolutely. You know, I have to say that the industry itself, the — Schneider, Aviva, and all are really very savvy companies and they produce really high-quality code. But really, the trouble comes from the operation side, the folks who use the product and all, are kind of reluctant to cause business disruptions. They really have no ability or very poor ability to upgrade even though some really good code is available from the vendors. It’s all about the business disruption. What we noticed is that the reason why a lot of those operators like us a lot is because even if your code is vulnerable, when you run VirSec with it, it cannot be exploited. That’s good news. You get almost like this concept of virtual patching. The code is really resilient in many ways. It doesn’t need to be patched on an emergency basis. You can plan your upgrades and all, essentially. That’s one good thing that we notice out there. The way we kind of protect it is that — protect the ICU’s infrastructure is that a lot of these attacks that you might see; WannaCry is a great — very good example, but now there’s been other famous ones like Stuxnet, Industroyer, and such like NotPetya and stuff like that.
PAUL: Blackout, yeah.
SATYA: Yeah, absolutely. They all start now either from the IT side of the fence or they do start from the — in the industrial control system, they follow a model called Purdue Enterprise Representative Architecture, PERA model, for short. They have divided these tiers of applications that they have in their PERA model into levels. The OTE starts off at Level 3 which is where all the historian that are going to get exposed to the internet are located. Their HMI is Human-Machine Interface and then things like those, but then there are these apps; there was database, there wasn’t all that in Level 2. Its weaknesses in these — there was a library injection capability in these servers that sort of allow bad things to get downloaded onto Level 1 which is where all the PLCs and all are running. The goal of the attacker is somehow to be able to reach the PLC, but with VirSec sitting in the middle to protect PLCs from being accessed directly, we are able to keep — lock them out. With PL3 and PL — I’m sorry, Level 3 and Level 2 servers being very well-protected, it’s just very, very difficult to get to the PLCs directly.
PAUL: These days, you can’t have a conversation and not talk about the covid pandemic and all the changes that have gone along with that. I’d be interested in your thoughts on how you’ve seen covid have an impact just maybe within VirSec but also within your customer base, and if we were to look in the crystal ball out two or three years, what you think the long-term changes are that will result from covid; what types of practices and new normal are we likely to see once we’ve got the virus under control?
SATYA: That’s absolutely a great question. What we are seeing here is that there’s this whole notion of digital transformation that everybody’s been talking about. What does it mean? [00:40:00] It means even those people who are very reluctant to put up a digital or software application that can help with productivity or let people work from home and are now making a beeline to deploying those kind of applications is helter-skelter. What we are seeing here is that there’s a whole bunch of companies who are rushing out to deploy software. We feel that there will be a great rush to deploy applications that were — people were sort of semi-reluctant to deploy previously, but now there is no choice out here because this is a new normal here.
More and more people will like to work from home and would like to make sure that they don’t get impacted by — this is a nasty disease, as we all know. It doesn’t show any sign of abating at all. I have family members who work with other companies who have been told to work from home from — until the end of this year. That leads me to think that it’s the — this age-old notion that software eats the world is going to actually come true here, that we will see more and more software and more and more hardware being deployed, and the need to keep yourself safe as software becomes mainstream in everybody’s life. If, let’s say, for 13%, 16% people before, now it’s got to be close to 90%, and there’s going to be subtle changes in how we all think of digital transformation and all happening in different parts of our lives and all.
PAUL: Maybe we should change that to software and viruses eat the world.
SATYA: Absolutely. You’re absolutely right.
PAUL: Silicon and virology, yeah. Final question; from your perch as the Chief Technology Officer at VirSec, what has caught your interest both in terms of threats and threat trends out there within the VirSec customer base, and also what is coming down the road in terms of new defenses or protections from VirSec?
SATYA: Absolutely. We see that typically, the — if I were a burglar and if I had a choice; I could go to my next door neighbor or go to the ATM, I would actually focus on the ATM, right? There’s more money to be had out there, essentially. Not that I would do it, but that’d be a juicier target. What we see is there’s a whole sector in the business security control that are trying to protect the endpoints, and that’s a good thing because that’s where credentials are stolen and all, but the real target is these servers, essentially, where there’s IP and high-value assets that are — your information assets that are stored on the servers. Those are the big, juicy targets and all. What we do see is that there are more and more focus on having mechanisms that are very precise.
The existing security control, one of the biggest downsides of many of these security controls is because they sort of resort to projections. They end up with false positives. People are now moving — the boardroom is now thinking about zero-tolerance kind of a thing, zero-risk. People are looking for how to reduce that risk. We see exact technologies like VirSec which are very deterministic, which are not driven by AI and ML and all. If I do get breached, I can’t turn around and say hey, my AI engine told me that this was the best way to go. It’s too late. There’s more and more room for exact and deterministic technology that I see out here. Applications have to become self-resilient. They should be able to defend themselves.
We see that the technologies like VirSec which are running inline inside the application are going to displace technology that are running outside because of the lack of precision and the lack of visibility that those kind of technologies do not have inside the application. More and more, the big trend, it’ll become harder and harder for the attacker, I would think, because now they’re relying today on vulnerabilities that are present in the application. But if the application were not being able to get exploited, then it just makes life easier and we’ll see, as you rightly mentioned before, the software and viruses of malware is eating the world; it’ll turn towards — more towards software being able to keep you safe, essentially.
PAUL: Okay, so if somebody’s listening and they’re an application developer, maybe they’re working on some legacy code base, might be years old or longer or they’re in some greenfield startup, can they equally approach VirSec? Is it better for one or the other, and how do they contact you if they are intrigued by what you have been talking about?
SATYA: Absolutely. Because we don’t require source code and we kind of do things at a much granular level, we are basically [00:45:00] keeping the application safe, there’s always been this whole hot process that somehow you could write better code and all, and we’ve been talking about this for the last fifty years now, I would say. The Morris worm came up, but it’s not really a practical approach, right? The developer will do what the developer does and having been one, I can tell you if you came up to me and said hey, better write some more secure code, I’d look at you and say, what does this mean? With VirSec, you are to quit — that’s not — it’s how the GPS changed everybody’s world, right?
In the past, I’ve been driving with — before the GPSs were around, you’d actually have a map in your hand and your colleague was sitting next to you, might be telling you — or your partner might be telling you go left, and you say no, no, I think I have to go right, kind of thing, right? None of that matters anymore at that point with — to VirSec and working to help the developer. It is also possible that there are all these tools at work that kind of embed themselves in the source code directly, but in my mind there will always be a case where you’ll be using third party code. It’s not just necessary to embed security into your own code, but you’re so dependent on third party code that you are to somehow be able to secure that.
You can’t really — if you have five doors in your home, then you can’t put a guard at two doors and leave the other three open. Technology that kind of work agnostic into the code are inherently going to be more useful than control that work in your first party code. They have a bigger canvas. They are able to protect the application, a larger part of the applications the attacker will surface. I feel this would be a good thing for developers where you can just focus on writing good — your functionality and making sure you have a control like VirSec with you that will keep you safe no matter what happens.
PAUL: Satya Gupta, co-founder and CTO at VirSec, thank you so much for coming on and speaking to us on The Security Ledger Podcast.
SATYA: Absolutely. My pleasure.
PAUL: Satya Gupta is the Chief Technology Officer at VirSec Systems. You’ve been listening to The Security Ledger Podcast. This episode of the podcast was sponsored by VirSec Systems. VirSec was founded on the belief that a new model is needed to counter today’s advanced cyber-threats. VirSec’s technology pinpoints threats at the source within business critical applications. The VirSec platform maps correct application behavior and instantly detects and blocks deviations caused by attacks. This deterministic approach stops threats in real-time, delivering unprecedented accuracy without false positives. VirSec protects any application, patched or unpatched, across the full application stack from web threats to binary memory-based attacks. Check them out at virsec.com.
[END OF RECORDING]
Transcription by: www.leahtranscribes.com