In this episode of the podcast, I speak with Window Snyder (@window), the founder and CEO of Thistle Technologies about the (many) security challenges facing Internet of Things (IoT) devices and her idea for making things better: Thistle’s platform for secure development and deployment of IoT devices.

[Video Podcast] | [MP3] | [Transcript]

---

The growth of the Internet of Things is one of the most significant developments in information technology over the last two decades. During that time our homes, workplaces and public spaces have become populated with a wide range of smart, software driven, and Internet connected devices ranging from printers to cameras and home appliances. 

It’s no surprise that cyber threats and attacks followed. A recent report from Cisco found that the growth of the internet of things (IoT) and connected devices was the biggest contributing factors to organizations’ expanding attack surfaces. 

The Future of IoT Security Standards

IoT security: old-school in the worst way

Part of the reason that IoT insecurity is such a big problem is that device makers and the development organizations that serve them have struggled to learn the lessons of the last 30 years. Embedded software running smart devices in everything from homes and businesses to critical infrastructure repeat many of the same mistakes – from buffer overflows and SQL injection to weak authentication schemes – that characterized earlier generations of software and services. 

Episode 241: If Its Smart, Its Vulnerable a Conversation with Mikko Hyppönen

Given how widespread the issues are with device security, how can we possibly hope to fix this urgent problem? Our guest on this week’s podcast thinks she has a solution. Rather than wagging a finger at IoT device makers (tempting though that is), why not provide them with the tools, technology and support to make developing secure, embedded devices easier? 

Making IoT security easier

Window Snyder is the CEO and founder of Thistle Technologies, a start-up seeking to help secure Internet of Things devices. In February, Thistle announced the launch of the Thistle Security Platform, a set of tools and services that bring software updates and other security functionality to the world of embedded devices. While there is no “silver bullet” to securing the IoT, Window argues, giving development organizations the tools and support they need to make smart security decisions about things like using memory-safe languages or deploying secure updates will pay huge dividends.

Episode 244: ZuoRAT brings APT Tactics to Home Networks

She should know. Window is a security industry veteran and former Chief Security Officer at Square, Fastly and Mozilla. She previously spent five years at Apple responsible for security and privacy strategy and features for OS X and iOS. Other roles include Chief Software Security Officer at Intel, Chief Security Something-or-Other at Mozilla and a founder at Matasano, a security services and product company based in New York City, acquired by NCC Group in 2012.

In this conversation, Window and I talk about the idea behind Thistle, the company she founded, her lng history in information security and what inspired her to dive into the IoT security problem. 

---

Video Podcast

You can also watch my interview with Window on Security Ledger’s YouTube channel.

---

Transcript

Paul Roberts, Security Ledger: ​[00:00:00] Each month a security ledger podcast informs and entertains an audience of thousands of information technology and cybersecurity professionals. If that sounds like an audience your company’s trying to reach, consider becoming a security ledger podcast sponsor. We offer per episode sponsors ships of our regular podcast, which features news analysis and discussion of the most important security topics of the day.

Or you can commission a custom podcast that highlights your executives, researchers, and subject matter experts. To learn more, point your browser to security ledger.com/sponsor.[00:01:00]

Hello and welcome to the Security Ledger podcast. I’m Paul Roberts, editor-in-chief at the Security Ledger. In this episode of the podcast Number 250, the growth of the Internet of Things is one of the most significant developments in information technology over the last decade. During that time, our homes, workplaces, and public spaces have become populated with a wide range of smart.

Software driven and internet connected devices ranging from printers and cameras to home appliances and heavy machinery. Cyber threats and attacks have followed. However, a recent report from Cisco found that the growth of the Internet of things and connected devices were the biggest contributing factors to organizations expanding attack surface.

Part of the reason is that device makers and the development organizations that serve them have struggled to learn the lessons of the last 30 [00:02:00] years. Embedded software, running smart devices and everything from homes and businesses to critical infrastructure. Repeat many of the same mistakes that have plagued earlier generations of software and services.

From buffer overflows to SQL injection to weak authentication schemes. Our guest on this week’s podcast thinks she has a solution to that problem. Rather than wagging a finger at iot device makers, why not provide them with the tools, technology, and support to make developing secure embedded devices easier?

Windows Snyder is the CEO and founder of. Thistle Technologies In February, thistle announce the launch of Thistle Security platform, a set of tools and services that brings software updates and other security functionality to the world of embedded devices. Windows of security industry, veteran and former chief security officer at Square, Fastly and Mozilla.

She spent five years at Apple responsible for security and privacy strategy [00:03:00] and features for OS 10 and iOS. Windows. Other roles include Chief Software Security Officer at Intel Security, something or other at Mozilla, and founder of montesano, a security services and product company based in New York City that was acquired by NCC Group.

To start off our conversation, I asked Window to tell us a little bit about her latest Project Thistle and what inspired her to dive into the IOT security problem. Okay, welcome back to the Security Ledger podcast. And I’m really thrilled to have with us in the studio Window Snyder, who is the founder and CEO at Thistle Technologies. Window for the folks who aren’t familiar with you and with Thistle. Just tell us a little bit about yourself and about your company.

Window Snyder, Thistle Inc.: Sure. So I started Thistle Technologies because I saw a [00:04:00] problem in the industry that it’s been bothering me actually for a long time, for having worked on…

a number of different operating systems, a number of different platforms. A lot of the security work that went into these general purpose operating systems hasn’t made its way to devices and In my work at Apple I got to see, you know, what it takes to make update, for example, a reliable mechanism for, for the phone, which is really different than trying to do, update reliably for web browser, for what it’s worth for a web browser. If update fails as an example the user can mostly get themselves back into a good state, right? They can either try it again or they can reboot the machine or one, one way or another, the, the user. You can mostly figure it out, but for hardware device, right? You’ve got. A much lower tolerance for failures in these spaces.

So reliability ends up being a critical piece of it because for a, a device, if a, if an update fails, right, that’s a [00:05:00] phone that’s gotta come back to the mobile store, or it’s a car that’s gotta come back to the dealership, or it’s a technician that’s gotta visit the television in your house. Or it’s a factory manufacturing line that’s shut down until a technician can get there.

Or if it’s a satellite, it’s just gone forever. Right? So the tolerance for failure in these spaces is really low. And then what I was seeing was that for the most part, even if they had update mechanisms, they weren’t being updated because the The, the, the analysis between whether to deliver an update versus the possibility of failure was, was this calculus that they, they, these device manufacturers had to consider every single time.

So reliability was a really critical piece of it, but I was also seeing, especially my role at Intel Where I was the chief software security officer, I got to see like this industry scale perspective of, of, of what device security looked like everywhere. And I, you know, honestly, I was seeing things like a lack of separation of privilege, a lack of separation between code and data.

And for what it’s worth, you know, that that’s, That that means, you know, without memory, corruption, mitigation, you start to see things like, like [00:06:00] exploitation. Looks like it did in the nineties mid nineties on general purposes, offering systems before we had memory corruption mitigation on these devices.

So it really felt like a lot of the, the problems that we had seen really early on just hadn’t made the, the solutions had to make their way onto devices. And it’s, it’s not surprising because these are you know, much more constrained in, in resources whether it’s it’s space or comp comput power or, or, Battery.

Like the, the, the amount, the amount of energy you use to to, to power up a radio is, is, is, is considered for these devices. And and then of course they’re attached to like, critical systems that you know, it’s national infrastructure. It’s, it’s everything, right? So the, the combination of high security requirements and then low tolerance for any, anything that’s going to mess with reliability combines to, to, to, to keep the simple, the systems as simple as possible, but they’re not. Resilient enough against the security threats that we see today. And in addition to that, they’re deployed in, in on [00:07:00] a completely different timeline.

Like how long is that MRI in place in the county hospital? How long is, is a car running around on, on, on, on our road? Like the, the lifespan of these devices is so long, so not, they’re not up to the security threats that they are. Dealing with today, the on the day that they’re deployed, but additionally, they have a much longer lifespan, so they need to be resilient against security threads, you know, 10, 20 plus years out.

And so it seemed like, you know, this, this, this massive space in the industry where there was an opportunity to, to, to make it easier for folks to, to get to a modern

Paul Roberts, Security Ledger: Yeah, Was there an aha moment for you with IOT and security? You mentioned you were at Intel before that, you were at Apple, you were at Mozilla, you were at Microsoft going all the way back to sort of @stake.

So you’ve worked for both traditional software publishers, some of the largest in the world as well as device makers and Everything in between. You worked at Square. So when did this sort of [00:08:00] idea of wow, IoT is, really where the problem is that I wanna, that I want to dive in on.

Window Snyder, Thistle Inc.: Sure. So in my role as a CISO, both at Fastly and And more recently at Square, I would be considered, I considered these devices that were being deployed in our environment and they were unmanageable, but just, frankly, devices were unmanageable. And so if you even get a response back from the security, the, from the vendor about the security of the device, not only was it unsatisfying, like we use military grade encryption.

Fantastic. Thank you. That, that tells me nothing. Right. Or if you, if you get it back, it’s, it’s definitely not up to the same security requirements as the rest of, of the of the, the environment. But then it’s very often sitting on the same networks. Like for example, your printer is in order to be able to use it, it’s gotta be the same networks with your workstations, right?

And if you have a devices network to try and isolate them, then eventually [00:09:00] you have all your devices. On this device network. And so the device network still has access to all these incredibly important and critical resources. So there’s, there’s a degree of completely like just lack of manageability.

And then additionally just seeing how, or knowing how how, how, how vulnerable a lot of these devices are. And then And of course for, for running teams that, that build the security features that go into these devices with high security requirements. Seeing how much it costs to build that organization to to, to build security, resilience into these devices at a degree, to a degree that’s appropriate for the threat that they’re up against.

And I was like, We don’t have 20 plus years for the rest of the device industry to catch up. And we definitely know that they can’t spend what those big companies that have done well with device security or platform security that’s not scalable. It, it’s like, it’s just not available to everyone. And and then you’ve got all these really cool startups, really cool [00:10:00] smart engineering teams that don’t necessarily have any security engineering folks on board, but they’re building devices that are, you know, Taking over logistics.

They are space startups that are building new devices off a shelf components. There are a lot of teams that just don’t even have the security engineering organization that, that they needed in order to build these, this, this kind of security resilience. And then for the teams, large companies that do have sophisticated security engineering teams, I know that there’s a laundry list, you know, a mile long of the set of things that they need to get, they need to get to.

So the aha moment for me was, Was seeing just how, how, how big the problem was, how widespread it was and, and realizing that like the things that that I’ve, I’ve, I’ve built into other platforms are, are things that would benefit the device industry as a whole. If we could find a way to generalize some of these.

These problems. So that’s what we’re building. We’re building tools, libraries and backend services that allow these device manufacturers to put together the security components that [00:11:00] are appropriate for their project and leverage it within their existing technology investments so they don’t have to move to a whole other operating system, do a forklift upgrade to get modern security work on their, on their project.

And so that’s what we’re building and it’s It, it’s, it’s, it’s really gotten such a wonderful response. We have this one company that we’ve talked to that like kind ships, hardware, that has this low level security capabilities that’s got security element that they wanna be able to leverage.

They just didn’t have anyone on board that was equipped to, to, to build. To, to this, this hardware capability. So they’ve already paid for it and they, they’re not able to leverage it in their product. Or at least not right now, is something they wanted to get to. So anyways, being able to make it easy to incorporate this kind of security work, these discreet security sensitive components into your project, allows these device makers to quickly get

Paul Roberts, Security Ledger: And, is this platform, is this the Thistle platform about the, [00:12:00] development side of things, the software development side of things? Is it about deploy build and deployment supporting devices post-deployment? Like where do you guys fit in, the whole dev pipeline?

Window Snyder, Thistle Inc.: Yeah, so it’s definitely developer tools. It allows developers to incorporate these, these tools, send them as libraries into their build. And then on the back end there are services to allow folks to manage, those services. So if you take update as an example, there’s a component that’s built into the device that’s all there.

On the, on the actual device itself, there are developer tools that make it easy. So things like you partitioning the drives and and, and deploying it onto the device. There are developer tools that allow you to incorporate, let’s say, a memory allocator with modern memory corruption mitigation, that makes it more difficult to exploit memory corruption issues that might be present in, in low level code on the, on the device. And then a, a TLS stack that is implemented in a memory safe language, which means that you can [00:13:00] get to a place where you can say, all of my network facing attack surface is implemented in a memory safe language, which means something that’s a tangible security improvement that’s measurable, right?

So being able to say that you’ve, you’ve, you’ve mitigated the the network facing attack service in that way is meaningful, especially to a, to a smart security buyer. So those are, those are developable tool developer tools, and then we’ve got. The backend components, the services that allow you to deploy your updates and manage your updates which can also be white labeled for your customers so that your customers can use that to manage your to manage the devices in their environment independently of however you might be you know, managing devices from the, from the cloud or on-prem, if there’s, there’s definitely some providers that are, some, some folks who are deploying devices that have security requirements that don’t allow them to connect to the internet, right? So for those folks who wanna go, make sure that they’re able to do updates leverage these security features …

Paul Roberts, Security Ledger: Over the air updates is [00:14:00] it’s big security risk for iot devices. Also an important security feature of them being able to push out software updates, firmware updates, keep them patched and also push out new features if that’s what you’re doing. Thistle just release a OTA, product to help, secure updates.

Can you just talk a little bit about how that works?

Window Snyder, Thistle Inc.: Sure. So there’s a developer tool that you as a developer used to build the client into the interior device. The partition, the drive, so you have a failover helps you do your key management so that your updates can be recognized as coming from you, the developer and not from, you know, who knows where to validate updates.

It allows you to deploy your updates and. Manage them. So you can set device groups, you can, you can do A/B testing, you can do a slow rollout. You can also use it as a [00:15:00] developer for just continuous integration, right? You’ve got like six or seven devices on your workbench, and your current plan is to go around with a, a cable to deploy your new build.

Every time you, you make a change, that’s a pain of course. So being able to create a device group with just your, your, your devices and deploy the the, the build to the device or even, you know, a single one build to this device, another build to that device and, and so on allows you to very quickly get to to testing on your actual device instead of testing the simulator, which we all know is not, they’re not as similar as we hope.

For, for this testing, testing on the actual device. There’s nothing that, that can replace that. So it’s it’s very useful for

Paul Roberts, Security Ledger: We often talk about the need for iot device makers. Really anybody to make security part of the design process, right?

To have security as a consideration from the early stages of conceptualizing a product or service versus bolting it on Do you work with companies on, [00:16:00] that right? To even know what questions to ask or what problems to solve and, help guide them in, that part of the product design process.

Window Snyder, Thistle Inc.: Yeah, we hope, we hope that our developer tools allow folks to, to identify security features that they maybe hadn’t considered or didn’t know that they could do easily. And so discoverability is a human part of this. We want, we wanna be a partner to our developers. That like we’re a great place to find security functionality that maybe hadn’t considered that.

Maybe it’s adding something that the, their customers appreciate. Maybe their customers expect what’s not in place. That if you’ve got a small team that maybe doesn’t know where to get started, this is a great set of things to take care of. Update memory allocator and your network facing attack surface.

To implement it in a memory safe language as a, as a starting point. That’s great. In terms of, you know, overall reducing risk to, to your device, but then the next level, and we have this coming out in, in a, in [00:17:00] a, in short order here as secure boot and Leveraging a, a well key management, leveraging secure a security element if you’ve got that present on the device.

And, you know, that’s kind of like the, that’s more sophisticated in terms of the security work that, that would otherwise have to be done by these developers. So they might not even be considering it for their D device because they, they haven’t been able to even address like, The basics and then being able to put together a compelling security story for their, their customers when they get that question or they get that 200 question question question questionnaire about what they’re doing in terms of security.

They’ve actually got some good answers now about like their key management program for, for, for signing updates and how updates are signed and what their network facing attack surface looks like and what they’re doing to mitigate that. And so yeah, our, our, our goal is to really be a partner to these developers and help them both address the security needs that they know about and help ’em identify new, new ways for them to make their security [00:18:00] resilience

Paul Roberts, Security Ledger: So when I think like common IoT hacks or incidents. Often the ones that make headlines are the, webcam nanny cam the smart doorbell or the home router broadband router. And the problems are often week authentication default admin, password.

It’s the exposed Telnet port or the out of date firmware with the RCE vulnerability and it that just device never got updated. Is, that a lot of what you see out there in the sort of IoT threat landscape? Or what, are the, what do you consider the, biggest and most common risks that, that you all come across just in this IOT t space and that thistle is looking to address nip in the bud?.[00:19:00]

Window Snyder, Thistle Inc.: Yeah, I’m there are. Honestly in the entire, like history of, of, of application security or product security, I would say present in devices is the entire spectrum, like from the nineties on out, like the, the, like if it, if it ever happened on any kind of platform. It’s absolutely present on devices today. I would say the worst is security feature just not implemented. No one thought about it, nobody put it in place. So nevermind a vulnerability, more just like, it’s just not present. That’s, that’s like the, the first and most significant chunk here. And then the next is insufficient to the threat that like you’ve got more of like a nineties or early odds style security solution for 2023 plus.

Security problems and adversaries. So there’s a lot of that. And then you’ve got, okay, we made an attempt, like we built an update mechanism. We, we signed our updates, or we attempted to, and we, we failed in validation. And we see that one quite a lot. Or we implemented everything and it was reasonable.

And then like, like Hyundai had [00:20:00] this problem where they implemented codesigning…invalidation, but then they used the key for signing that was part of the example code on the the NIST website. Right? The, like that sort of thing where it’s just like clear that the developers didn’t understand the security considerations around the implementation.

So even if they get the implementation right, there’s, there’s there’s more, there’s more to it than just the implementation. There’s also building to resilience, right? Like building a security feature so that it’s functional. Okay? The thing is encrypted is really different than answering the question about like, okay, how is someone gonna try and circumvent this?

And what do I do to mitigate the ways that people are trying to attack this system that’s designed to secure? Exactly, and like even just basic questions like, okay, where’s the key start? How is the key generated? Where’s my source of randomness coming from? Is it sufficiently random? And things like that.

And that’s just like really basic security question. So I’d say it’s attempted a security feature or a feature that has security considerations, but [00:21:00] Implemented it to a, from a functional perspective and not necessarily from a resilience perspective. There’s a lot of that. And then there’s memory corruption.

Cause a lot of these devices are implemented in very low level languages. And with memory allocators and memory management that. Doesn’t have let’s say all the work, the benefit of the work that we’ve done in this space to mitigate this. Although moving to memory safe languages will really mitigate that.

And that’s getting a little bit of traction. And I’m really excited to see more folks implementing device code in, in memory safe languages. I wouldn’t say it’s widespread enough to mitigate that as a, as a threat. So there’s that. And then of course there is the, the. The, the way that they’re connected and the services that they use in order to move data around that’s absolutely a, vector.

Paul Roberts, Security Ledger: One of the things we’re seeing in the broader threat and attack space is a big shift in focus to software supply chain. [00:22:00] Attackers setting up typo, squatting modules on npm or GitHub and just hoping to trick developers to using some malicious component or trolling around looking for leak secrets or, credentials that they can leverage in, some kind of an attack. Is, that as much of an issue in the IoT space in the device space as it is in the more general kind of app AppSec world or not?

Window Snyder, Thistle Inc.: I would say that if, if it’s a security problem that developers have, then it’s gonna be present on, on devices. I think devices get a lot less inspection but it doesn’t mean that they’re completely opaque. They’re just, you know, maybe they’re opaque to the IT team that’s deploying it. They’re not opaque to attackers.

Paul Roberts, Security Ledger: The Biden Administration has made some really interesting announcements and moved the needle a little bit [00:23:00] on cybersecurity in general and supply chain security with the executive order. And they’ve had guidance that’s come out subsequently. There have been rumblings that there might be some IoT-specific guidance or standards that the administration might float.

Although we haven’t seen anything, we’ve heard comments from people like Jen Easterly certainly calling out device makers to, raise the bar on security for their devices. I’m really interested obviously your, CEO of a startup that’s in this space. Have you seen any increased Interest or attention in, like thistles technology as a result of the noises coming outta DC.

you have any thoughts on whether we might see some IoT security mandates really coming from the administration?

Window Snyder, Thistle Inc.: I don’t know, but the, the pressure is building. Whether [00:24:00] it’s coming from regulatory or if it’s coming from customers as security researchers demonstrate the problems. Folks get more uncomfortable that like, oh, is this present on my device? Or this is a device that I deploy. What does that mean for my device?

And once you have any device in your environment that has a problem like this, then you start looking at all your other devices and you see how little information you have about them and how they’re bells. And it’s hard to evaluate what degree of confidence you should have in, in these devices.

So it can come from regulatory pressure, it can come from customers, it can come from security researchers. And I am thrilled that there are more and more security researchers both sharing their work and, you know, calling attention to these kinds of problems because it is, it’s

Paul Roberts, Security Ledger: Yeah.

Window Snyder, Thistle Inc.: we’re not in a great state.

I’d say it’s it’s a, it’s a huge area of vulnerability that it isn’t getting the same degree of investigation that we’ve, we’ve fortunately been able to have for web applications and for [00:25:00] services and so on. So I think it’s gonna be a little painful for a bit. And then, you know, hopefully we will see things start to improve.

But it’s hard to justify making an investment for a lot of these companies until they recognize that there’s a problem. So I would say consumer devices. Yeah, those folks. Probably aren’t feeling the same kind of pressure that the kinds of folks that we’re talking to, the folks that we’re talking to already know that they’ve got security requirements.

Those folks know that they’re their customers have security expectations. And so for those folks, they know they’re protecting medical data, financial transactions. Those folks know that they’ve got security work that they have to do. So that’s, that’s over overwhelmingly who we are, who we’re talking to. But I think it’s just a matter of time before consumer devices wake up and realize that they’ve got all the same security requirements devices and that it, it’s it’s not

Paul Roberts, Security Ledger: Okay. Two more questions.

Window Snyder, Thistle Inc.: to kick down the road.

Paul Roberts, Security Ledger: Thistle sounds like an amazing platform if you’re in the planning stages of launching a new IoT [00:26:00] device. Product, definitely wanna work with Thistle right. They’ve got all this great security functionality. But man, what about all the companies that have already built their connected product, have it out there and are maintaining, updating it. Do you have something to, offer to them or is it sort of the horse has left the barn? So that’s the first question.

Window Snyder, Thistle Inc.: You can absolutely continue to improve the security devices that are deployed. So, you know, update’s just one of the features. You can. You can over time add security functionality to these devices or security resilience to these devices? I guess depending on how well you are to ship an update based on your existing update mechanism.

There even some devices out there that have like completely changed operating systems in, in deployment once they’re in the field. So it really just depends on how important it is for that device? It depends on the, their existing confidence and their update mechanism. But yeah, if it’s, if they don’t, if they’re not able to [00:27:00] ship updates, then there’s improve the security of that existing device in the field.

They might be able to do some work on the back end, for

But that’s, that’s a different story. So I’d say overwhelmingly there are devices out there that have update mechanisms that will allow them to continue to, to improve their security.

Paul Roberts, Security Ledger: One of the questions I think obviously I do a lot of work with like right to repair as well and and repairability and serviceability of connected devices. And one of the things I think about a lot is the sort of, what I’ve written about is the Internet of Zombies, right?

Which is as. The IoT ages, right? Companies are increasingly walking away from products that they may have launched and supported either because the products are end of life or because the company has been acquired or gone out of business and isn’t interested in maintaining this product or can’t support, maintain this product anymore.

That creates kind of a public health issue on the IoT, right? Which is abandoned unsupported, unsupportable [00:28:00] devices. I’m really interested in your thoughts on what is there a, either a technology or a policy or a technology plus policy fix to that problem given that it’s only gonna be a problem that gets bigger over time?

Window Snyder, Thistle Inc.: I, I do think it’s a problem that’s gonna get bigger over time. I, I do think it’s incredibly difficult to ship updates for. Someone else’s product without having having an idea of how it works. But there are also a number of you know, communities out there, device hackers who wanna take something and make it useful again, so you can deploy a new operation on your existing router if your router manufacturer has stopped shipping updates for it.

And this is actually, we, we, we, we actually did a blog post on, enabling update into OpenWRT. And the reasons we wanna do this is because, first of all, we love open W R T. And then second of all that if one of the reasons it’s difficult to use is that they don’t have an [00:29:00] update mechanism that allows you to do over the air and it makes sense cause they support 400 devices and that’s hard.

They don’t want you know, to ship an update that’s gonna like brick your devices, require you to go out there by hand. But this is a, a platform that allows you to bring some of those old devices back to life. And so I think we’ll see some of those kinds of things like you know, a community of sewing machine hackers who you know, take the existing firmware and make it more useful than it has been in the past.

And so I, I, I think some of those devices will get a, a longer life because of this. And some devices are going to be mad obsolete long before the, the, the, the mechanical components of the device are, are, are, are going to fail. And I think that’s a crime that is just awful because it is so wasteful.

Wasteful to have like a car that had, that’s perfectly functional, but like, is.

Incredibly vulnerable that

feel safe driving it,

because

Human

Paul Roberts, Security Ledger: Yeah.

Window Snyder, Thistle Inc.: that we’re talking about, right? So they stop shipping updates. Now we’re talking about human safety as, [00:30:00] as, as the, the potential outcome of somebody compromising that device.

So, yeah, no, I, I, I don’t know how things are gonna go here, but I do think that there’s a really serious conversation to be had here about the, you know, is it ethical to, to make these devices completely unsupportable.

Paul Roberts, Security Ledger: Or I always think about the, kitchen appliance, right? So the, person in Best Buy is yeah, I’m buying this refrigerator for it’s gonna last me 15, 20 years small print we’re only gonna support updates for this thing for five years. And it’s like the consumer, some level needs to understand that.

Hey you’re gonna get five years of software updates with this after this. You’re

on your own. Can you shut off the connected features? And if not and in doing so, are you gonna somehow cripple the device or features on the device that you’re paying money for now?

And all these kind of conversations are not happening. And I think they they need to be,

Window Snyder, Thistle Inc.: The manufacturer is actually even making a statement about how long they’re gonna support updates. Very often it’s like quiet. You have no idea if they’re gonna support you for 10 minutes or [00:31:00] 10 years you

like. And these devices have a really long lifespan. The refrigerator’s gonna be in place for a very long

time.

Paul Roberts, Security Ledger: Indeed. Window. Is there anything that I didn’t ask you that you wanted to say that’s a negative construction of that sentence? I’m trying to think of the opposite of,

Window Snyder, Thistle Inc.: No, I really enjoyed being here. Paul. Thank you so much for having me.

Paul Roberts, Security Ledger: We really enjoyed having you and I’d love to have you back and, talk some more. Really excited to see where you go with Thistle.

Window Snyder, Thistle Inc.: Thank you. I would love that.

Paul Roberts, Security Ledger: All right.