from the Hard Rock Hotel in Las Vegas. It's theCUBE, covering Hoshocon 2018. Brought to you by Hosho. Okay, welcome back everyone. We're here live in Las Vegas for the first security blockchain conference, its inaugural event, Hoshocon. And it's all about the top brains in the industry coming together with experience and tech chops to figure out the future in security. I'm John Furrier, the host of theCUBE, and our next guest is Andre McGregor, who's the partner and head of global security for TLDR. Welcome to theCUBE, thanks for joining me. Thank you for having me. So you have a background, we were just talking off camera, FBI, you've been doing cyber for a long time, cyber security, mostly enterprise grade, large scale. Now we're in crypto, where you have a small set of teams running massive scale with money involved. Correct. So guess what, money attracts. Right. People who want that money, a lot of hacks, $500 million in Japan plus 60 million over here. You add it all up, it's a billion so far this year. Who knows what really the number is? It's pretty big. It is, and what's concerning and the reason why I came over to this space was, you know, the number of hacks that were happening. My company, we get probably a call a week, whether it's a high net worth individual, CEO, exchanges, we've helped a couple, some that you'd know of if I told you who they were, kind of get out of a very bad situation, and incident response has been big, but what we've learned is that it's the same old fraud, the same old security tactics that are being used against some of these crypto companies. And we've seen it all the time, everyone's had fraud alerts on their credit card. This is like classic blocking and tackling at a whole nother level.
It is, because if you think about it from like a traditional startup, you have a company that's small, they have time to develop their MVP, they go out and they do maybe a seed round, friends and family, they're sort of, you know, ramping up over time, whereas we've basically flipped the model upside down. These same, you know, six founders now have $10 million worth of crypto and they're not protecting it in the ways that they think they should because they're in hyper growth mode. So the bad guys have determined that as a, you know, great place to target and now, as we see in the news, it's actually happening. Yeah, Hartej Sawhney, co-founder of Hosho, was just on talking about physical security in the sense of you've got to watch out where you go too now. It's not just, you know, online security, it's physical security. So startups have that kind of fast and loose kind of culture. Well, if you think about it, you know, traditional security in corporations, I can put everyone in a building, I have this, you know, similar or same network, egress points, I can protect those. I can do the gates, guards, guns, perimeters around. But I've got people working from home now, and in the crypto space, you know, everyone's got their own setup. You know, if someone's in an audience, they say, oh, I've been in the blockchain space since 2010 or 11, I can make assumptions about them and about their financial worth, and other people are doing the same, but having a fair of a reason. You can connect the dots, okay. It was 22 cents in 2011. So therefore, they had kept a little bit of Bitcoin. They were doing very well and therefore they're a target now. So when you think about it, you put all those scams together, it becomes sort of a hot topic for... I just got into crypto. Good answer, good answer. All right, so let's talk about the security hack because obviously, you know, in the enterprise tech, we cover a lot of those events across the year.
IoT edge is a huge topic, cloud computing booming. So now you have a lot of compute, which is good, and for bad actors too. Now a surface area, it's now no perimeter, there's no egress points to manage. Is there a digital way to kind of map this out, and does blockchain give us any advantages or anything on the horizon that you see where we can in digital form? Well, I mean, the true reason I came into the blockchain space, having worked hundreds of victim notifications and several dozen actual intrusions, from large intrusions at banks that are top five in the world all the way down to the small cleared defense contractors, you realize it's always a server you didn't know about, credentials that had more access than they should, obviously gaining access to a centralized server that then gets exposed and allows that data to be leaked out. So the idea of blockchain and being able to decentralize, distribute that data, own it and keep it cryptographically pure, and also being able to essentially remove the single source of failure that we saw in a lot of these hacks, is exciting. Obviously, blockchain is also not the answer to everything. So in some ways, the spreadsheet is still a spreadsheet and the MongoDB will still be the MongoDB. The Post-it next to your computer with your private key on it. But at the same point in time, it all comes down to cyber hygiene, right? I mean, the stuff that we're looking at, the hacks that we're seeing, the hacks that I'm dealing with and my company is dealing with day in, day out, are not sophisticated. They may be sophisticated actors, but they're using unsophisticated means, and of course, I hate to harp on it, but email is still the number one intrusion vector. We all have it, we all use it. You can take stats from the FBI, it says 92%. You can take stats from Verizon that says 93%. But that will still be the classic attack point. It will always be, because I can manipulate people. I find the right opportunity. I always say, even I've been phished.
It happens, the way your mind is, just how you react is what we need to teach people. It's really clicking on that one thing, it just takes one time. A PDF that you think is a document from work or potentially a job opportunity or a new thing, sports scores, your favorite team, girlfriend, boyfriend, whatever. I mean, you don't know. But I'm going to challenge you on this. You click on that bad link, or you feel like your computer's been hacked. Who do you call? Do you actually have someone that you can call? There's no Cyber 911. Unless you are a high net worth individual or being targeted by a nation state, you're not calling the FBI. So who do you call? And that's the problem that we have in our industry right now. And I mean, I guess I've been the person that people have been calling, which is fine. I want to help them. 12 years as a firefighter on top of my FBI career, I'm used to helping people in time of need. But really, in the grand scheme of things, there's not enough Mandiants, or Verizon's are too big. So for these smaller six person companies that don't have $500,000 to spend on an incident response, they actually have no one to call when they actually do click something bad. And the people they happen to call, the ones that aren't actually there to help them. Sometimes they get honeypotted into another vector, which is, hey, I'm going to help you. Or I even challenge it a bit further. You call any of these companies when your phone has been hacked, a SIM swap, whatever it is, and you need to sign a master services agreement. You need to go through all the legalese. Well, you're actively being hacked. Like it's happening hour after hour and you're seeing it. Your accounts are being compromised and being taken over. And you're trying to find outside counsel to do red lines. So in emergency services, we say, don't exchange business cards at the disaster site. It's not the time that you should be saying, hi, I'm introducing myself.
We should figure out all the retainers, incident response, legal questions beforehand so that at two o'clock in the morning, when someone calls, you'll have someone pick up the phone. Yeah, and you know what the cost is going to be because it's solve the problem at hand, put out that fire if you will. Okay, so I've got to ask you a question on how do people protect themselves? Because we know Michael Terpin's doing a fireside chat. It's well known that he sued AT&T. He had his phone SIM swapped out. This is a known vector in the crypto community. Most people in the mainstream might not know it, but you know, your phone can be hacked. Yes. Simple two factor authentication is not enough. Correct. What is the state of the art solution for people who want to hold crypto? Any meaningful amount, it could be, you know, casual money to a high net worth individual who wants to have a lot of crypto. I mean, I spend a good amount of my time talking about custody. We've sort of pivoted off to a new part of our business line that deals specifically around institutional custody solutions and helping people get through this particular process. But we all know, especially from that particular case, that SMS compromise, you know, after account takeover of a phone, is high. You know, hardware tokens are always going to be something that I'm going to harp on, you know, a YubiKey or something like that, where I'm still having the ability to keep a remote adversary away from being able to attack my system that has my private keys or whatever high value data I have on it. But if I think about it at the end of the day, I'm going to need to transfer that risk. You know, I would like to say that we could transfer all risk, but instead, for the people that have a lot of crypto, you're going to need to look for a good custody solution. You're going to need to look and trust the team. You're going to need to look and trust the technology that they have, and you're going to have to get insurance.
You know, because there are so many vectors in, and at a certain point in time, we can't go back to the Wild West where we're at. The insider job is really popular now too. It is, but there are ways around the collusion, counterparty, third-party risk of ensuring that not one person can, you know, take the billion dollars worth of crypto and run away off to Venezuela and never appear again. But again, it comes down to basic hygiene. I ask people, I've surveyed hundreds of people in the crypto space, and I ask simple questions like VPNs, and I'm still getting, you know, a third to a half of people are using VPNs, you know, very simple things that people are not doing. When you look at passwords, for example, if anyone still has a password under 12 characters, then game over. I mean, you know, there are a variety of ways of hacking them. I can use, you know, GPU servers to do them very quickly. I won't go into all the different options that are there. So 12 characters, alphanumeric, obviously. With special characters as well, but the assumption, let's just make the assumption that either those passwords have been cracked already because they've already been dumped. People share passwords, they get used again. And then the entropy is exponentially higher with every single character after 12. So, you know, my password is 22 characters. Sure, it's a pain to type it in. But when you think about it at the end of the day, when I combine that with a password manager, that also is a YubiKey, that's a hardware token, and I require that access all the time, then I don't run into the problem that someone's going to compromise a single system to get into multiple systems. And then also, you know, I know just a lot of Google people as well, they're looking at security at the hardware level down to the firmware. Sure, sure. All kinds of.
I mean, obviously, you know, if you could use the TPM chip as well, and you know, that's something that we should be, you know, better at as a society. So while I've got you here, I might as well ask you about the China Supermicro mod chip, base board management controller, BMC, that was reported on Bloomberg. Debunked, Apple and Amazon both came out and said, you know, that's been confirmed. They shifted their story a little bit to the reality. Probably there are some mods going on. It's been fabbed in China. I mean, it's a zero margin business going to zero. Why not just let the Chinese continue to develop and have a higher value security solution somewhere else? That's what some people are discussing, like, okay, like the DRAM market was, let the Japanese own that, they did. And then Intel makes the Pentium. Wall Street Journal reported that, Andy Kessler. So those shifts in the industry, certainly China's manufacturing the devices. There's no surprise when you go to China and if you turn on your iPhone, it says Apple would like to push an update, but that's not Apple. It's a forged certificate. And pretty much, what's public knowledge, the DNS is controlled by China, and a certificate. These are things that they can control. This is the new normal. So if you know the hardware, you can exploit it. We've been dealing with supply chain issues since Maxtor hard drives in Indonesia. So was I shocked when I hear stories about that? No, I've sort of scared myself into a corner working in SCIFs over the years and reading the various reports that come out about supply chain poisoning. Certainly possible. It's happening. I mean, it's just to what extent is still something that may or may not be known to its full extent, but it's something that will happen, always happens and will continue to happen. And so at a certain point in time, capitalism does step in and says, all right, well, guess what, China, the way I see it is, China wants to be a superpower.
At a certain point, they know that people are looking at them and saying, we can't trust you. So they're going to clean up their house just like anyone else. It's inevitable. It is inevitable because they need to actually show that they can be a trusted force in the world economy. And at the same time, we're going to have competition out there that's essentially going to say, all right, we can actually prove to have a much better, stronger, validated supply chain that you'll use. I mean, IoT and blockchain, great solutions for supply chain. 100%. I mean, so this is where we're... We're talking, I mean, I was actually on a plane flying from Phoenix to Santa Fe, New Mexico. And I was sitting next to a guy who was just like, I just want to use the blockchain to be able to deal with supply chain around compromised food. So in the sense that if you think about it, fish, for example, there's a lot of fake fish, fake types of tuna and other stuff that's out there that people don't know the difference. But the restaurants are paying double, triple the amount of money for it. You start taking things like elephant tusks. You take things like, you know, it's being able to track things that no one's really thinking about. And you're just like, I never thought of it that way. So at the end of the day, I still get surprised with what people are thinking about that they can do with the blockchain. So Andre, question for you here, this event, what's the impact of this event and for the industry in your opinion? Obviously a lot of smart people here talking candidly, sometimes maybe a little bit contentious about philosophies, regulation, no-regulate, self-governance, a lot of different things being discussed as an exploration to a new proficiency level that we need to get to. What are some of the hallway conversations you're hearing and involved in? A lot of mine are obviously around custody. That is a topic of the moment. And for me, I'm in learning mode.
I recognize that I've spent a lot of time on cybersecurity. However, as it relates to the blockchain and digital asset custody, whether it's utility tokens or security tokens, I'm on the CFTC Technology Advisory Committee, specifically with cybersecurity and custody. And so I want to take in as much information as I can, bring it back to the committee, bring it back to the commissioners and help them create the proper regulations and standards, whether it's through an SRO or through the government itself. For the folks that may watch this video later that are new to the area, what does custody actually mean, honestly, holding crypto? But to define custody in the context of these conversations, what is it, what are the threshold issues that are being discussed? Sure. I mean, to break it down, custody is very similar to a bank. So you're saying I have a lot of X, it could be baseball cards, it could be gold bars, it could be fiat cash. And I want to have someone hold it and I'm going to trust them with that. Of course, I'm transferring that risk. And with that, I have an expectation of a qualified custodian that has rules and regulations of how they're going to actually manage it, how they're going to control it, ensure that the risks that people aren't going to take it, it could be again, the Monet, it could be the Johnny Bench rookie card, it could be 100 million bucks of gold. But I also want to have a level of insurance, and that insurance could come from the insurance industry themselves, allowing me to protect it in case something does happen to that. Or the government, FDIC, $250,000 for your bank account, is a type of insurance that people are using. At the end of the day, from an institutional perspective, you want a pure custodian that takes all the risk.
The government wants to say at a certain point that that custodian can allow for a margin call so that the client can't come in and say, well, I'm not going to pay out $100 million worth of crypto, or seizure of funds as well. And that's what's being set up right now. Traditional banks are not ready to handle that. Traditional auditing firms like PwC and Ernst & Young are still trying to figure out how they'd even give a qualified opinion as it relates to how crypto is. It's not so much that they don't have the appetite to do it. They don't have systems. They don't have expertise. They don't have expertise. And right now, things are so new and so volatile that they're sort of almost putting their toe in the water, but really not sure what the temperature of the water is yet to hop in. If someone wants to go to court, you say, hey, I prove it. Well, it's encrypted. I don't know who did it. Well, and the thing is that when you have 53 states and territories with different money transmitting laws on top of the countless federal agencies and departments that are managing that, it is hard to come to consensus. It is much easier in a place like Bermuda where the government is small enough where everyone can get together pretty quickly, have consensus on an opinion of how they want to deal with the crypto market, deal with custody, pass a regulation. And what's nice about Bermuda, it has crown ascendancy, so the UK government still will approve it. And they move fast on the regulation side. They literally just passed. They are the only jurisdiction that has a fully complete law surrounding cryptocurrency. You're bullish on Bermuda. I am, because I saw the efficiency there. And I expressed my same opinion with the CFTC when I was doing my hearing last week, that it's nice to see the speed, but it's also a small island that allows for that speed. And they have legitimate practices that have been going on for years in other industries. Right, so there's no dirty money.
There's no anything that people are concerned with. They have the same AML, KYC, anti-money laundering and know your customer regulations that you would expect if you had your money in the United States. Yeah, we had a chance to interview the Honorable Premier there, Premier Burt? Yeah, very nice. Very nice. And Toronto, so it's awesome. Nice. All right, so final takeaway for this show here. What's your takeaway about this event, the impact on the industry? This is a very important event because I think people are still trying to get their footing around blockchain. They're still trying to get their footing around digital asset protections. And if we can get the smart people in one room and they can share knowledge, and then we can come together as a community and create some standards that make sense, then we're protecting the world. Andre, I'm glad you're in the industry because your expertise and background on the commercial side and government side certainly lend well to the needs, so to speak. We need you. We need more of you. Thanks for coming on theCUBE. We appreciate your commentary and your insight. It's theCUBE, bringing the insights here. We are live in Las Vegas for Hoshocon. I'm John Furrier with theCUBE. We'll be back with more coverage after this short break.