
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a Privacy Consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here. I am an equity partner at the law firm Baker Donelson, and I practice technology law. However, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  1:00  

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in various fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform how companies do business together. We’re creating a future with greater trust between companies and consumers. To learn more, and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello, hello.

Justin Daniels  1:38  

How are you feeling today? You’re tired?

Jodi Daniels  1:40  

I’m rather tired. Our dog is an older dog, but he’s acting like a newborn in his sleeping schedule.

Justin Daniels  1:48  

I see. Understand.

Jodi Daniels  1:51  

No you don’t. You’re sleeping. I’m tired.

Justin Daniels  1:55  

Fair enough. Well, my side of the floor? Yes, he does.

Well, he’s very loyal to the person that has saved him twice.

Jodi Daniels  2:03  

Hmm, it’s true. But we’re not going to talk about Basil the dog though that would be a really fun episode.

Justin Daniels  2:07  

Maybe we’ll let him be the guest. Speaking of our guests, we have an interesting show today. We have Roderic Deichler, who is a cybersecurity industry veteran. He’s led pentesting engagements at Mandiant and smart contract audits at both Coinbase and OpenZeppelin. He has several top CTF, hackathon, and competitive audit placements and several assigned CVEs and bug bounties. He co-founded AfterDark to help fill the security gap in Web3. Roderic, welcome to the show.

How are you today?

Roderic Deichler  2:42  

Thanks. Thanks. Pleasure to be here. Thanks for having me on. And I couldn’t have said it better myself. Perfect intro.

Jodi Daniels  2:48  

Well we’re excited that you’re here. And we’d love to dive a little bit deeper into that insurance. So we always ask people to share a little bit more about their career journey to how they got to where they are today. And we’d love to hear yours.

Roderic Deichler  3:02  

Absolutely, yeah. So, you know, I’ll go back, I guess, to Part A, to the start. I really got first interested in the cybersecurity space in college. I studied computer science undergraduate over at UC Santa Barbara, where they really have a strong cybersecurity research lab. So one day, I just went to check out the hacking club. And the rest is kind of history from there. Fast forward, I did some work in pentesting, and I did some red team consulting, which I think you touched on, over at Mandiant. And over there, you know, really, we’re doing the full gamut of cybersecurity, at least on the offensive end of work: doing web application tests, even mobile tests, cloud tests, internals, externals, all the way to red teaming, which is, you know, you’re phishing into these companies and then trying to go undetected for the entire time of the engagement and go all the way through their internal network, steal their crown jewels, etc. Really enjoyed my time there, I learned quite a bit, but I sort of got pulled into this crypto space where I think I was just really excited at the idea of contributing to something that’s this credibly neutral and sort of sufficiently decentralized platform for, you know, one, sending money, but two, you know, everything beyond. I think we’re looking at potentially building all sorts of different applications on top of it that could offer social media replacements, etc. So that’s kind of what brought me over to working at Coinbase internally, and then externally again, as an auditor and consultant over at OpenZeppelin, where I really got to help secure some very large protocols in the space. And finally co-founded AfterDark, where we’re trying to, as you mentioned, you know, fill the gap in security needs in Web3.

Jodi Daniels  4:43  

I find it so fascinating that there’s a hacking club at college. When I went to school it was, you know, the French club, Spanish club, finance club, save-the-world club. Now it’s the hacking club.

Justin Daniels  4:57  

You understand the hackers of the world get together at DEF CON and they got kicked out of a hotel because they kept hacking the Wi-Fi and people’s phones in hotels, like, we can’t have you doing this.

Jodi Daniels  5:08  

I have heard that rumor before.

Roderic Deichler  5:12  

So it was small. It’s a small hacking club.

Jodi Daniels  5:17  

It just shows the evolution of where we are today.

Justin Daniels  5:21  

So where I kind of wanted to begin, Roderic, we haven’t had a guest on in a while to talk about Web3. But maybe you could talk to us a little bit about what security risks we have in smart contracts, which, you know, are the basis for most blockchain applications.

Roderic Deichler  5:41  

Sure, yeah. Happy to dive in there. I won’t go way too much into the weeds because there is definitely a lot we could talk about on this topic. But I think, you know, something worth touching on is sort of the difference between traditional applications and building on top of a blockchain, right? And currently, you have a couple of major things to think about. One of them is the way that transactions are sort of processed currently. And the way code is executed, if you will, is roughly that every node on this distributed system actually is currently running the code itself, and then sending out and saying, like, here are the results of all of these state changes. And every other node is like, yes, that makes sense, or no, it doesn’t. And that can be a little bit confusing. One, because you’re spending actual compute power across everybody who is actually going through the set of transactions here. And two, you have to assume the order of those transactions can’t really be trusted, because how do you know who’s processing it first, and which one’s going to come out first? So that leads to a couple of different interesting issues. One of them is what we call gas, and gas is how users are actually paying for all this compute. And in smart contracts, you have to make sure that you’re not using way too much gas, otherwise either your users are going to pay for it, or they have this kind of block space limit, which means that you won’t even be able to include your transaction. The code, sure, it’ll be attempted to be executed, but it won’t actually post the changes to the chain. So for all intents and purposes, you know, it’s not going to go through. And then you also have this idea I touched on a little bit, where transactions are coming in different orders.
So if you assume, like, oh, I’m going to send money to person A, but only if they had already sent me money, it’s not really a great assumption to make, because it could come in in a completely different order, and then your payment’s not going to go through. So in terms of the smart contract risk, right, there’s two interesting things there that are really quite different. There’s also another classic issue, which is called reentrancy. And, you know, I think a fun way to think about this one is, it’s like you’re playing a video game, and you hit pause in the middle of a video game, and then you’re just giving your controller off to someone else. You don’t even know who, and you’re saying, go play this game, and then return it to me paused again. And so you need to have a lot of guardrails on what they can or can’t do when you hand that controller over. Because, you know, you could come back to the game and you’ve completely lost your save, maybe even, you know, your character’s died, or what have you, depending on the game. So it’s really, you know, kind of a dangerous thing that happens with these smart contracts. That’s called an external call, and they’re calling into something else that’s untrusted, and then they can go back and call back in and change the state just the same. So those are a few issues. I will say we’re still seeing a lot of business logic, which is something that’s a lot more normal to any Web2 traditional security folks. And that’s just, you know, implementations of things that you’re not expecting. Maybe you’re an NFT lending protocol, and you say, okay, I’m expecting someone to put up their NFT for collateral, someone else to borrow, etc. But you don’t expect someone to lend to themselves. And, you know, now you’ve given them out more money than you actually have, for example.
So without getting way too much in the weeds, you know, there are really a lot of differences to think about. It’s pretty interesting. And it’s a fun space, and I’ll pass it back to you.

Jodi Daniels  9:17  

We just had fun and security risk in the same conversation. Well,

Justin Daniels  9:22  

Roderic, I guess one of the things I wanted to kind of follow up and ask you is, you know, what you do is you go in and you find bugs in code. And I wonder if you could give us, based on your experience, kind of get us in the head of the software developer, and what their thought process is to either create an NFT or take any kind of software application. What is their thought process? And how do they go about this? And what are some of the gaps? Because obviously, the bugs in code, particularly on new types of technology, seem to be more and more prevalent, and yet these things make it to the market without having someone like you take a look at it. Is it just simply market forces, and these companies are under a lot of pressure to get an MVP? And if there’s bugs in it, hey, we’ll just figure that out later, we just want to get it in the customers’ hands.

Roderic Deichler  10:11  

Sure, yeah, I think, you know, thought-process-wise, especially for Web3, like you said, new technology, you’re seeing a lot of developers from the Web2 side that want to come in and want to participate. And, you know, like I mentioned, there’s a few nuances that are a little bit unexpected in distributed systems, let alone blockchains, that can be really hard for you to get into the state of mind for, and to make sure your code is free of those issues. In terms of the market forces, I think that’s absolutely an issue. I really like that I think in the Web3 world, we are trying to make it a standard to kind of get security before. A lot of projects, they will do an audit at least, and that’s, you know, where someone like me will come and review their code and look for bugs before they kind of do their initial deployment to production. But still, you know, there’s really a race to be early to market, right, and benefit from the network effects. And so if you’re a project that’s a little bit lower funded, or bootstrapped, maybe you might consider deploying first, attracting some users, and then once you actually start to accrue some value and make yourself a larger target, only then will you start to go through the security procedures. Or the second thing, you know, that people will do to kind of capture the momentum and move quickly, is they’ll take on what are called centralization risks. And that means, basically, you know, as opposed to slacking on having bugs or vulnerabilities directly in the contracts, they’ll just say, we have the ability at any time to kind of upgrade these contracts. Or even, you know, if you’re an L2 protocol, for example, maybe you don’t have what they call fraud proofs or disputes. But basically, it’s a little bit against the ethos of the ecosystem, I’d say, where decentralization is kind of king, and you’re saying we’re going to give ourselves some keys and some controls to be able to change things on the fly.
So I hope that answered the question. I know I threw a couple of things out there.

Jodi Daniels  12:10  

Well, sure, I think it did. You know, since we’re talking about security risks, many people are familiar with good old-fashioned phishing, which has been around for a long time. But why is phishing even more devastating to those holding Bitcoin or other assets in a digital wallet?

Roderic Deichler  12:33  

Yes, yes. So, phishing is definitely a huge problem. And I think there’s a few things and a few reasons for that, right? Like, unlike in traditional banking, the transactions are really irreversible. There’s not kind of this underlying payment structure that might process in a few days, or, you know, these credit protections where you can have chargebacks. There really aren’t chargebacks. So once the transaction goes through and the funds are gone from your wallet, effectively, they are gone, they’re owned by someone else, and you can try to take legal procedures, but it gets really difficult for a number of reasons. One, you know, if it’s a small amount, like just your own personal savings, there’s probably not much you can do on that. It’s a really labor-intensive and capital-intensive thing to try and track someone down and figure out, you know, whether you can even get the funds back. And the second is, you know, because it’s a little bit pseudonymous or anonymous, right, we don’t necessarily know who’s tied on the other end, where the funds went to. And again, if they’re a smaller amount of funds, there are also things like money laundering, mixers, etc., where you might have a real difficult time tracking down where the funds actually went. I would also say that, you know, on the phishing end, you’re really conditioned as a user, if you’ve ever played with any of these wallets, like MetaMask, et cetera, you don’t really get too much info coming your way. You’re kind of just like, yeah, I’m at a website interacting with this, and yes, I intended to swap, so click swap. And then, you know, little do you know, you got phished into sending your funds over to someone who knows where. And I think it’s a really difficult thing to protect against. And I think we have a long way to go from a user experience perspective to make that better.

Justin Daniels  14:19  

So, Roderic, on the point of phishing, I was reading an article this morning about how artificial intelligence is going to make phishing even more robust from the threat actor standpoint, because they can really tailor the emails and make them look authentic. How, if at all, is AI impacting the kind of work that you do, or the kinds of code that you are finding the bugs in?

Roderic Deichler  14:45  

Yeah, I would say, you know, AI is a really big place of investment in our space right now. I’ve talked to quite a few different founders who are building tooling that’s basically supposed to help find a lot of these, whether it’s pattern matching to find the bugs, or just, you know, general, we’ll call them lower-hanging fruit. And I’m seeing that AI is able to find a lot of extra bugs, which is great on my end, because that means instead of spending a lot of my time looking for what I’ll call the lower-hanging fruit, we can look for stuff that really takes a more thorough manual review and understanding of the system. But I would say AI is quickly, quickly helping the work that we do. And it’s impressive how much it has really changed the landscape in the past year on this.

Jodi Daniels  15:32  

Justin, earlier you were talking about design and how security is considered in the design of different projects. And so, Roderic, I’m curious, are you seeing an appetite to go slower? These are some really big risks. I mean, I have to be honest, you mentioned phishing, I can’t get my money back. I’m not excited about that idea. So I would imagine other companies have a variety of serious concerns, while at the same time trying to move their projects quickly out the door, and balancing that security piece with what we’ve been talking about. What have you been seeing from how companies are either changing their security mindset? Or maybe not at all, because there’s cool people like you who can find all the problems?

Roderic Deichler  16:22  

Well, I would not say I can find them all. I always strive to find them all. But to answer your question, yeah, I’d say generally speaking, yes, there is an appetite to go slower. It’s really important to kind of bake security into the process. I also think, you know, that’s largely a product of the ramifications being very obvious. Like, if you get hacked, you’re seeing millions, hundreds of millions of dollars, you know, in the headlines, and it really is happening. Some of these protocols are holding a lot, a lot of money, and a single bug can lead to all of that being drained in a single transaction. So it’s really difficult to stop. And then you have to hope that you can recover some of it, right? So there’s definitely an appetite for going a little bit, you know, low and slow, if you will. I’d still say that, unfortunately, there are market forces pushing people to get products out. And I think that’s something we talked about a little bit earlier. But you’re seeing either projects that want to deploy immediately and figure out if they have product-market fit before they kind of invest in the security, or you’re seeing people who will cut corners a little bit to kind of take on this centralization risk. But I will say, happily, that I do believe, you know, security is kind of being prioritized a little bit more, even for these early-stage startups.

Jodi Daniels  17:48  

That is promising to hear. Like security by design, people.

Justin Daniels  17:53  

Well, it’s much like privacy by design now, but

Jodi Daniels  17:55  

we’re talking about security. So I didn’t include privacy. I included security. I say that was very nice of you to include privacy.

Justin Daniels  18:02  

Well, it is the privacy and security podcast. I know sometimes we learn a little bit

Jodi Daniels  18:06  

more one way than the other way.

Justin Daniels  18:07  

Yes. This is my Yes. So Roderic, I apologize for that interlude. We’re having to apologize.

Jodi Daniels  18:14  

That’s part of the fun.

Justin Daniels  18:15  

I see. I get a smile. So, Roderic. From your perspective with all the years of your pentesting and hackathon, what is your best cyber tip if we’re at a cocktail party, and we want to learn more about that?

Roderic Deichler  18:34  

Yes, if we’re at a cocktail party, you know, honestly, I think it’s keeping it simple, back to basics. There’s two things, I’ll throw in a double tip here. One of them is definitely throwing MFA onto basically any important thing that you’re logging into. And specifically, don’t do the SMS ones, don’t do the ones that text you a code and then you enter the code. And the reason for that is it’s really easy to do SIM swapping with the carrier. But essentially, you’re taking over someone’s number for a short period of time. And I’ve had people that I know that have done this. You can just walk into even an AT&T or T-Mobile and convince them that, you know, you need to have your number changed to a new phone really quickly, immediately, some emergency came up, and create a compelling story. Anyway, they will do that, and all it takes is one second for that to happen and your MFA is no longer MFA. It’s just, if they had your original password, they had it. The second one is I really am a proponent of password managers. And that’s because, you know, one, it’s really common to not use a strong enough password. And that’s, you know, going to open your account up to being brute forced, or what have you. If someone gets a hold of your account, again, not a great situation. The second is people will definitely reuse passwords, and I can totally understand why you would want to do that. It’s a pain to have 40 passwords for one thing, and that’s kind of what the password manager is great for. You have one very complex password, and then you don’t really have to worry about what you have, or, you know, the 30 different websites you have to log into these days. You just literally roll the dice, and that’s going to create a very complex string of characters for every individual website that you log into. Those are my two tips.

Justin Daniels  20:19  

So Roderic, I actually wanted to ask you a follow-up on those two tips, for the benefit of our audience. And it’s this. So let’s say you’re using one of the password managers, and one of them has been hacked repeatedly. It’s been in the news. Can you talk to us about how having the MFA with, let’s say, a token-based second factor will help you have good cybersecurity? Because once the hacker gets in, let’s assume they have your password. However, what is stopping them from using that password to completely change your account when they’ve taken over your phone? Can you just explain that a little bit in layman’s terms to our audience, please?

Roderic Deichler  21:04  

Yeah, absolutely. And so that’s why it’s two for one, you need both, right? And so the MFA, that’s, you know, I would advise using an application like Authenticator, or even a YubiKey is fantastic. But the whole idea is, you know, you go to log in, let’s pretend it’s your bank account credentials. Maybe you use the password manager, like you mentioned, and if it’s breached, now someone else has the password to it. When they go there, they’re expecting a second form of authentication. And really, that’s a fancy way of saying, you know, either through this application, you’re going to get a specific code that lasts for, you know, 30 seconds, and you need to enter that. Or, you know, you could use a YubiKey. Again, not entirely important to the concept, but you cannot just log in from anywhere in the world with just a user’s password. You need to have control of a second form of authentication, hence the MFA. And doing that, you know, tying that to something like your physical phone, or a physical key card, makes it really difficult for someone who tried to steal your password from, you know, across the world. They need to physically have that second component there.

Justin Daniels  22:14  

And to drive your point home, even if they went to the local wireless store and got my phone number ported to their phone, they would literally have to have the application that’s on my physical phone to get that second factor. So without that, they’ve breached one level of my security. But that second factor is my extra layer of defense. It’s protecting that account. Is that accurate?

Roderic Deichler  22:39  

Yes. Yeah, absolutely. And that’s why, you know, I’m definitely not an advocate for using SMS as your second factor. Because if someone is able to get that SIM swapped, which seems to be not too difficult these days, you really only have one factor.

Jodi Daniels  22:54  

Well, when you’re not talking about losing millions of dollars in an attack, and MFA, what do you like to do for fun?

Justin Daniels  23:10  

When you’re not losing helping people losing your hair? Well,

Jodi Daniels  23:16  

I mean, we’re talking about really significant consequences that can happen. Yes. And when you’re not dealing with those types of very big things, I drink my tea, doing something fun, okay.

Roderic Deichler  23:31  

Yes, there definitely are some things that I could use my free time for. One of them is I’ve recently become a really big foodie. And so my girlfriend and I came back from a trip to the south of France a few weeks ago, and we did at least a small tour hitting up some local restaurants there, and the food was really fantastic. So I think, at least in my heart, France has won its title as the culinary capital of the world. But also we really like to get outdoors, have been doing some kayaking as well. So we’re local to the Atlanta area. So we’ve been to Allatoona and Lake Lanier, and definitely open to recommendations if either of you has a need for the next spot to check out.

Jodi Daniels  24:10  

I’m gonna leave that one to Justin. Okay.

Justin Daniels  24:15  

There’s always Lake Oconee. It’s a fun place to go for kayaking.

Jodi Daniels  24:19  

I’ve never been, but Hartwell is all the way on the other side.

Justin Daniels  24:23  

Yes, Hartwell, too.

There you go. There you go.

Jodi Daniels  24:26  

If people would like to learn more about you, and AfterDark, where can they go?

Roderic Deichler  24:33  

Yes, so we’re very active on Twitter, as well as LinkedIn, and our website, which is afterdarklabs.xyz. That’ll have all the info for anybody who’s interested.

Jodi Daniels  24:47  

Wonderful. Well, thank you so much for joining us. Justin, any parting thoughts?

Justin Daniels  24:52  

I thought Roderic gave an excellent explanation of why we want MFA that’s not SMS-based. So thank you for that.

Jodi Daniels  25:01  

Well, thank you again. Thanks for having me.

Outro 25:08  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.