Ralph Echemendia, a world-renowned cybersecurity specialist, who is known as “The Ethical Hacker”, and chief executive officer of security firm Seguru, shares his views on the evolving blockchain technology landscape and the future of hacking and identity.
Here is the transcript:
Emmanuel Daniel (ED): Very pleased to be able to speak with Ralph Echemendia, one of the world’s renowned experts on cybersecurity and where it’s taking us all. But also your blurb – your tagline – says technical advisor to Oliver Stone. What were the movies that you worked on and how much of that sort of required you to sort of imagine a little bit into the future about how cybersecurity would evolve?
Ralph Echemendia (RE): Well, I’ve worked on two movies with Oliver. Savages was the first movie that I worked on, and that movie was mainly about two weed dealers in the Mexican cartel, and it was more of a crime drama type of film, but it had an element of hacker in there in a couple of different places. And a lot of it is Oliver’s very – from his perspective as far as how he works because he wants things to be very legitimate and very much like real life.
So, that was – it’s not just a matter of the stuff you see on the screen, but in working with the script itself and the writing and making sure that the kind of language being used is –
RE: The way we speak. And then the other aspect of it was with Snowden – and that on, I was a lot more involved than Savages, obviously, because of the nature of the content itself. So, very early on, even before Snowden – before the Snowden disclosures happened – Oliver already knew that he wanted to do something in that direction. So, I took him to –
ED: So, I guess the people who watched Snowden wanted to know that you were technically correct about how he –
RE: Well, yeah, we were conscious of the fact that people are going to go watch it who worked at the NSA and worked for the U.S. government and those we didn’t really – he didn’t really want it to be – like it looks like Star Trek.
But at the same time, there’s a balance to be reached with entertainment because – and I think that was the main thing for me to start work with Oliver, with Kieran Fitzgerald, who was the writer – to work with the art direction production design to make sure that it wasn’t too far off into the future as far as how it looked because the reality of it is that most of these facilities are very boring.
ED: Okay, and what about Nerve?
RE: Nerve was actually more of a – let’s think up something – because Nerve was a movie where they came to me and said, “Look, we’re –” This is the producer who actually passed away recently, unfortunately, but she did Hunger Games. And, so, in this case, they had the storyline – this idea – to make this movie about an app. And the first thing they told me is, “We want you to approach it as if we were actually creating this app for real even though it’s for this storyline.”
ED: The story, right.
RE: And, so, it was the concept of a truth or dare – without the truth – just a dare app. And then they would come up with the story. And they basically had certain things like, “We want you to come up with a way to design it that would not be – that would make it so it would be impossible to take it down.” So, we had to be – it can’t be centralized. It had to be a de-centralized application – interestingly enough, as we’re talking about money and cryptocurrency and all this – de-centralized app that teenagers would use to dare other teenagers.
And one would be a player and one would be a watcher. And the watchers watch to pay to watch, and the players get paid to play. And that was kind of very interesting since we’re talking cryptocurrency. And, so, that was the concept. And as it went through different iterations of the script and then it came back to, “Okay, now we need you to come up with a way to take it down.”
Open source platforms and blockchain
ED: Okay. So, let’s keep our imaginations going on that one. All the apps today are created on open platforms – on open programming tools – open source. And then you don’t want them to take it down. So, what is the average app developer up against in terms of creating platforms which allow kids to develop apps around that, and at the same time not take it down?
RE: Well, the adoption of development for languages and for projects has to do – The reason open source I think exists – and it’s an interesting model – is because if you make it where everyone can see the code – unlike a lot of the commercial software which does not allow you to do that; you can’t see the compiled code – with open source the idea was that will attract more programmers. And then whatever they put in –
Why? Because a lot of the same functionality that I need, you probably need, but then you might need some additional functionality which only adds to the value of the product. And because it’s transparent, because it’s open source, and because you can see it, that would also allow people to look at it and find flaws.
And, so, the argument is made that with open source – with certain open source projects – it actually is better security-wise than commercially closed software because you can see the flaw and you can fix the flaw and you can report the flaw and it’s all part of the open source process.
ED: So, how much of that is the community policing the flaw?
RE: It is all about the community policing the community.
ED: It’s like a village in Cuba. Like every neighbour knows what the other neighbour’s doing, so –
RE: It’s the old peeping –
ED: Yeah. Looking out the window and –
RE: Looking out the window –
ED: And if you came home at 3:00 and not 4:00, something’s not right, so –
RE: Yeah, and that’s the CCTV. That’s the cameras. And it is that way. And where if everything was closed and you don’t have that and it’s just the buildings have a door but no windows, then you don’t really have that kind of viewing point and vantage point. And, so, that’s the value of open source.
And now we’ve seen it over the last 20 years where it’s led from initially starting in the open source realm, and then taking a commercial approach to – so, companies like Red Hat, for example, with Linux. Where Linux is an open source kernel, but Red Hat is a commercial company that provides the other mechanisms that corporations and companies need. You need to hold somebody accountable. You can’t just go, “Oh, I’m going to –”
ED: Right. Linux worked because eventually it became the critical – it had its own critical mass – it became the de facto open source platform. And all of the others sort of tapered off and disappeared in the background. But what if you get a situation where you have multiple –
RE: Well, you can have that with Linux, for example. So, Linux isn’t really an operating system. Linux is the kernel. It’s the thing that talks to the hardware. But then you have several dozen different versions of Linux – some that are completely open source with no commercial entity involved and some that are like Red Hat and a lot of others that have the commercial entity within – that’s built around it to provide the maintenance, support, and certain things that are required to do business with it.
Technically they can all do the same business, but there are things required by business to have in place. So, that’s why Linux took off. And it just, again, it had the adoption of the development community more so than other ones. Again, you have BSD – you have other operating systems that also are similar in that way and also have a pretty large adoption.
ED: So, if I give you a sentence and said, “Linux is a lot more robust because it’s open source and, therefore, less –”
RE: It’s not to say it’s more secure or less secure than saying something like Windows, right? It’s not –
ED: Windows is interesting because Windows is a monolith. It’s structured. You’ve got to take it as it’s been given. And that’s where the hackers go in there and they look for the holes, right?
ED: Whereas Linux is more like a living organism. If you find a hole, it’s someone plugs it and keeps it going.
RE: It’s – I mean ultimately it’s become the – both of them – you could argue both because the truth is that there’s more vulnerabilities found in Linux than there is found in Windows these days. But at the same time, because of that sort of open source community environment, they also are plugged and reported much faster, right?
So, if you took a – somebody’s knowledge of let’s say a Windows environment and somebody’s knowledge of a Linux environment, they can probably both build just as a secure version of their own operating system. The problem is that oftentimes you have people who are not so knowledgeable with Linux and by default it’s too wide open. So, they don’t know exactly what they’re doing. And the same could be said if you brought somebody from a UNIX or Linux environment to a Windows environment. So, it really isn’t about as much the technology as much as it is the people behind it.
Developing applications on top of blockchain
ED: Now, let’s deploy that thinking into blockchain, right? Now, we’ve only started to see – the initial iterations of blockchain where the players are – a lot of activities on the blockchain itself.
But there will come a point where the applications will be developed on top of the blockchain, and then it starts beginning to look like an API platform.
RE: Yep. Well, yes, blockchain is really just a backbone, if you will, to the beastie animal that feeds the application that it’s going to run on top of it. And, so, it’s utility versus application, and blockchain is the utility – sort of like the power –
How are you going to use the power – to turn on a light? So, then, do we make light bulbs? Or do we make – what – TVs? What is the application of that power? In this case, we’re using electricity as an analogy to blockchain. So, blockchain is really a utilitarian type of technology that then now is being – the application right now is cryptocurrency. That’s what everybody knows.
ED: Yes, but it wouldn’t – you’re trying to put on smart contracts. And then after that there will be applications on top of it. There’ll be communities of blockchains.
RE: Absolutely. There’ll be – I mean it’s very much where I think we are today with blockchain is where we were 25 years ago with the internet – is the truth. It’s – I could remember when you could watch a TV programme like this and basically the reporter would be laughing about this thing called an email. And you can actually find this stuff on YouTube. And they’re making a joke about, “What is this symbol?” They didn’t even know to say “at” and everybody joked about it. And now we can’t live without email. So, blockchain is that –
We are – blockchain right now is what email was 20 to 25 years ago – which not many people got it and not many people had one and not many people knew how to use one. But into – I think the difference is that here we are 20 years later; now we all have one, if not ten. And that’s what’s happening with blockchain. The only thing is it ain’t going to happen in ten or 20 years; it’s going to happen in two.
ED: Okay. I want to talk to you about three things here. One is how much of the intelligence should sit on open platforms? You were talking about kernels. Is the idea to keep the core small and simple and then have the applications take a lot more of the intelligence so that if there is a break-in or a fraud, that it’s contextualised – it doesn’t affect the whole lot? How do you make it less brittle?
RE: Well, yeah, I mean – I’ll put it in real simple terms. And I’m sure you’ve all this before. Blockchain is just a general ledger – just a ledger. It’s – I’ll put it in even simpler terms. It’s just a log, okay. So, you may have those doors when you badge in. And they have a log of who budged in at what time. That’s how blockchain really is, right?
And, of course, it’s a lot more powerful than that – than what you can do with it. But ultimately it’s using that technology to use it to badge in. And, so, it’s really as complex as its math is. It’s really a simple utility like electricity. So, yes, the intelligence, if you will, will be built upon that from the perspective of its application and usage. So, yeah, most of the – let’s call it heavier code – will happen in the application layers than in the blockchain itself.
ED: The reason I asked you this question is because all the different blockchain initiatives at the moment are very proprietary. Everybody wants to be the final determinant of blockchain. Everyone’s trying to win that first prize of being the Linux blockchain kind of thing – that there will be – they’ll be – you’ll be conversed in all that. So, we’re not there yet. So, right now – so, the intelligence is still being maintained at the core, so –
RE: I mean – again, coming from the sort of hacker subculture and very much for open source technology from a very early age – I think that’s not the right step to move in. There’s a saying that often comes to mind when we start getting into the rights or wrongs of things which is: regardless of your background, upbringing, religious, whatever it may be, the truth is it’s just an evolutionary process.
So, evolutionarily speaking, if you will – scientifically speaking – there is no right or wrong. It’s just part of the process of evolving. And I think blockchain is definitely a technology that is helping us evolve. But the mentality of proprietary, as you put it, is not in the best interest of anyone.
ED: Okay. Second point is frictionless, right? The whole idea is to make a lot of the applications as frictionless as possible – get the pass codes out of the way – get all the authentication process out of the way. What gives and what needs to be protected in that process?
RE: Well, I think the biggest – the main thing is to verify identity because that’s really it – I mean how the whole idea behind what blockchain can do was to keep, again, that ledger – to keep that log of who’s done what. And one thing that I can tell you – certainly from doing hacking of, penetration of all kinds of different systems – including financial systems – is that it’s very easy to modify that log. Now, therein lays the value of blockchain. So, blockchain is written to be more secure than non-blockchain technology.
ED: And that’s because the identity is non-reputable. You can’t repudiate an identity.
RE: Yes, but as we get into frictionless – which really has more to do with the user experience of the use of the application – not so much in blockchain, right, so –
ED: Right. And at that point, the user – and then there we’re getting to this whole, “Where’s identity going?” because the user can have multiple identities. And there’s also this big philosophical war that the user protects his own identity, like he gives it to who he wants and stuff like that, right, so –
RE: Well, it’s what I like to refer to as selective disclosure because what I believe is private to me, may be different to you, and is different to every individual. They may believe or they may see certain things to be quote-unquote private. But privacy is really about what I select to be – to disclose and not disclose. Obviously, to be able to operate – to be able to have a conversation with you – I must disclose something. But you might ask a question I might choose not to answer. So, that simple issue right there is exactly what –
The future of identity
ED: So, as a hacker, what are you seeing? What are you thinking about where identity is going? Like hacking someone’s identity or even promoting a personal identity out there – well, what’s happening on that?
RE: Well, the problem is – at least right now, okay – and, again, that’s where the power lies of how this technology will – and, again, keep in mind this is not even a baby yet; it’s a fetus, right – so, it’s – but the power lies in – and right now identity management or identity theft is very simple because all we’re doing is throwing it in a database.
And, so, if I have every single piece of information that is required for me to open a bank account, buy a car, and so on and so forth, right? Any of the financial mechanisms that exist – if it allows me to use any of those financial mechanisms, right now most of data required for me to be you, I can answer if I have access to that database.
And your data is in so many places right now that you can’t even really fathom. So, if I hacked into these places and if I had all this data, and it really came down to the challenge of “prove you’re you,” how would you prove you’re you? Because I can even change your fingerprints – even my fingerprints in that database – and say that my name is yours. So, therein lays the problem right now. And I think that the hope is that the solution lies in blockchain.
ED: Is there – is blockchain an interim solution?
RE: I don’t think it’s an interim solution. I think it is a – it’s a means to a means in the sense that the idea behind – the science and math behind blockchain – is what is supposed to allow it to be not so easily modifiable. And it really isn’t.
ED: So, blockchain is a deployment issue which as a purist – as a hacker – you probably see this – it’s just that – it is that the institutions that are trying to promote blockchain have got a big back-end – like a compliance, and a KYC, and a –
RE: Well, they have common legacy problems.
ED: And tell us a little bit about institutions that you work with and how they’re sort of trying to deal with it.
RE: Well, obviously, the bigger institutions here – For example, we’re at a banking conference for the most part. This is a financial technology conference. And we’re talking about major players here that are responsible for so much of our transaction ability on a daily basis. Well, those are big animals, and they’re going to move very slowly to the – they are – they have figured out they have to move with the adoption of this technology because it’s already happened, but then they’re not fully understanding.
I love that we tend to use the word “new” and almost immediately – the second after – try to fit it into the old. This is new. And what is coming is completely new. So, I think money as we know it today, is going away. And I’m not necessarily qualified to say what it’s going to be. I don’t think even an executive of a bank is qualified to say what it’s going to be – in fact, more the contrary. I think the visionaries are in these small start-up companies who are figuring out how to add this application layer to the blockchain.
ED: So, there – the philosophical, conceptual issue that – not just the big companies, but businesses in general – have to get over is that blockchain puts the entire authentication – legitimacy – of the transaction on the front-end where everyone is playing. There is no back-end to talk about. So, it’s like you have to – you’re to give up –
RE: Yeah, there’s no centralised back-end which is kind of what we’re used to with even the concept of your money being in a bank. Your money’s in your wallet. And your wallet goes with you unless you put your wallet up somewhere which is called an exchange. And that’s it. And, so, technically speaking, a lot of people with all these PACs and ICOs and all these different things – and they – it’s a very simple answer where for the conventional money as we know it now, it’s not that simple of an answer.
How do I keep this – how do I be more safe and secure? Well, don’t take your wallet out. Don’t carry your wallet, and only use your wallet for when you need to use your wallet, so –
ED: And legislation that protects the data that is – well, there is legislation that you, for example, where the data belongs to the customer, right? And the customer decides who he wants to give it to, when he wants to give it to, and this whole thing about the right to be forgotten –
RE: I think that – well, I believe in the – to some degree – in the right to be forgotten. But I think the concepts – We are not aware enough – we’re not educated – at least right now – and, again, things are evolving alongside with it – but you give the power to the people that – of something they don’t quite understand, then chances are that they’ll give that power away. And that’s what the problem is.
ED: And they’ve been doing that all the time from the days of the password.
RE: And they’re still doing it. That’s the whole thing. They’re doing it with something as simple as a password. So, without enough of an understanding – and like I said – of – honestly, we can’t even properly on a global scale identify or describe what privacy means. So, there’re a lot of cultural issues involved. So, I think there’re a number of things that we have to overcome to define these things. And then once people really understand that –
This isn’t a microwave. You don’t need to know how the food got hot. You just hit the buttons and hit start. And this isn’t that – you have to have some level of understanding because this is your identity – your life. And as we move forward – like I said, I can become you very easily right now. I think blockchain does have the potential to make that risk less.
ED: As a hacker – as a proud hacker – top three hacks that you found very interesting lately.
RE: Well, that I’ve done or that I’ve thought of in general?
ED: Yeah, what you’ve done last – I guess I ought to pay you for that or something.
RE: Well, they vary. I think back to – there’re the technical hacks that if we got into that specifically, it’s not digestible by most people. But I think, like I said, that the big problem here is the people. The weakest link in this chain is the humans. It’s what we call wetware. And as I had mentioned in my talk today, there’s no patch for human stupidity. You can patch hardware and you can patch the software, but you can’t patch the fact that life –
ED: Like leaving the door open and stuff, right, so –
RE: Yeah, it’s just the way we’re wired, so, and the way we work. So, yes, you can bring awareness and all that kind of stuff, but, again, there’s the kind of a default way, I mean –
ED: Is that what a hacker looks for – I mean consciously looks for? Or is there a way a hacker can program a process where –
RE: It’s not all programming. I mean it’s a method of – it’s kind of a way of thinking more than anything else. I think there are many people who by our definition are hackers in different areas like legal or psychology or even finance. But it’s really more of a way of thinking and it’s about learning how to learn about something you know nothing about.
One way to explain it is – the traits that make up – there’re four kinds of people in the world. The whole world is made of only four types: people who know and do, people who don’t know and do, people who don’t know and don’t do, and people who know and don’t do. And hackers are made up of people who don’t know and do and people who know and do.
They’re doers – and they start usually off by knowing nothing. What hackers are really good at is getting very deep into a subject, a technology, a person – whatever it is – very quickly and reverse-engineering that to a level that most people don’t do in that timeframe. They can do it in an hour – whether it’s in two weeks or two months – to learn a programming language on your own is – that’s the mentality.
ED: And the gratification?
RE: The gratification is you’re bored, and you need to spend your time on something. That’s it. That’s generally what it’s about is that you are – I think – we –
ED: That’s why –
RE: We’re supposed to give it names like ADD. And it’s, no, you’re bored. You’re just bored and you have that kind of mentality where if your mind isn’t working on something – figuring something out – then it’s bored, and –
ED: And that’s why the best hackers come out of Siberia in the middle of winter or Pakistan in the middle of the desert.
RE: Yeah, they’ve got nothing to do, their brains are working, and their computer is connected to the entire world, so –
ED: Thank you very much, Ralph.