Episode Transcript
1:10
Okay. Today on Cyber Work, Zarik
1:12
Megerdichian, co-founder of personal privacy
1:14
controller company Loop8, joins me to
1:17
break down the recent Roku breach, which landed
1:19
hackers a whopping 15,000 user
1:21
treasure chests filled with their vital data.
1:23
Zarik and I discuss the failings of
1:25
the current data collection and storage model, while
1:27
moving to a model in which biometrics is the
1:29
primary identification method, coupled
1:32
with a system of contacts who can vouch for you
1:34
in the event that your device is lost or stolen.
1:36
It's another interesting approach to privacy
1:38
and online identity in the age of the never-ending
1:40
breach announcement parade, so I hope you'll keep
1:42
it here for today's episode of Cyber Work. Hello
1:49
and welcome to this week's episode
1:52
of the Cyber Work podcast. My
1:54
guests are a cross-section of cybersecurity industry
1:56
thought leaders, and our goal is to help you learn
1:58
about cybersecurity trends, the way
2:00
those trends affect the work of infosec professionals,
2:03
and leave you with some tips and advice for
2:05
breaking in or moving up the ladder
2:07
in the cybersecurity industry. My
2:10
guest today, Zarik Megerdichian, is
2:12
the founder and CEO of Loop8,
2:14
a personal privacy controller
2:17
designed to work for the masses. The passwordless
2:19
system uses biometric identity verification,
2:21
eliminating the forgot password routine
2:23
while offering highly encrypted data
2:25
storage and digital privacy. Zarik
2:28
is a globally recognized entrepreneur
2:30
and investor in crypto and technology and
2:33
venture capitalism. Zarik has co-founded
2:35
and held multiple technical positions
2:37
at leading technology companies and is
2:39
known for his vehement belief in the importance of
2:41
giving back to the community. So today's
2:44
episode we're going to be talking with Zarik
2:46
about the recent Roku hack
2:48
of data and just talk
2:51
a little bit about the increasing
2:54
commonness of data breaches and what we're
2:56
going to do all about it. So
2:58
again, thank you very much for joining me today, Zarik,
3:00
and welcome to Cyber Work.
3:02
Thank you for having me, Chris.
3:04
My pleasure. So, Zarik, to help our
3:06
listeners get to know you a little better, I was
3:08
wondering if you could tell us about
3:10
when you first got interested in computers, technology,
3:13
cybersecurity. It seems like your
3:15
tech focus goes way back, so
3:17
what was the initial spark? What was the thing that got
3:19
you interested in the first place?
3:21
Yeah , so I'm not your typical
3:24
tech guy . Starting early
3:26
on , I'm a graphic designer , got
3:28
into the internet business in 1998
3:31
, designing websites , and
3:34
from that point I fell into a printing
3:36
business which I use the technology
3:39
in our advantage and I build the
3:41
largest wholesale printer in North
3:43
America . And
3:46
then I started a high
3:48
rise investment in , I
3:50
want to say , 2017 or 18
3:52
. And my focus was
3:54
to be around tech people , startups and
3:57
to fund them , and also
4:00
I have a passion for mentorship
4:02
, mentoring and coaching
4:04
. So that was high-rise
4:07
investments . Finally
4:09
, in December of 2019
4:12
, my daughter , my 14-year-old daughter
4:14
hacks into my computer and
4:17
that's how I got into cybersecurity
4:20
. So that's
4:22
how I started .
4:24
Can you talk about that day ? I mean , did
4:26
she tell you that it was coming , or did you
4:28
just suddenly get kind of a pop-up notification
4:30
like , oh look , who's here .
4:33
So it's December of 2019 and
4:35
we're in a holiday
4:37
party. It's loud, people
4:40
are all speaking , there's a music and
4:42
my daughter calls me and she asked
4:44
me for our Netflix username and password
4:47
. And I said honey , I can't think
4:49
it's so loud over here , I'll give it to you . Tomorrow
4:51
and next
4:53
day I go to her room and go like here's
4:56
our username and password . She goes like oh
4:58
, don't worry , I hacked your computer
5:00
. I
5:02
ran the computer , brought it up . I
5:04
go like show me how . And then I realized
5:07
how having a password
5:09
is a problem and
5:11
how , if someone gets
5:14
their hands on my password , they have
5:16
access to my computer . They have access to everything
5:18
. So that's how Loop8
5:20
was born . Fast forward , three
5:23
months later, COVID hits
5:25
us all and we're in a lockdown and I
5:27
cannot think of anything else
5:29
except how can
5:31
we solve this password problem?
5:39
Finally, I came up with an idea. I ran some
5:41
tests , talked to some cybersecurity professionals and filed a patent
5:43
in May and in July I
5:46
registered Loop8. And
5:48
fast forward to today
5:51
. Why am I telling you this story ? Because we
5:55
started kind of on a path
5:57
of eliminating passwords and create a
5:59
passwordless system and user
6:01
authentication , which is a great
6:03
subject for today's conversation as well
6:05
.
6:06
Yeah , I think so . Now I
6:08
definitely will keep moving on to your career
6:10
experience here , but I just have to ask again
6:12
regarding the hack , do you remember what
6:14
she did specifically ? Did she like , do
6:16
you like , like you say , like a password reset or something
6:19
and then have access to your email to grab it
6:21
, or do you , did she tell you ?
6:23
It was simpler than that . My daughter is not
6:25
a tech and a hacker kind of a thing
6:27
, so she had access to my computer
6:29
and because I was using Chrome
6:32
, all of my passwords were already
6:34
in Chrome and we have
6:36
it today also . And if I have
6:38
an access to your computer , I can
6:40
see all of your passwords . And that's what
6:42
we try to change . And she knew
6:45
how to do it . She actually looked on social
6:47
media , I guess , and figured that out , and
6:49
that's how she got into my
6:51
computer and took the username and password
6:54
out .
6:55
Interesting , okay , interesting , okay . Yeah , I mean , that's
6:57
a pretty primal one , and I think a lot of people are
6:59
probably running home to scrub
7:02
their Chrome browser to make sure that there's
7:04
nothing going on , or at least restrict its
7:06
usage . So yeah , so
7:08
yeah , I mean this is a very interesting
7:10
development . So I guess my second question
7:13
for you , I guess , is maybe
7:15
a little bit different , but you know , certainly you've been
7:17
striking out on your own path . Based
7:19
on your LinkedIn experience , you know from the beginning . So
7:21
you were the founder in 2001
7:23
of the company 4over Inc and you
7:26
remain there to this day, and you're the founder and inventor
7:28
of, is it Hire? And SignV, I don't know how to pronounce that, I'm sorry. Hireize,
7:34
yes, oh, Hireize. Okay, got
7:36
it, got it. And then, of course, Loop8. So
7:46
I mean , it seems like startups are kind of in your blood at the very least
7:48
, even if security is kind of a newer development . Can you talk
7:51
about some of the problems you are trying to fill in the space
7:53
with each of these companies?
7:55
Sure,
8:03
so when I got into printing, obviously I always loved startups
8:05
from a very early age, but when I got into printing, my philosophy is
8:07
always how can I disrupt, how can I change things for
8:09
better? So
8:12
in early days I'm talking about 2001
8:15
, things
8:17
as simple as sending an artwork
8:19
over the email or FTP
8:21
didn't exist . It was
8:23
something so new , and so
8:26
I took the advantage of the technology
8:28
background that I had . So I
8:30
brought that into the printing industry and
8:34
I just grew that business . And
8:47
one thing that was very interesting , a side effect of that technology move was my business was
8:49
in California and my customers were all locally in California, but the moment we opened the Internet,
8:51
all of a sudden I had customers from New York, Florida and
8:53
everywhere else , and
8:55
that opened up all the borders for us . That's
8:57
the technology on that side and
9:00
with High Rise , obviously
9:02
it's a passion project . I
9:05
wanted to surround myself with
9:07
startups tech
9:09
startups only and
9:11
just learn from them and not give
9:14
them the ropes . I was
9:16
a 20 year CEO
9:18
, run a company which is 1600
9:20
employees , 12 locations in the United
9:22
States and Canada and
9:25
and and I could teach them kind
9:28
of how things to
9:30
watch for , things not to do
9:32
and best practices
9:34
as well . So that's the
9:37
high-rise part and Loop8.
9:39
Obviously, my passion is
9:41
passwords need to go
9:43
. Passwords are going to
9:45
go . Someone's going to change them and
9:48
we built something that is passwordless
9:50
. We built a community base and
9:52
we also try
9:54
to stay away from a subject of today's
9:56
conversation , which is data collection
9:58
. We don't collect your data . We
10:01
collect some data . We collect only only
10:03
your email and a phone number . That's
10:05
it . We don't want to know your name , your gender
10:08
, your address .
10:10
Yeah , all the security question type data
10:12
yeah .
10:13
Other things , and we built the technology
10:15
that we don't even store your passwords
10:18
or your encrypted
10:20
vault , and that's very
10:22
unique to us , because we build a community
10:24
model that people that know you , they
10:27
can vouch for you and
10:30
your ID comes back . There is no passwords
10:32
to be phished and
10:36
that's what Loop8 is all about.
10:39
Okay , Well , yeah , let's talk our topic then
10:41
. As we said at the top of the show , I wanted
10:43
to talk with you today about the recent
10:46
Roku data breach . So from
10:48
as early as January 4th until the reports
10:50
that started coming in in mid-March , it
10:53
sounds that hackers were able to infiltrate the
10:55
streaming service Roku and
10:57
get access to more than 15,000 Roku
10:59
accounts , including passwords , stored credit cards
11:01
though no , fortunately no social
11:04
security numbers , full account numbers
11:06
or date of birth , which , again , not sure why
11:08
they would have those . Roku reported that
11:10
the hackers obtained log information and tried to
11:12
buy streaming subscription on stolen
11:14
credit cards . So do
11:17
we know more about the breach than that
11:19
? Do we know about the group responsible ? Or
11:21
, like the attack path ? And you know , I was
11:23
going basically on a couple of press
11:25
releases . I think that , basically , that Roku gave out but
11:27
do you do we have a better sense of , like , the sort of technical
11:30
aspects of this breach ?
11:33
Unfortunately , the group is unknown and
11:37
Roku is claiming credential
11:39
stuffing . What that means
11:41
for users is , when
11:44
hackers are stealing data
11:46
from some other company and they go to Roku
11:49
and try that same username and password
11:51
, chances are they
11:53
get in . And that's what Roku claimed
11:55
. However , just three days ago
11:57
they had a new
11:59
breach , which is 570,000
12:03
accounts
12:06
were compromised , and they claim
12:08
credential stuffing on
12:11
those also . In my view
12:13
, credential stuffing is
12:16
someone else's problem . It's not ours . So
12:18
it's very difficult to tell if the systems were
12:20
compromised or what exactly happened . But
12:25
that's as far as I
12:27
know about this and I can get about
12:29
this .
12:30
Yeah , yeah , yeah , no , I think that's . You
12:32
know . Maybe that would happen with a few
12:34
, but the idea that you could , you know
12:36
, grab 15,000 , there's 15,000
12:39
, you know duplicate passwords
12:41
that could be credential stuff seems suspect
12:44
, I suppose . Or you know whatever else
12:46
there about
12:49
the
12:51
ubiquity of data
12:53
breaches and the ubiquity of
12:55
announcements about them at
12:57
these days . I mean , obviously breaches at this point are
12:59
sort of inevitable sooner or later , but with
13:02
some data security and private practices
13:04
we can do a little post-mortem
13:07
on the event . So I want to talk about
13:10
the type of data they collected . So Roku was happy
13:12
to tell its attackers that
13:15
the attackers quote didn't get any social security numbers
13:17
or dates of birth , personal account numbers . You
13:20
know the account numbers are neither here nor
13:22
there but , like I said , I don't know why Roku needed
13:24
social security numbers to provide user with
13:26
their service . You know this
13:28
is a question that comes up sometimes . We talk about
13:30
things like you know . Again
13:33
, like you said , you want the death of passwords , but also
13:35
the death of the security question , especially as
13:37
like a resetting mechanism when you
13:39
lose your passwords . But you
13:42
know , I don't know why Roku would need to know
13:44
my birthday , because I don't recall getting any gifts or
13:46
offers from them on my birthday . It's probably more
13:48
likely an opportunity to do more selling to me , but
13:59
I want to just talk to you, Zarik, about the state of data collection and some of the things that could
14:01
and should be changed across e-commerce . So what are some of the worst tendencies that you've seen of
14:03
companies in terms of data collection and what are your recommendations of stopping
14:06
this over-collection of data ?
14:08
So , unfortunately , data
14:11
is the new currency and
14:13
companies are collecting
14:16
this data and they're making that
14:19
data available for their organization
14:21
or they're selling it to data brokers . The
14:24
bad news is it impacts the
14:26
users and if their data
14:28
protection is not to
14:31
a par and they don't have solid
14:33
systems. If they get breached and hackers now have access to user
14:38
information , and
14:40
that's a problematic thing . Social
14:43
securities and dates of birth, these
14:45
are very private information
14:48
and should not be ever asked . I
14:50
think companies have to be saving
14:53
information at the very limited
14:56
level as long as they can function . I
14:58
was playing a little game Candy
15:00
Crush kind of like game that
15:03
forced me to pop up saying
15:05
I want your date of birth . I
15:07
ignored and I couldn't continue . For some
15:09
reason , they decided after a very long
15:11
time that they should be in the business
15:14
of collecting data . It's
15:17
very difficult to manage those , considering
15:20
how attackers can get into your database
15:22
and compromise and sell it in
15:24
an open market .
15:26
Yeah , now I've had a previous
15:28
guest on that , you know , assured
15:31
me , or that we discussed the idea
15:33
that this sort of what we called the Wild West
15:35
era of data collection is starting
15:37
to come to an end . You know , back in you
15:40
know the early mid 2000s , I
15:42
think , the sort of , you
15:46
know , the way people
15:48
thought about data collection was get everything
15:50
, we'll decide what to do with it later
15:53
. And so it was . You know , every form
15:55
just had an abundance of . We'll ask about your
15:57
birthday , we'll ask about your home
15:59
address , we'll ask , you know , security questions , all this
16:01
data you know , and we
16:04
seem to be leaning toward the
16:06
idea that regulations were coming that
16:09
would sort of put this Wild West
16:11
notion of data collection in
16:14
excess to the end here . But I
16:16
don't know if that's necessarily proving
16:19
to be the case here now . I mean , you
16:23
know , the fact that you know a game like
16:26
this is telling has suddenly
16:28
decided that it wants more data from you mid-game
16:31
indicates that some people are like
16:33
some companies are not going to go quietly into this
16:35
good night . I mean , what are your , what are your thoughts on this ? Are
16:37
you seeing like an upswing in in sort
16:39
of like the last minute , kind of like cash
16:41
grab of of data collection there
16:43
or absolutely , absolutely
16:46
.
16:46
I've seen , uh , in few places
16:48
that are they're collecting information that are absolutely
16:51
unnecessary for them , and I
16:53
think , at the end of the day , if I
16:55
have an organization , I have to
16:57
monetize . I have to make money . Sometimes
16:59
selling ads is critical
17:01
, but knowing the demographics of
17:04
the users is gonna
17:06
make me sell ads much more
17:08
effectively . And now people
17:11
are joining this kind
17:13
of data game . In
17:16
my view, Web 3.0,
17:18
which is the future of ours, it
17:20
should be opt-in only. Anyone who wants
17:23
to get advertised, they can kind
17:25
of opt-in and give their information
17:28
. Everyone else should be staying
17:30
out , but I think we're
17:32
still ways away from getting
17:34
there .
17:36
Yeah , yeah , absolutely yeah . The idea
17:38
of you know involuntary
17:41
opt-in and then you have to voluntarily opt
17:43
out and the hopes that we can
17:45
flip that for whatever comes next
17:47
is a
17:49
good one . I hope I don't know what the about the you
17:52
know the mechanism of Loop8 here. Is
18:02
there anything in the actual data security system
18:05
around the data
18:07
you know storage by Roku that you think could have been
18:09
done better ? You know , I mean , obviously the horse
18:12
is out of the barn now , but are there methods of data
18:14
storage coming in the future you think that might be able to
18:16
render wholesale data grabs like this obsolete
18:18
?
18:19
So unfortunately , no matter the encryption
18:22
and layer of security , there
18:25
will be always human error , and
18:29
every company is as strong
18:31
as all the connected links . Companies
18:33
like Roku have third parties , maybe
18:36
a shipping company , maybe a payment company
18:38
. These are all third parties and if
18:41
their security is not up to the standard
18:43
, the hackers can come through that
18:45
channel and attack any
18:47
organization . So
18:50
it's difficult . A
18:52
lot of companies have been trying very
18:55
hard to solve this
18:57
issue , but the human error
18:59
remains the biggest problem
19:01
, because we make mistakes
19:03
and hackers are banking on
19:06
that .
19:06
Yeah , yeah , and there's just , there's just not really
19:08
a way , if you know , even
19:11
if you briefly let someone in , like there's just no
19:13
way to unlet them in at this point . It seems like
19:15
once they're in , they're in . So
19:17
, yeah , I mean , you know , this is maybe just a venting
19:19
point I've had with a couple other guests , but I want to just
19:22
kind of talk about it
19:24
. Just seems like at this point in 2024
19:26
, you know , every other week I'm getting
19:28
a notification from you know
19:30
, a utility company , a streaming
19:32
service , my CPAP , my
19:34
, you know , bank We've been breached
19:37
, We've been breached , We've been breached , we've been breached , we've been breached
19:39
. You know , and it's one thing to say , oh , your , your password
19:41
got compromised , please change your account , your
19:43
password that you can usually do that fast enough
19:46
that nothing really happens . But we're hearing so
19:48
much about , well , we got vital
19:50
data from the users . I didn't really
19:52
realize that , like my CPAP
19:55
machine was giving out my home address
19:57
and my social security number and you
20:00
know , and then they all kind of it's
20:02
all just kind of gets wiped over with like , hey , have a free year
20:04
of credit monitoring on us and maybe freeze all
20:06
your credit lines in the meantime . But you
20:08
know . I mean , is this something that
20:10
we're just finding ourselves
20:13
getting used to , Because it just seems like
20:15
it's really accelerated in the last couple of years
20:18
and , you know , obviously a loss of trust
20:20
is coming . Do you think that this is going to be
20:22
a mechanism towards , you
20:25
know , consumers not
20:27
working with companies that are this sort of like
20:30
flagrant in their data collection ? Do you
20:32
see like a sea change coming ?
20:34
Well , it's unfortunate . We have to be
20:36
careful not to let people get used to
20:38
these breaches , because we lose sensitivity
20:41
towards all of those things . We
20:44
need the industry leaders, Apples,
20:46
Googles and Microsofts and
20:49
all the top players to get together
20:51
and work on this data privacy
20:53
issues . The bad news
20:55
is Apple is really trying to create
20:57
a security around their own
20:59
ecosystem, Google is, Microsoft,
21:03
and until these guys get together , we're
21:06
going to have these breaches . One of the biggest
21:08
thing is we used to
21:10
talk about MFA
21:13
, two-factor authentication and
21:16
the latest MGM attack
21:18
, which was a SIM swapping. They
21:22
called and
21:25
they stole the phone number and they
21:27
bypassed the multi-factor
21:30
authentication and they attacked the entire
21:32
network . So something fundamental
21:35
needs to change and I think this larger
21:37
organization have
21:39
to kind of get together and think
21:41
of something other than firewalls
21:44
we were building for four decades
21:46
. We're building firewalls , we're building
21:48
SIEMs, we're
21:50
building honeypots , all kinds of
21:52
stuff but at the end , the
21:55
users are humans and
21:57
humans make mistakes .
21:59
Yeah , now , at this point I
22:01
was going to move over into the
22:03
career aspect and career tips
22:05
and so forth , but I want to . You've talked a little
22:07
bit about Loop8 and your sort
22:09
of alternative to passwords , and this
22:12
seems like the place here if you would like to tell
22:14
us about the sort of mechanism
22:16
of what Loop8 does and how it sort of goes
22:18
beyond passwords . As you said , there's a
22:20
biometric aspect to it , but can you sort
22:23
of walk our listeners through how
22:26
it actually works ?
22:27
Sure, so in Loop8,
22:29
my first
22:31
goal was I
22:33
don't want to collect data . I'm
22:36
only going to collect data that I need
22:38
to make sure I can
22:40
empower the user . So we collect emails
22:43
and phone numbers . Today we
22:45
have a plan by before end of
22:47
the year that we don't even collect phone numbers , only
22:49
emails . The
22:51
system works is also your username
22:53
and your encrypted vault sits
22:57
on your own personal drive
22:59
. We kind of went to that route
23:01
. You have an iCloud or you have a Google Drive
23:04
, unlike 1Password
23:06
or LastPass companies that
23:08
collect all of your encrypted data and
23:10
keep them on their server and they
23:12
become a massive target
23:14
for the attacks. Loop8's system
23:17
is a passwordless biometric
23:19
and what we built , which is
23:21
very unique to us , is called
23:24
TrueAid . What you do is you
23:26
designate eight people and
23:28
all you need is three of the eight
23:30
saying I know Chris and
23:34
Chris's identity is going to get
23:36
restored,
23:44
and that's what kind of how we built this technology, which is very
23:46
user-centric . We build a cookie killer and a history
23:48
cleaner . So when you're traveling
23:50
through the websites , you don't want anyone
23:52
to know where you went after
23:54
you left their site . So the cookie
23:57
killer is included , is part of our suite
23:59
. We build a safe which
24:01
is very unusual encrypted
24:03
safe for computers which
24:06
only opens up with your biometrics
24:08
. There is no password . In our world , there
24:10
is no password , it's only biometrics
24:12
. And we
24:15
also have a dark web monitoring . So
24:17
every time you're browsing through an internet
24:19
, if you're going to Netflix , we
24:21
can trigger saying hey , your
24:23
username and password was compromised
24:26
. Go ahead and change this to
24:28
something that takes maybe two million
24:30
years to be broken , instead
24:32
of a simple first name
24:34
and your date of birth
24:37
and those kind of stuff . So that's
24:39
our story of Loop8.
24:41
Yeah , that's interesting . I feel like that was
24:44
certainly something that
24:47
other types of file sharing things
24:49
got right
24:51
in the mid-2000s in terms of making everything
24:54
on each person's individual
24:56
computer and obviously an attacker , obviously , if
24:59
you're you know , you know
25:01
an attacker can attack one person's
25:03
vault and maybe they bypass that person's
25:06
phone or whatever and are able
25:08
to do some other things . But there's
25:10
not . It really cuts down on that idea
25:13
of like this treasure chest of tens
25:15
of thousands of sets of credentials.
25:17
All you need is that one sort of attack space. Now,
25:19
again, you know we talk about, we use the metaphor
25:22
of like remote work versus an
25:24
on-prem work , of being the difference between defending
25:26
a castle versus defending a , you know
25:28
, a village of tents , and so here you
25:30
know , I think the opposite is true . You can only
25:32
attack one person at a time like that . So
25:34
am I getting that right , that you know
25:36
that there's not that sort of like war chest
25:38
at the beginning , at the center of
25:41
your sort of file management
25:43
?
25:43
That's, you nailed
25:46
it, Chris. That's
25:49
absolutely the case . Our
25:51
design was look at LastPass as a company 35
25:54
million users , bunch of encrypted files
25:56
and they became a target , because
25:58
imagine a bank that has $35 million
26:00
in there . Now imagine a bank
26:03
that has only $8 in there
26:05
. That still can be targeted
26:07
, but there is not a whole
26:09
lot of incentives for hackers
26:11
. That's what we're building . If they want
26:13
to come after you , they have to find
26:16
eight other people , break
26:18
their keys it's all
26:20
sharded and and then they
26:23
get to you . Only that's one person
26:25
. Yep , this it's not . So
26:27
. That's our , that's our vision . That's our
26:29
vision for the future as well .
26:31
So , and uh , that's
26:33
the difference in Loop8, and you talk
26:35
about the , uh , the sort of recovery
26:38
aspect of it , because I mean , mean , I know that obviously
26:40
biometrics , you know is , is a
26:42
very effective certainly every time I , you
26:44
know , have my face in front of the phone here and
26:46
it's doing the little doobly-doo thing
26:49
and then suddenly I'm in , I'm in my bank or whatever
26:51
, like , um , you know , I , I
26:53
understand empirically why that that
26:55
works . But like , if you lose your phone
26:57
, if you lose your device , um
27:00
, and you said you have sort of like eight connections
27:03
that vouch for you , how does that work in terms
27:05
of like , recovering yourself ? Obviously
27:07
, the whole thing is to get away
27:09
from the whole security questions aspect and
27:11
the whole , you know , reset my password with
27:14
the IT department or whatever . So what , how
27:16
does that work with regards to the , the sort of eight
27:18
connections ?
27:19
Sure . So the way it works is you
27:21
only need three of the eight . The reason
27:23
with eight ? Because when you
27:25
lose your phone , you have to recover
27:28
as fast as possible . You can't wait , and if
27:30
someone's on a plane going somewhere , you
27:33
can't wait for them to land . So
27:35
the way it works is when you
27:37
sign up for Loop8, you
27:40
assign the people you trust could
27:42
be family members , friends , siblings , anyone
27:45
and what happens
27:47
is in their app , they
27:50
accept to be a recovery person
27:53
and if you lose your phone
27:55
, all you do is you get a new phone
27:57
, you go back to Loop8
27:59
, we'll recognize you coming back by
28:02
the phone number and email
28:04
and we'll send the information
28:06
to your TrueAid and all you
28:08
need is three people saying
28:10
yes , this is Chris , and your identity
28:13
comes back . So we're going back hundreds
28:16
of years to a village
28:18
. When people came into a village , they
28:20
knew each other and we want
28:22
to stay away from stealing your
28:24
password . And and and
28:26
that old cartoon I
28:28
had, LA Times or it was New York
28:30
Times, that no one knows on the
28:32
internet you're a dog. Two dogs are
28:34
talking to each other , right , right , that's that 1996
28:39
. Four decades later , we're still
28:42
on that stage of
28:44
no one knows , on the internet you're a dog
28:46
, so we're trying to change
28:48
that .
28:49
Yeah . Now again
28:51
, I just want to drill in a little more on the sort of mechanics
28:54
of that . So when you get a new phone
28:56
you put Loop8 back on, you
28:58
sort of say of say I lost , you
29:01
know , I I lost access
29:03
to this previously . And then
29:05
you send out a notification and so like those
29:07
eight people all get kind of like a
29:09
notification on their phone or device saying
29:12
Chris wants you to vouch for
29:14
him , will you do it , or whatever . And
29:16
then you talk to them on the phone . They say yeah , it's me and I did
29:18
. I asked for that . Is that the idea ?
29:20
That's absolutely the idea, and
29:22
one thing is , when we contact
29:25
your , your users , we
29:28
we actually send them a message saying
29:30
do not say okay until
29:32
you talk to Chris. Right, yes, okay,
29:35
that's good , or someone else is not coming
29:37
in pretending to be Chris and
29:40
trying to recover Chris's identity
29:42
and get in there . So
29:44
that's the message we're sending , and
29:46
when they talk to you , you
29:49
say , yeah , it's me . All they do
29:51
is they push a button . We have an amazing
29:53
test that we have done
29:55
over here . It takes 10 seconds and
29:58
your entire passwords . You
30:00
have all the . Everything kind
30:02
of gets recovered , okay . So
30:05
so that's that's that's . It goes
30:07
back into your , your sort of vault , phone
30:09
vault or your device vault and
30:12
and one of the things that Loop8 does, which is different
30:15
, and and my daughter's hack
30:17
is a great example uh
30:19
, right now , if you have access to my
30:21
computer , if you can find a way to
30:23
get into my computer , you can see all
30:25
of my passwords in Chrome extension
30:27
. But with Loop8
30:30
, we created a tunnel with
30:33
phone and Chrome
30:35
and when you open the tunnel , which is
30:37
just a face ID , your passwords
30:39
are available for a limited time and
30:42
the moment you close the tunnel , you hit lock
30:44
, your passwords are back on your phone
30:46
. They're not in your computer and they're
30:49
protected by your face ID . So
30:51
, very different approach . And
30:53
the side effect of
30:55
this , the cool side effect of this is I
30:58
can walk to anyone's computer , borrow
31:02
their computer , scan a QR code and
31:05
all of my passwords will be available on
31:07
their computer . I can do my work
31:09
and lock . Everything
31:11
is back on my phone . I walk away
31:13
and they cannot access any one
31:16
of my accounts . So it gives us a mobility
31:18
, yeah .
31:19
Yeah , love that . Well , okay , so
31:22
I want to sort of divide
31:24
my next question a little bit in half . So
31:26
first , you know I wanted to ask you
31:28
about your advice for people
31:30
who want to get into this
31:33
particular field of you know
31:35
, for Loop8 or you
31:37
know other things like that . If
31:47
you have any advice on you
31:49
know , the types of training or work or projects
31:52
that you want to see on a person's resume to
31:54
indicate that they would be a good fit for
31:56
doing this kind of work . And then I guess my second
31:58
part of that question that I didn't ask before is have
32:01
there been any recent like challenges
32:04
that your team , in terms of like implementation
32:06
or you know an unexpected
32:08
, uh , you know tech consequences
32:11
around putting Loop8 together that
32:13
they were solving ? Like , what are the kind of problems
32:15
, uh , you know , that need to be
32:17
solved to put this in place ? And then , what kind
32:19
of people , uh , do you think are
32:21
good at doing that kind of work ?
32:23
Okay , so first is
32:26
anyone with a security
32:28
background is a great
32:30
candidate for a company like ours , because
32:33
all of my co-founders and I have
32:35
six of them . They're also security
32:38
specialists , pen testers , CISOs
32:40
, and these guys are
32:42
specialized in protecting
32:45
data . Those are good type
32:47
of candidates . But my
32:50
favorite candidate is a person
32:52
who thinks outside of the box . When
32:54
I was starting this project , I
32:57
met a lot of people in Silicon Valley area
32:59
to get this project going and
33:01
I could see people didn't
33:03
really believe in this . So
33:06
I called this project Project Impossible
33:08
back in 2001
33:10
. Posted on LinkedIn saying I'm
33:12
starting a project impossible because anyone
33:14
I talked to they said it's impossible
33:16
. So having an open mind
33:19
, getting into a
33:21
new tech business , will
33:24
get you in a different level
33:26
. You're going to grow in the business , you're going to thrive
33:28
and and you hopefully
33:31
develop a
33:33
technology that it's
33:35
good for 2024 and beyond , and
33:38
it's not one of those maintenance
33:40
areas . So that's
33:42
that's my recommendation . So that's my recommendation
33:44
People can do . Pen testing is
33:46
usually the best one I really
33:49
like data privacy
33:51
and data governance , working with lawyers
33:53
. The cloud engineering
33:56
is a big thing because
34:02
we
34:06
use Amazon or Google or
34:09
Microsoft . They don't guarantee
34:11
the security , so we have to be responsible
34:13
for our own security , so
34:15
that is very important . So that's what I
34:17
recommend for new starters
34:19
.
34:20
Yeah , yeah , well , yeah , ok , so go back to my question
34:22
again . Were there any particular and I'm
34:24
not doing this as a way of like interrogating Loop8
34:26
, but
34:33
rather like I know that , for example , using a password manager or whatever , that
34:35
certain websites will do certain security workarounds with them ? You
34:37
know your emails on one page and then your
34:39
password gets asked on the next , and sometimes
34:41
that makes things go a little wonky . Or
34:43
you know they do certain things
34:46
that if you're trying to , like you know , add a new
34:48
, you know new password or whatever . Were
34:50
there any kind of like implementation challenges with
34:53
regards to the sort of websites that you were interfacing
34:55
with or the sites that you were attempting
34:57
to sort of move credentials through ?
34:59
Yes , yes , we always have
35:01
those , always
35:11
have those and we're still fighting them today because lots of companies develop software
35:13
in a different standard . Some of them are very , very organized and standards and
35:16
some just name , password
35:18
, fields , something else and
35:20
and it's very difficult to detect
35:22
those . So we definitely have that . Our
35:24
team is identifying
35:28
and fixing as we go forward . All
35:31
major organizations are
35:33
covered . I think we have 1,000 , tested
35:36
, 1,000 sites , but we still come across
35:38
a lot of missed
35:40
password that doesn't show up in
35:42
the right place and we're
35:45
still seeing those things and , as we
35:47
see it , we document it for our quality
35:49
assurance so we can add that
35:51
to our list and correct the problem . So , yes
35:53
, we do have some of those challenges
35:55
.
35:56
So you were mentioning that your six co-founders all
35:59
have specializations . Do you have
36:01
any thoughts on specialization in
36:03
the industry specifically
36:06
, and within that , are there any like
36:08
big skills gaps that you're seeing
36:10
amongst candidates who might be trying to work for
36:13
you ? Are there things that you think you
36:15
know ? Either people are not , you
36:18
know , going wide enough in their knowledge or
36:20
they're being too specialized , or they just don't
36:22
understand . Maybe soft skills or other
36:24
things . Like , what are some of the blind
36:26
spots that you've seen , if any ?
36:29
Unfortunately , when it comes
36:31
to the world of security , there are too many roles
36:33
and too many systems , so finding
36:35
a person that can come in and work on your
36:38
security stack is difficult
36:40
. So my advice
36:42
for anyone who's interested in this is
36:44
educate yourself . There's a lot of good information
36:47
out there . Try to learn as
36:49
much as possible , because any organization
36:52
you get into you
36:55
can learn on the job , but
36:57
at the same time , you have to have some background
37:00
. So that's the biggest issue right
37:02
now , which is because the field is too large
37:04
. My favorite functions
37:07
I kind of briefly talked about
37:09
is high-level architecture
37:12
of security , testing
37:14
is great , cloud engineering
37:16
is good and data privacy
37:19
. These are areas that I
37:21
highly recommend for anyone
37:24
who wants to get started into this field .
37:26
Yeah , I think that's all fantastic
37:28
advice , and I think it's also always
37:31
worth remembering
37:33
is that if you have an
37:35
even moderate level to
37:38
medium high level of security knowledge
37:41
whatever you're missing in it you're
37:43
going to be able to get on the job fairly quickly
37:45
, as long as you can sort of demonstrate that
37:47
you understand the concepts and , like
37:49
you said , across a sort of a wide spectrum of things
37:51
. I imagine it's probably more appealing
37:54
even if you're hiring someone you know in pen
37:56
testing that they also have a
37:58
rudimentary knowledge of cloud or a rudimentary
38:00
knowledge of , like you say , architecture
38:02
. There's this understanding that
38:04
you're not going to like self silo too much
38:06
.
38:08
Absolutely .
38:09
Yeah , now , um , I want
38:11
to ask you , of course , uh , you clearly uh
38:13
love what you do . Can you talk about your favorite part
38:15
of the work that you do and what it is
38:17
that makes you excited to keep pushing and learning every day ?
38:21
Uh , it's . It's
38:23
one of the greatest feelings , Chris , to
38:26
wake up every day and and think about
38:28
I'm doing something that , hopefully
38:30
, will change the way
38:32
we do business we did , the way we work
38:34
, the way we enjoy our , our digital
38:37
life , which is now getting bigger and bigger
38:39
. So , uh , so that's , that's
38:41
the most exciting part about , uh
38:43
, this business , uh , thinking outside of the
38:45
box , doing the impossible
38:47
projects , and
38:50
then that's what gets me out of the bed
38:52
every day . So that's the exciting part
38:54
about doing something different .
38:56
Love it . Before we go
38:58
here . I know we're getting close to the end
39:00
, but you mentioned the importance
39:02
of mentorship to you . Can
39:04
you talk a bit about your history
39:06
as a mentor or a mentee and
39:09
why you think it's important for there
39:11
to be a robust sort of mentor mentality
39:13
in security ?
39:15
Yeah . So when I was starting my business
39:17
, I learned a
39:20
lot of things the hard way and I
39:22
wish that there was somebody there
39:24
to help me kind of get there faster . That's
39:26
why I always recommend
39:28
find a good mentor . Look
39:30
for a person that can shorten
39:34
the distance from where you want to start
39:36
and when you want to end by giving you
39:38
guidance . So mentorship is huge
39:40
. What I do
39:42
with my startups that I mentor
39:44
is I teach them not
39:47
only today , when you're starting
39:49
, think about the exit , how
39:51
to structure your business so you can sell it
39:53
one day hopefully . And those are some
39:56
decisions that people don't know . They think , oh , we're
39:58
going to sell one day . But
40:00
having some guidance on early days is
40:02
going to put you in the right direction and
40:05
that's very critical . So I highly recommend
40:08
find a person
40:10
. If you're a startup , find
40:12
a positive person too . So
40:14
because a startup life is difficult
40:17
, it's complicated and it's hard
40:19
, but when you have good friends
40:21
and positive friends , then the
40:23
journey becomes much easier .
40:25
Now can you talk about for someone
40:27
you know , if you're kind of early
40:29
, mid into your career , you know
40:32
certain people might be of a mindset
40:34
of like , well , I don't you know who would want me for
40:36
a mentor . I don't you know , what do I know ? Or whatever .
40:38
Like , can you give me some indications of like , what
40:42
indications you would , you know , know
40:44
about yourself that say , okay , I'm , I'm
40:46
a , I'm a worthy mentor ? You know , I need
40:49
to start looking for mentees . Like what , what's
40:51
, what's the sort of like , what , what's , what's the
40:53
Rubicon that you cross ? I guess .
40:55
So what I'm looking for is people
40:58
with experience and and
41:00
that's usually a person that's gone
41:02
this this path and
41:05
and they have experience and anything
41:07
they can share with me that
41:09
would be useful . One thing
41:11
that I'm noticing with people that I mentor
41:13
is I have two different types of
41:15
people . One they don't
41:17
listen . They think just
41:20
by being in a room they may gain
41:22
some wisdom . But listening
41:24
is a key because what
41:26
I'm sharing is an experience from my side
41:29
. But what you do is you collect
41:31
those information and you use them
41:33
in your business models , which is
41:35
could be very different business model , but
41:37
overall , most of these rules
41:39
are set for businesses
41:41
. So , but that's
41:43
usually surround yourself
41:46
with people that have
41:49
business experience , have success
41:51
and and that's the
41:53
type of advice you want to get . Don't
41:56
get it from a guy who never ran
41:58
a business , because he
42:01
may not know some of these things , challenges
42:03
that you may be facing . So that's
42:05
how I would say find the next mentor . Get
42:08
yourself close to anyone who
42:10
has experience and is willing to
42:12
share with you .
42:13
Yeah , Now , clearly you've had a very
42:16
successful career and it's still
42:18
going on , but can you tell our
42:21
listeners what's the best piece of career advice
42:23
you ever received ? What's the
42:25
?
42:25
best piece of career advice you ever received ? Well , I think I just
42:27
gave one of them , which is
42:29
very , very important . Surround
42:31
yourself with positive people . That's
42:33
one of the key points
42:36
. My biggest advice
42:39
that I received in my career that helped
42:43
me a lot was delegating
42:46
. As a human , we're
42:48
very , very much I'll do it myself
42:50
kind of . We do a lot of micromanagement
42:53
, but last I
42:55
had a good mentor . He
43:01
said Zarek , last I checked , God only gave you two hands , and when you delegate
43:03
, you can multiply that . But when you delegate
43:05
, you can multiply that . And that's how I built an organization
43:08
with 1,600 people in
43:10
12 states and Canada
43:12
and I only had two
43:14
hands . And that's the best
43:17
advice I can give that we have a
43:19
natural tendency to hold on to
43:21
issues . By
43:23
delegating , not
43:30
only we're building a very good team , we're also expediting
43:32
, we're going with a super fast speed towards
43:35
our goal .
43:35
Yeah , yeah , I think that's such a great piece of advice
43:37
and so hard for people of
43:39
a certain mindset to let go of that
43:41
. The idea that , like , if I let
43:43
someone else take part in the work
43:46
, then they get to take part in the glory , you
43:48
know , like I think there's , there's a part of that . If
43:50
I do it all myself , then it was all
43:52
me , you know , and I don't . I don't think that's
43:55
ever feasible and I think it does . Like you said , I think
43:57
it kind of narrows your
43:59
, your possibility for success .
44:01
Yeah , absolutely , and
44:03
, Chris , I had because
44:05
of the organization . I had countless managers
44:07
and I was fortunate to be able to
44:09
see good practices and bad
44:11
practices . And I saw a person that
44:14
would come in at 5 am and leave at
44:16
8 pm and was
44:18
micromanaging everything and was always
44:20
behind for two weeks and
44:22
the team really didn't enjoy working with
44:24
this person . And then
44:26
I saw another person that would come in , had
44:28
a team standing like soldiers
44:30
and delegating the process and
44:33
the best performance , and
44:35
so that's a difference . Delegate
44:38
. Your life is easier , you work less and
44:41
you reach your goal much faster .
44:43
Yeah , love that . Okay , so one
44:45
last question . You
44:50
talked quite eloquently about the Loop8 platform . If
44:52
people want to learn more about it or how to check it
44:54
out for themselves , where should they look online
44:56
?
44:57
We are at loop8.ai
45:01
, okay . However
45:04
, we're still in a stealth
45:06
mode . We are open , but
45:08
we have a limited VIP invitation
45:11
. We're doing a lot of user testing , but
45:13
loop8.ai is
45:16
where you can enter your email and we'll notify
45:18
you in a month or so
45:20
to start
45:23
downloading .
45:24
Nice and if people want to learn more about you .
45:30
Zarek , where should they look online ? Are you on LinkedIn ? Yes , I'm on LinkedIn
45:32
, Zarek Megadichian , I'm pretty active on LinkedIn , so you can message me
45:34
on LinkedIn and usually that's the best place
45:36
for me to get to know you .
45:38
Our listeners are very LinkedIn oriented . I'm sure you'll
45:41
be getting some connections after this episode .
45:43
Fantastic . Looking forward to it .
45:44
All right . Well , thank you so much for joining me today , Zarek , and
45:47
for helping me to kind of lower my
45:49
blood pressure about my Roku account .
45:52
I'm glad I could do that , Chris . Thank you for having
45:55
me on .
45:55
Absolutely . And as always , as we close
45:57
off here , thank you to everyone who is watching and listening
46:00
and writing into the podcast with their feedback
46:02
. If you have any topics you'd like us to cover or
46:04
guests you'd like to see on the show , feel free to drop them in the
46:06
comments below . And , as always
46:08
before we go , please check out infosecinstitute.com
46:11
slash free , where you can get a whole
46:13
bunch of free and exclusive stuff for Cyber Work listeners
46:15
. This includes our new security
46:18
awareness training series , Work Bytes , a smartly
46:20
scripted and hilariously acted set of videos in
46:22
which a very strange office staffed by a pirate , a
46:25
zombie , an alien , a fairy princess , a vampire and others
46:27
navigate their way through age-old
46:29
struggles of yore . This is a great security
46:31
awareness training tool and it's very funny
46:33
. Go check out the trailer on our site . This
46:36
is also still the best place to go for
46:38
your free cybersecurity talent development
46:40
ebook . You'll find our in-depth training
46:42
plans and strategies for the 12 most common security
46:44
roles , including SOC analyst , pen tester
46:47
, cloud security engineer , information risk
46:49
analyst , privacy manager , secure coder
46:51
, ICS professional and more . Quite a few
46:53
of those roles were talked about in today's episode
46:55
. You want to know more about them ? Go to infosecinstitute.com
46:58
slash free and yes , the link is always in the description
47:00
below . One last time before
47:02
we go . Thank you so much to Zarek
47:04
Megadichian and Loop8 , and thank you
47:06
all for watching and listening . Until
47:16
next
47:19
week . This is Chris Sienko signing off , saying happy
47:21
learning .