Roku’s hacked data breach – will we never learn our lesson? | Guest Zarik Megerdichian

Released Monday, 17th June 2024

Episode Transcript

1:10

Okay. Today on Cyber Work, Zarik

1:12

Megerdichian, co-founder of personal privacy

1:14

controller company Loop8 , joins me to

1:17

break down the recent Roku breach , which landed

1:19

hackers a whopping 15,000 user

1:21

treasure chests filled with their vital data

1:23

. Zarik and I discuss the failings of

1:25

the current data collection and storage model , while

1:27

moving to a model in which biometrics is the

1:29

primary identification method , coupled

1:32

with a system of contacts who can vouch for you

1:34

in the event that your device is lost or stolen

1:36

. It's another interesting approach to privacy

1:38

and online identity in the age of the never-ending

1:40

breach announcement parade , so I hope you'll keep

1:42

it here for today's episode of Cyber Work . Hello

1:49

and welcome to this week's episode

1:52

of the Cyber Work podcast . My

1:54

guests are a cross-section of cybersecurity industry

1:56

thought leaders , and our goal is to help you learn

1:58

about cybersecurity trends , the way

2:00

those trends affect the work of infosec professionals

2:03

, and leave you with some tips and advice for

2:05

breaking in or moving up the ladder

2:07

in the cybersecurity industry . My

2:10

guest today, Zarik Megerdichian, is

2:12

the founder and CEO of Loop8

2:14

, a personal privacy controller

2:17

designed to work for the masses . The passwordless

2:19

system uses biometric identity verification

2:21

, eliminating the forgot password routine

2:23

while offering highly encrypted data

2:25

storage and digital privacy. Zarik

2:28

is a globally recognized entrepreneur

2:30

and investor in crypto and technology and

2:33

venture capitalism. Zarik has co-founded

2:35

and held multiple technical positions

2:37

at leading technology companies and is

2:39

known for his vehement belief in the importance of

2:41

giving back to the community . So today's

2:44

episode we're going to be talking with Zarik

2:46

about the recent Roku hack

2:48

of data and just talk

2:51

a little bit about the increasing

2:54

commonness of data breaches and what we're

2:56

going to do all about it . So

2:58

again, thank you very much for joining me today, Zarik

3:00

, and welcome to Cyber Work.

3:02

Thank you for having me , Chris .

3:04

My pleasure. So, Zarik, to help our

3:06

listeners get to know you a little better , I was

3:08

wondering if you could tell us about

3:10

when you first got interested in computers technology

3:13

, cybersecurity . It seems like your

3:15

tech focus goes way back , so

3:17

what was the initial spark ? What was the thing that got

3:19

you interested in the first place ?

3:21

Yeah , so I'm not your typical

3:24

tech guy . Starting early

3:26

on , I'm a graphic designer , got

3:28

into the internet business in 1998

3:31

, designing websites , and

3:34

from that point I fell into a printing

3:36

business which I use the technology

3:39

in our advantage and I build the

3:41

largest wholesale printer in North

3:43

America . And

3:46

then I started a high

3:48

rise investment in , I

3:50

want to say , 2017 or 18

3:52

. And my focus was

3:54

to be around tech people , startups and

3:57

to fund them , and also

4:00

I have a passion for mentorship

4:02

, mentoring and coaching

4:04

. So that was high-rise

4:07

investments . Finally

4:09

, in December of 2019

4:12

, my daughter , my 14-year-old daughter

4:14

hacks into my computer and

4:17

that's how I got into cybersecurity

4:20

. So that's

4:22

how I started .

4:24

Can you talk about that day ? I mean , did

4:26

she tell you that it was coming , or did you

4:28

just suddenly get kind of a pop-up notification

4:30

like , oh look , who's here .

4:33

Look who's here. No, so. So it's December of 2019 and

4:37

we're in a holiday party . It's loud , people

4:40

are all speaking , there's a music and

4:42

my daughter calls me and she asked

4:44

me for our Netflix username and password

4:47

. And I said honey , I can't think

4:49

it's so loud over here , I'll give it to you . Tomorrow

4:51

and next

4:53

day I go to her room and go like here's

4:56

our username and password . She goes like oh

4:58

, don't worry , I hacked your computer

5:00

. I

5:02

ran the computer , brought it up . I

5:04

go like show me how . And then I realized

5:07

how having a password

5:09

is a problem and

5:11

how , if someone gets

5:14

their hands on my password , they have

5:16

access to my computer . They have access to everything

5:18

. So that's how Loop8

5:20

was born . Fast forward , three

5:23

months later, COVID hits

5:25

us all and we're in a lockdown and I

5:27

cannot think of anything else

5:29

except how can

5:31

we solve this password problem? Finally, I came up with an idea. I ran some

5:41

tests , talked to some cybersecurity professionals and filed a patent

5:43

in May and in July I

5:46

registered Loop8. And

5:48

fast forward to today

5:51

. Why am I telling you this story ? Because we

5:55

started kind of on a path

5:57

of eliminating passwords and create a

5:59

passwordless system and user

6:01

authentication , which is a great

6:03

subject for today's conversation as well

6:05

.

6:06

Yeah , I think so . Now I

6:08

definitely will keep moving on to your career

6:10

experience here , but I just have to ask again

6:12

regarding the hack , do you remember what

6:14

she did specifically ? Did she like , do

6:16

you like , like you say , like a password reset or something

6:19

and then have access to your email to grab it

6:21

, or do you , did she tell you ?

6:23

It was simpler than that . My daughter is not

6:25

a tech and a hacker kind of a thing

6:27

, so she had access to my computer

6:29

and because I was using Chrome

6:32

, all of my passwords were already

6:34

in Chrome and we have

6:36

it today also . And if I have

6:38

an access to your computer , I can

6:40

see all of your passwords . And that's what

6:42

we try to change . And she knew

6:45

how to do it . She actually looked on social

6:47

media , I guess , and figured that out , and

6:49

that's how she got into my

6:51

computer and took the username and password

6:54

out .

6:55

Interesting , okay , interesting , okay . Yeah , I mean , that's

6:57

a pretty primal one , and I think a lot of people are

6:59

probably running home to scrub

7:02

their Chrome browser to make sure that there's

7:04

nothing going on , or at least restrict its

7:06

usage . So yeah , so

7:08

yeah , I mean this is a very interesting

7:10

development . So I guess my second question

7:13

for you , I guess , is maybe

7:15

a little bit different , but you know , certainly you've been

7:17

striking out on your own path . Based

7:19

on your LinkedIn experience , you know from the beginning . So

7:21

you were the founder in 2001

7:23

of the company for over Inc and you

7:26

remain there to this day , and you're the founder and inventor

7:28

of. Was it Hireize? And SignV,

7:30

I don't know how to pronounce that, I'm sorry.

7:32

Hireize.

7:34

Yes, oh, Hireize. Okay, got

7:36

it, got it. And then, of course, Loop8. So

7:46

I mean , it seems like startups are kind of in your blood at the very least

7:48

, even if security is kind of a newer development . Can you talk

7:51

about some of the problems you were trying to fill in the space

7:53

with each of these companies?

7:55

Sure

8:03

, so when I got into printing obviously I always loved startups

8:05

from a very early age , but when I got into printing , my philosophy is

8:07

always how can I disrupt , how can I change things for

8:09

better? So

8:12

in early days I'm talking about 2001

8:15

, things

8:17

as simple as sending an artwork

8:19

over the email or FTP

8:21

didn't exist . It was

8:23

something so new , and so

8:26

I took the advantage of the technology

8:28

background that I had . So I

8:30

brought that into the printing industry and

8:34

I just grew that business . And

8:47

one thing that was very interesting , a side effect of that technology move was my business was

8:49

in California and my customers were all locally in California , but the moment we opened the Internet

8:51

, all of a sudden I had customers from New York , florida and

8:53

everywhere else , and

8:55

that opened up all the borders for us . That's

8:57

the technology on that side and

9:00

with High Rise , obviously

9:02

it's a passion project . I

9:05

wanted to surround myself with

9:07

startups tech

9:09

startups only and

9:11

just learn from them and not give

9:14

them the ropes . I was

9:16

a 20 year CEO

9:18

, run a company which is 1600

9:20

employees , 12 locations in the United

9:22

States and Canada and

9:25

and and I could teach them kind

9:28

of how things to

9:30

watch for , things not to do

9:32

and best practices

9:34

as well . So that's the

9:37

high-rise part and Loop8

9:39

. Obviously , my passion is

9:41

passwords need to go

9:43

. Passwords are going to

9:45

go . Someone's going to change them and

9:48

we built something that is passwordless

9:50

. We built a community base and

9:52

we also try

9:54

to stay away from a subject of today's

9:56

conversation , which is data collection

9:58

. We don't collect your data . We

10:01

collect some data. We collect only

10:03

your email and a phone number . That's

10:05

it . We don't want to know your name , your gender

10:08

, your address .

10:10

Yeah , all the security question type data

10:12

yeah .

10:13

Other things , and we built the technology

10:15

that we don't even store your passwords

10:18

or your encrypted

10:20

vault , and that's very

10:22

unique to us , because we build a community

10:24

model that people that know you , they

10:27

can vouch for you and

10:30

your ID comes back . There is no passwords

10:32

to be phished and

10:36

that's what Loop8 is all about

10:38

.

10:39

Okay , Well , yeah , let's talk our topic then

10:41

. As we said at the top of the show , I wanted

10:43

to talk with you today about the recent

10:46

Roku data breach . So from

10:48

as early as January 4th until the reports

10:50

that started coming in in mid-March , it

10:53

sounds that hackers were able to infiltrate the

10:55

streaming service Roku and

10:57

get access to more than 15,000 Roku

10:59

accounts , including passwords , stored credit cards

11:01

though no , fortunately no social

11:04

security numbers , full account numbers

11:06

or date of birth , which , again , not sure why

11:08

they would have those . Roku reported that

11:10

the hackers obtained log information and tried to

11:12

buy streaming subscription on stolen

11:14

credit cards . So do

11:17

we know more about the breach than that

11:19

? Do we know about the group responsible ? Or

11:21

, like the attack path ? And you know , I was

11:23

going basically on a couple of press

11:25

releases . I think that , basically , that Roku gave out but

11:27

do you do we have a better sense of , like , the sort of technical

11:30

aspects of this breach ?

11:33

Unfortunately , the group is unknown and

11:37

Roku is claiming credential

11:39

stuffing . What that means

11:41

for users is , when

11:44

hackers are stealing data

11:46

from some other company and they go to Roku

11:49

and try that same username and password

11:51

, chances are they

11:53

get in . And that's what Roku claimed

11:55

. However , just three days ago

11:57

they had a new

11:59

breach , which is 570,000

12:03

accounts

12:06

were compromised , and they claim

12:08

credential stuffing on

12:11

those also . In my view

12:13

, credential stuffing is

12:16

someone else's problem . It's not ours . So

12:18

it's very difficult to tell if the systems were

12:20

compromised or what exactly happened . But

12:25

that's as far as I

12:27

know about this and I can get about

12:29

this .

12:30

Yeah , yeah , yeah , no , I think that's . You

12:32

know . Maybe that would happen with a few

12:34

, but the idea that you could , you know

12:36

, grab 15,000 , there's 15,000

12:39

, you know duplicate passwords

12:41

that could be credential stuff seems suspect

12:44

, I suppose . Or you know whatever else

12:46

there about

12:49

the

12:51

ubiquity of data

12:53

breaches and the ubiquity of

12:55

announcements about them at

12:57

these days . I mean , obviously breaches at this point are

12:59

sort of inevitable sooner or later , but with

13:02

some data security and private practices

13:04

we can do a little post-mortem

13:07

on the event . So I want to talk about

13:10

the type of data they collected . So Roku was happy

13:12

to tell its attackers that

13:15

the attackers quote didn't get any social security numbers

13:17

or dates of birth , personal account numbers . You

13:20

know the account numbers are neither here nor

13:22

there but , like I said , I don't know why Roku needed

13:24

social security numbers to provide user with

13:26

their service . You know this

13:28

is a question that comes up sometimes . We talk about

13:30

things like you know . Again

13:33

, like you said , you want the death of passwords , but also

13:35

the death of the security question , especially as

13:37

like a resetting mechanism when you

13:39

lose your passwords . But you

13:42

know , I don't know why Roku would need to know

13:44

my birthday , because I don't recall getting any gifts or

13:46

offers from them on my birthday . It's probably more

13:48

likely an opportunity to do more selling to me , but

13:59

I want to just talk to you, Zarik, about the state of data collection and some of the things that could

14:01

and should be changed across e-commerce . So what are some of the worst tendencies that you've seen of

14:03

companies in terms of data collection and what are your recommendations of stopping

14:06

this over-collection of data ?

14:08

So , unfortunately , data

14:11

is the new currency and

14:13

companies are collecting

14:16

this data and they're making that

14:19

data available for their organization

14:21

or they're selling it to data brokers . The

14:24

bad news is it impacts the

14:26

users and if their data

14:28

protection is not to

14:31

a par and they don't have solid

14:33

systems, if they get breached and hackers now have access to user

14:38

information , and

14:40

that's a problematic thing . Social

14:43

securities and dates of birth, these

14:45

are very private information

14:48

and should not be ever asked . I

14:50

think companies have to be saving

14:53

information at the very limited

14:56

level as long as they can function . I

14:58

was playing a little game Candy

15:00

Crush kind of like game that

15:03

forced me to pop up saying

15:05

I want your date of birth . I

15:07

ignored and I couldn't continue . For some

15:09

reason , they decided after a very long

15:11

time that they should be in the business

15:14

of collecting data . It's

15:17

very difficult to manage those , considering

15:20

how attackers can get into your database

15:22

and compromise and sell it in

15:24

an open market .

15:26

Yeah , now I've had a previous

15:28

guest on that , you know , assured

15:31

me , or that we discussed the idea

15:33

that this sort of what we called the Wild West

15:35

era of data collection is starting

15:37

to come to an end . You know , back in you

15:40

know the early mid 2000s , I

15:42

think , the sort of , you

15:46

know , the way people

15:48

thought about data collection was get everything

15:50

, we'll decide what to do with it later

15:53

. And so it was . You know , every form

15:55

just had an abundance of . We'll ask about your

15:57

birthday , we'll ask about your home

15:59

address , we'll ask , you know , security questions , all this

16:01

data you know , and we

16:04

seem to be leaning toward the

16:06

idea that regulations were coming that

16:09

would sort of put this Wild West

16:11

notion of data collection in

16:14

excess to the end here . But I

16:16

don't know if that's necessarily proving

16:19

to be the case here now . I mean , you

16:23

know , the fact that you know a game like

16:26

this is telling has suddenly

16:28

decided that it wants more data from you mid-game

16:31

indicates that some people are like

16:33

some companies are not going to go quietly into this

16:35

good night . I mean , what are your , what are your thoughts on this ? Are

16:37

you seeing like an upswing in in sort

16:39

of like the last minute , kind of like cash

16:41

grab of of data collection there

16:43

or absolutely , absolutely

16:46

.

16:46

I've seen , uh , in few places

16:48

that are they're collecting information that are absolutely

16:51

unnecessary for them , and I

16:53

think , at the end of the day , if I

16:55

have an organization , I have to

16:57

monetize . I have to make money . Sometimes

16:59

selling ads is critical

17:01

, but knowing the demographics of

17:04

the users is gonna

17:06

make me sell ads much more

17:08

effectively . And now people

17:11

are joining this kind

17:13

of data game . In

17:16

my view , web 3.0

17:18

, which is the future of ours , it

17:20

should be opt-in only. Anyone who wants

17:23

to get advertised . They can kind

17:25

of opt-in and give their information

17:28

. Everyone else should be staying

17:30

out , but I think we're

17:32

still ways away from getting

17:34

there .

17:36

Yeah , yeah , absolutely yeah . The idea

17:38

of you know involuntary

17:41

opt-in and then you have to voluntarily opt

17:43

out and the hopes that we can

17:45

flip that for whatever comes next

17:47

is a

17:49

good one . I hope I don't know what the about the you

17:52

know the mechanism of Loop 8 here . Is

18:02

there anything in the actual data security system

18:05

around the data

18:07

you know storage by Roku that you think could have been

18:09

done better ? You know , I mean , obviously the horse

18:12

is out of the barn now , but are there methods of data

18:14

storage coming in the future you think that might be able to

18:16

render wholesale data grabs like this obsolete

18:18

?

18:19

So unfortunately , no matter the encryption

18:22

and layer of security , there

18:25

will be always human error , and

18:29

every company is as strong

18:31

as all the connected links . Companies

18:33

like Roku have third parties , maybe

18:36

a shipping company , maybe a payment company

18:38

. These are all third parties and if

18:41

their security is not up to the standard

18:43

, the hackers can come through that

18:45

channel and attack any

18:47

organization . So

18:50

it's difficult . A

18:52

lot of companies have been trying very

18:55

hard to solve this

18:57

issue , but the human error

18:59

remains the biggest problem

19:01

, because we make mistakes

19:03

and hackers are banking on

19:06

that .

19:06

Yeah , yeah , and there's just , there's just not really

19:08

a way , if you know , even

19:11

if you briefly let someone in , like there's just no

19:13

way to unlet them in at this point . It seems like

19:15

once they're in , they're in . So

19:17

, yeah , I mean , you know , this is maybe just a venting

19:19

point I've had with a couple other guests , but I want to just

19:22

kind of talk about it

19:24

. Just seems like at this point in 2024

19:26

, you know , every other week I'm getting

19:28

a notification from you know

19:30

, a utility company , a streaming

19:32

service , my CPAP , my

19:34

, you know , bank We've been breached

19:37

, We've been breached , We've been breached , we've been breached , we've been breached

19:39

. You know , and it's one thing to say , oh , your , your password

19:41

got compromised , please change your account , your

19:43

password that you can usually do that fast enough

19:46

that nothing really happens . But we're hearing so

19:48

much about , well , we got vital

19:50

data from the users . I didn't really

19:52

realize that , like my CPAP

19:55

machine was giving out my home address

19:57

and my social security number and you

20:00

know , and then they all kind of it's

20:02

all just kind of gets wiped over with like , hey , have a free year

20:04

of credit monitoring on us and maybe freeze all

20:06

your credit lines in the meantime . But you

20:08

know . I mean , is this something that

20:10

we're just finding ourselves

20:13

getting used to , Because it just seems like

20:15

it's really accelerated in the last couple of years

20:18

and , you know , obviously a loss of trust

20:20

is coming . Do you think that this is going to be

20:22

a mechanism towards , you

20:25

know , consumers not

20:27

working with companies that are this sort of like

20:30

flagrant in their data collection ? Do you

20:32

see like a sea change coming ?

20:34

Well , it's unfortunate . We have to be

20:36

careful not to let people get used to

20:38

these breaches , because we lose sensitivity

20:41

towards all of those things . We

20:44

need the industry leaders, Apple's

20:46

, Google's and Microsoft's and

20:49

all the top players to get together

20:51

and work on this data privacy

20:53

issues . The bad news

20:55

is Apple is really trying to create

20:57

a security around their own

20:59

ecosystem , google is Microsoft

21:03

and until these guys get together , we're

21:06

going to have these breaches . One of the biggest

21:08

thing is we used to

21:10

talk about MFA

21:13

, two-factor authentication and

21:16

the latest MGM attack

21:18

, which was a SIM swapping. They

21:22

called and

21:25

they stole the phone number and they

21:27

bypassed the multi-factor

21:30

authentication and they attacked the entire

21:32

network . So something fundamental

21:35

needs to change and I think this larger

21:37

organization have

21:39

to kind of get together and think

21:41

of something other than firewalls

21:44

we were building for four decades

21:46

. We're building firewalls , we're building

21:48

SIEMs, we're

21:50

building honeypots , all kinds of

21:52

stuff but at the end , the

21:55

users are humans and

21:57

humans make mistakes .

21:59

Yeah , now , at this point I

22:01

was going to move over into the

22:03

career aspect and career tips

22:05

and so forth , but I want to . You've talked a little

22:07

bit about Loop 8 and your sort

22:09

of alternative to passwords , and this

22:12

seems like the place here if you would like to tell

22:14

us about the sort of mechanism

22:16

of what Loop 8 does and how it sort of goes

22:18

beyond passwords . As you said , there's a

22:20

biometric aspect to it , but can you sort

22:23

of walk our listeners through how

22:26

it actually works ?

22:27

Sure , so in Loop

22:29

8 , my first

22:31

goal was I

22:33

don't want to collect data . I'm

22:36

only going to collect data that I need

22:38

to make sure I can

22:40

empower the user . So we collect emails

22:43

and phone numbers . Today we

22:45

have a plan by before end of

22:47

the year that we don't even collect phone numbers , only

22:49

emails . The

22:51

system works is also your username

22:53

and your encrypted vault sits

22:57

on your own personal drive

22:59

. We kind of went to that route

23:01

. You have an iCloud or you have a Google Drive

23:04

, unlike 1Password

23:06

or LastPass companies that

23:08

collect all of your encrypted data and

23:10

keep them on their server and they

23:12

become a massive target

23:14

for the attacks. Loop8's system

23:17

is a passwordless biometric

23:19

and what we built , which is

23:21

very unique to us , is called

23:24

TrueAid . What you do is you

23:26

designate eight people and

23:28

all you need is three of the eight

23:30

saying I know Chris and

23:34

Chris's identity is going to get

23:36

restored,

23:44

and that's kind of how we built this technology, which is very

23:46

user-centric . We build a cookie killer and a history

23:48

cleaner . So when you're traveling

23:50

through the websites , you don't want anyone

23:52

to know where you went after

23:54

you left their site . So the cookie

23:57

killer is included , is part of our suite

23:59

. We build a safe which

24:01

is very unusual encrypted

24:03

safe for computers which

24:06

only opens up with your biometrics

24:08

. There is no password . In our world , there

24:10

is no password , it's only biometrics

24:12

. And we

24:15

also have a dark web monitoring . So

24:17

every time you're browsing through an internet

24:19

, if you're going to Netflix , we

24:21

can trigger saying hey , your

24:23

username and password was compromised

24:26

. Go ahead and change this to

24:28

something that takes maybe two million

24:30

years to be broken , instead

24:32

of a simple first name

24:34

and your date of birth

24:37

and those kind of stuff . So that's

24:39

our story of Loop8.

24:41

Yeah , that's interesting . I feel like that was

24:44

certainly something that

24:47

other types of file sharing things

24:49

got right

24:51

in the mid-2000s in terms of making everything

24:54

on each person's individual

24:56

computer and obviously an attacker , obviously , if

24:59

you're you know , you know

25:01

an attacker can attack one person's

25:03

vault and maybe they bypass that person's

25:06

phone or whatever and are able

25:08

to do some other things . But there's

25:10

not . It really cuts down on that idea

25:13

of like this treasure chest of 10s

25:15

, of 1000s of sets of credentials

25:17

. All you need is that one sort of attack space . Now

25:19

, again, you know, we talked about, we use the metaphor

25:22

of like remote work versus an

25:24

on-prem work , of being the difference between defending

25:26

a castle versus defending a , you know

25:28

, a village of tents , and so here you

25:30

know , I think the opposite is true . You can only

25:32

attack one person at a time like that . So

25:34

am I getting that right , that you know

25:36

that there's not that sort of like war chest

25:38

at the beginning , at the center of

25:41

your sort of file management

25:43

?

25:43

That's . You nailed

25:46

it , chris . That's

25:49

absolutely the case . Our

25:51

design was look at LastPass as a company 35

25:54

million users , bunch of encrypted files

25:56

and they became a target , because

25:58

imagine a bank that has $35 million

26:00

in there . Now imagine a bank

26:03

that has only $8 in there

26:05

. That still can be targeted

26:07

, but there is not a whole

26:09

lot of incentives for hackers

26:11

. That's what we're building . If they want

26:13

to come after you , they have to find

26:16

eight other people , break

26:18

their keys it's all

26:20

sharded, and then they

26:23

get to you . Only that's one person

26:25

. Yep , this it's not . So

26:27

. That's our , that's our vision . That's our

26:29

vision for the future as well .

26:31

So , and uh , that's

26:33

the difference in Loop8, and you talk

26:35

about the , uh , the sort of recovery

26:38

aspect of it, because I mean, I know that obviously

26:40

biometrics , you know is , is a

26:42

very effective certainly every time I , you

26:44

know , have my face in front of the phone here and

26:46

it's doing the little doobly-doo thing

26:49

and then suddenly I'm in , I'm in my bank or whatever

26:51

, like , um , you know , I , I

26:53

understand empirically why that that

26:55

works . But like , if you lose your phone

26:57

, if you lose your device , um

27:00

, and you said you have sort of like eight connections

27:03

that vouch for you , how does that work in terms

27:05

of like , recovering yourself ? Obviously

27:07

, the whole thing is to get away

27:09

from the whole security questions aspect and

27:11

the whole , you know , reset my password with

27:14

the IT department or whatever . So what , how

27:16

does that work with regards to the , the sort of eight

27:18

connections ?

27:19

Sure . So the way it works is you

27:21

only need three of the eight . The reason

27:23

with eight ? Because when you

27:25

lose your phone , you have to recover

27:28

as fast as possible . You can't wait , and if

27:30

someone's on a plane going somewhere , you

27:33

can't wait for them to land . So

27:35

the way it works is when you

27:37

sign up for Loop8, you

27:40

assign the people you trust could

27:42

be family members , friends , siblings , anyone

27:45

and what happens

27:47

is in their app , they

27:50

accept to be a recovery person

27:53

and if you lose your phone

27:55

, all you do is you get a new phone

27:57

, you go back to Loop8

27:59

, we'll recognize you coming back by

28:02

the phone number and email

28:04

and we'll send the information

28:06

to your TrueAid and all you

28:08

need is three people saying

28:10

yes , this is Chris , and your identity

28:13

comes back . So we're going back hundreds

28:16

of years to a village

28:18

. When people came into a village , they

28:20

knew each other and we want

28:22

to stay away from stealing your

28:24

password. And

28:26

that old cartoon I

28:28

had, LA Times or it was New York

28:30

Times, that no one knows on the

28:32

internet . You're a dog . Two dogs are

28:34

talking to each other , right , right , that's that 1996

28:39

. Four decades later , we're still

28:42

on that stage of

28:44

no one knows , on the internet you're a dog

28:46

, so we're trying to change

28:48

that .

28:49

Yeah . Now again

28:51

, I just want to drill in a little more on the sort of mechanics

28:54

of that . So when you get a new phone

28:56

you put Loop 8 back on , you

28:58

sort of say of say I lost , you

29:01

know , I I lost access

29:03

to this previously . And then

29:05

you send out a notification and so like those

29:07

eight people all get kind of like a

29:09

notification on their phone or device saying

29:12

chris wants you to vouch for

29:14

him , will you do it , or whatever . And

29:16

then you talk to them on the phone . They say yeah , it's me and I did

29:18

. I asked for that . Is that the idea ?

29:20

that's absolutely the idea , and

29:22

one thing is , when we contact

29:25

your , your users , we

29:28

we actually send them a message saying

29:30

do not say okay until

29:32

you talk to chris right , yes , okay

29:35

that's good , or someone else is not coming

29:37

in pretending to be Chris and

29:40

trying to recover Chris's identity

29:42

and get in there . So

29:44

that's the message we're sending , and

29:46

when they talk to you , you

29:49

say , yeah , it's me . All they do

29:51

is they push a button . We have an amazing

29:53

test that we have done

29:55

over here . It takes 10 seconds and

29:58

your entire passwords . You

30:00

have all the . Everything kind

30:02

of gets recovered , okay . So

30:05

so that's that's that's . It goes

30:07

back into your , your sort of vault , phone

30:09

vault or your device vault and

30:12

and one of the things that Loop8 does , which is different

30:15

, and and my daughter's hack

30:17

is a great example uh

30:19

, right now , if you have access to my

30:21

computer , if you can find a way to

30:23

get into my computer , you can see all

30:25

of my passwords in Chrome extension

30:27

. But with Loop8

30:30

, we created a tunnel with

30:33

phone and Chrome

30:35

and when you open the tunnel , which is

30:37

just a face ID , your passwords

30:39

are available for a limited time and

30:42

the moment you close the tunnel , you hit lock

30:44

, your passwords are back on your phone

30:46

. They're not in your computer and they're

30:49

protected by your face ID . So

30:51

, very different approach . And

30:53

the side effect of

30:55

this , the cool side effect of this is I

30:58

can walk to anyone's computer , borrow

31:02

their computer , scan a QR code and

31:05

all of my passwords will be available on

31:07

their computer . I can do my work

31:09

and lock . Everything

31:11

is back on my phone . I walk away

31:13

and they cannot access any one

31:16

of my accounts . So it gives us a mobility

31:18

, yeah .

31:19

Yeah , love that . Well , okay , so

31:22

I want to sort of divide

31:24

my next question a little bit in half . So

31:26

first , you know I wanted to ask you

31:28

about your advice for people

31:30

who want to get into this

31:33

particular field of you know

31:35

, for Loop8 or you

31:37

know other things like that . If

31:47

you have any advice on you

31:49

know , the types of training or work or projects

31:52

that you want to see on a person's resume to

31:54

indicate that they would be a good fit for

31:56

doing this kind of work . And then I guess my second

31:58

part of that question that I didn't ask before is have

32:01

there been any recent like challenges

32:04

that your team , in terms of like implementation

32:06

or you know an unexpected

32:08

, uh , you know tech consequences

32:11

around putting loop eight together that

32:13

they were solving ? Like , what are the kind of problems

32:15

, uh , you know , that need to be

32:17

solved to put this in place ? And then , what kind

32:19

of people , uh , do you think are

32:21

good at doing that kind of work ?

32:23

Okay , so first is

32:26

anyone with a security

32:28

background is a great

32:30

candidate for a company like ours , because

32:33

all of my co-founders and I have

32:35

six of them . They're also security

32:38

specialists , pen testers , CISOs

32:40

, and these guys are

32:42

specialized in protecting

32:45

data . Those are good type

32:47

of candidates . But my

32:50

favorite candidate is a person

32:52

who thinks outside of the box . When

32:54

I was starting this project , I

32:57

met a lot of people in Silicon Valley area

32:59

to get this project going and

33:01

I could see people didn't

33:03

really believe in this . So

33:06

I called this project Project Impossible

33:08

back in 2001,

33:10

. Posted on LinkedIn saying I'm

33:12

starting a project impossible because anyone

33:14

I talked to they said it's impossible

33:16

. So having an open mind

33:19

, getting into a

33:21

new tech business , will

33:24

get you in a different level

33:26

. You're going to grow in the business , you're going to thrive

33:28

and and you hopefully

33:31

develop a

33:33

technology that it's

33:35

good for 2024 and beyond , and

33:38

it's not one of those maintenance

33:40

areas . So that's

33:42

that's my recommendation .

33:44

People can do . Pen testing is

33:46

usually the best one I really

33:49

like data privacy

33:51

and data governance , working with lawyers

33:53

. The cloud engineering

33:56

is a big thing because

34:02

we

34:06

use Amazon or Google or

34:09

Microsoft . They don't guarantee

34:11

the security , so we have to be responsible

34:13

for our own security , so

34:15

that is very important . So that's what I

34:17

recommend for new starters

34:19

.

34:20

Yeah , yeah , well , yeah , ok , so go back to my question

34:22

again . Were there any particular and I'm

34:24

not doing this as a way of like interrogating loop eight

34:26

, but

34:33

rather like I know that , for example , using a password manager or whatever , that

34:35

certain websites will do certain security workarounds with them ? You

34:37

know your emails on one page and then your

34:39

password gets asked on the next , and sometimes

34:41

that makes things go a little wonky . Or

34:43

you know they do certain things

34:46

that if you're trying to , like you know , add a new

34:48

, you know new password or whatever . Were

34:50

there any kind of like implementation challenges with

34:53

regards to the sort of websites that you were interfacing

34:55

with or the sites that you were attempting

34:57

to sort of move credentials through ?

34:59

Yes , yes , we always have

35:01

those , always

35:11

have those and we're still fighting them today because lots of companies develop software

35:13

in a different standard . Some of them are very , very organized and standards and

35:16

some just name , password

35:18

, fields , something else and

35:20

and it's very difficult to detect

35:22

those . So we definitely have that . Our

35:24

team is identifying

35:28

and fixing as we go forward . All

35:31

major organizations are

35:33

covered . I think we have 1,000 , tested

35:36

, 1,000 sites , but we still come across

35:38

a lot of missed

35:40

password that doesn't show up in

35:42

the right place and we're

35:45

still seeing those things and , as we

35:47

see it , we document it for our quality

35:49

assurance so we can add that

35:51

to our list and correct the problem . So , yes

35:53

, we do have some of those challenges

35:55

.

35:56

So you were mentioning that your six co-founders all

35:59

have specializations . Do you have

36:01

any thoughts on specialization in

36:03

the industry specifically

36:06

, and within that , are there any like

36:08

big skills gaps that you're seeing

36:10

amongst candidates who might be trying to work for

36:13

you ? Are there things that you think you

36:15

know ? Either people are not , you

36:18

know , going wide enough in their knowledge or

36:20

they're being too specialized , or they just don't

36:22

understand . Maybe soft skills or other

36:24

things Like . What are some of the blind

36:26

spots that you've seen , if any ?

36:29

Unfortunately , when it comes

36:31

to the world of security , there are too many roles

36:33

and too many systems , so finding

36:35

a person that can come in and work on your

36:38

security stack is difficult

36:40

. So my advice

36:42

for anyone who's interested in this is

36:44

educate yourself . There's a lot of good information

36:47

out there . Try to learn as

36:49

much as possible , because any organization

36:52

you get into you

36:55

can learn on the job , but

36:57

at the same time , you have to have some background

37:00

. So that's the biggest issue right

37:02

now , which is because the field is too large

37:04

. My favorite functions

37:07

I kind of briefly talked about

37:09

is high-level architecture

37:12

of security , testing

37:14

is great , cloud engineering

37:16

is good and data privacy

37:19

. These are areas that I

37:21

highly recommend for anyone

37:24

who wants to get started into this field .

37:26

Yeah , I think that's all fantastic

37:28

. Advice and I think it's also always

37:31

worth remembering

37:33

is that if you have an

37:35

even moderate level to

37:38

medium high level of security knowledge

37:41

whatever you're missing in it you're

37:43

going to be able to get on the job fairly quickly

37:45

, as long as you can sort of demonstrate that

37:47

you understand the concepts and , like

37:49

you said , across a sort of a wide spectrum of things

37:51

. I imagine it's probably more appealing

37:54

even if you're hiring someone you know in pen

37:56

testing that they also have a

37:58

rudimentary knowledge of cloud or a rudimentary

38:00

knowledge of , like you say , architecture

38:02

. There's this understanding that

38:04

you're not going to like self silo too much

38:06

.

38:08

Absolutely .

38:09

Yeah , now , um , I want

38:11

to ask you , of course , uh , you clearly uh

38:13

love what you do Can you talk about your favorite part

38:15

of the work that you do and what it is

38:17

that makes you excited to keep pushing and learning every day ?

38:21

Uh , it's . It's

38:23

one of the greatest feeling , chris , to

38:26

wake up every day and and think about

38:28

I'm doing something that , hopefully

38:30

, will change the way

38:32

we do business we did , the way we work

38:34

, the way we enjoy our , our digital

38:37

life , which is now getting bigger and bigger

38:39

. So , uh , so that's , that's

38:41

the most exciting part about , uh

38:43

, this business , uh , thinking outside of the

38:45

box , doing the impossible

38:47

projects , and

38:50

then that's what gets me out of the bed

38:52

every day . So that's the exciting part

38:54

about doing something different .

38:56

Love it Before we go

38:58

here . I know we're getting close to the end

39:00

, but you mentioned the importance

39:02

of mentorship to you . Can

39:04

you talk a bit about your history

39:06

as a mentor or a mentee and

39:09

why you think it's important for there

39:11

to be a robust sort of mentor mentality

39:13

in security ?

39:15

Yeah . So when I was starting my business

39:17

, I learned a

39:20

lot of things the hard way and I

39:22

wish that there was somebody there

39:24

to help me kind of get there faster . That's

39:26

why I always recommend

39:28

find a good mentor . Look

39:30

for a person that can shorten

39:34

the distance from where you want to start

39:36

and when you want to end by giving you

39:38

guidance . So mentorship is huge

39:40

. What I do

39:42

with my startups that I mentor

39:44

is I teach them not

39:47

only today , when you're starting

39:49

, think about the exit , how

39:51

to structure your business so you can sell it

39:53

one day hopefully . And those are some

39:56

decisions that people don't know . They think , oh , we're

39:58

going to sell one day . But

40:00

having some guidance on early days is

40:02

going to put you in the right direction and

40:05

that's very critical . So I highly recommend

40:08

find a person

40:10

. If you're a startup , find

40:12

a positive person too . So

40:14

because a startup life is difficult

40:17

, it's complicated and it's hard

40:19

, but when you have good friends

40:21

and positive friends , then the

40:23

journey becomes much easier .

40:25

Now can you talk about for someone

40:27

you know , if you're kind of early

40:29

, mid into your career , you know

40:32

certain people might be of a mindset

40:34

of like , well , I don't you know who would want me for

40:36

a mentor . I don't you know , what do I know ? Or whatever

40:38

Like . Can you give me some indications of like , what

40:42

indications you would , you know , know

40:44

about yourself that say , okay , I'm , I'm

40:46

a , I'm a worthy mentor ? You know , I need

40:49

to start looking for mentees Like what , what's

40:51

, what's the sort of like , what , what's , what's the

40:53

Rubicon that you cross ? I guess .

40:55

So what I'm looking for is people

40:58

with experience and and

41:00

that's usually a person that's gone

41:02

this this path and

41:05

and they have experience and anything

41:07

they can share with me that

41:09

would be useful . One thing

41:11

that I'm noticing with people that I mentor

41:13

is I have two different types of

41:15

people . One they don't

41:17

listen . They think just

41:20

by being in a room they may gain

41:22

some wisdom . But listening

41:24

is a key because what

41:26

I'm sharing is an experience from my side

41:29

. But what you do is you collect

41:31

those information and you use them

41:33

in your business models , which is

41:35

could be very different business model , but

41:37

overall , most of these rules

41:39

are set for businesses

41:41

. So , but that's

41:43

usually surround yourself

41:46

with people that have

41:49

business experience , have success

41:51

and and that's the

41:53

type of advice you want to get Don't

41:56

get it from a guy who never ran

41:58

a business , because he

42:01

may not know some of these things , challenges

42:03

that you may be facing . So that's

42:05

how I would say find the next mentor . Get

42:08

yourself close to anyone who

42:10

has experience and is willing to

42:12

share with you .

42:13

Yeah , Now , clearly you've had a very

42:16

successful career and it's still

42:18

going on , but can you tell our

42:21

listeners what's the best piece of career advice

42:23

you ever received ?

42:25

Well , I think I just

42:27

gave one of them , which is

42:29

very , very important Surround

42:31

yourself with positive people . That's

42:33

one of the key points

42:36

. My biggest advice

42:39

that I received in my career that helped

42:43

me a lot was delegating

42:46

. As a human , we're

42:48

very , very much I'll do it myself

42:50

kind of . We do a lot of micromanagement

42:53

, but last I

42:55

had a good mentor . He

43:01

said Zarik , last I checked , God only gave you two hands , and when you delegate

43:03

, you can multiply that .

43:05

And that's how I built an organization

43:08

with 1,600 people in

43:10

12 states and Canada

43:12

and I only had two

43:14

hands . And that's the best

43:17

advice I can give that we have a

43:19

natural tendency to hold on to

43:21

issues . By

43:23

delegating , not

43:30

only we're building a very good team , we're also expediting

43:32

, we're going with a super fast speed towards

43:35

our goal .

43:35

Yeah , yeah , I think that's such a great piece of advice

43:37

and so hard for people of

43:39

a certain mindset to let go of that

43:41

. The idea that , like , if I let

43:43

someone else take part in the work

43:46

, then they get to take part in the glory , you

43:48

know , like I think there's , there's a part of that . If

43:50

I do it all myself , then it was all

43:52

me , you know , and I don't . I don't think that's

43:55

ever feasible and I think it does . Like you said , I think

43:57

it kind of narrows your

43:59

, your possibility for success .

44:01

Yeah , absolutely , and

44:03

, chris , I had because

44:05

of the organization . I had countless managers

44:07

and I was fortunate to be able to

44:09

see good practices and bad

44:11

practices . And I saw a person that

44:14

would come in at 5 am and leave at

44:16

8 pm and was

44:18

micromanaging everything and was always

44:20

behind for two weeks and

44:22

the team really didn't enjoy working with

44:24

this person . And then

44:26

I saw another person that would come in , had

44:28

a team standing like soldiers

44:30

and delegating the process and

44:33

the best performance , and

44:35

so that's a difference Delegate

44:38

. Your life is easier , you work less and

44:41

you reach your goal much faster .

44:43

Yeah , love that . Okay , so one

44:45

last question . You

44:50

talked quite eloquently about the Loop8 platform . If

44:52

people want to learn more about it or how to check it

44:54

out for themselves , where should they look online

44:56

?

44:57

We are at loop8.ai

45:01

, okay . However

45:04

, we're still in a stealth

45:06

mode . We are open , but

45:08

we have a limited VIP invitation

45:11

. We're doing a lot of user testing , but

45:13

loop8.ai is

45:16

where you can enter your email and we'll notify

45:18

you in a month or so

45:20

to start

45:23

downloading .

45:24

Nice and if people want to learn more about you .

45:30

Zarik , where should they look online ? Are you on LinkedIn ? Yes , I'm on LinkedIn

45:32

, Zarik Megerdichian , I'm pretty active on LinkedIn , so you can message me

45:34

on LinkedIn and usually that's the best place

45:36

for me to get to know you .

45:38

Our listeners are very LinkedIn oriented . I'm sure you'll

45:41

be getting some connections after this episode .

45:43

Fantastic Looking forward to it .

45:44

All right . Well , thank you so much for joining me today , Zarik , and

45:47

for helping me to kind of lower my

45:49

blood pressure about my Roku account .

45:52

I'm glad I could do that . Chris , Thank you for having

45:55

me on .

45:55

Absolutely . And as always , as we close

45:57

off here , thank you to everyone who is watching and listening

46:00

and writing into the podcast with their feedback

46:02

. If you have any topics you'd like us to cover or

46:04

guests you'd like to see on the show , feel free to drop them in the

46:06

comments below . And , as always

46:08

, before we go , please check out infosecinstitute.com/free

46:11

, where you can get a whole

46:13

bunch of free and exclusive stuff for Cyber Work listeners

46:15

. This includes our new security

46:18

awareness training series , Work Bytes , a smartly

46:20

scripted and hilariously acted set of videos in

46:22

which a very strange office staffed by a pirate , a

46:25

zombie , an alien , a fairy princess , a vampire and others

46:27

navigate their way through age-old

46:29

struggles of yore . This is a great security

46:31

awareness training tool and it's very funny

46:33

. Go check out the trailer on our site . This

46:36

is also still the best place to go for

46:38

your free cybersecurity talent development

46:40

ebook . You'll find our in-depth training

46:42

plans and strategies for the 12 most common security

46:44

roles , including SOC analyst , pen tester

46:47

, cloud security engineer , information risk

46:49

analyst , privacy manager , secure coder

46:51

, ICS professional and more . Quite a few

46:53

of those roles were talked about in today's episode

46:55

. You want to know more about them ? Go to infosecinstitute.com/free

46:58

and yes , the link is always in the description

47:00

below . One last time before

47:02

we go . Thank you so much to Zarik

47:04

Megerdichian and Loop8 , and thank you

47:06

all for watching and listening Until

47:16

next

47:19

week . This is Chris Sienko signing off , saying happy

47:21

learning .
