
This Week in Google 692, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for TWiG This Week in Google. We're gonna break format today for I think, one of the most important shows we've ever done. Jeff Jarvis is here. Ant Pruitt is here, and our special guest filling in for Stacy this week. She'll be back next week. Our special guest is Alex Stamos. This guy has been on the front lines of the security battle, starting at Yahoo, then Facebook. He worked at Zoom and helped bring them into compliance. He's right now the Stanford Internet Observatory. He is the security guru. He's next on TWiG!

(00:00:48):
This is TWiG This Week in Google. Episode 692 recorded Wednesday, November 30th, 2022. Alex Stamos. This Week in Google is brought to you by Nureva. Nureva has simplified everything about meetings and classroom audio. You get great audio and systems that are easy to install and manage. Visit Nureva.com/twit and get 50% off one Nureva HDL 300 system for mid-sized rooms when you get live online, demo and buy before December 16th, 2022. And by Rocket Money formerly known as TrueBill. Are you wasting money on subscriptions? Cancel your unnecessary subscriptions right now at rocketmoney.com/TWiG. Seriously, it could save you hundreds per year and by SecureWorks. Are you ready for inevitable cyber threats? Secureworks detects evolving adversaries and defends against them with a combination of security, analytics, and threat intelligence directly from their own counter threat unit. Visit secureworks.com/twit to get a free trial of Taegis Extended detection and response, also known as XDR. It's time for TWiG. This Week in Google the show, we cover the latest news from everybody, but Google pretty much these days certainly been a lot of Twitter, maybe a little Facebook, but this week is a very, very special show. Before I introduce our special guest, let me say hello to Jeff Jarvis, the Leonard Tow professor for journalistic innovation at the Craig Newmark Graduate School of Journalism at the City University of New York. Hello, Jeff.

Jeff Jarvis (00:02:34):
Hello. Hello. Hello. I'm very

Leo Laporte (00:02:35):
Excited about. I know, and you're the blame for it, so I thank you. I am, I am. It's my fault. I think it was your idea. The Christmas tree

Jeff Jarvis (00:02:40):
Lights are on you know, and celebration of

Leo Laporte (00:02:43):
Today. Yeah. Oh, we gotta decorate. This is the last day. November. It means we can put up the uhoh boughs of holly. Oh. <laugh>. Last time. Do you remember we doing that last time on TWiT <laugh>, Ant Pruitt's also here from Hands on Photography. Last year, I I just issued an edict and it all came in in, and it literally just got Santa, just threw up on the studio. <Laugh>, Hands on Photography. Also, very important, our community manager at Oh yeah. Club TWiT. Now Jeff, do you wanna introduce Alex or Shall I? No, no, no, no. You should introduce Alex. So, we have been Alex. It's, it's rare. We get the subject of many of our stories actually sitting in the studio with us <laugh>, which makes us, really, makes me really nervous. I hope he tell us where we're wrong. I hope I haven't been too off base. But you know the name Alex Stamos. We talk about Alex a lot. He's a principal in Krebs Stamos, which is a security consultancy. But we've been talking about you, Alex, since you were at Yahoo. Were you, CISO? What was your title there? Yeah,

Alex Stamos (00:03:44):
I was CISO at Yahoo and CISO at Facebook.

Leo Laporte (00:03:46):
And Facebook where you famously got in a tussle with management over Russian entities invading Facebook.

Alex Stamos (00:03:55):
That is how it's been reported. Yes. I guess we'll get into it.

Leo Laporte (00:03:58):
<Laugh>. I can't wait. Oh gosh. I can't, we Okay. We now have permission to dish. Oh, no. We now have permission to dish. When Zoom got in trouble because they were claiming end to end encryption, it turned out it wasn't end to end encryption. They said, we gotta call in the pros from Dover. The pro from Dover was Alex Stamos sent up the bat signal. And I have to tell you, as a user I was very relieved. No, your reputation precedes you. Yep. And currently you are teaching at Stanford, which is kind of cool. And a fellow tell us about what, what this is the internet observatory. What is that? Yeah,

Alex Stamos (00:04:34):
So that's a, a cross-disciplinary program that I'm the director of. We're part of the Cyber Policy Center and Stanford Law School. And we look at abuse of the internet that causes harm outside of core cybersecurity. Right? So, core cyber information security belongs to computer science. It already has a home in academia, what we're trying to do is to create a home for trust and safety, right? So, studying hate speech, the use of the internet to support terrorism. Bullying and harassment, child exploitation. We do a lot of work in that area. Research, we teach a bunch of classes, have a book coming out, a textbook on trust and safety. So that's, that's kinda stuff we do there.

Leo Laporte (00:05:12):
Trust and safety is a phrase you hear a lot nowadays. Most particularly attached the name of Yoel Roth. Yes. <laugh>, who is the chief of trust and safety at Twitter, when Elon bought it, Yoel tweeted extensively about, don't worry, everything's gonna be fine. And was fired. Yeah. Yeah. What is a trust and safety? No, Yoel was fired if he quit. I think he walked out. Yoel walked out because he said, there's no point in having a trust and safety officer if one man is making all the decisions. Right.

Alex Stamos (00:05:43):
Your point. Yeah. Cuz usually trust and safety, you have policy people who think about what are the rules we want. Right? Like, let's define a basic rule around hate speech and then something like hate speech turns out to be incredibly complicated to figure out just in English in the United States, what hate

Leo Laporte (00:05:57):
Speech is. You can't just set up a list of keywords that you're looking for.

Alex Stamos (00:06:00):
No, no. That's like that. When I teach my class, we talk exactly about people who have tried that, and what happens when you're like, these are just racial slurs that you, you aren't allowed to, to

Leo Laporte (00:06:08):
Say, I can't say the N word. Oh, that's easy. We'll just get rid of all those.

Alex Stamos (00:06:10):
Right. Right. And then every rap lyric and, you know, half, you know, half the movie, you know but sort stuff. But also you can't,

Leo Laporte (00:06:16):
The people who troll are very subtle sometimes Yes. And sophisticated. Right. And they can say things like Hunter Biden's laptop in 12 different ways. Right. And suddenly you've got a problem.

Alex Stamos (00:06:26):
Right. Trust and safety is a naturally adversarial process. You can't just come up with some kind of static rule. You are playing chess against people who sometimes it's the emergent behavior of millions of people, or billions of people.

Leo Laporte (00:06:38):
Not intentional necessarily.

Alex Stamos (00:06:40):
Right. And sometimes it is intentional. Right. So in some of these abuse types, you're talking about professional who are making money or trying to cause harm or, or manipulate the political

Leo Laporte (00:06:48):
Sphere. And sometimes it's an individual who's just a troll and sometimes it's a government. That's

Alex Stamos (00:06:53):
Right. Yeah. And that's something our work we do a lot of at Stanford IO is we write reports on government influence operations. We do a lot of work to try to understand how is the Russian government manipulating the internet? How is the Indian government this year we wrote one about the US government. We were part of analyzing a take down on both Twitter and Facebook that turned out to be a five year campaign targeted at Iran and other places in the Middle East in North Africa. That was paid for by the US Department of Defense. And so that triggered a series of articles in the Washington Post. And apparently from what I've heard now, a review at the top levels of the Pentagon of like what our policy should be as a government about doing Russian style influence operations.

Leo Laporte (00:07:32):
I'm sure the one argument is, well, we gotta fight fire with fire.

Alex Stamos (00:07:35):
I'm sure that's the argument they made. Unfortunately, they were fighting a forest fire with a match because they really sucked at it. Right. Like, this is one of the outcomes of, of looking at this is one, it's just from my perspective, ethically wrong for, for a democracy like the US

Leo Laporte (00:07:49):
Yeah. We should not engage in that behavior. Right.

Alex Stamos (00:07:51):
Like creating fake Iranians and fake pressure.

Leo Laporte (00:07:52):
It's like torture. It's like so many other things that others do. Doesn't mean we should do it.

Alex Stamos (00:07:57):
Right. Just as an American, I don't think it's right. But if I didn't care about that, I would also just say it was stupid. Because it turns out our tweet announcing our report ended up getting more engagement than anything else that the US government paid for the period of time somebody made some government contractor. And we can't, I can't say who I think it is because we haven't totally proved who it is. There are some contracts like the DOD database you could try to pull, you know, figure it all out. But that contractor made tens of millions of dollars to do worse than we could do with like a couple of undergrads. If, if that was what we were trying to do.

Leo Laporte (00:08:29):
Elon has taking a call that he psyops Yes. This is his new thing.

Alex Stamos (00:08:33):
Yeah. I mean, he's using it in the kind of red pill troll way of any time that somebody says something he disagrees with. It's psyop. But yeah, I mean, PSYOP, you could use that term. We use influence operation is the term we use because, you know, fake news is a term that got taken over immediately by President Trump and, and meant nothing anymore.

Leo Laporte (00:08:53):
That's by the way, a smart adversarial maneuver. If you don't like something, you can co-opt that phrase and make it meaningless.

Alex Stamos (00:08:59):
Yeah, absolutely. Yeah. Oh, he took that and owned it, right? Yeah. and it's not really dis disinformation misinformation are based upon something being false, and a lot of this stuff is not necessarily factually false. A lot of it's not falsifiable. Right? Like, even if you look at Russian behavior in 2016 on Twitter and Facebook, a lot of the stuff they were saying were were kind of radical political statements that don't have a falsifiable fact in them. Right? So we have too many immigrants and that's ruining America. Is that true or false? We all have opinions on that. Right? But you can't really have a fact check right on that. And that's the kinda stuff that often these propaganda outlets push.

Leo Laporte (00:09:33):
Is that the flooding the zone thing that we talk about?

Alex Stamos (00:09:35):
Yeah. Yeah. And definitely that's part of the goal for these folks is to try to create the idea that you might have this radical position, or you're trying to push a radical position in a democratic adversary. You wanna make it look like the position is supported by a, a huge number of people when it's actually a minor minority. Right. But you can try to create all that noise and intimidate people who have more mainstream opinions to perhaps push themselves to the outside because it's what the crowd is

Leo Laporte (00:10:01):
Doing. It's also trivially easy because we're naturally built to, well, I see it all over the place. It must be true. Everybody's saying it. Yeah.

Alex Stamos (00:10:09):
Yeah, yeah. I mean, it, one of the reasons influence operations work is it plays on some really natural human behavior. Yeah. We, we seek out information that makes us feel good about ourselves, that makes us feel that we are right. That we're part of the good group. The

Leo Laporte (00:10:22):
Group serves our beliefs.

Alex Stamos (00:10:23):
Yeah. Yeah. And so that's like a natural thing that human beings have always done. The internet just makes it so much easier, right. Like, we're not in the era where, you know, your prototypical mad men, you know, the, the, the man comes home from work and puts his fifties hat up on the, the coat rack and has like a Wall Street Journal and you know, a New York Times and then can

Leo Laporte (00:10:44):
Turn That's you and me, Jeff, by the way, <laugh> right? Yeah.

Alex Stamos (00:10:46):
Can turn on Walter Cronkite and then two other stations.

Leo Laporte (00:10:49):
Now I know. What's the

Alex Stamos (00:10:50):
Truth? Right? Right. It's like your choices were from five or six commercial outlets. Yeah. And now the fact that you have 10,000 different outlets you could choose from, you can self select yourself into those kinds of, it should

Leo Laporte (00:11:00):
Be good too. I mean, Jeff's often argued against the Eli Pariser filter bubble argument saying, but we do have all these other sources. We are exposed to other information.

Alex Stamos (00:11:09):
Right. And there is, there is real empirical evidence that people are exposed to way more information now than they were Yes. In those eras. And That's

Leo Laporte (00:11:15):
Right. Could be as beneficial as it

Alex Stamos (00:11:17):
Is. Right. So I, there, there, there are certain Harvard professors that Jeff has mentioned multiple times on this show who are completely and totally incorrect in their books. And you can tell, like there's a whole, there's a whole strain of kind of academic tech criticism that's not at all empirical. It's not based upon any evidence. It's just based upon what, and it's a great example because they are believing the things they've been told. Yes. Yes. That make them feel like this is a good guys. Yeah. So it's,

Jeff Jarvis (00:11:39):
I just read a great paper, Alex, by Petter Törnberg. Okay. He read a couple of them talking about sorting as, as, as the way to look at this mm-hmm. <Affirmative>. That that, that it's not about disagreement, it's about identity. And we put ourselves into a certain identity and then it leeches out from politics into the rest of life. What car you drive, how you drink your coffee, everything else Yeah. Becomes a way to sort yourself in society. And that's not really filter bubbling. It's not about information and disinformation. It's about identity. As much as I,

Leo Laporte (00:12:12):
It's incredible. It's not only how we think of ourselves tribalism, it's how advertisers think about us. I remember 30, 20, 30 years ago, a company called CLA to coming in and doing an interview guy saying, well, tell me your zip code. I'll tell you what kind of car you drive, what magazines you subscribe to. We

Jeff Jarvis (00:12:27):
Sort of, it's a little bitch. Started

Leo Laporte (00:12:28):
It all. Yeah. there was a recent act apparently operation on Twitter from the Chinese government Right. To hide both city names and hashtags and accounts, talking about the protests going on in China. Right. By flooding those with pornography.

Alex Stamos (00:12:48):
Yeah. So we're looking into this right now. So I don't wanna scoop my team too much, but I'll give a little preview, which is, there seems to be a spam operation that we can't attribute to the Chinese government. Things have just gone bad at Twitter. So the truth is, is the number of people working on spam there is falling apart. Yeah. Effectively, the entire team that worked on government influence operations is gone. It is evaporated. There's a two people left on the team that do child safety. It's just a, the trust and safety teams there have been decimated first by the layoffs and then by their naming people quitting. Cuz you know, just like with Yoel, if you work in trust and safety, if you're somebody who works in child safety, you have to expose yourself to the worst of humanity every single day. Yeah.

(00:13:27):
You're clearly a person who doesn't do that for money. You are mission driven and if you feel that person who sits at the top does not share your mission, you're not gonna last long. And that's true for all these folks who work on hate speech, who work on on government influence ops. They just don't believe Elon's got their back. And so they've quit. And it's also effectively a 0% employ unemployment rate for trust and safety professionals right now. Right. Because everybody has this problem. That's the other thing that people haven't really thought about too much is we have this huge long tail of new social media companies and they all have the same kind of issues except they don't get to grow up with the bad guys like Facebook did. Right. they have to deal with the people who have been cutting their teeth against Facebook for 15 years. Yeah. and so all the tricks, right. And so like if you're, if you're working at Twitter, if you've seen the worst of the worst, you're gonna have 10 job offers by the end of the week if, if you end up quitting. So anyway, so what's going on in China, there is a massive spam issue that is involved with cities. There's no evidence that that's actually been driven by the Chinese government.

Leo Laporte (00:14:25):
Oh, interesting.

Alex Stamos (00:14:26):
It, it's a hell of a coincidence, but you can, we have looked back and have found other explosions of this kind of spam before it's escort spam mostly. Yeah. and what they're doing is they're doing photos of women with QR codes. You scan the QR code, it does a couple redirects and sends you to a WeChat channel or a phone number that you can

Leo Laporte (00:14:46):
Arrange for. So it's Chinese, Chinese citizens.

Alex Stamos (00:14:48):
It's intended for Chinese citizens and overseas Chinese. Now Twitter is blocked for most Chinese citizens. Right. And so it's an interesting place to do Chinese

Leo Laporte (00:14:54):
Spam. Yeah. Seems like it'd be not productive.

Alex Stamos (00:14:56):
There's, I mean, there's a decent, obviously there's a pretty good size Chinese diaspora, right. Of people who live either in Macau or Hong Kong of, you know, Chinese SAR where they have less of a great firewall or that are, you know Mandarin speakers simplified Chinese readers who live elsewhere. Right. So that's going on At the same time, there is a trolling campaign along the lines of what we've seen outta the PRC in the past, which is they have a, a, a capability that's referred to as the 50 cent army, which is a huge number of patriotic individuals that they're able to mobilize in these situations traditionally. So the, the best paper on this is written by one of my Stanford colleagues as part of her PhD dissertation, Jen Pan who you know, explored this whole thing. And it's changed a decent amount since her time since she wrote that, because now their ability in English is much improved. And so you've seen that effort for them to invest in not just trolling in a variety of Chinese dialects, but able to troll in English. And so that, that is going on. But I think we can't really tie the spam to that. I think the spam just demonstrates that Twitter's falling apart. Right. That like, if, if you, because what happens is if, if you have a hashtag that's a big deal, the spammers flock to that hashtag

Leo Laporte (00:16:04):
Regardless. It's not politics. Yeah. Right. It's just No,

Alex Stamos (00:16:07):
It's conferences. It might even be automated. Right. It might not even be them making a decision. And so the fact that we're in like day three or four of, if you look up these cities, I was looking at Wie, like just one Chinese city in Chinese characters, it's completely dominated by the spam. Like you can't see anything legitimate. And so no matter what it, there's a breakdown at Twitter and clearly whether or not it's an intentional thing, which again, I, I can't say it's not, but I also can't say there's evidence that it is in either way. It demonstrates a real failure there. Things are kind of really coming off. The wheels are coming off with Twitter cuz they, they don't have people who can have basic control over this kind

Leo Laporte (00:16:41):
Of stuff. I I dominate this interview, so I wanna encourage Ant and Jeff to, to get in. This is not triangulation. This is a panel conversation. Go ahead Jeff. Your conversation was fascinated. Yeah. Oh, I, but like I said, we could do 18 hours with, oh

Alex Stamos (00:16:57):
My God, Alex, am I trapped here

Leo Laporte (00:16:59):
18 hours. You trapped your stuff and there's no bathroom. Alex. I do worry though, and I don't worry too. You know, one of the problems with being a police officer is you see the worst of humanity and pretty much colors your perception Yeah. Of the world. Has that happened to you?

Alex Stamos (00:17:12):
Yeah. I mean, <laugh>, I I I have my entire career has been dealing with people trying to cause harm. How did you, can I, how did you start in

Leo Laporte (00:17:21):
This? I'm, I'm, I'm eager for that kind of

Alex Stamos (00:17:23):
Context. Yeah. So I started in the eighties when my Santa Claus brought me a Commodore 64 when I was believe I was seven or eight years old at a 300 baud modem. And so I did a lot of stuff as a kid and teenager that for which the statute of limitations has run out.

Leo Laporte (00:17:39):
<Laugh> <laugh>, you're happy to say I might add.

Alex Stamos (00:17:42):
Yeah. And then but I was fortunate, you know, went to a nice, I grew up in Sacramento the Midwest of California which means I can both ski and duck hunt, right? Mm-Hmm. <affirmative>, that's how you can tell <laugh>. And you know, went to like a nice public high school in Sacramento, was able to go to Cal you know, did electrical engineering, studied under Dave Patterson kind of famous guy who did some incredible work and then was able to get a career doing legit stuff. So, you know, I had the economic opportunities and the educational opportunities that if I was growing up in Poland or, you know, an ex Soviet state at the same time, would not have had,

Leo Laporte (00:18:16):
You'd be in a ransomware gang. You'd be,

Alex Stamos (00:18:18):
I'd be wearing Adidas tracksuits. Yeah.

Leo Laporte (00:18:20):
<Laugh>. I'd be, but see, that's, I see that so much, and maybe it's your generation. Maybe the younger generation won't be like this, but, but, you know, I think of people like Kevin Mitnick who took a career as a hacker and, and, and, and made a career as a security professional. Yeah. That seems to be the usual career path. Well,

Alex Stamos (00:18:37):
It's a fun one because you can go and actually hack stuff all day and then get paid and not go to jail. Right. You can go home at night and have a family and a real life and not live. Yeah. You know, not live day to day thinking you're gonna, what

Leo Laporte (00:18:46):
Is it that attracts though your mind to that that, that penetrating systems?

Alex Stamos (00:18:52):
Yeah. I mean, it's just fun to break things, right? Like, it's, it's fun to, it. I, I like doing security both attack and defense. Like, I, I really enjoy doing incident response when it's not my incident. I really enjoy it as a consultant. It's fun. When you're a CEO, it's

Leo Laporte (00:19:04):
Like forensics. It's like you're, the guy comes in, there's a murder scene, right. You gotta solve it.

Alex Stamos (00:19:07):
Right? Yeah. I mean, I bet if you ask cops, they could never say this publicly, but privately, they're like, I kind of like being a murder detective. Yeah. It sucks that somebody died, but like, they enjoy the work. Right? So fortunately nobody, generally, people aren't dying when we're talking about it. Something bad's happened and you get to investigate and understand and you, unlike other forms of engineering, you have an adversary, right? So like, you build a Golden Gate Bridge, your adversary is earthquakes and corrosion and wind. Right. Non intelligent things. Right. That you figure out how, and you build the bridge and then you're like, okay, we're done. Right. You, you never build a bridge in security. You're playing chess and you, whatever you do, you can't just read a bunch of books and play the perfect chess game. Your opponents always get better. And so I, I always found that from a attacker and defender perspective, it's a lot of fun to be playing against real people.

Leo Laporte (00:19:55):
That's how close. How

Jeff Jarvis (00:19:56):
About, how about the psychology,

Leo Laporte (00:19:57):
The Cuckoo's Egg? Yeah. That was what that whole book was about. That's a great book. We talked to Bill Cheswick, same thing. He, he was just an innocent, you know, engineer who had to solve a problem built, you know the first honey pot. And that's how you get into it. Yeah. Yeah. But I bet because the human mind loves solving problems. These are some of the best, most interesting problems because it's a human adversary.

Alex Stamos (00:20:17):
Right? Right. I mean, if we were growing up in classical Rome, you'd have to be a philosopher or like, you know, solve math or you know, a philosoph or whatever they called scientists. It's like, but if you grow up in the latter 20th, early 21st century and you wanna pull things apart and figure out how they work, hacks a pretty good way

Leo Laporte (00:20:35):
These days. It's the great,

Jeff Jarvis (00:20:36):
But you're also hacking into the

Leo Laporte (00:20:37):
Human brain. Yes. Right.

Alex Stamos (00:20:38):
Yeah.

Jeff Jarvis (00:20:39):
And I, I've

Leo Laporte (00:20:40):
Always wonder psychology

Jeff Jarvis (00:20:41):
Involved Matt Cutts our friend Matt Cutts dealing with, you know, spam you, you'd think he'd be just a growly, nasty, miserable person. And he's the nicest person I practically know. And how does it affect, cuz cuz you origin both the engineering part of it, but also the human part of it, right? And seeing this part of humanity always, you know, trying to be a step ahead of you. Is it, is it, does it ever get you

Alex Stamos (00:21:06):
Down? Yeah, well, so I mean that's the, the change I made in my career. So when I joined, before I joined Yahoo, I was just pure InfoSec, right? So I was a professional hacker. I worked as a consultant. I started my own consulting company. We did a lot of work for Microsoft. So if you remember those early trustworthy computing days, I spent a bunch of the early days of our marriage and several years up in Redmond breaking Microsoft products. And that's

Leo Laporte (00:21:31):
What I, did You remember that? Yeah, yeah, yeah, yeah,

Alex Stamos (00:21:32):
Yeah. And so, you know, I did kind of just pure InfoSec, right? Right. Which is about the programs, it's about the bugs, it's about the computers. And then when I, when I joined Yahoo, obviously that was a huge part of my job. A huge part of it in any executive position is just human management, right? Yeah. Like one of the challenges with Yahoo is it, it's, it was a very important company that was dying. Right? and by the time I got there, they hadn't had a CSO for about 18 months.

Leo Laporte (00:21:56):
They'd already, and we wanna make this clear, cause I misstated this last week, they'd already had that billion user breach. That's right. That was in the history. That was in the past.

Alex Stamos (00:22:03):
Right. We did have a breach.

Leo Laporte (00:22:04):
Had to clean up, you had to clean it up.

Alex Stamos (00:22:05):
Right. So that billion user breach was something that we, we figured out was likely, but we never figured out the, the root cause, right. Partially. Cuz Yahoo didn't have any logging at all. Effectively, <laugh> we had figured out because when I got there, the number one security problem was there's a massive account takeover issue. Yes.

Leo Laporte (00:22:21):
And so we did.

Alex Stamos (00:22:21):
I remember that. Yeah. And, and people, people knew the accounts getting taken over all the time and then spammed. Yep. And it seemed to me, just from all my consulting work, this is totally statistically improbable compared to every other

Leo Laporte (00:22:33):
People would call the radio show all the time. My Yahoo email's been taken over. Yeah. They're sending out spam asking for money. Yeah. How did this happen?

Alex Stamos (00:22:40):
Right. And so my, I asked my team, Hey, I want you to do a statistical analysis of these accounts. And I gave them a bunch of cuts I want them to take. And we had this young lady who was an intern at the time, is now a, a lawyer. She went to law school and she does great work. And I, I got to run into her professional. It was just really cool. And she did all this data science of just cutting all the data. And one of the most interesting graphs was if you looked at the, the date of last password change for the accounts that were taken over. Oh, it was like this. And then there was a super dropoff. Yeah. And when you look at that graph that dropoff happened at the exact month, the resolution was only to the month.

(00:23:15):
So we couldn't do to the day the exact month that Yahoo had changed the way that passwords were stored. Oh. And so that was a pretty clear indication that there had been a breach of that. The older system, and this has happened before, like over a year before I had gone to Yahoo, that there was a change in how passwords are stored and secured. That when that happened, they had closed the vulnerability that somebody had used. Now we didn't have actual logs of how the data was stolen. We didn't have direct evidence. And so when we took this to Marissa and the other executive team from their perspective was like, can you prove it? And my answer is no. It's just highly suggestive evidence. And from their perspective, they're like, okay, well we're not gonna disclose anything because you can't prove anything. Right. And at that time, you know, Marissa, if you remember, Marissa took over because of an activist veer by the time I joined, it was like a year and a half after she'd been there. The honeymoon was over. She had her own activist investor who's now pushing them to make money. She didn't want any kind of negative publicity at all. Mm-Hmm. <affirmative>. And so my relationship with her was mostly just her saying, can you absolutely, totally prove something is true?

Leo Laporte (00:24:17):
You're always the bad news guy, Alex

Alex Stamos (00:24:19):
<Laugh>. Yeah. I mean that, and that's what sucks about being a CISO, right? Yeah. Like, I would literally walk into a room and either Yahoo or Facebook and people think, oh, Stamos is here. Yeah.

Leo Laporte (00:24:27):
Yeah. Can I say that or did I just get you tan? No, no, we'll just sleep it. Okay.

Alex Stamos (00:24:30):
Right. But like, and I swear all you want, I don't think it was because of my personality or how I smelled or something. I think it's, I was the grim reaper. Right? Like, if I was in the room, something bad had happened.

Leo Laporte (00:24:39):
We've actually been talking about this. What is the liability of a CISO? Yes. And why CISOs might leave. And I think it was probably on a TWiT the conclusion was, well, the CISO's not liable. The CISO does have to bring this information to the board, does have to bring this information to the C-level. Right. But if they don't act, if they don't budget, are you

Alex Stamos (00:24:59):
Liable? Well, that's your position. The US Attorney's Office for the Northern District of California has a slightly different opinion on

Leo Laporte (00:25:05):
This was remembered. This was at the very first thing that happened when Elon took over Twitter was that memo went out from the, the counsel saying, you're on your own now with this FTC consent decree.

Alex Stamos (00:25:19):
Right. Because after like a week, I think the same day, the day that they were supposed to write a letter to the FTC, the chief information security officer, the chief compliance officer and chief privacy officer all resigned instead of signing that letter.

Leo Laporte (00:25:30):
And they asked the engineers to self certify.

Alex Stamos (00:25:32):
Right. Which is not a thing. I'm just gonna say self certifying is not, they like, that's just in It's made up. That's just made up. Yeah. No, and, and because the other thing that's going on that is in the back of the mind of those three C levels of which I have to say two of them are friends of mine,

Leo Laporte (00:25:47):
They don't want liability.

Alex Stamos (00:25:47):
Right. Is that, you know, have you talked about the Joe Sullivan situation at all?

Leo Laporte (00:25:51):
Go ahead. Tell us.

Alex Stamos (00:25:52):
Yeah. So Joe Sullivan, who's my predecessor at Facebook, he's the reason I got the Facebook job, which I'll never forgive him for. Right. He took me out to lunch. He asked me, he was leaving Facebook to go to Uber. He asked me to go to Uber with him. I had met Travis on a boat. I have a story that's not for family. Podcast. Sometimes

Leo Laporte (00:26:09):
You get a feeling about a guy.

Alex Stamos (00:26:10):
Right. But like, you could tell just it is like, I do not want this guy to either meet my sister or be my boss. Right. Right. And so I was like, Joe, I, I'm not interested in working with Travis. He said, well then you should take my job at Facebook. Right. I I'll put your name for it. I'm like, oh, well, yeah. Nice. Not now. Like, thanks

Leo Laporte (00:26:27):
Joe. At the time, it seemed like a good

Alex Stamos (00:26:29):
Idea. Seemed very, I was very

Leo Laporte (00:26:31):
Flattered.

Alex Stamos (00:26:31):
T-Shirts at the Rangoon Ruby in Palo Alto. I was like, oh, Joe, I can't believe you thinking of me. And I was like, oh, look, it's a bus. It's a horrible, trippy bus of internal corporate politics. So Joe went to Uber and while I was at Uber, there was a security breach. There was guys who, who also are bug bounty guys. So the, these guys who participated in bug bounties, but in this case, they kind of went well beyond the rules of what Uber any other company allows in a bug bounty, actually grabbed user data and then sent it to them demanding a bounty. Right. And this comes back to like, the real problem with bug bounties is that bug bounties are a really good invention. The idea that big companies are gonna pay hackers to find bugs and is gonna pay them and then get the bug fixed. It's good for everybody. They're also a form of legalized extortion. Right, right. The whole thing is an extortion dance between an

Leo Laporte (00:27:26):
Unintended consequence

Alex Stamos (00:27:27):
Of it. Yeah. Yeah. Right. Of of the company's not gonna call the FBI on you. Right. And have your door kicked in and they're not going to embarrass you publicly and you'll fix the bug together and then move on and everybody's happy. Right. Right. And Joe made a decision, which is probably not the decision I would made, but he called it a bug bounty. He paid them the money. He sent somebody over to have them sign an nda, had them delete the data, and then didn't disclose

Leo Laporte (00:27:53):
Anything. We did talk about, oh, I

Alex Stamos (00:27:54):
Remember. Right now. Right now. And he was just convicted of two things. One, misprision of a felony, which is not reporting the initial crime to the government. And lying to the FTC because at the time the Uber was already under an FTC audit. Right. And the FTC was literally in his office.

Leo Laporte (00:28:11):
So a CISO can be liable

Alex Stamos (00:28:13):
In this case. He is going to go to jail, it looks like. Oh, yeah. Gosh. Now I, I, I'm not neutral here. I've known Joe for a long time. I I'm gonna be writing a letter to the judge of asking for, for leniency here. Partially because if you look at like the top 10 people in the United States who have put child molesters in jail, Joe Sullivan's probably on that list just because he helped build during the early, early days of, of Facebook this incredible capability, which makes Facebook still reports 90% of the child porn.

Leo Laporte (00:28:40):
They all come from Facebook. Yeah.

Alex Stamos (00:28:42):
Right. It's about 90% of the overall reports globally that go to

Leo Laporte (00:28:45):
NCMEC from Facebook. We, we, we noted that

Alex Stamos (00:28:47):
Remarkable stuff. A lot of that is due to him. Yeah. And the work he did, there's other great people int Davis, a lot of great people, but he needs to deserve a lot of credit for that. And so it's like you gotta offset him making a mistake with the FTC with also the fact that any person he goes to is gonna be full of people who we put there. Right. For

Leo Laporte (00:29:03):
One way. Well, but, and also this is the dance that happens with bug bounties. Yes. And that, it's kind of an unfortunate, but it probably happens

Alex Stamos (00:29:09):
A lot. It happens all the time. It happened to me multiple times now, not in a situation where user data was exploited. Right. But we would have bug bounty participants go off the reservation and then effectively blackmail us. We had this happen once that I, instead of having this guy arrested, which is what the legal team wanted, right. The legal team wanted to call, he was Canadian. You know, the, the RCMP, the Royal Canadian match.

Leo Laporte (00:29:31):
Well, they're mean, man, don't

Alex Stamos (00:29:33):
Mess with these like the red outfits and stuff. But it turns out they have a SWAT team. Yeah. Yeah. And the SWAT team's not so nice.

Leo Laporte (00:29:37):
Did not mess with the

Alex Stamos (00:29:38):
Mp. Oh, can, yeah. Was this a boot? Right? No, they blow the door in with like a Canadian flashbang. Right. That story. And that's what the, our, our, and I, I was like, Hey, give me one more chance to stop this guy from blackmailing us. Good. And I called the guy's boss and I'm like, Hey, he's about to be in real trouble. Somebody he trusts and he needs to talking out of it. And he talked him down and then like six months later, a story was written about me threatening his boss. Oh dear. So it's like, it was like kind of no gge, but it's like every CISO runs into this of like, I didn't want some Canadian teenager to have a, a, you know, a federal US felony extradited to the US for Computer Fraud and Abuse Act because he did something stupid. Right.

(00:30:16):
Right. Now, Joe, again, I think the decision he made was not the right one. But I can see how he got there. And certainly this, this decision is one made it that nobody wants to be a CISO. Right. That like, if cuz he was told by Travis, by the CEO, don't disclose. Right. And so if, if you've been told by the CEO and you've received advice from legal counsel that it's okay not to disclose he's the one going to jail feels very unfair. Yeah. Because Travis is just got his billions of dollars and is enjoying himself. Yeah. And didn't defend Joe. Just threw Joe totally under the bus. Right. Didn't come to the trial, didn't help him out in any way. That's just the other thing going on is Dara took over Uber. And so Joe was really just a victim of a setup from inside of Uber where Dara's team was trying to make Travis look as bad as possible. Here's the, and they're the ones who sent all of the information to the US attorney's office and pushed for the prosecution. So anyway, to that context, if you're working for Elon Musk and you're like, you want me to sign this FTC letter after you fired every team that makes it possible, you're insane.

Leo Laporte (00:31:16):
Not gonna do it. Let's take a little break. Hold on a second. Hold that thought. You're next. I'm sorry, but we do need to take a little break. Pay, pay the bills. This is awesome. Alex Stamos is our guest from the Stanford IO. I like that. The internet observatory, the Stanford IO. We're gonna talk about his Mastodon, is it your Mastodon instance or are you just a member of of the Mastodon instance?

Alex Stamos (00:31:38):
I, I run that Mastodon. Talk about

Leo Laporte (00:31:40):
Villains

Alex Stamos (00:31:41):
Cyber villains.com. Yeah.

Leo Laporte (00:31:42):
Talk about, don't wanna join cyber villains.com, but we will talk about masses on secur Twitter. Security. Security. Yeah. There's a lot to talk about with Alex Stamos and we are thrilled beyond measure to have him in studio. What a great opportunity to kind of get the story from inside. We talk a lot about bug bounties. It seems like on balance it's a good thing to have. Cuz the other option is that these guys go to Zerodium or somebody and sell it. Right. And then it goes to a nation state, which is then weaponizing against us. Yeah. But I didn't realize it's so fraught and it's

Alex Stamos (00:32:16):
I mean you're, you're dealing with 20 year olds often. Yeah. And they make

Leo Laporte (00:32:19):
No

Alex Stamos (00:32:19):
Frontal lobe. No frontal lobe. Yeah. Right.

Leo Laporte (00:32:22):
You know, what did you do as a 20 year old? Just dangle hot pockets in front. Do whatever you want. It always works

Alex Stamos (00:32:28):
Well. Just like all these other things. I think we put teenagers in these ridiculous, where they make a mistake on Instagram at 15. Like, thank God every single person in my social group was not recording everything I said when I was 15 years

Leo Laporte (00:32:37):
Old. Exactly. It's a, a sad thing. Do you have kids three? Yeah. Yeah. How old are they?

Alex Stamos (00:32:41):
They are 11 year old girl. A 13 year old son, A 15 year old son. So

Leo Laporte (00:32:45):
We're Right. So what do you talk to them about? What do you tell them?

Alex Stamos (00:32:48):
So one I do every year, the speech to the eighth graders at my son's school.

Leo Laporte (00:32:53):
Oh, they lying.

Alex Stamos (00:32:55):
Oh boy. Does he

Leo Laporte (00:32:56):
Love that. Okay. Hang that, hang on. I do have to take a break. Rolling. I want to hear the speech to eighth graders. Wow. Because we got a lot of eighth graders and people were eighth grade in the brain listening and watching, including me. This is true. And I wanna hear the speech to eighth graders. Alex Stamos more coming up. Jeff Jarvis, Ant Pruitt. Great to have you in our show today. Brought to you by Nureva. We are in this weird environment where some of the employees are at work, some of the employees are at home and we have some go back and forth. We've got this hybrid work environment and of course that means your huddle room, your meeting room is getting a lot of use. You have an all hands meeting, half the people are there and half the people aren't. And the biggest problem I could tell you right now, I know cuz I've lived through it, is audio.

(00:33:34):
It's audio. You can go out, you can, and a lot of companies do this. They spend a, a kind of an a stunning amount of money. Tens of thousands of dollars to put in very elaborate video and audio conferencing systems. They have to have them tweaked constantly. They've got wires everywhere, microphones everywhere. And then of course, you with that product shortages, delays, supply chain, the amount of time your IT department now is devoting to just getting this huddle working. It's just not a good solution. Customers want better, they want intelligent products that require minimal effort from IT to deploy and manage at scale. Zero end user training. They want Nureva, N U R E V A. Nureva's been around for a while, but boy, this is their time. Their patented Microphone Mist technology gives you great audio without any of the wires, the microphones without any of the tweaking zero end user training.

(00:34:36):
And, and it works for small and large spaces. It's basically a soundbar, looks like a soundbar, but it gives you true full room mic pickup. Just one or two microphone and speaker bars you can install. If you can install a soundbar, you can install this yourself in half an hour. Maybe you got a big space you're gonna put in two. Oh, it's gonna take you an hour. You don't even have to get IT involved. Or if you're in IT, you'll love it because the Nureva console means you go back to your office. And even if you have many huddle rooms, many conference rooms, many all hands meetings, you can tweak them, set 'em, monitor 'em, turn 'em on and off, all from the console over the web. It's incredible. No more complicated maze of multiple mics and speakers and DSPs and switchers. Your room won't go offline for days.

(00:35:24):
You can have it installed before this show is over. Some traditional systems require you to go around from room to room and tweak it right. And get all this software. With Nureva you monitor, manage, update, and adjust all your Nureva systems from a powerful cloud-based platform, the Nureva console, and it scales for large organizations for a fraction of the cost of these traditional systems. Take a look at this HDL 300 system. This Microphone Mist technology means everybody in the room can be heard clearly no matter where they're facing. No matter how they're social distancing, it's, it fills the room with virtual mics. It's a patented technology that's incredible. Right now, 50% off a Nureva HDL 300 system for midsized rooms. When you get a live online demo, as long as you buy before December 16th, 2022, go to Nureva, n u r e v a.com/twit. The 300 is the perfect midsize system. There are bigger systems, there are little systems, but, but I think this is for most conference rooms. This is exactly what you need. N U R E V A.com/twit. Great audio simplified with Nureva. Thank you Nureva for supporting this week in tech. You know, we're all about good audio. That's why we make people sit in front of big honk and big microphones <laugh>. That's, that's one of the things that's amazing. Nureva.com/twit. Okay. You're on a Mac. Yeah. Alex Stamos. Not a Chromebook, not a Windows machine. Just had to notice that Ken

Alex Stamos (00:36:52):
Runner really run Docker containers on my Chromebook. So

Leo Laporte (00:36:55):
So it's all on Docker, huh? Yeah.

Alex Stamos (00:36:57):
A bunch of stuff. Yeah.

Leo Laporte (00:36:58):
Yeah. Nice. Alex Stamos was our guest. I interrupted you, Ant. Did you have a question for Alex?

Ant Pruitt (00:37:02):
I want to hear his story first cuz I can piggyback off

Leo Laporte (00:37:05):
Of his story. The eighth grade lecture. Lecture. Yeah. What do you tell kids in the middle school years? No frontal lobe, no executive function. But you knew you did what you did when you were there. There every move is recorded on social media and posted on Instagram or Snapchat or TikTok.

Alex Stamos (00:37:23):
Right. All of their relationships with their friends are intermediated by technology now. Yeah. Right. That's,

Leo Laporte (00:37:29):
There's no more passing notes. No,

Alex Stamos (00:37:31):
No. And that's one of the permanent changes I think from Covid is Covid pushed all of the relationships online. Yeah. And only 20% of it came back to in-person. Like you will see, we'll have a group of 15 year olds in our basement and like we've got a pool table and fish ball table and they're all sitting there texting each other

Ant Pruitt (00:37:48):
In the same dagum room. Yeah. Yes. I've

Alex Stamos (00:37:50):
Seen that. They're sharing a pizza. You have kids?

Ant Pruitt (00:37:52):
Yes. Yes. I have hard heads. And they sit in the same room.

Leo Laporte (00:37:55):
High school you wanna call it,

Ant Pruitt (00:37:57):
Text each other in the same room like you're sitting right

Leo Laporte (00:38:00):
There. My kids are 30 and 27. So I dodged this bullet. Yes. The internet was there, but they were using aim. Oh, I haven't even thought of weird. They were, she would do, my daughter who's 30 now would do her homework with music and aim Yeah. And a video chat going on and all that stuff. But just gone beyond that.

Alex Stamos (00:38:15):
But she didn't have a phone in her pocket. The camera. It's the camera that gets in trouble. It's the camera. Right? Yeah. So, you know, so when I talk to the kids, there are obviously all kinds of bad things that happen to kids, but the, the really horrible tragic outcomes. Right. The you know, I'm not gonna name any of the teenagers, but I I, when I teach my class, I talk about teenagers who actually ended up taking their own lives while I was CISO at Facebook. Right. Due to them being exploited

Leo Laporte (00:38:40):
In some way. Oh my god. Yeah.

Alex Stamos (00:38:41):
And those situations are because the kids didn't have anybody they could turn to that they felt that they could talk to once they made a mistake, once they kind of slipped up a little bit. That for them there is no outcome other than to take their own lives. Right. and and so I think a big thing that I say to the kids is one of the metaphors I have is I, I ask the kids has anybody here ever been really badly hurt? Had an accident and one kid raises their hand? I'm like, yes. And he says, oh, I ran through a plate glass window once. I'm like, whoa, okay. That's a good one. Right. Like a, a glass door. Was it scary? He's like, yeah, I was covered in blood, I was bleeding everywhere. And the kid's like, you cool?

(00:39:23):
Yeah. Mm-hmm. <Affirmative>. and I ask him, so when, when you did that, were your parents angry at you? No. What were they, they were scared. Right. And that's what you have to teach these kids is like when Yes, your parents spend all the time being angry about you, about not turning in your homework or not walking the dog or the, you know, fighting with your sister when you're in real trouble, your parents wanna protect you. Wait, that's so good. And you need to go, if you get into a mis if you're talking to somebody online and you're like, I don't think this person is who they say they are. Or if you've done something like sent a photo to somebody and regretted it, it is much better for you to go talk to your parents at that moment mm-hmm. <Affirmative> than to try to fix it yourself. Mm-Hmm. <affirmative>. Because the, the worst outcomes are when you try to fix it yourself. And for the, the really bad child abusers, they know that. And so they create a Stockholm syndrome, a you know, a fake relationship where it's you and me against your parents.

Leo Laporte (00:40:17):
There's a horrific story just happened in Santa Rosa up here. Mm-Hmm. <affirmative> teenage girl. Catfished. Yes. Guy figures out where she lives, comes to her house, kills her mother and her grandparents, and abducts her and drives off with her. Wow. Horrific story cuz she was catfished. The Right,

Alex Stamos (00:40:33):
That's like the worst, worst outcome is we

Leo Laporte (00:40:35):
In person

Alex Stamos (00:40:36):
Abuse.

Leo Laporte (00:40:36):
They by the way, they, they, they caught 'em and they, she escaped safely, thank God. And they got the perpetrator, but her parents her mom and her grandparents are gone. Yeah. horrific story. Right. And that's catfish that's posing

Alex Stamos (00:40:50):
Right. As it's catfish. And then the, where catfish often goes, where it becomes really harmful is called sextortion, where you trick a kid into giving you a naked photo and then you leverage that into more and more control over their

Leo Laporte (00:41:03):
Behavior. Right. And parent, good friend of mine just happened to his 17 year old.

Alex Stamos (00:41:07):
Yes. It's extremely common. And that's where you need to teach your kids one, you know, it, you don't wanna be victim blaming, but you also wanna teach kids. Like, you don't send naked photos to your friends. Ever,

Leo Laporte (00:41:18):
Ever,

Alex Stamos (00:41:18):
Ever, ever. It's like you have to teach one, you have to teach teenage girls that teenage boys are idiots. Right. Like I think they understand how dumb we were and maybe still are, but certainly how dumb I was when I was 15 years old. Yeah. They have no, in teenage boys have no impulse control. None. No ability. And so you have like these, nobody dies, but it's a big deal if you end up with the naked photo being distributed with friends and it's technically distribution of child, sexual abuse material. Technically a bunch of those kids are committing a felony.

Leo Laporte (00:41:45):
Well, but the next extortion could go far worse.

Alex Stamos (00:41:47):
Right. But if Right. That's bad. And then if it goes worse that that person that you shared the image with is an adult who's an extortionist, then they will turn that into a multi-month. Hell. And so we had this guy who,

Leo Laporte (00:41:58):
That's where you get suicides.

Alex Stamos (00:41:59):
That's where, that's where you get suicides. And, and we had this guy who we called the worst man on Facebook which is like a pretty high bar, right? Yeah. Right. And we spent two years tracking this one guy cuz his OPSEC was perfect. He never made a mistake. He never used a real phone number. He had never used a real IP. He was on Tor all the time. Mm-Hmm. <affirmative>. And he had, he approached thousands of teenage girls. He, it turns out later we find out he was tracking how he was approaching them and what approaches were statistically more successful. Right. Wow. And then he would, he would usually, what I guess was successful was he make them think of like, oh, I know you sent a nude to your boyfriend. I was able to hack it. Why don't you send me another one and then this will be over with. He doesn't have a real nude,

Ant Pruitt (00:42:38):
It doesn't have anything

Alex Stamos (00:42:39):
But 4%, 5% of the girls might be, it's believable. Right. Conversion rate. And so that's the kind of situation that you need to teach your kids. If you get that message, we're not gonna be angry at you, even if you did send your boyfriend nude. You can come talk to us and we can help you out and help you out of this problem. And instead you talk

Ant Pruitt (00:42:55):
To parents is good that you're, you're giving this to these eighth graders and, and, and young kids. But is, are you speaking to the parents as well and speaking to just adults in general? Because a lot of times people my age and a little bit younger, a bunch of know-it-alls and don't know when it comes to the security stuff and we're gonna, we're gonna talk to, and then when I, when I saw it's not just

Leo Laporte (00:43:14):
Know it all, it's, it's just some, I mean, I talk to people on the radio

Ant Pruitt (00:43:17):
All the time. Ignorance is another thing. But I'm talking about the people that are know-it-alls. When I try to explain things to people about even just password sanitation, they look at me as if I'm talking out the side of my neck and I'm going overboard over security. What, what is your approach when

Alex Stamos (00:43:33):
We do talk to parents part, I mean, part of what you talk to parents about is create that open line of communication. Mm-Hmm. <affirmative> also, you have to have the expectation until your kids are out of your house. They have no privacy on their phone. I mean, it sucks to say it.

Ant Pruitt (00:43:43):
Oh, I know that. You

Alex Stamos (00:43:45):
Know that. Right. And so spot checks and what will happen is, is we've had this with our kids where we say only one of them has a full time phone. Right. It's time for a phone check and they will preemptively admit something. Now, so far everything that's been admitted Wow. Has been kind of small potatoes. Right. Wow. But that's, you want that.

Ant Pruitt (00:44:02):
You planted the

Alex Stamos (00:44:02):
Seed. Yeah. You plant the seed. Yeah. And you create a situation where like they now have permission almost to share with you, right? Mm-Hmm. <affirmative>. So yeah. I mean I think for parents, part of the problem though is the technical controls parents have suck. Right. Like the, the, the good thing that Apple had, Apple's finally made some progress here. And I think Apple's the company that has the most opportunity, at least in the US because they dominate, you know, teenagers, right. Is, you know, they now have the ability to classify photos as they leave your kid's device to see if they're naked photos. Right. And to stop them from leaving the device.

Leo Laporte (00:44:32):
This was very controversial when Apple proposes.

Alex Stamos (00:44:34):
Well there's two different things. There's a part where they're actually scanning your photos Yeah. As on the device. Right. And I oppose that much, so much. I wrote in New York Times op-ed, I remember. So I wrote that part, but the same time they announced something I think is great, which is you can say this is a kid, they should not send naked photos.

Leo Laporte (00:44:51):
This is totally in the hands of parents. This is not going back to the corporate or

Alex Stamos (00:44:54):
Anything. Right. And it never calls the cops. Yep. It never does anything. It doesn't even even tell the parents. Right. It just stops the photo from being

Leo Laporte (00:45:00):
Sent. And it even warns kids now. You sure you wanna send, it's good. It's actually, I think well done.

Alex Stamos (00:45:05):
Right. And I think those kinds of interventions,

Leo Laporte (00:45:07):
Parents have to turn that on by the way. Should mention that. Yeah.

Alex Stamos (00:45:09):
You have to turn it on. It's in, I think it's under screen time settings. Yeah. And, and so I think setting the screen time settings, so the other thing for kids is teenagers wanna be on their phones all night. They don't get any sleep. And so having the phone turn off at nine or 10:00 PM

Leo Laporte (00:45:21):
Whatever you, that's good for adults. <Laugh>. Yeah. Yeah. No, I think so. I can tell you No,

Alex Stamos (00:45:24):
I, I'm, I'm bad at that <laugh>, but at least I could fix my problems with my kids, right. You know, doing the screen time limits and then having no expectation of privacy. And I'd like to see companies get more aggressive about those kinds of limits on, Hey, it looks like you're sending a naked photo. Is that something you really wanna do? Here's some things that you need, you should read first before you do that. Right. And to at least, like, cuz again, you said no frontal lobe, right? Like their decision making is really just create a friction and so create that friction that they have to think about it. Mm-Hmm. <affirmative> I think is a, a good thing.

Leo Laporte (00:45:52):
Go ahead. You were gonna follow? Oh,

Ant Pruitt (00:45:54):
Oh, no, that was it. It was just the whole education side of it far as speaking with adults, but actually now I do have another question. You said nobody really wants to be a CISO anymore? Yeah. nowadays, at least what I've been seeing and hearing is colleges are really trying to teach kids and to get in into entrepreneurship and things of that nature. Even from the tech side of things, they're talking about writing code and developing apps and whatnot. But I don't really see a lot about security out there, even though we need security. Yeah. is it just the push of telling people to be a consultant or just stay away from being a C-suite and just be a one person team and, and consultant for all of these big banks and big corporations or whatever that's gonna need information

Leo Laporte (00:46:40):
Security? Do you care your kids to hack?

Alex Stamos (00:46:43):
I haven't taught my kids really to hack anything yet. I mean, they haven't insured as much, much interest. Right. So That's fine.

Leo Laporte (00:46:48):
I always wish my kids wanted to. Yeah, yeah, yeah.

Alex Stamos (00:46:51):
If dad does it, you

Leo Laporte (00:46:52):
Don't want to do it. Yeah. No, you don't wanna do it. That's right. Right, right.

Alex Stamos (00:46:55):
Yeah. I so the, I mean, the good thing is, is that most good computer science departments now have security classes you can optionally take. Right. That was not true. When I was an undergrad. There was no undergraduate security class. I'd take a graduate seminar. It wasn't like a soup to nuts. We read papers, right? Mm-Hmm. <affirmative>. And so now you can take those classes thanks to, you know, Dave Wagner at Berkeley, Dan Boneh at Stanford, Ed Felten at Princeton. They created these first classes in the early two thousands. And now that's pretty widespread. It's, I don't know of a single school where it's required to do security. And, and this is something that Matt Bishop at Davis has thought, thought a lot about is how do we integrate security curriculum into just a standard computer science curriculum.

(00:47:40):
It's just so packed right? To everything you have to teach students in, in four years mm-hmm. <Affirmative>. and so what a lot of people have tried is, okay, well, we're teaching them basic programming. We'll also teach them basic security side by side Okay. With programming. So I, I think that's a reasonable thing. You know, but this is why I teach classes, right? So I teach a cybersecurity class for non CS majors. So I have lawyers, I have MBA students, I have a lot of international policy students to teach 'em the intro to cyber and to get them actually hacking. Right? so they use non programming hacking tools like Burp and

Ant Pruitt (00:48:09):
What was it Wire, was it wire

Alex Stamos (00:48:10):
Guard? Wire shark, stuff like that. Yeah. So wire shark is one of the things they use. They get to sniff wifi networks and stuff, and

Leo Laporte (00:48:15):
Then what's the point of that? They're not gonna do that in their job.

Alex Stamos (00:48:18):
The point there is that is a, there's a masters in cyber policy at Stanford, and that is the first required class. And this is effectively how I got to Stanford is That's

Leo Laporte (00:48:26):
Interesting. But

Ant Pruitt (00:48:27):
Again, is it still just more about plant the seed and, and having awareness about what's going on around

Alex Stamos (00:48:32):
Digital

Ant Pruitt (00:48:33):
Standpoint,

Alex Stamos (00:48:33):
Right? Yeah. Yeah. For those folks, a lot of them, if my whole problem was, I basically, I had this anecdote that I said to some of the professors at Stanford was, you know, I, my first time to the White House, I was there because of this FSB breach of Yahoo, and we are briefing them on this investigation, and all of the techies were on my side, and the entire other side of the White House table was lawyers <laugh>. And we couldn't speak the same language.

Leo Laporte (00:48:56):
Ah, right, right. So

Alex Stamos (00:48:59):
And

Leo Laporte (00:48:59):
So my thing was certainly policy makers need to have this knowledge, right?

Alex Stamos (00:49:02):
Like, if you go to National Security Council, the people who do cyber are either coming from a, a specialty in a country, like they have a PhD in Chinese studies or in Russian literature, and they've been a cold warrior,

Leo Laporte (00:49:14):
Which by the way was my major, but Oh, I dropped it came back. I dropped <laugh>. Right. The Russia is the time was a good idea. Yeah.

Alex Stamos (00:49:20):
And then like, everybody was bored about Russia for a while. It was all about learning. Arabic came back about terrorism or something. Russia's back big man.

Leo Laporte (00:49:26):
That's right. 

Alex Stamos (00:49:27):
You see that actually like Stanford, like the, the, the old Russia, like the people who are in like the Reagan White House are all super excited again,

Leo Laporte (00:49:34):
<Laugh> the Soviet

Ant Pruitt (00:49:35):
Union's background.

Alex Stamos (00:49:37):
Yes.

Leo Laporte (00:49:37):
Right, right. Yes. Actually, I'm a little more worried about China and maybe we should be, but

Alex Stamos (00:49:42):
But, but to ask question, and then I teach a trust and safety class of CS students, which is about hate speech and bullying, harassment and child exploitation, adult exploitation. Right. Because I got kind of tired. Stanford will graduate these 23 year old dudes, they're always guys who are like, man, I've got a startup in this startup. You can take a photo and then anonymously send that photo to a hundred women. Great.

Leo Laporte (00:50:01):
At the same time thinking buddy.

Alex Stamos (00:50:03):
Right. What could possibly go wrong? And so my goal is like, well, if you take the class, you'll know the 17 things that have gone wrong anytime anybody is allowed to send a photo. Right?

Leo Laporte (00:50:11):
Right, right. Interesting. And the, and the intent with the lawyers is not to get them to be proficient with Wireshark, but to have 'em understand Right. The blank what's going on in the light. Right.

Alex Stamos (00:50:20):
Cause when, when they are now in the White House, and so actually one of my students is now working at the National Security Council. Nice. And when she sees a briefing about, you know, the Lazarus Group of the, the, the DPRK, of North Korea using SQL injection, she'd be like, SQL injection. I, I know what that is. I did this. Yeah, I did that in Stamos's class. Right. Good. And so, yeah. Is is she gonna be a professional hacker? No, no, no, no. Is she going to bringing,

Leo Laporte (00:50:44):
Seeking to at least communicate to the rest of the

Alex Stamos (00:50:47):
Team that can help? Which is a real problem in cyber policy, right. Is like the people who do other national security policy often come from the military, right? Like the chairman of the joint chiefs, I, I don't know who, I'm sorry, I forget who it is right now. Is it Milley? I think? I think it's Milley. Yeah. Yeah. He was like a, a marine platoon commander, right? Mm-Hmm. <affirmative>. So it's like the dude was in the dirt with his dudes. You probably still field strip an M16, right? <Laugh>. Right. <Laugh>. But like the people who run cyber folded upside government have never, they've never changed a hard drive. Right. They've never reinstalled their operating system. They never hacked a single thing. Right. And that's, I think what we have to change is that the people who run cyber for our government, that they have to have at some point been hands on at some

Leo Laporte (00:51:21):
Point. Is it your sense it's getting better? Because I think this has been a big problem as government not understanding the, the, the, even the, the ground that they're walking on it is getting, and, and also legislators. I mean, I guess it's their staff that needs to know this.

Alex Stamos (00:51:33):
It's not getting better in Congress so much. I mean, you, you now have, like, the key, one of the problems is there's no cyber committee and five or six congressional committees say cybersecurity is their problem. Right? And so you have a, you want a cyber

Leo Laporte (00:51:46):
Committee. Do you really want

Alex Stamos (00:51:48):
One the way they mess things up? I think something like a select committee wouldn't be a horrible idea. Because what you end up right now is you have, you know, homeland security and judiciary and ways and means and all these different people having some kind of cyber component and, and then not being able to have the, the real skill set in house, right? Mm-Hmm. <affirmative> the,

Leo Laporte (00:52:05):
There also used to be in office of technology policy, right?

Alex Stamos (00:52:09):
OSTP. It's back. Yeah. They, it's back. It's back. But what's more important, I think the good thing Congress did is they created CISA, the Cybersecurity Infrastructure Security Agency. That's huge. Unders. That's, which is huge. Yes. Because finally there's a technically competent defensive cyber security agency. Yeah. It used to be the only people in the US government who really knew anything about cyber was NSA and Cyber Command. Right? It's all offense all classified. Right. They could, they would never help you out. In fact, it was kind of sketchy talking to them. Cuz you're like, you're telling them about vulnerabilities that you don't want them using for their own purpose.

Leo Laporte (00:52:39):
NSA's always been schizophrenic, both de defending our shores and attacking Yes. Others. And that's always been a little schizophrenic. Your, your partner Chris Krebs, of course was the head of CISA and left

Alex Stamos (00:52:50):
Fired by

Leo Laporte (00:52:50):
Tweets. Fired by tweets.

Alex Stamos (00:52:51):
But it turns out raises all these interesting HR questions under the administrative act, <laugh>, like of your 401k or your, your pension and stuff

Leo Laporte (00:53:00):
Like that. Chris of course, famously said the elections were, were well done. They were very best elections. We were anyway so CISA though is a little controversial sometimes. Yeah. but you feel like on balance it's a, it's a good,

Alex Stamos (00:53:13):
I think on balance is great. I think the current director, Jen Easterly, the second director ever, is fantastic. She has, I mean, she came out of the military and then had NSA and Cyber Command experience. Yeah. So we're in this weird place where there's a bunch of competent people and they all come from NSA because it's the only place you can come from in the government and have technical competence. Right. So I think it will be good in five years when hopefully we have people who did not come up through the offensive, the spy

Leo Laporte (00:53:37):
Thanks to you and Stanford and, and more programs like that, I think. Right.

Alex Stamos (00:53:40):
Look, Georgetown does this and Columbia now. So there's a lot of schools who are trying to teach real cybersecurity skills

Leo Laporte (00:53:47):
To folks. Jeff's good to know. Get in here. You, you, you can, I left out there that field.

Jeff Jarvis (00:53:52):
I think, I think part of the reason that you're here is, is as, as the world started shifting toward Mastodon, I saw the Uhoh Alex Stamos tweet that, or no, it was, it was, it was, it was a toot where you said, I'm cataloging problems and I said uhoh, and I'm, I'm sure it's there. So I'm, I'm curious about two things. One, what you think of the structure of the Fediverse, but then second and I was talking to a mutual friend of ours about justice the other day. If funders were to come into this space, as I hope they do, to develop at least tests, for example, around black Twitter or around personally selected algorithms or around security to bolster this new federated, wonderful little world that we see aor what do you see as the status of it and what kind of work needs to be done and what does it take to do

Alex Stamos (00:54:47):
That work? Right. Those are great questions. So the Fediverse has like inherent strengths and weaknesses, right? So the inherent strengths obviously being distributed, you're not gonna end up with a single person getting red pilled and all of a sudden making everything go nuts, right? Mm-Hmm. <affirmative> you as an

Leo Laporte (00:55:03):
Individual, you think that's what's happened by the way, I

Alex Stamos (00:55:06):
I

Leo Laporte (00:55:07):
Think it's

Alex Stamos (00:55:07):
Hard to know. Musk is when you're posting photos with two replica guns and four caffeine free diet Cokes. Yeah. The caffeine-free diet Coke, that's like one step short of a diet Dr. Pepper. Like if it's, if you had four Diet Dr. Peppers, I feel like California

Leo Laporte (00:55:23):
Was a pun. I think it was send lawyer guns and money. It was guns and coke. Yeah. I think was the pun. But were they replica that, that's a relief.

Alex Stamos (00:55:32):
One of them, one of them was like a was a video game replica. The one's a musket, which might be a real musket a he has enough money that he could own a real revolutionary war musket, which I think is actually pretty cool. Okay. I just think it's a weird,

Leo Laporte (00:55:41):
It's a bad thing to be, I feel owned a company like Twitter.

Alex Stamos (00:55:45):
He's clearly, if I was his family member, I'd be really worried about him. Yeah. I feel like he's having like a breakdown. Yeah. Okay. So the upside of the Fediverse is you can't have that come in some downsides, right? First off, the kind of privacy model of the Fediverse is like, if you looked at the Cambridge Analytica scandal and you said, I wanna build an entire social media network based upon Cambridge Analytica, right? Like the closest any major company has been to being as open as any Fediverse instance is, is Facebook with Graph API v1, which is the core API that caused the Cambridge Analytica and some, a bunch of other problems. So that is like a fundamental problem, is that you have no privacy in the Fediverse. People know this pretty widely right now, but your DMs are in no way encrypted.

(00:56:28):
They're seen by every single else. But then also it is effectively trivial to make an archive of everything anybody says publicly in the Fediverse. The, the Mastodon developers and such don't build that into the system. They, they've, you know, avoided people having search and stuff, but these are just conventions. Mm-Hmm. <affirmative>, I know for a fact people are breaking those conventions and just effectively archiving the entire Fediverse in real time, which then does not all the rights that we expect under GDPR, under California's laws now are effectively non, can't be applied to the Fediverse and never will under the current design of ActivityPub. Mm-Hmm. <affirmative>, you cannot have privacy. Okay. So that's a fundamental problem

Leo Laporte (00:57:07):
As long as people understand that you don't have privacy and DMs on Twitter now. Right?

Alex Stamos (00:57:11):
Well, no, that's not true. Like your DMs on Twitter are protected by the Electronic Communications Privacy Act and the Stored Communications,

Leo Laporte (00:57:16):
Ah, legally protected are legally protected. Not Elon

Alex Stamos (00:57:19):
Musk just published those. He'd be violating, I think it's 18 USC 2701. Right. That's a real federal law.

Leo Laporte (00:57:24):
A

Alex Stamos (00:57:24):
Real federal crime. So like it, I think that might be true for the Fediverse too. I, so what my colleague who I teach my cyber class with, Riana Pfefferkorn, is a lawyer. And one of the things I wanna work on with her and the law students is like a legal guide for Fediverse, because that was an, an SCA apply to you. What kind of responsibilities do you have under the, the child exploitation statute? So 18 USC 2258A is like the, the provider responsibilities.

Leo Laporte (00:57:48):
Okay. That's one reason, by the way, why I'm glad DMs are not private.

Alex Stamos (00:57:51):
Right? Right. Yeah. Yes. If people thought they were private, they would be much worse. The other interesting issue is, as Mastodon scales and gets more diverse and you end up with more and more people that you don't like on your instance, you're gonna have to do more content

Leo Laporte (00:58:04):
Moderation. I kick 'em off.

Alex Stamos (00:58:05):
Right. And but the tools for that that exist right now really suck. Right? Yeah. And I mean, like, you know, the reporting, when you report something on Mastodon, there's not, you don't have the ability like you do on Instagram. You can choose how to report it and stuff. That means it goes into different queue. Right? When it gets queued, ML looks at

Leo Laporte (00:58:21):
It. This is less of a problem as they stay small.

Alex Stamos (00:58:23):
If they stay small. So if, if we believe in the vision, then we have to believe in a vision where you're gonna have to do a pretty massive amount of moderation. And having a single queue that has no AI/ML component, right? No automatic scanning, none of the tooling. That is what people have spent billions of dollars to build at places like Facebook and Twitter is gonna be a problem. Right. So this is actually one things we're doing. So we run cybervillains.com. I was just doing it for fun and it's been successful enough that we're gonna port it over and make it official Stanford IO project. Oh, nice.

Leo Laporte (00:58:54):
You only have 94 users right now. It's not right. It's not, it's not intended to be a public

Alex Stamos (00:58:59):
Instance. No. But like, we found some interesting stuff by playing with it. No, it is public. It's, it's gonna be public. I, I haven't announced it yet, but it's gonna be stable, so people wanna be on it. What we do is it's intentionally an instance that people can hack. Right. So we have a policy that if you want to try to hack it and find problems with it, you should.

Leo Laporte (00:59:13):
I love that. Do so go ahead and hack it. Now.

Alex Stamos (00:59:14):
That's, we say in the privacy policy, you have no privacy on this instance. Right? That is true for all of Mastodon.

Leo Laporte (00:59:20):
I should probably say that in my privacy policy. You

Alex Stamos (00:59:23):
Should just say you have no privacy. You have no privacy. Right. Like I make absolutely no guarantee of anything. Yeah. Because you have no control over the security of that code. Right. Did not know that. And so we're gonna do that. But the other thing we're gonna do is we're gonna start running off of a fork of Mastodon that we're gonna maintain at Stanford where we work on trust and safety tools. So that I want build out an API with my students of here are pluggable things of like, here's my hate speech detector, here's my classifier for this. Probably the first one will be child exploitation. So we're running a project right now to scan the Fediverse for using PhotoDNA. And it's not great so far. So we'll, we'll have some results published. But right now the tools available to admins are pretty bad.

(01:00:01):
And so we'd like to build those tools and if they want to accept our patches upstream, that's great. Otherwise people can try to use our, our thread. And so that's one of the things that we're gonna be working on is cause I, I do think there's a lot of great future in federated networks, but we're going to have to rethink all the trust and safety stuff is based upon the idea of large, well-resourced corporations owning the platform and having a legal team that tells 'em what their legal responsibilities are. The timing here, one things I, the thing I tweeted when Musk closed the deal was that his timing is crazy. And that he bought Twitter at the hardest geopolitical moment for social media companies of everybody wants to regulate social media. It's midterms.

(01:00:41):
Right? It was midterms, but also the day he bought it, the, the final text of the Digital Services Act in the EU was published. Yep. India has been publishing regulations. There's a, a online safety act that's extremely draconian in the UK. Mm-Hmm. We just passed a a, a not so great child safety law in California. So it's just a crazy time for him to buy himself into this area. And that's true for all Mastodon runners. And so if, if you're gonna be part of the Fediverse, you're, we're going to need to build better tools so you can live up to the responsibilities because the, the bar has been set here by billions of dollars of spend from large corporations. And you can't get there, but you get somewhere because right now we're down here,

Ant Pruitt (01:01:20):
Twitter is not that great. You go to report something on that and it's, it's work just to report case on that.

Leo Laporte (01:01:27):
Yeah. So I just added a rule to my instance saying there's no privacy. Don't expect privacy. Even if you post a dm, it consider yourself posting publicly. Thank you very much.

Jeff Jarvis (01:01:36):
So

Leo Laporte (01:01:37):
Hold on, I'm gonna take a break. I wanna talk about you raised some interesting questions. I know Jeff will wanna talk about the EARN IT Act and Section 230. I want talk about the assault on E2E, end-to-end encryption. Yeah. Because there are very few governments in the world that like end-to-end encryption, including our own very few <laugh>. In fact,

Jeff Jarvis (01:01:57):
The UK bill as of today, the UK bill that, that Alex just talked, that's about, that's is basically forbidding encryption. That's right. Forbid encryption in the uk.

Leo Laporte (01:02:07):
Right. So that's a very hot topic right now. We'll talk about that in a lot more with a very special guest. This is an unusual addition of This Week in Google. We might not even get a change line. I just, every week, every week's unusual. You talking about should, we should bring up Google. Cause I feel like, oh yeah, we'll bring up Google. We'll figure out a way to just stick. We always try to little stick a little Google this weekend. You already mentioned Chromebooks. Oh, that's nice. We're done Chromebook. There's not much spam in it. There's just a little bit. And I wanna reassure people who are saying, but Stacy Stacy had a variety of personal commitments, events she had to go to in Sing. We knew this ahead of time. Yeah. This has given us a great opportunity to have some wonderful special guests.

(01:02:48):
She will be back next week. Yep. She's not leaving the show, so don't worry. I'm just off next week. I'm kidding. Oh, geez. I'm kidding. Come on on. I'm kidding. I'm always here. Aren't you leaving sometime soon in my head. Oh, okay. Hey, hey. Our show today brought to you by Rocket Money. This, this single app has saved me. I'm, I almost wanna say thousands of dollars. This certainly saved me hundreds of dollars. Rocket Money. I first started using it when it's called True Bill. They've renamed it, rockets acquired it, they've renamed it, and they've made it, I think a hundred times better. Let me ask you a question. I think you know the answer to right off the top of your head. Are you wasting money on subscriptions? God, we all have hundreds of subs subscriptions these days, right? Who could keep track of them?

(01:03:38):
Rocket Money surveyed people and they found 80% of people have subscriptions they've forgotten about. But that's not the worst news. They averaged. They thought around $80 a month on subscriptions. Oh yeah, yeah, yeah. About $80 a month. When, when they actually did the digging, they found out it was a lot closer to $200 and more a month. Many of those subscriptions not used long. Forgotten. You have a I So in my case, it was a political contribution I made in the last cycle. And, you know you go to these sites for political contributions. There's always a checkbox that says, make this a recurring contribution. And it's always pre-checked just in case for your convenience. Well, I didn't notice that. So I was giving a political campaign after the election. I don't even wanna say how much money every month. I love how you notice it.

(01:04:27):
Right? During the re for months. Yes, you saw me do it. I went, what the hell? Thank you. Thank you. Rocket Money, you save, you save me. I turned it off immediately. But that the beauty of this is I didn't even have to turn it off. In Rocket Money, you'll see all your recurring subscriptions, you'll see which are duplicated. Sometimes you even have two of the same thing, which is crazy. I did have one for Day One, which is a journal. I had two subscriptions like, so anyway, it finds those and then you cancel it in the app. You just say, well yeah, please cancel that. And it does it for you. It is incredible. All you have to do is press the cancel button. Rocket Money takes care of the rest. If it doesn't save you money right out of the box, you're just better, more disciplined than I am, I guess. Rocket Money, they used to call it True Bill. Maybe you have True Bill. If you had True Bill on your phone, look cuz it's now Rocket Money has a lot of new and wonderful features. It's great for budgeting to see what your net worth is. See where your money's going. It's all sorts of great stuff. But the single most useful thing, <laugh> that pays for itself, get rid of useless subscriptions with Rocket Money. Now go to rocketmoney.com/TWiG. Was that on this show when I found that it was.

Ant Pruitt (01:05:36):
That's hysterical. Yeah. I I, I remember you doing our, our doing the Read the Rocket and you pulled out your phone and he was like, I did what, what

Leo Laporte (01:05:44):
<Laugh> what? Since 2020. Seriously, it could save you hundreds of dollars per year. Save me thousands. rocketmoney.com/TWiG. Cancel your unnecessary subscriptions right now. rocketmoney.com/TWiG. We thank 'em so much for supporting This Week in Google. You support us of course by going to that address so that they know you saw it here. rocketmoney.com/TWiG. We are, this is more and more that's it for the ad. You can take down to author, but I, I do want to comment on this because this is more and more of advertisers are saying to us, oh yeah, we wanna track all your listeners. They call it a tracking pixel. Yeah. Just put a tracking pixel on there. Yeah. So we can't put a tracking pixel. It's a podcast. Oh no. We have ways we say no. You'll be glad to know we say no. But it's getting harder and harder as a result for us to find advertisers who are happy just selling a lot of product.

(01:06:40):
Mm-Hmm. <affirmative>. Because with this is the thing that irks us so much. Without exception, the ads do really well for them. But they say things like, well, we don't know if they came from your show. We don't know if that coupon called, maybe they saw it in another site. So <laugh> a, when you hear an ad, use that offer code, you know, because that way they'll, at least they can't deny it, I guess. But number two, support us through Club TWiT because that is a really great way, Woohoo. For you to spend a little bit of money. Seven bucks a month, less than a blue check I might add. That's right. And everybody on Club TWiT in the Discord has added Blue Checks. Not of their names, by the way. Which is

Ant Pruitt (01:07:18):
Hysterical. It's so funny.

Leo Laporte (01:07:19):
Less than a blue check. But what do you get? You get every single show we do ad free. And that means tracker free. Absolutely. Tracker free. Right. So total privacy cuz RSS, we don't know anything about you. You also get shows that we don't put out on the regular feeds, like Hands on Windows with Paul Thurrott, Hands on Macintosh with Mikah Sargent, the Untitled Linux Show. Which is a fabulous program for Linux lovers. I actually would like that show to get bigger. But you know what, here's the problem. A show like that, it's hard to sell advertising on the Untitled Linux Show. Mm-Hmm. <affirmative>, maybe if we had a title, I don't know. But Jonathan just does a good job of that show. So the, so who supports it? The members. And that's why it's so important. We want you to join Club TWiT. You also get access to the Discord. Your very own blue check if if that, if that rocks your boat, you can do that. See everybody's got a blue check on there. Some of 'em have just little, oh no, I have a TWiT logo, but everybody else has blue checks.

Ant Pruitt (01:08:12):
We got

Leo Laporte (01:08:12):
TWiT bugs, we got, we got all sorts of, we got special got some special emojis and things. And you get the TWiT+ feed, which has all those shows that we don't put out in public. Plus a lot more stuff. For instance, we had great conversation. The best stuff before the show. Almost always. Alex, we're talking about Alex Great stuff. Didn't make it in the show. But we have it on the TWiT+ feed, so that's Sure. So what <laugh> No comment. <Laugh>. So No, he didn't say anything bad. And I don't think, anyway, you can, you can we can pull it down if you want. <Laugh>. Did I tell you that on the Fediverse you have no privacy. Did I mention that? <Laugh> twit.tv/clubtwit, twit.tv/clubtwit. Get your blue check for only seven bucks a month. We thank all our members. We have great members and it's always a great conversation.

Jeff Jarvis (01:09:01):
When I joined, I officially joined.

Leo Laporte (01:09:03):
You didn't have to. And I joined. And thank you for doing that Jeff. And for coders we have in our coding section, we're all excited. We have our Club TWiT Advent of Code leaderboard. It starts at 9:00 PM Pacific Midnight. Oh boy. Tonight I will be a little groggy for the next 30 days. <Laugh> <laugh>. Oh, this is, it's always a channel. It's in the coding channel. If you wanna do Advent of Code, join our private leaderboard. John Arnold, set it up and see, compare your coding skills. There it is. I see it. Oh, it's so much fun. We, we love Advent of Code is is my, is my early Christmas present. I love it. Every year. <Laugh> oh boy. Already I'm seeing

Jeff Jarvis (01:09:43):
Can can I ask a follow up question here to the, to the ma? Do? Yes. I'll make it two questions cause I'll cheat. I had a conversation with somebody who's starting a competitor to Mastodon. I'll just leave it at that. Who said, oh, it, the codes has me completely rewritten, blah, blah, blah. And I don't know enough about this to know what the underlying code base and how good it is. That was question one. And question two is, you have next to you a host of an instance. What advice do you have for Leo <laugh> as a host? That's

Alex Stamos (01:10:14):
A great question. So on the second one, I, you know, like I said, I, I'd like us to be working on official recommendations for Mastodon hosts. I, I mean, right now I you have, as there's an open question of whether you're an electronic service provider as defined by, by federal law.

Leo Laporte (01:10:31):
I'm screwed. Anyway, we have an IRC, we have a forum, we have Mastodon, we have a private Discord, right? I got it. Coming and going. So

Alex Stamos (01:10:39):
What I'd love to see is, I think it would be great to get kind of legal and trust and safety services from a group of service providers that then you could pool and you could pay for insurance. I could totally see that you pay, well,

Leo Laporte (01:10:51):
We buy, we have an umbrella insurance policy, right? But you

Alex Stamos (01:10:53):
Pay like a thousand bucks a month for access to lawyers and a pool where the top, the the top 10, the top 20 instances I'll pay for. We,

Leo Laporte (01:11:02):
We don't, now I, at least for GDPR, you have to have a certain amount of income. You have to be a 50 million.

Alex Stamos (01:11:08):
I don't think with GDPR. No, no. You're talking about DSA. So DSA has this idea of a very large platform, but for GDPR, some of the stuff kicks in at any level you were processing data, right? So yes, it, and

Leo Laporte (01:11:19):
This is a shame because yeah, we're creating communities. They're nice communities, right? I understand. I wanna protect people's privacy. I wanna protect their security. I want them to have the right to be forgotten if that's what they want. Yeah. But at the same time, I wanna, without massive li incurring massive liabilities and massive costs, which means only big guys can do it. Yes. I wanna create communities.

Alex Stamos (01:11:40):
Yeah. I mean that is, this is, I've talked about this for a while. The, one of the hard tradeoffs at any regulation of this space is it is very hard to come up. You can come with regulations that say it only works for the big guys.

Leo Laporte (01:11:52):
Yeah. They're appropriate for Facebook, they're appropriate for Google. See, we said, but

Alex Stamos (01:11:55):
Like doing that is hard and it's in under some legal regimes. It's a difficult thing to do under their rules. Right. And it also doesn't make sense in a lot of cases. It creates gamesmanship where people are going to like structure their companies and such. Of course in ways. But yeah, I mean this is the problem of GDPR and some other regulations is they, they, you can't, what I would love to see is that when these regulations are passed, that they think about the 10 person volunteer project. That you don't want the 11th person to have to be a private, a European privacy lawyer. Right. That there is a four page checklist that you can go through to be compatible, but those checklists don't exist. Right. And and this is, can

Leo Laporte (01:12:32):
We just say, can I just assume, well, I'm a little guy. They're not gonna go after me.

Alex Stamos (01:12:36):
Sure. I mean, that's true for the situations in which you don't have civil liability for individual users. So for most of GDPR, you're probably okay because the UK

Leo Laporte (01:12:46):
Screwed

Alex Stamos (01:12:46):
The complaints. Okay, you're gonna be screwed. Right? UK you're gonna be screwed under the new system. Yes. But under current GDPR, it has to go to the Data Protection Commission to be adjudicated. And so individuals don't bring the cases, the cases go through government agencies. I'm not totally sure under Digital Service Act anyway, I'm not a lawyer. This is something that we wanna work with the law

Leo Laporte (01:13:05):
School. Absolutely. I'm not considering this legal advice by any means. Although Denise Howell, who is a lawyer and IP lawyer and is a member of our community and has been on our shows many times, gave me all sorts of advice.

Alex Stamos (01:13:15):
Are you a, do you have a registered DMCA agent with

Leo Laporte (01:13:18):
The blood advice? I do. I am the Registered DMC

Alex Stamos (01:13:20):
Agent. Like crazy stuff like that that you never think of. Yeah.

Leo Laporte (01:13:22):
Yeah. That's important. That's so if somebody has a DMCA takedown, they know who to go to. They go to the USPTO, they do a search, they say, oh, it's Leo, here's his email. They say, that was the kind of great advice you gave

Alex Stamos (01:13:31):
Alex on. I saw everywhere. Just saying, do that. Yeah. Well, and, and then yourself a favor, a couple of big deals are gonna be, if you're gonna be in this space is one, eventually you will end up getting a request from law enforcement. And at that point you have to have lawyers that specialize. Fortunately, there are law firms that specialize in this. The one I usually recommend to startups is called ZwillGen. A guy named Marc Zwillinger has been in a lot of litigation on behalf of big companies. And his firm will also do small,

Leo Laporte (01:13:55):
And you can leave me your card <laugh>,

Alex Stamos (01:13:58):
And then the, the others. If you run into any child exploitation material, then a bunch of legal requirements attached

Leo Laporte (01:14:05):
To you have to report. You can't just take it down. You

Alex Stamos (01:14:07):
Have to report. Right. So actually Stanford Internet Observatory, if you look now in the NCMEC database of reports last year, we're now on the list. Really. We're official reporters, NCMEC, cuz one things

Leo Laporte (01:14:15):
We started doing, you see everything?

Alex Stamos (01:14:16):
Yeah. Because we're, we're grabbing effectively most of Gab and Parler.

Leo Laporte (01:14:20):
Oh, it's, that must be fun.

Alex Stamos (01:14:23):
I will eventually be fired from Stanford, but I want it to be for some kind of really cool academic freedom issue. <Laugh>. I don't want it to be because a 19 year old looked at CSAM. Right. Accidentally. Right. And so we scan all of our incoming now and we just catch stuff. That alerts only the adults, students are not told that gets encrypted. We're extremely careful in how we handle it. But anybody who does this kind of stuff, unfortunately child sexual abuse material is the water that finds all cracks on the internet. So whenever you have any kind of unmoderated space, it does become a problem.

Leo Laporte (01:14:53):
Good grief. Well, I moderate heavily, but you that you make that really important point. You have a duty to report. You

Alex Stamos (01:14:59):
Have a duty to report, which is one of the things I wanna work with, with my students is one recommendations for folks, but then also the code that you can just hit a button and do the report automatically. Yeah. Which the cool thing is there are services. Microsoft runs a PhotoDNA service that will automatically do reporting for you. You can actually fill out the information and check the box, and then it goes through Microsoft's team. But there's no way right now to integrate that with Mastodon, which is one of the things I wanna work on. Not yet. Not yet. And

Leo Laporte (01:15:23):
If 230 goes away, Leo, you are really Ft

Alex Stamos (01:15:26):
Maybe, I mean, imagine what the Supreme Court does with the First Amendment. Right? Like a lot. Right. But yes, he's probably after that you don't have, you don't win with the initial, you, you can't win with at the beginning of the process. The

Leo Laporte (01:15:38):
Nice thing about 230 is many, many cases are just immediately dismissed. Yeah. Because of 230, it protects you. You, there's no standing. Bye-bye. The judge says, yeah, you can't sue this guy. Right. Protected. As soon as that goes away, great. I have the right to defend myself in court.

Alex Stamos (01:15:53):
Right. And, and if 230 goes away, I mean the internet will be for the Googles and the Metas and, and the Apples.

Leo Laporte (01:15:58):
That's really sad, isn't it? Yes,

Alex Stamos (01:16:00):
It will be. Yes. It is very sad. And it is effectively, I I mean I think it's where we're going in Europe right. Is we're moving towards a direction where it

Leo Laporte (01:16:07):
Seems that's not what they want though.

Alex Stamos (01:16:09):
Well this is the problem with European politicians is they think they can have everything. Yeah. But they can't. Right? Yeah. They have

Leo Laporte (01:16:14):
To. So does us.

Alex Stamos (01:16:15):
Well, well in the US we do nothing. Right. So Congress just doesn't legislate anymore. The most important kind of 230 cases right now are all in the Supreme Court because the US hasn't, well, all these senators talk, talk, talk. Mm-Hmm. <affirmative> Congress hasn't seriously moved any bill even out of committee. Right. Whereas in Europe, they really do move legislation. Mm-Hmm. But what's important in the US right now is there's two big cases in SCOTUS next year. They'll come down next

Leo Laporte (01:16:37):
Year. These are First Amendment cases.

Alex Stamos (01:16:39):
First Amendment, and 230 cases of what limitations. And so one of them effectively blames Twitter for terrorist attacks. And Google. So there's one against Twitter, one's against Google, I think. I'm sorry, it might be Google that's responsible. But basically saying you are responsible if a terrorist uses your platform to, to organize a terrorist attack that you're responsible. So it's like a direct attack against 230

Leo Laporte (01:16:59):
Effectively. So the big guys can afford, they have buildings entirely populated by attorneys. They can afford to defend themselves. The little guys just shut down. It has a chilling effect. So

Jeff Jarvis (01:17:09):
There's no competition

Alex Stamos (01:17:10):
Then, which is why Mark Zuckerberg wants regulation. It's

Leo Laporte (01:17:13):
Which

Alex Stamos (01:17:13):
Is why you saw him make that swap. Yeah. In that of

Leo Laporte (01:17:17):
I all these ads, and we're seeing all these ads from Facebook, we want regulation. We care about the quality of your

Alex Stamos (01:17:22):
Every New York Times podcast. Have you listened? I don't know if I'm getting targeted, if I'm in some segment, but every time I listen to the Daily, I get a Facebook Facebook ad for we are asking for

Leo Laporte (01:17:33):
Regulation. They're everywhere. They're in NFL football games. They're, I mean, they're everywhere. And it makes sense. It's, and and you introduce me to that term, Jeff Jarvis regulatory capture using legislation to protect your interests and to prevent, to pull the ladder up after you to prevent the,

Alex Stamos (01:17:51):
It's because it's what they, they fought GDPR in Europe and then your GDPR turned out to be fantastic for the big American tech. They learned the lesson. And so the lesson has been, instead of resisting, we should celebrate it. But what we should fight is any kind of de minimis standard and make sure that everything applies to every single competitor. Yeah.

Ant Pruitt (01:18:08):
No, Mr. Jarvis mentioned a Mastodon competitor. Someone you know is, think they're not working on. Well,

Jeff Jarvis (01:18:15):
Yeah,

Leo Laporte (01:18:16):
There's no,

Ant Pruitt (01:18:17):
My question is more,

Leo Laporte (01:18:18):
The thing that really understand is the Mastodon is just a client to the Fediverse. That's

Ant Pruitt (01:18:22):
What I was gonna ask. How is it even a competitive service if everybody is just connecting to at It's

Leo Laporte (01:18:28):
Just another one. Pixelfed is another one. PeerTube is another one. You know,

Jeff Jarvis (01:18:32):
I was talking about and I was talking about a, a a

Leo Laporte (01:18:36):
We talking post,

Jeff Jarvis (01:18:38):
Post talking about Post.

Ant Pruitt (01:18:39):
Oh, okay.

Leo Laporte (01:18:40):
Yeah. I think you know, the very fact that Post in, its in its very first page, it had some of its user agreement says that billionaires are a protected class.

Alex Stamos (01:18:49):
Yeah.

Leo Laporte (01:18:50):
Really tells you a little something about where that headed

Jeff Jarvis (01:18:52):
And, and full disclosure is that I left the advisory board for Post and received nothing from them. And I'm not associated with them in,

Leo Laporte (01:19:00):
I don't understand, I know I put that in

Alex Stamos (01:19:02):
Interesting post made was at the day, during the week of the most movement, they still had a limited signup. Right? Yeah. Like if you really believe in it, then you just have to go all the way and push your engineers to scale and take the million signups. Because

Leo Laporte (01:19:15):
Am I a nut for saying I believe in open source, non proprietary decentralized systems?

Ant Pruitt (01:19:20):
You're not a nut, you're just

Alex Stamos (01:19:21):
Weird. No, I, I think, I mean, I think there's definitely a feature there for sure.

Leo Laporte (01:19:25):
Are they inherently more dangerous?

Alex Stamos (01:19:27):
I would say they're inherently more dangerous, but it's more complicated and there's no, there's nobody to turn to to make it safer.

Leo Laporte (01:19:33):
Yeah. Cuz it's decentralized.

Alex Stamos (01:19:34):
It's decentralized,

Leo Laporte (01:19:35):
Yeah. Which is why I

Alex Stamos (01:19:36):
Like it. Which is I think what we'll see is just like with email, one of the reasons you're in Gmail is they catch may more phishing, spam ski, you know, people forget why Gmail dominated. But one of the reasons was Google was very good at spam detection, right. Compared to Yahoo and Aim and Hotmail and others. And, and that was like a real selling point, was the safety aspect of you're not just flooded with spam and scams all day. Right. So I do think that, I think there is a future for the Fediverse, but I think part of it will be what protection you get from your instance host.

Jeff Jarvis (01:20:07):
I had a really interesting discussion on the Fediverse this last, I, I, I got into two long threads. One after Jelani Cobb, who's the dean of the journalism school uptown for me at the rich people go to called Columbia did a New Yorker piece saying I left Twitter. And I said, I, I don't know, maybe I, I side more with Sarah Kendzior's view that we can't cede territory in an information war. And then I got people going after me like crazy because you, you're, you're supporting the Nazi. And I said, I'm just trying to pull friends over from the old place to the new place. The other one I got into was when I said, you know, I, I missed the, the algorithm a little bit. I, I feel like I'm missing things as they go and I would like to have something in my control. And I got the same kind of scolding. It's a very scoldy place. This, it

Leo Laporte (01:20:54):
Is, if you come in, if you march in with your Twitter on and your little Twitter kee and say, you know, sing are better, everybody come back.

Jeff Jarvis (01:21:06):
But what came out in the end was, was a lot of really interesting good ideas from developers about one guy was already mocking something up where he could just look at his own feed and see who he missed in the last 12 hours. And it becomes a roll your own, choose your own control, your own service for you. That's what I'm really looking forward to in the Fediverse is those kinds of add-on services. Whether it's to recommend or to authenticate or to block stuff or whatever it is. I think there's a lot of opportunity to build on top of this. That's what excites me most.

Alex Stamos (01:21:41):
Well, I think full-text search is just gonna have to, I this is one of those, like, the ideas of the original developers of some of these products are not gonna have, they can't be gods forever. Right. So without full-text search, you're not gonna end up with people really wanting to use it.

Jeff Jarvis (01:21:56):
Well do you think that that that full-text search that Eugene's contentions and softening on the QT one, but that quote tweet and full-text search were vectors of bad behavior. You who study bad behavior? What do you think about that? I

Alex Stamos (01:22:12):
Think quote tweet tweets for sure. I think full text searches, unless people use hashtags very aggressively, it's a basic part of discovery. Yeah.

Leo Laporte (01:22:22):
The contention is that because I can search for anything, I can use it to harass.

Alex Stamos (01:22:26):
Right. But this is the problem is the Fediverse is totally open. You don't even need to have like a registered instance to just pull down Right. The entire content of mastodon.social. Right. So people will in create full-text search engines. Right. The question is, is will it be under control and at all privacy protective or completely

Leo Laporte (01:22:41):
Non-Profit? I split the difference on TWiT.social by turning on Elasticsearch. Yes. So we do have the ability to do some pretty good searching within our own instance. Not full-text search, but

Jeff Jarvis (01:22:52):
Hashtag I'd like to start it with just my own posts. That would be a wonderful thing

Leo Laporte (01:22:56):
About you could search if you, well see, you're, you're unfortunately you're on some other,

Jeff Jarvis (01:23:00):
I know I'm, I'm probably gonna switch, but I you don't have

Leo Laporte (01:23:02):
To, I don't want you to switch, but Oh, you don't have to switch. Oh. Well that's the beauty of the Feds. Well, you stay in that silly little phole that you call home, but <laugh> no serious each other. Love each other. Tell, tell. Are you on J Host or are you on Ma Social? No, I'm on Bachelor Social. Cause I wanted to see what it was like. Gar run. Have elastic search turned on there. You must have it on there. Maybe it's too big. It's such a big instance. Maybe too big. It's so big.

Alex Stamos (01:23:29):
Well, you can run it. I mean this is, you asked the question before about scaling. One of the problems with Mastodon is it's not built,

Leo Laporte (01:23:33):
It's not designed to scale. It's,

Alex Stamos (01:23:35):
It's not designed to be able to scale out tiers. Right. And so really I think what we're gonna see is a bunch of work to take these components of like Sidekiq, Elasticsearch and a lot more work around the dockerization, the yarn configs, the Kubernetes configs. So you can have individually scaling Teals tier like a big company would mm-hmm. <Affirmative> mm-hmm. <Affirmative>. But like, it's clearly something that they were used to running as one.

Leo Laporte (01:23:57):
We never thought all these people would show up for one thing. Well,

Alex Stamos (01:24:01):
And also I think traditionally probably you don't have a lot of developers working on this Right. Who have worked at real scale companies. And so

Leo Laporte (01:24:07):
There's a, in the first five years didn't know how to do this. Yes. It was a Ruby on Rails project.

Alex Stamos (01:24:14):
Like, like Mastodon. I mean there's also this question of whether Mastodon's gonna be able to scale while it's still on Ruby. I think it will be fine, but they're just gonna have to create a bunch of auto scaling stuff. So you could go put it up on AWS, there's

Leo Laporte (01:24:24):
A huge amount of technology that goes into something like Twitter or Facebook. It's a, it's actually mind boggling to think of what the scaling takes.

Alex Stamos (01:24:31):
It is. Well you, you guys were talking about the leap second last week. Right? Oh gosh. You know why that's so important to Facebook? Why care, Facebook care is so much and Google. Yeah. So it's the basis of humongous distributed file systems is perfectly perfect resolution GPS time. So in the roof of every Facebook data center, there's a very sensitive GPS antenna that goes into custom hardware that Facebook gets OEMed from. And I believe you can actually download the patent, at least the patent, but the designs in the paper of they

Leo Laporte (01:24:59):
Run an an NT an NTP server. Right.

Alex Stamos (01:25:01):
And they, well, Facebook runs like a post NTP Yeah. Something that's more accurate than NTP. Yeah. <laugh> internally. Yeah. Geez. To do these transactions, when you do transactions in the distributed database or distributed file system, you use timestamps to figure out what the eventual consistency is of that. And so you have to have all of your data centers within nanoseconds of each other and doing that's incredibly hard. It's especially hard if all of a sudden you lose a second or gain a second.

Leo Laporte (01:25:28):
Right. Well they won,

Alex Stamos (01:25:29):
But not until, but that's like the kinda thing. But the nice thing is, is the difference is is like Facebook and Google and these guys grew up before the cloud era. Yeah. And so I, I don't think it would take a lot to build

Leo Laporte (01:25:39):
Scaling Capabil. We know now a little bit better how to do this and

Alex Stamos (01:25:42):
You can get it from AWS. Like the basic infrastructure style. Yeah, yeah, yeah. Like the basic storage of the database, the database tier, the auto scaling, the load balancing, the global load balancing, the running of a global edge, all of that stuff is taken care of. It just, Mastodon has not been built for that. Like one of, one of the first I'm working on this code change and it like, I'm so bad at Ruby, but Mastodon doesn't pick up IP addresses from a proxy. So I run my instance in GCP behind the Google Global Edge. And so all of the IP addresses in my logs are wrong because it doesn't realize I'm behind a global edge that's rewriting the IPs. And so basic things like that are, you know, have to get done. And then eventually a bunch of auto scaling work of, all of a sudden a million people just signed up. Well it's not a big deal because my system detected that it called into AWS. It asked for 10 more web tier machines to be spun up and it increased the database memory automatically.

Leo Laporte (01:26:32):
One of the things that we are kind of at the mercy of a very thin layer of technologists who understand this stuff. And it's, that's a, that's a small number. In fact, I was talking earlier about this, I think I'll be talking more about it. There has been an imperative for every company in the world to digitize to become on, to go online. And there aren't enough good technologists to do that. Yeah. So very many websites are crap. Yeah. Not just insecure but unusable. A huge number of apps are crap. I, this came up for me cuz our son at least his son is 19, he's joining the union. He works for a big grocery store. Mm-Hmm. <affirmative>, the grocery store site is crap. So can't get his employee id. The union site is crap. Mm-Hmm. <affirmative> cuz he can't log in. Apparently it doesn't like Chrome. He can maybe use Safari. I don't know it. Right. Anyway, it ends up with a phone call to a tech support person who doesn't really know what's going on. The stack was probably written by somebody who's long gone. No one knows how it works. And this is Universal. Yeah.

Ant Pruitt (01:27:37):
But see that,

Leo Laporte (01:27:38):
And it's very expensive. These engineers are very expensive. We run on Drupal. We've just been, you know, we've now realized that we're going, what is it? Drupal nine. Our, the version of Drupal we're on is being deprecated next year. So it'll be insecure and it costs you a fortune to do that. We had two sites. We had to, we basically shut down the tech guy site cuz it was a quarter of a million dollars. I think we've negotiated the canopi down to $180,000 to update the TWiT site. It's very expensive for companies to do this. The people who know how to do this are getting, are, are a thin crust of technologists.

Ant Pruitt (01:28:16):
That's that's what I was saying earlier. It's, it's like people are being educated to jump into app development and, and

Leo Laporte (01:28:23):
We're users, we're users

Ant Pruitt (01:28:25):
And stuff,

Leo Laporte (01:28:26):
But nobody knows how

Ant Pruitt (01:28:26):
To people that are going be able to be plumbers as well as be someone that can go in and and do a cable drop if we need to. You know, some folks don't even understand the, the idea of just dropping the ether.

Leo Laporte (01:28:37):
I just worry about, and I think we're starting to see this, in fact, some people, they've been stories about how big tech is enjoying what's happening in Twitter because it's disenfranchising the technology class, the engineer class. But who have been, I heard that so powerful. Mm-Hmm. <affirmative>, I don't think it is. I think they are powerful and I worry that they were gonna come. This is the new elite.

Alex Stamos (01:28:56):
Yeah. I I mean to there is, I know best we have this big problem in security of every Fortune 500 company is now a legitimate target of foreign intelligence.

Leo Laporte (01:29:05):
And they're not enough CISOs to

Alex Stamos (01:29:07):
Go around. Right. And the number of people, not just CISOs, but directors

Leo Laporte (01:29:10):
And managers, everybody.

Alex Stamos (01:29:12):
Individual threat intel people and incident response folks. Yeah. And security, you know, product security folks who have worked at that level, who have played against the Ministry of State Security, who have tested themselves against the GRU and the SVR and have come out on top the number of people who are in that category in like the thousands.

Leo Laporte (01:29:30):
Right. And they command massive salaries.

Alex Stamos (01:29:32):
Right. And, and so that's because they can, cause they can

Leo Laporte (01:29:34):
And

Jeff Jarvis (01:29:35):
Perhaps

Alex Stamos (01:29:35):
Should. And we've, we've done a really poor job of creating economies of scale where you don't have to have a large team that can operate at that level. But like, my guess at the Fortune 500 is 150, 200 of those companies, or at least playing the game. Right. That if they go up against an adversary of that level, they at least have a possibility of detecting it. Most of them. And then the vast majority of the Russell 2000. Yeah. Not at all. All

Leo Laporte (01:29:59):
You have to do is look at is that

Jeff Jarvis (01:30:00):
Sony Switch.

Alex Stamos (01:30:02):
Right. Sony, Sony was in that lower category before they invested a huge amount of money after

Leo Laporte (01:30:06):
Their breach. Yeah. They were so cheap for so long that they got bit

Alex Stamos (01:30:09):
Right. And also I think Japanese companies are particularly have a history here of having, of security. Security's a tough thing like in kind of Japanese corporate culture of being negative of, you know, it's, I've actually, I've worked with some Japanese companies and it's, it's act it's a, it's an interesting issue.

Leo Laporte (01:30:24):
But all you have to do is look at the number of ransomware attacks, the number of breaches to know this is, we got a problem. Mm-Hmm. <affirmative>, we, we got a problem. All right. Let's talk about, it's fascinating

Jeff Jarvis (01:30:32):
With the psychology you deal with Alex. I mean, I just, I think it's almost like if you were gonna go back and get another degree, it'll almost be psychology.

Alex Stamos (01:30:38):
Yeah. I'm good Jeff. Thanks. Appreciate that.

Leo Laporte (01:30:40):
<Laugh>, <laugh>. No, it's true though. I mean, you have to be a psychologist. You have to understand the adversary as much as anything else. Yeah. What makes them tick. Fascinating. And, and honestly, we've set this up in such a way that it isn't hard to have good opsec. It's easier to be an attacker than a defender, I think. Yeah.

Alex Stamos (01:30:56):
Well, it, and for normal people, it's completely unfair that we digitize all their lives. We push all this tech into their lives and we teach them nothing. Right. And by default, they're not secure. They have to take individual steps. You know, I've had the thing that's also really blown this up has been the explosion of cryptocurrencies because it's turned a bunch of hacking against individuals and actually super profitable. It used to be if you hacked like a normal dude Yeah.

Leo Laporte (01:31:20):
What do you, the amount of money

Alex Stamos (01:31:21):
You could steal if you get access to their bank account, you get a couple thousand bucks before Bank of America clamps down. Right. But I have a father of a personal friend who lost effectively entire retirement savings over a million dollars

Leo Laporte (01:31:35):
In the crypto wallet. Custodial, or

Alex Stamos (01:31:38):
No, no, no. Yeah. Through a scam where he thought it was safe because it's, it's almost impossible to tell the legit from the non-legit, especially if you're a boomer,

Leo Laporte (01:31:44):
Here's the, here's the address to use right here.

Alex Stamos (01:31:47):
Exactly. Yeah. Yeah. So it, it, it's it's not a good place for it. It is really unfair what we, the tech industry do for, for individuals

Leo Laporte (01:31:54):
Right now. It sounds like you think though, that the solution is a sort of a centralized service economy for security.

Alex Stamos (01:32:02):
I, I think we need more economies of scale where companies can share security services. Yeah. And so, especially at the small to medium managed service providers have been a big deal for the, the, the small to medium enterprises. And I think that's one of the good things that's happened over

Leo Laporte (01:32:15):
The years. We thank God for our managed service provider. Yeah. I mean, honest to God, we have somebody so good that we don't feel unsafe. Yeah. But we're just lucky. And

Alex Stamos (01:32:23):
The move to the cloud, right? Like Yeah. You, it you have to be completely insane to run your own Exchange server in the, the Lord 2022. Like,

Leo Laporte (01:32:30):
And a masochist. And a masochist. Right.

Alex Stamos (01:32:32):
But people still do it. But like, that's the kind of thing, like one of the benefits is you can go to Google or you can go to Microsoft and you can pick a provider and you can, you can amortize their huge security team across a million.

Leo Laporte (01:32:43):
Is Google doing a good job

Alex Stamos (01:32:45):
Security wise?

Leo Laporte (01:32:45):
Yeah. I mean, not only, yes. That's question one. And question two is for their users.

Alex Stamos (01:32:50):
So for their actual internal security, I think Google's the best. I think they probably the most secure enterprise

Leo Laporte (01:32:55):
From the outside. That's how it works from the

Alex Stamos (01:32:56):
Outside. Yeah. They have had, you know, 2009 was a huge turning point. The Aurora attacks, which it's nice to talk to guys of a certain age, cuz I could talk about 2009, I

Leo Laporte (01:33:06):
Can't talk about to my

Alex Stamos (01:33:08):
Students is

Leo Laporte (01:33:09):
Like 2009 I was in

Alex Stamos (01:33:11):
Kindergarten. Right. It's like when my teachers talk about Vietnam. Right. Like it's, that's what 2009 is to them.

Leo Laporte (01:33:16):
Yeah. God, that's amazing. Yeah.

Alex Stamos (01:33:19):
<Laugh>. And so yeah. 2009, the Aurora attacks against a bunch of Silicon Valley companies, most famously Google, People's Liberation Army. Google invested massively in security after that, like they spent, and it all came out of the co CEOs, you know, especially Sergey, that his experience growing up in the Soviet Union mm-hmm. <Affirmative> distaste for totalitarian countries. They spent a huge amount of money and they built out a lot of what we consider kind of standard, like the whole zero trust model comes from this BeyondCorp idea that Google was the first one to

Leo Laporte (01:33:54):
The popular. It also eventually prompted them leaving China. Yes.

Alex Stamos (01:33:59):
They left China to, to, to their credit, they're still not back. Right. Like they've, they've put their toe in and their, their, their employees revolted. And you know, compared to, I keep on saying this, but people need to be reminded Apple has done more for the Chinese Communist Party

Leo Laporte (01:34:16):
Absolutely. Than

Alex Stamos (01:34:17):
Any tech company has done for any authoritarian state.

Leo Laporte (01:34:19):
Absolutely. And of late they just did something to tamp down protests Yes. By blocking AirDrop to everyone. Yes. And they're getting a pass on it. But this is the, this is the deal with the devil. If you wanna be in this country operating this country, you are going to be asked to do things like this. And that's what Google didn't wanna do. Do Yahoo. Yahoo got proper crap for it, for Yahoo. Helped dissidents get jailed.

Alex Stamos (01:34:48):
Yes. That was, so I was the first Yahoo executive to testify in Congress since that famous Jerry Yang situation where Tom Lantos, a Holocaust survivor, called him a moral pygmy while he sits in front of the parents of the Chinese dissident who had been arrested. Like, wow. That is not considered a win from like a, a DC law firm

Leo Laporte (01:35:10):
Perspective. Not Tom Lantos, by the way. Great, great John.

Alex Stamos (01:35:13):
And let's pour one out for John and for Jackie Speier.

Leo Laporte (01:35:17):
Jackie Speier also,

Alex Stamos (01:35:18):
Who's been shot more times than 50 Cent and went to Congress.

Leo Laporte (01:35:22):
Jackie was just

Alex Stamos (01:35:23):
Retired,

Leo Laporte (01:35:23):
Unfortunately was shot in the, I was at the examiner when that, when that happened. Oh, yeah. Yeah.

Alex Stamos (01:35:28):
She has pictures of it in her office when you go there. Horrific. Yeah. A great rep. I don't know this new guy who's representing us, but Jackie was my congresswoman.

Leo Laporte (01:35:35):
Yep. So Google, and then the second part of that is, do they, it seems to be that they're doing as best they can for their users as well, and forcing 2FA really encouraging people to do the right thing. I think even selling Chromebooks Yes. Is really that, that is a computer. I can point to the least sophisticated user and say, you're probably safe using

Alex Stamos (01:35:56):
This. Yes. I mean, Chromebooks is, I over about 15 years ago, 14 years ago when Chromebooks were, were first started, remember the, the Pixel books, like the first

Leo Laporte (01:36:05):
Google, oh God, don't get us started. Yes.

Alex Stamos (01:36:08):
So I went one than Thanksgiving. I, I'll start crying <laugh> nostalgia. And so I, I, I'm not neutral here as a consultant, I worked on Chrome and on ChromeOS. And so, you know, I got to see all the work that went on the inside. And so I bought those early, early Chromebooks. And one Thanksgiving I had took four of them back to Sacramento and gave them to my parents and my in-laws. And it was the best investment I've ever made in the Thanksgiving because

Leo Laporte (01:36:32):
It

Alex Stamos (01:36:33):
Was just like, brilliant. Don't have to worry anymore. Yeah. They just were like, don't have to clean all the viruses out and not ask like, what websites are you on? Right. You got all these viruses fighting for control of your browser. Yeah. It was great. You know. No, I I think Google, Google was really early in having people focus on the psychology of their users and of do user experience studies. Yes. So Adrienne Porter Felt who's there

Leo Laporte (01:36:54):
Who's on Mastodon, by the way

Alex Stamos (01:36:58):
Was her boss for a long time. The head of Chrome security. You know, there's several people who are there who are like really early in building that out. And I think, yeah, I mean, I think as far as security from normal people goes, I think Google's doing absolutely the best job right now. Android, Android's got problems. A lot of those problems are due to its openness. And, and I think and the fact that Android OEMs, if you're gonna buy an Android phone, you have to buy Google. Right. Like taking all the extra crap and then waiting for your OEMs to patch, I think is not worth it. Get a Pixel. That's why I tell people, if you wanna be in the Android ecosystem, get a Pixel. Yeah. And in some ways, I think Pixels are now more secure than iPhones. Like Apple has really wasted their lead you know, NSO Group owning up iPhones over and over

Leo Laporte (01:37:44):
Again with zero click exploits,

Alex Stamos (01:37:45):
Zero click iMessage exploits. Holy crap. It's just really embarrassing. Now, I know the people at Apple and they're working really hard on this and they finally are getting it together, but they did not have real executive support for, for the fundamental changes they finally have that it, it got so embarrassing that this one company in Israel owned them over and over and over again. That they're finally making the fundamental operating system changes to jail iMessage to reduce the attack surface. Seems

Leo Laporte (01:38:10):
Like they did as much as they could though. I mean, you at one point that was completely not secure and they've done a lot to lock it. Downstair.

Alex Stamos (01:38:17):
They've done a lot. Not great. I mean,

Leo Laporte (01:38:19):
BlastDoor

Alex Stamos (01:38:20):
And BlastDoor. And one of the problems is they're still writing everything in Objective-C like they have their own memory safe language. Yeah. That turned out to flop. Right. So like, I think part of the fantasy was, is

Leo Laporte (01:38:29):
Swift gonna make it better?

Alex Stamos (01:38:31):
Well, it would. I mean, Swift is much less vulnerable to these kinds of attacks. Yeah. But they don't use it for any of their core stuff. Any of the core libraries, a lot of the core libraries are still C

Leo Laporte (01:38:39):
Wow.

Alex Stamos (01:38:39):
Right. That they call out, they call out to from Objective-C. Right. Like a lot of their parsing code for video and such. Interesting. So what do you hear? That's a, that's a, I think that's a, they've made a fundamental mistake in their language.

Leo Laporte (01:38:49):
It's interesting. You can make that cultural mistake 10 years ago and you're still living with

Alex Stamos (01:38:54):
It. Right. Right. And so now, I mean the people who are being smart about this is Google is one of the companies that's been really pushing Rust mm-hmm. <Affirmative>. And so finally there was Rust support I think in Chrome. And there's Rust support in the Linux

Leo Laporte (01:39:05):
Kernel in Linux, which

Alex Stamos (01:39:05):
Is amazing. And so I think like moving to the memory safe languages is where we have to go. Yeah. It's always something that has a five year time horizon. Yeah. So start now, if we had done it five years ago, we'd be in way better shape. Right. But that's

Leo Laporte (01:39:16):
People Is it hopeless at Microsoft?

Alex Stamos (01:39:20):
Okay. Microsoft does <laugh>. There's a lot of really good people at Microsoft.

Leo Laporte (01:39:25):
We have, we know some of them, some of them work with us. I

Alex Stamos (01:39:28):
Think one of the problems with Microsoft is that they still sell all of their old enterprise stuff. And they legacy the legacy stuff is in the level of sustained engineering that's not appropriate. Yep. The Chinese, the People's Liberation Army keeps on owning up Exchange. Yep. Over and over and over again. You have these attacks where tens of thousands of companies are being hit by the Chinese and their Exchange servers taken over. That's not acceptable. I mean my, I think being on Office 365 is fine for corporate side. We're on Microsoft

Leo Laporte (01:39:58):
365, but they manage the servers not Right.

Alex Stamos (01:40:01):
Make it their problem. Yeah. Well one of the problems here is you should never run a Microsoft product that Microsoft doesn't use <laugh> and Microsoft

Ant Pruitt (01:40:07):
Change

Alex Stamos (01:40:08):
Anymore. Right. Right. They use Office 365. They're, wait, wait, wait. You're on Microsoft 365? Yeah, we're on Microsoft 365. E5. Yeah. So one you have to pay for E5. Unfortunately, like all the, all the levels below that are less secure. They don't have all the security features. Oh, interesting. But yeah. Yeah. I mean it's unfortunately, like if you're a consultant and you're working with Fortune 500 companies, you have to be, they're all SharePoint, they're all Office. And so if you want to collaborate with them, you have to be on 365. Yeah. But so can I ask

Leo Laporte (01:40:35):
Another company

Ant Pruitt (01:40:36):
Microsoft? Go ahead. Go ahead Jarvis. Go ahead. A you

Leo Laporte (01:40:39):
Go back cause I wasn't change the subject to another company.

Ant Pruitt (01:40:41):
Well, with Microsoft, knowing the Knowing Exchange is getting attacked so often and not really doing anything about it, that's just more leverage for them to say, huh, come on over to the Azure side of things.

Alex Stamos (01:40:51):
Right. But they'll never make the cut. Right? Mm-hmm. <Affirmative>, like, <affirmative>, like I would love for them to end of life their legacy life. They should just end of life.

Leo Laporte (01:40:57):
Historically, their

Alex Stamos (01:40:58):
Problem, they should just announce that Exchange is end of life.

Leo Laporte (01:41:01):
They never want to cut off Legacy cuz that's a big part of their

Alex Stamos (01:41:04):
Business. Right. And then they've done a couple of really cool experimental things like the Windows S stuff, which is like the Windows Chromebook, which I wish they had really committed to because we're No,

Leo Laporte (01:41:12):
Nobody wanted. Everybody turned it off.

Alex Stamos (01:41:14):
Yeah. I think they

Leo Laporte (01:41:15):
Made some, they should have committed to it. Like Chromebook, they should have said, this is it. That's all you get. There's no turning it off.

Alex Stamos (01:41:20):
Right. And, and so like, and you know, again, the year of our Lord 2022, we're still running like 32-bit compiled executables. Yeah. And, and they have to do all this stuff to make the the NT 4 API. You know, NTDLL has barely changed. When, when I did that work at Microsoft as a consultant, you see the source code headers and this is like in the 2003, 2004 range. And so you look at the people who had worked on those headers as like interns and engineers and they at that point were EVPs mm-hmm. <Affirmative>. And so now those people are retired. Right. The people who actually wrote NT, NTDLL. Right. And all of the API stuff that they have to do all this work to maintain compatibility, but then using virtual, they do all this really smart but kind of hacky stuff using virtualization, especially to try to maintain backwards compatibility with the Win32 API and then also reduce the possibility of a single piece of, of software going crazy.

Leo Laporte (01:42:11):
Alex Stamos is our guest. Hold on a second. I do wanna take a little break. You can try another company and I still have to get to end to end encryption cuz that's really Yes. An important topic. That'll probably be how we'll wrap it up. Cuz we've gone for a long time already. And well, we could go, we could go hours and hours. And

Alex Stamos (01:42:28):
The thing about is honey, call the police as

Leo Laporte (01:42:30):
Fast as I do. I'm trapped here. Trapped. He crams

Alex Stamos (01:42:33):
In all kinds of knowledge

Leo Laporte (01:42:34):
In a short amount of time. It's so great. But I tell you what, it's a rich stew of information. Indeed. You're enjoying every minute. KS group is his consultancy. He's a professor, adjunct professor. And the leader of the Stanford, you

Alex Stamos (01:42:47):
Have to say adjunct. They get really pissy about that. If you're <laugh>, if you pretend to be a real professor, I'm a adjunct. Is Latin for fake the

Leo Laporte (01:42:55):
Fake for this one <laugh>. So, but I'm not wrong in using it. Sure. You're a real professor. Are you a

Alex Stamos (01:43:00):
Real profess I'm not fake. I'm a fake adjunct is fine use.

Leo Laporte (01:43:03):
I know because my father was a professor and so we know about all these assistant professors, associate professors, adjunct professors. I'm

Alex Stamos (01:43:10):
Not allowed to live on campus. Like, that's, that's how you know you're real professors when they give

Leo Laporte (01:43:14):
You a house. Oh, that house. Those houses are nice. Let me director, you should get it as director of the Stanford Internet Observ you. At least I think

Alex Stamos (01:43:22):
I do not want those neighbors. So I

Leo Laporte (01:43:23):
Appreciate it. <Laugh> very high, very highfalutin. We will have a little bit more with Alex. Jeff will get to ask his question in just a second. But first word, you know, this is actually really timely from SecureWorks. We were talking about this whole idea of kind of you know, there's never enough people, there's never enough time, there's never enough money to really do security. Right? That's why you gotta think about SecureWorks as part of your security team. SecureWorks is a leader in cybersecurity building solutions for security experts by security experts. They're your partner. SecureWorks offer superior threat detection, rapid incident response, all while making sure customers are never locked into a single vendor. They've got a really powerful, and actually I think it's fascinating extended detection and response platform. They call it Taegis XDR. And I think if you just listen to the show, you know why it's time to get it right In 2022.

(01:44:25):
Cyber crime's gonna cost the world 7 trillion in three years, that number is gonna grow to 10.5 trillion in 2021. Ransomware totaled, as far as we know, 20 billion in damages attacks occurred at every 11 seconds. By 2031, it's gonna be much, much worse. 265 billion a year. Strike every two seconds. I think that might even be a conservative estimate. Make sure your organization is not the next victim with SecureWorks Taegis XDR. Taegis provides superior detection, identifying, get this, this is where I'm fascinated. 470 billion security events a day, a day. Then prioritizing the true positive alerts. Eliminating alert noise, but giving you the information you need to focus on the real threat. But there's more. Taegis offers unmatched response, automated response actions to eliminate threats before the damage is even done. That's fast. With SecureWorks Taegis managed XDR, you can easily leverage SecureWorks experts to investigate and respond to threats on your behalf.

(01:45:32):
This is where they become a part of your team. You can cut dwell times, decrease operational burden, reduced cost 24 7 by 365 coverage. So if you experience a Christmas Day security event, or half your team is out sick, don't worry. Secureworks is there, they're behind you. And of course, with companies facing this shortage we were just talking about is cybersecurity talent. Secureworks Access is an extension of your security team on day one. Alleviating cybersecurity talent gaps, letting you customize the approach, get the coverage level you need now. And, and Alex was just saying, this is the fun part. What happens if you think you've been breached? You find an intruder in your system. I want you to get a Post-It note right now and write down this number. 1-800-BREACHED. Put it on your, put it right there on your desk, 1-800-BREACHED that connects whether you're a customer or not, that connects you with a SecureWorks Emergency Incident Response Team.

(01:46:29):
They can provide you with immediate assistance. It's so nice to know these guys are on your behalf. They're on your behalf 24 7 responding to and remediating a possible cyber incident or data breach. You don't have to go it on your own. Of course, you've got a great team. I'm not saying that. Just make it better. With SecureWorks like SecureWorks, you can learn more about the way today's threat environment is evolving, the risks it can present to your organization. They've got case studies, they've got reports from their very prestigious counter threat unit and a lot more. Visit secureworks.com/twit, get a free trial of Taegis XDR. secureworks.com/twit. Please use that URL so they know you saw here. secureworks.com/twit, T-W-I-T. SecureWorks defending every corner of cyberspace. That's exactly what we were just talking about. All right, Jeff, you had a question about another, another company for our esteemed guest, Alex. Oh,

Jeff Jarvis (01:47:28):
It's just obvious brief gossip. Do you know anybody left at Facebook? Do you hear anything? What, what do you hear? What do you know? The whole thing got steamrolled with Twitter blowing up and 11,000 people, a lot of people I know who were there are gone. What do you hear?

Alex Stamos (01:47:41):
Yeah, I mean, so they're out. The news. Somebody pointed out, like for the first time ever, Facebook was not anywhere on the front page of Techmeme. Right? Isn't it? Wow. I mean, nobody, I said this at the beginning, nobody was gonna be as happy about this acquisition as Mark Zuckerberg. Because, you know, he,

Leo Laporte (01:47:59):
The heat is off.

Alex Stamos (01:48:00):
Right. His argument is this is a super hard problem. Yeah. We're doing the best we can. Yeah. And unless you've got somebody who just doesn't give a at all <laugh> mm-hmm. <Affirmative>, it's hard to make that argument. Right. And cause but

Leo Laporte (01:48:13):
Now he's got that person

Alex Stamos (01:48:14):
<Laugh>. Now he's got that person. He's like, oh, oh, you don't like me. I think you really want to talk to this guy. Yeah. so yeah, I mean, it is what's going on there. I mean, I think there are some negative trends. You know, Facebook's not doing great from a financial perspective. The stock is way down. They had the layoffs. A couple people I know got laid off. For the most part, the security and safety teams were spared from the layoffs as they should. So the vast majority of the security people I know there are still there.

Jeff Jarvis (01:48:41):
The folks working with newspapers are gone.

Alex Stamos (01:48:43):
Right. I think a combination of two things though is worrying me from a trust and safety perspective. One, the, I'm a little afraid that a lot of the investment that was made in the post kind of 2018 timeframe into trust and safety work, which was significant, was really based upon unsustainable revenue numbers for Facebook. And that that will be a place that they cut first. Second, whenever Mark Zuckerberg loves to be in a corner, right? Like, he loves to be in a situation where people tell him, I think he doesn't like the fat and happy times. Oh, interesting. I think he likes the times when people tell him, you can't do this. You're gonna fail. Right. Like the story you always hear. That's fascinating. Like in the you know, I went through engineering bootcamp, right? Mm-Hmm. <affirmative> and got my butt kicked by all these 23 year olds who had just graduated MIT, right?

(01:49:35):
Mm-Hmm. <affirmative> <laugh>. But I'm going through like engineering bootcamp and they tell all these stories of the good old days. And you know, one of my concerns about Facebook at the time was it's a very small-c conservative company about looking backwards of the good old days when it was only 300 people in the bad office in Palo Alto. Yeah. And, you know, the 2010 or so, 2011, people were like, you'll never make money. You'll never make the move to mobile. And that's when Mark Zuckerberg was happiest when you could crush it on mobile. Right. Proven people wrong. Yeah. Proving people wrong. So I think he's always looking for that moment where he can prove people wrong. And I'm a little afraid that we are past that from the safety perspective, that people said you can't get a handle of these things and they did better.

(01:50:19):
I have my issues with what the company has done in a number of ways, but they invested a huge amount of money that he has now moved past that in is back to now can we make the Metaverse work? And in doing that, that the, his eye is off the ball on the fact that they have 3 billion users that are using their current products that are not in the metaverse. Mm-Hmm. <affirmative>. When they did the, the Meta thing, I I, I was actually first happy cause I thought it would be an Alphabet thing where Facebook became its own company and had its own CEO, like a Chris Cox running it. And then Zuck would be the CEO of Meta overall. But Zuck still runs the Facebook product as well as all the Metaverse stuff. And I think like he's probably too distracted there. And so I I'm worried about the distraction.

(01:51:01):
I'm worried about the spend of money. The other thing that's happened is since the Haugen documents were, were leaked, so there were some like legitimate scandals in those documents. Most of those documents are people trying to do their job, which is a hard job. Well, and the leak of those documents has massively changed the internal culture at Facebook where there's no longer any openness about talking about safety issues. Yes. Integrity issues. And the long term impact of that document leak has been that a bunch of people I think have lost their jobs are not being hired. That there's not gonna be investment in quantitative social scientists to do that kind of work. And that I think is a huge loss for the entire industry. Cuz Facebook was really the only company doing that at that level. And we, we've seen the peak of that and it's over. And now if you're Z, you're like, well, does it matter cuz doing anything is better than Elon Musk. Right? So like, he now has somebody who is so much worse than him who just straight up overrides his team, who

Leo Laporte (01:51:55):
The bar has been lowered,

Alex Stamos (01:51:56):
The bar has been lowered. I mean, Twitter's gonna have either a child safety scandal or they're gonna have a breach. Right. Like the, you can't run a company of that size of that complexity with that small of a team. The amount of risk he is running every day is an unsustainable amount of risk that if he had a board of directors, which he doesn't, their audit committee should be losing their minds right now. But they don't. He's the audit committee. Right. Yeah. So from from Z's perspective, I think the pressure is really off. And so I am really worried about where we're going now that we might have seen the peak with like the 2020 election was the peak of focus on integrity issues at big companies. And it's just been downhill since

Leo Laporte (01:52:32):
Then. Do you think we're gonna have trouble in the 2024 election?

Alex Stamos (01:52:36):
It can go both ways. I mean, the, the upside of what happened in 2022 is the election deniers lost. Right? So like in a world where a bunch of election denier secretaries of states won, and it was successful for people to election deny. But the fact the tech stuff has always been downstream of the culture. I think this is one of the places where a lot of the popular you might call the, the New York Times position on tech is wrong of they see the tech as leading the issue. Whereas I see the tech as reflecting culture, the culture, the political culture of the United States mm-hmm. <Affirmative>. And so the shift in the political culture is gonna make things better, not because the companies are doing better just because there's gonna be a lot less demand.

Leo Laporte (01:53:18):
It's good news. It's good

Alex Stamos (01:53:19):
News. Yeah. I don't think that'll be true outside of the United States. And I think the most important country to keep an eye on in any of these, of the retreat of democracy and of tech regulation is India. Right. India's legitimately democracy. Mm-Hmm. <affirmative> Modi received roughly as many votes as there are people in the United States. Right. Like he was legitimately elected and he's using the power that was legitimately given to him to crush his enemies using the power of the Indian state. Right. And that is like a serious problem for these tech companies, especially if you're Facebook and Twitter, they are locked out of China. It is very hard to be locked out of China and India. So because they are locked out of the entire Chinese market, especially for Facebook, because it's still Meta is still a public company. Mm-Hmm. <affirmative> Musk can do what he wants to do, but for Meta it's a big deal for your shareholders that you're locked out of China to also be locked out of India would be unacceptable. And that gives a huge amount.

Jeff Jarvis (01:54:11):
You can't work in Philippines or Indonesia.

Alex Stamos (01:54:13):
Yeah.

Jeff Jarvis (01:54:14):
So yeah, your choices

Alex Stamos (01:54:15):
Are limited. Well, and access to the market. Right. Of access to those billions people. So yeah. I'm less worried. I'm a little worried about 2024. I have a foreign policy piece I'm working on right now of one of the problems is the entire team at Twitter that does looks for foreign interference is gone. So if you are the Ministry of State Security, if you're the People's Liberation Army, if you're the GRU of Russia, if you are the Revolutionary Guard Corps, Twitter is your number one focus. I think the, the one after Twitter is probably Telegram. Because Telegram is now the most important platform for the extreme elements in US society. So if you wanna manipulate people who might actually turn violent mm-hmm. <Affirmative>, then you're investing heavily in

Leo Laporte (01:54:52):
Telegram. Wow. Not much we could do about Telegram.

Alex Stamos (01:54:54):
Not much you can do about Telegram. And,

Leo Laporte (01:54:55):
And Pavel Durov's a Russian citizen living in Dubai. Right. He's completely out of our reach.

Alex Stamos (01:55:01):
Yes. And you, I think you could call his Facebook status with the Putin is, it's complicated, right?

Leo Laporte (01:55:07):
Yeah. Yeah. <Laugh> like

Alex Stamos (01:55:08):
He left Russia and fled Russia, but mostly for like financial things. Not really political. It's not clear Cat

Leo Laporte (01:55:13):
Putin stole his company. Yeah. Right. So I'm presuming he doesn't have a lot of love for the regime.

Alex Stamos (01:55:20):
Right. But also I don't think the guy's a Thomas Jefferson. Right?

Leo Laporte (01:55:23):
Like I agree. Yeah.

Alex Stamos (01:55:24):
You know, and so but

Leo Laporte (01:55:25):
Also even if he were, that platform is kind of intractable. It's a messaging platform that's pretty hard to police. Well,

Alex Stamos (01:55:32):
It's messaging and it's not like the, the large groups that are are

Leo Laporte (01:55:35):
Very well Yeah. Hundred thousand groups. Yeah. A hundred people group. 

Alex Stamos (01:55:37):
Those, you know, in our monitoring of election disinformation, there's a, I mean, one of the things that's happened post January 6th is you have a huge fracturing on the American right. Of social media platforms, right? Mm-Hmm. <affirmative> Gab, Parler, Truth, Rumble is a big one to watch. Rumble is competing with YouTube and has effectively no controls on disinformation. But Telegram is where we saw people doxing poll workers, talking about taking their guns to protest, stuff like that. So if you're trying to actually drive Americans to violence,

Leo Laporte (01:56:08):
That's where the organization is

Alex Stamos (01:56:10):
Happening. And the problem for us is the Russians are all over Telegram. Cause Telegram the most important platform for the Ukraine invasion, right? So if you're the GRU, you have a huge team already dedicated Telegram. I think right now, one of the things we benefited in 2022 is they've, the Russians have their own problems. Right? They are focused on the war they're losing in Ukraine and the drop of support for Putin domestically. I think a lot of what happens in 2024 vis-a-vis Russia will depend on what their domestic political situation looks

Leo Laporte (01:56:38):
Like. Just like China. Yes. Settle a bet for us.

Alex Stamos (01:56:43):
Okay.

Leo Laporte (01:56:44):
So I, I won't put words in your mouth, Jeff. Why, why make this Danny <laugh>? But you, well, you, you stand in defense of, of tech and tech platforms. I stand in defense of the internet, of the internet platforms happen to run it now. Yeah. I guess the d the, the bet is the debate is who's responsible for keeping people well informed? Who's, is it, is it my responsibility as an individual not to fall for this? Or is it the platform's responsibility and government's responsibility to protect us from disinformation? Who's responsible? Mm.

Alex Stamos (01:57:24):
Okay. So I don't, I don't think there's a right answer here. I think everybody has to have their own kind of,

Leo Laporte (01:57:29):
A lot of people will say, well, look, you just gotta train people with critical thinking still. They're believing they need to start, you know, treating stuff from the internet is not from the mouth of God. We can teach people that,

Alex Stamos (01:57:42):
I would say for, for all trust and safety issues, the responsibility of tech companies is not to make things worse. Right?

Leo Laporte (01:57:49):
Yeah.

Alex Stamos (01:57:50):
Everything we're talking about here, propaganda, disinformation, the abuse of children, terrorism, right. Hate, racism, not exactly new things. Certainly not new in American society. Right. all really deep-seated pathologies of human civilization. And some of them are specific mythologies of America. Yeah. Right. Based upon the original sins of the United States. Mm-Hmm. <affirmative>. And, and so the responsibility of the companies, I don't think is to make people better or to solve those problems, but it should be to not make the problem worse.

Leo Laporte (01:58:24):
To not weaponize disinformation,

Alex Stamos (01:58:26):
To not build their products in a way that it creates a unique advantage for their products, for those things to happen. Right.

Leo Laporte (01:58:33):
There

Alex Stamos (01:58:33):
You go. That's how I think of it.

Leo Laporte (01:58:35):
An algorithm, for instance, which exacerbates this.

Alex Stamos (01:58:39):
So I, I have, I have have a, an anecdote here, right? So like when I first joined Facebook, the number one trust and safety problem was, was terrorism, was ISIS particularly, right? Mm-Hmm. So like, you know, Islamic terrorism, not a new thing, but ISIS was unique of being like the first millennial Yeah. Terrorist group where they were internet first in their propaganda strategy. Yeah. In a way that nobody before had been very, very smart in their use of the internet to radicalize and to recruit, especially disaffected European Muslim men. Right. 

Ant Pruitt (01:59:07):
And was highly just mainstream all around. Yes. You know, any and everybody knew

Alex Stamos (01:59:12):
ISIS very good. Production values for their disinformation for the propaganda, very good distribution means, and the ability to make it seem relevant to BE'S seems in a way that like in Al Qaeda Yeah. Like the first

Leo Laporte (01:59:26):
Internet, first

Alex Stamos (01:59:28):
Terrorist group. Right. Yeah. It's

Leo Laporte (01:59:29):
Fascinating. I never thought of it that way, but you're right.

Alex Stamos (01:59:31):
Yeah. And so when I got to Facebook, that was the big thing, right? Was ISIS and I was in the meeting cuz one of our key executives had come back from the UK. There had been a horrible murder in the UK where the, the people who had committed the murder, the terrorists who had done so, had been hanging out on Facebook. Now they were also under surveillance by MI5, but the UK government kind of covered that up, right? The conservative government, they blame Facebook for this attack. And so our executive had been screamed at by David, David Cameron, the prime minister of the UK as being personally responsible for the death of this British off-duty British service member. And so we're in this big executive meeting and somebody asked, we're talking about we need to really upgrade our fight against ISIS. We need to figure out what to do. Which I think was correct, but somebody asked, okay, what's our goal? Right? Like, this is a tech company, you gotta think about your goal is, and then you could try to come up with OKRs that you can manage that goal. And that executive who just got yelled at said, our goal is to defeat terrorism. And to his credit, my boss who's the general counsel, was like, whoa,

Ant Pruitt (02:00:32):
No, that's not, that's not

Alex Stamos (02:00:34):
Facebook's job. That's the breaks. Yeah. He's like, that is not our job. Yeah. Our job is that we don't make terrorist lives easier. Right? Right. But whether ISIS is defeated or not is something that is out of our hands. If we make that our goal, then we will lose and we will lose ourselves. Right. And I think that's true for all these issues. That's a good point is that you can't say we're going to solve the problems about American democracy. We're gonna solve this is where, you know, the, the big controversy around Twitter and disinformation was the Hunter Biden laptop story. Right. Which again, only taken down for a couple of hours, created a massive Streisand effect. The idea that Twitter doing that affected the election is ridiculous. Mm-Hmm. <affirmative> from any kind of quantitative measurement, but Okay. But I think it was a mistake by Twitter.

(02:01:17):
Yeah. And the reason Twitter made that, which Yoel says now, I think, which Yoel says, and Jack says, but you can understand how they got there. Because when you look at the 2016 campaign by the Russians, there was the online trolling stuff that the companies really responded to that was a pure online, but there was also a hack and leak campaign who was the target of the hack and leak campaign. It was not Facebook and Twitter, it was the New York Times. It was CNN. CNN, it was a Washington Post. It was especially Fox News. Right. And so if you are, the problem there is that Twitter was thinking we're going to defeat foreign interference in our elections. And in doing so, they took upon themselves a responsibility that was not their responsibility, which is keeping the New York Post from being manipulated. Fascinating. Now, in the end, it turns out the New York Post is not being manipulated. But at the time it was not a crazy assumption. It seemed very suspicious. But they took upon a responsibility for which they did not have the appropriate data. They did not have the appropriate kind of like democratically controlled mechanisms. It was not their responsibility. And as a result they overreached and they caused much bigger problems.

Leo Laporte (02:02:16):
So ultimately their mistake was taking on too much to try to do too much.

Alex Stamos (02:02:20):
Right. They sort of restrains themself to we will, we will stop foreign interference on Twitter. Right. And I think another reasonable thing if you're a tech company is we will help smaller tech companies do better by sharing information, sharing tools, sharing intelligence. Good. Right. But we're not going to solve the problem. The problem of foreign interference and US elections is actually a universal problem that is built into the First Amendment. We allow foreigners to have First Amendment protected rights. Right. We allow Russia today,

Leo Laporte (02:02:47):
We can't fix that.

Alex Stamos (02:02:48):
Not without losing who we are as Americans. Yes. Right. And certainly Twitter can't fix it. Right. And so that's my position on all this stuff. Are you making things, you, yourself, your company, making things better for these bad guys. And that is what you have to focus on reducing, not on solving the overall problem, because that's

Leo Laporte (02:03:05):
A much easier job, frankly.

Alex Stamos (02:03:06):
That's brilliant. And and these, these problems are hundreds of years old. Yeah. You can't thousands of years. Exactly. And they, they weren't

Leo Laporte (02:03:11):
Caused by the end

Alex Stamos (02:03:12):
And they'll exist

Leo Laporte (02:03:12):
In a thousand years. Good answer. Wow. Yeah. Good to boy, I, we're at time. I don't, you know, I don't want to open the Pandora's box of end to end encryption <laugh> the UK is, I also wanna hear about TikTok. Oh God, we didn't even start with TikTok. Or let's do TikTok. That's much more interesting. Cuz this end to end encryption thing is gonna go on forever. Should TikTok be shut down as a, as a channel for the Chinese government to influence? I think that's, that's a

Alex Stamos (02:03:40):
Harsh way to ask it. No, I think the United States should pass a federal privacy law that is our GDPR, but more specific. And that, unlike GDPR explicitly recognizes that some countries are allies and some are not. Right. And some are adversaries and there's a bunch of countries in the middle. And so I would like to see a federal privacy law that binds all tech companies in a bunch of ways, but ones of the ways it binds them is it does not allow certain information about American citizens to be stored or processed or accessed by the citizens of certain countries. That's fair. And that would include the People's

Leo Laporte (02:04:11):
Republic of China not force TikTok to be owned by an American company. Right.

Alex Stamos (02:04:15):
I I would like this law to apply for TikTok and Apple

Leo Laporte (02:04:17):
And Apple and Facebook. Let's face it. Wow.

Alex Stamos (02:04:19):
Well, right. So Facebook just no data processing in China, but it, but the domestic stuff around rules, the domestic rules should apply to Facebook,

Leo Laporte (02:04:26):
Certainly mm-hmm. <Affirmative>. Yeah. Mm-Hmm. <affirmative>. That's a good point. Kristi Noem, governor of South Dakota, just announced that TikTok is banned among in government offices in South Dakota, which is

Alex Stamos (02:04:36):
I'm sure was, was a, it was a hot item of the Chinese. So here's my hot take of the Chinese companies. We should worry about. WeChat is a much bigger one for me. I agree. Because WeChat is a massive tool of surveillance against American companies.

Leo Laporte (02:04:46):
We don't know about it because it's used by Chinese nationals abroad.

Alex Stamos (02:04:50):
Right. But every American company has Chinese speaking employees. Yeah. They, they're not intentionally doing anything bad. No. They just, but they all have WeChat. They all have it because it's the only way they can talk to their family. Right? Yep. Which is effectively a subsidy by the great firewall Yep. To make WeChat used around the world. And every single company has a, like, effectively an employee resource group that is on WeChat of Chinese speaking employees. That's fine. If what they're talking about is, I don't like this manager or this HR thing's going on, it's not as cool when they're talking about tech stuff. And this is something we actually had at Facebook. Yeah. Which is we had information that we knew landed in the hands of the Chinese Wow. That one of our theories was, it had been discussed by, you know, Chinese speaking employees. They didn't understand that everything they wrote was being logged in Beijing. Wow. So WeChat, if if we're gonna start with something, it should be WeChat because also TikTok, it doesn't, it has almost no private communication on it.

Leo Laporte (02:05:43):
Right? Right. It's just watching

Alex Stamos (02:05:44):
Videos. Right. Where WeChat, you know, private the issue, people buy stuff, they buy drugs. Right. They probably communicate with their mistresses, like there's a bunch of black male material, a

Leo Laporte (02:05:51):
WeChat. We know they're seen a lot of escort ads. We know that. Right. They've seen

Alex Stamos (02:05:54):
A lot of, and then the other thing WeChat's use is it's used to control the Chinese diaspora in the US. Like you see university groups and stuff where if, if you read any of these indictments of people who have been turned by the MSS, Ministry of State Security, while they're in America, there was just one a week ago by the FBI right before Thanksgiving. The word WeChat's all over it. Yeah. That is how you reach out to somebody. That is how you threaten them. That is how you point out that the MSS has control of their parents. Wow. WeChat is the platform I think we should worry about.

Leo Laporte (02:06:21):
I think we're gonna wrap it up and just say we've been spec spectacular. We've got so much more to talk about. I hope you will come back. You have an open invitation. It's really great to talk to you next time you Zoom. Yeah. You don't have to. I mean, thrilled you're in studio, it makes it so much more fun. Yeah. Is there anything you would like to promote? Or

Alex Stamos (02:06:41):
Promote? I mean, so if you want reading the stuff that these reports io.stanford.edu. And if you're a company looking for consulting help, it's KS Group. Is you I work with Chris Krebs. He's a great guy. And we try to help companies

Leo Laporte (02:06:54):
Out. So much respect for Chris. So impressed with

Alex Stamos (02:06:57):
He's a great guy. I mean, when the cards are down, he made the right call. Even though he has five kids, you know, that's tough to, to walk away from your healthcare.

Leo Laporte (02:07:03):
No kidding. Yeah. No kidding. The Internet Observatory lots of interesting

Alex Stamos (02:07:09):
Stuff that, that top one, that's our report about the US doing this stuff. So if you're an artist Ah, very interesting. We called it Unheard Voice because nobody mm-hmm. <Affirmative> in, in the sad part is, is this report is now being cited by like Iranian propagandists and Chinese

Leo Laporte (02:07:23):
Ofand. Of course. See they're doing it

Alex Stamos (02:07:24):
Too. See, they're doing it too. It's just the the sad mistake our government

Leo Laporte (02:07:27):
Made. Yeah. That's why we don't do it. Yeah. Wow. I just such good material. I have food for thought for weeks. I am so glad you were all here. We don't need to do anything but just wrap the show up, I think. Right. Is there anything you wanna plug?

Ant Pruitt (02:07:45):
I wanna plug Club TWiT.

Leo Laporte (02:07:46):
Thank you.

Ant Pruitt (02:07:47):
Plug Club TWiT. You

Leo Laporte (02:07:48):
Are a community manager.

Ant Pruitt (02:07:49):
I'm community manager and all of the support is greatly appreciated.

Leo Laporte (02:07:53):
It's just a fun place

Ant Pruitt (02:07:55):
Here at TWiT. Yeah. I have a show. Oh, you're gonna play bit tomorrow.

Leo Laporte (02:08:00):
Come

Ant Pruitt (02:08:01):
Some cards with me at four o'clock. How

Leo Laporte (02:08:03):
Fun. I might you on that. That's

Ant Pruitt (02:08:05):
Just hop on in. I

Jeff Jarvis (02:08:06):
Wanna see you do Big Go

Ant Pruitt (02:08:07):
A Well, I'll figure that out one of these days.

Leo Laporte (02:08:10):
We can do this in the Let's play chat. That's channel, which is,

Ant Pruitt (02:08:12):
It's going be in. Let's play. If you're club, you'll

Jeff Jarvis (02:08:15):
Have our friend Glenn Fleishman soon.

Ant Pruitt (02:08:17):
Glenn Fleishman.

Jeff Jarvis (02:08:18):
I've been giving him recommendations in, in Berlin. He went to the KaDeWe, which is this amazing department store 'cause they have this huge, amazing food floor. And he came out just saying like, capitalism went too far.

Leo Laporte (02:08:31):
<Laugh>. He did have the best breakfast he's ever had. I understand. He really is enjoying himself. I can't wait to hear his stories. Glenn's with his son in Berlin. What a great time. He's awesome. Stacy's book club this year this week is this month. This next month is be January, whatever Project Hail Mary. Oh, next year. Next year. Next year's book club. January 12th Project Hail Mary. Great book. I will be there for that 'cause I've already read it. Mm-Hmm. It's fantastic.

Ant Pruitt (02:08:58):
I'm rereading it.

Leo Laporte (02:08:59):
Well and watch our interview that we did with Andy Weir. Andy Weir on a Triangulation a few months ago when first came out. Cool. Yep. And then the Laportes are gonna do an Inside TWiT January 19th. All of this is available, but only if you're club member twit.tv/you

Jeff Jarvis (02:09:14):
Should join folks.

Alex Stamos (02:09:15):
I'm gonna start a hashtag. Andy. We are right in the third person. Let's see if we can get him to Yeah. Yeah.

Leo Laporte (02:09:20):
It's always him. It's all about him all the time. I don't understand <laugh>. He he we, we were gonna have him on a few months ago and he just had a baby, which is great. Very happy for him. But I think now that the ba now that the baby's probably four or five months old, he's probably anxious. Oh, you wanna get out please. Anxious to come on a show, please. So we'll try to get him back on. The movie Project Hail Mary's moving forward. He'd optioned it. He told me at the time that Ryan Gosling was play. Yeah. I, the lead, which I mixed feelings about, let's put it that way. But we'll

Alex Stamos (02:09:53):
See. I have this problem in that HBO bought a Facebook book that I'm

Leo Laporte (02:09:57):
Oh.

Alex Stamos (02:09:58):
And so Claire who's

Leo Laporte (02:09:59):
Playing

Alex Stamos (02:09:59):
You? Well, we don't know who's playing me. But it's Claire Foy, you know, from the,

Leo Laporte (02:10:04):
I love Claire Foy

Alex Stamos (02:10:05):
Is Cheryl.

Leo Laporte (02:10:06):
Oh. So

Alex Stamos (02:10:07):
I'll probably get Zach Gal is my <laugh>.

Leo Laporte (02:10:10):
It's exactly what you're getting bad news,

Alex Stamos (02:10:12):
Right? Him doing that. He wants his, he wants to do his like legit turn, right? He's gonna do some,

Leo Laporte (02:10:18):
Yeah. Oh, she's just going bat those big eyes at you. And it's over. It's over. And

Alex Stamos (02:10:23):
Food in his beard.

Leo Laporte (02:10:25):
Yes. I'm sorry. Thanks, man. It sucks. <Laugh>. <laugh>. That sucks. Jeff Jarvis, thank you for being here. BuzzMachine.com Thank you for doing well was your idea. Get the Gutenberg books coming out next year. You can get on the list by going to Bitly dot sorry. B I t dot ny slash by Gutenberg. Jeff of course, is the director of the Tow-Knight Center for Journalism at the Craig Newmark Graduate School of Journalism at the City University of New York. We will do two

Speaker 6 (02:10:56):
Pos. Whose birthday? 70th birthday is

Leo Laporte (02:11:00):
December 6th. That's a big one. Is he gonna do a big thing? My 60 60 by the way, yesterday Beated. And they made me, they forced me to eat a lot of cake. Just so much. Take

Speaker 6 (02:11:12):
That mar cake cliff.

Leo Laporte (02:11:13):
There's more cake. It's my house.

Speaker 6 (02:11:14):
Aren't you glad you're off that stupid diet you

Leo Laporte (02:11:16):
Were on long ago? I'm still on it and I'm paying the price for eating all that cake. <Laugh> so good though. Happy birthday, Craig. That's awesome indeed. I guess that's it. What a special episode. Yeah. Thanks for having us, Alex. What a pleasure. Really great to meet you. Thanks for the work you do, which is clearly incredibly important. We thank everybody who watch the show. We do This Week in Google every Wednesday, 2:00 PM Pacific, 5:00 PM Eastern, 2200 UTC. Watch live at live.twit.tv chat live in the IRC or or in our Club TWiT Discord after the fact. You can download copies of the show from the website, twit.tv/TWiG. Watch it on YouTube. In fact, this would be a good one. Everybody clip out some salient quotes from Alex and send them to your, your CEOs or your IT department. Yeah, let them know. That's all on YouTube. And of course the best way to listen is to subscribe and you get audio or video the minute the show's done and never miss another episode. Thank you everybody for being here. We'll see you next time on TWiG.

Speaker 6 (02:12:22):
Bye bye. The world is changing rapidly, so rapidly in fact that it's hard to keep up. That's why Mikah Sargent and I, Jason Howell, talk with the people making and breaking the tech news on Tech News Weekly every Thursday. They know these stories better than anyone, so why not get them to talk about it in their own words? Subscribe to Tech News Weekly and you won't miss a beat every Thursday at twit.tv.
