The Lock & Key Lounge — RIFF Edition 1

Welcome to The Lock & Key Lounge, debuting its first-ever RIFF Edition — a new, unscripted spin on security conversations hosted by Navroop Mitter, Founder and CEO of ArmorText, alongside Matt. In this episode, the duo riff through a series of stories and ideas that caught their attention — from Asahi’s production-halting cyberattack and Jen Easterly’s bold take on “The End of Cybersecurity,” to the alarming rise in text scams among young adults, China’s Phantom Taurus targeting telecoms, platform sovereignty challenges involving Microsoft and Proton, and the myth of SATCOM security. Recorded in true “out-of-band” fashion — Matt from home and Navroop fresh off a flight from Iceland — this candid, fast-moving conversation blends humor, insight, and sharp commentary on how digital resilience, accountability, and comms sovereignty are shaping the next era of cybersecurity.


Navroop Mitter

[00:00:05:05 – 00:00:25:07]

Welcome to The Lock & Key Lounge and the first of what we hope to be many RIFF Editions. I’m Navroop Mitter, the founder and CEO of ArmorText. A few weeks ago, Matt approached me about doing a different type of episode, one that sees us bringing articles, talks, news and events that caught our eye to each other’s, and your, attention.

Navroop Mitter

[00:00:25:09 – 00:00:35:19]

No scripts, just a smart riff. So here we are, Matt recording from home while I do this, having just landed from meetings in Iceland, perched up by a construction site. I know, right? Sometimes, yeah.

Matt Calligan

[00:00:35:20 – 00:00:36:20]

It’s always something.

Navroop Mitter

[00:00:36:22 – 00:00:45:04]

Yeah, exactly. It’s always something. We’re on the road quite a bit. And so with that, let’s kick off today’s riff with something near and dear to our hearts. And that’s beer.

Matt Calligan

[00:00:45:06 – 00:00:46:01]

Yeah.

Navroop Mitter

[00:00:46:03 – 00:00:52:13]

Matt, I don’t know. Did you see that? The Reuters article about the Asahi cyberattack that halted production?

Matt Calligan

[00:00:52:15 – 00:01:10:12]

I did, I did. You know, the first thing that did kind of tip me off to it was actually that threat sharing community we’re part of. They’re kind of reminiscing about when they first had their, how do you pronounce that? Asahi. Asahi? Beer or whatever. Everyone was talking about when I had my first beer.

Matt Calligan

[00:01:10:12 – 00:01:13:18]

So it was interesting that I was like, oh, something, something big is happening.

Navroop Mitter

[00:01:13:22 – 00:01:28:14]

You know, that’s interesting. I actually do remember my first Asahi beer, and I don’t know how to pronounce it. But I do remember my first one that was. Yeah, that was a long time ago. I don’t even want to admit how long ago that was. Right. Coming back to what actually happened, though, there. I mean, so there’s some obvious things, right?

Navroop Mitter

[00:01:28:14 – 00:02:01:17]

This is like that perfect IT entanglement, right? IT got hit. Bottom line stopped. Obviously there’s an impact on revenue in the supply chain. So this is not just theater. And no PII was leaked. Right. Those are all the basics in the article. But something that stood out to me was one or two lines in the article that brought up the fact that despite only having about 30 plants in Japan that make beer or other beverage or food products, they weren’t sure which ones had ceased production and which, if any, might still be operational, whether partially or in full.

Navroop Mitter

[00:02:01:19 – 00:02:23:04]

And what that seems to imply is that they couldn’t communicate even just among 30 plants. Right. It’s like you’ve only got 30. Call Watari, call it ten. You call it a hoto or a. And I’m going to mispronounce all of these Japanese names. Right. But call them up and just go find out whether they’re running. Do you not have a comms plan?

Navroop Mitter

[00:02:23:06 – 00:02:41:05]

Do you not have this baked into your incident response? When clearly, whatever this cyberattack was took out their day-to-day communications like email and chat, did you not have an out-of-band capability? And we always talked about how important that is for manufacturing. This seems to be like a real-world example of when that wasn’t addressed.

Matt Calligan

[00:02:41:08 – 00:02:59:09]

Yeah, yeah. Well, you know, we’ve got, what was it? Stoli. You know, they filed for bankruptcy after that cyberattack in ’24. You know, now they got the beer. I mean, if they do the whiskey, then I’m out and I’m just running for the hills at that point. I can’t, I’m done.

Navroop Mitter

[00:02:59:11 – 00:03:05:10]

That would be a declaration of war, right? You come for my whiskey, you’re about declaring war.

Matt Calligan

[00:03:05:15 – 00:03:06:23]

Yes. In the full force.

Navroop Mitter

[00:03:06:23 – 00:03:12:17]

And might of the military. And everyone else will be on your ass. Yeah, we’re whiskey.

Matt Calligan

[00:03:12:19 – 00:03:40:16]

Well, and it points to a challenge in, you know, OT-heavy industries like manufacturing and oil and gas and stuff. You can create a very big blast radius even with small interruptions around smaller manufacturers. It’s the thing that you’re seeing across all of these industries that are, you know, less than the most heavily regulated out there.

Matt Calligan

[00:03:40:20 – 00:04:11:09]

I the the way that I was reading this, it reminded me of how Colonial Pipeline got hit, right? I mean, they didn’t even get into the road side, but it was through the billing software that that ended up, you know, hitting them like Stoli. It was their ERP, right? And they had to go completely bankrupt. Colonial pipeline, we were, you know, fighting over gas for a week because they hacked their ERP or their, you know, their, their billing system, and they had to shut down the actual physical pipelines and or even going back to not patch you in manually.

Matt Calligan

[00:04:11:09 – 00:04:32:18]

It’s like the idea that OT and IT can live these completely separated lives. And the mistake I’ve seen culturally of kind of categorizing cyber as an IT-specific category, I think that’s kind of the root cause of a lot of these things.

Navroop Mitter

[00:04:32:21 – 00:05:00:17]

Yeah. You know, for years when we were first starting to pitch the ArmorText value proposition, we would actually bring up, you know, the 2017 case of NotPetya, right, and Mondelez and others, who are actually in similar sectors, I guess, right. Food production, cookies. They, during that attack, suddenly found themselves unable to access any of their own servers, or their on-premise solutions were down, their laptops and other devices were impacted, and so they couldn’t actually get out to anything else.

Navroop Mitter

[00:05:00:19 – 00:05:20:08]

And as they were trying to figure out how to communicate, they realized they didn’t have everyone’s phone numbers, they didn’t have some out-of-band comms capability. And they found themselves reconstructing phone trees, both by telephone itself, but also on things like WhatsApp or Yammer and other solutions. They were literally reconstructing them almost one by one. It’s like, hey, Matt, you have John’s number?

Navroop Mitter

[00:05:20:08 – 00:05:43:18]

Hey, John, do you have Joel’s number or Amy’s number? And that’s how they were reassembling these groups, in which they could then try to coordinate to both bring the business back up from a technical perspective, but also try to see what operations might be salvageable at that moment. Right. And so, yeah, absolutely. When you’re unprepared in areas like manufacturing, these kinds of attacks can have a huge impact.

Navroop Mitter

[00:05:43:18 – 00:05:54:09]

It isn’t just about taking out your email system that went down. It actually can have an impact on everything else, including the entire operations of the company. What makes you the actual money? Yeah.

Matt Calligan

[00:05:54:11 – 00:05:59:00]

Yeah, yeah. So we had to operate like manually for months because of it. Yeah.

Navroop Mitter

[00:05:59:00 – 00:06:11:16]

When we were at like con recently, you know, one of the guys brought up that I think it was the U.S. Virgin Islands when they had one of the storms that hit and they were unable to access a lot of the systems, it forced them back to pen and paper. And we’ve seen that in hospitals as well, too.

Navroop Mitter

[00:06:11:16 – 00:06:26:21]

Right. Your systems of communication plus your EMR, your electronic medical record systems, you know, they’re inaccessible and suddenly you find yourself having to literally resort to pen and paper, something that most people just aren’t used to doing for processing anymore.

Matt Calligan

[00:06:27:01 – 00:06:50:09]

Oh yeah. Yeah. And some of it’s not even doable, period. Like it’s only in hospitals and stuff. And it reminds me, really, it ties actually into my article that I was reading, and it just kind of came out this week. Our dear colleague Jen Easterly, formerly of CISA. It was a point, I think this ties into that because she wrote something and she kind of declared it very provocative. For me,

Matt Calligan

[00:06:50:09 – 00:07:15:05]

It was just common sense. But I applaud her for saying it because, you know, more people need to. But her entire point was these, these, these challenges that we see these continue, you know, hacks and breaches and interruptions there, the the the strategy and techniques that hackers used to get into these, they’re, they’re taking advantage of vulnerabilities that they’ve been doing for 40 years.

Matt Calligan

[00:07:15:07 – 00:07:34:18]

You know, she pointed out, like, Salt Typhoon, Volt Typhoon with the telecoms and stuff, the unpatched systems, poorly secured routers, devices built not for resiliency. These are all things they’ve been doing for decades. Right. And she went on to list, like, recommendations of, one, this is what we should do here. And there were four of them. I don’t remember all four.

Matt Calligan

[00:07:34:18 – 00:07:54:05]

But the first one was, you know, clear accountability and liability for negligent software design, because that was our whole point, was that we don’t have a like we don’t have a, a, a, a the challenges that we have a bad software problem. Right? We don’t have a cybersecurity problem. It’s not that we’re not using enough AI or something.

Matt Calligan

[00:07:54:08 – 00:08:02:17]

The problem is that we’ve been building really lousy software, that is not built for resilience. And,

Navroop Mitter

[00:08:02:19 – 00:08:19:23]

A lot of that has to do with the incentives, right? You’re producing the software. Ultimately, you know, and I don’t want to go into too much detail on this topic just because it is a much longer thing. We probably do a full episode on, but, you know, I like it. Ultimately, what you’re incentivized to do is meet a compliance standard.

Navroop Mitter

[00:08:20:02 – 00:08:38:11]

Yeah. Check the box or something else. Right. You’re incentivized to go check the box. And oftentimes that compliance standard is a look in the rearview mirror. Right? I’m driving down the street. I can see what happened behind me, but I’m not looking forward as to what might be coming next. And that’s what these compliance standards are about.

Navroop Mitter

[00:08:38:11 – 00:08:58:10]

They were built around things that took place 20 years ago. And so often as you’re working towards that, while at the same time still getting basic cyber hygiene and patching and things like that, wrong, right. And so it’s a mix of a lot of things. Right. But you’re right, there’s a software quality problem. There’s an incentives and liability challenge.

Navroop Mitter

[00:08:58:12 – 00:09:17:03]

We do need to start to work through those. Right. Because if all we’re measuring vendors by is that checklist and whether or not they check the box on something without really evaluating the security model, that’s why you wind up with some of these common solutions out there that, you know, it’s simply username and password that stands between your adversary and your most sensitive comms.

Matt Calligan

[00:09:17:03 – 00:09:43:10]

Yeah. Well, that was that was a comment that I made in, in the she, she posted this sort of a summary on LinkedIn and I said, you know, as a response, I said, you know, enterprise innovation moves at the speed of compliance. You’re not going to get these giant organizations to, you know, invest heavily in something without knowing that they’re going to immediately turn around, be able to sell it for more like it’s not an ROI equation.

Matt Calligan

[00:09:43:10 – 00:10:10:14]

And until it costs them more to not comply, they’re they’re going to keep kicking the can. And I said, why? Why stop with just vendors. Why, you know, things like the SoC, the compliance standards, they’ve been sort of I mean, I mean, people have been told they’ve been resisting modernizing because that cost like if they modernize their requirements, then it’s going to force all this kind of cascading extra cost down on these mega enterprise software vendors.

Matt Calligan

[00:10:10:15 – 00:10:26:04]

And that hurts us, right? Where these innovative solutions like, oh, we got to spend months and money trying to jump through these soft compliance requirements that, you know, aren’t, aren’t even, aren’t even up to par with what we’re building here. It’s it’s, it’s crazy.

Navroop Mitter

[00:10:26:06 – 00:10:38:16]

There are times where you have additional controls you’re adding on solely for the sake of checking the box, not because they actually add any additional security value, because what would add security value has actually been addressed in a completely different way.

Matt Calligan

[00:10:38:18 – 00:10:39:04]

Yeah.

Navroop Mitter

[00:10:39:06 – 00:10:51:01]

But you need to go do something over here. So it makes it easier for the auditor to do their job, rather than having to spend a lot of extra time digging in and understanding something that, frankly, oftentimes they’re not even qualified to understand.

Matt Calligan

[00:10:51:03 – 00:10:55:23]

The auditor is literally looking for the box being checked. They’re not even asking the right questions.

Navroop Mitter

[00:10:56:01 – 00:11:14:04]

Yep. Takes me back to my days in auditing, consulting. All right. Let’s move on to a different one that came up. Right. And that’s, okay, so this is about messaging. It actually has nothing to do with the enterprise, Matt. I don’t know if you saw this one. It’s actually about text messaging scams, right. I figured it’s, you know, it’s messaging related.

Navroop Mitter

[00:11:14:04 – 00:11:36:00]

So it’d be kind of fun to bring up. There’s an interesting thing that jumped out about this rise in, you know, reporting around, like, scams that originate in text messages. For 18-to-29-year-olds, the number of, you know, folks reporting a scam that they fell victim to jumped from like 13% to 40% in a single year.

Navroop Mitter

[00:11:36:04 – 00:11:57:21]

That’s crazy. We have to increase. But for a generation that is supposed to be tech first. Such avenue. Right. All of this. Right? I mean, overall it jumped by 50%. But for the 18 to 29 year olds, the kids who literally they live, breathe, die, sleep with a phone number, you know, texting continuously, they live their entire lives over chat.

Navroop Mitter

[00:11:58:03 – 00:12:04:06]

I keep hearing that no one knows how to approach someone at a bar anymore because, you know, you don’t have to talk with their phone.

Matt Calligan

[00:12:04:07 – 00:12:06:07]

You don’t think, yeah, right. Exactly.

Navroop Mitter

[00:12:06:07 – 00:12:21:14]

Right there. The phones aren’t immediately doing it for them. They want AI avatars to go help them while they’re at the bar trying to pick someone up. And yet for everyone else, those text and messaging originated scams jumped by 30%. For them, it was literally a 3x drop in a single year.

Matt Calligan

[00:12:21:15 – 00:12:27:02]

I had to read that line twice. I was like, surely they mean like 89 to 92 year olds or something, right?

Navroop Mitter

[00:12:27:04 – 00:12:49:23]

That read that a couple times too. Right. And we’re going to link back to the original article. Maybe other folks will play different, take them out, interpret it. But, it’s interesting. There was a couple theories in the article about what was so special about this age bracket and what made them so susceptible to this. And the experts in the thread, I believe they basically brought them like three trends of this are colliding right now.

Navroop Mitter

[00:12:49:23 – 00:13:15:16]

I’m going to try to summarize them from memory here. Right? One was they live in messaging and texts. Right. This is a text-native world for them. Two, they’re used to large group threads on these text chains that oftentimes involve a lot of unknown folks. It’s not abnormal for them to suddenly just engage in text with someone that they don’t really know or that they only vaguely recognize or think might be familiar.

Navroop Mitter

[00:13:15:18 – 00:13:36:06]

And then three, they actually might just have less experience spotting scams and being burned. And so into the novel as a, as hesitant, it feels like a trusted channel of communication because, well, they, they have my phone number and they’ve got my, you know, they’re chatting on the same application I’m chatting on. And so clearly and most probably just someone I know from the group.

Navroop Mitter

[00:13:36:06 – 00:13:43:02]

And so if they’re asking for X, it’s probably not that big of a deal. But it’s sort of like they were living on these three trends.

Matt Calligan

[00:13:43:02 – 00:14:02:19]

Right? Right. Yeah. Well, I mean, that’s that’s the, the age bracket thing is the thing that always makes me do the double take because, you know, use it makes sense in so many other generational brackets, you know, even with Pete heads. Right. I mean, he, he fell victim to the same unknown party kind of situation in his chat threads.

Matt Calligan

[00:14:02:21 – 00:14:22:09]

But, you got, I mean, so many other layers of generations and stuff like that seem to be the ones that are the most visibly getting taken advantage of. This, you know, the. It was Susie Wiles, chief of staff, you know, Marco Rubio, they’re all it’s you see these being the headlines, not this age group.

Navroop Mitter

[00:14:22:11 – 00:14:44:10]

But but it takes me back to a conversation I was having with, former ambassador from the US to Australia. Jeff, like, when he was, I think, running for deputy governor in the state of California, if I’m not mistaken, during that campaign, we were discussing the need for cybersecurity and awareness education as almost like a public good that had to be brought into the state of California.

Navroop Mitter

[00:14:44:12 – 00:15:02:16]

And while we were doing that, a lot of the emphasis was on the elderly because it was assumed that they were the ones we’re most like this fall victim to these things. And now, looking back to what that entire conversation we had as a group of cyber experts talking about, you know, what are the kinds of things we could invest in as a state.

Navroop Mitter

[00:15:02:20 – 00:15:05:07]

Now I’m wondering if really we should have been talking about the children.

Matt Calligan

[00:15:05:13 – 00:15:11:09]

Right, right. They gotta, yeah, they need to be educated too. They’re not just instantly going to absorb this stuff.

Navroop Mitter

[00:15:11:11 – 00:15:31:21]

Now our, our our thought process then when it came to the kids was to actually focus those kinds of educational resources more on on awareness about, you know, predatory behavior, but more often, like the sexting scandal around or asking for nudes or things like that. We had thought about these kinds of scams and the kids we kind of figured they would be, you know, more than up to date on that or.

Matt Calligan

[00:15:31:22 – 00:15:33:07]

Left that one out. Right.

Navroop Mitter

[00:15:33:12 – 00:15:37:14]

And yet it turns out three x in a single year.

Matt Calligan

[00:15:37:16 – 00:15:57:14]

Not it’s not. Well, staying on the telecom theme, I got one here. You know, everybody’s been wringing their hands over the Typhoons, right? Volt and more recently Salt Typhoon. But there’s a new one here called Phantom Taurus. I don’t know if you, you probably saw this one, but it’s from Unit 42.

Matt Calligan

[00:15:57:15 – 00:16:25:04]

It is a, allegedly a Chinese APT. Right. And their goal is not the typical sort of smash and grab where they’re going after sensitive data to bribe their they are taking their time and they’re going deep. And the article that I was reading actually came from Unit 42, and they were saying that the only thing to explain why they’re working so hard to stay off the radar is espionage, right?

Matt Calligan

[00:16:25:04 – 00:16:51:07]

The the they’re not again, they’re not it’s not mass, you know, export of data. They’re they’re going after government agents and critical roles in different organizations, whether it’s geopolitical or military. They even said they’re doing embassies and foreign affairs, but they’re they’re accumulating information. Right. This is this is the old school, you know, espionage stuff where they’re going to be start using this for leverage.

Matt Calligan

[00:16:51:12 – 00:17:12:04]

And it brought me back to that comment that Joe Slowik said on our podcast when we were talking about Salt Typhoon. He said if they can access it, they can shut it down. And that’s, you got to take a second look at that kind of thing. You can’t just sort of categorize that behavior in the same bucket as all these other cyberattacks.

Matt Calligan

[00:17:12:04 – 00:17:38:12]

When you see them taking this time specifically to, to dial in. And it really begs for me, it really begs that question about, you know, people who assume certain technologies will be there in these kinds of crises. They never they they, they simply assume it’s going to be working. It’s going to be functioning. And they assume that functioning means it’s okay, but we have to.

Matt Calligan

[00:17:38:14 – 00:18:13:16]

We’re in a world now where you have to assume, even if it works, is probably contested, is probably degraded. They’re probably listening in. You can’t operate as if this vendor is also, managed to avoid being hacked, even if you’re in the midst of trying to respond to it. The I was it you? They told me this I can’t remember one of our telecom clients mentioned, you know, the that during whole typhoon, it was another telecom that got hit and they were trying to reach out to Microsoft and neither Microsoft or this other telecom would trust each other’s technology to, to, you know, execute on on the plan.

Matt Calligan

[00:18:13:16 – 00:18:14:01]

You know.

Navroop Mitter

[00:18:14:05 – 00:18:34:23]

Yep. You know, I’ll give you the background on that one without naming any names here. Telecom A needs to talk to Microsoft, and Telecom A says, hey, we don’t trust jumping on Teams with you because we don’t know if they’re listening in on the Teams environment. And I think someone at Microsoft said at that point, well, what would you like to use?

Navroop Mitter

[00:18:34:23 – 00:18:51:11]

And I believe Telecom A responded back saying, hey, can you jump on Signal or something else? Right, right, right, equivalent. And like, hey, we’re not sure if we’re allowed to use that. We’re not sure if that’s trusted. We don’t, you know, have an enterprise, you know, approached us. And so they had to come to a consensus.

Navroop Mitter

[00:18:51:11 – 00:19:08:18]

They could communicate. But yeah, to your point, there was a lot of concern about who may be listening in. At that point, no one quite knew. And this is where, you know, anything short of end-to-end encryption for those kinds of comms becomes an issue, right? Whether it’s the messaging or the file sharing or the voice, video,

Navroop Mitter

[00:19:08:18 – 00:19:20:00]

and screen sharing. Yeah. You want to make sure that you’ve got end-to-end encryption in place for those things. So you’re not relying on that transport layer security alone to protect those communications, because those are going to get tapped.

Matt Calligan

[00:19:20:02 – 00:19:39:21]

Yeah. Yeah, I that’s one of the things that I talked to a lot of, you know, when we’re walking through this plan, it’s like you have to operate with that assumption that you’ve already been compromised. They’re already listening because you never find out the moment they breach you. You find out six months later, a year later, or in something.

Matt Calligan

[00:19:39:21 – 00:19:44:11]

And in this case, many years later, and in some of the cases with these new APTs or for.

Navroop Mitter

[00:19:44:16 – 00:19:59:04]

This next one you’ve got here, Matt, I just saw your ping on what you were about to bring up. This one. Everything was, I think, I think your one piece of way back in the day and sounds like something new is happening with Proton now too. Oh yeah, Microsoft ICC thing. So I’m going to let you tee it up.

Navroop Mitter

[00:19:59:04 – 00:20:02:06]

And then I think just been a really interesting one here.

Matt Calligan

[00:20:02:08 – 00:20:12:08]

Well yeah. So we already know about the ICC and Microsoft shutting down the, you know, the specific email address of somebody. Apparently the, you know, the White House wasn’t it.

Navroop Mitter

[00:20:12:08 – 00:20:19:22]

Was a phone. It was it was a lawyer I think it was or council was is Karen Colin I think it’s the unlikely. Yep. They had his account shut down.

Matt Calligan

[00:20:20:00 – 00:20:42:22]

Right. So, I mean, we knew you know, we kind of suspected even what, even during the. I forget what the actual, you know, being there on the stand in a in France, a Microsoft executive. And they would not they basically, you know, admitted under oath that they they can’t guarantee that they can’t access your data, even if, you know, you’ve taken all the quote unquote necessary precautions for your data.

Matt Calligan

[00:20:42:22 – 00:21:04:03]

Right. But even with Proton, right, they’re there now. I mean, they’ve kind of walked it back and sort of pretended like it was an oops. But, you know, we saw it in black and white. They can shut down journalist accounts, just because a certain country doesn’t like them or, you know, was concerned about it or, you know, complained to the vendor about it.

Matt Calligan

[00:21:04:06 – 00:21:05:08]

Okay.

Navroop Mitter

[00:21:05:10 – 00:21:30:15]

That was why you’re starting to see, you know, a lot of concern when at least when I’m traveling abroad in Europe and other parts of the world, right. There’s a lot of concern about whether or not they can continue to rely on cell services, in particular, that are either domiciled here back in the states or that rely on the goodwill of a US based entity to continue to operate and to continue to allow them to have access.

Matt Calligan

[00:21:30:15 – 00:21:40:08]

Oh, the malfunctions around us. Yeah, there’s a huge shift in that appetite for the you know, I’m literally talking here having the same conversations.

Navroop Mitter

[00:21:40:10 – 00:22:02:10]

Yeah, I know a lot of people position it as a data sovereignty thing, but I think there’s actually a distinction to be made between data sovereignty and sovereignty of infrastructure. Right. Those are not necessarily the same thing. The sovereignty of the infrastructure implies that, you know, even the infrastructure, the very platforms upon which you’re running can’t necessarily be impacted by a user entity that might be under pressure to take a step.

Navroop Mitter

[00:22:02:10 – 00:22:21:06]

Right. So if this was the kill switch that connects some more and number of other things, you need to know that your infrastructure is still safe, right? This is actually going to be the subject of a talk that we’re giving over at Black Hat in the Middle East in December, because my understanding is this topic has become a hot button issue even out there.

Navroop Mitter

[00:22:21:08 – 00:22:48:05]

Different reasons, different threat models. But this is also a lot of what led to the launch of what some of our listeners probably know about, the ArmorText Icelandic Sovereign Edition, right, where their threat model, because of the geopolitical risk, it’s not about, you know, any beef with the US. It’s actually completely different. But they too understood that they needed to have implementations of ArmorText that would survive multiple other types of risk.

Navroop Mitter

[00:22:48:05 – 00:22:55:05]

Right? Cables getting cut as an example. And that would be operational on the island independent of anything else taking place on some of the world.

Matt Calligan

[00:22:55:07 – 00:23:14:18]

Yeah, yeah. You can’t just trust a single vendor anymore. You can’t, you know, the you know, the, the the old logic was, well, we have one throat to choke. You know, we can we can use the leverage of, of all the, the money we pay the single vendor to, you know, to get good service and get, you know, good cost and efficiencies.

Matt Calligan

[00:23:14:20 – 00:23:23:19]

But, you know, we’re seeing now that bad guys and governments can, can choke that same throat. And you just there’s nothing you can do about it.

Navroop Mitter

[00:23:23:21 – 00:23:50:10]

Well, it’s not necessarily that you can’t trust that that’s what single vendor is just they now need to be augmented by a, a kind of a cast of characters around that entity that can then help take over for certain operations that have contractual obligations that, you know, suddenly actually cut you as the primary vendor off from being able to do certain actions and automatically hands it over to a certain cast of characters who then are helping keep things alive.

Navroop Mitter

[00:23:50:10 – 00:24:19:02]

Right there. There are ways to do this. And so part of what the talk is going to be in December and so on. So that talks happens. We might actually just publish a portion of what we were discussing there. Yeah. The lawyers and I’ve been talking through a lot of this kind of thing, and we think we have thoughts that are relevant, not just for us, but for any SaaS company that’s looking to kind of replicate that sovereign infrastructure approach to serving the needs of companies as well as entities in, in, you know, other countries are they want that autonomy?

Matt Calligan

[00:24:19:02 – 00:24:30:00]

Yeah, yeah. Yeah, absolutely. When I saw you, I saw you, one of my favorite things to hate on, you posted you were looking at an article about SATCOM. They’re kind of similar. Similar?

Navroop Mitter

[00:24:30:02 – 00:24:37:15]

Yeah. There’s actually a lot of ties back into that whole espionage angle you were talking about earlier, right? When? Where who is it? Trauma. Photon. What?

Matt Calligan

[00:24:37:20 – 00:24:41:12]

What really cold photon. Boris. Yeah, yeah.

Navroop Mitter

[00:24:41:16 – 00:25:06:14]

His name is. Are you seeing more and more? Well, you know, they’re burrowing so deep in order to go do that espionage. It turns out they just spent 800 bucks and literally spied on some of the geostationary satellite signals because they’re unencrypted. And it’s exposing sensitive data, including texts, calls or internet traffic or communication, like remote infrastructure, like it was on oil rigs and military intelligence.

Navroop Mitter

[00:25:06:16 – 00:25:22:08]

That’s how we would do it. We would just spend the 800 bucks together, 5 or 6 different components together, and small patch of the sky. And listen in to the SATCOM. You know, this isn’t exactly new, right? Wired just ran the article, which is why we’re bringing it up. And I think there are a bunch of Instagram Reels that were just made about it.

Navroop Mitter

[00:25:22:10 – 00:25:42:21]

So I think we’re gonna link to one of the Instagram Reels because the person who posted was rather entertaining about it. But yeah, researchers at the University of California, San Diego and the University of Maryland were the ones who demonstrated that they could just pick up the signal looking at a tiny part of the sky for 800 bucks and a few hours of work, and you could get a whole load of those sensor accounts.

Navroop Mitter

[00:25:42:23 – 00:26:07:08]

Crazy. You need to do this long-term burrowing and everything else just for listening. And yeah, and while it was bad here in the US, the article actually made a quick point to say it’s even worse for our southern neighbors in Mexico, because the leaks that were observed were even worse. Apparently they were relying on these kinds of, you know, highly vulnerable geostationary satellite communications for a lot more than even what we rely on them for.

Matt Calligan

[00:26:07:12 – 00:26:42:01]

Yeah, yeah. When I see this, there’s an entire it’s not even a shift. It’s just a it’s a bifurcation of folks using this like I’m, I continually I just I can’t help but grimace when I mean, clearly we talk about, you know, communications resiliency every day with people and plans and technologies and all this stuff in place. And every time someone is like, oh, our backup plan is we have sat phones and even even B, I mean, this this is just a, you know, icing on the cake, the fact that this is unencrypted.

Matt Calligan

[00:26:42:04 – 00:27:16:15]

But I mean, the the fact is they’re, they’re very limited in functionality. They have a single single use case. It’s just audio. There’s no ability to expand it to do anything else. And, and they’re, clunky and they’re, you know, you can’t use them inside. And if it’s raining and blah, blah, blah, and and so what what I’ve seen in this is this bifurcation with executives who take all their security strategy cues from, like, you know, Jason Bourne movies, are the ones who are asking for the cool sat phone because they’ve grown up seeing satellites as being cool.

Matt Calligan

[00:27:16:15 – 00:27:45:23]

But the real guy, the real teams that are security operations centers that are responsible for taking that call and initiating some sort of remediation effort, they’re actually going completely opposite. They’re going with encrypted messaging off, you know, technologies, over SAT data. So they’re not even trusting that layer to, to protect it, but it also gives them a wider, you know, functionality and wider abilities to do other things other than just talk via audio.

Matt Calligan

[00:27:45:23 – 00:27:51:08]

It’s, it’s interesting to watch. I don’t know how long it’s going to take to get the executives to catch up to it.

Navroop Mitter

[00:27:51:10 – 00:28:13:11]

Yeah. I mean, like, if you instead solve for SAT data, you can do a handful of things. One, you can use end-to-end encrypted platforms like ours or, or others, and you can use them for voice, video and screen sharing, plus messaging and file sharing. But if I’m not mistaken, you can actually, done right, use your phone and hook it up as Wi-Fi calling through the SAT data.

Navroop Mitter

[00:28:13:13 – 00:28:23:14]

And that actually gives you even more flexibility in how you communicate, right? It kind of helps you reestablish even some of the the normal pathways, so to speak. Besides those applications.

Matt Calligan

[00:28:23:19 – 00:28:26:09]

Yes. I never thought about the hotspot. That’s true.

Navroop Mitter

[00:28:26:11 – 00:28:47:20]

Yeah. If I’m not mistaken, you can actually tether up to them. You got the little router going and it’s got a signal and you use the Wi-Fi calling. At that point, if you go right, you know, it’s it’s kind of interesting that you brought up the point of as the single use case. The way I’ve been position is when I talk to switch to like physical security, which is ultimately your walkie talkie and the cell phone now included.

Navroop Mitter

[00:28:47:22 – 00:29:08:05]

These are low-context devices, right? They’re not going to allow you to prepare or share a visual. You can’t say, here’s what the attacker looks like or here’s what, you know, the group looks like that’s outside of our gates right now. You can’t share a site plan if you needed to. You can’t share an evacuation plan if you needed to.

Navroop Mitter

[00:29:08:07 – 00:29:29:13]

Do, you suddenly had to sketch out, you know, a new architecture for how to go do things or make a, you know, list of complicated instructions and details. You couldn’t just do that, take a photo and send that across so people would have absolute clarity of what you’re talking about. You have to dictate over the phone very slowly and make sure I use notes to go get the job done.

Navroop Mitter

[00:29:29:13 – 00:29:43:20]

Right. It’s just it doesn’t make sense. Yeah, right. This is the modern enterprise. The more complicated our environments get, the more we need precision in how we communicate. And that means over time is more than just voice.

Matt Calligan

[00:29:43:22 – 00:29:45:12]

Yeah. Yeah, absolutely.

Navroop Mitter

[00:29:45:16 – 00:29:51:09]

Well, I think that brings the list of articles to an end. But unless you’ve got something that and it see in your notes.

Matt Calligan

[00:29:51:14 – 00:29:58:18]

No, that’s it for me today. That was that was, that was those are the things that were, you know, gave me something to spout off about.

Navroop Mitter

[00:29:58:19 – 00:30:02:07]

Yeah. Hopefully, hopefully you enjoyed this first edition.

Matt Calligan

[00:30:02:07 – 00:30:06:18]

Yes. And I try. Yeah, it’s a nice a nice first run. Nice first run here. I like that.

Navroop Mitter

[00:30:06:23 – 00:30:11:14]

We might have to keep doing this. It’s a lot more natural than I thought. We actually have this done the single take.

Matt Calligan

[00:30:11:16 – 00:30:15:02]

Yeah. Yeah, look at that. We can talk for an hour without having any problems.

Navroop Mitter

[00:30:15:02 – 00:30:16:18]

Yeah. I’m not sure if that’s a gift or a curse.

Matt Calligan

[00:30:16:23 – 00:30:17:10]

Maybe both.

Navroop Mitter

[00:30:17:13 – 00:30:20:01]

Maybe both. With that, Matt, I will let you take us out.

Matt Calligan

[00:30:20:06 – 00:30:44:23]

Well, this was the Lock and Key Lounge riff edition. I am Matt Calligan, director of growth markets here at ArmorText. And, you know, if you got a topic, a war story or even a fix, you know, you want us to riff on, hit us up. You can email us at lounge@armortext.com. And, of course, you can find more of our special riff edition and just regular episodes at armortext.com/podcast.

Matt Calligan

[00:30:45:01 – 00:30:57:06]

Until then, be vigilant, stay curious, do good work.
