
Nathan: Today we have with us Jake Rogers, the chief information security officer at Copper. Jake, thanks so much for your time. Thank you for coming on our show.

Jake: Thank you for having me.

Nathan: I found out about Copper through the announcement with the Avalanche network. And I took a deep dive into multiparty compute and the general Copper platform.

Can you talk to us a little bit about how Copper does secure offline custody?

Jake: Absolutely. Probably a few key pieces of that to talk about, but I think essentially I'm pretty much at the very core of the business and this is something I know people throw around a lot, but at Copper is something we actually do, we commit to, and I'd like to think and hope that we get it right.

So we are what I would call a trustless and it's truly trustless organization. So the premise behind MPC. You have multiple parties that require a shared secret. However, these parties can never have any understanding of what those shared secrets actually look like outside of what they're holding.

So think of it as breaking a key or a private key, such as an RSA key, any sort of encryption key, and think of breaking that in serves all three constituent parts. Now the technology that we have, the technology we leverage in Copper, something which follows that strategy of MPC, what it allows us to do is to create a shared session between three parties, normally three individuals, one belonging to the customer's organization, their trusted third party and Copper itself. And we can then generate individual keys, belonging to each of the parties or each of the recipients in a single session without ever having to transmit that key data back to a central server without ever having to have knowledge of any of the other parts of that key. We call them shards, so I'm referring to them as shards going forward because that's slightly easier for me as to the language I'm used to. Now, importantly as well, when you come to transact anything that is done on the blockchain level requires two of three shards to be presented back.

And actually when I say presented, it was probably a bad use of words for that. It doesn't actually have to have the shards transmitted anywhere. They will always live and stay locally on the device. What it will do is it will do multiple rounds of computation using these shard pieces. And the outputs from the computations will then be sent to the central server.

Those outputs will then be used to facilitate transactions on the blockchain. So I think when we talk about Copper and very important to know, and I'm aware of a few other providers that do too similar, but I'm not aware of any of the same size or the same juncture that we are.

There are a few key players in the space that do also utilize MPC, but we tend to find that those will also warehouse and store your MPC centrally somewhere. And that's what we try to avoid. It's a methodology, I think it predates me, it's something that goes back to the early two thousands, the sort of trusted architecture and reading up on MPC and Shamir secret sharing is something that has been around for a while, but never really been deeply explored or investigated until it became something to facilitate blockchain transactions so I think we can probably think that they're calling for that.

So yeah, I think that's pretty much Copper in a nutshell, we are, I would say custody first and not speaking now on behalf of the company, only on myself, but toward the future, I see this as tomorrow's payment fabric.

So where we have the Swifts that backs all of these services to do facilitate interbank payments and Intercontinental transfers and all of these fairly inflexible, very rigid things, currently I could see those being replaced in the very near future, actually by a lot of the technologies that we're building up today.

Nathan: You mentioned that there are other players in the platform that utilize MPC, but they warehouse the shards somewhere. As I recall, doesn't Zengo, I have a Zengo wallet, doesn't it store one of the shards on iCloud?

Jake: So it'd be inappropriate for me to discuss that technologies, firstly, because I might be wrong. But yeah, secondly, in the interest of fair competition.

Nathan: Understood. Where are the shards stored for a user? Could you go into that?

Jake: Yeah. Yeah, of course. So the part of the signup process, once you've been through AML and KYC, you will gain access to the platform. On the platform, you can download the Copper unlimited client. And that can be downloaded to a Windows desktop, Mac desktop, iPhone, Android, we've various clients for various flavors of machine and the operating system.

And that is the client that will actually be used to generate the shard pieces. So when you fire it up and maybe slightly difficult to visualize, but you have the option to create a wallet. So you can do that, or you can join a session. The creator of the wallet will initiate the session and they will then get a session ID spout back to them.

The session ID can then be used by the other parties to connect back through a central server and during the same session for the initial round of transmissions to start to generate those shards. And it's fairly similar behaviors that would be observed if we were just trying to transact to the blockchain. So I past the point of becoming a client in generating the wallet, the process remains fairly the same. It's very similar.

Nathan: So you initiate a session and the session is joined through a central server. Can you go into how that server is set up? What where's the trustless mechanism?

Jake: So the trustless piece is really more about very sort of low level encryption. I'm getting slightly out of my depth here because I'm not a cryptographer, but the trustless piece comes about as a result of use utilization of the MPC.

There is a very specific round of requests, which have to be sent at the outputs of this first round must match. If there was an attempt to intersection, even at the server, then the rounds of computation would fail and therefore either the charge would not be generated or the transaction could not be processed.

So the trustless piece comes about by saying that we are the secret holders in this instance. So for example, if me and you joined a session let's just pretend this is a two of two shard. So myself and yourself joined the session. We generate the shards and we are then both the sole possessors of these shards.

Now at no point in time, have these shards been transmitted back. The central server has absolutely no knowledge of what they are and it is it shouldn't be able to glean that either. Now there is no requirement on me and actually if I talk about an external entity to the organization, so if I talk about our customers, there is no requirement on them to ever have us in a position where we are able to transact on the blockchain without their knowledge, their authorization and their participation.

So that's really the trustless element for me and that's what I'm referring to when I say trustless. If I put it conversationally, you don't have to trust us because there's nothing we can do. If you decide to store your crypto with Copper and there is ever a position or a situation, actually something the CEO likes to say is we could take all of our shard pieces tomorrow and we could publish them on the front page of the Financial Times, and there should be zero risk to client funds or assets. And that's sort of the whole trustless piece, you're removing any element of trust you would have to have for us from the conversation entirely.

Nathan: Now if the Financial Times also carried our shards, then we'd obviously be broke.

Jake: Oh yeah. Yeah, you wouldn't want to publish two or two or three shard pieces. It's definitely not. And yet if the Financial Times had multiple shard pieces and they will be able to transact on the blockchain level.

Nathan: So if the only way for an attacker to get the shard piece would be to hack the Copper accounts or like some password manager, what's the threat surface?

Jake: So there are, what we present is we present two of three by default, which means there would need to be two of three shard pieces present. At this ceremony too, to make sure that the outcome was a success.

So let's assume that myself, yourself, and any trusted third party, anybody you choose to nominate normally, generally that will be a solicitor, or it will be somebody trusted to the client, but it will be a separate entity or an organization. Now sometimes larger organizations that's not possible. They have various policy or controls or structure in place, but they're able to warehouse those in a way that they feel they are removed enough from at least their area of the business that offers them an additional level of assurance. So they would have to hack Copper, they would also have to hack yourself as the customer or the trusted third party, but two or three of those organizations would need to be breached in order to lose those shard pieces that would be required to do anything on blockchain level.

Nathan: Got it. That's clear. What's the status of insurance that Copper offers can just be presented to someone like Lloyd's or some other insurer.

Jake: Absolutely. So any funds that we have on the platform, they are insured by default. I can't go into the specifics of the policy. It's something we safeguard very carefully. I know it's very common actually in the industry because the insurance is one of the most difficult things, I think for anybody in this vertical, because there are so many horror stories out there. There are so many records in the public domain of things going wrong, especially as it's pretty much a brand new technology and the accessibility of it was open to everyone. So there are a lot of bad stories out there. And I think insurers when they view a business like ours, it's difficult for them, firstly, to quantify and understand the risk really. When we present them with something like MPC and we start talking about being trustless and we start talking about this warehouse of other technologies that we have in play to safeguard assets. It's very difficult for them. They're not used to these technologies. Actually quite a lot of the conversations I have outside of Copper are in and around the intricate details and delicacy of an MPC and some of the other parts of the stack as well. I can say that all funds are insured and it's by a leading insurance provider in the UK. But I can't really say any more than that.

Nathan: Okay. So you can't discuss like limits?

Jake: Unfortunately not.

Nathan: Okay. Got it. So users would have to sign up to Copper to be to understand that. Can you explain can you go over how the pricing structure works for Copper?

Jake: So the pricing structure, and this is it's a fairly complex case because it's not just the core service I would say would be custody, but we have a lot of tertiary, secondary and tertiary services. So we have offerings such as ClearLoop. We have and actually, it really depends as well on the type of individual. We have as customers everything from your high net worth individuals to very large institutions. We have a plethora of different use cases, everything from high-frequency traders to NFT collectors. It really depends on the usage of the platform, the type of offering that you're uptaking and the amount of attention that your account will need from the likes of account management and interventions from various other people within Copper, I would say that all of our quotes, all of our pricing is relatively tailored to each and every use case, it's very difficult for me to give a standard, because I think if we went back through and we went back through the billing, there would be very little conformity between the invoices we issue out. And that was mainly due to the complexity of some of the products and services that we do offer. It's a highly competitive market. I will say that. And generally, I would say if you have enough crypto to be concerned about it falling prey or falling victim to an attacker or to somebody that shouldn't be anywhere near your crypto, it's probably worth considering a custodian because the prices are likely far lower than you think.

Nathan: So NFT collectors, are there MPC shards for moving ETH NFTs?

Jake: That is something we are currently working on. I don't know the specific release date in and around some of the components of that, but it's something we're actively working on now. I know we've had a lot of interest. Externally to be able to warehouse these collectibles and it's something that it's been pushed to the front of the development queue, because it is so frequently requested now.

Nathan: A lot of the risk in NFT comes from the metadata being pulled down from the servers by let's say a malicious seller. As someone who is a former pen tester and CSO, could you go into how that sort of mitigated in an MPC scenario?

Jake: So the MPC itself wouldn't really provide any additional protection in that scenario. But what we do is we have various technologies stood up. We undertake regular assurance testing by, actually some really leading organizations. So we work with the likes of SY4, BAE, Bridewell just to make sure that we're doing things properly, everything that we release will be tested before release, and it will be tested incrementally throughout the year. And that sort of minor and major revisions as well. So whenever there is a need for it, we will make sure we have the appropriate people come in with the relevant skill sets and run that security testing. I would have to query the developers in terms of what is currently in the pipeline in and around security on those. I don't have them to hand and it's been a very busy week. So you have to excuse me.

Nathan: From my understanding, if the NFT image hosting server, or let's say AWS or IPFS is either moved that's the sort of threat surface for that. So I assume that a Copper MPC wouldn't address the hosting, but rather the key movement.

Jake: So the MPC is specifically around the facilitation of transactions. I think possibly what you may be referring to when you mentioned environments being moved on AWS or cloud providers, you may be referencing sort of memory dumping and that's been possible for some time. I know there are some safeguards in place. And people realize, I think quite a few years ago now that in a virtualized environment, when the memory or the RAM was flushed, there may still be remnants of the previous memory there that was recoverable to a point. In some instances, it was recoverable enough, the private keys and other what should be very secure artifacts could be dumped out of the memory and then used for various nefarious purposes. Is that what you were referring to?

Nathan: I'm more referring to just a 404 error, just people just moving the source file. Cause the NFT has JSON metadata attached to it and it's just a 721 smart contract with a photograph basically. And if someone removes the photograph then you're out of luck.

Jake: Sorry, I was going down the more complex attack paths. So we build microservices so our entire architecture it is elastic is recoverable. We are at point now where I'm quite confident that if an individual service goes down, that it will fail gracefully and it will give us time to recover. In and around the safeguards and specifically around HTTP HTTPS, we will stand up the tried and tested and true. So my approach is always to go with what is known, what is tested, but I think we'll likely to be standing up a lot of your traditional controls, your web application firewall. I know we have with Canary tokens and various other bits and pieces going forward with that as well.

I'm not sure off the top of my head though, if I was to defer back to the technical docs, exactly what part and what component is doing, which job.

Nathan: Got it. Would you go into the assets that Copper currently custodies?

Jake: So I think at the moment we have, we may just be in excess, I think of 200, there is a very short, actually time to live. Generally, a customer will request a token. We have a fairly rigorous process to determine whether it's something that's really appropriate for us to have on the platform. And what I mean by that is in terms of compliance and probably speaking at a slightly higher level regulation by the FCA by the SEC.

These are all things in the crypto world, which is probably quite perverse, if you come from traditional finance that we would welcome. So in a lot of instances, we already follow a lot of the rules, a lot of the regulation, the advice and guidance is handed out by the regulators in regards to these things. And we would treat them as we would any traditional asset. We make sure that money laundering rules can be applied. We make sure know your customer is applicable across every asset we safeguard. It does give us some issues. In some instances, whereby privacy tokens, for example, they can be quite challenging.

But inside of specific use cases with specific clients we are normally able to get the sign off, but it's over an ever expanding set. Then it does expand fairly rapidly. I think our normal time to live is around two weeks. So that's from the requests coming through the door to having that full functional audit and all of the paperwork done to being on the platform is normally 10 to 15 days, I would say.

Nathan: So that's a huge amount of assets. I'm not even sure Coinbase has 200 assets.

Jake: It's a highly diverse place. Yeah. A lot of the times it's generally I think because we're so customer driven and we're so focused on building an app, it's probably something worth mentioning is we build for the customer.

So massively important to us is to be gathering this feedback, to be understanding what the industry wants, what the customers want, and that's where we will go next. I think it's just come about and possibly as a result of, as being so fast, actually that may have been our own undoing in this scenario. But yeah, we have a relatively a well-developed compliance team. They're all very good. And can act on these things relatively quickly.

Nathan: In regards to the NFT space and the development do you think Copper could use an MPC shard to represent real-world digital assets or real-world assets?

Jake: I mean on the assumption that they could be stored on chain in such a way that we could essentially just generate that private key then yeah. I don't see why not. MPC as a technology is agnostic, so you can apply it to different types of encryption keys, and different types of encryption, but it obviously has to be attuned to be able to facilitate that. But I see absolutely no reason why it couldn't be.

Nathan: This is the obvious space that it's developing into. As we have more digital representations of physical goods, that the sort of digital twin is obviously needs an MPC sign off for a transfer and or a custody agent or the IP holder?

Jake: No, absolutely. And I think probably a good way of viewing it is wherever you have a private key, then that should be replaceable by MPC.

Nathan: Got it. I know you've been with the company about a year but you have an extensive security background. I'm most fascinated with the work you spent at Amnesty. Would you like to go into some of the history of that work? I'd be fascinated to hear, I'm sure our listeners would be as well.

Jake: I'm happy to. I'll give you a brief sort of walkthrough of my career. I'll start when I moved into security before I worked in security, I did work in IT. Interestingly coming off the back of the conversation we had earlier, I worked in broadcast.

So I used to, for organizations, we used to downlink analog, satellite streams. We used to convert them to IP and push them out over CDNs. So that was a very interesting. Actually, I've got most of my low level of networking knowledge in that specific role. But from there moved into security, I think my very first job, I was a penetration tester, and that was my very first foray into InfoSec and massively enjoyed it.

From there went working in blue team. So I moved from being a pen tester to working in a security operation center in a bank and I was an analyst there for a number of years. Moved onsite contract moved around a lot of the major banks, at least in the UK, worked extensively with the likes of CyberArk, with Barracuda, with various other partners on project delivery with them, got to a point in my life where I felt slightly unfulfilled.

I was extremely privileged and lucky to be in a position where I could take a step back and start to think about really not just in terms of career development, but personal development. What do I want to do at where do I want to go? What will be the ideal role for me? It was off the back of the conversation I was having with another friend and he said I think I've got a role that I know of that's just opened up and I think you'd be really interested.

So I stepped into the interview blind I'd of course I knew who Amnesty was. I knew what they did. But yeah pretty quick interview process. I think they made me an offer within a couple of days and started there. I think about four years ago now. So I was there for sort of two, three years, I was their head of information security. And that was one of the most challenging and one of the most rewarding roles I've ever had and likely ever will have.

Amnesty as an organization tends to be a thorn in the side for governments all over the world. And that includes mine and yours.

Nathan: That's correct.

Jake: It's I think when I was there, we had either 84 or 86 locations across the globe, most of them in countries with varying degrees of challenging political climates, varying degrees of significant differences between some of them in the human rights landscape as well. Most of actually most of them I dealt with there was more on the education piece.

So whilst we did spend a lot of time triaging, responding to incidents, I think probably the most value I managed to deliver there was just around general staff awareness training and just really pushing and getting people to understand exactly what information security was or is even. It's a place where it's the first time for me, that my discipline has ever crossed with the real world physical security side of things.

So it wasn't unusual. And as I say, it wasn't unusual. There were probably three or four instances whilst I was there a fairly aggressive surveillance being conducted against staff. And that looked the cars for the police when being parked outside their house in the middle of the night, I think a lot of the time it was probably set up to intimidate rather than actually gather any intelligence, but that Amnesty would be a fairly typical day.

And I think on average. And actually I'll preface this with explaining what APT is. So APT stands for advanced persistent threat. This was a term that was coined by Facebook, Microsoft a number of years ago. If I remember correctly, my memory serves me, it was as a result of a breach that went undetected for about 18 months and it was orchestrated we know now by I believe it was a PLA a Chinese PLA state sponsored hacking group. And I think it was the first really significant public incident.

Back then what they did was because this was really a new category, a new definition of attacker, or maybe this was common in the government space and defense and energy, but in the private sector, generally, these were not things you ever heard about; an attacker going unhindered and undetected, and Facebook is a company that even then invested significantly in security, right? Massive amounts of money, massive amounts of resources and some very good people.

Nathan: Is this before the Spectre vulnerability?

Jake: Or, and before Melville, before we're going back now to, gosh, I think probably around sort of 2012, 2013, I'd have to look that up. But it was Mandiant at the time that came in and did, if I remember correctly, the incident response and they coined the term APT, then the term APT applied there to nation-state sponsored threat groups that could live undetected on a network in excess of 12 months.

Now, since they coined that term and things have changed significant and leading you, you hear it now being used to refer to criminal groups. A lot of the time you'll hear it referred to, or being used in marketing materials a lot, but in the traditional sense and in the way that I will use it in most CSOs and people in the space will use it will be around state sponsored attack. I think Amnesty, we saw if I were to average it out, probably I would say every six to seven weeks that we will be dealing with a new state sponsored incident.

Sometimes it was immensely frustrating and immensely troubling. Actually I really didn't realize the sorts of things that happened in the world before I started working there. I think we identified when I was there I think seven or eight different countries that we believe that these groups originated from and were sponsored by.

So it is something that is so immensely prevalent, but people don't really get to see it. They may be sometimes sat on the edge of it, but if you're outside of your oil and gas, your energies your space, your defense your auto manufacturing, your sort of critical national infrastructure, anywhere outside of that, these things will not really be seen. And it very irregularly if ever.

I know there has been an uptick in attacks that are targeting financial institutions and that is mainly conducted by states as a means of securing another source of income. So North Korea is very well known actually for orchestrating attacks against organizations in our vertical.

And actually I know various traditional banks that have suffered very badly actually at the hands of certain North Korean state sponsored groups. They tend to be very well-resourced and they are, I don't know if I should really use the word because it sounds, I would say they're very good at what they do. They are fantastic, which is even more worrying. And that could be anything from very basic attacks against a known vulnerable VPN service. That's something that I saw a couple of times there, and that was done with sort of public tools, not public knowledge, but knowledge that was in the public domain.

You wouldn't have needed any special skill sets. You just would have needed a lot of time and a small amount of skill to be able to craft the payloads and deliver them. Stuff like that we detected very quickly. On the other end of that scale, there are the likes of organizations, such as NSO group who were based out of Israel and what they do is they specifically develop software that will be used in conjunction with, and when I say zero day. So it was zero day. When I say that what I'm referring to is an exploit or a vulnerability that is unpatched on a system and generally is unknown to the manufacturer. So if I could discover a zero day for Windows, a remote zero day for Windows, that would potentially give me the capability to run an exploit and run code or gain access to every single Windows machine that was connected to the internet.

The likes of NSO group, and there are various other private sector organizations and they are based out of the US out of Israel, out of the UK, out of India. They're getting more and more prevalent. In fact, they will build software, so they will build remote access tools, remote access Trojans. They will then weaponize them and deliver them with these exploits that are just essentially unknown. So nobody knows about them, the public, the manufacturers don't know about them. And therefore have a very hard time safeguarding against them defending against or detecting them when these events happen. I think in the case of NSO group their favorite play was to develop WhatsApp and various other messaging applications.

They would develop zero days for them and they would deliver their malware through that. I know they've been implicated in various cases around the world up to and including the loss of life, so Jamal Khashoggi, for example. I know that there was an implant on his phone, which was put there likely by NSO group, because it was, I believe Pegasus was the name of the malware they used in the implant.

But that was something fairly prevalent. We saw that a few times around the organization when I was there and that was scary. It's probably the best way of putting it, but there was a real range. When it came to targeted exploitation, a real range. And it went from the very, very easy to detect the very low level of the stuff that you would generally see out of, anybody with a mediocre level of skill right up to the very, very top end where you could see it being professionally done, somebody who went out and they paid for this service and paid lots of money for this service to be able to target this specific individual. And that's, I think where I spoke a little bit about physical ability and that's where the sort of the crossover between cyber and physical came in.

When I joined the organization [Amnesty], I was working very closely with their global head of security and a chap named Toby Woodbridge, absolutely fantastic. I think possibly learn more from him than anybody else that I've ever done in a professional setting. Absolutely amazing. And I do miss working with him. But that's where it's the crossover between cyber and physical came into play. Because the likes of a foreign government who wants to gain access to a CMS, for example, to identify people that are donating in the country where they reside, chances are they're not doing that because they want to send them Christmas cards or any other, that they're doing that because they are likely then going to become targets themselves or to varying degrees.

And that can be anything from just being added to a list of known detractors or people of interest. Right up to and including being taken from your house in the middle of the night and actively interrogated and that sort of the ultimate end game that we really want to avoid.

I would say on the whole we did very well. We managed to find, shutdown, isolate, to identify actually in some cases, so there were various jobs we worked were working with external partners and intelligence providers. We were actually able to not only identify the group, but in some instances actually identify individuals that were a part of the group.

And that was seeing how these cases get put together by a skilled intelligence analyst is yeah. Phenomenal. Yeah, it was something else. It's probably not an experience I will ever have again. I would say I'm massively glad I was there. Towards the end, it got to a point where I felt as though I wasn't giving as much to a lot of the work as I should have been. I did feel in a way burnt out. It was a massively challenging job and it was pretty much constantly work, not just the work, but the working through the night, working in from different locations. I mean in January of last year just before the pandemic kicked in, I spent, I think two, three weeks in Thailand and then off the back of that, another two, three weeks in Sri Lanka as well, helping to train and facilitate training sessions there with staff and yeah, it is taxing emotionally.

It's also very taxing as well. And people often don't take that into consideration, but organizations like that, the work can be very challenging. Yeah. And you do feel it's a personal connection to a lot of the staff, right? And these are the people that are being targeted. You don't want to miss things, you don't want to get things wrong. And especially when you're sort of in the heat of an incident, there is an immense amount of pressure actually to get things right. To get them right, very quickly. And I think there's only a very limited amount of that, that you can do within a compressed timeframe, and still be able to give every single job and every single individual the attention that they really deserve. And I think that's part of what drove my decision to come to Copper. I felt for me. It was time to let somebody else step into the breach sort of a fresh set of hands, a fresh set of eyes and a fresh way of doing things.

And also, yeah, massively excited to move into the crypto space. And also with the same sort of good intentions as when I joined Amnesty.

Copper has been immensely rewarding. The team is absolutely fantastic, every single one of them. Absolutely excellent. And yeah, like family, I would say.

Nathan: I can obviously hear your immense dedication to ethics and the people and the work that have been going on at Amnesty for quite some time.

I know like InfoSec in general is a pretty far out space, I've been SIM swap attacked. What do you think is a good checklist for normal crypto heads who are not managing billions of dollars in crypto to go through in their minds in order to maintain safety of their funds?

Jake: So massively important. I think quite often, this is a conversation I've had probably a thousand times over is there is a general conception that people tend to gravitate towards specific tools and technologies.

Quite often these things will be very complex. And if I go back to the likes of Telegram messenger, people use Telegram, they say it's secure. Well, how do you know it's secure? My advice in every single instance is to simplify where you can, if you can't simplify it, try to remove the technical element.

I would say over and above having the latest and greatest in encryption technologies, it's fundamentally crucial to be getting the basics. And what I mean, when I say that is probably 95-98% of people that have crypto and I, myself included and I'm guilty of this, so I have it stored on my machine, which is not air gapped. It's connected to my network. And although I only use it for very specific purposes, one of them being to warehouse the crypto, there are probably things I could be doing a bit better, but understanding the machine is sat there. We have a good antivirus on it with EDR capability and EDR stands for endpoint detection and response.

So my personal favorite for that, my personal choice is an antivirus called Cylance and naturally probably an interesting story about Cylance in particular, and this is in no way a product plug. I haven't used them for probably now a year and a half. So I'm not sure of the current state of the product, but it was a purchase we made at Amnesty, I think seven years prior to my joining, they suffered a state-sponsored incident involving China.

And there were artifacts left over on the domain controllers and on various other servers within the organization. Kaspersky, I'm still not sure how you pronounce it after 15 years. That was installed as the antivirus component on all of these machines. And it lived quite happily on there since the incident. Now, when we went through the exercise of pulling those back and we deployed Cylance to these machines, they, I think the phrase I used at the time was lit up like Christmas trees. And that was pretty much the case. This wasn't anything viable for an attack, it was just the remnants of an attack. But the fact that Cylance itself detected all of these relatively benign looking files, even on manual analysis. If you would have combed through the discs yourself, you probably wouldn't have found them or noticed them. And that sort of spoke volumes to me about its efficacy.

And I think they were acquired by Blackberry a while ago, so they may be slightly more expensive. But when I purchased my license, and that's what's been running on this machine in the background. They also have a personal machine offering as well and it is generally reserved only for the enterprise, these types of tools.

And these types of technologies are actually very hard to get in consumer devices because you have a minimum subscription fee. You have a minimum purchase amount, but with Cylance, you can actually go on and buy a home package to defend three, five, 10 machines, whatever that may be, there is security, basic checklist to follow.

So make sure you have an antivirus installed, make sure that when the pop-ups are coming up, and actually I'll speak especially to Mac users here because they are really easy to defer and it's something I'm forever battling staff with, make sure that you are applying updates in a regular, timely manner when they come out.

Because quite often they will be bundling in security fixes that aren't even in the release notes, they don't want to make these things public, but there are things that are happening in the background and vulnerabilities that are being discovered and patched without being broadcast so widely.

Multifactor authentication absolutely essential. When I say multifactor, true multifactor. You spoke a moment ago about being SIM swapped. That's something that we want to avidly try and avoid.

The GSM network and actually the telephone networks in general were never developed as a tool or anything with security in mind. It is trivial, and actually I've seen it on the dark web many times. I won't name specific marketplaces actually, so I don't want to encourage this type of behavior, but there is the dark web marketplace we have monitoring set up on. It is trivial to go on there and you can fund your account with Bitcoin or Monero or various other cryptos.

And I think the average cost to have a SIM swap carried out on your behalf. So these things are commodified, they're available as a service, right? I think the last time I checked about a month and a half ago, it was $60. And that was AT&T. So the cost of SIM swapping somebody and the barrier to entry is now so low. That's why these things are so prevalent.

Make sure that any multifactor you use is using true multi-factor, so you use the OATH rolling codes, or you use the sort of next gen multi-factor with the likes of Microsoft and Google, where you get the prompts pop up on your phone and you have to approve or deny.

Outside of that, I would say just practicing good hygiene. If there is something, a seed phrase, for example, that you're told to store and remember, then make sure you do that. We hear horror stories all the time. And it's, it wasn't one that long ago. And I think it was around a $100M. And it was a chap who had sequestered away a private key or a wallet on an IronKey. Then these devices are very good. They're made, I think for the most part, for central government and other organizations with two and three letter acronyms. And they're essentially impenetrable. They're made very well. They're very hard, actually near impossible to recover anything from past the point of encryption, and the poor guy I think he forgot his password. So that's a hundred million dollars worth of Bitcoin. That is irrecoverable because of what you would see is probably a fairly trivial, simple mistake, but it's an easy mistake to make. And we will make those mistakes. I've hundreds of times in my life that's caused and caused me to force myself to learn that these things can go wrong and spending that extra two or three minutes.

Just making sure that you're following the instructions on the label, following the instructions on the box, and that can be significant differences in outcomes down the line.

I've just had a ping from a client and I'm going to have to jump off.

Nathan: It sounds like you got the bat signal, man. Sounds like you should go.

Jake: It's pretty much a bat signal. Yeah.

I appreciate it. I'm so sorry, man. I've just got a message out of the blue and it's something I really need to tend to right away. I'm so sorry to do this. No problem, but I'll ping you directly after. So sorry, Nathan. And thank you. And of course, thanks for your time.

Thank you, and we'll speak soon.