Andre McGregor, TLDR | HoshoCon 2018

>> From the Hard Rock Hotel in Las Vegas, it's theCUBE! Covering HoshoCon 2018! Brought to you by Hosho.
>> Okay, welcome back everyone, we're here live in Las Vegas for the first security blockchain conference's inaugural event, HoshoCon, and it's all about the top brains in the industry coming together, with experience and tech chops to figure out the future in security. I'm John Furrier, the host of theCUBE. Our next guest, Andre McGregor, who's the partner and head of global security for TLDR. Welcome to theCUBE, thanks for joining me.
>> Thank you for having me.
>> So you have a background, we were just talking off-camera, FBI, you've been doing the cyber for a long time, cyber-security, mostly enterprise-grade, large-scale. Now we're in crypto, where you have a small set of teams, running massive scale, with money involved.
>> Correct. So guess what, money attracts.
>> Right. People who want it, want that money. A lot of hacks, $400 million in Japan, plus 60 million over here, you add it all up, there's a billion so far this year, who knows what really the number is, it's pretty big.
>> It is, and what's concerning and the reason why I came over in this space was the number of hacks that were happening. My company, we get probably a call a week, whether it's high net worth individuals, CEOs, exchanges, we've helped a couple, some that you'd know of if I told you who they were, trying to get out of a very bad situation. And incident response has been big, but what we've learned is that it's the same old fraud, the same old security tactics that are being used against some of these crypto-companies.
>> And we've seen it all the time, everyone's had fraud alerts on their credit card, this is like classic blocking and tackling, at a whole 'nother level.
>> It is, because if you think about it from, like a traditional start-up, you have a company that's small, they have time to develop their MVP, they go out and do maybe a seed round, friends and family, they're sort of ramping up over time, whereas we basically flipped the model upside-down, the same six founders now have $10 million worth of crypto, and they're not protecting it in the ways they think they should, because they're in hyper-growth mode. So the bad guys have determined that as a great place to target, and now as we see in the news, it's actually happening.
>> Yeah, and Hartej, the co-founder of Hosho, was just on talking about physical security, in the sense of you got to watch out where you go too now, it's not just online security, it's physical security. So start-ups have that kind of fast and loose kind of culture.
>> Well, if you think about it, traditional security in corporations, I can put everyone in a building, I have these similar or same network egress points, I can protect those, I can do the gates, guards, guns, perimeters around, but I got people working from home now in the crypto space, everyone's got their own setup. If someone's in an audience, they say oh, I've been in the blockchain space since 2010 or 11, I can make assumptions about them, about their financial worth, and other people are doing the same, but having nefarious reasons.
>> Yeah, you connected the dots okay, it was $0.22 in 2011, so therefore, if they had kept a little bit of Bitcoin--
>> They would be doing very well.
>> They're a target.
>> Therefore, they're a target now. So when you think about it, you put all those scams together, it becomes sort of a hot topic for--
>> I just got into crypto. (laughs)
>> Good answer, good answer.
>> Alright, so let's talk about this security hack. Because obviously, in the enterprise tech, we cover a lot of those events across the year. IoT Edge is a huge topic, cloud computing booming, so now you have a lot of compute, which is good, and for bad actors too. So you have now a surface area that's now, no perimeter, there's no egress points to manage. Is there a digital way to kind of map this out, and does blockchain give us any advantages or is there anything on the horizon that you see, where we can, in digital form?
>> Well, I mean the true reason I came to the blockchain space, having worked hundreds of victim notifications and several dozen actual intrusions, from large intrusions at banks that are top five in the world, all the way down to small core defense contractors, you realize it's always a server you didn't know about, credentials that had more access than they should, obviously gaining access to a centralized server, that then gets exposed and allows that data to be leaked out. So the idea of blockchain and being able to decentralize, distribute that data, own it, and keep it cryptographically pure, and also being able to essentially remove the single source of failure that we saw in a lot of these hacks is exciting. Obviously, blockchain is also not the answer to everything. So in some ways, the spreadsheet is still a spreadsheet, and the MongoDB will still be the MongoDB, but--
>> The post-it next to your computer, your private key on it.
>> But at the same point in time, it all comes down to cyber-hygiene, right? I mean, the stuff that we're looking at, the hacks that we're seeing, the hacks that I'm dealing with and my company dealing with, day in and day out, are not sophisticated. They may be sophisticated actors, but they're using unsophisticated means, and of course, I hate to harp on it, but e-mail is still the number one intrusion vector, we all have it, we all use it. You could take stats from the FBI that say 92%, you could take stats from Verizon that say 93%, but that will be the number one way in.
>> And phishing is the classic attack point.
>> It will always be, because--
>> It's easy.
>> I can manipulate people, I find the right opportunity, I always say even I've been phished. It happens, the way your mind is, it's just how you react, is what we need to teach people.
>> It's really clicking on that one thing, that just takes one time.
>> Yep.
>> A PDF that you think is a document from work, or potentially a job opportunity, a new thing, sports scores, your favorite team, girlfriend, boyfriend, whatever, I mean, you don't know!
>> But, I'm going to challenge you on this, you get, you click on that bad link, or you feel like your computer has been hacked, who do you call? Do you actually have someone that you can call? There's no cyber 911. Unless you are a high net worth individual, or being targeted by a nation-state, you're not calling the FBI. So who do you call? And that's a problem that we have in our industry right now. I mean, I guess I've been the person that people have been calling, which is fine, I want to help them. 12 years as a firefighter on top of my FBI career, I'm used to helping people in time of need. But really, in the grand scheme of things, there's not enough Mandiants, or Verizons are too big. So for these smaller, six-person companies, that don't have $500,000 to spend on incident response, they actually have no one to call when they actually do click something bad.
>> And the people they punch in a call, the ones that aren't actually there to help them. Sometimes they get honey-potted into another vector.
>> Sure.
>> Which is hey, how can I help you?
>> Or I even challenge it a bit further. You call any of these companies when your phone has been hacked, a SIM swap, whatever it is, and you need to sign a master services agreement, you need to go through all the legalese, while you're actively being hacked. Like, it's happening hour after hour, and you're seeing it, your accounts are being compromised and being taken over, and you're trying to find outside counsel to do redline. So in emergency services, we say, don't exchange business cards at the disaster site. It's not the time that you should be saying hi, I'm introducing myself, we should figure out all the retainers, incident-response, legal questions beforehand, so that at 2:00 in the morning, someone calls, and you have someone pick up the phone.
>> Yeah, and you know what the costs are going to be, 'cause it's solve the problem at hand, put out that fire, if you will. Okay, so I got to ask you a question on how do people protect themselves? 'Cause we know Michael Terpin's doing a fireside chat, it's well known that he sued AT&T, he had his phone SIM swapped out, this is a known vector in the crypto community. Most people maybe in the mainstream might not know it. But you know, your phone can be hacked.
>> Yes.
>> Simple two-factor authentication's not enough.
>> Correct.
>> What is the state-of-the-art solution for people who want to hold crypto, any meaningful amount, could be casual money, to a high net worth individual who wants to have a lot of crypto?
>> I mean, I spent a good amount of my time talking about custody. We've sort of pivoted off to a new part of our business line, that deals specifically around institutional custody solutions, and helping people get through this particular process. But we all know, especially from that particular case, that SMS compromise, after account takeover of a phone, is high. Hardware tokens are always going to be something that I'm going to, Harp or YubiKey, or something like that, where I'm still having the ability to keep a remote adversary away from being able to attack my system that has my private keys, or whatever high-value data I have on it. But if I think about it at the end of the day, I'm going to need to transfer that risk. I would like to say that we can transfer all risk, but instead for the people that have a lot of crypto, you're going to need to look for a good custody solution, you're going to need to look and trust the team, you're going to need to look and trust the technology they have, and you're going to have to get insurance. Because there are so many vectors, at a certain point in time, we can't go back to the wild west, where we're actually--
>> The insider job is, is really popular now too.
>> It is, but there are ways around the collusion, counterparty, third party risk of ensuring that not one person can take the billion dollars worth of crypto and run away off to Venezuela and never appear again. But again, it comes down to basic hygiene. I ask people, I've surveyed hundreds of people in the crypto space, and I ask simple questions like VPNs, and I'm still getting a third to a half of people are using VPNs. Very simple things that people are not doing. When you look at passwords for example, if anyone still has a password under 12 characters, then game over. I mean, there are a variety of ways of hacking them. I can use GPU servers to do them very quickly. I won't go into all the different options that are there. People still--
>> So 12 characters, alphanumeric obviously, with--
>> With special characters as well.
>> Special characters.
>> But the assumption, let's just make the assumption, that either those passwords have been cracked already, because they've already been dumped, people share passwords, they get used again, and then the entropy is exponentially higher with every single character after 12. So my password's 22 characters, sure it's a pain to type it in, but when you think about it, at the end of the day, when I combine that with a password manager that also has a YubiKey that's a hardware token, and I require that access all the time, then I don't run into the problem that someone's going to compromise a single system to get into multiple systems.
>> And then also, I know there's a lot of Google people as well, they're looking at security at the hardware level, down to the firmware.
>> Sure, sure.
>> There's all kinds of--
>> I mean, obviously, you could use the TPM chip as well, and that's something that we should be better at, as a society.
>> So while I got you here, I might as well ask you about the China Supermicro mod chip baseboard management controller, BMC, that was reported in Bloomberg, debunked, Apple and Amazon both came out and said no, that's been confirmed. They shift their story a little bit too, the reality probably there is some mods going on, it's manufactured in China. I mean, it's a zero-margin business going to zero, why not just let the Chinese continue to develop, and have a higher-value security solution somewhere else, that's what some people are discussing, like okay, like the DRAM market was.
>> Yep.
>> Let the Japanese own that, they did, and then Intel makes the Pentium. Wall Street Journal reported that, Andy Kessler. So the shifts in the industry, certainly China's manufacturing the devices. There's no surprise when you go to China, and if you turn on your iPhone, it says Apple would like to push an update, but that's not Apple, it's a forged certificate, pretty much public knowledge. The DNS is controlled by China, and a certificate, these are things that they can control, that's, this is the new normal.
>> It, it--
>> If you know the hardware, you can exploit it.
>> We've been dealing with supply-chain issues since Maxtor hard drives in Indonesia. So was I shocked when I hear stories about that? No, I've sort of scared myself into a corner, working in SCIFs over the years and reading the various reports that come out about supply chain poisoning.
>> Certainly possible.
>> It's happening. I mean, it's just to what extent is still something that may or may not be known to its full extent, but it's something that will happen, always happens, and will continue to happen. And so at a certain point in time, capitalism does step in and says alright, well, guess what, China, the way I see it is, China wants to be a super-power. At a certain point, they know that people are looking at them, and saying we can't trust you. So they're going to clean up their house, just like anyone else.
>> It's inevitable for them.
>> It is inevitable. Because they need to show that they can be a trusting force, in the world economy. And at the same time, we're going to have competition out there that's essentially going to say, alright, we can actually prove to have a much better, stronger, validated supply chain that you'll use.
>> I mean, IoT and blockchain, great solutions for supply chain.
>> 100%.
>> I mean, so this is where--
>> I mean, we're talking, I mean, I was actually on a plane flying from Phoenix, to Santa Fe, New Mexico, and I was sitting next to a guy, who was just like, I just want to use a blockchain to be able to deal with a supply chain around compromised food. So in the sense that if you think about it, fish for example, there's a lot of fake fish, fake types of tuna and other stuff that's out there, that people don't know the difference. But the restaurants are paying double, triple the amount of money for it. You start taking things like elephant tusks, you take things like just being able to track things that no one's really thinking about, and you're just like huh, I never thought of it that way. So at the end of the day, I still get surprised with what people are thinking about, that they can do with the blockchain.
>> So Andre, question for you here, this event, what's the impact of this event and for the industry, in your opinion? Obviously, a lot of smart people here talking, candidly, sometimes maybe a little bit contentious about philosophies, regulation, no regulation, self-governance, a lot of different things being discussed as exploration, to a new proficiency level that we need to get to. What are some of the hallway conversations you're hearing, and involved in?
>> A lot of mine are obviously around custody. That is the topic of the moment. And for me, I'm in learning mode. I recognize that I've spent a lot of time in cyber-security. However, whereas it relates to blockchain and digital asset custody, whether it's utility tokens or security tokens, I'm on the CFTC Technology Advisory Committee, specifically, with cyber-security and custody, and so I want to take in as much information as I can, bring it back to the committee, bring it back to the commissioners, and help them create the proper regulations and standards, whether it's through an SRO, or it's through the government itself.
>> For the folks that may watch this video later, that are new to the area, what does custody actually mean? Obviously, holding crypto, but define custody in the context of these conversations, what is it, what are the threshold issues that are being discussed?
>> Sure. I mean, to break it down, custody is very similar to a bank. So you are, you're saying I have a lot of X. It could be baseball cards, it could be gold bars, it could be fiat cash. And I want to have someone hold it, and I'm going to trust them with that. Of course, I'm transferring that risk, and with that, I have an expectation to have a qualified custodian, that has rules and regulations of how they're going to actually manage it, how they're going to control it, ensure that the risk, that people aren't going to take it. It could be, again, the Monet, it could be the Johnny Bench rookie card, it could be 100 million blocks of gold. But I also want to have a level of insurance. That insurance could come from the insurance industry themselves, and allowing me to protect it in case something does happen to that, or the government. The FDIC, $250,000 for your bank account is a type of insurance that people are using. At the end of the day, from an institutional perspective, you want a pure custodian that takes all the risk. The government wants to say at a certain point, that that custodian can allow for margin call, so that the client can't come in and say, well I'm not going to pay out $100 million worth of crypto, and I'm going to seize, or seizure of funds as well. And that's what's being set up right now. Traditional banks are not ready to handle that. Traditional auditing firms, like PWC or Ernst & Young, are still trying to figure out how they'd even be given a qualified opinion, as it relates to how--
>> So it's not so much that they don't have the appetite to do it, they don't have systems, they don't have expertise,
>> They don't have systems, they don't have expertise,
>> They don't have workflows.
>> And right now, things are so new and so volatile, that they're sort of almost putting their toe in the water, but really not sure what the temperature is yet of the water to hop in.
>> If someone wants to go to court, you say hey, prove it. Well, it's encrypted, I don't know who did it.
>> Well, and the thing is that when you have 53 states and territories with different money-transmitting laws, on top of the countless federal agencies and departments that are managing that, it is hard to come to consensus. It is much easier in a place like Bermuda, where the government is small enough where everyone can get together pretty quickly, have consensus on an opinion of how they want to deal with the crypto market, deal with custody, pass a regulation, and what's nice about Bermuda is it has crown ascendancy, so the UK government still approves it.
>> And they move fast on the regulation side. They literally just passed--
>> They are the only jurisdiction that has a fully complete law surrounding cryptocurrency.
>> You're bullish on Bermuda.
>> I am, because I saw the efficiency there. And I expressed my same opinion with the CFTC, when I was doing my hearing last week, that it's nice to see the speed, but it's also a small island that allows for that speed.
>> And they have legitimate practices that have been going on for years in other industries.
>> Right, so there's no dirty money, there's no anything that people are sort of concerned with, they have the same AML, KYC, anti-money laundering and know your customer regulations that you would expect if you had your money in the United States.
>> Yeah, we had a chance to interview the honorable charge there.
>> Premier Burt, oh very nice.
>> Yeah, he's great, and Toronto, so it's awesome.
>> Nice.
>> Alright, so final takeaway, for this show here, what's your takeaway about this event, the impact to the industry?
>> This is a very important event, because I think people are still trying to get their footing around blockchain, they're still trying to get their footing around digital asset protections. And if we can get the smart people in one room, and they can share knowledge, and then we can come together as a community, and create some standards that make sense, then we're protecting the world.
>> Well Andre, I'm glad you're in the industry, 'cause your expertise and background on the commercial side and government side certainly lend well to the needs. (laughs) So to speak. We need you, we need more of you. Thanks for coming on theCUBE, really appreciate your commentary and your insight. It's theCUBE, bringing the insights here, we are live in Las Vegas for HoshoCon, I'm John Furrier with theCUBE, we'll be back with more coverage after this short break. (upbeat music)

Published Date : Oct 10 2018
