Ex-NSA engineer Alex White: Mobile security for high-risk individuals
Mobile devices have changed how we work and how we live our lives. We have become increasingly attached to our handsets thanks to apps for communication, time management and entertainment. As low-tech cell phones have transformed into smartphones that handle huge data traffic every day, our devices have also become a coveted target for hackers.
As a result of society’s rapid transition to more flexible remote work and BYOD (bring your own device) strategies, the security of mobile devices can no longer be an afterthought. To find out how the mobile threat landscape has evolved, we had a chat with former NSA engineer and co-founder of Glacier Alex White in the latest episode of under CTRL, hosted by Balázs Judik.
Glacier was born from a desire to rethink the security of mobile devices. After recognizing that high-profile executives and high net worth individuals were at risk when communicating through mobile devices, White designed an offering that provides tailor-made security for text and video communications using end-to-end encryption.
See below for a round-up of the security themes we covered:
- Why mobile devices are more valuable targets today and the variety of attack vectors cybercriminals use to gain access to them
- Glacier’s business model targeting high-risk individuals in the private, government, and NGO sectors
- Insights into how the NSA works and why Alex’s professional interest shifted towards mobile security
- The facts about burner devices and other techniques that individuals traveling to high-risk areas can use to protect their mobile communications
- And finally, we address the digital dilemma of security vs. convenience through the controversial case of Signal & MobileCoin
Looking for more insider scoops on how intelligence agencies operate? Check out the previous episode of under CTRL featuring ex-CIA executive and cybersecurity expert Gus Hunt – and stay tuned for more episodes on Spotify. You can also stay connected with all things Tresorit through Twitter and LinkedIn.
Balazs: Welcome to "under CTRL". My name is Balazs Judik, and I am your new host. Today, I will speak with Alex White, former NSA Network Engineer and Co-Founder of Glacier Security. Hey, Alex! Welcome to the show. Nice having you here.
Alex: How are you? Thanks for having me.
Balazs: I'm great, thank you. How are you today?
Alex: I'm doing great. It's a- I'm in Western- Midwest Michigan. The weather is starting to turn. It's been 40 degrees for the last couple of months, so I'm excited for the weather to change.
Balazs: Ah, sweet! Sweet! I think, based that we are on the other side of the world in Hungary, Budapest, it's quite a different weather here, but... yeah, I'm happy to have you here. And I'm very interested to have this discussion with you. Let's just start off with you doing a small intro about who you are, what you do, and how did you get to this opportunity to have a chat together?
Alex: Yeah, absolutely. My name's Alex White. I am one of the co-founders of a company called Glacier Security. We do a light variety of mobile security, of specifically secure communications. We provide most of our solutions to governments, high-net-worth individuals, high-risk individuals, as we call them. Those could be someone who is traveling overseas, for example, you know, going to a conference, you know, staying in a place, you know, they may never been before. And also, we work with some NGOs, right? So, you know, how do you- how do we protect those comms, as people go over and do humanitarian aid type work? So Glacier, you know, we were formed out of the government. I'm sure we'll probably get into that as well later in the conversation. But yes, so our focus is mobile security. And we also do quite a bit of other kind of one-off security, just because of our backgrounds.
Balazs: Right. Speaking of background, so how did it all start? Because I assume, like, basically you guys started in 2015, right?
Alex: Yeah.
Balazs: So what's your story before the times of starting Glacier?
Alex: Yeah, so Glacier was formed out of the intelligence community. Myself and a couple of- like two other co-founders, we met in the IC. Now we saw a huge issue with mobile security from all the different organizations, both within our organization as well as, you know, other government groups, other commercial groups that we'd been working with. And, you know, we knew from being in this community that there's so much risk. We knew what was possible from different types of attack vectors, and it just made sense that we, you know, also provide that level of security for- you know, for our people, our customers that we're working with, for example. So I- yeah, so I started, you know, right out of college, right out of undergrad. I applied to two places. Right out of junior college, I applied for the FBI and the NSA. So fast forward, you know, several months of not hearing from, you know, either of them, I get this massive packet, you know, mailed to my parents' house. And at that point, I was traveling Europe for my- for study abroad. And my parents called me and they said, "Hey, you know there's this Department of Defense document that was mailed to- you know, to the home. It has your name on it." And at that point, I had this like, you know, just this excitement, right? Because, again, I'd only applied for, you know, two places. So I get back. I get back from study abroad, and I fill out this information. And then there's this whole entire process between my junior year of undergrad and my senior year of undergrad, it was just processing. Right? Like making sure that everything checked out for me, you know, to do this. And for that- and that position was actually just a summer internship program, right, so it was only going to be for potentially three months. Now, at that point of all- I've committed. Right? I've committed to, you know, making this happen. So it took a really long time for processing. 
The summer internship was probably one of the best experiences that I had. And at the end of that summer internship program, they offered me a position, which they usually do for most of the summer intern grads. And then from there, it was just- I spent- it went by fast. I spent almost ten years in the community.
Balazs: And what was the role that they offered you? And what was the role that you were working later on?
Alex: Yeah. So my undergrad program- I was focused on network security, right. So primarily Cisco was kind of like the hot thing, you know, ten or fifteen years ago. So most of my undergrad was, yeah, network security, network engineering, designing networks. When I applied for this position, they knew my background, but the actual position was very generic. It was like Global Network Engineer, right? And you're just like, "I don't know what that is. I don't know what that is." But as soon as I got there, it was a lot of training. A lot of more education. So just, you know, network design in the real world, right. So in college, I felt like we were always doing lab work. We never really got hands-on on real networks. At that point, it was just completely overwhelming about the whole- how this massive community, you know, communicates together. So. Yeah, that was my initial position.
Balazs: Was it more, the position, about defensive technologies – whether about research... or what was it focused on?
Alex: Yeah, so I started more in the defensive side of things, right. So you have all these networks that are created all over the world. You know, the whole idea is, you know, protecting the warfighter, right. So networks that could be potentially providing data to them. Not necessarily like- any type of- there isn't one specific data, you know, like classified data, like something easy, right. Something simple. Like how do they communicate back home to their friends and family? You know, that was one of the areas, too. Right? So how do you secure those networks? So a lot of like firewall-type diagnostics and that kind of stuff. At that point, I knew nothing about the agency, right. I knew that they kind of separate things into, you know, different types of... roles and organizations. And then I kind of transitioned, once I took a full-time position, it was actually another internship. But this was more of a development program. So you basically can go into these programs for you to have an opportunity to hop between the organizations every six months, for example. And that really gives the individual like the student like an understanding of how the entire government, how the entire intelligence community, works. And then from there, you kind of have an idea, you create relationships, and you have an idea of where you might want to go after you get done with the program. So you can kind of think that first year- the first three years that I was there, I'd say about two and a half- was more training, more development, more social, you know, networking with different types of organizations.
Balazs: Did you have an idea, by the end of these two and a half, three years, which direction you would want to go or explore more?
Alex: Yeah. I think that... I was more interested at that point in my life in traveling. Right, so doing more field-type work, like field engineering. More research into mobile technology. For some reason, I always had an interest in mobile devices. I have no idea why. I have always (inconclusive) to that person that had like a Palm Treo, for example. I had a Palm Treo with no internet connection to it. So it made no sense whatsoever for me to have this phone. But when I got into the program, there was a mobile security kind of development lane that you could go down. And that was very interesting to me. And at that point, the first Android devices were coming out, right. Like I think that the T-Mobile version of the Android device first came out, and the big thing was: How do we secure this? How can we potentially use this as a tool, you know, to communicate? And that's one of the projects that I was working on.
Balazs: In an earlier discussion, you mentioned that there was a lot of knowledge and guilty knowledge as well. Could you elaborate on what would that mean, in layman's terms?
Alex: Yeah, from like a mobile security side of things, I think, you know, for me, you know, going into an organization like this without any previous experience – like you just assume that, you know, these devices are secure. And I think- I mean, you know best with this podcast and, you know, with your products, it's like there's not- I'm never one who would ever say, "Hey, this is a hundred per cent hack-proof." Right? You see that a lot on the internet for different types of products and services. And it kind of give you this feeling like, "Oh man, that's a really bold statement." Right? Like I would never say something like that. But yeah, I think, you know, if you have... from a research side of things, if you- and even from an educational standpoint, too, like these labs that have all this funding, and all this time, and these students or PhDs, for example, like... I've seen anything is possible, right. I think the conversation that we had earlier was, you know, anything- with time and resources, you can potentially bypass, you know, security measures, both on the computer network side of things, and definitely on the mobile device.
Balazs: Was this something that you thought that's possible before you joined the agency?
Alex: No. Well, I mean, you kind of get those- you know, those stories. At this point, you know, ten, fifteen years ago, they didn't have- no one was thinking about mobile device security. It was just not something that was, you know, talked about. And I think one, because not much work was being done on the handsets. And even when the first iPhone came out. But today, it's- you know, it's a much more valuable target. Right? Because we're using it for everything, you know. Email, calendar, you know, sensitive communications. Everything basically is around this mobile device, and it's- yeah, you know like a mobile device is a different type of tech. Right? Like it's almost a part of, you know, your body. That sounds weird, but like, you know, you take someone's laptop away from them, they're like, "Okay, that's fine, whatever. Right, I don't need my laptop each day." "Give me your phone." You have this like weird feeling that comes over you, like, "No, that is my phone!" You know? And that's just because there's a lot of information, there's a lot of data in there. And an adversary, whether it's a state-sponsored adversary or, you know, something more of like a hacker-type of community, like that's a value, that's a target for them.
Balazs: And you mentioned that there was pretty much no mobile device that was secure from an aspect of resource slash time. Would you say that's changed over time, since the last ten, fifteen years?
Alex: I think it's gotten better. But not by much. I think that, you know, recently there is, you know, like an iPhone, you know, zero-day that was published. Apple, you know, quietly (inconclusive). But that was (inconclusive) in the last month or two. I think that those type of things happen quite often. You know, we have no idea how long someone was able to use that particular exploit. Right? You don't know how far that exploit moved throughout the community. I think there's just so many things that you have to protect from a mobile device standpoint. Like a lot of people think like, "Okay, I'm going to hack the phone. I'm going to plug it in, you know, use some sort of tool like Cellebrite." I think we should talk about that later, too. Especially the- what Signal did over the last few days. "Now that you plug in a tool like Cellebrite and you can- you just get all of- magically get all the information from it." Right, and in reality, that's just not the case. I think, from an attack vector, I think your best bet is going to be, you know, some sort of phishing attempt. You know, SMS, text messaging. I don't know what it's like, you know, over on your side of the world, but over here, it's- the amount of spam that you get from text messaging... you don't know if it's just, you know, some sort of, you know, way of getting people to show ads or clicks, or if it's something more targeted. And I think there's really no way of stopping that. That as well as networks, too. Right? Like when I connect to some network, whether it's a hotel or an airport or, you know, some other open wireless network, there's a lot of opportunities there for exploitation.
Balazs: Yeah, I was going to ask that, after all these years of experiences, working with these technologies, did it have any scarcity effect on you? Or how do you relate to this topic? After starting your own company, of course, as well. But back in the days, when you were still at the agency, did you have this feeling that you were just not safe if you own a mobile device?
Alex: Yes.
Balazs: Do you still have that?
Alex: Yeah. I... do. I do. Because like you go around, we meet some really interesting people on the commercial side of things. Like we're more targeted towards the higher-risk individuals. So we're talking to them about potential threats. Like someone that makes, you know, X amount of millions of dollars is inevitably a threat, right? Like someone that you can google, or someone that you know of that has potential- that level of money, you're a threat. Whether you like it or not. Whether you're in the public eye or not, you're a threat. So I think like for us like we've seen some really interesting things, as far as like perpetual attacks, where you kind of always have- like I have this thought on my mind, whenever I connect to like cultural wifi, for example. Like just the other day, I usually bring a cellular hotspot with me. And I very rarely connect to a hotel wifi network. And, you know, I didn't have a good cell data, I had to get in, I had to do something for work. And it's just like, "Okay, I'm going to connect, and I'm going to try to get my VPN running." You know, there's all of these things, and I think that that complication, those complicated events of trying to connect to a network securely, is kind of why Glacier was started. Because we feel like, you know, there's a lot of technical people out there that can do this. But there's a lot of people that have no education or training on digital security. And that's kind of who we're targeting, right. Like how do we easily provide them better security? Increase their security posture? And that situation I just explained in the hotel happens every single day. Like there's not- there's not a situation where like, you know, connecting to a wifi network or connecting to a cellular hotspot is easy. And I feel like there's always- there's always something that happens. And inevitably, you go back to the most, you know, insecure way. 
Because you just need to do that thing, you need to go on and connect to the network and do that thing. So you just want to take that risk.
Balazs: Yeah, in regards to that, when you started the company, and we'll deep-dive into the details of that, but did you feel like there was an out-of-the-box solution? Like one that fits all for all these threats?
Alex: No. No, and that was one of the things, too, that was really difficult to get out, because I don't believe there is any one solution. Right, like I don't think that there is one app or one network device that you can install that's going to protect, you know, a device. You know, Glacier's- you know, at Glacier, we make a secure messaging platform, right. So we do text, you know, voice, video, file transfer. But then we rely on a lot of different other services and partners to do other things. Like there's no way that we could provide all the different solutions. And I think that's a fair thing, as long as you're like transparent about it, like, "Hey, you know, we've been working with this company for the last couple of years. They provide X, Y, and Z." So what Glacier does is, you know, we essentially bring an entire device to somebody, right. So if you're an iPhone user, we're going to give you an iPhone. Right, if you're an Android user, we're going to give you an Android device. So we do a full- you know, full hardware configuration, almost assembly-line style. Right, so for protecting, you know, executive leadership team, for example. You know, we've had, you know, eight to ten iPhones come into our office, so we basically, you know, like I said, assembly-line style configuration. Using our tools, as well as, you know, other partners' tools, you know, to attempt to reduce the attack surface. Right, and again, going back to "no device is a hundred per cent hack-proof".
Balazs: Yeah, who would you describe as your ideal profile for buyers?
Alex: I would say it is a high-net-worth executive leadership teams, a traveling scientist, a traveling salesperson that's going to be, you know, our type of end user, as well as governments. You know, we started out in government. I would say right at this point, we're- most of our customers are primarily commercial. But we definitely hold still that base of government customers.
Balazs: So essentially we could say that you came up with a solution working with the NSA, and then created a company and just went back and pitched the idea for them? How did they take it?
Alex: Pretty much! I think, yeah, it took a while for it, because, you know, our first customer was the government. But we quickly realized that our product was really designed for... more of the high-risk travelers on the commercial side of things. It's just we didn't have a product yet that was tailored for them. You know, like our first solution was this Android device- I think we were running like on a Moto G something. There was only Android. We did voice and text, no video. And, you know, I have this experience that I tell people in the tech world starting a company, we had an opportunity to pitch our solution to a massive company in New York. So our first pitch, we're there, we get to their conference room, and there's all these executives sitting around, and while I'm doing the pitch, they're all on their phones, right, not paying attention to anything that I'm saying. And at one point, you know, I finally get to the end, when we're like, "Hey, you know, we want you to use this secure device for a week and just show us- let us know how it goes." So I give this guy an Android device, like I said, it was probably Moto G, and he looks at the device and he was like, "I don't know what that is." And I said, "What do you mean? You don't know- what you mean? It's a phone." He was like, "I'm an iPhone user. I don't use Android devices. I'll never use Android devices." And at that point we realized, I realized, that we can't just rip someone's- like again, that iPhone from them and give a completely foreign device. Like they're not going to use it. So at that point, you know, we kind of rethought what our product offerings were and, you know, we started focusing and putting resources to iOS. 'Cause we knew that if we were going to try to attempt this commercial, you know, opportunity, we had to support Apple devices.
Balazs: It's a very, very interesting segment that you are working with. But I would imagine word of mouth has quite a big effect in your- in this industry. How do you- how do people find you? Because as- once again, it's a very, very specific segment.
Alex: Yeah, it's definitely word of- it's definitely a huge word of mouth. You know, I think one of the great things about the government community is over all these- all the time, you know, I been in this, you know, yeah, almost fifteen years, I think it's one of those things where you have, you know, someone who leaves- you know, leaves the government and becomes some sort of engineer, for example, for a commercial (inconclusive) company, that happens a lot. Where you have government people that, you know, learn a lot of skills about things, and then they're just- you know, they want to try something else. They try the private sector, and I think a lot of the times, you know, every week I have a conversation or a new call. It's like, "Hey, I used to work with you in this- you know, this area. Yeah, what are you guys doing?" And I think that's kind of how we've grown over the last five years, is providing a solution that not many other companies do. It's difficult to advertise this type of solution, right? Like how do you- how do you just target like, you know, "I want to sell, you know, high-net-worth secure communications." Well, like they don't know us. They don't have that trust. They don't- you know, no one's ever going to go our website and say, "Yeah, I want to buy that right now." Right, so it's a lot about creating relationships. You know, we're big in- if someone's interested in our product, like we want to get in front of them, like face-to-face. We want to understand the pain points, understand if they've had any issues in the past. And then how do we first get their devices and their communication secure? And then from there, let's talk about other problems that you potentially have.
Balazs: Yeah, the threat in the industry and specifically regarding mobile devices, we can say it's a new thing in the last ten, fifteen years. How open are these people for education or... the experiences that you can share with them in general?
Alex: Yeah. Yeah, most of the time, they're very open to it. I think... the technical- some people that we talk to have a decent technical background, but they just- they don't understand the other threats that, you know, some of us have seen. So I think a lot of them are- if we make it easy, if we make the training easy, right, like how to make sense from a day-to-day, like actual day-to-day usage, like I said before: We target like the (inconclusive) in hotels and airports, and also networks that are not familiar to the user. But usually, they're really into it. You know. We do all kinds of different training from, you know, just generic, "What is a mobile device? How does it communicate? And how does Glacier secure it on like a level 1?" And usually, they're very interested in learning more. Yeah.
Balazs: And how do you feel about- do you think your past at the NSA contributes to the trust they have in you guys? Because, I mean, let's address it: A lot of people, I think, have a specific idea about the NSA and how much resources they might have, how much researches they can do. And one could say that if, of all the shadiness, so to say, that you had the chance to experience with different technologies and how to break them. Do you think that's a contributing factor for the trust they have in you?
Alex: Yeah, I think so. Well, I will say it's either- it's one way or the other, right? We've been in situations where most of the conversations that we're being in is because of our backgrounds, right. I think there's like some trust that just comes out of there. For us to kind of tell our experience, our story, you know, what we've seen, you know, for example. Other times, it's hurt us. Right? Like we've had situations where people say, "Yeah, I'm not going to work with that company, because of their backgrounds." And at that point, there's really nothing that we can do, right. There's no conversation that can make that potentially right. And I completely understand that. But I think for us, like our unfair advantage is having that experience, that background, that knowledge. And I think there's enough customers out there that that really makes them feel comfortable. And we always bring it up, we're very transparent about it. That usually is something that allows our customers to, or potential customers, warm up to us. Just to have that experience. But yeah, there's definitely situations- like, for example, we posted something a few months ago about some release notes on Twitter, and just one particular person that was like, "Why would you ever use this product? Because it's, you know, their backgrounds are X, Y, and Z." And it's like- we can't- you know, we're not going to hide that, you know, from people.
Balazs: I'm quite curious about your opinion in this topic as well, because in our previous talk, I also asked you, and I'm encouraged to hear it again, or just for- showing for the audience as well: When you started working at the NSA, there was already news about the PRISM program, and then in 2013, Edward Snowden happened as well. How does one deal with all this situation, working with the government? How did you take it? Or how do you feel about it? Because, as you say, now people would also think about NSA in a particular aspect, because of the previous historical reasons. How does one address it while working for the government?
Alex: Yeah. I think at the time, it was really difficult. Just because, you know, that's all we knew, right? That's all we knew. That's what you did. On a day-to-day basis, you came in, you worked inside the government, and when that particular event happened, it was kind of frustrating. It's unfortunate that it happened the way that it happened. You know, as far as w- it didn't really directly relate to anything that my organization was doing. But when- that was basically like the story, right? That was the story for a long time. And I think a lot of things definitely changed... even in our organization, right. Just, like I said, it was the spotlight. Like that was the thing that was happening. I think after, you know, however long it's been, I completely understand the opposite, you know. The opinion that it was the right thing to do, like I get it. But again, I think I'm always going to be Team, you know, US- Team Intelligence Community. Just because those are- I grew up in that, right. I grew up in that world. My friends, you know, who I call my family, are still- you know, some are still there, some have moved on. I think like my opinion is that it's just really unfortunate that that happened the way that it did. So... yeah. Not very- a controversial answer to your question.
Balazs: No, I see your point as well. I guess it's also limited how much you can discuss or cannot discuss during the show. So that's perfectly fine. I have another question though: During the years when you were still there, so how would one imagine a day at NSA and Communications? Or communicating with other colleagues as well? So... you mentioned that the whole background, or the root of the- of Glacier started at NSA. So could you go into details of what was exactly the issue, and how did you experience it?
Alex: Yeah... Yes, so when we started- when I started at this- you know, I was looking at mobile devices and moving through different organizations in the development program, it was- and again, like, I think we had this conversation before, like you could go- you have to imagine it almost as like a city. Right? Like you don't know everything. You don't know everybody that works there. And that's through a lot of different government organizations. So it's really difficult to say what other organizations were using. For us, it was like very basic. You know, like, when you're doing communications, you're going to use, you know, this particular BlackBerry- we were using BlackBerry at that time. And, you know, there was a lot of- there wasn't data, there wasn't VPN, there wasn't a messaging service. You know, there's- you have to kind of think like- there's no like development organization that's creating apps for these people to use. And when I came in, I was like, "Why- you know, how do we not have a better way to communicate?" And there was a few guys there that were asking the same questions. And, you know, for us, we were just there, like, you know, taking open-source type technologies and trying to build something out. I think that the most difficult part was how do you make, at that point, end-to-end-encrypted communications. And, you know, so we had this (inconclusive) with a mentor of mine – still is – and he would run this like kind of like exercise, where it's like The Washington Post Exercise, right. Like so if you- if you were to, you know, use some sort of communications tool, and, you know, someone took that device from you and they looked at it, what would that news article look like in The Washington Post? Right? And it was like something that you'd always play in your mind, like, "Yeah, that probably is not a good idea. Like they're using WhatsApp or they're using...", you know, Signal wasn't around at that point. 
"But we- you know, we have to have something better. Like we're the NSA – we have to have something better than this." And it just wasn't- that just wasn't the case. I think that that's kind of where our idea came from. And it wasn't necessarily how to secure like the actual communications, like the actual messaging communications. It was more about how do you connect to networks? And essentially reduce the attack surface. So I'll give you an example, right. So your phone is connecting to, you know, a bunch of different services, right. So what if we move those services around the month or around the year? So, for example, you know, our product, you can say, "Hey, I'm communicating to this messaging server." Now by the time that some adversary sees that that communication is going to that server, we burn that server down, we replace it with a new one. So, you know, obviously there is ways that you could potentially see, as things are changing, but all we're trying to do is just make it a little bit more difficult for the adversary. So my background was more on the network side of things. And once we- once cloud networking started to get, you know, easier, cheaper, easy to access, that's when things started getting interesting. Because at that point, we could launch servers in seconds, right, where we used to have to use, you know, bare-metal, which just doesn't have that changeover effect.
Balazs: What I'm curious about is: You mentioned that some part of your area is pretty much supplying hardware as well to your customers. Does it mean that you mainly have customers from the US, or is it starting to become a global thing?
Alex: Yeah, it's primarily the US. We do have some overseas customers. They're not, sorry, for you, overseas, right. Some non-US customers. Primarily, it is US-based. You know, so one of the things that we do is, you know, try to protect against the supply chain threats. So that would be... what if I procure an iPhone or – it doesn't have to be an iPhone, right, but let's just say we procure an iPhone. How is that security straight from the manufacturer, straight from the distributor? And that's something that's an easy- it's an easy thing to solve. And for us, that's just something that we just offer our customers. So how that would play out is that we have a wide variety of companies that we've created relationships with that can procure these devices for us. And that basically just allows us to not tie a particular serial number to Glacier or the customer, right? So again, the whole idea of Glacier is to- just to make things a little bit more difficult for someone to know who's using that device, and who purchased that device. So that's something that we just do for all of our customers, whether they ask for, you know, that or not. We- so like if I were to procure ten devices, I might get those ten devices from three or four different partners. And then those devices would come into our spaces, and they'll be configured.
Balazs: Yeah, so what I'm curious about is that, based on your previous experience at the NSA and saying that, you know, you can't really trust any mobile device anymore, can you trust the factories that are producing the devices?
Alex: I don't know. That's a tough one. I think the factories themselves-
Balazs: Like you mentioned that there was only a matter of- amount of resources and time. Like what's stopping a group of hackers or the government, so to say, for reaching out directly to the manufacturer?
Alex: Yeah, I think if you're going directly for the manufacturer, that was one of the reasons why we primarily recommend, you know, if you- any iOS device. And if you're going to do Android, we recommend, you know, the Google Pixel line, which for the most part is straight from Google. Obviously, there's- they ship them to distributors, and the distributors ship them to, you know, big drugstores, for example. That's, I think, where the threat is. Right there, is as devices are flowing through, from the manufacturer to these other distribution channels. That being said, some of the other devices that our customers- I don't think we have any customers using some of the more popular devices that are overseas, right. There's a ton of different Android manufacturers – I'm not going to call out any of it- any of them, right. But there's definitely been situations where someone has been able to get access to the supply chain straight from the manufacturer. Like I think, you go back to the trust level, right. Like do you trust this company? And their employees that are working in this area versus, you know, straight from Apple or straight from Google, for example? I think that a phone, if you were to track it, like if you were to check a Google phone and how many people touch it, it's scary, right? Because if they're able to figure out, "Hey, you know, I'm a distributor for Washington D.C.", for example, right. Like that might be an interesting target or potential target, where you might be able to exploit, right. Like you might exploit 500 to 1000 devices – you have no idea where that device is going to land, right. So for us, you know, to try to limit that by procuring devices not in those channels, I think, is just one of those things that we do that I don't know who else is doing.
Balazs: Yeah. What I'm curious about as well is that you can see in a lot of thrillers or different movies that people are using burner cells. In layman's terms, could you explain what's that, and if you'd recommend it? Is it an alternative for regular iPhone or Android? Could you talk a bit about that?
Alex: Yeah. Yeah, so there's a funny thing- a funny kind of like story or meme that goes around in the privacy world is, you know, somebody carrying around a burner right in the same pocket as their primary device, and just completely defeats the purpose of having a burner. I think a burner would be a device that has no PII data linked to yourself, right? So personal identifiable information. So you would use those devices for a temporary trip, for example. So this device would be no Google account, no Apple account. The problem with the burner device these days is that, you know, the first thing you do when you purchase an iPhone or an Android device is you log into your iCloud account, or you log into your Google account. You don't have to, right. You don't have to log in. It's just at that point, you know, from the Apple side of things, you can't download applications. And from a Google side of things, you have to use a third-party app store, you know, to download APKs on your device, which is- there's a potential threat there as well. So I think today, it's more- it's way more difficult. We recommend temporary or burner devices for someone who is doing a potential quick trip over to a high-risk area. So we might procure a Google Pixel, we load it into a mobile device manager, which allows us to completely remove the need for a Google account, right. And again, you have to kind of understand what you're trying to protect yourself from, right. Are you protecting yourself from Google? Or are you protecting yourself from a potential adversary where you're going? And I think that's- first one, you get to decide, right. There's- if you don't trust a company like Apple or Google, there's a lot more work to be done.
Balazs: Yeah, I'm very curious about this part as well. Is it a rather local issue that you normally need to protect against? Because you mentioned it depends on the area. And there are different high-risk areas as well. What would those be? And is this a local issue, or a localization issue?
Alex: Yeah, I think for- it is. It is. And I think the threat really comes down to who you are, or what company you're representing. So if you're a public figure, and you're traveling to a higher-risk area, let's just call it how we see it, like. If you're going to China, if you're going to Russia, those type of areas, more likely than not, there's going to be some sort of, you know, targeting that is happening. Whether- depending on the sophistication, who really knows. But I think the one thing you have to understand is, it's- they- those countries own the telecommunications network. So if you have a burner device or temporary device and you always put the same SIM card in it, and you're always connecting to the same cell towers, there's no protecting yourself, right. They know that you are in the country, because basically, "Hey, this SIM card is now connecting to the telephone."
Balazs: Can- say the Russian intelligence would like to penetrate a particular mobile device of a particular person in- who- the person is currently located in the US. Would that be possible? Or is it actually easier if that particular person is in Russia, for example?
Alex: I think it's definitely easier if the person is in Russia, 'cause you're in their territory and they own all the infrastructure, and there's- the risk is much lower. That being said, I think that our telephone- our cellular networks are dated and they have their own issues. Right? You hear about different types of attacks, just by, you know, gaining access to the telephone network, whether that's social engineering somebody at T-Mobile, or, you know, doing something a little bit more sophisticated, where you're leveraging like a phishing attempt. But I think that if you are in that country's region, that country's, you know, basically, playground, I think it's way more, way more of a risk.
Balazs: And you mentioned that, if you have your normal mobile device in your pocket plus the burner, it defeats the purpose. If you use it with two different SIM card, why would that be?
Alex: Well, 'cause you're kind of linking- you could basically see, okay, well if I see that Alex's phone is connecting to this cellular network, and you have this other device that is right next to it, everywhere Alex's device, this other SIM card is going. It's fairly easy for someone who has sophisticated, you know, filtering and searching, that they can basically say, "Oh, there's something interesting about this other phone that's near that person." Whether it's his burner phone, or maybe it's someone that he's, you know, working with, for example, it would be very easy for someone to basically filter down and say, "Hey, show me all the devices that are near this particular cellular device."
Balazs: So say you have a person who would be a high-risk target traveling to Russia or China, so to say. What would be your care package for this individual?
Alex: Yeah... it all depends. I think, ideally, you procure a device that's clean, that's safe. Right. Like something that's new, that's never traveled before, right. Because... (inconclusive) on the phone are burnt into the device, right. So as you connect to the network, they are essentially burnt at that point. And there's no sense in the factory wiping the device or doing anything with applications. There's really nothing you can do. So a fresh device, a fresh SIM card. SIM cards are interesting, too. I don't know what it's like over there, but there's many countries that require identification before you purchase a SIM card.
Balazs: That's pretty much the same all over in Europe in the last couple of years because of protection against terrorism.
Alex: Yeah. Yeah. So it used to be: You could go into any like convenience store and buy a data-only SIM with cash, and put the SIM inside your phone, and yeah, you're good to go for a week, or you're good to go for a month. What's super interesting about the data SIMs is that now like, you know, there's many applications out there, but like we have a dialing app that just can replace your dialer on your phone. And that doesn't require an actual phone number, because it uses (inconclusive) to make those phone calls. So if I just have a cell- data-only SIMs in my phone, I can do pretty much anything I want, as far- from a communication standpoint. So for the countries that you can go, and you can basically pick those up within a couple of minutes, you know, with 10 Euro, for example. That's the best way to go. But like you said, that's going away. You know, Dubai, for example, they require a passport, to-
Balazs: Yeah, same in Europe. Pretty much all over.
Alex: Okay. Yeah. And also like, for example, in the Dominican Republic, you have to have, you know, essentially their version of a driver's license to also get, you know, a SIM card. And I think that that's kind of one of the restricting factors, you know, for someone that's higher-risk. So what you could do, which obviously there's cost involved in this, is, you know, have someone else procure that SIM card on behalf of the other user, or the other person. And as you can imagine, like the logistics in that and the cost in that could be a little out of reach for, you know, some people. But that's something that we could do. That we could- that we would recommend, really.
Balazs: Interesting. Now, another topic that I wanted to raise is the whole pandemic. Of course, we are all in it in the last... well, it's a bit over a year already. How did it change the business for you, if it did? Or what are the changes that you experienced in the past one year?
Alex: Yeah, I think it definitely affected us. You know, we- again, our primary focus is protecting people in high-risk situations, high-risk travel. And across the board, travel was down. So I think for us, it was one of those things where we had to focus on, one, building up the product. We used the opportunity to build the product, and continue to advance the product. And also kind of prepare for what life would be like after, you know, the pandemic. So I think for the last I'd say- you know, over here in the States, things are pretty bad still. But travel is definitely starting to pick back up. So we've been supporting much more events lately than we ever did over the last year in a few months. So yeah, I think, you know, we definitely- we were definitely affected.
Balazs: Yeah, and there was also-
Alex: But I will say-
Balazs: Sorry, carry on.
Alex: Sorry, go ahead. I was going to say, you know: We kind of- we did pivot a little bit in saying, you know, "As your employees are sitting at home, at their house, how do you know that their networks are secure? How do you know that-", you know, for example, if I'm living in a dense environment, right. Like say New York City, for example, you know. There's a lot of risk from wireless security exploitations, right? So how do you protect those users at home? So we started to kind of go down that path, and we started to provide a lighter way, I'd say, solution of our product that was more tailored towards, you know, all individuals within an enterprise, versus just the high-risk ones.
Balazs: Yeah. Would you say it's rather- it's a corporate segment, or is it more like family offices and similar segments?
Alex: As far as like our customer base?
Balazs: Yeah.
Alex: Yeah, I'd say more of a f- more family in offices, just because we feel like we can come in and provide them almost like a- like you almost have Glacier working for your family office, rather than just buying a product, or buying a license from us. We don't like the idea of just saying: "Here's a license to log into our application. Go for it." Like we want to be more part of your organization. Some people like that, some people don't like that. We do have some enterprise customers where they just- they run our system themselves, and we come in and provide a little bit of, you know, train the trainees or train the trainers. But that's definitely not our main- you know, our main goal.
Balazs: Yeah, I see. I see. Alright then. There was another big change as well, specifically for you guys. But, I guess, a little bit for everyone in the world, is the Trump versus Biden administration change. I don't- I'm not necessarily trying to figure out your political views here. It's rather about: Did it affect you in any way? Or what's your experience with the new Biden administration?
Alex: I think from a Glacier standpoint, I don't think it affected us much. Again, it's unfortunate that- the way that things kind of unfolded with, you know, the transition. And just over the last few years, there's a lot of- a lot of topics are very, you know, polarizing. From an intelligence community standpoint, I always- I- we had a lot of- a really good group people that I worked with that during those administration changes, it's just something that we just don't- we don't necessarily talk about. And I think it's just because it's better that way, right? Like you want- you don't want to have some sort of conflict between the people that you're working with closely. Yeah, so I think that that's probably the best mentality to look at it, you know. And I- that continues through Glacier as well, because, you know, our employees, we train them to not have an opinion about that, right. Whether you do or not, like you should have an opinion, but, you know, we have customers that are on both sides of, you know, "I'm pro this." "I'm pro that." So that, you know, we don't want to necessarily pick sides.
Balazs: Yeah, but if you just look at it from the other perspective that in the past couple of years, the whole trade war between China and the US increased and... wouldn't affect the whole intelligence community? I mean, wouldn't there be increased amount of threats, because of that as well? And that would indirectly reflect to Glacier as well, I assume, and your clients?
Alex: Yeah, I think- yeah. Absolutely. I think so. I think- especially, you know, as you are putting up different restrictions and, like you said, you know, trade war, you know, type of events. I think that just increases that... I would say- what would you say? Like temperature. Like in the community of customers or intelligence community.
Balazs: Is it the tension?
Alex: The tension, right. And I think other governments are willing to try more things, right? Whether that's, you know, actually to conduct espionage, or if it's just to be like, "Hey, just so that you know: Like I'm here." Like just, you know, you're poking the bear, I think. I think that that temperature has definitely gone up over the last, you know, few years. Which we try to educate our users, while going overseas or going different countries, that that potential government climate can increase the risk for them.
Balazs: You mentioned earlier in the discussion that some of the clients were involved in research as well. I'm not sure if you can discuss this as well, but I imagine part of this whole pandemic was a crazy rush towards creating a vaccine that could help remedy the whole solution. I guess, it might had an indirect effect on you guys as well, right? Because the research for a vaccine is one thing, but there are different suppliers involved, different researchers, different politicians, different organizations who are funding the research involved. So there is a large picture here. Would you say that that was something that was an interesting area? Or are you very involved? Or that's not something that you guys help with.
Alex: Yeah, it's a- yeah, it's interesting, because these communications are super sensitive. And I think mainstream knowledge of secure communications was very limited before the pandemic. I think the big- like what- the big story that hits me is the Zoom- you know, Zoom's story with their, you know, quote unquote "end-to-end encryption". And I think that that-
Balazs: Yeah, that was a big one.
Alex: That was a big one that I think a lot of different, you know, technical like CISOs and CTOs started to ask questions. Like, "Okay, well, what is end-to-end encryption?" And then, fast forward a little bit to WhatsApp, the WhatsApp, you know, privacy with the policy message that popped up for all of their, you know, billions of users.
Balazs: Yeah.
Alex: Basically saying- you know, poorly worded, basically saying, "Hey, you know we're to give all your information to Facebook." At that point and that transition, that flood of users to Signal...
Balazs: Yeah.
Alex: ...was great for us. Because here we are, this small company. You know, just trying to get our word out about securing your communications. And it's tough. People don't want to listen, right. Like you look at text messages, "Well, isn't iMessage encrypted?" That conversation always comes up. But now people are starting to think about secure communications. And going back to your question about the pandemic and the research: People are coming to us and say, "Hey, we're working on this project. How do we position ourselves to do this, communicate securely?" Because people are all over the place, right. Like so you have people that are in labs, or people who are communicating, or making a product. They're in all different parts of the world. And the products today are what? You have Slack, you have Microsoft Teams, for example. All of these really great products that have a lot of features. But unfortunately, the security is not at the level of what I think it should be. And I think the reason for that is because it's difficult to offer all of these really great features and also add, for example, end-to-end encryption.
Balazs: Yeah.
Alex: Just because- from a design perspective, and a math perspective, like adding end-to-end encryption to all these things is at this point almost impossible to do. So having a solution like us, they can use for out-of-band kind of more sensitive communications is kind of where we're feeling like we were filling that gap. There's no way we'll ever compete with a company like Microsoft for Microsoft Teams. And we're not trying to. Right. You use Microsoft Teams, but when you want to have a different conversation, there's other applications, there's other ways to do that. And whether that's Signal, or, you know, our product. You know, there's many other oper-
Balazs: Yeah, very interesting you brought it up, because I think there was a lot of discussions lately around security versus convenience, and if you can have both in the same time. And I personally think that's not really the case. And, as far as I understand from your words, you pretty much agree on this. And the case about Signal and the scandal that they had with MobileCoin, that was a great example where they essentially take an oath of about end-to-end-encrypting messaging as for security. And then they pretty much tried to combine it with convenience, with being able to pay, at least for now in the UK, via the app. So I'm wondering: What's your take about that?
Alex: It's super strange. It's super strange to me that this is the kind of way that they're going. And who knows? That that- they could still (inconclusive) it. So, for your listeners, if they don't know... They basically have established a relationship with MobileCoin. MobileCoin is, you know, just like any other coin, you know, out there. And basically, they want to add a new feature into Signal, where you could pay your friends, very similar to how, you know, Venmo works here in the States. You know, PayPal, for example. Cash App is another one that's very popular here.
Balazs: Or Revolut in Europe, for the European listeners.
Alex: Yeah. Yeah, yeah. So, you know, there's all these other services that are out there that have, you know, for example, no fees, right. And I'm not a crypto- I'm not a crypto hater at all. I just think it's tough for me to see, you know, using an app like Signal to send money to people, and also pay, you know, currently there's a sixty cent fee per transaction. But pushing that aside, it's strange because I don't think the Signal community goes to Signal, you know, for that type of product and service. You know, to me- you know, we have customers that use Signal. We put Signal on devices that we give to people on top of our application. So there's no competition there whatsoever. So that being said, like we think of them as like the standard, right, like, you know, a non-profit organization that's providing secure end-to-end encryption to the world. And they done some fantastic work. So this particular addition, this feature thing that they're adding, is really strange for me. I don't know what the reason for- he was- I don't know if you listened to- Moxie was on Joe Rogan a few months ago. And he talked about how secure messaging is not the only thing that they can be doing. I think that was kind of like a hint. He was more talking about it from a social media perspective, right. Like how do you do end-to-end-encrypted social media? And even when he said that, on that particular podcast, I was kind of taken aback, like, "Hey, you know, like you have a great thing going on here." Right? Like there's, "You don't necessarily need to add social media, you know, crypto coins, all these things to it." So for me, I think that it's a really interesting decision. But who knows? I mean, they have a huge user base, right?
Balazs: Yeah. Don't you think that some of the people who are involved in cryptography are to some extent philanthropists? They try to change the world for the better. And this could be a manifestation of that, from pure good-heartedness, pretty much trying to serve more people with convenience, being able to pay for your friend in an easy in-app solution. Don't you think that could just be that?
Alex: I do. I personally think so. I think also to the, you know, you're choosing a coin. I'd never heard of it before they posted it on Signal. I don't know if that's something that you've heard of? MobileCoin?
Balazs: I haven't. I did see that there was 450% increase just in a couple of weeks, which was- which let's just say is suspicious, to some extent. And I assumed that that was part of the issue that'd blown up this whole scandal.
Alex: Yeah, so the scandal is really- it comes down to, you know, Moxie's relationship with MobileCoin, not for the actual (inconclusive).
Balazs: Oh, the lack of transparency about it.
Alex: Right. Right. And there was a- and I've only read, you know, some- if you- you could spend all day on Reddit, looking at some of these comments, right? Some of these stories about it. But, you know, looks like they removed his name from a technical whitepaper. You know, it was clearly obvious that they removed his name from a technical whitepaper. That being said, like if he had a relationship and trust with MobileCoin, and he thought that- and I assume this was the actual decision-making. Like why would I go with someone who I don't know?
Balazs: Naturally.
Alex: When- and a technology that I don't trust? So I don't think that there is anything malicious. I think that it may be just that it was a poor series of events. And I think they probably could have got out in front of it better. You know, releasing it. So, I don't know. What do you think?
Balazs: I think it perhaps comes down to PR and the way how it was communicated, because as you say: Naturally, if he was part of- as a CTO, if he was part of the team who built MobileCoin, and he trusted that it was the best solution to be built-in in Signal, then it's natural that he chose that. It's just the way it was communicated. And I think, especially privacy freaks, so to say, I think most of us prefer clear communication and transparency in the world of privacy, because we want to know what's behind the curtain. And when there is a company that's a big promoter of privacy, we would expect that all the communication coming from them would be transparent. And perhaps that's what people missed the most.
Alex: Yeah, I think that they're also- they were a fairly small company up until what? A few, you know, months ago. And I think that that growth could potentially cause- you know, cause issues. Like you say, with like a PR type event. Like I think it just could have been handled better.
Balazs: Yeah, I think also that was the scandal of WhatsApp and their privacy policy change. But also Elon Musk also contributed to this whole Signal boom, because he also tweeted just this "Use Signal." And then, the next day, they got millions of new users. And I think, as a small company, I can imagine there was a lot on their plate to deal with. And perhaps this was just a bit too much, and they didn't handle it the best way. But I'm sure they wanted the best for their users, as a non-profit organization. So... that would be my take.
Alex: Yeah, I agree.
Balazs: Alright. As the time is soon up, for a takeaway for the listeners, would there be any book that you would recommend reading that you enjoyed that you think it's interesting or exciting, from this whole intelligence industry, or privacy, so to say?
Alex: Yeah, I do. I think a lot of times when people recommend books, it's like a self-help or, you know, like some sort of story. There's a fictional book called "Blood Money", which is a really- really interesting story, about a CIA person in Pakistan. So I think if your listeners are into fictional kind of spy thrillers, I think that that book was pretty fun. So...
Balazs: It's great you mentioned it's fictional. And we had this conversation about mobile device protection. I just- I'm somewhat skeptical about what might be fictional and what not in that book, but... I'm very excited to read it. Well then, thanks Alex, for joining! It's been great having you!
Alex: Yeah. Yeah, really appreciate you having me. This was fun.
Balazs: Alright. Talk to you then. And thanks for joining once again.
Tresorit Team