“Please, Just Change Your Password” – Transcript
JIM GOEPEL
Why then do we still suck at cybersecurity?
MAURICE BAYNARD
Welcome to Drexel’s 10,000 Hours podcast. Our goal is to mind the stories behind our region’s innovators, inventors, and thought creators. We’ll be talking to experts and subjects from dance, to cybersecurity, to find out what lies behind the passion for their work, the inspiration for their ideas, and the motivation for their creativity. I’m your host, Maurice Baynard.
[MUSIC PLAYING]
Jim Goepel is an adjunct professor at Drexel University’s Klein School of Law. He is the CEO and General Counsel for Fathom Cyber LLC, and specializes in the law and strategy surrounding cybersecurity.
So James Goepel, thank you for being on the 10,000 Hours.
JIM
My pleasure.
MAURICE
You have a really fascinating sort of origin story. So I’d like to start all the way back at the beginning. You know, I really like to ask people, is there anything in your youth that is sort of an indicator of what you would do as a professional?
JIM
[LAUGHING]
Yeah, I’ve been a big geek pretty much my entire life. I got my first computer when I was– I think it was about ten years old, ten or 11 years old. And it was one of those original– I’m so old that they don’t have– we didn’t have floppy drives. We didn’t have any kind of hard drives. Everything was– if you recorded anything, or stored anything, it was stored on a magnetic tape if people know what those are, that tape.
My computer had 2k of RAM, just for perspective. Most computers today have gigabytes of RAM. Mine had 2k. You had to write every line of code yourself.
Yeah, I got into computers because I found them fascinating. You have to go back, this was the 1980’s at that point. So they were still pretty new. These were some of– the first time that computers really came into the home, there were PCs. They were ridiculously expensive at the time.
My Timex was much less expensive than the typical PC. But I saw them as being really fascinating. I thought it was really cool to be able to tell something what to do. Not in a control freak kind of way, but just to be able to write something, and how to automate the processes, and the thinking that you would want to do.
And I knew that I wanted to be around that. So I actually didn’t want to– by the time I finished high school, I decided I didn’t want to be a programmer. I had written code for a long time. I was reasonably competent. I knew I wasn’t an expert. It was all self-taught.
But I knew that I could learn most languages, most programming languages. And so OK, I wanted to do something else. And I wound up going into the hardware side, and doing computer design. Because I wanted to actually to build the computers that people then used to write their code, as opposed to just writing code.
MAURICE
I mean, this is such a fascinating story. It’s almost the founding of Apple all over again. So there you are, right, you start with writing. You get Cobalt under your belt, whatever the other ones are.
And so you decide to be an engineer. And which university, shout out, do you decide to go to, and why do you make that choice? Like, what was it about the place that you chose, so people can see the force shadow.
JIM
I am a Drexel grad.
MAURICE
Woo-hoo.
JIM
Yeah, absolutely. And I came for a couple of reasons. Number one, I grew up in South Jersey, so it was a local school. But also, I mean, it was like when you talked about engineering, this was again, in the late 80’s at this point. But when you talked about engineering in the Philadelphia area, Drexel was the school that everybody talked about.
But it was a lot of fun. It was a lot of challenges. And I got out, and as a co-op, I got to do some really cool stuff. I worked for the US Coast Guard at what– the base is now closed. But it was in Cape May County. Their electronics Engineering Center, I got to help design test equipment, and write test procedures for fixing what was the precursor for GPS.
And then I got to do some other really cool stuff. I worked for the University of Pennsylvania as a co-op, where I was involved in a research project for the US Navy, where we looked at breathing gas mixtures for submarines. That was a cool job.
MAURICE
Wow.
JIM
Yeah, so I’ve had a lot of really neat experiences just as a co-op getting to do those things. And then to then leverage that as I went out into my career was really cool.
MAURICE
OK. So there you are graduating from Drexel, you’re Drexel alum. What’s your first job out of college, given all that great experience.
JIM
It was actually back to that other place here in Philly.
MAURICE
Darn it.
JIM
I really loved what I did. And so it was a lot of fun. And I was there for about a year. And then I got picked up by Lockheed Martin. And I was designing test equipment for satellites.
Unfortunately, I was only there for about six months. Because right after I started, they announced– I went to work for what was then Martin Marietta. And they announced right after I started that they were merging with Lockheed. And about a month later, they announced that they were closing my plant, and moving everything to Denver.
So I wound up in the Washington D.C. area. And then I saw an opportunity to work for the US House of Representatives. So I got to work on Capitol Hill as an IT person. I was in an office of 35 attorneys.
It’s one of the few truly nonpartisan offices on Capitol Hill, and just an amazing group. It’s called the House Office of Legislative Counsel. And their job is to advise members of Congress on how to write the laws to meet the member’s specific goals, whatever they are.
I almost wonder how you even fell into that role.
When I was at Lockheed Martin, I saw that the IT people were like basically running the place. So I actually got more and more interested in the IT side of things, as opposed to the dedicated hardware pieces that originally, I went to school for.
And when I went to work for this office on Capitol Hill, they were maintaining their own exchange server. They had their own email. Because they were truly non-partisan, there were concerns about objectivity, and all sorts of other things. So they had at the time, had their own email server. And they were looking for somebody who had experience with it. So I just happened to have the right experience, and so I got that job.
MAURICE
So this is great. There’s a line in your bio that I really love. It says that, you’re a cybersecurity expert lawyer, turned cyber security expert. And what I love is that you’ve had this whole rich career. It feels like three careers up till now. And we still haven’t gotten to becoming a cybersecurity expert.
So clearly, there’s something important that happens on your career path while you’re here in this congressional office. So who is it that you’re interacting with? And is there some ah-ha moment where you go, oh, this is the thing I’m now interested in. Let me go pursue that.
JIM
Yeah, I was supporting an office of 35 attorneys. And I think it was about ten or 15 support staff. And I realized that I had gone basically as far as I could in that office. I was the IT person. I was the only IT person in the office. And that was pretty much as big as that group was ever going to get. Maybe I’d have a direct report at some point, but that was about it.
And so I was trying to figure out what I wanted to do next. It was a great place to be. There were a lot of benefits to being there. But it could be intense working on Capitol Hill. When Congress was in session, it was very intense. There’s a point where you start to burn out, because you’re just on this treadmill like all the time.
So I was trying to figure out what my next job would be. And I started looking around at the people that I was working with. And they were some amazing people. And they got to do some phenomenal work. So I started asking them a lot more about being a lawyer. And I had several of them who encouraged me to go to law school. And so–
MAURICE
Yeah, it seems up until that moment, your entire career was about working through technical solutions.
JIM
Yes.
MAURICE
So I wonder, was it the non-technical aspect of what they were doing, the people [INAUDIBLE] that really sort of got you.
JIM
No, so the areas of the law that were interesting to me were the technical areas of the law. So it was being a patent lawyer. And then the two others that were interesting to me were trust and estates, because there’s a lot of complexities there, and tax law. Again, because there were a lot of complexities, a lot of things you had to really– If you think about the way you would analyze the tax code, it’s actually like analyzing software.
MAURICE
Yeah.
JIM
A lot of twists and turns, and things, and conditionals, and all that kind of stuff. And so, oh, OK, that seemed like a natural fit for me. But right when I was talking to them, there had been a Supreme Court case about two or three years earlier that opened the floodgates for the ability to patent software. And so they said, oh, with your background, you really should look at being a patent attorney.
And so I was really interested. I’ve always had a soft spot for small businesses, and helping protect small businesses. And so the idea of helping companies and helping small inventors protect their inventions was really cool to me. So I decided, OK, that would be neat.
MAURICE
So it seems to me that you could have been lost to all history down the patent lawyer rabbit hole. But clearly, you did something. So once you’re done with law school, what is the opportunity that turns you towards cybersecurity?
JIM
It’s always been something that was of interest to me. And even when I was in law school, I went to law school at night. I got both my JD and my LLM, so Legum Magis, or Master of Law.
MAURICE
Yes, thank you for the Latin.
JIM
Yeah. So I got both degrees going to school at night, and working full time for a law firm during the day. And my job with the firm was again, as a patent lawyer. And most of my clients were in the cybersecurity field, or the technology field. Because of my background, it’s just naturally where I gravitated.
So a lot of them did really cool, innovative stuff. They knew operating system architectures that were highly secure, or data encryption algorithms, or new networking technologies, or just across the board. So it’s always been things that either as the geeky engineer designing, and building, and maintaining this stuff, or as the patent lawyer, who was listening to all the geeky engineers who were designing, and building, and maintaining all the stuff.
It’s always been something that I’ve done. I represented a lot of people when I was outside counsel. And then I actually got to work for Unisys here in the Philadelphia area. That was amazing. They’re a 120-year-old, 100-year-old computer company that has been a cybersecurity company basically from the beginning, which is really– They didn’t really think of themselves that way, because it just came naturally to them.
But over the last decade or so, they’ve really embraced the fact that they’ve always sort of been a cybersecurity company. That was really cool. I got to meet some amazing researchers, who again, working next to them, and through osmosis because of the work that I was doing, I got to learn a lot about the innovations that they were creating.
And then I went to work for Johns Hopkins Applied Physics Laboratory in Maryland, which is one of the government’s biggest think tanks. And they do offensive and defensive cybersecurity work, among many other things for the federal government. And because of my background, that’s where I kind of got fit.
They do health care. They do all sorts of other things. But because of my weird background, I got put in with the cybersecurity teams. And so I continued to work with them for a while. That was a lot of fun.
But then I got an opportunity to be the General Counsel and Chief Technology Officer for a cybersecurity company. And it was a startup. I was employee number three for them. And because of my technical background, the person who owned the company was really interested in me, and again, made me the Chief Technology officer too.
I ran our Development Center in Poland. I helped design the product that we were creating from scratch. I did all sorts of other hands on technical pieces. And that was fun, because it was the first time in probably ten to 12 years that I had really gotten to do things hands on.
Everything else that I had done, like I said, was through osmosis for the most part, for the last decade or so. And then to be thrust back into this was like, oh, OK, this is fun. So one of the things that I got to do is, to go out as the– because I was employee number three, I was the sales peoples’ favorite person to bring along on the sales calls.
I understood the technology. I understood from a cybersecurity perspective, there are legal risks. There’s all these other things too. And I could talk to all of them, because I had the background to do it.
So they loved bringing me along. And as you can tell, I am good at talking. So they loved bringing me along on the sales calls. And I very quickly saw that cybersecurity was this very weird space. Everybody immediately jumps to technical solutions.
And as a Chief Technology Officer for a technology company, I kind of understood. But what I saw over and over again was that actually, the problem isn’t that we don’t have cool technologies. I worked, again, for some amazing companies that did just groundbreaking research on the technical side.
And what struck me was, if I knew that all these cool technologies existed, there were– I won’t go into them– just some amazing technologies that are out there. Why then do we still suck at cybersecurity?
MAURICE
Right, exactly, yeah.
JIM
And as part of my job, I went off and started reading some of the analysis of things like the Equifax breach, and some of the other big breaches at the time. And what you see over and over again is that it’s not that they don’t have the cool technologies. Equifax spent a lot of money, and had some really cool technologies in place, but they didn’t have good controls on the backend.
So those technologies throw up warnings, and tell you, oh, you need to update in their case, to get GigE, the SSL certificate on one of our SSL sniffers has expired, and we can’t see the traffic happening anymore.
MAURICE
Yeah.
JIM
And the management would just go, OK, and move on. And the technicians, because management wasn’t prioritizing it, the technicians were busy fighting fires all the time. So they would go off and take care of the other stuff. And this ministerial thing of having to update a certificate keeps getting pushed down lower and lower on the priority list.
Well, that’s the root cause of their biggest problems. They actually had the technologies to detect the intruders that were in their networks. But because this one thing didn’t get updated, they didn’t see it. As soon as they updated that certificate, voila, everything started to work, and they realized there was a problem.
There were other issues there too. They weren’t doing patch management. They weren’t doing some of the other things that they should have been doing. But at the end of the day, they had the technologies to catch it. They just didn’t maintain them.So what do you do? How do you fix that? You don’t fix that with more technology. That’s a people problem.
MAURICE
Yeah, this is super interesting. I mean, ten years ago no one was thinking about cybersecurity. And now, it feels like our entire lives are ruled by it. It also feels like the genie is out of the bottle, and we’ve all done so many wrong things that every machine on the planet is already breached.
And so I haven’t been able to let go lately. I was listening to a podcast about printers. Because you were talking about printers earlier, especially government printers. And that because they’re now connected to the internet, they can be hacked. And no one ever thinks to update the patch on their printer, which then opens it up to all kinds of global hacking.
And it just feels to me that the problem with cybersecurity is that it involves people. And it’s not that people are dumb. We’re just kind of lazy. Nobody is going to update when the little pop up says to update. And is there a way to get the people out of the loop?
JIM
No. Because we’re the users. I mean, so there are things that you can do proactively, and there’s actually a big push. California, about two years ago now instituted a law that any new IoT internet of things device, like your SMART thermostat, or refrigerator, any of those other SMART devices.
By default now, if you sell into California, you can’t have them with a default username of admin, or password of admin.
MAURICE
Exactly.
JIM
You actually have to– every device has to have its own unique username, or at least username and password combination. Or you have to prompt the user to set up a unique username and password every time when they’re installing a device. Those little things like that.
And now, users get frustrated, right. Because if I go by this other device, that one, I just have to plug it in and it works. We all want the simple.
MAURICE
Exactly.
JIM
The device that’s asking you for hold on, you need to fill in a password here, that actually is much more secure than the other. So there’s this constant trade off. Everybody wants the easy, and nobody wants to do the work. But staying secure– the example that I use is, in your home, right, wouldn’t it be nice if we just had those big heavy plastic sheets that they have at Costco when you walk into the frozen area. That you walk in there, and it keeps that part cold, and you walk out, and the rest of the place is warm, or vice versa.
MAURICE
Right, right.
JIM
And so if that was my front door, that would be awesome. Unfortunately, the realities are that that’s not the world that we live in. We have doors. And we have doors in part to keep animals and other critters out. But we also have doors to keep other humans out, because we need to.
And so we have to close those doors behind us. And we have to lock those doors. And when you’re carrying groceries out to your car, wouldn’t it be nice if your car just automatically opened the door for you whenever you walk by. But then, how does it know who you are versus somebody else? And you have all of these complexities.
Security is something that is always inherently inconvenient. We have to learn. We have to better educate ourselves about security to understand then why some of these inconveniences are being imposed on us.
MAURICE
Yeah, I mean, it’s a lot of maintenance. And it feels like you’re doing a lot of work. And just speaking for myself, just changing my password for everything can be really challenging. But it also seems– yeah, go ahead.
JIM
You just pushed a big, big button for me. So there are password managers. That’s one of the best things that you can do from a security perspective. So I’ll give you two good security tips. Number one is, to enable automatic patching for most of your products, and actually let it patch.
Microsoft Windows, if you’re a Windows user, or any of your mobile OS’s, you can actually enable automatic patching. And I’m so anal that I every couple of days will force my computer to go out and double check, and see if there’s a new patch.
MAURICE
Wow.
JIM
Because the minute those vulnerabilities are disclosed, usually within about two days, there’s some attack that’s based on that vulnerability. So if you are not updating your machines on a regular basis, you are leaving yourself exposed. I knew people that haven’t run patches in months or years. And in fact, that’s actually one of the other problems that led to the Equifax breach, was they weren’t doing good patch management.
So make sure that you have that enabled. Yes, there are some problems sometimes with patches. And yes, it can lead to issues. But I can guarantee you that the risk that comes from automated patching is significantly lower than the risk that comes from not allowing automated patching. So that’s tip number one.
Tip number two is, use a password manager. So I use– there are several. And I won’t endorse any particular product, but I use one, and I love it. Originally, I was really resistant to it. But the architecture, the way that the good ones are set up– and there are several good ones you can find online reviews. There are, again, several good ones.
The way that they’re set up, only you can get to the passwords that you stored in there. The data is encrypted with a key that only you have. And so it goes up in their server. Yes, they do maintain a copy of it. But you’d have to be able to hack the encryption. And they use really good encryption to keep all of that stuff secure.
So you put all your passwords in there. You use a unique password for every website that you visit. And then it just manages so you have a master password that you use to get into your password manager. It unlocks it. And then you go to log in, and you can log in on any website. You have unique passwords on every site. And it will automate the changing of them if you want it to.
But also, if you use complex passwords, which now the password manager lets you use a 20 character password, because I don’t need to remember it. So I store it in the password manager, and now, I can use a 20 character password. And the National Institute for Standards and Technology, the group that the US government uses to set all of the standards for the government has said, if you’re using a password that’s more than about 12 characters, and you use some different words, unrelated words in your password, the length of that, you don’t even need to use– according to them, you don’t even need to use the funky characters, like the @ symbol, and that kind of stuff in your password.
As long as it’s long enough, that’s what matters. Because there’s what’s called entropy. And so for the first character, if I have only a one digit password, or one character password, I’d have the 26 letters of the alphabet times two for upper and lower case. Plus, I have the ten numbers, right. So I’ve got some lists, whatever.
MAURICE
Exactly. We can do that math, right. Exactly.
JIM
But as I go out, now, each time I add another character, I multiply that, so it gets bigger, and bigger, and bigger. Eventually, statistically, it just becomes basically impossible to pick your password, unless you’re using a common password, unless you’re using certain thing, or if you reuse them, that’s where we get into a lot of problems, or a website gets hacked.
They get your username and password. And now, that password is known. And it’s a known password combination between your username, which is typically your email address. And so now, they can start using that. When Disney Plus launched, within like two days there were accounts on the dark web for Disney Plus.
And in the security community, a lot of people started going, oh my god, like, how can Disney have problems? How do you launch a service– in what was that, 2020, or 19, that doesn’t take cybersecurity into account. And Disney went back and looked at some of those accounts and said, no, no, no those are accounts where the username and password are the same that they used on other sites, and those other sites were breached.
And so the bad guys knew that the username and password combinations were out there. And they just tried them against our site. And eventually, they logged in.
MAURICE
I feel like everyone who’s listening to this, their blood pressure just went up like ten points. Because it feels so overwhelming, if I can just speak for myself. And I mean, I am going to try both of your recommendations. Absolutely, I’m going to automatically patch. And I’m going to try to manage my passwords with a password manager.
Is there anything else that people just get wrong about cybersecurity, either because they don’t know, or because they’re just being lazy?
JIM
So my other big tip is, the multi-factor authentication. That’s the third prong of it. Make sure you enable it wherever you can. That’s where you either get a text message, or even better, the text message ones are easy to breach. So there are several different ways of getting your text messages.
MAURICE
Great, great, great, great to know. Thanks.
JIM
So that’s all comforting, isn’t it? There’s actually an app, they are mobile apps that you can get Microsoft Authenticator. Google has their authenticator as well. There’s another one called Duo.
Those generate random numbers. They’re actually pseudo random numbers. So the website that you’re logging into knows what the sort of what they call a seed value, or starting value is. And then your app and that website changed the number on a regular cadence. So it’s every 30 seconds that the number gets updated.
And so by having that app on your device. Now, you pull it up. You’ve got your six digit code, and you just plug-in your six digit code on their website. Those are the better way to do it. There’s actually even more advanced things called the USB keys that automate that process for you even more.
But the mobile apps are a great way to do it. And if you put that in, again, to go back to my analogy before, the home, yes, it slows you down, because you have to pull out your phone, and you’ve to get that six digit code. There was a study done by Microsoft recently that I think they said 99%, or was it was it 99.9% of recent attacks would have been stopped if multi-factor authentication was enabled.
MAURICE
So I wonder, so everybody’s interested in both your area of sort of law, because it has all of these larger implications, and cybersecurity, because it seems like the entire world is on edge about our data, about our information, and how we keep it safe. I wonder if you just had to, if you were cybersecurity czar– actually, that is a thing, right? If you’re a cybersecurity czar of the country, what is the law that you– or the rule that you implement to best help us all keep the things safe that we want to keep safe?
JIM
That’s a really tough thing. Because anything you do is going to intrude on civil liberties in one way or another. You’re going to–
MAURICE
Civil liberties, stop it with that silliness. Keep going.
JIM
It’s really important. And so you have to constantly weigh that. There was just something yesterday, or earlier this week, where the FBI went in. They got a court order, or they got permission from the court to go in and actually removed malware that had been installed on hundreds of computers around the country.
MAURICE
Wow.
JIM
And so this is the first time that the FBI has done that. And in some of the courses that I teach at Drexel, one of the questions that I ask students, we explore cybersecurity from a lot of different perspectives. And one of the questions that I often ask is, once you understand how important cybersecurity is, should we also have a police force that goes around and helps protect people, an online police force.
We have police who are online. They are looking for– and I don’t mean to trivialize it– because it is definitely not normal. But they’re looking for child pornography. They’re looking for other really horrendous things that happen online.
They’re not looking for– and again, it’s still a huge economic issue. But they’re not looking for the guy who’s committing ransomware, generally speaking. They’re just not out policing at that level.
Should we have that instead? That’s going to cost us a lot from a social perspective. As a society, there’s a lot of literally paying somebody to do that. You have to go find good, qualified people. You have to make sure they stay trained.
This is not a one and done learning thing. It is a lifetime commitment to be a cybersecurity person. So do we want to impose those costs on ourselves. Right now, we’re, sort of like the Old West, where you had security companies who took care of physical security for you. And then eventually, we got rid of that, or downplayed that a lot, and we established law enforcement.
So do we do something like that now in the virtual world instead? And that’s an interesting problem. So in this particular case, what happened was, there were vulnerabilities in ironically, Microsoft Exchange, in their email servers. And there were bad actors who have, I think, recently been attributed to Russia.
There were bad actors who were taking advantage of that Microsoft Exchange vulnerability, or set of vulnerabilities, and installing, essentially, back doors that gave them complete access to those servers. And again, they had hundreds and hundreds of these servers that they took control of. And the FBI went to the courts and said, hey, this is such a significant problem for us. We want the authority to come in and uninstall this malware.
We’re not going to do anything else. And they described to the court exactly what they would do. But they said, here, we need the permission to come and do this. And the court gave them that authority.
Imagine what the court just said was, the FBI was allowed to proactively go into a home and remove something from that home, that OK, I didn’t really want it to be there. But the court just gave them the permission to walk through that open door– and admittedly, it was an open door, because there was a flaw.
MAURICE
Right.
JIM
But the court gave them the permission to walk through that open door, and actually make changes in your home. Again, you know, stretching it. But could you imagine coming home, and all of a sudden, like, your silverware drawer is rearranged. Because yeah, that’s the right way it should be. Or other not major changes, but subtle changes.
And where do you draw that line then? What’s the difference between a subtle and important change, like removing something that shouldn’t be there, versus something that’s different. And should they have gotten permission first?
Usually, when you call and report a burglary, and the police are coming to investigate the burglary and they go into your home, they’ve gotten permission, at least implied permission, because I called and asked them to come check my home.
MAURICE
No, understood. Yeah, this is the police showing up and changing my locks because they’re like, those locks are no good. Anybody can break in here.
JIM
Yeah, and they give you the key back, you know. So [INAUDIBLE] of no harm. But I didn’t tell you to come in. And what else did you do while you were here?
MAURICE
Wow.
JIM
We build into our society protections. I love the police. So please don’t misunderstand me. I think they play a very valuable role, the FBI, everybody plays a really valuable role in keeping us all safe. But we do have controls on them for a reason.
And have we overstepped our bounds? Or did the FBI and the courts overstep their bounds? This is a really interesting issue. And I think we’re going to see this play out in the courts in different ways, and in Congress in different ways over the next several years.
MAURICE
Wow. Well, Jim Goepel, I don’t think we can end on a more terrifying note than that. This has been both enlightening and really fun, and you know, super educational. But I also don’t think I’m ever going to turn my computer on again. This is it. This is the last one.
JIM
This has been a lot of fun for me, Maurice. Thank you very much.
MAURICE
Drexel’s 10,000 Hour podcast is hosted by me, Maurice Baynard. Our producers are Shaun Fitzpatrick and Nathan Barrett. Drexel’s 10,000 Hours podcast is powered by Drexel University.
[MUSIC PLAYING]