92: X-Factor with Vivek Ramachandran

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: It’s on Barcode, the award winning cybersecurity podcast who has brought you insider access to cybersecurity icons, mavericks, and secret weapons, is unifying elite content with Elite consulting services. And through that synergy, we will be able to provide you with a level of service you have yet to experience. Service that includes strategic roadmapping, enemy emulation, next gen enterprise, AI, advisory data governance, and pipeline where privacy meets security.

Chris: Oh, yeah. You listened to a podcast where you heard an expert speak on a topic or challenge that you’re currently facing. Tap into our expert on demand service, where you can get specialized counsel from our roster of vetted experts. Heard a guest on a show that you want to hire for your own keynote or virtual preso? Hit us up, because we can make that happen, too. Prepare for a new look to cybersecurity guidance and expertise you undoubtedly will not find anywhere else.

Chris: When you pick up a comic book, you quickly become familiar with the story of a legendary hero, someone with unbelievable skills who saves the world and their community by overcoming adversity and leading them to victory.

Chris: Well, just like those comic book superheroes, the cybersecurity community has its own legends who have made tremendous impacts and led us to safer digital worlds. And Vivek Ramachandran is certainly one of those cybersecurity heroes. With his groundbreaking Wi Fi attack discoveries, best selling hacking books translated globally, trainings for thousands of cyberpros worldwide, and even creating the hacker comic book. Called Hackers Superheroes of the Digital Age, vivek has an X factor that sets him apart.

Chris: He is currently the founder of SquareX, a browser based cybersecurity solution. Previously, he was the founder and CEO of Pen Tester Academy, which trained thousands of cybersecurity professionals from government, fortune  companies, and small businesses in over  countries before being acquired by INE

Chris: Vivek, thanks so much for joining me today, man. To kick things off, can you tell us more about your background and what ultimately led you down the path of being a cybersecurity professional?

Vivek: Yeah, so, Chris, I was born and brought up in India, and I’m  now. Interestingly, at that time in India, there were no laptops when I was a teenager, and all of that, or even, for that matter, regular desktops and all that were also just there in a very few places so interestingly, my mother’s sister had migrated to America, and she had a son who was roughly my age. And she called up my know, one of the days and said, hey, you know what, there’s this new computer thing going on in America.

Vivek: I think you should get one for vivek because I hear this is going to be the future. So at that time, my mom had to convince my dad because literally that was four months of his pay to ship a compact presario from America to India. So it was crazy expensive. There was really no justification as to why you wanted to get it. And anyway, I got my first computer, if I remember, when I was almost  years.

Chris: So , you’re still in school at that time?

Vivek: Yeah, I was still in school, and I think I was starting to prepare for my engineering exams. And this was back then where primarily India just had like two professions. You either become an engineer or a doctor. So that’s really what everybody wanted to be because, hey, you could probably get a good job and your life would be set. And that’s how all parents tend to go ahead and nurture their kids. Good for me. I genuinely enjoyed technology and all of that pretty much at an early age. So I was never forced, even though my parents would probably have wanted me to do what I did.

Vivek: So, yeah,  st computer comes. And interestingly, back then in India, internet connections were just those old text based Internet connectivity. So if you had to get a graphics account, you literally had to pay $ a month, which was crazy.

Chris: Wow, that’s expensive.

Vivek: Yeah. This was , I think, ,  . So I still remember I was using links and Pine and all of that, the first two to three months to go ahead and surf the web and barely could figure anything out because, hey, back in those days, there wasn’t much on the web, to be frank, apart from university websites and@yahoo.com was more popular than Google, right?

Chris: Yeah.

Vivek: So kind of fast forward, I managed to get like a graphics account somehow pushed my parents and said I could learn physics online and all of that stuff, and they got me a graphics account. Fast forward . I was going to enter into engineering. I had a bit of time in my hands, and this was the time when those massive DDoS attacks happened on Yahoo. And all of that, if you kind of recall, right, like, long time back.

Vivek: And I started getting very curious because here were all these news articles that a hacker by the name of Mixter had written these DDoS tools called Tribal Flood Network, TFN, trinu and all of that. And this had basically brought down these massive websites. So I became very curious. I was like, hey, how could one person end up writing something which was used by others, which could bring down such mammoth sites, right?

Vivek: So I started googling. Somehow I managed to get access to the TFN code. I think he’d released it open source. At that point this was all pre GitHub and any source code repository era, right? Like, if you recall. So literally all you could get is forums and places where you had to go in, create accounts, dig deep. Virus signs were around, code breakers. Whatnot? So I downloaded, opened it up and it was in C. And at that point I had no clue, right, because I was just a very superficial computer user as a kid.

Vivek: So I looked at it and I said, oh, this is interesting, I should probably teach myself C programming. Yeah. And that’s really how the whole thing started, which is I started teaching myself C programming and looking at more attack tools, because somehow as a kid I was very reserved. I used to primarily spend all my time just with myself, reading books and all that. So I guess to some extent I had this whole thing about like, hey, probably I’m a nobody, right? Like no one bothers about who Vivek is and all of that.

Vivek: And I think that just got me more excited because now I could just chat with people online, post things on forums, learn, be part of a community, while in the real world I was a very shy kid who was just pretty much home all the time. And then I started getting into Virus Zines. So these were code breakers where they talked about how do you write A infector the toad virus? Then I was like, hey, what is this assembly? I absolutely don’t know what this is.

Vivek: So I started teaching myself assembly and C. And that was also the exact time that I had entered the engineering colleges.

Chris: Okay?

Vivek: So India at that point, it was pretty ruthless. So there weren’t many good colleges and they used to have these massive entrance exams. So , people would appear and there were only  seats available wow. Yeah. For the top engineering institutes right. Called the Indian Institute of Technologies. And at that point that was everybody’s Aspiration, because if you get there, you have a great peer group.

Vivek: Those days in India, best infrastructure, so you could really learn technology, the best professors and all of that. So in a way like the MIT or the Stanford of India got you. So I was lucky enough, managed to crack that exam, went into an Indian Institute of Technology. And that was the time when I go in and I ask the rest of my class and out of  people, only two other people had ever touched another computer. Think about it.

Vivek: And so I walk in and all of us go into the computer center and most of my class does not even know how to really switch on and actually start Microsoft. At that point it was Windows . If I recall, and probably . But still, most people were using Windows  and most people didn’t know the GUI and all. Which is crazy because most of the folks I studied with now are all sitting at Google and Facebook and we’re not building technology solutions.

Chris: Wow.

Vivek: But that is how bad the situation was. Anyway, I went in at the moment, I saw no one else knew, only three other guys. Of course, as a young kid, you want to keep that lead on, right? You want to make sure you are ahead of the pack. That drives you quite a bit. So I was studying electronics and communications and trying to specialize in something in computers. So at that point, to be candid, even the professors weren’t very exposed to really what was going on. Bleeding edge.

Vivek: And the third year of my engineering was when we had to hunt for internships. And most of us tried to do a foreign internship just to get some exposure. So that later if you wanted to do our masters and whatnot. And of course, none of us had the money to really fund an internship externally. Just too expensive.

Chris: And that was not funded through the school either.

Vivek: No, because the Indian Institute of Technologies are funded by the government of India. So that heavily subsidizes what you have to pay. So unbelievably, the tuition I paid for my entire engineering four years was less than $,.

Chris: Nice.

Vivek: So at that point, I just started applying to every single foreign institute that I could find. So, unbelievably, I sent out  applications. Only one guy responded, and this took me three months to apply. Right. I used to go online, search for a university, find somebody who used to do something in networking or more networking than cybersecurity, to be honest, because universities weren’t really doing cybersecurity back then. Right? Yeah.

Vivek: So I thought, that is the closest that I could get. One guy replied. And this Professor Beat Stetler from the University of Rappersville in Zurich, Switzerland. And he replied and he said, hey, I have only one position, but that is actually for someone who’s going to do wireless land security.

Chris: Really? Okay.

Vivek: Yeah. And he basically asked me, hey, do you have any experience with WiFi security? And if you do, could you please share some papers with me so I could decide whether I want to select you?

Chris: That’s crazy.

Vivek: Yeah. So it gets even more crazier. Right? So back in those days, we only had desktops and we had Lans at our university. I had never seen a laptop. And this was the time when you had those PCMCIA cards that you had to kind of put in the side slots and whatnot. But I had never seen a laptop. So I said, here’s the only opportunity I have. I went ahead like a script kitty downloaded probably some  different papers on wireless land security, read all of them, somehow ended up regurgitating my version of consolidating. It’s almost like a case study.

Vivek: Spent three sleepless nights because I had to reply to the guy and then sent him that consolidated paper. And he looked at it, and I was like, oh, this is interesting. This looks like you’ve done a very good case study. So come on know, we’d love to invite you. A fully paid internship. And I was, you know, this is crazy. I finally did. And so then I go to Zurich.

Chris: Okay, so that was an on site internship.

Vivek: Yeah, it’s an you know, we had three months of vacation, summer vacation, just like American schools back then. So three months I would actually spend in Zurich at this university working on WLAN security. I go there. So nowhere on the email the professor ever asks me if you have practical experience, because I just sent him a paper. Right? Yeah. So I’m giving you a very scenic view.

Chris: There was also probably not at that time, how many people were focused on that too? Right. In terms of practical experience, I mean, I can’t imagine anybody really had a lot of practical experience.

Vivek: Absolutely. I think this was the time when Cisco used to have their very first AeroNet access points, and companies were still deploying it unbelievably. Much of the networks were open, and yeah. And Web was considered like, strong protection, if I remember. I don’t even think WPA was there back then or probably, like, very early stages. So network administrators in banks and big institutions, they knew, oh, you could deploy this, and you had these few of the C level executives got those laptops which they could use and all that. Right. Laptops were quite expensive back then, if I recall.

Vivek: So I go there. The professor gives me a laptop, a couple of Pcmci cards on top, and I have no clue what to do with it. Right. I look at him completely blank, and that’s when he realizes that it looks like this guy probably pulled a scam on me, for what it’s worth. But anyway, then I really sit down kind of, like, work super hard, and within probably a month’s time, I probably know more about WLAN and WLAN security than most of the folks in the lab.

Vivek: I was a good programmer by then because I’d already done C and assembly and all of that for a couple of years. So what I did was I was able to write a couple of attack tools sniffers back in those days, WLAN Fuzzers and all of that, and it was a fantastic internship. At the very end, he literally gifted me that laptop. And when I came back, that super boosted my confidence. Right. Young kid from India, someone believing in you. Right. And the fact that you can do something.

Chris: Yeah, that’s such a differentiator absolutely.

Vivek: And fast forward. Once I graduate, I worked with Cisco Systems for a bit. I was a programmer again. Layer two, security all those old catalyst,  switches and all of that. But then I got my lucky break when I joined this company called Airtight Networks, which was actually building wireless intrusion detection systems interesting back in the day. So this was probably , right? I graduate, two, three years pass by, I hop a bunch of companies, and I finally find this place. And the only reason Airtight gave me that job is because I’d done the WLAN security stuff as a student.

Vivek: So when they interviewed me, I was able to answer all the WLAN specific questions very well. And they were very surprised because very few people in India back then had that kind of exposure. So I joined Airtight, and then the CTO of the company tells me, hey, Vivek, why don’t you try to break security? Because there are these big conferences like Defcon and Black Hat. No one from India has ever gone and spoken in those places.

Vivek: But you know what? If you could do something interesting, we’d be happy to sponsor you. And honestly, to be honest, Chris, I didn’t believe that I could do something right, because till then, all I would look at is these videos and PDFs from Defcon and Black Hat. People you idolize, right? If I remember, Dan Kaminsky was quite big with his TCP IP stuff and all that back then. So you would read, but you’d be like, hey, I don’t know if I could ever do this.

Vivek: Anyway, fast forward. There’s this technology called Web Cloaking, which was built to protect web. So I went ahead, built some tools, cracked it, and that’s how I got my very first Defcon main stage talk. If I remember, that was Defcon  or , which is .

Chris: Okay, wow.

Vivek: Yeah.

Chris: That’s awesome, man.

Vivek: Yeah.

Chris: And to be honest, as I began in the security field, I just remember watching security two videos, like nonstop back then when I moved from it into a level one security analyst type position. So I’d love to hear how you transitioned from the practitioner researcher side over to the entrepreneurial.

Vivek: Yeah, yeah, that’s a good point. And that’s really where Chris, what had happened was that in Airtight, I did the first Defcon talk, I discovered the Cafe Latte attack. And what was happening is other younger folks at Airtight at that point who were programmers and testers, they started coming and asking me, hey, Vivek, how do you do this? Like, how do you write this code? Right? As I said, that was the time when there was no GitHub, there was no code repository sharing and all of that. So the only real way was you had to read code, learn, try iterate and all. So, interestingly.

Vivek: I did a couple of classes within Airtight, and those were pretty good. Like, people really applauded and said, oh, you have a knack for teaching. And that was the first time someone told me that. So then over a weekend, I thought, why not just shoot some videos? And because a lot of people were hounding me in the company to teach them and I was like, I just didn’t have the time. So I thought maybe I could just shoot some videos and just have them use it.

Vivek: So I shot some videos over a weekend. I gave it to folks in the company and they said, hey, these are pretty good, maybe you should just put it online. And this was back know, here was this kid, I was still very young, based out of India. I really didn’t even know if people wanted my point of view. Right? And YouTube was just two, three years old, and YouTube was only entertainment back then. I actually created a site before SecurityTube called Securityfreak Net, and I just know a bunch of videos on Raw Socket programming and whatnot on it. And then I sent a mail to Bucktrack, if you remember those old mailing lists, which used to be there on Security Focus.

Chris: Yes.

Vivek: Which people used to subscribe to know what are the latest vulnerabilities coming in and whatnot. Right. So I put up the site, shoot a massive email. Ten minutes later somebody replies to me saying, hey, I can’t understand your accent. I was like, oh shit. And then ten minutes later someone responds saying, you sound like Apu from The Simpsons.

Chris: No.

Vivek: Yeah, no kidding. So then I was like a little disappointed, but what happened was I closed the laptop and everything and I was like, okay, let’s just head home and take a break. Clearly this is probably only for people from India or whatever.

Chris: So you were discouraged?

Vivek: Yeah, I was pretty discouraged because the first time you put something out, people come back with a very negative reaction and something so fundamental to you as your identity, which is your accent, where you’re from and all of that, which, you know, neither would you ever want to change, nor can you change. Right. So anyway, next day morning I come in. To my surprise, I also get a couple of positive comments, right? People reply to me saying, hey, this is amazing.

Vivek: I think I could use this. So then I thought to myself and I said, look, out of  people who see this, if even ten people like it, you know what? I think it’s probably worth doing it. And Chris, that’s really where my obsession with making video started. So then I said, oh, you know what, YouTube is popular, why not create security? Right? Which know, YouTube for security people at Airtight. I started putting out these videos over the weekend, late at night, SecurityTube Net just uploading it.

Chris: Were you still working full time?

Vivek: I was still working full time. Right.

Chris: So this was on the side?

Vivek: Correct.

Chris: Okay, correct. Jeez.

Vivek: And even today, I think back then I was a crazy workaholic. And of course your age supports it as well. I used to routinely do like ,  hours, pretty much just wake up, go to work, come back, start making videos. Four or  hours of sleep. And that used to be enough, right? Like, when you’re , , you feel almost immortal, for what it’s worth. Right? Yeah.

Chris: And you were putting out content, man, I remember watching it, and it was just endless great content. And at that time, nobody was doing that. Not even on YouTube?

Vivek: No, nowhere. And what happened is, Chris, at that point, as you said, you supported us. A lot of folks started supporting us, and the readership on the website grew. And by then, we were almost at , unique visitors a month, which for that time was pretty big. And then different universities sorry, different companies and government agencies around the world started emailing me. And they basically said, hey, you’re doing all of this attack training on your website.

Vivek: Could you come down and teach us? So that’s when I thought about it, and I said, look, at that time, I was still in India, and I felt like, okay, I don’t think I’m ever going to get an opportunity to do pure research. And once I spoke at Defcon, I really love breaking security. So that was when I quit my job. So this was like, I think, , when I quit my job. And I said, you know what, if I could even get a couple of trainings around the world, the exchange rate with India and currency works well.

Vivek: So which means I could probably make enough money to have an okay life, but at least I would get to do what I love, which is do research, make videos, and let’s just do this full time. So that was really a transition. Honestly, I don’t think I was ever business minded. I don’t think I ever looked at it and said, I’m going to build a business out of this. For me, I just craved that freedom that I needed so that I could be creative in the way that I wanted.

Chris: You spoke about pushing through that discouragement and that disappointment that you encountered. Would you say that that was a key takeaway that you experienced, that you think aspiring entrepreneurs in the cybersecurity field or any field really should consider and learn to do?

Vivek: Absolutely. And one of the things I would say is people always look externally for motivation. But I think what I tend to do is whenever I feel like something isn’t working or I feel a little demotivated, I go back to my own life, to past events, and remind myself of a similar time when things were really bad. But I push through and then I tell myself, you know what? You did it back then, you can do it right now.

Vivek: And I feel like that is rooted more in reality because you are your own example. And I think that is exactly how I’ve done it all my life, is I go back and say, look at a time when people were probably laughing and saying, you’re Apu from The Simpsons. If you could push through that. The first couple of trainings, which I’d taken in Europe and a couple of places I don’t want to name where when I went up and started talking, you could clearly see people were like, hey, who is this guy from India coming and teaching know within an hour, all of them probably completely converted because they knew this guy knew his shit, right? He knew what he was talking.

Vivek: He knows more than us and all of that. So I quickly figured, like, you know what? I can’t expect everything to go my way. I can’t expect the world to appreciate me from T equal to zero or minus one. But I think if I’m patient and I can just push through for some amount of time, generally that hard work and that perseverance compounds.

Chris: You know you’re capable of doing it. I mean, you basically have proven yourself in the past. In similar times. It may be a different application or a different use case, but mentally, you’ve been there before, and % of that battle is mental.

Vivek: Absolutely.

Chris: So let’s talk about VRN comics, man, I got to hear about this. So hacker superheroes of the digital age. It’s a hyper realistic hacker comic that demystifies the art and science of hacking, all in exact technical detail. So I’d love to hear the backstory of this. How did this project get started?

Vivek: Yeah, so I think post security tube, I started Pen Tester Academy, which eventually got acquired by Ine in . And so post that, I had a bit of time, and everybody at home was like, hey, you have to take a break. You haven’t taken a break in like a decade and all that. So I first told myself, I’m not going to pick up any big technical project. Let me just take a break. So at that time, my elder son came and asked me. He was like, hey, dad, what do you do?

Vivek: I pretty much just see you at home. And I was like, okay. I said he was starting to get used to using the computer and all of that. So I basically said, why don’t you go Google me? I said, I’ve been putting out a lot of work over the years. Google and come back and tell me what you found. And I was thinking, I’m probably teaching him OSINT for what it’s worth. So he comes back a day later and he basically says, oh, you’re a hacker. You’re a bad guy, and you steal from people.

Chris: Oh, no.

Vivek: Yeah. So that’s when I realized Chris is the unfortunate thing is the mainstream narrative of the word hacker has gone absolutely negative.

Chris: Yes, agreed.

Vivek: Right? And that was the time when I kind of felt like, hey, you know what? This is the industry which I so dearly love. I’m now almost  years in cybersecurity. It’s almost been like a religion for me. And I kind of felt really bad that my own son was being misled by overall mainstream media’s perception of who hackers are, what they do and all of that. So that’s when I started thinking and then it kind of hit me as well. The big problem is, if you pick up any mainstream movie Matrix, right, everybody says, oh, that’s the holy grail of Neo basically waves his hand and the digital world parts its ways and whatnot happens, right. Totally unrealistic, right? Same with Swadfish and all of that many movies, which we love, right, and that’s where I felt like the depiction of hackers and hacking was very unrealistic.

Vivek: So anyone who didn’t know about this at all would either think it is an absolute black art practiced by, of course, folks who are bad, right? And that’s really where I thought, okay, you know what, why don’t I create something and maybe in a medium which is very easy for anyone to understand, including my own kids.

Chris: Yeah, that’s genius.

Vivek: Yeah. And I look back and I basically say, like, you know what, we all go through that age group where we are going to read comic books, right? Also today we live in an age of superheroes, right, thanks to Marvel and DC and all of that. And I looked at it and said, well, you know what? There is no hacker superhero.

Chris: Yeah, right?

Vivek: So that’s when I thought I was like, okay, why not think about like a hacker vigilante story, but do it a little differently? I know that the mainstream characterization is hackers are folks who do bad things because they just want to create chaos at the very same time, this whole characterization of somebody who’s probably mentally disturbed or has something really bad going on and that’s his vengeance on the world.

Vivek: I mean, we know that people come in all shades, right? So do computer security researchers, hackers, whomsoever. But I wanted to take away all of those complexities, right, and basically say, why not have a very clean story where you basically have someone who teaches himself cybersecurity because he enjoys doing this, he loves learning about networks and how to kind of break it, purely curiosity, right?

Vivek: And then he probably shows some attacks and all of that, but very realistic. So when we talk about a WiFi attack, we really talk about how it happens. Talk about an IoT attack on a TV with a camera, then we talk about firmware analysis and all of that, right. But I wanted to strike a balance between it not becoming a lab manual where it starts to become boring. So what I did was I’ve kept the very juicy bytes of, hey, let’s look at the firmware and see if there could be vulnerabilities and some small screenshots here or there.

Vivek: But at the very end of the comic book, I actually. Have a section which is Dissecting the Hacks, where I talk about it a little bit more in detail. So, ideally, a kid could pick it up, or even somebody just cursory, kind of someone who’s probably just curious about cybersecurity could pick it up, go through it, really feel excited about how hacking happens, and if they really want to learn more could go back at the end glossary page dissecting the Hacks have a lot more info of how to begin their research into the field.

Chris: I love that, man. And you’re up to issue number four now?

Vivek: Yes, actually. So we’ve released issue number one. What I wanted to do is at least finish till issue five before I start putting the next issue out. So everybody only has issue one right now, which we put out in the next two months. We’re going to put out issue two. Just so I have a bit of a buffer. And the idea is in every issue you pick a specific technology. So the first one we picked up IoT hacking and WiFi hacking and all of that.

Vivek: The second one we are actually going to pick up online gaming and addiction and all of that stuff. And the third one is literally like crypto hacking with blockchain based attacker tracing and whatnot. So trying to pick up these diverse technologies and talk about it in a very technically engaging, but at the very same time entertaining way, that is so awesome, man.

Chris: Has Marvel contacted you yet?

Vivek: Not yet, but I really hope I can keep doing this maybe for the next decade. I mean, it is quite an endeavor, I can tell you that. I can’t draw to save my life. So I wrote the whole comic, I wrote all the dialogues, I did the storyboarding, but then I had to actually hire really good artists to go ahead, do the artwork, the coloring and all of that stuff. So I learned a lot of things, most importantly to appreciate fine arts and all of that, which as tech folks generally, most of us might not have exposure to. And all of yeah, and the artwork.

Chris: Is fantastic as well, man, I do need to tell you that. So where can people get this? Is it digital download only? Do you have printed copies for sale?

Vivek: Yeah. So what we’ve been doing is with Squarex’s help, we’ve actually been distributing printed copies in all the top conferences.

Chris: Nice.

Vivek: So at Defcon, we gave out almost , copies at the end of the month. Actually, literally, this weekend, I’m traveling to Texas. To the Texas Cyber Summit. So we are going to be giving copies there as well. So printed copies. Right now we’re just giving it out at conferences. I plan to put it up on Amazon for folks to buy as well. But the digital copy will be forever free. Ideally, I want people just to use it, consume it, but on Amazon we might eventually list it so that people could just buy it because it’s impossible for me to ship one to.

Chris: Right, yeah, absolutely, man, that would be good. So I’d like to hear about SquareX, if you don’t mind. Tell me what that is all about and what inspired you to build SquareX and really see it as a need in today’s world.

Vivek: So, Chris, good question. So I think almost said like  years in cybersecurity. The last ten years, purely teaching and training, I’ve gotten the opportunity to speak to people from all around the world, large, small enterprises, individual researchers and whatnot. And that exposure always kind of gets me thinking, is like, hey, what kind of products could really be beneficial to end users? Right?

Vivek: So once I exited Pentester Academy and I had a little bit of time post the whole comic thing and all, I started thinking about what’s wrong with existing endpoint security solutions and why are companies and individuals still getting hacked? And really I could distill it down to the following, right? If you look at the entire existing generation of cybersecurity solutions, let’s pick endpoint ones, antiviruses, antimalware, all of those.

Vivek: You will see that they work by blocking access to files and websites anytime that they find something to be suspicious. Also, unfortunately, for the last  years they’ve been working in purely probabilistic models. And what I mean by that is for the same file, norton Antivirus may say this as malware, but Microsoft Defender may say it’s okay. Right. And that’s really where most of us tend to use virus Total and all of that to just spread that file over to  different antiviruses and hope something picks it up.

Vivek: And at the very same time, imagine a regular user who’s just received a Word document. Maybe this is a job offer and legitimate job offer, right? And maybe the HR who sent the job offer got infected by malware and now maybe I’m the person receiving it. I try to open it and my antivirus ends up screaming, saying there’s malware in it. So what does the person do? He knows he can’t reach out to the HR and say, send me a clean file.

Vivek: Right. So most people, normal people, tend to disable the AV at that point and just open it up because they have to, right?

Chris: Yes.

Vivek: Your life depends on it. Your job depends on it. You’re going to do it. Also, funny enough, a lot of people are a lot more callous when it comes to their office and enterprise laptops because they’re like, hey, you know what, I don’t give a shit. This is someone else’s problem. And I’m sure you’ve had your fair share of having to inspect, clean, and image those laptops.

Chris: Oh, yeah.

Vivek: So I think the key realization was that the probabilistic model unfortunately can never work because we know that as attackers, you could always manufacture a very sharp silver bullet of sorts. Once you know what are the defense mechanisms a specific organization is running, right? So if not in antivirus, an attacker could sit for a month, two months to create maybe a malware which not in gun detect.

Vivek: Right? And this is how APts and all of that happen. But anyway, going back, this is really where the big question was hey, could we completely rethink that model and move from probabilistic security to deterministic security? Now could in the same scenario the person opens up the word file and he never has to bother about whether there is malware in it or not? Even if there is malware, he can still open it and he can never get infected.

Vivek: And that is really how SquareX started, which is SquareX wants to be productivity first by never blocking access to any file or resources, not just suspicious ones, but ones which might even have malware in them. Now, the way we kind of do this is kind of blending when a person opens a document with our cloud service. So imagine this you are on your Gmail and you’ve received a document from somebody unknown or even someone known who typically doesn’t send you that kind of document, right, with SquareX installed. And you can install it just as a simple browser extension because we wanted it to be very seamless in the user workflow.

Vivek: You could literally right click and say open in SquareX. The document right from the browser’s memory will automatically be sent to our cloud server and it gets opened in a containerized box where if it is Excel or whatever, we open it. You can just look at the document as a tab in the browser, play with it, change it, do whatever you want with it and then dispose it off once you’re done with it. So, because the document never really opens on your own computer, even if it had malware, it executes inside our container. But because these are ephemeral transient ones with completely watertight boundaries, once the job is done it’s completely destroyed.

Vivek: Right?

Chris: So it’s isolated then it’s destroyed.

Vivek: Exactly.

Chris: Nice.

Vivek: So what we’ve done is isolation solutions have been there for a while but I felt like the industry has done it wrong where they’ve always compromised on user experience. And once you compromise user experience, no user wants to use the product. Right? That’s why people hate security products so much, end users. Because anytime your security product lights up, it’s bad news gets in the way of something.

Vivek: So we engineered SquareX to delight end users. Interestingly, most of the folks who use the early version feel it’s more of a productivity tool because we give you disposable browsers, disposable file viewers, disposable emails and a bunch of other stuff and that’s the way we are building it. Now, this gives you deterministic security because you now don’t care if the file had malware, you can still open it.

Vivek: Similarly, you could visit any website, even the ones which are malicious. So imagine a SoC team who gets forwarded so many emails every day saying, should I be opening?

Chris: Right?

Vivek: And the SoC team is going to be setting up these heavy duty VMs and whatnot, try to open it up in them, see if it is safe, still not be able to figure it out with SquareX. Why do you even have to bother? Ideally you shouldn’t have to hunt whether something is malware or not. It should just open and your system should be safe. And that is the unique contrarian view that we are approaching endpoint security with.

Chris: I love that man. Now, are you focused strictly on an enterprise model or do you also offer a consumer model as well?

Vivek: Yeah, that’s a good question. So I think what we are going to do is we are going to have a completely freemium edition which will be very functional and that hopefully we would want everybody on the web to use. And in that we are going to have very interesting features like data leakage prevention. Imagine being able to catch phishing right there when something is happening and all that because ideally for anything which runs on the user’s local browser, we don’t want to charge.

Vivek: Only when you’re going to use our cloud service would you have an option to upgrade. And that way we actually feel we are going to be contributing to the overall security of the world. And actually eventually we also plan to make whatever runs on your browser open source so that others can contribute to it as well. Now, the second part is we want to do both a Prosumer, which is a professional consumer model as well as enterprise, similar to what LastPass OnePass and all of these guys do. Right? Because as an end user, you might still want to use SquareX to protect yourself and your family and as an enterprise user, you might want to go ahead and deploy this in your organization.

Vivek: So we’re going to be supporting both models?

Chris: Yeah. That’s fantastic. And it’s just so important because it’s making a positive impact on .% of humanity that uses the internet. Thank you for sharing that. So I’d like to fast forward, how do you see the future of malware evolving with AI? We’re in this pivotal moment in society. So I’m curious to hear your perspective on AI and its involvement in the future of malware and also what role will SquareX play in those impeding threats and challenges?

Vivek: Yeah, it’s a very good question, Chris. I think if you recall, there was a time where script kiddies used to wait for people to put out tools and they would just take it and start firing it. Right. I think what’s probably going to happen is as AI starts to become more and more sharp at what it does, I think AI is going to supercharge scriptkitties because imagine now that people are able to write tools and all of that which literally they try to describe and somehow manage to compile. And it works.

Vivek: Maybe works shabbily, but still works for what it’s worth. Right. And I’m very sure the advances in AI as they are kind of happening now in leaps and bounds with so much of venture money going into it and all of that, I think you’re going to see an emergence of a lot of tools completely written by AI. And this is of course going to empower people previously who had to wait for top security people to actually write those tools for them.

Chris: Yeah, good point.

Vivek: Right? So not just malware, your phishing emails aren’t going to be grammatically incorrect anymore. And eventually spear phishing is going to get even more targeted because imagine now you could automate attack tool, visiting someone’s LinkedIn page, Facebook page, their Twitter, understanding what they think about what they write about and craft a very specific phishing or targeted email attack email completely, I would say created for whatever they are talking right now. And you could now do this at scale.

Vivek: Right. Previously as Pen testers, we would have gone to all of those profiles. You know what, this is what this person is. This is the party he supports. This is what he’s interested in. Okay, you know what, now I’m going to create a mail for him. Right? But now with generative AI, you could basically have it automatically browse all of that and just say craft an email which you think this person would open, put a burning issue he’s talking about and then you’re going to attach some kind of document with a malware also created with AI.

Chris: And I think that’s the beauty of SquareX, right, is that you don’t need to significantly adjust your model.

Vivek: Exactly. And that’s really where I feel like if we still continue to hunt for what is malware, what is malicious and what isn’t, I think we are going to lose this war. Hopefully SquareX is going to go ahead and probably inspire others or hopefully push others if we start doing well, to also follow the deterministic model where no matter what, a person should be able to open documents and websites. Hey, malware, no malware. Why bother? Why bother with detection when you can never get kind of like hacked or attacked?

Vivek: Because the malware just runs in sandboxes.

Chris: Yeah. Beautiful. You mentioned before that you’ve traveled extensively, speaking at conferences, educating others during your downtime. What do you enjoy doing?

Vivek: Interestingly. I think I’ve really enjoyed the last like  years, especially the last ten. So I’ve never felt like I’ve ever worked a single day, to be very frank. I know this is a very cliche saying, a lot of people say it, but that’s exactly how life has been. But to be honest now, because I have a family, kids and all of that now, I make sure that at least my weekends, most of it is kind of dedicated to the family, make sure I go out, do other interesting things as well.

Vivek: Also gives me a reason to buy toys, which I wanted as a kid, but now I kind of forcefully have my kids have them because I’m like, hey, why don’t just buy this one? Left to me, I think what I like doing is meeting some of my good friends over dinner or lunch and just talking about things, exchanging ideas. I think I’ve always been motivated to do something, so I love meeting people who are just like that, who are motivated towards a cause no matter what it might be.

Vivek: Not necessarily entrepreneurship, but anything they feel very strongly about. They like to build stuff like yourself. You’ve been doing this podcast that takes a lot of perseverance, right. So folks like yourself, people who I genuinely feel are pushing the needle, pushing the envelope that’s really what I kind of do in my spare time, because that charges me up as well. Right?

Chris: Yeah, %. Man. And I love that. And that’s something that I really admire about you, as well. So I need to ask you this. During your travels, have you ever walked into a unique or cool bar worth mentioning?

Vivek: Yeah, actually, I rarely drink anymore. But I’ll tell you, the most interesting experience I had was when I had spoken at Black Hat Abu Dhabi. So, this was in the Middle East, and this was the time when there was a Black Hat Abu Dhabi version. I think this was  or . And black hat Abu Dhabi used to happen in the Abu Dhabi palace which is like an iconic hotel. I think back in those days, the hotel cost some two $ billion to build.

Vivek: And if you were a Black Hat Abu Dhabi speaker, they used to put you up there, which means I was there completely free of charge. So I still remember I check into the hotel, go into the room, and all of a sudden, there is a knock. And I open the door, and there’s some guy standing over there in, like, butler clothes. And I’m like, what do you need? And he’s like, I’m your personal butler. You tell me what you know. I’m in a playful mood. So I just tell him, oh, you know what you’re saying? I could order any food?

Vivek: And he was like, yeah, pretty much anything, because we support all cuisines. So I gave him a very unusual request for this very specific cuisine in India. And unbelievably, within, I think,  minutes or so, he actually got that for me. Yeah. And the rest of the trip, I started making all of these unusual requests, almost pen testing the whole butler service in the restaurant, at the hotel. But to their credit, they always got back with whatever I asked for. But that was a very unique experience.

Chris: Yeah, definitely. Man I just heard last call here. You got time for one more? Yeah, of course, if you decided to open a cybersecurity themed bar, what would the name be and what would your signature drink be?

Vivek: Think you know what, I’m mostly known for wireless, so I’d call it the Wi Fi Cafe. And of course the drink would have to be the Cafe Late Attack.

Chris: That’s perfect. Okay, so before you go vivek, can you just let our listeners know where we can connect with you online and where we can go to learn more about SquareX?

Vivek: Yeah, you could actually go to Squarex.com sqrx.com and there you can go download use the extension either a web app or you can go ahead and install it as a Chrome extension and try it know we have an extremely responsive support. You can actually tag me anywhere on social, give us recommendations of what you like, dislike, what else we could do, and the team will jump right in. So thank you so much, Chris. Really appreciate your time. This was a fantastic and very enjoyable discussion and hope to meet you in person in one of the conferences very soon.

Chris: Definitely, man. Thanks again. You take care.

Vivek: Thanks, Chris.