I've been working security and privacy for a couple decades informing everyday people of the security issues out there and tips to secure their lives. Today we release our first product to help solve these issues and improve sharing efficiency.

We know you have questions about cloud security so go ahead and ask away!

Here's the link to our kickstarter: https://www.kickstarter.com/projects/sndr/sndrblock-your-secure-elevator-to-the-cloud

Twitter proof: https://twitter.com/PrivateShaun/status/823932181563244544

Edit: Thank you all for your wonderful questions. Keep them coming, I will answer them all as soon as I can, the developers, marketing and creative folks at sndr need me to step in and help with the kickstarter stuff (and stop "playing" on reddit.) Sigh.

Edit 2: We surpassed our kickstarter goal in about 8hrs today... sndrBlock LIVES!

Edit 3: Great questions! I'm running a bit behind on answers but I'll get to them as time allows.

Comments: 276 • Responses: 50

Mafiya_chlenom_K129 karma

If a packet hits a pocket on a socket on a port,

And the bus is interrupted as a very last resort,

And the address of the memory makes your floppy disk abort,

Then does socket packet pocket have an error to report?

[Edit: This poem is not mine. It originates from Usenet back in the 80s. For more, google: Dr. Seuss on computers]


On a more serious note, what are your thoughts about MIT's Riffle?

shoonmcgregor29 karma

Thank you for that, we'll have to incorporate that style into our whitepapers soon.

I like the idea of anonymous exchange of content and communication - some people really need that and something better/faster than Tor is always a plus.

I haven't seen any group take off with it yet, perhaps there's an opportunity there.

Dosage_Of_Reality3 karma

Makes one wonder if a system could be developed that's smaller than tor (faster), all nodes controlled by a single entity (the company)(so again faster, but also increased deployability), but where a user could exchange data with that entity with proof of anonymity...

shoonmcgregor10 karma

Perhaps but that sounds like a VPN - what if that single entity is your adversary?

Octilious23 karma

How did you get into cyber security? What career path should I take from university? I am planning on going to Guelph for computer science/software engineering. Would those courses allow me to get into cyber security?

shoonmcgregor34 karma

These days there are many excellent degrees and certification paths you can take, it is a bit overwhelming. I didn't have that many options when I went through my undergrad so I took a computer engineering approach - one that mixed software and hardware study.

Most systems you'll use in practice these days are controlled strictly by software systems but there are some systems that do have hardware components that are mysterious black boxes for most people.

I recommend checking out some relevant clubs at the university as well like Cyber defense clubs and the sort. I always like the approach of learning how to breach a system in depth before you consider how to secure one.

cheerylittlebottom8420 karma

Do you have any feelings towards why so many people blindly trust their data to the cloud? I know some make an informed choice but many simply upload personal images and other data without thinking about it... any views on why that would be?

shoonmcgregor17 karma

Our research into this subject found that most people think: "I have nothing to hide... not that I could." They are also given mixed marketing messages that they do have "encryption" or they are "probably secure".

Also the appeal of a service that costs nothing (but your privacy) for a single cool/new feature is quite appealing to the masses. The more you give people the more they will take.

We don't think people are wrong for not considering this... the service should be there to protect them and treat them like a customer, not just another monthly-active-user to advertise to and scrape through all of their data. Unfortunately the only way people can see this as a threat is when it's too late.

AliceInWondermall7 karma

Throwing my 1c in here - I don't have anything of value to hack. I would be sad to see my 448 post karma and 31,034 comment karma go away. But. Like. I don't really give a shit.

If someone hacks into my Google Drive, they will find a lot of porn. A LOT OF PORN. SO MUCH PORN. I have a 2GB folder with nothing but written erotica. I have a 7GB folder full of nothing but images. I have something like 68GB of videos, or something along those lines. I have never gone back to view them after saving them. It's like digital hoarding.

And then like one Heroes of Might and Magic 3 map that I made.

You are welcome to all those things.

shoonmcgregor8 karma

You've made some google drive employee very happy

Tezot12 karma

What is your opinion on the Snowden event ?

shoonmcgregor31 karma

It's a tough call for me, personally... The fact that more people are talking about security and privacy and more companies are starting up to develop solutions to truly protect their customers is great - but it should never have gotten this bad.

We were all made so vulnerable by the tech giants and other entities capturing and correlating data on everything we do and every data breach moves us closer to a total collapse of any authenticity of the internet making our lives miserable as we try to recover from identity or financial theft, are devastated that our intimate conversations and content were leaked, or simply we have no idea what or who is real online anymore.

BarelyLegalSeagull11 karma

In a lecture titled "Cyberphobia: identity, trust, security and the internet" Edward Lucas made the argument that the internet was inherently built to not be secured. "The internet was designed by a small group of computer scientists looking for a way to share information quickly. In the last twenty years it has expanded rapidly to become a global information superhighway, available to all comers, but also wide open to those seeking invisibility. This potential for anonymity means neither privacy nor secrecy are really possible for law-abiding corporations or citizens."

Do you agree that the way the internet was built and the dramatic expansion of HOW we use it means we may never actually be secure in our Data?

shoonmcgregor17 karma

Privacy and security don't have to be just about being anonymous or invisible. The sheer number of apps, services and devices connected to the internet that have no security is staggering and the damage done after a major breach goes on for a lifetime.

I think the internet does have some fundamental flaws - the recent massive take down of major DNS servers from IoT devices was a rude reminder of that... but it's mostly the applications and services we use that have let us down. Sure, perhaps people share too much personal information online... there's not much you can do to stop that user behavior.

What you can do is protect the other huge percentage of users that want to share content with friends using public key cryptography technology we've known about for centuries (or more.) Web browsers should've had this several generations ago, social media should've had this from the very start, and every messaging/email system out there should have this built in as a default.

The common saying is "encryption is hard" - so was streaming video, tracking users across services and selling that data but that's working pretty well these days for the tech giants.

BarelyLegalSeagull3 karma

I guess my follow up would be how do you protect people from themselves?

Requiring a Password and people just use "password1", or leave themselves logged in on public computers.

Secondarily, we see major institutions get hacked because of one person who may have access to a lot of information... would there be a way to segment more data so a breach isn't universal?

shoonmcgregor10 karma

You give them sane, secure defaults.... not make them opt in

Combine passwords with 2 factor authentication (something you know + have) solves most password reuse issues. Sure, this slows things down a bit - just like the chip vs magnetic swipe card readers but the security improvement is massive.

Leaving themselves logged in on public devices - that's a tough one and would require the hardware itself to have some continued user identification - Microsoft is working this area as are others. Best advice is don't touch a public computer, however, who knows what's on there capturing keystrokes (software, hardware and gross stuff on the keyboard)

Yes - I call that an internal threat, an employee walks out the front door with tons of data or accidentally clicks something that acts like him or her on the network. In communication and content sharing services, the data should never leave the user's devices without proper and secure end to end crypto. Only the sender and recipients need access to that decrypted data, the provider does not. The beauty of that is if a rogue employee does violate some piece of paper agreement they will have an impossible task of decrypting each little chunk. For systems that do need access to customer data - encrypt in transit, encrypt at rest, use hardware key systems, segment sensitive data on different (and air gapped) networks when possible, etc.

thedanieldare10 karma

So, how does this compare to Fakeblock?

shoonmcgregor26 karma

So watery and yet there's a smack of ham to it.

PandaLifeguard4 karma

Why do all my nude selfies keep going straight to the public cloud?

shoonmcgregor6 karma

Because

nomeltian4 karma

Do you recommend Windows Defender over dedicated antiviruses such as norton or avast?

shoonmcgregor5 karma

I think windows defender is a sound product for Windows. It's updated often and it seems to rank well compared to the commercial offerings. I will say that things like Ransomware and Malware tend to not classify as viruses and that's where your real threat lives these days.

Hemlock_and_Oregano3 karma

Mr. Murphy thanks for your time and insight. What question do you wish more people would ask you regarding security?

shoonmcgregor4 karma

What can I do to protect my kids? We worry sometimes about secure data migrations, ephemeral messaging, ratchet vs. other algorithms that we tend to forget we're raising a brand new generation that is surrounded by technology and their adult lives will be far different than what we have now.

PyroFox1233 karma

How'd you start?
Are you happy with your job?
Are you paid enough? Any tips for someone interested in security?

shoonmcgregor4 karma

I started working on intelligent payphones back in the day. Towards their end of existence, payphones were actually computers inside the big metal case that held all of the logic for billing, alarms, etc. And there was a lot of consideration for the security of the payphone owner (phreaking) as well as the privacy of the phone users.

That led into my deep interest in the crypto wars in the 90s with PGP and such and so I studied computer engineering for my undergrad and graduate degrees.

The job is useful - there are how many users on the internet RIGHT NOW, how many of them are going to lose a job because of something posted, how many are going to have financial distress during the next big system breach? It's almost a never ending stream of opportunity to help real people and I love that.

Pay can be quite good depending on the area you go in. I suspect with the happenings in the United States right now, you're going to see more demand for professionals in this area.

PyroFox1232 karma

Say, what do you think about Kali?
The tools it offers and such.

shoonmcgregor6 karma

Kali is fantastic - I have a bootable usb stick on my keychain at all times

shawnbrogers3 karma

I'm sure you've had job opportunities with government agencies. Is there a specific reason you chose not to go that route? Cyber Security student here.

shoonmcgregor5 karma

I've worked both in private industry and as a contractor for certain agencies. The best part of private industry is you can talk about what you've worked on, sometimes!

No matter where you end up, you have an enormous responsibility to your user base and right now almost every industry is in need of new talent.

d0cc0m3 karma

Interesting product. What does it offer that isn't already out there? Or is it just the fact that it brings all of those features into one unified platform?

shoonmcgregor5 karma

There are a lot of apps out there, there are a lot of hard drives connected to the internet, and there are a lot of cloud services to choose from. All of these have their different limitations and security problems.

Unifying these all into one platform makes it much easier to dramatically improve your security posture and it also lets their strengths support new levels of efficient content sharing and communication.

Combining a local device and the cloud, for example - you get the speeds of local transfers so you get content off of your devices fast and your recipients get the speed of the cloud where ever they may be around the world.

Garo52 karma

What is your opinion on hardware based secret system such as AWS CloudHSM? Who do they protect against? If a government wants to get your data they can surely get the private keys from the hardware storage, right? And the security in AWS facilities surely are hard enough that no ordinary attacker could get access to your data anyways by walking in and taking a hard disk. So what's the point? Just to be compliant with some security standard?

shoonmcgregor3 karma

I really like the concept of HSM but for something that important you need to have extremely good physical security and solid knowledge of who has authenticated access.

There have been some HSM vulnerabilities where private keys could be extracted under certain scenarios but they required some level of authenticated access.

Compliance is a big piece of HSM, most normal use cases can't afford to use such an appliance. There is a movement to include HSM technologies in phones (Apple's secure enclave, for example) and this is a great use of the technology.

just_benj2 karma

What are your opinions on The Internet of Things, and how we should handle securing such networks?

Now_You_Did2 karma

How do Apple's cloud services stack up? What are they getting right or wrong?

shoonmcgregor4 karma

From a security standpoint they are working on solutions in this space and they actively market that. They are working hard to secure mobile devices. For that I'm very grateful.

Now the not so hot stuff is their cloud offerings. I would very much like to see end to end cryptography on iCloud files. iMessages does have end to end but requires a complete buy in of all apple hardware - restricting my choice on phone, tablet, and desktops AND they don't allow any competing SMS applications on their phones.

mypasswordispasswrod2 karma

What does the future of information technology and cybersecurity look like?

shoonmcgregor3 karma

In the United States: Busy

pineappleoneverythin2 karma

Hey, Shaun! Awesome to have you here. I am going to my 2nd year of computer engineering. What should I be learning so I can work with cutting edge cyber security in the future? Thanks!

shoonmcgregor2 karma

See if your university has a cyber security/defense club and learn the tools your adversaries will be using.

kcatreddit2 karma

Does this include the "hybrid cloud storage"... and who pays for it?

shoonmcgregor2 karma

The hybrid is two fold:

  • local device you buy and attach to your network (the sndrBlock)
  • cloud provider where we stick encrypted blobs - free for many users with in app upgrades so you can pay for a small temporary upgrade (we call them stamps) or subscription plans to upgrade the base storage for heavier use.

actualufo1 karma

I don't know if you're still asking question, but I was a cyber security major at a tiny community college. I feel so defeated, my professor wasn't the best and all but 3 dropped out until the very end. I stayed until the end of my computer classes, but I ended up failing.

I had to change majors, I feel so defeated. I'm looking into building computers, I like making websites, I love messing around with computers...

How do I bounce back from this? What can I do alternatively to become in the computer field?

shoonmcgregor2 karma

I'm still here, I'll answer as long as questions come in.

I know some really good software developers that don't have a formal engineering or computer science degree. The one thing they did have was curiosity and the drive to learn new things without ever giving up.

See if you can find local internships with companies that do this type of work. Even if you're not sitting down and pen testing / coding / etc you'll make good contacts, hear the conversations they have, see the resources they use - this is the real training.

By all means, get a degree if you can but don't give up. We need thinkers and doers that aren't all cut from the same cookie cutter.

crazylegs991 karma

How have the revelations of mass surveillance affected your work?

shoonmcgregor2 karma

Events like those are bittersweet just like when a massive data breach happens - it's in the news and people talk about it but it's sad that the cybersec community works so hard to protect people and there's always an element trying to subvert that work.

locotxwork1 karma

How do you find a balance between providing too many security configurations for the user? I find that when the common user is provided many options, they do not have the expertise to make the correct decision and thus end up with analysis paralysis and simply don't choose at all. Are you finding that many are pushing that choice to the 3rd party?

shoonmcgregor2 karma

I think you give them a sane and secure default configuration and enough information to choose something else if they want that option.

mg0311 karma

I'm just getting into cybersecurity and it's a very interesting topic to study, but I'm also into coding / building Apps. Would you recommend learning both at once? Or take time to just focus on one? Also, any online recommendations for studying network security?

shoonmcgregor1 karma

I think it's very important to have basic coding ability with respect to cybersecurity - you can certainly just run others' scripts and apps but knowing how to test, deconstruct existing code, and write new code will open a whole new dimension of the profession for you.

monzzter2211 karma

What do you think of distributed cloud storage and content delivery such as ipfs and swarm? Do you think these sorts of projects make file storage safer or less secure?

And what about security from the businesses that run the services we use?

shoonmcgregor2 karma

Love it - we actually tried to use IPFS with the sndr ecosystem and we may very well at some point. It turned out that large file support was really problematic.

Security from the businesses? Don't trust them with data that is not encrypted.

Qubeye1 karma

Are we paying enough attention to and, in turn, money in encryption? I've had cyber experts in the past say that hacking isn't an "if" it's a "when", so the answer isn't protection from invasive attacks, but instead should be focused on encryption.

shoonmcgregor2 karma

I think it would be hard to find someone who hasn't been hacked. Government agencies, popular social sites, retail stores, etc. all have leaked data that was stored in the clear. End to end cryptography needs to be the standard across all tools and services.

SterlingKato1 karma

How much of our personal data would be visible to an employer if we connected to their VPN using our personal wifi network?

shoonmcgregor1 karma

Well VPNs really only secure your traffic between your local network and the remote network - after you reach that remote network it can certainly monitor what you're doing

TheMetaphysics1 karma

What measures are in place to prevent corporate acquisition of privately uploaded data to personal storage 'clouds'? My concerns are that privately uploaded memories will eventually become subscription access data or privately owned/sold by the physical datacontent holders (like, I upload a photo album from my wedding and later when I'm old they charge me to access seeing it). What stops this from happening? (I will NEVER put my data into the cloud)

shoonmcgregor2 karma

Make sure the data they have is useless - encrypt everything and adopt tools and services that view you as a customer not a product.

reality_aholes1 karma

Interesting product, kind of like snapchat and Dropbox had a baby. As someone who does cyber security as well, when I see cool hardware devices such as these my worry is who is doing the updates for all of these devices. Some of the biggest problems now are coming from old network devices that get compromised and put into a botnet.

Does your product still function independently should your cloud service not work out? So far a lot of people have bought into IOT only to have their devices become useless a few years down the road.

shoonmcgregor1 karma

It's a valid concern as well and the answer is we are not going to lock down this device. It's yours and you're free to use it how you see fit.

We're dedicated to this device and this platform - our roadmap is quite long and we're looking to extend the platform capabilities with the help of the community.

Lurking_ends12-03-161 karma

Hi there! As a young criminal lawyer, I'd like to know how can I gain more knowledge in the field of cyber forensics and what courses can I join for the same?

shoonmcgregor2 karma

I think surveying the tools available would be a good first step, it will give you a user interface into a forensics area. From there you can dig in a bit deeper without the tool and learn about protocols, devices, crypto, etc.

Look for local groups that are focused on this area and hold competitions - they can be quite informative on current topics.

capnuck1 karma

I need to strip out a VIP's (VERY VIP) email address from a bunch of archived email that I have both in a live Exchange mailbox, as well as a PST file.

Suggestions on how this might be accomplished?

shoonmcgregor2 karma

Tell her to stop using email

AquaticRuins1 karma

Do you ever feel like that no matter what you do, your security measures will always fail? It seems like everything online is subject to being stolen, no matter how tight the security.

shoonmcgregor3 karma

I don't... there are certainly things out of your control unless you stay hidden in a cave all the time - things like credit card skimmers at gas stations, etc. but you build up a defense around that (don't use a debit card, use a credit card instead, etc.)

The same is true with information stored online - put a defense around it (encrypt it) and make it part of your workflow or adopt tools and services that do it for you.

Sweganator1 karma

What do you think of BlackBerry phones? Are they actually secure in the way that they are advertised and presented?

shoonmcgregor2 karma

I think it's interesting the work that Samsung and Blackberry have done to secure Android. The Android landscape as a whole is very challenging, one phone might be really secure and the next one may have malware calling back home - wherever that might be.

In terms of evaluating Blackberry's claims, I have not. Samsung Knox has shown to be a very good security complement to Android however.

TheD1ceMan1 karma

Hi Shaun. I am a little bit late to the party, but what's your take on bitcoin? If you have an opinion on it, where do you think it's headed?

shoonmcgregor2 karma

I'm excited about some of the new cryptocurrencies that are tied to resources - renting out unused storage, etc.

MJDeebiss1 karma

sndrBlock is pretty weird shorthand for Sandra Bullock, star of The Net!

Anyways, when doing some security measures, do you come to a point where you have to think "Am I punishing innocent people for the few bad eggs?". As in, do you think some security things SHOULD be left alone and rely on the person being smart enough instead of making all these loops to safeguard everyone that some of us might find annoying? I'm not talking about safe encryption that should just be there, but things like a ton of extra verifications, DRM-like examples, or even that chip in cards now (which I find very annoying and useless as compared to swiping). Is there a point where cyber security in that regard is too much?

shoonmcgregor2 karma

press ctrl+shift and click the pi symbol

I never think of security problems in terms of "smartness" of a user. A lot of security problems are apps and services that simply have horrible defaults. Also consider that someone's lack of security could end up hurting you - even though you're an expert at keeping your stuff secure.

Anyways there are certain things that just don't work - magnetic swipes are trivial to scan, duplicate, and caused tremendous financial damage over the past several decades. The chip and pin (signature here in the US) is substantially slower. Newer mobile options such as Apple Pay and Android pay are incredibly fast and even stronger.

nikooo7771 karma

Hey!

At our startup we are building a cloud based service where we will be hosting data of any kind, we have put a lot of time in it to make it as secure as possible, what is the best advice you'd give us before going live?

shoonmcgregor2 karma

Take a look at the OWASP cheatsheets, for this stage it might be the best thing you can do

https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series

plegobuilder1 karma

A cyber security project won our national science competition recently, I've seen some people dismissing it as useless.

Any thoughts?

http://btyoungscientist.com/5th-year-dublin-student-shane-curran-announced-winner-53rd-bt-young-scientist-technology-exhibition/

shoonmcgregor4 karma

I think that young man has quite the future ahead of him. I'm a big supporter of STEM (plus Art) initiatives like this program, I'm glad to see young women and men working on new (and sometimes incredible) things!

As far as the usefulness - I'd have to review the paper

mattkin221 karma

Hi there!

I work for a cloud computing startup; we are currently beta testing our cloud platform.

What is a big mistake you see cloud providers make when it comes to cloud security? What should we focus on and make a priority?

We have a security consult coming in this week to evaluate our systems in person, but I'd love your take on things and any advice you may have.

Thanks for your time!

shoonmcgregor2 karma

I would say, take a look at the free OWASP documents before the consultant comes in, you might spot some biggies you can address before paying $$

https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series

Cekuro1 karma

Hi Shaun,

I'm a network engineer that's been transitioning into a security role for the past year. I still feel like my knowledge is very shallow, I know it'll be like this for a while until I gain some real world experience but what can I do to help in the meantime? Do you recommend any literature or security-focused site that can help me become more aware of the current state of affairs?

shoonmcgregor2 karma

It's very quick to set up virtual machines with older / unpatched guests and then hitting them hard with pentesting tools - metasploit, etc. It shows the adversary's viewpoint which is essential to protecting against them.

For current material I really like Schneier On Security, Krebs On Security, SANS and of course reddit/hackernews

ThreesomeKingJames1 karma

Hey Shaun! Thanks for taking the time to answer our questions.

You mentioned in a post above to look into cyber defense clubs at your university to get started in this field.

Question: What other ways are there to learn and bolster your resume for a cyber security position? What is your opinion on certifications (CISSP, CCSP, CEH, OSCP)? Are they valuable to employers?

Thanks again!

shoonmcgregor1 karma

All employers will be different - look at the area that you really enjoy. Startups may not care too much about these but big business will.

goofball_jones1 karma

So, can sndrblock be a more secure replacement for services such as Dropbox/Google Drive/OneDrive and other cloud storage?

I mean, if I lose ALL of my hardware...everything. Will I be able to just go out and get a new computer and access all my data again? Or is this more of a local storage thing with cloud-ish features?

Does it have an https interface at all? Or does it need to run on the OS as an application? For instance, guest login from a Chromebook to access my files on the fly?

shoonmcgregor2 karma

Yes and it's more than just storage.

Yes you will be able to replace all of your hardware with the secure default configuration of the sndrBlock. If you lose just one device, use another device on your account (tablet/desktop) to remotely revoke and logout that lost device. If you lose absolutely all of your devices, you can restore your access using a few methods we've developed to securely back up your keypair (we never will have it.)

It's a local cache - it only is storing what you're working on now, things you're uploading and things people recently sent to you. You can grow that cache by plugging in a fast storage in the back but it's not necessary. You can use the cloud to stash files or you can choose to only keep things local.

The system is configured and used via an app - web browsers are just not set up for end to end cryptography.

We do run on Chromebooks that can run Android apps - we also have an "Arc Welded" version for other chromebooks that do not run Android apps.

siblbombs1 karma

Hey Shaun,

What will the support lifetime look like for this device? Even if feature support eventually ends for this specific hardware, security support will hopefully continue otherwise there is risk of compromising user data.

We've seen enough examples of bad connected devices making it to consumers for years, hopefully we can get some good examples as well!

shoonmcgregor1 karma

Our entire platform is built around user security and the hardware device lives on top of that. The platform is, at its core, secure from us - no one inside this company can read or modify your original content since it leaves your device end to end encrypted.

SG14_961 karma

Is it a good idea to build my own general storage and email server at my house instead of using gmail?

shoonmcgregor1 karma

I think it's great to experiment with these but email is somewhat of a mess - the big email servers generally don't trust email servers you run at home. Having your own home storage is great though, just make sure you have a backup plan

Itsprobablysarcasm1 karma

Dude - your KickStarter only ships to the USA? Why no love for Canada?!

shoonmcgregor2 karma

We're looking into it, we didn't know how to estimate out of US shipping rates, kickstarter just has a static field for that - we'll eat the cost in the US but international might get costly

goofball_jones1 karma

What are your security habits for normal computing? What computer/OS do you usually run? Phone? Programs and apps?

shoonmcgregor2 karma

I run and test everything. For daily driving I use linux mint but I also extensively test on OSX and Windows 10. Phone - I use samsung android devices for the Knox capability, tablets I switch between iPad and the samsung tabs.

Programs and apps - things that are cross platform mostly. I'll run multiple web browsers per system depending on what I'm connecting to.

VafanSnusmumriken1 karma

I want my NAS to be encrypted but being able to decrypt the filesystem on boot if it's connected to my AD domain. How should I implement this?

Send a "hey give me the decrypt-password!" to the domain controller encrypted with the DC's public key and then reply with a message encrypted with the file server public key?

shoonmcgregor1 karma

What type of NAS do you have? This might be the job for an HSM

JeffJerseyCow1 karma

I am generally concerned when hardware is introduced as a "security" mechanism so here are my questions to that end.

What type of cryptographic algorithm do you use? Do you utilise a TPM for storing the encryption/decryption keys/key generation? Do you use a statically loaded key/is it identical in every device? Are you planning to go through any type of common criteria approvals process or will you rely on consumer trust?

shoonmcgregor1 karma

The e2e security is part of the app ecosystem, the hardware device works with the app.

Our first cipher suite:

Asymmetric - ECC safe curve with keylen 255

Symmetric - AES 256 CTR

Hashing - SHA2

HMAC - HMAC-SHA256

We do not use TPM. We have 2 keypairs - one for the user keypair and one unique per device that is used for device to device/server authentication and peer to peer asymmetric operations. The user keyPair does not exist on disk on the hardware device, it is transferred over the device to device encrypted link only when needed (when you're remotely commanding it or using it as a LAN accelerator to send/stash)

Yes we have gone through 2 audits so far and our development timeline has a final report audit for system and local items.
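
The cipher suite listed in the answer above, wired into an encrypt-then-MAC exchange as an added example (not part of the original thread and not sndr's code). It assumes X25519 for the "ECC safe curve with keylen 255", HKDF-SHA256 for key derivation, and the function names used here; the answer states none of these.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: X25519 stands in for the unnamed 255-bit safe curve.
function newKeyPair() {
  return crypto.generateKeyPairSync('x25519');
}

// ECDH shared secret -> independent encryption and MAC keys.
// ASSUMPTION: HKDF-SHA256 is the KDF; the info label is made up for this example.
function deriveKeys(myPrivate, theirPublic, salt) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  const okm = Buffer.from(
    crypto.hkdfSync('sha256', shared, salt, Buffer.from('example-e2e-v1'), 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64) };
}

// HMAC-SHA256 over everything the recipient will act on (salt, IV, ciphertext).
function computeTag(macKey, salt, iv, ciphertext) {
  return crypto.createHmac('sha256', macKey)
    .update(salt).update(iv).update(ciphertext).digest();
}

// Sender side: AES-256-CTR for confidentiality, then the MAC for integrity.
function seal(senderPrivate, recipientPublic, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16); // fresh per message: CTR must never reuse key+IV
  const { encKey, macKey } = deriveKeys(senderPrivate, recipientPublic, salt);
  const cipher = crypto.createCipheriv('aes-256-ctr', encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { salt, iv, ciphertext, tag: computeTag(macKey, salt, iv, ciphertext) };
}

// Recipient side: verify the tag first; decrypt only if it matches.
function unseal(recipientPrivate, senderPublic, msg) {
  if (msg.salt.length !== 16 || msg.iv.length !== 16) return null;
  const { encKey, macKey } = deriveKeys(recipientPrivate, senderPublic, msg.salt);
  const expected = computeTag(macKey, msg.salt, msg.iv, msg.ciphertext);
  if (msg.tag.length !== expected.length ||
      !crypto.timingSafeEqual(msg.tag, expected)) {
    return null; // modified in storage or transit, or wrong keys
  }
  const decipher = crypto.createDecipheriv('aes-256-ctr', encKey, msg.iv);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Why the suite pairs a MAC with CTR: CTR alone decrypts modified ciphertext
// without complaint, and a flipped ciphertext bit flips the same plaintext bit.
function ctrBitFlip() {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(16);
  const enc = crypto.createCipheriv('aes-256-ctr', key, iv);
  const ct = Buffer.concat([enc.update('PAY 100'), enc.final()]); // constructed sample
  ct[4] ^= 0x31 ^ 0x39; // '1' xor '9', applied to the stored blob
  const dec = crypto.createDecipheriv('aes-256-ctr', key, iv);
  return Buffer.concat([dec.update(ct), dec.final()]).toString();
}

function demo() {
  const alice = newKeyPair();
  const bob = newKeyPair();
  const other = newKeyPair(); // stands in for the storage provider or any third party
  const sealed = seal(alice.privateKey, bob.publicKey,
    Buffer.from('constructed sample message'));
  const tampered = { ...sealed, ciphertext: Buffer.from(sealed.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // one bit changed in the stored blob
  return {
    roundTrip: unseal(bob.privateKey, alice.publicKey, sealed).toString(),
    tampered: unseal(bob.privateKey, alice.publicKey, tampered),
    wrongKey: unseal(other.privateKey, alice.publicKey, sealed),
  };
}

console.log(demo(), ctrBitFlip());
```
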

heybex0 karma

Confused about net neutrality. Isn't network throttling just ISPs responding to market demand? Shouldn't they be allowed to charge a higher price in order to meet demand?

shoonmcgregor12 karma

Every day we use our smart phones, tablets, and other devices to try out new apps and services that just might make our lives better - it's terrifying to think that that innovation will be destroyed because the startups of the world are throttled down because they can't pay for faster access or we're stuck with the existing services with all their limitations because they simply have the most money.

It's also an insult to the US taxpayers that spent so much money building up this infrastructure only to get horrible upload speeds with the threat of even worse access in the upcoming year because they have almost no choice on ISPs.