03. The Top 3… “Dumbest Things Your Employees Do with Email” That are Worse Than Hillary’s Blackberry Exchange Server.
Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.
Transcript
Speaker 0 | 00:01.764
Hey everyone, this is Phil Howard here and welcome to another thought-provoking, business-producing episode here on Telecom Radio 1. Today, we’re very fortunate. We’ve got Dave Baggett from Inky. And Dave, you know, just a little bit of backstory here, because I always like to start with a story. We don’t want people just listening to technology stuff all day, but tell me a little bit about yourself, where you came from, and I want the craziest story, the first thing that comes to mind that’s… PG-rated, that comes from the past?
Speaker 1 | 00:34.605
All right. Well, I got some good ones. I’ll try to keep them at least PG-13. So I’ve been in software since I was a little kid. I literally grew up in the disco era, and my dad was an electrical engineer working for the government, and he bought this computer kit, like build your own computer from parts. And not like put-the-video-card-in parts, like this is soldering components onto the motherboard kind of parts. And so he did this six-month project where he assembled this computer, you know, and I’m like seven years old and I helped him. He would say, like, get this resistor with these colors out of the box and give it to me, and then he’d solder it in. This thing was like a six-month project, and I was just amazed when he turned this thing on. It actually worked. I was like, this is amazing. I didn’t think this thing would ever do anything. This is crazy. But so, you know, we had a computer in 1977. And he likes to say that moment when he turned it on was the last time he ever touched that computer because basically I monopolized it. He actually built it for my mom because my mom’s a freelance writer. And back then, the idea that you could make edits on the screen and not retype your whole manuscript was like super science fiction, far out. So she used this thing to write her books. But back in the day, I mean, this is like CRT, no color, you know, 80 columns of text was a big deal. I think the machine had 64K of RAM. It had the same CPU as Pac-Man. I mean, this is really old school. And so she would write her articles on there. And from the beginning, I sort of tried to learn to program, you know, reading Byte Magazine and stuff like that. There weren’t really, well, there was no Google or internet, so you couldn’t look stuff up online. You kind of had these paper listings you’d have to type in and figure out how to make them work.
So I would write software for her that would do things like double-space the manuscript or put a header or footer on the pages, like super advanced for the time. And one thing that came up recently was we found in my parents’ basement a box which had the original manuals that I had made for this software, which, remember, she’s the only person who ever bought it, right? I mean, so like she paid me ten dollars for this software, but I made a manual. Like, here’s your user manual. And if you have any trouble, contact support. And I put my phone number, which, of course, was her phone number because I lived at home because I was, you know, nine. That’s awesome. So I’ve at least been pretending to do software sales since I was a little kid, and sort of just got really into doing game programming like a lot of kids at that time, you know, because you couldn’t just go and buy a game. You know, there were games, but they were pretty primitive. So you could kind of make your own games that were similar in graphics and quality to the real ones. So it wasn’t like now where you have to have 500 guys to make a triple-A game. You could kind of make your own little games yourself. So I did a lot of that and then ultimately went into computer science for real at the University of Maryland. Graduated from there and went to the artificial intelligence lab at MIT, where I met these two guys, Andy and Jason, who had been doing games since, like, they met in Hebrew school in seventh grade, and selling them. And so, long story short, I left MIT with a master’s and went to become first employee at this company called Naughty Dog, which nobody had heard of. And now it’s kind of like the premier game studio in the world. And we worked on this game, which was at that time called Willy the Wombat, ultimately became Crash Bandicoot, which is kind of the Sony PlayStation mascot game. 
And the funniest, at least PG, story from Naughty Dog is we moved out to LA because we had a deal with Universal Studios. Universal Studios, the studio, really wanted to get into what they called at the time interactive, which basically meant games. So they set up a division. They had a really impressive guy who had been at Atari named Skip Paul set up this division called UIS, or Universal Interactive Studios. And we were one of the first developers they brought in. And the way it works is, you know, the studio gives you a big pile of money. In that case, it was like a million dollars, and you make the game. And if you sell enough copies to earn back the million dollars, then you start making a royalty. So fortunately with Crash, it sold so much, because Sony picked it up as their game and published it, we made a lot of money on the royalties. But one of the things is, because it was at Universal Studios, they gave us space on the back lot. So we were in Steven Spielberg’s bungalow. Nice. Literally in Spielberg’s bungalow. And in fact, one of the funny things was one of the first artists that Andy and Jason hired, Taylor Kurosaki, was working on the Dalek model for the U.S. version of Doctor Who, which nobody even remembers now, but there was a time in like 1994 when the BBC and Universal were trying to bring Doctor Who to America. And so they had all this, you know, artwork and collateral done for this U.S. version of Doctor Who, which never got made. And so we met Taylor and hired him away from making Doctor Who Dalek models to work on our models for Crash. But the funny thing is that, of course, on the back lot, you know, this is like the studio back lot. We’re right on the theme park. So like literally when our parents would come visit or whatever, we would just sneak onto the E.T. ride and like go on all the rides for free. And they had these little trams that would take people around on tours, and they would sort of, you know, just make stuff up. 
Like basically the owner of the company, Jason, one of the two guys, the reason the company is called Naughty Dog is because he had a dog named Morgan and he’d walk Morgan around. And the guys on the tram would say, do you recognize that dog? You should. That’s the dog from, you know, he’d make up some show. It’s like a total lie. And all the people on the tram would go, oh, it’s the famous dog from whatever, you know, Lassie 4. So that was funny. And then the other hilarious story about that is, so on the back lot, you don’t have cars, right? Like you drive to work and you park in the garage, but then to get around the back lot, you’re pretty much taking golf carts. And so Jason and one of our other guys, Justin, who was assistant man, they were always trying to figure out how to make the golf cart go faster because it had a limiter where basically you can only go like 25 miles an hour. Governor, exactly.
Speaker 0 | 07:02.880
I’ve got a governor story for another day.
Speaker 1 | 07:04.721
I don’t know.
Speaker 0 | 07:07.022
I was going to say, there’s a lot of governor stories out there.
Speaker 1 | 07:09.903
One of the two, Jason and Justin, this is a good one, because one of the two of them figured out the governor only works if you’re going forwards. You could go as fast as you want in reverse. So basically they ended up coming back from one of these, you know, golf cart runs where they had gone like 70 miles an hour down the hill and flipped the golf cart, killed themselves. And they also lost one in the Parting of the Red Sea ride. They tried to drive the cart through there and it got flooded, and they had to get a crane to pull the cart out.
Speaker 0 | 07:42.154
Oh wow.
Speaker 1 | 07:43.075
Universal did not like us.
Speaker 0 | 07:44.836
So we’ve got to go from that. We’ve got to go from this to email. I mean, really, how do you go from that to email?
Speaker 1 | 07:54.773
You know, it’s weird. Like, I’ve always been interested in hard technical problems. So I did two of the games. You know, I was basically, along with Andy, who’s one of the other founders of Naughty Dog, the two of us wrote all the code for the first game. And then we had two more programmers that helped us on the second one. And so I worked on the first two games and then made a big shift out of games and worked on this other startup called ITA, which was kind of like Google of airfare. You know, we would compute the airfare prices for, you want to go from, you know, Boston to LA, here’s the prices and here’s a thousand options. And we wrote a full system to do that. And, you know, the first customer for that was Orbitz. So people remember Orbitz and Kayak and those guys, they sort of used our search behind the scenes and put a nice website on it. And then we also did a bunch of the airline websites. And so the transition from games to travel search seems totally bizarre if you don’t know how programming works, but, you know, in some ways, it kind of doesn’t matter what the domain is. An interesting problem is an interesting problem. There are lots of really hard problems that we had to work on to make Crash look as good as it did on that era of hardware. And then likewise, you know, making the travel search work, it was sort of when the idea of using a big pile of PCs in racks to do a computation instead of a giant mainframe, that was like a new exciting idea. So Google was doing it, we were doing it, some others were doing it. And so we had to solve a bunch of these challenges. And people don’t remember, but the hardware then was a lot slower and more primitive than what we have now. So it was a challenge to fit a difficult computation like rendering the world of Crash on a PlayStation 1 or computing a billion airfare prices on a PC that fits in a rack.
Speaker 0 | 09:43.979
I would imagine.
Speaker 1 | 09:45.021
To email, basically email is very similar in some ways to travel in that there’s just a tremendous amount of accreted complexity in the industry. I mean, if you think about the airlines, they’re one of the first to adopt networking and computerization and databases, right? They were doing this stuff in the early 60s. And one of the challenges, though, is when you’re an early adopter, then 40 years later, you’re stuck with a huge mess because people have just added on crap for 40 years and it’s never really been rationalized. So being an early adopter, you usually get penalized later. And indeed the airlines had created this mountain of complexity. It’s almost impossible. I mean, I remember reading a study by IATA, which is the International Air Transport Association. They’re like the umbrella group for all the airlines in the world. They did a study, what would it cost to add a digit to flight numbers? So instead of having four-digit flight numbers, they wanted to have five-digit flight numbers because they were running out of flight numbers. They came back with an estimate of a billion dollars. So they basically did an 18-month study and assessed that the cost to add a single digit to flight numbers across all the systems would be a billion dollars. And that’s why there’s still only four flight digits, because they didn’t do it. And you can imagine all this complexity around things that people know intuitively, like Saturday stay-over, right? Or, you know, advance purchase, all that stuff’s embodied in a bunch of rules that have accreted over time. And email is kind of similar, right? I mean, email dates back to 1971, believe it or not. Email is so old that, in fact, the idea of HTML was a really, really recent feature added to email. Like email used to only be plain text. The whole idea of having HTML and attachments and stuff, like all that was a grafted-on bunch of stuff that happened in the 80s and 90s, especially the 90s. 
And so, you know, the idea that you can accrete all this complexity, then somebody’s got to come along later and sort of unwind it all and rationalize it all. And what really struck me about email was twofold. Number one, it’s kind of a mess from a usability standpoint. So we put a lot of effort into making the search work better and things like that. But also from a security standpoint, I mean, the internet in 1971, there was no remote consideration of security. It wasn’t even something that was on anybody’s minds. And so the email system, it has various hallmarks of being developed in that time in that it’s just completely and grossly insecure. An example is if you have a connection to a mail server and you’re allowed to send mail on that mail server, you can just put whatever you want in the From line. Pretty much. You can just say, I’m the president of the United States. I’m WhiteHouse.gov. President of WhiteHouse.gov. Send it. And that’s the way it’s always been. And so things like we’re working on now at Inky, protecting against phishing, these are things that are just latent problems that have been around for a very long time because email was never designed to be secure. And so we’re retrofitting security features on top of it. And there’s all kinds of stuff like, you know, encryption’s been retrofitted on, and digital signatures and attachments and HTML. And so in some ways, the crazy domain complexity is similar for email as it is for travel, travel search, even though they’re totally different domains. Right.
Speaker 0 | 13:13.555
So let’s give our, just to pause for a second, let’s give our general listeners, our laymen, our lay folk like ourselves, okay? Like, I’m the guy that would send that email with the president’s name in the From line. I may have even done that. Yep, yep. And I wanted to title this episode “The Three Dumbest Things Employees Do with Email That Are Worse Than a Hillary Clinton Exchange Server.” That was what I was going to title this, and I may still title this episode that. But, yeah, exactly, for the general lay folk, what does Inky do? Why should they have you?
Speaker 1 | 13:54.740
Yeah, so it’s a really good question. There’s so much crap and snake oil in the cybersecurity world now that I’m always really happy to answer that, because I actually have a real answer, unlike 99% of the vendors out there. So if you look at phishing, right, it’s basically two kinds of attacks. And by the way, phishing, email-based phishing, is like the most effective cyber attack there is right now. It costs nothing. It takes one sucker to fall for an email and you got them. It’s the perfect way to deliver malware. It’s the perfect way to perpetrate wire fraud. And it’s the perfect way to get, you know, identity theft, like people’s W-2s, right? So what are these people doing now? So what they basically do is, number one, they’ll try to impersonate somebody in your company. So they’ll send a mail, they’ll change the From line, and they’ll say, oh, I’m actually, you know, your CFO. And I’m going golfing. And sometimes they’ll even look at the social media profile of the person so they can say, you know, I’ll be at the Hamptons with Sally and the kids. So I won’t be able to do this wire. So get the wire out today and don’t bother me. So they make a very convincing-looking message that’s forged, impersonating someone inside the company, asking you to do something, and then, because you don’t want to get in trouble with the CFO, you go do it. And it turns out, well, that money actually got wired to an organized crime account and it’s gone. So that’s sort of case one. Very, very effective. That’s called spear phishing. And case two is where you get an email that looks a lot like DocuSign or a Google mail, and it says, oh, you better log in because you got to change your password or something. So you go and then log in, and it turns out you didn’t just log in to DocuSign, you logged into some attacker’s site, and guess what? Now the attacker knows your credentials and can log in as you to DocuSign, right? Or your bank. 
And so that’s what we think of as brand impersonation. So case one is sort of impersonating an individual, and case two is a brand impersonation. And what we’re doing at Inky is we have specific countermeasures to stop both of those cases. In the first case, we basically can tell by analyzing the mail whether it really came from your mail server. And so if it didn’t come from your mail server and it says it’s from somebody in your company, that’s a red flag, right? So we put a big red warning up and say, hey, this is an attempt to impersonate somebody internally. And we can black-hole the mail, or however people want to do it from the IT security standpoint. But the point is we can identify which mails are these impersonations. Brand impersonation, case two, is more interesting from a technical standpoint because what you’re really trying to figure out is what brand is this mail trying to look like? And so if you get a real DocuSign mail, then the program should say it’s trying to look like DocuSign, right? Because it is from DocuSign. So that’s sort of question one, what brand is it trying to look like? And then question two is, okay, well, it’s trying to look like that brand. Is it from a valid mail server for that brand? And so we can use cryptography to answer the second question. The first question is harder, though, because we’re trying to look at a mail with a program kind of like a person would. And what the attackers are now doing is they’re making the visual cues essentially invisible. So in the same way that Facebook looks at an image and says, do you want to tag that, your mom? Because we think it’s your mom. They have machine learning models that do that. We have a similar kind of system that does that with imagery in HTML messages. And it can tell with 99-plus percent accuracy, gee, that sure looks like the brand imagery from DocuSign, you know, or Bank of America or whoever. And so what’s different about us is we’re able to catch these really nasty new waves of attacks where you can scrutinize the mail very carefully and still miss the fact that it’s a forgery. And so the program’s able to look at the mail like a human but without getting tired, you know, without missing any tiny detail. And I can give you some examples of these subtle details. They’re really, really clever on the part of the attackers. So really, we’re the only ones doing this kind of machine learning based stuff.
Speaker 0 | 17:56.389
So what’s the worst thing that you’ve seen? I guess what’s the worst thing that you’ve seen? And obviously, that’s what you help prevent. But can you give me like a, I don’t know, a testimonial or some kind of story or maybe horror story that would, you know, potentially get someone fired?
Speaker 1 | 18:14.564
Yeah, well, I have some examples of really eye-opening attacks that make people say, oh my God, they can do that. And then I know horror stories from the industry of, you know, there’s been an incident where a $30 million wire went out that was fraudulent. The money was just lost. The CFO was fired. You know, that’s a pretty bad one. I mean, I like to say $30 million would buy a lot of software.
Speaker 0 | 18:38.714
What about the general one that you’ve seen?
Speaker 1 | 18:41.075
It ain’t gonna be $30 million to buy our software.
Speaker 0 | 18:43.604
Yeah, but what’s the typical…
Speaker 1 | 18:44.984
Another example that people talk about.
Speaker 0 | 18:47.766
I mean, I just want like just one, just be one example of the typical everyday, it doesn’t need to be $30 million, it could be, you know, half a million dollars or even $100,000 or even $20,000 would be, I think, a fireable offense.
Speaker 1 | 19:03.415
Yeah, I mean, most commonly now we’re seeing the attackers either go lower on the amounts. So we’ll see lots of attempts to wire $1,000, and they’ll make a random number like, oh, it’s $1,532.18, right? So it looks believable. It’s a small amount. It’s below some threshold that requires extra checks. And sometimes we’ll see that being a widespread attack. They’ll do lots of those little ones, or we’ll see they’ll do one of those little ones as a probe. So I was just meeting with a customer the other day where they got a probe transaction that was something like $1,000, which they caught. And then they subsequently got one that was, you know, a million and a half dollars. So the attacker clearly was sort of probing with the small value and then trying to get the big whale amount secondarily. The other one we hear a lot about is W-2s. So there are guys out there who really want to get detailed information that they can use for identity theft. And so there are famous examples where somebody says, hey, I need the W-2s for all the employees. And then the recipient thinks it’s really that person and sends them 18,000 W-2s, which then are now in some, you know, some database somewhere on the dark web. I mean, this stuff’s happening all the time. If you look at FBI stats on this, this is literally a billion dollars a year. This is costing US companies in just the wire fraud alone. So, I mean, it’s incredibly pervasive because it’s easy and cheap, right? And it’s easy to get caught up by one of these. You know, in terms of examples, my favorite example that I show people is there was an attacker who registered a domain that looks exactly like bankofamerica.com, except what they did was they replaced the M in America with RN, the letters R and N, which seems weird at first. But then if you look at that domain, bank of Arnerica, in most fonts on most computers, the way the ligatures work, that R and N look exactly like an M. 
And so literally I show this example mail, which is a perfect copy of a Bank of America mail, exactly the same HTML. We catch it because we see the logo imagery. And I show this to somebody and say, what’s wrong with this link? And even though they know something’s wrong with the link, they still can’t tell that the M has been replaced by R and N. And that doesn’t require some even more sophisticated stuff. Sometimes they’ll replace one particular kind of E, like a Latin E in Google.com. They’ll replace it with a Cyrillic E, you know, the Russian alphabet. And usually those look really similar and hard to detect, but you have to use funny domain names. You know, this Bank of America example is kind of like, you don’t even have to use any weird letters. You don’t have to use funny Unicode tricks. You could just, you know, replace an M with an R and an N. Another one is going to replace D with CL. In a lot of fonts, the C and L next to each other look a lot like a lowercase d. And so I show these to people and they’re like, oh my God, this is like a whole new world for me. I realize now we’re so doomed. And I’m like, well, you’re not, because actually we catch all that stuff. Right? So the good news is we catch it. Bad news is, yeah, these guys are getting really sophisticated.
Speaker 0 | 22:08.833
So what’s your role over at Inky? Just so people know.
Speaker 1 | 22:15.219
I’m the founder. Um, and I work a lot on, yeah, I work a lot on the sales. I mean, I’ve had a lot of influence on the technology. I’m not, I’m not a programmer on the project anymore. Founder and, like, chief sales guy.
Speaker 0 | 22:29.110
Okay. Or if someone wants this product, how do they get it? What is it? Is it only an Office 365 product, or how does it work? How can they get it?
Speaker 1 | 22:43.142
Yeah. So, I mean, you know, it’s very easy to sign up for this because we use this mechanism called add-ins, which Microsoft added a few years ago. So as long as you’ve got a relatively recent Exchange, now that’s certainly Office 365, but it also includes hosted Exchange 2013 and so on. As long as you got one of those, it’s super easy. We’ll charge you $3.50 a user a month for each user, and you basically add this little URL into the admin panel of Exchange. And then the Inky icon, which is a little octopus, shows up in everybody’s Outlook. And then when they have that thing open, it’ll analyze their mail in real time and tell them, you know, either this looks good and here’s information that we were able to verify about the sender. It’s really DocuSign or whoever. Or it’ll say red flag, orange flag, pay really close attention to this. Or in some cases, it can be configured just to black-hole the mail. If the mail is bad enough, then it can just never deliver it.
Speaker 0 | 23:46.261
Now, and then is there like some sort of, is there like a quarantine or something like that?
Speaker 1 | 23:52.543
So you can set it up to quarantine the mail or black-hole it. You know, we have all kinds of mechanisms that let the IT guys control the policy of how these mails that appear to be malicious are handled, whether or not they get delivered at all. And then, you know, how much information we present to the user, and all that stuff is then tracked in an analytics system. So then the security…
Speaker 0 | 24:16.227
There’s a portal, there’s actually sort of a portal or GUI for an IT admin or, say, a partner. Now, obviously through CNSG, you know, if anyone wants to purchase this, they can certainly go to thehowardstrategy.com or they can email me, Phil at Phil Howard sales. Certainly all my agents can resell it. Any of the agency world can resell this product, and you can come to me and we have a nice little special discount for you too. If you’re listening to this episode, just use coupon code telecom radio one. What about Google Docs? Anything there, anything with Google Docs, or do they have to have Exchange?
Speaker 1 | 24:55.744
Yeah, it works with Gmail also. So we have a version that works with Gmail and G Suite and works as a Chrome extension. So you basically get, you know, for your listeners, it’s kind of hard to picture this. So I’ll try to paint the picture visually. The way it works is you open up the Inky panel, and it just is like a separate side panel right inside your Outlook or Gmail. And then whenever you click on a mail, when it displays that mail, it also simultaneously displays Inky’s analysis of the mail, which, if there’s nothing wrong with the mail, it’ll just say, okay, we were able to verify this came from, you know, whoever sent it. But if it’s suspicious or we know it’s malicious, we’ll put a big red warning up. So you see, you know, it’s not like a typical security product where it kind of silently does whatever and you’re left wondering as a user, what happened to my mail? In this case, generally the mail gets delivered and the user gets to see specific feedback on what we think is suspicious. Now, sometimes things can be wrong with mails that don’t mean there’s anything malicious. So links can be wrong. You can often see where mailing list mail will have a different Reply-To than the From. And that’s often a hallmark of malicious mails, but it’s very common in mailing list mail. So it’s not always the case that everything is black and white, it’s either malicious or not. Sometimes you can’t tell. And so we’ll say, well, that’s an orange flag. Just pay attention to this. And if it’s asking you to wire money or change your password, you know, maybe don’t do that, right? Confirm with somebody outside the email channel. And so this same experience works in Gmail too. You get a little side panel. Because it’s like having a security guy sit next to you while you’re reading your mail saying, yeah, I don’t know if I’d click on that link, it seems like… All right, yeah, yeah, that’s not from DocuSign. I wouldn’t, I wouldn’t log in.
Speaker 0 | 26:44.545
A lot of other kind of larger enterprise companies that are still using things like Lotus Notes, believe it or not. Is that something they should be doing? And does this have anything to do with you? Okay, answer.
Speaker 1 | 26:58.850
I don’t have any dog in the fight. I mean, honestly, I don’t have a dog in the fight. So I’m happy to sell people a version that works with either Google Docs, or what they call G Suite now, or Office 365. I will say that to my mind, looking at the market and talking to CIOs a lot, because I do that as part of my job, obviously, I see a lot of momentum towards Office 365. So I think if you’re not, you certainly should be moving to Office 365 or G Suite. And most of your peers appear to me to be moving to Office 365. And what’s nice about both of these ecosystems is, and Microsoft’s a little farther along, frankly, than Google is, the exact thing that we’re using to add this capability, these add-ins, they’re a general mechanism where vendors can create extensions that run right inside of Outlook or Gmail. And that’s really cool, because you’re not then dependent purely on innovation from Microsoft alone or Google alone. They’ve opened it up to other third-party ISVs like us that can add point solutions that address particular needs. And so that’s exactly why we focused on phishing. Microsoft, of course, has various security offerings, like they have something called ATP, Advanced Threat Protection. None of those things really addresses this newer phishing problem. Pretty much the state of the art prior to Inky is, well, if I see a URL that’s been reported, I’m going to block the mail. But the problem is these newer mails, they either don’t have URLs or they have a unique URL for each recipient, so there isn’t a single URL to block. And we’re just seeing that this kind of URL blacklisting approach is not going to work anymore. And then on the other hand, you’ve got the training software guys. There’s one called PhishMe, there’s KnowBe4, and it’s great to train people to spot the signs of forgery. But the issue there is, you know, in bankofarnerica.com, you can train people all you want. They can’t see something that’s invisible, right? 
There’s no training that’s going to make them see something that’s invisible. And the attackers aren’t stupid. So they know people are getting trained with the training software, and they’re working around it now. So these add-in mechanisms let us do something very targeted. In our case, it’s targeted to this next-generation phishing problem, but it also lets these other vendors like us do this. And so that’s why I think you want to be on either the Office 365 ecosystem or the Google one. I think that you’re just going to miss out on these spot solutions if you can’t get on one of those two platforms.
Speaker 0 | 29:32.804
Well, let’s end with that last point that you were getting into, which is really your separation factor. So why Inky versus any other phishing software, which there’s probably plenty of out there, and you know all your competition, but other than your days over at MIT and driving golf carts, or your friends driving golf carts backwards at speeds of 70 miles per hour or higher, and working on Crash Bandicoot and being a gamer guy, what really separates you versus the rest?
Speaker 1 | 30:11.382
Yeah, I mean, we’re just unique, right? I mean, we’re the only ones doing this kind of machine learning. You’ll see machine learning related buzzwords in the other guys’ marketing, but I haven’t seen any evidence that anyone’s actually doing analysis of imagery and text or domain names like we’re doing. And that’s really the key to catching this newer stuff. And we’re constantly adding these things too. So we have about two dozen of these heuristic machine learning checks and we’re adding more all the time. The add-in mechanism, by the way, lets us deploy things instantly. Like you don’t even have to restart your Outlook to get our latest version. It just shows up. So as we’re adding stuff, it just gets deployed without even IT guys doing anything. And the second thing is we’re unique in that the way we present the information is different, right? So we’re not a typical spam filter product or even the things that claim to look at phishing. They’re kind of working without the user knowing what’s going on. And so one of the things we get a lot of positive feedback on, in fact, it surprised me a little bit because I thought this was sort of a minor feature of our product. But it turns out it’s the thing that people remark on the most, unsolicited, and that is: hey, I like the fact that users can see what it thinks is wrong with the mail. So it’s a training function and a protective function, and the user’s in the loop, right? So the user is able to see, hey, that particular link looks funny to me. Doesn’t necessarily mean it’s malicious, but you should pay attention to that. So it’s kind of implementing a bunch of these guidelines you’re trying to train people to follow, but you’ve got your little robot assistant doing it for you and then calling your attention to the stuff it finds. And I think, you know, as far as I know we’re the only solution that has either of those properties: either real deep use of machine learning, you know, we use neural network based deep learning and some other approaches, and we’re, as far as I know, the only vendor that has anything like an add-in that actually interacts with the user. I think both of those things are really game-changing, and both of those things are what you need to deal with this next wave of phishing attacks we’re seeing.
Speaker 0 | 32:12.128
Nice. So to review, the top three dumbest things employees do with email that are worse than a Hillary Clinton BES server are, number one, clicking on an email.
Speaker 1 | 32:29.415
You can’t really get worse than screwing up an election with your email habits. That’s kind of going to be the hundred-year story about email.
Speaker 0 | 32:40.440
But no, really what’s,
Speaker 1 | 32:41.201
you know, that essentially.
Speaker 0 | 32:42.321
That we covered, like the top three things that we covered, though. What, like, we went over them, right? It’s like getting robbed by, like, sending money, right? Because there’s, like, a link, right? What was the second one? The second one was like... just, just review the top three that you see.
Speaker 1 | 32:58.953
Well, yeah. Yeah. So don’t, don’t click on a link. I mean, you should use something like Inky that tells you the links are already known to be problematic, but if you... don’t click on links without checking where they go. If you get a mail that says, hey, you need to log in and change your password, or you need to wire money, or hey, send me all the W-2s. Okay, yeah, that’s right. Don’t email for those things.
Speaker 0 | 33:21.024
Okay, so don’t click on a link. Don’t change your password and send money somewhere or DocuSign something, and don’t send all the
Speaker 1 | 33:29.187
W-2s. The other scam that people fall for, which you do get some protection from some of the existing products like ATP, is malware attachments. And the game there is the person will pretend to be your CEO and say, you know, I want to have everyone’s comments on this financial projection spreadsheet by the end of the day. And then you open that attachment, which isn’t actually from your CEO, and now you’ve got malware installed on your network. So immediately opening an attachment on the basis of a mail that appears to be from the CEO. Now, if you’re using Inky, it’ll just tell you, hey, that ain’t your CEO, red flag, don’t do anything with this, right? But at the very least, in general I think people need to understand the only way something bad is going to happen to you is if you take an action based on an email that’s not undoable, like wiring money, or you open an attachment, or you click a link and therefore log into a site and give them information. If you don’t do any of those three things, email can’t harm you. Like, just having it on your screen, the pixels of the email are not going to hurt you, right? You’ve got to interact with it to cause problems, or you’ve got to take action for there to be a problem. So we’re trying to make it really clear, visibly, don’t take action on this. This looks like a scam, or we’re not sure it’s a scam, but hey, it’s talking about changing your password. Do not do that on the basis of just an email alone.
Speaker 0 | 34:49.376
Dave, I really appreciate the time today, man. If you had any final message, which I think that was your final message, but if you’ve got anything else to say, now’s the time, man.
Speaker 1 | 34:58.624
I would say, let us help you. The insurance policy you get from using a tool like Inky costs you a heck of a lot less than a single bad incident. It doesn’t have to be $30 million. I like to joke, it’s sort of a dark humor, right? But $30 million would buy a lot of software, right? We’re not anywhere near $30 million. You do one wire fraud that nails your company for $1,000, you already paid for our software for years. So the insurance policy is cheap and you should have it.
Speaker 0 | 35:26.871
Good point. Dave, thanks. And thank you everyone for listening. If you would like more information or you would like to get pricing on Inky’s products, then go to thehowardstrategy.com. Or you can also email me at phil at philhowardsales.com. Everyone have a wonderful day.
So I would write software for her that would do things like double-space the manuscript or put a header or footer on the pages, like super advanced for the time. And one thing that came up recently was we found in my parents’ basement a box which had the original manuals that I had made for this software, which, remember, she’s the only person who ever bought it, right? I mean, so like she paid me ten dollars for this software, but I made a manual. Like, here’s your user manual. And if you have any trouble, contact support. And I put my phone number, which, of course, was her phone number because I lived at home because I was, you know, nine. That’s awesome. So, at least pretending to do software sales since I was a little kid, and sort of just got really into doing game programming like a lot of kids at that time, you know, because you couldn’t just go and buy a game. You know, there were games, but they were pretty primitive. So you could kind of make your own games that were similar in graphics and quality to the real ones. So it wasn’t like now where you have to have 500 guys to make a triple-A game. You could kind of make your own little games yourself. So I did a lot of that and then ultimately went into computer science for real at the University of Maryland. Graduated from there and went to the artificial intelligence lab at MIT where I met these two guys, Andy and Jason, who had been doing games since like they met in Hebrew school in seventh grade and selling them. And so long story short, I left there, left MIT with a master’s and went to become first employee at this company called Naughty Dog, which nobody had heard of. And now it’s kind of like the premier game studio in the world, and I was basically their first employee. And we worked on this game, which was at that time called Willy the Wombat, ultimately became Crash Bandicoot, which is kind of the Sony PlayStation mascot game. And the funniest,
at least PG story from Naughty Dog is we moved out to LA because we had a deal with Universal Studios. Universal Studios, the studio, really wanted to get into what they called at the time interactive, which basically meant games. So they set up a division. They had a really impressive guy who had been at Atari named Skip Paul set up this division called UIS or Universal Interactive Studios. And we were one of the first developers they brought in. And the way it works is, you know, the studio gives you a big pile of money. In that case, it was like a million dollars, and you make the game. And if you sell enough copies to earn back the million dollars, then you start making a royalty. So fortunately with Crash, it sold so much because Sony picked it up as their game and published it. We made a lot of money on the royalties. But one of the things is, because it was Universal Studios, they gave us space on the back lot. So we were in Steven Spielberg’s bungalow. Nice. Literally in Spielberg’s bungalow. And in fact, one of the funny things was one of the first artists that Andy and Jason hired, Taylor Kurosaki, was working on the Dalek model for the U.S. version of Doctor Who, which nobody even remembers now, but there was a time in like 1994 when the BBC and Universal were trying to bring Doctor Who to America. And so they had all this, you know, artwork and collateral done for this U.S. version of Doctor Who, which never got made. And so we met Taylor and hired him away from making Doctor Who Dalek models to work on our models for Crash. But the funny thing is that, of course, on the backlot, you know, this is like the studio backlot. We’re right on the theme park. So like literally when our parents would come visit or whatever, we would just sneak onto the E.T. ride and like go on all the rides for free. And they had these little trams that would take people around on tours and they would sort of, you know, just make stuff up.
Like basically the owner of the company, Jason, one of the two guys, the reason the company is called Naughty Dog is because he had a dog named Morgan and he’d walk Morgan around. And the guys on the tram would say, do you recognize that dog? You should. That’s the dog from, you know, he’d make up some show. It’s like a total lie. And all the people on the tram would go, oh, it’s the famous dog from whatever, you know, Lassie 4. So that was funny. And then the other hilarious story about that is, so in the back lot, you don’t have cars, right? Like you drive to work and you park in the garage, but then to get around the back lot, you’re pretty much taking golf carts. And so Jason and one of our other guys, Justin, who was assistant man, they were always trying to figure out how to make the golf cart go faster because it had a limiter where basically you can only go like 25 miles an hour. Governor, exactly.
Speaker 0 | 07:02.880
I’ve got a governor story for another day.
Speaker 1 | 07:04.721
I don’t know.
Speaker 0 | 07:07.022
I was going to say, there’s a lot of governor stories out there.
Speaker 1 | 07:09.903
One of the two, Jason and Justin, this is a good one because one of the two of them figured out the governor only works if you’re going forwards. You could go as fast as you want in reverse. So basically they ended up coming back from one of these, you know, golf cart runs where they had gone like 70 miles an hour down the hill and flipped the golf cart, killed themselves. And they also lost one in the Parting of the Red Sea ride. They tried to drive the cart through there and it got flooded, and they had to get a crane to pull the cart out.
Speaker 0 | 07:42.154
Oh wow.
Speaker 1 | 07:43.075
Universal did not like us.
Speaker 0 | 07:44.836
So we’ve got to go from, so we’ve got to go from that. We’ve got to go from this to email. I mean, really, how do you go from that to email?
Speaker 1 | 07:54.773
You know, it’s weird. Like, I’ve always been interested in hard technical problems. So I did two of the games. You know, I was basically, along with Andy, who’s one of the other founders of Naughty Dog, the two of us wrote all the code for the first game. And then we had two more programmers that helped us on the second one. And so I worked on the first two games and then made a big shift out of games and worked on this other startup called ITA, which was kind of like Google of airfare. You know, we would compute the airfare prices for, you want to go from, you know, Boston to LA, here’s the prices and here’s a thousand options. And we wrote a full system to do that. And, you know, the first customer for that was Orbitz. So people remember Orbitz and Kayak and those guys, they sort of used our search behind the scenes and put a nice website on it. And then we also did a bunch of the airline websites. And so the transition from games to travel search seems totally bizarre if you don’t know how programming works, but you know, in some ways, it kind of doesn’t matter what the domain is. An interesting problem is an interesting problem. There are lots of really hard problems that we had to work on to make Crash look as good as it did on that era of hardware. And then likewise, you know, making the travel search work, it was sort of when the idea of using a big pile of PCs in racks to do a computation instead of a giant mainframe, that was like a new exciting idea. So Google was doing it, we were doing it, some others were doing it. And so we had to solve a bunch of these challenges. And people don’t remember, but the hardware then was a lot slower and more primitive than what we have now. So it was a challenge to fit a difficult computation like rendering the world of Crash on a PlayStation 1 or computing a billion airfare prices on a PC that fits in a rack.
Speaker 0 | 09:43.979
I would imagine.
Speaker 1 | 09:45.021
To email, basically email is very similar in some ways to travel in that there’s just a tremendous amount of accreted complexity in the industry. I mean, if you think about the airlines, they’re one of the first to adopt networking and computerization and databases, right? They were doing this stuff in the early 60s. And one of the challenges, though, is when you’re an early adopter, then 40 years later, you’re stuck with a huge mess because people have just added on crap for 40 years and it’s never really been rationalized. So being an early adopter, you usually get penalized later. And indeed the airlines had created this mountain of complexity. It’s almost impossible. I mean, I remember reading a study by IATA, which is the International Air Transport Association. They’re like the umbrella group for all the airlines in the world. They did a study, what would it cost to add a digit to flight numbers? So instead of having four-digit flight numbers, they wanted to have five-digit flight numbers because they were running out of flight numbers. They came back with an estimate of a billion dollars. So they basically did an 18-month study and assessed that the cost to add a single digit to flight numbers across all the systems would be a billion dollars. And that’s why there’s still only four flight digits, because they didn’t do it. And you can imagine all this complexity around things that people know intuitively, like Saturday stay-over, right? Or, you know, advance purchase, all that stuff’s embodied in a bunch of rules that have accreted over time. And email is kind of similar, right? I mean, email dates back to 1971, believe it or not. Email is so old that, in fact, the idea of HTML was a really, really recent feature added to email. Like email used to only be plain text. The whole idea of having HTML and attachments and stuff, like all that was a grafted-on bunch of stuff that happened in the 80s and 90s, especially the 90s.
And so, you know, the idea that you can accrete all this complexity, then somebody’s got to come along later and sort of unwind it all and rationalize it all. And what really struck me about email was twofold. Number one, it’s kind of a mess from a usability standpoint. So we put a lot of effort into making the search work better and things like that. But also from a security standpoint, I mean, the internet in 1971, there was no remote consideration of security. It wasn’t even something that was on anybody’s minds. And so the email system, it has various hallmarks of being developed in that time in that it’s just completely and grossly insecure. An example is if you have a connection to a mail server and you’re allowed to send mail on that mail server, you can just put whatever you want in the From line. Pretty much. You can just say, I’m the President of the United States. I’m WhiteHouse.gov. President at WhiteHouse.gov. Send it. And that’s the way it’s always been. And so things like we’re working on now at Inky, protecting against phishing, these are things that are just latent problems that have been around for a very long time because email was never designed to be secure. And so we’re retrofitting security features on top of it. And there’s all kinds of stuff like, you know, encryption’s been retrofitted on, and digital signatures and attachments and HTML. And so in some ways, the crazy domain complexity is similar for email as it is for travel, travel search, even though they’re totally different domains. Right.
Speaker 0 | 13:13.555
So let’s give our, just to pause for a second, let’s give our general listeners, our laymen, our lay folk like ourselves, okay? Like I’m the guy that would send that email with the president’s name in the From line. I may have even done that. Um, yep, yep. Uh, and I wanted to title this episode “The Three Dumbest Things Employees Do with Email That Are Worse Than a Hillary Clinton BES Server.” That was what I was going to title this, and I may still title this episode that. But for the, yeah, exactly, for the general lay folk, what does Inky do? Why should they have you?
Speaker 1 | 13:54.740
Yeah, so it’s a really good question. There’s so much crap and snake oil in the cybersecurity world now that I’m always really happy to answer that, because I actually have a real answer, unlike 99% of the vendors out there. So if you look at phishing, right, it’s basically two kinds of attacks. And by the way, phishing, email-based phishing, is like the most effective cyber attack there is right now. It costs nothing. It takes one sucker to fall for an email and you got them. It’s the perfect way to deliver malware. It’s the perfect way to perpetrate wire fraud. And it’s the perfect way to get, you know, identity theft, like people’s W-2s, right? So what are these people doing now? So what they basically do is, number one, they’ll try to impersonate somebody in your company. So they’ll send a mail, they’ll change the From line, and they’ll say, oh, I’m actually, you know, your CFO. And I’m going golfing. And sometimes they’ll even look at the social media profile of the person so they can say, you know, I’ll be at the Hamptons with Sally and the kids. So I won’t be able to do this wire. So get the wire out today and don’t bother me. So they make a very convincing looking message that’s forged, impersonating someone inside the company, asking you to do something, and then because you don’t want to get in trouble with the CFO you go do it, and it turns out, well, that money actually got wired to an organized crime account and it’s gone. So that’s sort of case one. Very, very effective. That’s called spear phishing. And case two is where you get an email that looks a lot like DocuSign or a Google mail and it says, oh, you better log in because you got to change your password or something. So you go and then log in, and it turns out you didn’t just log in to DocuSign, you logged into some attacker’s site, and guess what? Now the attacker knows your credentials and can log in as you to DocuSign, right? Or your bank.
And so that’s what we think of as brand impersonation. So there’s this case one, which is sort of impersonating an individual, and case two is a brand impersonation. And what we’re doing at Inky is we have specific countermeasures to stop both of those cases. And in the first case, we basically can tell by analyzing the mail whether it really came from your mail server. And so if it didn’t come from your mail server and it says it’s from somebody in your company, that’s a red flag, right? So we put a big red warning up and say, hey, this is an attempt to impersonate somebody internally. And we can black hole the mail or however people want to do it from the IT security standpoint. But the point is we can identify which mails are these impersonations. Brand impersonation, case two, is more interesting from a technical standpoint because what you’re really trying to figure out is, what brand is this mail trying to look like? And so if you get a real DocuSign mail, then the program should say, it’s trying to look like DocuSign, right? Because it is from DocuSign. So that’s sort of question one, what brand is it trying to look like? And then question two is, okay, well, it’s trying to look like that brand. Is it from a valid mail server for that brand? And so we can use cryptography to answer the second question. The first question is harder, though, because we’re trying to look at a mail with a program kind of like a person would. And what the attackers are now doing is they’re making the visual cues essentially invisible. So in the same way that Facebook looks at an image and says, do you want to tag that as your mom? Because we think it’s your mom. They have machine learning models that do that. We have a similar kind of system that does that with imagery in HTML messages. And it can tell with 99-plus percent accuracy,
gee, that sure looks like the brand imagery from DocuSign, you know, or Bank of America or whoever. And so what’s different about us is we’re able to catch these really nasty new waves of attacks, where you can scrutinize the mail very carefully and still miss the fact that it’s a forgery. And so the program’s able to look at the mail like a human, but without getting tired, you know, without missing any tiny detail. And I can give you some examples of these subtle details. They’re really, really clever on the part of the attackers. So really, we’re the only ones doing this kind of machine learning based stuff.
Speaker 0 | 17:56.389
So what’s the worst thing that you’ve seen? I guess what’s the worst thing that you’ve seen? And obviously, that’s what you help prevent. But can you give me like a, I don’t know, a testimonial or some kind of story or maybe horror story that would, you know, potentially get someone fired?
Speaker 1 | 18:14.564
Yeah, well, I have some examples of really eye-opening attacks that make people say, oh my God, they can do that. And then I know horror stories from the industry of, you know, there’s been an incident where $30 million wire went out that was fraudulent. The money was just lost. CFO was fired. You know, that’s a pretty bad one. I mean, I like to say $30 million to buy a lot of software.
Speaker 0 | 18:38.714
What about the general one that you’ve seen?
Speaker 1 | 18:41.075
It ain’t gonna be $30 million to buy our software.
Speaker 0 | 18:43.604
Yeah, but what’s the typical…
Speaker 1 | 18:44.984
Another example that people talk about.
Speaker 0 | 18:47.766
I mean, I just want like just one, just be one example of the typical everyday, it doesn’t need to be $30 million, it could be, you know, half a million dollars or even $100,000 or even $20,000 would be, I think, a fireable offense.
Speaker 1 | 19:03.415
Yeah, I mean, most commonly now we’re seeing the attackers either go lower on the amounts. So we’ll see lots of attempts to wire $1,000, and they’ll make a random number like, oh, it’s $1,532.18, right? So it looks believable. It’s a small amount. It’s below some threshold that requires extra checks. And sometimes we’ll see that being a widespread attack. They’ll do lots of those little ones, or we’ll see they’ll do one of those little ones as a probe. So I was just meeting with a customer the other day where they got a probe transaction that was something like $1,000, which they caught. And then they subsequently got one that was, you know, a million and a half dollars. So the attacker clearly was sort of probing with the small value and then trying to get the big whale amount secondarily. The other one we hear a lot about is W-2s. So there are guys out there who really want to get detailed information that they can use for identity theft. And so there are famous examples where somebody says, hey, I need the W-2s for all the employees. And then the recipient thinks it’s really that person and sends them 18,000 W-2s, which then are now in some, you know, some database somewhere on the dark web. I mean, this stuff’s happening all the time. If you look at FBI stats on this, this is literally a billion dollars a year this is costing US companies in just the wire fraud alone. So, I mean, it’s incredibly pervasive because it’s easy and cheap, right? And it’s easy to get caught up by one of these. You know, in terms of examples, my favorite example that I show people is there was an attacker who registered a domain that looks exactly like bankofamerica.com, except what they did was they replaced the M in America with RN, the letters R and N, which seems weird at first. But then if you look at that domain, bankofarnerica, in most fonts on most computers, the way the ligatures work, that R and N look exactly like an M.
And so literally I show this example mail, which is a perfect copy of a Bank of America mail, exactly the same HTML. We catch it because we see the logo imagery. And I show this to somebody and say, what’s wrong with this link? And even though they know something’s wrong with the link, they still can’t tell that the M has been replaced by R and N. And that doesn’t require some even more sophisticated stuff. Sometimes they’ll replace one particular kind of E, like a Latin E in Google.com. They’ll replace it with a Cyrillic E, you know, the Russian alphabet. And usually those look really similar and hard to detect, but you have to use funny domain names. You know, this Bank of America example is kind of like, you don’t even have to use any weird letters. You don’t have to use funny Unicode tricks. You could just, you know, replace an M with an RN, and another one is going to replace D with CL. In a lot of fonts, the C and L next to each other look a lot like a lowercase d. And so I show these to people and they’re like, oh my God, this is like a whole new world for me. I realize now we’re so doomed. And I’m like, well, you’re not, because actually we catch all that stuff. Right? So the good news is we catch it. Bad news is, yeah, these guys are getting really sophisticated.
Speaker 0 | 22:08.833
So what’s your role over at Inky? Just so people know.
Speaker 1 | 22:15.219
I’m the founder. And I work a lot on, yeah, I work a lot on the sales. I mean, I’ve had a lot of influence on the technology. I’m not, I’m not a programmer on the project anymore. So, founder and, like, chief sales guy.
Speaker 0 | 22:29.110
Okay. Or if someone wants this product, how do they get it? What is it? Is it only a 365 product, or how does it work? How can they get it?
Speaker 1 | 22:43.142
Yeah. So, I mean, you know, it’s very easy to sign up for this because we use this mechanism called add-ins, which Microsoft added a few years ago. So as long as you’ve got a relatively recent Exchange, now that’s certainly Office 365, but it also includes hosted Exchange 2013 and so on. As long as you got one of those, it’s super easy. We’ll charge you $3.50 a user a month, for each user, and you basically add this little URL into the admin panel of Exchange. And then the Inky icon, which is a little octopus, shows up in everybody’s Outlook. And then when they have that thing open, it’ll analyze their mail in real time and tell them, you know, either this looks good and here’s information that we were able to verify about the sender. It’s really DocuSign or whoever. Or it’ll say red flag, orange flag, pay really close attention to this. Or in some cases, it can be configured just to black hole the mail. If the mail is bad enough, then it can just never deliver it.
Speaker 0 | 23:46.261
Now, and then is there like some sort of, is there like a quarantine? Is there like a quarantine or something like that?
Speaker 1 | 23:52.543
So you can set it up to quarantine the mail or black hole it. You know, we have all kinds of mechanisms that let the IT guys control the policy of how these mails that appear to be malicious are handled, whether or not they get delivered at all. And then, you know, how much information we present to the user, and all that stuff is then tracked in an analytics system. So then the security,
Speaker 0 | 24:16.227
there’s a portal, there’s actually sort of a portal or GUI. There’s like a portal or a GUI for an IT admin or, say, a partner. Now, obviously through CNSG, you know, if anyone wants to, if anyone wants to purchase this, they can certainly go to thehowardstrategy.com or they can email me, Phil at Phil Howard sales. Certainly all my agents can resell it. Any of the agency world can resell this product, and you can come to me and we have a nice little special discount for you too. If you’re listening to this episode, just use coupon code telecom radio one. What about, what about Google Docs? Anything there, anything with Google Docs, or do they have to have an Exchange?
Speaker 1 | 24:55.744
Yeah, it works with Gmail also. So we have a version that works with Gmail and G Suite and works as a Chrome extension. So you basically get, you know, for your listeners, it’s kind of hard to picture this. So I’ll try to paint the picture visually. The way it works is you open up the Inky panel and it just is like a separate side panel right inside your Outlook or Gmail. And then whenever you click on a mail, when it displays that mail, it also simultaneously displays Inky’s analysis of the mail, which, if there’s nothing wrong with the mail, it’ll just say, okay, we were able to verify this came from, you know, whoever sent it. But if it’s suspicious or we know it’s malicious, we’ll put a big red warning up. So you see, you know, it’s not like a typical security product where it kind of silently does whatever and you’re left wondering as a user, what happened to my mail? In this case, generally the mail gets delivered and the user gets to see specific feedback on what we think is suspicious. Now, sometimes things can be wrong with mails that don’t mean there’s anything malicious. So links can be wrong. You can often see where mailing list mail will have a different reply-to than the from. And that’s often a hallmark of malicious mails, but it’s very common in mailing list mail. So it’s not always the case that everything is black and white. It’s either malicious or not. Sometimes you can’t tell. And so we’ll say, well, that’s an orange flag. Just pay attention to this. And if it’s asking you to wire money or change your password, you know, maybe don’t do that, right? Confirm with somebody outside the email channel. And so this same experience works in Gmail too. You get a little side panel, because it’s like having a security guy sit next to you while you’re reading your mail saying, yeah, I don’t know if I’d click on that link, it seems like… all right, yeah, yeah, that’s not from DocuSign, I wouldn’t, I wouldn’t log in.
Speaker 0 | 26:44.545
A lot of other kind of larger enterprise companies that are still using things like Lotus Notes, believe it or not, is that something they should be doing? And does this have anything to do with you? Okay, answer.
Speaker 1 | 26:58.850
I don’t have any dog in the fight. I mean, honestly, I don’t have a dog in the fight. So I’m happy to sell people a version that works with either Google Docs or what they call G Suite now or Office 365. I will say that to my mind, looking at the market and talking to CIOs a lot, because I do that as part of my job, obviously, I see a lot of momentum towards Office 365. So I think if you’re not, you certainly should be moving to Office 365 or G Suite. And most of your peers appear to me to be moving to Office 365. And what’s nice about both of these ecosystems is, and Microsoft’s a little farther along, frankly, than Google is, the exact thing that we’re using to add this capability, these add-ins, they’re a general mechanism where vendors can create extensions that run right inside of Outlook or Gmail. And that’s really cool because you’re not then dependent purely on innovation from Microsoft alone or Google alone. They’ve opened it up to other third-party ISPs like us that can add point solutions that address particular needs. And so that’s exactly why we focused on phishing. Microsoft, of course, has various security offerings, like they have something called ATP, Advanced Threat Protection. None of those things really addresses this newer phishing problem. Pretty much the state of the art prior to Inky is, well, if I see a URL that’s been reported, I’m going to block the mail. But the problem is these newer mails, they either don’t have URLs or they have a unique URL for each recipient, so there isn’t a single URL to block. And we’re just seeing that this kind of URL blacklisting approach is not going to work anymore. And then on the other hand, you’ve got the training software guys. There’s one called PhishMe, there’s KnowBe4, and it’s great to train people to spot the signs of forgery. But the issue there is, you know, in bankofornerica.com, you can train people all you want. They can’t see something that’s invisible, right?
There’s no training that’s going to make them see something that’s invisible. And the attackers aren’t stupid. So they know people are getting trained with the training software and they’re working around it now. So these add-in mechanisms let us do something very targeted. In our case, it’s targeted to this next generation phishing problem, but it also lets these other vendors like us do this. And so that’s why I think you want to be on either the Office 365 ecosystem or the Google one. I think that you’re just going to miss out on these spot solutions if you can’t get on one of those two platforms.
Speaker 0 | 29:32.804
Well, let’s end with that last point that you were getting into, which is really your separation factor. So why Inky versus any other phishing software, which there’s probably plenty of out there and you know all your competition, but other than your days over at MIT and driving golf carts, or your friends driving golf carts backwards at speeds of 70 miles per hour or higher, and working on Crash Bandicoot and being a gamer guy, what really separates you versus the rest?
Speaker 1 | 30:11.382
Yeah, I mean, we’re just unique, right? I mean, we’re the only ones doing this kind of machine learning. You’ll see machine learning related buzzwords in the other guys’ marketing, but I haven’t seen any evidence that anyone’s actually doing analysis of imagery and text or domain names like we’re doing. And that’s really the key to catching this newer stuff. And we’re constantly adding these things too. So we have about two dozen of these heuristic machine learning checks and we’re adding more all the time. The add-in mechanism, by the way, lets us deploy things instantly. Like you don’t even have to restart your Outlook to get our latest version. It just shows up. So as we’re adding stuff, it just gets deployed without even IT guys doing anything. And the second thing is we’re unique in that the way we present the information is different, right? So we’re not a typical spam filter product or even the things that claim to look at phishing. They’re kind of working without the user knowing what’s going on. And so one of the things we get a lot of positive feedback on, in fact, it surprised me a little bit because I thought this was sort of a minor feature of our product. But it turns out it’s the thing that people remark on the most.
Unsolicited. And that is, hey, I like the fact that users can see what he thinks is wrong with the mail. So it’s a training function and a protective function, and the user’s in the loop, right? So the user is able to see, hey, that particular link looks funny to me. Doesn’t necessarily mean it’s malicious, but you should pay attention to that. So it’s kind of implementing a bunch of these guidelines you’re trying to train people to follow, but you’ve got your little robot assistant doing it for you and then calling your attention to the stuff it finds. And I think, you know, as far as I know, we’re the only solution that has either of those properties: either real deep use of machine learning, you know, we use neural network based deep learning and some other approaches, and we’re, as far as I know, the only vendor that has anything like an add-in that actually interacts with the user. I think both of those things are really game-changing, and both of those things are what you need to deal with this next wave of phishing attacks we’re seeing.
Speaker 0 | 32:12.128
Nice. So to review, the top three dumbest things employees do with email that are worse than a Hillary Clinton bed server are, number one, clicking on an email.
Speaker 1 | 32:29.415
You can’t really get worse than screwing up an election with your email habits. That’s kind of going to be the hundred year story about email.
Speaker 0 | 32:40.440
But no, really what’s,
Speaker 1 | 32:41.201
you know, that essentially.
Speaker 0 | 32:42.321
That we covered like the top three things that we covered though. What like we went over them, right. It’s like getting robbed by like, like sending money. Right. Because there’s a, like a link, right. That what was the second one? The second one was like, just, just review the top three that you see.
Speaker 1 | 32:58.953
Well, yeah. Yeah. So don’t, don’t click on a link. I mean, you should use something like Inky that tells you the links are already known to be problematic, but if you… Don’t click on links without checking where they go. If you get a mail that says, hey, you need to log in and change your password, or you need to wire money, or hey, send me all the W-2s. Okay, yeah, that’s right. Don’t email for those things.
Speaker 0 | 33:21.024
Okay, so don’t click on a link. Don’t change your password and send money somewhere or DocuSign something, and don’t send all the W-2s.
Speaker 1 | 33:29.187
The other scam that people fall for, which you do get some protection from with some of the existing products like ATP, is malware attachments. And the game there is the person will pretend to be your CEO and say, you know, I want to have everyone’s comments on this financial projection spreadsheet by the end of the day. And then you open that attachment, which isn’t actually from your CEO, and now you’ve got malware installed on your network. So immediately opening an attachment on the basis of a mail that appears to be from the CEO. Now, if you’re using Inky, it’ll just tell you, hey, that ain’t your CEO, red flag, don’t do anything with this, right? But at the very least, in general, I think people need to understand the only way something bad is going to happen to you is if you take an action based on an email that’s not undoable, like wiring money, or you open an attachment, or you click a link and therefore log into a site and give them information. If you don’t do any of those three things, email can’t harm you. Like just having it on your screen, the pixels of the email are not going to hurt you, right? You’ve got to interact with it to cause problems, or you’ve got to take action for there to be a problem. So we’re trying to make it really clear, visibly, don’t take action on this. This looks like a scam, or we’re not sure it’s a scam, but hey, it’s talking about changing your password. Do not do that on the basis of just an email alone.
Speaker 0 | 34:49.376
Dave, I really appreciate the time today, man. If you had any final message, which I think that was your final message, but if you’ve got anything else to say, now’s the time, man.
Speaker 1 | 34:58.624
I would say, let us help you. The insurance policy you get from using a tool like Inky costs you a heck of a lot less than a single bad incident. It doesn’t have to be $30 million. I like to joke, it’s sort of a dark humor, right? But $30 million to buy a lot of software, right? We’re not anywhere near $30 million. You do one wire fraud that nails your company for $1,000. You already paid for our software for years. So the insurance policy is cheap and you should have it.
Speaker 0 | 35:26.871
Good point. Dave, thanks. And thank you everyone for listening. If you would like more information or you would like to get pricing on Inky’s products, then go to thehowardstrategy.com. Or you can also email me at phil at philhowardsales.com. Everyone have a wonderful day.