David Rogers is a busy guy. He’s a CEO of his security firm, Copper Horse. He’s chairman of the Fraud and Security Group at the GSMA. He’s a lecturer at not one, but two universities. And now he is the recipient of an MBE in the Queen’s Birthday Honours list 2019 for services to cybersecurity. How does he do it all? With the right people by his side.
In this podcast, David breaks down his unconventional journey into the world of security, the importance of surrounding yourself with the right people, and yes, what it takes to write IoT security standards that get you recognized by the Queen of England.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
David is a mobile phone and IoT security expert who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on security and privacy research for the Internet of Things. David chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation. He is a Visiting Professor in Cyber Security and Digital Forensics at York St John University and teaches Mobile Systems Security at the University of Oxford.
He has worked in the mobile industry for over twenty years in security and engineering roles. Prior to this he worked in the semiconductor industry. Most recently he authored the UK’s ‘Code of Practice for Consumer IoT Security’, in collaboration with DCMS, NCSC, ICO and industry colleagues. David holds an MSc in Software Engineering from the University of Oxford and an HND in Mechatronics from the University of Teesside. He was awarded the MBE for services to Cyber Security in the Queen’s Birthday Honours 2019. He blogs from https://mobilephonesecurity.org and tweets @drogersuk.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, welcome to the third episode of Security Nation. For those who are new to the show, each episode we talk to somebody awesome who's doing something really cool to move security forward and they kind of tell us about what they've been doing and how it's worked, what hasn't worked, we learn from it. I am your host, Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and joining me as my cohost is the amazing Tod Beardsley. Hi, Tod.
Tod Beardsley: Hi.
Jen Ellis: How are you doing this week?
Tod Beardsley: I am kind of snotty. Getting over a summer cold. That's kinda great.
Jen Ellis: So this week, Tod, we're going to talk to David Rogers, who is an awesome person who does way too much and makes me feel like I've done nothing with my life. So I'm really excited that's coming up. In the meantime, we're going to get into the Rapid Rundown. Hooray! What's going on in the world this week?
Tod Beardsley: Oh, well, the big news for the last week or so has been the rollercoaster of the several Zoom security flaws.
Jen Ellis: Can you zoom through them?
Tod Beardsley: I can! The very short story here is that given a crafted link, you can kind of trick people into joining your Zoom meeting. And if they have their video to autostart, it'll autostart video and so then you can watch them.
Jen Ellis: Oh, creepy.
Tod Beardsley: Yeah, that's a little creepy. You know, everyone I know has like little stickers…
Jen Ellis: I was going to say, come on, people. If you are listening to this podcast and you have not covered the camera on your laptop, what are you doing with your life? Yup. You will find any vendor willing to give you a cover for your camera. Come on.
Tod Beardsley: It is the best swag ever. 'Cause like I break these things every six months, too. So, yeah. That, that was the headline. There was some debate over the scope of this thing. There's some debate over whether or not this is even a bug since you can configure this behavior away. And then Zoom did eventually deal with it and they did an update and everything was great and then it turned out, there was remote code execution in the component that the original discoverer was abusing and he was so close to getting it. And he definitely has been kicking himself since. The RCE was in fact discovered independently way back in March by the Assetnote team during a private bug bounty. It's not clear to me if they ever actually reported to Zoom or not, but this has been floating around.
Tod Beardsley: And then of course since the giant headlines around the Zoom snooping bug, the remote code execution issue got rediscovered by a few people, including the fine people at Apple. They publish a malware removal tool that runs silently on your operating system and has since probably uninstalled the vulnerable component for you. So yeah, this was a bug that lasted about three days, four days or so, with the ups and downs of, you know, disclosure, drama. And is it a bug? And oh, there is actually RCE in there and now it's all gone. So you're probably fine by the time you hear this but if you're curious, you can always lsof your own operating system. You know, do all your, do all your forensics and find out what other interesting listeners you might have had running on your operating system that you didn't know about before. We'll see how this unfolds over the next couple of weeks, especially leading up to Vegas, right? Like there will be a lot of people talking about this and the kinds of things that go on that enabled this kind of thing.
Jen Ellis: Wait, is something happening in Vegas soon?
Tod Beardsley: As it happens! By the time you hear this, Vegas, Vegas time will be, what, two and a half weeks away?
Jen Ellis: Oh my god, don't say that, it makes me slightly nauseous. There's so much work to be done. So yeah, Hacker Summer Camp. So, for those who are uninitiated, Hacker Summer Camp refers to…
Tod Beardsley: That would be the Black Hat, DEF CON, BSides, PasswordCon metastization of all the security conferences that happen in a given week in August in Las Vegas, Nevada, USA. It is the biggest gathering of hackers in the world, generally speaking. Chaos Computer Club probably comes close, but DEF CON is the thing.
Jen Ellis: It's legit. And I hear a rumor that you're going to be doing something pretty awesome at Black Hat. You are going to be the quizmaster for Rapid7's security pub trivia event, is that right?
Tod Beardsley: Correct. Yeah. Rapid7 is running a customer appreciation lunch thing. If you're a Rapid7 customer, you'll probably hear about it in your email, or talk to your CSM or come to our website and Google around for it. We will be running a trivia event where I will be the quizmaster for that trivia. We're busily writing questions. It will be fun. A lot of K-Rad elite history, spot the hacker movie, is this a real virus name or fake virus name, things like that.
Jen Ellis: We should try and figure out a way of getting like a sly Security Nation plug in there somewhere. So then, I guess other Rapid7-y things, the party's happening. So for people who want to register for the big Rapid7 party, it's on Wednesday night, Aug. 7 from 10:00 until 1:00 or 2:00, I don't know exactly. If you've been before, you know what we're saying. If you want to register for that you can go to r-7.co/party2019. Alright, in the last 30 seconds, what else are you looking forward to in Vegas, Tod?
Tod Beardsley: So I'm more of a DEF CON guy than a Black Hat guy. I like Black Hat, it's great, it pays the bills, but DEF CON is where it's at. Honestly, like I said on Twitter the other day, there's no wrong way to DEF CON. You can DEF CON however you want.
Jen Ellis: There is a wrong way. People, what is wrong with you, take showers!
Tod Beardsley: I've never run into stinky people at DEF CON, but then again, I hang out at the pool a lot.
Jen Ellis: Wait a second, you're not really at DEF CON.
Tod Beardsley: That's the thing, it's networking, right? Like you can go to DEF CON and do nothing but networking and have a great time. I plan on spending most of my time around villages, around pools—there's a million pool parties to go to—QueerCon is back on, so that's great. But yeah, specifically I plan on spending time around the voting village, the IoT village, aviation and transportation stuff. Those are the things I'm interested in.
Jen Ellis: So exciting. Awesome. In our next episode, which I believe is Aug. 2, we're going to have some people on to talk about some other stuff that's happening in Vegas and Hacker Summer Camp. So look out for more information in the next episode. On this week's episode, we are going to meet with another of my fellow countrymen, David Rogers, who is an amazing guy, possibly one of the busiest people I know. He is one of those people who makes me feel like I am a lazy bum who sits around doing nothing all day, which actually might be true. I'll leave that to you to figure out.
Jen Ellis: So, how is he so incredibly busy? Well, on the one hand, he actually runs his own security firm, Copper Horse. He's also the chair of the Fraud and Security Group at the GSMA. He's on the executive board of the Internet of Things Security Foundation. He's a visiting professor in cybersecurity and digital forensics at York St. John University and he also teaches on mobile security systems at the University of Oxford. Just even saying all that was a little bit tiring for me, so I don't know how David manages to fit it all in. Seems to always be traveling and doing something interesting and exciting. So I'm looking forward to chatting with him today and finding out what he's been up to most recently. Hi, David! Thanks for joining us.
David Rogers: Hello. Thanks for having me on.
Jen Ellis: I'm amazed that you managed to find time for this.
David Rogers: Well I mean it's kind of ... I keep myself busy I guess.
Jen Ellis: So the chair of the GSMA thing, that's a pretty recent thing, right? Can you tell us a little bit about that?
David Rogers: Yeah, sure. So I was elected overall chair of the Fraud and Security Group at the GSMA, which that organization represents all the mobile network operators around the world. I've been involved, my company's been a member for a few years. I was the chair of the Device Security Group. So now I've got the sort of big task of looking after everything from the network to devices to whoever discloses vulnerabilities to them to whatever the topic of the day is. So yeah, it's a pretty big task and there's I think over 1,600 individuals in the main group and then a lot of other sub-groups and we've got some seriously good bright minds in there and we don't ... those people don't generally tweet or make stuff public, and they're all doing things behind the scenes.
Jen Ellis: Were you sort of sitting around one day thinking, "Oh god, I have this spare 30 minutes between 2:30 a.m. and 3:00 a.m., what shall I do with that time? I know. I'll take on being the chair?"
David Rogers: Well, it's kind of weird. I think the problem is you kind of want to make the world a better place and then you stupidly agree to do things and I have a problem with saying yes, I guess.
Jen Ellis: No, you seem very, very good at saying yes. You have a problem with saying no. See, this is what idealism gets you, David.
David Rogers: Yeah, I'm my own worst enemy at times.
Jen Ellis: But I'm very glad that we have people like you around that are willing to sacrifice so much of their time and energy and expertise into projects like this so thank you for what you're working on. I think it's interesting because you're doing all these amazing things, you're teaching at some incredibly well-respected, well-renowned universities, but you yourself left school at 16, is that right?
David Rogers: Yeah, yeah. Bit of a weird route. In the UK anyway, it's a bit of a weird route these days. So I did an apprenticeship and so you basically go to a training college -
Jen Ellis: Is that like you work for Donald Trump? Is that what that's like? You know, The Apprentice.
David Rogers: Yeah, but less painful I think, yeah, less televisions. Yeah, yeah, it's a bit more ... I mean I spent six weeks on hand skills, which is basically filing blocks of metal down and at the end of six weeks I'm telling you, you can file a block of metal flat. That's the kind of pain they put you through, and wiring houses and all this kind of stuff. It is crazy.
Jen Ellis: So I'm sorry, what were you actually apprenticing as?
David Rogers: So I was working for a company called Fujitsu and I was training to be in their semiconductor fab and what they would do is they would put you on this sort of first-year generic engineering technician training, basically. So you'd learn to weld, you'd learn to ... it was quite cool I guess, you know, blow up capacitors quite a lot, which annoyed the lecturers. And just generally learn the basics. In the second year, that's when you go in and they unleash you inside a semiconductor fab, which is I think also incredibly stupid to allow 17-year-olds to mess around.
Jen Ellis: It sounds kind of amazing, though.
David Rogers: Yeah, you learn quite rapidly how many possible ways it is to be pranked by various people, by the apprentices. So you learn quite quickly what tartan paint is and a long stand.
Jen Ellis: It sounds fantastic. Okay. And then how did you go from there into cybersecurity?
David Rogers: Wow. Okay. Actually the semiconductor fab closed down, as did much of the European semiconductor fabs at the time, and I ended up going to this mobile phone company. I had no interest in mobile phones and I worked ... I got a job as an engineer and I was only 19, I was kind of halfway through my apprenticeship and managed to blab my way into an engineer's job. So I started to write software there and design equipment for the factory.
David Rogers: We had this weird incident. So one of the things I would do is program the identities into phones and also program what are called the SIM locks into phones right at the end of the line, where we did a customization. And we had this incident happen in Portugal and the sales guys were like, "Oh yeah, these pirates, they say they're using Panasonic software and they're saying they got it from the factory and we need to identify it and you write the software, so can you go and identify it?"
David Rogers: And I'd never been abroad before and I was like, "Yeah, okay I'll do that." This is in Portugal. And I got out there and it was basically an undercover job and I was supposed to be posing as the buyer and I got told when I got to Lisbon Airport. So I thought, well I’ll roll with this and I got there and of course it wasn't our software at all. It was just random hacking software that had the word "Panasonic" at the top of it. But I was kind of on the plane back saying, "This is quite cool. Yeah, I want to do this stuff." And also it's early and this might be ... this might take people by surprise, there was no product security function. In fact the words “product security” didn't exist around that time.
David Rogers: So we just basically built that up from scratch and that's how I got into security, really. There was nothing and I guess a lot of people in my age group in this industry have had similar experiences, where there literally was nothing and you just had to start. And you're kind of flailing around and you're thinking "well maybe somebody else in another company, of course they would have done that or of course there's tools for this" and then you realize there just isn't and you just have to make it up as you go along.
Jen Ellis: You're pioneers.
David Rogers: Yeah, we did some cool stuff. I think some of the stuff I look back on, like that example, there's no way I would allow anybody to go and do that now that worked for me. They're not having fun.
Jen Ellis: They don't get to pretend they're James Bond, only you got that experience.
David Rogers: Yeah. I mean simply, I guess now there's a lot more rules around this and it's just a different world. There's a lot more formality. I mean, there's still a lot of fun stuff to be doing. I think also some of the bad guys are a lot nastier. That's what I feel, anyway.
Jen Ellis: I think that is probably true to some extent or at least maybe I think your average security professional has more exposure to some of those really nasty people. I do think it has certainly changed at least. Okay, so you got into security, you were super young. You had done half an internship. How did you end up in a situation where you now have your master's, you teach at two schools, you're chair of the GSMA, you're on the executive board for the Internet of Things, you're running a company? I mean this is a lot of different cool stuff, very senior stuff. How did you get to this point?
David Rogers: I don't really know, just by complete accident. To be honest with you, I've worked with some amazing people, I mean, some amazing people that I look back on and I can identify probably five people who I'd say had massive influence in terms of either helping me—what we'd now call mentors, right?
Jen Ellis: Yeah.
David Rogers: But you know, steering me along the right path at various points in my life. When you meet those kinds of people, maybe you don't realize at the time that they're going to help you as much as they have, but later on in life you sort of realize that actually what they said really influenced you and you remember stuff they said. So, because I studied part time through most of this, and I think also to anybody who's listening to this, I don't think there's any easy ways, right? Working hard is the root of all of this, so nobody sees all the rubbish nights where you're not going out with your friends and hammering away at the keyboard trying to write an assignment for something and you're on the verge of giving up all the time. That sort of, I think it's like persistence that gets you through. And I think in your worst hours, again I think that's where your friends can help and stuff as well that sort of push you over the line a little bit. But yeah, it is hard work. I think being in a position at a young age of leadership, for example. So...in their stupidity, they made me the head of project security at 23.
Jen Ellis: It sounds like they recognized your value.
David Rogers: I think they were desperate, to be fair. I think there wasn't anybody else to do it. But when you get people that are working for you that are sort of mid-50s, maybe, and they're just not going to work for you, you know?
Jen Ellis: Yeah.
David Rogers: And now I look ... At the time you're really frustrated and you're like, I really need this person's help but they just don't accept that that young person can be their boss. It's really, really hard and you're kind of fighting two battles. Actually, I was listening to a podcast recently, it was Dan Snow's History Hit. Dan Snow's this British historian, quite a good guy, really good podcast to listen to, actually. And he did one on D-Day and he spoke to this guy called Captain David Render and he was 19 years old on D-Day and he was a second lieutenant. He ended up, you can listen to this story online, but he ended up commanding this sort of tank group and he makes the point that basically none of the guys that worked for him wanted to work for him and didn't respect his authority and he said he had two enemies, which were basically the Germans and his own men, and his own men were worse than the Germans.
David Rogers: And I think certainly when you're very young in a position of leadership, you have a much harder time and it feels irrational at the time and that's partly because it is, and you end up having to work doubly if not triply as hard to do your job, do a normal job and it can be very, very frustrating. And even now I'm not sure it gets any easier because there's always people that are older than you who want to somehow exert their authority over you. So I really, really relate to young people in positions of leadership in cybersecurity and there's a lot of people. And I guess again, there's no easy way. You just have to lead from the front and do twice as much work as everyone else just to gain respect.
Jen Ellis: I like hearing you talk about the value of mentors and I definitely echo that and think I have benefited a huge amount from people who've taken time to give me guidance and help me find my own direction, and it is extraordinarily valuable and it sounds like that's something that you try and pay forward as much as you can now that you're in a leadership position and further along in your career. Is that right?
David Rogers: Yeah. And you know, I mean it's sort of a weird thing, somebody asked me to write a course, a mobile systems security course for the University of Oxford, and I didn't really know about teaching, to be honest. But when I did it, I enjoyed it, and I think part of that is that sort of satisfaction that you get. And now it's a few years later now. I just actually went on hiatus just to try and reduce my workload a little bit, but...
Jen Ellis: What?
David Rogers: But yeah, I mean that's master's students so they're already professionals in industry so that's kind of an interesting experience because you're learning from them as much as they're learning from you. It's really interesting because you've got people from big companies who are on that course. But then also at York St. John, that's an interesting university because what again I was asked to teach there doing some cybersecurity stuff and particularly with an ethics slant because that university is a Church of England university. The chancellor is the Archbishop of York, who's a very senior figure in the Church of England and so they have this thing about ethics all the way through, so that was quite attractive.
David Rogers: There's a difference between ethical hacking and ethics. I've actually not seen that much ethics in ethical hacking to be honest, but that's a different topic. But this is undergraduates. That university also has a particular thing about taking people from disadvantaged backgrounds and there really is a difference. The University of Oxford is obviously the top university in the world for computer science at the moment (sorry, Stanford). And the difference between a smaller university and the backgrounds that some of these kids come from, is somewhat profound. And you look at the intelligence of some of these kids and they could easily be at Oxford, it's just that life circumstances have put them in a different category. So, some incredible work that I see those guys doing, too. And it does give you real satisfaction seeing those people come along and then go into careers, and I look on LinkedIn now and see them really doing well and wanting to do cybersecurity careers. It makes me feel really, really pleased.
Jen Ellis: That's great. I love it. That's really, really lovely. And I want to get into talking a little bit about some of the other ways that you are trying to make the world a better and safer, more secure place. All of which I think has resulted in you having a bit of an honor recently. So I think we're going to have to explain this for listeners that are not from the UK, but you were recently recognized in the Queen's Birthday Honours list and you're now what is it? You got a…?
David Rogers: An MBE.
Jen Ellis: Okay, can you explain that a little bit?
David Rogers: Well, not really, actually.
Jen Ellis: So do we just explain it by saying basically what it means is that you are deemed to have provided an extraordinary service in your field to the British people and that now people have to curtsy when they meet you. Is that a submission, we have to curtsy, we have to recognize that you're going to be hobnobbing with the queen...
David Rogers: Definitely don't curtsy. This is why I'm not coming to DEF CON this year.
Jen Ellis: Too many curtsies? Yeah. Because I had planned a full processional for you at DEF CON. I had got a scepter and orb, I was going to play the queen. It was going to be a whole thing. I'm very upset that you've basically torpedoed this idea. I had got a red carpet laid out, you know, I mean finally some real pomp and circumstance for Vegas and you're just ruining my plans.
David Rogers: I think there's quite a lot of queens in Las Vegas, but you know.
Jen Ellis: No comment. Okay. So I think the primary work that you got the MBE for and I really for people who have no idea what this is, I encourage you to Google it, it is a really big deal. There's not very many of these that happen and certainly for something that is as hard for the average person to relate to as cybersecurity to see people getting recognized for that in the Queen's Honours list is a really, really big deal.
David Rogers: Yeah. That is something that I wanted to say. It's really, really incredible apart from the fact that I think somebody's trolling me because I never liked the word "cybersecurity" and now it's attached to me for the rest of my life, so thanks, whoever that was. But having accepted my fate, the fact that four people got MBEs for cybersecurity. There were two people from Darktrace, there was a lady that's pioneered a lot of work around security insurance for small businesses, and then there was me. I think is amazing that there's recognition, finally people are getting recognized for doing work in this field because for years, right? I mean you know this, we've been kind of left to one side or there's been no money or it's kind of like, "Oh, don't go near the hackers."
Jen Ellis: Yeah, it's been a dark art. And we've been the unpopular stepchild.
David Rogers: Yeah, and now suddenly -
Jen Ellis: We're en vogue, is that what you're saying? We've become trendy?
David Rogers: Yeah. I wonder when we're going to go out of vogue.
Jen Ellis: It won't take long, I'm sure. I do really appreciate, though, the fact that you make a real point of drawing attention to other people who have done things and been involved in work and the fact that other people have been recognized with this. I think that's a sort of a real testament to your humility which I'm sure you're super excited that I just pointed out. That's going to work well for you. But also your collaborative nature and I think for the kinds of work you were doing and the type of progress you're trying to create, taking a collaborative approach is kind of essential, actually, and so that community orientation that you have is super valuable and I'm sure very much appreciated by others.
David Rogers: I guess there's some real advantages to that. You can do a few things yourself, but if you can work together with other people and do great things then you together win in a big way. You don't always necessarily agree with each other's points of views but I'm very much of the view of a consensus-based working pattern in terms of working with colleagues and working with other companies and stuff.
David Rogers: For example, through the GSMA and through the IoT Security Foundation. That is basically volunteers. It's individuals who come together and you end up making a lot of great friends that way. Don't ever feel that you're kind of stuck doing what you're doing or only you can do it. You might have to modify a few things you're doing and make some compromises but to do great things, you're going to have to work with lots of other people. That's the way I've always thought.
Jen Ellis: Yeah, and it sounds like you have a view that people will help if you provide an opportunity for them to do so. And that's been my experience as well by the way.
David Rogers: Yeah. You know in their own way as well. Everyone has something that they can contribute and that they're good at and it might not be the most obvious thing at the time but yeah, I guess this whole thing like cybersecurity ... I know this is going to sound really weird, but actually it is about people. If people are not motivated or they're upset, they're not going to do any work and you're not going to do great things together. So working together in a collaborative atmosphere where you all can respect each other's contribution I think is the best way and I know in infosec that can be really difficult because people have very strong opinions and we have a lot of incredible minds from right across the spectrum of people's skills and other things.
Jen Ellis: We should respect that. I think the different ways of thinking that people bring, the different levels of experience that people bring actually that's what rounds us out. That's what enables us to tackle problems in new and interesting ways. We have to be open to learning from each other. A lot of people who have the same experience and the same point of view as you do, they're not going to help you that much. You already have that covered. That's the stuff you brought. What else have you got?
David Rogers: Yeah I think it's very easy to slip into that, that sort of group mentality.
Jen Ellis: The echo chamber, yeah.
David Rogers: And I think that Silicon Valley's in this massive thought bubble and that's my feeling, but reaching outside your traditional views and your traditional circles is always good. And also compromise, having that strength to back down. You might believe 100% that you're right and you might know that you're right, but is that going to get you to whatever the objective is? And if it's just going to cause loads and loads of pain to the point where somebody might actively destroy your work or whatever, then that's not good is it? So you might have to compromise.
David Rogers: And I think again that's what I've always believed that being able to compromise is actually a strength. It's a power. It's a superpower.
Jen Ellis: I think it's a huge strength, a huge superpower, and I completely agree. And I think one of the areas that you have applied your superpowers, all of them, the ability to stop time and clone yourself and listen to other people and compromise is in creating the UK's Code of Practice for Consumer IoT Security, which I think is one of the big pieces of work that you did that contributed to you getting put into the Queen's Honours list, if I'm understanding that right.
David Rogers: I believe so. I still don't fully know, but I believe that's part of it, yeah.
Jen Ellis: So why did you ... So firstly can you just tell us a little bit about what the code is?
David Rogers: Okay. So the code of practice is really one of the outputs of a huge piece of work which is related to the UK cybersecurity strategy and the UK's been pretty world-leading in terms of its approach to taking all aspects of cybersecurity and essentially delivering on everything from education to national defense to business activities. I think that whole package, which essentially resulted in what we have in the UK, the National Cyber Security Centre, has been extremely successful and other countries are seeming to emulate it.
David Rogers: So part of that work was recognizing the fact that there is this thing that's rising which is the number of connected products in homes, which is part of what we call the Internet of Things. Those things, those products can cause harm to the user and they can cause harm to other people. So if we think in the case of something like a cheap webcam, that could be potentially hacked into and then people in their house spied on, so that's harm to the user. Or the other way, it could in some way be remotely compromised and then targeted as part of a DDoS attack or something against some other third party. And the user wouldn't even be aware. And that's probably the graver threat to national security, although there are a number of aspects as the Internet of Things gets bigger. There's a ton of safety threats attached to it.
David Rogers: So this whole piece of work was about what do we do about that problem and the Code of Practice is part of the overall piece of work.
Jen Ellis: How did you get involved in the code of practice? How did you ... Did you wake up one day and you were like, you know, I'm assuming it was like four o'clock in the morning or something and you were like, "Time to start my day." And you thought, "Today I will go and write a code of practice to solve this problem, even though I don't work in the UK government."
David Rogers: No. I mean my company does have some contacts with the Department for Cultural Media on the topics of mobile phone security and I've done a lot of work around the counterfeit problem. I was asked to sit on this committee of people that had been sort of brought in to sort of talk about this topic and again I stupidly put my hand up in the meeting and said I'd got a way I might solve this. Like an idiot, yeah.
Jen Ellis: And everybody went yeah, that's a great idea. Thanks for volunteering, David.
David Rogers: Exactly. Everyone else sits back and goes, thank you very much, no action.
Jen Ellis: While they have another biscuit, yeah.
David Rogers: To be honest there were a ton of good people there. But I just felt that having done a lot of work in this space that maybe I could come up with something. So I ended up, I remember the exact conversation so I was down at ETSI, which is a standards body, and they're in the south of France in a place called Sophia Antipolis. We sat outside having a nice sandwich in the sunshine, south of France. So I sat with a guy from the NCSC and there's a couple of people who won't like me mentioning Mirai, but our starting point was how would we have stopped Mirai. Amongst a ton of other things, I might add. So we just got into this whole conversation. So based on that first draft that I'd written, we started to think about things that we'd prioritize, things that would help the consumer, things that worried us as individuals about where all of this is going. Issues of privacy, issues of safety, and the very real threat I think that has been at the back of all of our minds and I guess particularly governments collectively is at some point, somebody's going to die. And that's the reality of it. Something will happen related to quality, related to malfeasance of some sort and so we recognize that the quality of these products particularly and that applies to security, is just absolutely garbage.
David Rogers: And so this has been going on for too long. The problem with default passwords has been around and known about for 40 more years. And that's the other thing, people can talk about all these really sexy solutions and issues like post quantum cryptography, things like that, which are issues. But staring us in the face is the elephant in the room of default passwords and things like software updates as well. I mean, less trivial I guess in terms of the fixes. I don't want to trivialize default passwords because that is not a trivial issue to fix. When is it acceptable? Can we have an enrollment password, for example? That might be acceptable.
David Rogers: So all of those discussions as you go along. But what we recognized was that we should do something that was really high-level that would be essentially a winner in the market because we can go to the nth degree as we've done time and time again and say, "This is the ideal thing to do," but nobody will implement it. So if you step back from that you say, "What was the point?" So we tried to get some middle ground in the language that we used that was understandable for both consumers and for implementers and for governments, but also in terms of the measurability of what we were doing and the achievability. So, for example, vulnerability disclosure is a good one. So we pretty much mandate that companies should have a vulnerability disclosure policy and they should act on it.
David Rogers: Now the reason why I think that's a good, easy thing to do now is because of the people who've come before. So 10 years ago had I said that, people would have laughed me out of the room, but now it's quite easy because of people like Katie Moussouris and other people who have done huge amounts of work to educate vendors and standardization bodies and other people that this is the right thing to do and that's come straight out of the security research community. It was actually quite easy for me to win the argument. It was an argument, but we won it. That is one of the top three of this Code of Practice.
David Rogers: This again is back to not doing things on your own. It's just the timing sometimes. And I think that's what we had here. We had an amazing team and you have met some of them, Jen. I just cannot believe some of the people I work with, the brains, the willingness, how hard they work, just the motivation from that DCMS team and the NCSC team, but also right across the security research community, I mean people like Beau Woods and Josh Corman, people like Ken Munro. It's just the timing is unbelievably good for this to be a success. I think that's the main thing here. You know it's not about what's written, it's about the timing of it.
Jen Ellis: I also think it's exactly as you said, it's been an evolution and where we are now, we stand on the shoulders of those who came before. As you said, Katie has done ... Katie and others have done incredible work on establishing best practices around coordinating vulnerability disclosure, creating these two ISO standards. Then there's the people who worked on the DMCA exemption for security research that helped sort of legitimize vulnerability disclosure and make a smoother runway for researchers to do the work that they do.
Jen Ellis: There's been lots of effort across the past couple of decades and it is amazing. Lots of people doing pieces big and small and I think you're right that there are lots of people in the community today super active in this area doing a huge amount to advance the cause and it is a team sport in that way. So it's great that you are acknowledging that.
Jen Ellis: So just quickly, what do you think some of the biggest challenges were that you had taking on this project? Because I mean it sounds like it was a pretty time-consuming, lengthy, complicated, multi-stakeholder process. I can't imagine it was smooth sailing all the way.
David Rogers: Yeah, yeah. I mean you can't win every battle. I think one of the biggest things actually was the time that it takes, for example, looking at the feedback and trying to rationalize that and trying to work out what the best path forward was and understanding people's motivations. I mean, without betraying confidences, some people were firmly against certain aspects of the code in terms of how it may impact their business and understanding that was very difficult. But again, it's about compromise and then working out where was the line. Where would you be prepared to stop in terms of compromise is very difficult. And sometimes that knocks your confidence I think as well and you begin to question whether you're doing the right thing.
Jen Ellis: You must have absolutely loved it then when I turned up at not even the 11th hour, but I think it was like the 13th hour and said, "I've got some feedback for you."
David Rogers: I mean I think you know this, right? The whole team has been entirely open to people giving feedback because we wanted it to work and we realized if this thing was launched and we haven't listened to people, it would just be a trainwreck. And so particularly I guess one of the challenges with one of the participants was it was the old line that always gets trotted out, which is, "You can't talk to the hackers." I've heard this so many times and in the past I've not been able to win those battles. But I think the respect with which the security community has now, the security research community, and the openness by which they've invited even senators to come to the main hacking conferences and stuff. I think there's a bridge now of people who understand that world but also understand the policy world. And they're realizing that the hackers are part of the solution, not the problem.
David Rogers: So I think that again was an easier battle to win. There was other stuff, right? So one of the things we realized was there was a lot of potential unintended consequences. So if you say for example you want to mandate software updates for two years, which would come in line with the new warranty, what would happen to those devices after two years? Would they end up all being scrapped? And does that cause this massive e-waste mountain or does it cause problems as they get recycled into Africa? And then somewhere like Ghana, which already has to suffer the consequences of poor recycling ends up with a further e-waste mountain. So these are really, really difficult challenges. And some of them we had to realize it was either out of our ability to deal with it but to acknowledge it.
David Rogers: Other ones, we wanted to tackle later. So a couple of topics that I would like to tackle are around, for example, the right to repair. That is a very, very difficult subject. Because from a security point of view, it doesn't sit well with repairability, but we need to somehow square that circle. Another subject as well which I guess is an emergent subject which there has been a lot of academic research on recently and people like Eva Galperin at the EFF have been looking at is we have all this fantastic smart home technology going into our homes, but that can be misused and it is being misused by abusers. And so in the UK now we have laws about coercive and controlling behavior. So it really, really disturbs me the way that this stuff that should be helping us is being used as a tool of abuse. I think we need to say something about that.
David Rogers: And I think going forward, we'll be reviewing this every two years, I think we need to start looking at that. It's quite a disturbing sociotechnical problem that we've got.
Jen Ellis: I agree. It's a huge issue and one that doesn't get anywhere near enough attention. And so it's great to hear about, like you and Eva doing work on it. Okay, so I'm going to ask you the final question, we're going to wrap up. Last question, this is always the last question I ask is, what advice would you give yourself or somebody else wanting to embark on a mission to advance security in their own way? What would you tell them to think about or to do differently?
David Rogers: Okay. So I would say be secure in your own mission. What I mean is if you truly believe in something, don't allow people to manipulate that with their view. Be true to yourself. If you believe in that thing, then pursue it. Because everybody has an opinion and people will also take the opportunity to knock you back and say, "You can't do this," or "You shouldn't do this." That may be the case, but that should be your own decision that you come to and your own realization. Don't be overly influenced by outsiders because if you take a positive attitude to what you're going to do and say, "I can do this," that's half the battle is winning yourself round. Because you will find, especially when you're working really, really hard and it's really late at night, which is not the best time to be thinking about these things, in your darkest hour. Just have faith in yourself and believe in your ability to do the right thing. If you are doing something that is helping other people and is going to benefit society then you will find that people are willing to come and help you that will support you. So stick to the plan.
Jen Ellis: I actually think that's great advice and I think it can be quite hard to do so finding that well of strength within yourself and sort of focus on mission is very valuable.
Jen Ellis: David, thank you not only for joining us. It's been great having a chat and hearing all your advice and your perspective on mentoring and everything like that. But also ... And the need for collaboration, which I love to hear about. But also thank you for everything you do and I really do sincerely mean that. I think that you have huge impact and I'm not just saying that because the Queen told me to. I know that you are a humble Yorkshire man but I think you should let other people acknowledge when praise is due and we super appreciate the work you do. So thank you very much and congratulations again on being on the Queen's Honours List and also congratulations on the success of the code and the fact that it's moving forward. I look forward to seeing what you're going to do next and I hope I can help in some way.
David Rogers: Thanks very much. And thank you Jen as well. You've been a great help on this work so I'm not going anywhere. Let's find the next thing we can solve.
Jen Ellis: Sold, I like that. I'm going to hold you to that and then you can come back on and talk about it in the future. Alright, thanks very much.
Jen Ellis: So that’s our episode. I want to say a huge thank-you to David. He’s a huge legend, super inspiring, I wish I could figure out a way to have the impact he does. I want to thank Tod for taking us through the Rapid Rundown, earlier in the episode and I want to thank Bri as ever for putting up with us and being amazing and keeping us on track. And I also want to thank our listeners, all three or four of you, thank you so much. We really value you. Check out the next episode, out on Aug. 2.