How Bad is IOT Security? - An Interview with Stephen Cobb and Tony Anscombe from ESET

 
 

Interview with Stephen Cobb and Tony Anscombe of ESET:

Cyber Security Dispatch: Season 02
Episode 04

Show Notes:
On today’s episode of the Cyber Security Dispatch, we are joined by Stephen Cobb and Tony Anscombe of ESET. With decades of experience in the field, our guests have a wealth of knowledge and expertise to share, and they will be talking about their work that centers on IOT and securing home devices. We start off the conversation looking at their backgrounds in the industry and their connection to the RSA conference before looking more specifically at ESET and what the company does. We continue with the familiar questions around the cloud and then move on to the main course of the interview where we discuss IOT. Our guests give us great insight into possible threats, the evolution of the hacker, and what sorts of security frameworks work in which instances. Towards the end of the conversation, we touch on GDPR and the future of IOT, which our guests are still somehow optimistic about despite their profession! So for all that and more, tune in and hear what they have to say.

Key Points From This Episode:

  • An introduction to our guests and their roles at ESET.
  • What brings our guests to RSA.
  • High detection, low maintenance and avoiding false positives.
  • Resistance to the cloud and what the slow migration means for security.
  • The obvious relationship between cyber security and the Internet of Things.
  • Practical and safe application of IOT in the home.
  • Targeted attacks and specific ransomware.
  • Looking at how these products in our homes can be leveraged by cyber criminals.
  • The benefits of complexity and putting the pieces together.
  • The reflected complexity of the criminal tactics.
  • The ongoing struggle even as security technology develops.
  • GDPR, cars that start with your phone, and the future now.
  • Creating a ‘naughty list’ of companies to avoid?
  • And much more!

Links Mentioned in Today’s Episode:
ESET — https://www.eset.com/
Stephen Cobb on Linkedin — https://www.linkedin.com/in/stephencobb
Tony Anscombe on Linkedin — https://www.linkedin.com/in/tonyanscombe
RSA — https://www.rsaconference.com/
Microsoft Azure —  https://azure.microsoft.com/en-us/?v=18.20
Amazon Alexa — https://developer.amazon.com/alexa
Android TV — https://www.android.com/tv/
Raspberry Pi — https://www.raspberrypi.org/
Rohit Ghai — https://www.rsaconference.com/events/us18/speakers/23131FE7650BFBDB-rohit-ghai
Sony — https://www.sony.com/
NIST — https://www.nist.gov/
Lincoln Aviator Smartphone Key — http://fordauthority.com/2018/03/the-2020-lincoln-aviator-will-have-a-smartphone-key-option/
WannaCry — https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/
KidSafe — http://kidsafefoundation.org/
Our Interview with Dr. Ron Ross — https://cybersecuritydispatch.com/dispatch/2018/4/30/a-postcard-from-the-future-an-interview-with-dr-ron-ross

Introduction:
Welcome to another edition of Cyber Security Dispatch, this is your host Andy Anderson. In this episode, How Bad is IOT Security, we talk with Stephen Cobb and Tony Anscombe, researchers at cyber security company ESET. Stephen and Tony have been researching tax and network security for decades. We talked about how to potentially secure networks as we introduce lots of IOT devices. These two Brit expats have all the cheeky humor you would expect from veterans working for years in the security space but still manage to keep a kernel of hope for the future.
Here are Stephen and Tony.

TRANSCRIPT

[0:00:44.5] Stephen Cobb: My name is Stephen Cobb, Senior Security Researcher with ESET North America, based in San Diego.
[0:00:51.2] Tony Anscombe: I’m Tony Anscombe, I’m a Global Security Evangelist for ESET based in the US but I work around the globe.
[0:00:59.7] Andy Anderson: Awesome, what’s bringing you guys to RSA?
[0:01:02.2] SC: We’ve been coming for quite a long time. Personally, I have fun reflections on the 1996 RSA with held at Fairmont, a much nicer location there. More convenient, I’m not so terribly stressful. What we’re doing this year with ESET is really bringing our full game, a lot of people don’t know that ESET has been around for 30 years and has been developing cutting edge security technology all that time.
It’s not like we made a product 30 years ago and sat on it. We’ve been using things like machine learning and threat intelligence and cloud based reputation, things like that for a long time, we’ve tended to be - don’t know whether shy is the right word on what we’ve been doing but I like to say we focus a lot more on engineering than we do in marketing.
[0:01:48.2] TA: Yeah.
[0:01:49.1] SC: For a lot of people, we’re the largest security software company they haven’t heard of. We’re number four in the world in business customers over 110 million protection systems around the world. We’re in just about every continent, what did we say Tony 200 – 
[0:02:05.4] TA: Yeah, we have customers in 200 countries
[0:02:08.1] SC: But we have to say territories because there aren’t actually - yeah, there aren’t actually 200 countries, we’re just everywhere.
[0:02:13.9] AA: You know, what’s interesting at our industry, there are around 3,000 vendors, right? That’s maybe 60% of the market, you know, just thousands and I talk with a lot of CISOs and they’re just like overwhelmed with all the tools that they have and the solutions that they have. Where are you finding that you’re kind of getting in, you know, obviously, your existing customers, what’s really grabbing them, are they sort of talking down the whole stack or they got points that they start to grab.
[0:02:42.8] SC: Interestingly, if you look at the buying decisions of a lot of vendors, management numbers, right? All the periphery things around an endpoint solution I think are there. When somebody looks at a testing chart, we have one of the last, well, if not the last false positive, right, in the industry. 
False positives can be more damaging than actually missing something. If you look at the people that get 100% in protection test, they typically have more false positives. You ramp up the detection by actually lowering the quality of product. One thing that ESET is not about is lowering the quality of our product. We take that very seriously.
[0:03:21.4] TA: Yeah, I think you know, historically, security implementation has always been this push pull between best of breed and the unified solution. What we’ve done is over the last 10 years, really expanded our product portfolio so we have encryption, we have two-factor authentication and we now have threat intelligence, we have rapid response tools, we have - our system inspector is a threat hunting tool that made where you to go anywhere in your network when anything is going on, we shut it down.
We’re introducing at the event, a single pane of glass to control over those. It is possible though for a large company - and we have some very large customers we can’t mention - to do all of their end point, from that one pane of glass, as Tony said, we really are very well-known for our low false positive rate and a high detection rate. 
[0:04:23.5] SC: And our low resources. Our client is super low.
[0:04:27.7] TA: Now, you can maybe tell we’re not the sales guys, we’re the researchers and the evangelist but yeah, if you talk to people, the first time I did an RSA for ESET, I think it was 2012 and I would go up to people, “Sir, sir, can I tell you about ESET?”
A lot of people, technical people, network administrators, security administrators pickup, “I’ve been using you guys for years, I just wish my company would.” You know, an endpoint product solutions is a placement sale at this point in time - all of the big companies have end point partition place - but over time, we’ve been getting better at marketing in a different share. Yeah, that low resources, one of them, the high detection rate. Really low maintenance.
[0:05:10.7] AA: I’m curious, you know, I was talking with a couple of different CISOs (Chief Information Security Officer), there’s kind of two things that I think they’re looking to do is kind of how do they think about as more stuff is happening in the cloud. I mean, this is not a new story but how are you securing that in terms of not you guys necessarily the security team thinking about the perimeterless network and you know, the internet is your network.
How do you guys sort of – how do you play in that world and how do you sort of see things evolving today but it’s happening a little slower than you would imagine based on the advertising if it’s still what? 50 plus percent, probably almost every corporate is not in the cloud; my sense is that number is going to continue to grow.
[0:05:54.5] TA: Our protection extends to the cloud, you can spin up a Microsoft Azure with ESET [inaudible]. We’ve always been very strong in server protection which is - it took about things that haven’t really caught on as well as they should, the number of companies that yeah, they got endpoint. They got laptops and desktops and workstations but they’re running email servers with them now or they’re running file servers and share folder. Yeah, I think, we’ve added network detection capabilities along the way and I think we’re well positioned to protect in the cloud in the virtual machines
[0:06:30.2] SC: But you also see a lot of companies deploying a mixed environment, so it’s hybrid. The cloud is not typically, I’m outsourcing this application place, single cloud provider, they’re interfacing back into the corporate as well so having that dual protection is really important.
[0:06:42.2] AA: Yeah, I mean, I was reading a few articles that you guys put out and you keep talking about sort of the real challenging pieces where all are maybe, it starts to actually, stuff that happens in cyberspace starts to go kinetic, right? We’re starting to see that, I mean, the Ukraine all of them, an hour, a little bit in Saudi Arabia or Saudi around those. How do you guys sort of think about that and it’s really the intersection of sort of IT and OT (Operational Technology). Again, the timelines of – 
[0:07:10.7] SC: Yeah, we love that space. It’s a fascinating space and I think, you know, Tony’s been doing a lot of research on the IOT which really blends right into the OT because industrial control systems and you know, sort of stuff that was manipulated by industry in the Ukraine, black energy, those systems you know, are using old protocol.
That’s a lot, there’s a lot of that around but the newer control systems, using the same stuff as you know, your thermostat in the hotel room and you got a white paper on all the stuff in the home that you’ve been messing with.
[0:07:46.0] TA: Which kind of actually - it was kind of a coffee discussion with a bunch of researchers and type of, if I could actually start this secure, smart home but a basic smart home, something my mum might do to start adding a few cameras or start adding some motion sensors or not the big, smart home, the blinds and windows, et cetera.
Could I actually do this securely, your conclusion was, maybe? If you use big branded devices and you check they’re not vulnerable to start off? Actually, a little bit of the big vendors have started with security by design - they started once all over those issues. I think the biggest aspect of risk to most people is privacy. You know, if you start using Alexa to integrate these things and people might. 
Suddenly you’d have a single point that has access to the data from all the devices. Now, if you attach, Nokia’s health bathroom scales, suddenly they know how heavy I am, what my body massive weight is. The problem is -
[0:08:53.1] SC: One of the things that I’m talking about in the presentation I’m doing, the boost, is what’s on your CEO’s smart TV? We just introduced a product for smart TVs, protection product. Because there’s, you know, if you’re signing in there with your Gmail account, I’m looking to target you.
Not just as a CEO, I want to do, maybe a business email compromise, there was a ton of stuff on an Android powered TV. One of the points I try to make is that, we tend to think of the small stuff as being well, its a consumer problem, you know, it’s not that big of a deal but it all merges together, you know, there’s a very good possibility that the CEO’s Gmail accounts got some of his business stuff in it too.
You know, what we’re seeing, certainly in things like supply chain attacks, is the bad guys getting very inventive about where they get in to their targets. Yeah, we still got like the mass attack - random attacks with people with ransomware - but we also do a lot of great target attacks.
[0:09:56.6] AA: Yeah, it’s sort of like the spam version of attack. I’m going to get anybody who I can, right? Versus like a very spirit focused shock approach.
[0:10:07.3] TA: See, you have to think is that the cyber-criminal is also collecting the stage as well by companies a threat to mass amounts of data about individuals, if a cyber-criminal starts to -
Actually, talk of the tech is really rife with it.
[0:10:20.5] AA: Yeah, I mean, I think the line between criminal and corporate is kind of blurry and I think actually, I mean, the issues are both because partly because the retention that corporations have on data, right? The way that – I mean, certainly, they can hack my Alexa and be listening in my scale and what not -
[0:10:40.6] SC: If you look at - we’ve done a number of surveys of public concern around digital security and yeah, compromise of personal identity and all the information is right up, criminal hacking is a serious concern. But also, accumulation of information, either by companies or governments of all those people.
I think if I do redo my survey later this year, I’ll probably find that company aggregation is moving up in the wake of Facebook, Cambridge Analytica, and so on. It’s always been a concern but I think when we get these – behind the scenes look that we have at Facebook, then a broader and broader section of the public gets an idea what’s going on and they start to worry.
[0:11:25.3] AA: We touched upon a lot, I kind of want to circle back to, let’s talk about some of those devices, right? I have a Vizio TV, right? My listeners now, somebody’s going to know how to hack my Vizio TV. It’s not that sweet, I’m going to replace it soon. 
You know, I’ve had that TV for four or five years, right? In the normal IT world, that stuff’s starting to age out but that TV is decently built, it’s not that crappy, will probably last 10 years, the same for my thermostat, right? Some of the stuff is you know, the quality of the build is such but then there’s such a mismatch between it and sort of speed of change.
[0:11:58.5] TA: I think what you highlight is exactly why I had the conversation with our researchers back in October. People may introduce one or two devices into their hire not realizing they’re moving towards a smart moment. You might go on and buy a new Sony TV that’s an Android TV to replace your – 
[0:12:18.7] SC: Vizio TV?
[0:12:19.2] AA: It’s a smart TV too, just a crappy one.
[0:12:22.4] SC: So, not so smart?
[0:12:23.4] AA: Yes.
[0:12:24.5] SC: Interesting, if you think about the threats that you might see on the TV, we demonstrated at Mobile World Congress as well last month, a piece of malware running on the Sony TV, that actually was bitcoin mining and it was an app that you might download thinking you could bitcoin mine. If you’re putting up TV into standby, it could still - it was mining in the background even when it was off.
[0:12:51.1] AA: Yeah, which is interesting but what I worry about, I mean, the TV may have a decent amount of computing power, right? A lot of those, they have just tiny computing powers and so securing them is really, where do you put - even if you’re a light load, where do you put the security staffs, right?
[0:13:05.4] TA: It will fit on an Android TV.
[0:13:07.0] AA: Yeah, but what about a Nest thermostat or my bathroom scale I have visibility, all it needs is a way in and out, right?
[0:13:14.8] SC: I will tell you that our CTO (Chief Technology Officer), he’s a Chief Operations Officer now. Years ago when Raspberry Pi came out, I mean, this is what I mean about this being a geeky company, right? He made it his personal mission to run our core detection engine on a Raspberry Pi. Where we can get pretty small and we can code it - and I think that we’re looking at that space, what we are doing at the moment is looking at running the security on the home router, right?
That home router is the focal point. First of all, it’s where you know, the bad guys would get into the home and quite some time ago, we introduced the capability in our consumer product and map out the network - and see what’s on there. Which has always been there deep down in the command line, right? 
You know, we made an interface for it so that people can see what’s on there and then you know, run some protective code on that. It’s evolving and I think that Tony’s point is very good, we rent a house. We’re not going to replace the thermostat. But we brought the TV in and we’re really, I realize what I was doing when I got it, our wife is also secured. Which is I think it’s very interesting what this TV can do and as you think about all the stuff that’s on there. I mean, if you root an Android device with a trojan code, you can pull everything off it. 
If you think of all the stuff, what is somebody watching on Netflix, where have they been going on the web, what YouTube videos have they watched, not to mention our Amazon shopping password, Amazon prime for video.
[0:14:56.3] TA: Let me give you an even more simplistic view, in our test, we tested with the Sam master [inaudible]. Now what damage - what data can I glean from this [inaudible]. Well first of all the requests it makes are in clear text. So it goes off and collects radio station acts that you are going to listen, in clear text. So suddenly I could be in the middle. I know your IP address and I know that you like jazz music. Those two things I know about you for a targeted attack and that’s the danger - security has to be there for that. 
[0:15:30.3] AA: Yeah and I am curious in a house environment, right? If you can’t put it on the actual devices, could you put the device next to the – I mean maybe it is in the router, maybe it is next to the router right? Because most of that traffic, some of that traffic is hopefully encrypted between the device and that router but then you then – 
[0:15:46.3] SC: It is kind of a mixed bag isn’t it all the encryption. 
[0:15:48.7] TA: Unfortunately.
[0:15:49.9] SC: Yeah but I think you can certainly look at everything that is coming in and out of the house, right? 
[0:15:55.0] AA: Like deep packet inspection with - could you decrypt it at the router if it has the private key? 
[0:16:01.9] TA: Actually one of the great tools in our product is - you mentioned it a kind of scanner - so it will actually draw you a map of everything that is connected to your address and it will tell you the common vulnerabilities - the things that are commonly vulnerable. So if you are using admin and password on a device, we will tell you. 
[0:16:20.2] AA: And that is why I mean it is great for the home. The number of corporates that I talk to in there like, “Just draw me a…” - no, you know it wasn’t a corporate, it was somebody at NASA. 
It was literally I took over, they were a senior person in the security stacking in there like, “You know I just want the corporate network. I just want to a map of the corporate network,” and the dude who could do it for her maybe died before he could give it to her, right? 
She was like, “There is no diagram.” I mean I think that that’s the scale of complexity is getting up and up and up, right? 
[0:16:55.0] TA: So you guys have a really good point because if you think about how things have moved, you know five years ago, you and I may have three or four devices at the home. Others you know with 19 and I don’t have a smartphone. Yeah but actually just the proliferation of – 
[0:17:10.0] SC: Phones and consoles, cameras and games so there’s all of this stuff. 
[0:17:14.7] TA: The SMB has become the enterprise and the enterprise has become something else. You know the number of devices that we are actually seeing and it is only going to get worse and since – 
[0:17:24.9] SC: And complexity tends to be the enemy of security. And you know I think there is a growing realization but you know there’s this tension between how fast we are doing the digital transformation. How few people we have to really understand it all to secure it, I mean the cyber security skills gap hasn’t gone away. It’s probably growing you know? So I think there’s this tension and in his keynote, Rohit Ghai was talking about this, you know we are in danger. 
So he uses his expression from tech plus to tech backlash right? And yeah it is a worry I have - because contrary to popular opinion or perception most security people - certainly in [inaudible] - aren’t in it cause they like telling people not to use stuff. 
They’re in it because they really love this technology and it just really annoys us that people abuse it so we try and secure it. But it is worrying that we might hit roadblocks to this disappointment of very beneficial to us then because we have outpaced our ability to secure it, to understand it or even the case of big networks to actually be mapped. 
[0:18:36.9] AA: Yeah and I mean a phrase I hear a lot in terms of the intersection between security and complexity and that they are inversed but I was actually talking to Dr. Ross, the Dune Nunez director and just came out with this new sort of cyber resiliency standards right? Which is really interesting because it is actually I think we are reaching the point where complexity can actually be a benefit because now that you can’t – the glass is already broken right? 
But now we can take those shards and if we can reform them into a new glass in seconds that it doesn’t really matter that it was broken or that we have actually six glasses and we are always pulling a new one. Like complexity dynamism changed right? Like those things can actually – 
[0:19:26.2] TA: Look, I don’t think we get rid of the asymmetries. You know the asymmetric aspect of being the bad guy favors the bad guy because the security has to be right 100% of the time. They only need to be right once and then – 
[0:19:39.8] AA: Well then but we talk about that again all the time and it is like but if you have defense in depth, you have multiple levels of failure, you are going to force them to be right, right once and right again and if you have dynamism you got to be right today however quickly you spin around. 
[0:19:54.0] SC: Don’t get me wrong. If you do security properly, you could be very, very well defended. The problem is and I mean the NIST work is fantastic, we were involved in creating the framework but that’s a document right? Get that into the real world that’s what we tend to see. You know if we have customers, they are using their product, call at us and say, “You know I am infected how could that possibly happen?” 
Well when we look at it, it’s usually because there was this one system they didn’t have it running. It is one of the reasons why we put a lot of money into educating the client - free education for the user base, but also try to make it as fool proof as possible so that our product will alert if somebody tries to turn it off and make it so that they can’t turn it off, but I think we are always looking at how we can do it and we have a pretty good idea of how it should be done - but getting that done across the whole stack of industries is difficult now. So you end up with a poorly secured small business that is a vendor to a larger business that is a vendor is a larger business and depending you know that’s the target because it’s all there. 

[0:21:08.3] TA: I think you also need to look at the motivation and the resources of the back person - of the bad guy inside - what is it that’s motivating them, is it that they want to cause disruption to somebody in tech or in the government or an organization or other internal [inaudible]. One thing I don’t think we think enough about is actually as you said that dynamic defense and resilience - at the same time those cyber criminals are also deploying machine learning to actually attack the whole. So they are becoming more complex and more dynamic. 
[0:21:43.1] SC: Yeah when you take a deep dive in something like industry, the complexity of the code and tricks they use to get into the system are really quite impressive - I hate to say that - but if you think that asymmetry that I mentioned, if you think about it like this, I am using AI to defend my systems but I need to make sure that that works properly, I do quality control. Bad guys don’t have to do quality control. 
The history of malware is literary where: things that went really badly wrong because somebody was writing some malware and they go, 'Let’s see if that works,' it didn’t. They crushed a bunch of machines. 'Let’s try it again, let’s see if that works,' - there is a whole bunch of ransomware out there that you can’t even decrypt because it was so badly written. So the bad guys they don’t care about false positives and bad code they just keep going.
Whereas to deploy and this ties into your point that balance between false positives and detection, you know we have to get that just right or else people aren’t going to use the product and that balance to get it right is I think harder than getting it wrong which is not to say I mean the world is still running. We are still using the technology but I worry sometimes that a new generation of technology comes along, a new idea comes along and they go all right. 
It is solved, it is still going to be a struggle until essentially the less bad people try to do fewer bad things. 
[0:23:03.8] AA: Yeah I am just curious in the – I think I am really interested in GDPR (General Data Protection Regulation)  and what is happening, what will happen there because I think some of the balance may change because what are the criminals going to steal, if they are going to steal from me right? They are going to try and steal my social security number or other sort of identifiable stuff from a company or even for myself right? But when that stuff is no longer valuable when they take it - 
I mean because what are they going to do with it? They are going to take it to a bank and open an account but if that bank is starting to think about smart ways to authenticate and they are not going to use the social security number for what it was never supposed to be which was a unique identifier, right? Like you know I think there is that sort of idea of collective action, right? At least I hope in the world that there are more good guys than bad guys and so how – 
If you have a society where you are thinking about okay - and the scale that you guys are it’s like how do you start to put that also into your customers, to understand that the idea that they are collaborating together because there are only the number of cops in New York City versus the people who live in New York City, and yet it is an incredibly safe place right? 
[0:24:11.5] TA: We have always liked the expression that security is everybody’s responsibility. So last year we put up a whole bunch of free security training Eset.com/cybertraining. We have 8,000 people complete it and the way we set it up was so that a company or any organization could go and sign up their employees for it so they could actually use it as their first line of security awareness training. 
So yeah I think as a country, as a community, around the world we have to pull together. I think GDPR is interesting and I think that it is waking up the American consumer to the kind of protections that you have taken for granted in Europe. 
And yeah I don’t think you can do this job if you are not fundamentally an optimist because you are just going, “Oh no this is too bad.” But you have to temper that optimism with realism. I mean you know we’ll be having cars soon in fact Lincoln just announced with a new Lincoln Aviator, your phone is the key. 
I mean come on, you know that is the new age. We look at that and then we go, that’s very cool. On the other hand phones have been really, really badly hacked and you know I coined this term a couple of years ago: jackware, you’ve got to open your car with your phone and it says, “Well that’ll be ___ points of the Bitcoin,” because they have taken that out mean I assume you drive?
[0:25:28.9] AA: I do, yeah. 
[0:25:29.9] TA: When was the last time you updated in the info system in the cloud with that?
[0:25:33.5] AA: I mean it like in 2006 like never right? But I think – 
[0:25:37.6] TA: What is this if we don’t think of the other devices.
[0:25:40.2] AA: But I have been waiting for the security companies, I’ve been waiting for the designers to say, “You know what? We expect this,” right? And if they try and brick it, you are going to pull the chip out that’s like it is somewhere in the glove compartment so it is not hard to get to and the chip is worth cents, right? 
And so that’s a question of design like I would love to unfortunately God did not give gifts in equal measure and to expect the populace to get smart on this, right? 
[0:26:05.6] TA: No again that is another balance that is very difficult. I really don’t like the victim blaming when there is a breach for example, right? Because it is hard enough keep - unless it is a really stupid thing that the company did that they really shouldn’t have but with the consumer, you know we tell them to do these things but in the end a lot of it is beyond their point of control. 
What we need people to do is to be good at the things they can be good at which is not reusing passwords. Not clicking on fishy stuff but we have to do a better job post as security vendors but also I think in term of our gulliments - you know Microsoft’s call on the keynote for this - you know be this more coordinated in action because if we could lower the temperature of the abusive activity of technology that would be a big first and to your point earlier, where is it going? 
If you look at the two big things last year, WannaCry in terms of malware - I’ll bet you that was not criminal wanting to take money, that was sort of nation state, pseudo nation state output. And you know that is something I think we could do a lot more work than we’ve put through.
[0:27:14.9] AA: Yeah, this is great. I really appreciate it. Anything else before we close?
[0:27:18.8] TA: I appreciate the chance to talk about these topics and I appreciate you covering it because you know one of the things that is very difficult to do is get out the word to everybody. We think we do but then we bump into somebody on the plane who has never heard of this stuff.
[0:27:34.3] SC: I would say one thing, everything you connect you should think about security and privacy before you commit to it.
[0:27:42.4] AA: And I would love – you know we talked ahead, I think it was before we were recording - about marketing and how you get your name out and I would love you guys to just come up with a naughty list, right? Don’t buy any of this stuff, right?
[0:27:55.8] TA: Right, name and shame. 
[0:27:56.8] AA: Right, if you are doing it already and I know you’ll piss some people off but you know what? In these days you would garner incredible amounts of attention and love from this entire community and hell, don’t put your name on it. 
Maybe just do it in the background and come up with literally the naughty list because I think people need that, right? And you know partner with consumer reports with somebody. 

[0:28:19.9] SC: Consumer reports is actually running pretty in depth analysis system. We are trying to come up with metrics of security and company pieces of software and so I think yeah, that is one of the areas. There are the independent researchers who will name and shame. We have a very big on responsibility of disclosure because we know people naming and shaming as we have only two days to fix include. 
[0:28:42.2] TA: There are some organizations that are starting to certify IOT devices. I mean specifically in the – there is a KidSafe based here in the US that look at children’s devices that are IOT connected devices. So for example they’re using an IOT toys and they are actually putting a seal of stamp sealer. I think we are stop of a process. I liken IOT to WiFi. If you and I drove down the street 10 years ago, we could connect to everybody’s WiFi because it was unprotected. If you look at IOT devices today, there is massive amount of insecure devices out there; in 10 years’ time, I'd like to think that we can sit at this table, and we can't drive down that street and connect to anybody's devices. I hope it’s just a transition. 
[0:29:29.3] AA: Yeah and I am curious to see your product where I can drop it in my house and start to see what is connected right? 
[0:29:35.2] TA: Yeah, we will send you one and since we got it, we’ll send you Stephen's. 
[0:29:39.3] AA: Yes, I live in New York. Come by, check on my shitty TV, nah. 
[0:29:43.1] TA: Well if you get a smarter TV and it is running Android we’ll send you the product and check it out.
[0:29:51.1] AA: Thanks so much.