
March 19, 2024 49 mins

Marten Mickos has been navigating Silicon Valley innovation waves for a quarter century and counting, first on the eastern edge of the Atlantic, then into the valley. Web 1, Web 2, Open Source, Hybrid Cloud, the list is long, including notable stops at MySQL (acquired by Sun), Eucalyptus (acquired by HP) and his current extended run at the helm of HackerOne.

Please join me in welcoming Marten to Turn the Lens

Here is how ChatGPT describes the episode

In the latest episode of "Turn the Lens" with Jeff Frick, we are thrilled to welcome Marten Mickos, the visionary CEO of HackerOne. Titled "Marten Mickos: Curiosity, Learning, Hackers, Transparency," this conversation takes us on a journey through Mickos' profound insights on the cybersecurity landscape, the pivotal role of individual curiosity in innovation, and the transformative power of transparency in leadership.

Mickos delves into the essence of HackerOne's mission, emphasizing the crucial balance between human ingenuity and technological advancement. He shares his optimistic view on cybersecurity, drawing from his extensive experience to highlight how collective defense mechanisms and ethical hacking are reshaping the way we secure our digital future.
As we navigate through the evolving challenges and opportunities in cybersecurity, Mickos' leadership philosophies shine a light on the importance of fostering a culture of continuous learning and adaptation. He eloquently discusses the impact of AI and machine learning, not only on HackerOne's operations but also on the broader societal implications of these technologies.

Join us for this enlightening discussion that transcends the conventional boundaries of cybersecurity, offering a glimpse into the mind of one of the industry's most forward-thinking leaders. Mickos' journey at HackerOne is not just about combating cyber threats; it's a testament to the power of curiosity, learning, and the relentless pursuit of transparency in building a more secure and understanding world.

Tune in to "Turn the Lens" on LinkedIn Live and YouTube to explore these themes and more, as we uncover the secrets behind HackerOne's success and the visionary leadership of Marten Mickos.
---
(Back to Jeff. Grammarly Premium (which I can’t unlock) has some issues with ChatGPT grammar correctness, clarity, and delivery. AIWars)

More laughter, essential questions and human paradoxes than might be apparent from that description.

I hope you can join us for this premier event.
And yes, it will be available on demand after the fact.

Marten Mickos: Curiosity, Learning, Hackers, Transparency | Turn the Lens with Jeff Frick Ep29


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
All right, we're ready to go then
So Marten
I'll just count it down and we will go.
Okay. Sounds good.
In 3, 2, 1
Hey, welcome back, everybody. Jeff Frick here,
coming to you from the home studio
for another episode of ‘Turn the Lens.’
And I'm really excited about this next guest.
I looked it up, last time we talked was April 2020.

(00:20):
It was right when the pandemic was hitting
We had no clue what was going on and
thankfully he had experience
in remote work. So we talked about that.
But that's not what we're going to talk about today.
We're going to talk about much more interesting things.
So welcoming in through the magic of the Internet.
He's Mårten Mickos the CEO of HackerOne.
Marten, great to see you.
Thank you, Jeff.
Great to be back here with you.

(00:42):
Really looking forward to it.
So crazy, right?
Four years already since that last time we talked.
Marten - Time flies, time flies, yeah.
Jeff - What a difference in the world, huh?
So hopefully we're all adjusted
to Zooms and remote work, but let’s
Let's get into security and HackerOne.
So before we get into HackerOne specifically,
give us kind of your overview of where things are

(01:02):
from kind of an info security space.
You know, the attack surface is always getting bigger
the sophistication of the attacks is getting better.
The grammar from the Nigerian emperors
is getting better in their emails.
What's kind of your take on kind of the state of
info security, as you kind of sit at a really high level.

(01:22):
In our observation.
Information security or cybersecurity is
a giant, giant ship that's turning slowly,
but it is turning
The market is $200 billion per year,
lots of vendors selling lots of services.
And when we discuss the business,
we must always highlight the challenges,
the problems, the threats, the calamities that can happen.

(01:43):
So it looks like it's a terrible space and everything is getting worse
In reality, I would say cybersecurity is
already improving our lives, already making us safer.
But it's such a giant ship, so it will take
a decade or two to fully turn it.
But the changes are significant and we have.
We are often reminded of the breaches,

(02:04):
but we are not reminded of the breaches
that didn't happen and there are many more of them.
So I'm an optimist
and I think there's data to back it up that actually
it's better now and people are more accustomed to
being on their guard themselves,
being a little bit cynical
when somebody is sending them a message,
like my employees regularly get text messages from me,

(02:26):
where I'm asking for gift cards and other things
and they know that it's fake.
What about this concept that we hear some time
that everyone is going to get hacked eventually?
It's just when you find out about it and how much time, you’ve
you know, how much time they’ve been in there before you find out.
And then what
Then what you do about it.
And then the other piece you said,
we don't hear about the stuff that didn't go wrong.

(02:47):
It's kind of like the offensive lineman.
You know, he can block that defensive guy for 99 plays,
but if he gets through on the hundredth and makes a sack,
that's the only one that we read about in the newspaper.
That is true.
It's very important that we make sure that when bad things happen,
that they are contained and have as little effect as possible.
And we do that by building zero trust systems

(03:08):
where breaches can’t spread very easily.
And we also do itby reacting very fast,
because the sooner you react, the better you can stop it.
It's a little bit like a pandemic.
When it starts going,
you have to declare an emergency situation immediately.
Like San Francisco declared a COVID emergency
even before they had their first case.

(03:30):
And it's similar with cybersecurity that
you have to take the strongest action very, very quickly.
And then there's much less
less of a downside,
less of problems further down the chain.
So tell us a little bit about HackerOne
and give us kind of the 101
I think you've been there for about eight years now.
It's a very different asset in a company's portfolio

(03:51):
to combat cybercrime.
So give us kind of the 101
What is HackerOne all about?
You know, what's kind of your go to market?
Give us the basics for people who aren't familiar with the company.
Happy to do so.
I'll now start from sort of a layperson's perspective
so that anybody can see where we are.
First of all, cybersecurity incidents happen
basically for two reasons:
gullible people and vulnerable software.

(04:13):
We don’t deal with the people side.
We deal with the software side.
So we help our customers
make their software resistant to all kinds of attacks.
And we do that by finding the holes.
So we come to you and hack into your systems until we break in,
and then we show you, Jeff, how we did it and you can fix the hole.

(04:34):
So this is called ethical hacking.
We do it with the help of a freelance community of security experts.
We have over 2 million of them signed up on our platform.
You don't need that many for your program, but
we need that army of ethical hacking
to be able to always have
the right skill at the right volume for anybody who needs us.
We do this for the U.S. Department of Defense.

(04:56):
We do it for the big tech companies, for Goldman Sachs,
Capital One, Zoom, Salesforce,
all of these know that
no matter how well they build their software,
they need the external unbiased scrutiny of it.
So even if you have the smartest people in your company
they have bias, ownership bias of what they've built and deployed,

(05:18):
an external person will be able to see the
vulnerabilities more easily.
And that is what we deliver to
thousands of companies around the world.
We have found about half a million of security vulnerabilities
in our history, and there are more to be found,
no doubt, but that's pretty good results so far.

(05:38):
So is this similar to
we hear about penetration testing, which is oftentimes somebody might
use that as a requirement to work with a company
as kind of an external test as to the
to the security of the system.
Is it really just trying to penetrate?
Are you going in during the development phase of the code
to find stuff before production where within the code's lifetime

(05:58):
would a company employ HackerOne ethical hackers?
It's a very good question, we do Pentests
so if you are used to doing Pentests you can do it with us.
The main distinction is
we do it with the external freelance community that we have
that's much more powerful, much more skilled,
much more up to date with their skills because they learn every day.
We do Pentests, we do vulnerability disclosure programs

(06:21):
bug bounty programs, source code reviews.
So we have an offering,
a set of offerings that spans
the entire software development lifecycle,
and we can come in for a short term
or for a long term or for a continuous program.
So many, many more options than with a Pentest
But one of the offerings we do is
very much a Pentest
like you have been buying them for decades already.

(06:43):
Right?
So I used to go to RSA (Conference) a lot
and I used to always feel really sorry
for the CISOs when I was walking around the halls
because there's literally hundreds and hundreds and hundreds of vendors
and a ton of them are new.
And I always think, how as a CISO do you allocate your
security budget?
You guys again are an interesting niche
in this portfolio of all theseapplications and hardware devices.

(07:05):
How do you help CISOs think about budgets?
Because they can't obviously lock everything down
and how then they can incorporate your services
to either extend the budget or, you know,
cover an area that nothing else covers very effectively because,
Oh my goodness, RSA is a whole lot of vendors.
It is thousands of vendors, not hundreds.

(07:26):
And that's the challenge of cybersecurity
that it has so many dimensions and nuances
that you need a lot of vendors,
but nobody can keep track of all of them.
What we do is very, very unique in this whole space.
First of all, we are a preventative service,
which is the best you can get,
like get the service before anything bad has happened.
You save money, you save time, you save stress, you are much more.

(07:48):
You can sleep much better at night
because you know you took the right actions.
Within this world of preventative services,
there are many ways to test your software.
You can do your own QA.
You can do Pentesting
You can do source code reviews, you can scan them.
There's many, many things you can do,
but there's nothing that reaches
to the level of exploitability as ethical hacking.

(08:11):
Because when our testers come in from the outside,
they can only find holes that actually exist for the outside
and they are paid more, the more serious it is.
So they will find the most critical, most exploitable,
most elusive vulnerabilities,
those that otherwise would be exploited by

(08:33):
nation state hackers, criminal hackers, hacktivists and others, so
So we're sort of at the top of the pyramid.
They're finding the most critical ones.
And therefore, for a company, we become
sort of the beacon of information.
You look at what you find through your HackerOne program
and that instructs you
how you should code,
develop your code,

(08:54):
how you should test your code,
how you should look at your other streams of vulnerabilities.
Because what comes through our system is signal.
It is the most critical vulnerabilities,
and it's easy to decide what to take action on
because here's another problem CISOs have.
It's not that they don't hear about the problems,
it's that they hear about hundreds of problems every day.

(09:16):
So how do they decide which ones to take action on?
You have to prioritize every queue.
You have to prioritize and triage the incoming stream.
And we do that for them.
So we come to you and say
we found 700 vulnerabilities,
but here are two you must fix immediately.
And that makes life much easier for the customer.
And then you've talked about bug bounties

(09:37):
and in some of your social media posts,
you bragged about all the money that you guys have been able to pay
the ethical hackers to find bugs.
How does the structure of an engagement work between
You, HackerOne,
the company that's bringing you in,
and this army of ethical hackers?
What would be kind of a typical engagement
or how does one kind of look?
So a very typical one is a bug bounty program that runs continually

(10:01):
and the company comes to us to sign up with us.
They don't know the hackers typically.
They don't know who they are, but we know.
So we act as the bridge of trust.
The hackers can trust us and therefore can trust the customer.
The customer won't do any harm to them and vice versa.
The customer, by trusting us, can trust the hackers that nothing bad will happen.
And then we open up a program

(10:22):
like we have a bug bounty program for Uber
and we have one for Zoom and Salesforce
and we tell the hackers to come in and look for ways in
and we say, if you find a regular vulnerability, we may pay you $200 for a find.
If you find a critical one, we may pay you $20,000, $50,000, even $100,000.

(10:42):
So there's a meritocracy and a competitive competition
for the most demanding, the most exploitable vulnerabilities.
And of course, the hackers are competitive spirits.
They will go and look for the most exciting thing.
And when they find it, they report it via us to the customer.
They get paid.
And of course, the customer has saved 100 times more,

(11:05):
like if they pay out $100,000 for a vulnerability
that could have led to a breach
which on average costs $4 million, many times much more.
Of course, it's a no brainer for the customer
that this is one of the best spent money they could ever do.
And they pay when the vulnerabilities are found.
So they don't pay for nothing.

(11:25):
They pay for actual value that they receive.
So that's what makes the model so powerful,
You know, that what you're getting is true value.
You're paying according to the value to you.
And when our hackers have now
received over $300 million in total in hacker rewards,
that looks like a large number.

(11:46):
You should compare it to the savings that we have caused
by avoiding and averting breaches, which is difficult to assess,
but it's on the order of hundreds of billions of dollars
over our history of ten years now.
And do you just allocate a budget per month
towards the bug bounty program?
Is there some cap?

(12:06):
Is there, you know
who's making the judgment
between the $200 bug and the $20,000 bug?
I assume there's some tricky nuance in there.
As a customer, you decide, you can come to us and say,
HackerOne, can you handle all of this for me?
I'll give you a
fixed amount per year.
You handle everything else for me and we will do so.
Some customers are very knowledgeable and progressive

(12:28):
and they want to be part of the price setting and bounty setting themselves,
which is fine, but you don't have to, we
we have so much data now at HackerOne
we have by far the largest
database of vulnerabilities, bounties ever paid, hackers
We know them all.
We can set the prices
and we can operate the programin the most efficient way.
So it actually

(12:49):
like ten years ago when you started a bug bounty program,
there was a lot of work for you.
There still is work, but it's much, much less now because
HackerOne as a platform vendor, has learned to automate the work
and we benchmark it across the whole platform
so we know we are paying the right price.
Not unlike if you go to Airbnb and you rent out your apartment or your home,

(13:12):
Airbnb will tell you how much you should charge.
They know.
Jeff - because they’ve got the data
Marten - they already have an idea
Yeah, so it's similar with us.
So it's much, much easier now than it used to be
like years ago.
Share a little of the experience of the bug bounty person,
the person who's out there,
you know, who are these people?
Do they work full time on this?

(13:32):
Do they work generally on one campaign?
Do they work for you and other types of campaigns?
You know, kind of who are these people?
How do they get in the business?
What's kind of their profile? How do they spend their days?
The first thing to know is like with any community,
it is a set of communities.
There are many groups, many subgroups,

(13:53):
many different types of personalities and career paths and so on.
So there isn't just one type of ethical hacker.
There are many, many types,
but there are some things that are common for most of them.
And the first one I must mention is
they have curiosity more than most,
like they are these thinkers
who like to take their toys apart to see how they work,

(14:15):
who try to outsmart the video game they're playing,
who try to outsmart this, outsmart that
their curiosity is driving them.
Just that
that is the main reason why they are so good.
And of the ethical hackers we have,
many are seasoned cybersecurity experts.
They could be software engineers, principal engineers.
They've seen everything,

(14:36):
but many are young.
Half of them are 24 or younger.
They do not have a college degree yet.
Half? One more time,
half are 24 or younger and do not have a college degree.
Marten - Exactly.
Jeff - And this is like a half a million people
because you said you have like 1 or 1.2 million hackers or whatever.
Marten - Yes.
Jeff - Wow.
And this proves that the skill

(14:58):
comes out of your curiosity more than it comes out of formal training.
They are autodidacts.
They learn on their own, they Google, they read, they test, they try
and they figure it out on their own.
So that is the most defining characteristic of them.
And we had a live hacking event here a year ago where I participated.
The winner was a 17 year old hacker from Japan

(15:21):
who had flown over from Tokyo to come and work on our hacking event.
He won the whole competition.
He was the best
and he still struggled a bit
with speaking English because he hasn't done much of it, like
You saw there, this raw curiosity and intelligence in this young person
who was figuring out problems that nobody had seen before,

(15:43):
like this hacker of ours really detected problems that
others couldn't even imagine.
And then you realize the power of ingenuity,
the power of curiosity, the power of just figuring it out
and trying to outsmart whatever you're dealing with.
Right.
And I would imagine having a program like yours
gives the opportunity for someone like that kid
to actually build a career doing this full time,

(16:05):
not have to get a real job,
Jeff - you know, on the side
Marten - Very, very much so.
Very, very much so.
I have predicted a few years ago that within 15 years
we will produce 500 CISOs for the world's corporations out of these ranks
So there we get entrepreneurs coming out.
We have one hacker from India who with his friend started a company.
They sold it for $100 million to SentinelOne (PingSafe)

(16:27):
Like it is truly a start of greatness for you anywhere in the world.
We have, I know of a hacker in Egypt who applied to M.I.T.
and had no other real credits than showing
his hacking accomplishments at HackerOne.
So he printed his profile page with all the

(16:49):
scores and numbers and everything
and sent it to them as proof of his capabilities.
So it is a true equalizer on this planet.
It brings out the best of people who have a knack for cybersecurity,
and then we bring it to the benefit of any company that has software
deployed in the world and connected to the Internet.

(17:11):
Interesting.
So you said you were feeling pretty positive about things.
And one of the things that you mentioned
that's in the arsenal
is this idea of pooled defense
and that the fact in security
and you've already mentioned it a couple of times
here that, you know
you guys document the bugs that you find,
you document vulnerabilities
and that there's actually more good guys

(17:32):
on the good
on the white team
than the bad guys
that are working in this pooled defense.
So it's interesting coming from your open source background
that it seems like security is just another great opportunity
for people to share information to the benefit of all
like you did in open source, now in security,
so that when one person finds the vulnerability,

(17:54):
we can all share in the benefit of that.
So I wonder if you can speak a little bit to pooled defense,
What it's all about.
A very important point here.
And it often starts with the notion, sort of the cynical, sinister notion that
the criminal has to succeed only once,
but the defenders have to succeed every time in defending,
and then it feels miserable.

(18:14):
And we think, okay, it's just a matter of time
before we get hacked by a criminal.
But in those situations of an asymmetric threat
where one small group can cause a lot of harm,
it is also conversely true
that pooled defense will always outrun them.
There are always more good guys than bad guys.
There are always more defenders than there are attackers.

(18:36):
And if you can bring the defenders together,
it's superior in speed, power, might compared to the
adversaries you are, you are defending against.
And that is the mechanism we do here.
So it's not enough to have one person
who's good at finding vulnerabilities.
We need to have all of them so that for every situation

(18:56):
we just statistically overpower the enemy
and the adversary coming at us.
And as you said,
we have over 2 million people signed up on our platform to hack.
Not all of them are good hackers yet
but they’re, like it's not the active population,
but it shows the interest of the world
of coming to help it.
And the number of black hats in the world,

(19:17):
the number of criminal hackers in the world, is
order of magnitude, hundreds of thousands.
If you take all the state sponsored groups
in all kinds of rogue nations,
if you take all mafia groups,
criminal syndicates, whatever they are,
it won't add up to more than a few hundred thousand max.
And we are in the millions.

(19:38):
So we're showing that
that we have more positive power than there’s negative power.
We can outrun them, we can outsmart them,
we can do all these things if we work together.
So that's the fundamental mathematical model of
of what we do.
But it does require this pooling of the defenses,
learning from each other, defending together.

(20:00):
And this is how mankind
has always defended itself against asymmetric threats.
It's not specific to cybersecurity.
It applies to any similar situation.
Right.
But it just seems like it's
like for a lot of situations, people are going to want to hold back
for their competitive advantage
over their,

(20:20):
over the rest of the people out there.
But it seems like security is one of those things where, you know,
we do want to pool,
we do want to share
because, you know, we're not
we may be competing out in the marketplace, but
neither of us want to get, you know, kind of taken out from the back
True, but in old school cybersecurity, this was not the case.

(20:41):
In the old world, cybersecurity was a secretive practice
only for those with a clearance to do so.
You kept the bad news secret so that it wouldn't spread.
So the mindset was different.
Now we are shifting and then
so cybersecurity is becoming a much more open
and we're actually learning from aviation safety of all places.

(21:02):
In aviation safety, every piece of safety information
is shared freely among all airlines, whether they compete or not,
because they know that
safety stands above everything else and you must work together on it.
So they have no worries there.
They may keep competitive information from each other.
They might be fierce competitors,
but safety information they share freely.

(21:23):
We are now getting it into cybersecurity as well, where
customers and vendors are realizing that sharing is the only way to
to fight the threats and that there's just one way to do security.
And it is together.
So it's finally happening,
which is great because it wasn't always the case.
And there are still some pockets where

(21:45):
where they are thinking that you have to
keep it secret and within just a small group.
But the small group can never
stand against the threats that we are facing.
Right, Right.
Okay, so that is then the segue that I'm going to take
to get to open source, because you
Marten - right, yeah, yeah, I forgot the open source dimension
Jeff - are a big open source guy
Yeah, no, we're going to go there
But, you know, you tell a story
in a podcast I listened to getting ready for this

(22:07):
that when you were at MySQL
and I said it the proper way, so I don't have to give you a quarter.
You were in a lawsuit
against a big guy and you were the little guy
and you guys used
you used a strategy of radical transparency to win
and you did it not only at MySQL
the story you tell where someone would ask a question

(22:29):
and you guys would just answer the question in the documents
and then return the answer back in the documents.
So, you know, and you answered every query
that everybody ever asked in the early days
of really supporting that community.
So this idea of radical transparency.
And then when you talked about it in the lawsuit,
when everyone else is trying to be secret
and you're just putting it all out there,

(22:51):
just here it is, make your own judgment.
It's a really different way to think about information.
It's a different way to think about competition.
It's a different way to think about the world.
But I think in the world where information is infinite
and at our fingertips, it's really the application
of the information and
it's about sharing.
It's not about being secret anymore.
The power’s in the sharing.

(23:11):
The power’s in the sharing.
And I learned this in the open source world.
That's very true.
But we do it for competitive reasons.
We want to win.
We want to beat the heck out of our competitors.
There's no doubt about that.
We just know that transparency is such a powerful tool that it
in a way scares away many competitors.
I do it even today with HackerOne

(23:33):
some of our most strategic discussions we have internally.
We write up as blog postings and other texts
and publish in the world,
because our model is such that
the more people understand what we are doing,
the more powerful the model gets.
And you must have a certain conviction to do it.
But it's important to know
that we're not doing it for charitable reasons.

(23:56):
We are not doing it for the love of this planet.
Although we do love this planet,
we are doing it to provide better cybersecurity
and to advance HackerOne as the leading vendor in this space.
But it is amazing what you can do with transparency
because there are so few who are ready to go there.
So if you go there, you get all the spoils,

(24:18):
you get all the benefits from it.
Right.
The other great story from that chapter that you shared was
making MySQL bigger than it was
by talking about bigger issues than the ones that you guys solved directly.
And I think the one that you said
you got famous for was
you were the only person in open source
that knew how to make money in open source.
So if that's what people are interested in hearing about,

(24:41):
that's what I'm going to talk about.
And really blowing up kind of the presence of MySQL between,
you know, having a position on open source,
which is kind of new and innovative,
as well as this radical transparency
to make MySQL and really change the dynamic
of that evolution really in computing around the databases.

(25:02):
I agree.
This one I learned from others who have
built categories in industriesand who know that
when you are a CEOor a leader of a business,
you tend to look at your own interestand your own business.
But what you should do is ask,
What does your audience think about every day?
What is their big problem?
And their big problem is probably larger than what you represent.

(25:25):
So if you can go into their world
and address the topics they are thinking about anyhow,
you get an audience in a way you wouldn't do
if you're just sticking to your own value prop and product and you say,
Let me tell you about my technology.
Nobody wants to hear about technology.
They go to Wikipedia to read about the technology,

(25:47):
but they do want to discuss the essential questions
like today, an essential question is
How do we govern artificial intelligence?
Like, do, should governments take action?
Should they not take action?
Should it be liberal or openor governed or closed or what?
And it turns out now that
what I learned the hard way

(26:08):
over 20 years in open source software,
these principles are usable in the AI context.
And we are, we have customers who come to us
to hear our thinking about these things because
me and many others have seen how it played out in the early days of open source.
And now we see similar challenges in the world of AI

(26:32):
and we need to get it right
because otherwise companies will not succeed,
societies will struggle.
So this governance question is becoming an essential part
for anybody who wants to be successful in either producing AI
or making good use of AI.
So that's an example.
And I would recommend it to anybody.

(26:53):
And I think like leaders do that, they
they know how to speak about topics that the audience is interested in
not topics they are themselves interested in
or they are but
Let me follow up on that with the governance in AI,
because I think the governance of AI,
it's interesting to look at governance in privacy and security
because, you know,
we fall back to this fundamental issue that we have in the States,

(27:16):
you know, kind of states rights versus national rights where, you know,
we don't have a national breach notification policy.
And I just think it's interesting, if you look at Europe as a contrast,
say, with GDPR,
that they can actually organize
as a set of countries more effectively
than in the states we can organize as a set of states

(27:37):
that come up with some consistency around rules.
And I know kind of California (Consumer) Privacy Act (CCPA)
is a little bit potentially taking the lead in
setting some kind of a national benchmark
for others to follow.
But if we look at the governance in security,
it does not bode well for trying to manage governance in AI
until we get a little bit better at

(28:00):
finding some consensus around some of these issues
and not being quite so contentious around
kind of the states versus national, you know, regulations.
That is true.
But the problem is global, essentially,
and we have to reach global accords on AI
even back in Viking times,
the Vikings knew that you build nations through passing laws.

(28:23):
They had a saying that with law you build a nation.
And today when our lives are becoming governed by AI,
we have to know that we will need regulation to govern AI
because AI's governing our lives.
So it's clear that
that regulation and governance will be very much needed.
At the same time, we must leave room for

(28:44):
the scientists to work on their science.
And I use here a metaphor
from natural sciences.
It is very important that every
not everybody, but those who can
can learn about physics and nuclear physics.
And we should not limit the
availability of learnings about nuclear physics,

(29:04):
but we should regulate the use of nuclear materials,
the nuclear power plants, nuclear weapons, all of these,
they must be tightly, tightly regulated.
But physics as a science should be very open as it is.
You can go anywhere and study technical physics today.
So similarly with AI, we need to protect
the science part of it,

(29:24):
the evolution of that mechanism
so we can build better and better
machineries, automations, whatever we build.
But at the same time, once it comes to how it is applied,
we may need strict regulations to make sure that we are not harming mankind
with this great innovation that we have produced.

(29:46):
And that is a difficult contrast, and balancing act to know whether we
where we should be open and liberal,
and where we should have strict governance rules
So it will take a whole village
to come up with those rules.
I don't think Europe or U.S. is
either of them has the right answer
or are ahead like we need the

(30:09):
we need the collective thinking of Europe,
which is useful when you define regulations and accords.
But we also need the individualism that
especially in the San Francisco Bay Area represents.
So I think we need both.
Yeah, I do too.
And I think we definitely saw I mean,
Dr. Rumman Chowdhury, who used to be at Accenture, doing ethics there

(30:29):
her great line is, you know,
you can go faster if you have good brakes.
You know, good brakes enable you actually to go faster.
And I was like, that is
that is genius because it's absolutely true.
If you have good brakes, you can go faster.
You can do more.
Having some edge of a limitation.
That's brilliantly said. It's so true.

(30:50):
It is so true.
And we must move
like there again we come to the competitive side
that we are competing against
other companies, maybe other nations, other belief systems.
And we need to show how good we are
at building out AI so that it can serve mankind,
it can solve medical problems,
it can solve many essential problems that society

(31:10):
will need to have solved very soon.
Right? Right.
Very good.
I want to shift gears a little bit
and talk about some of your leadership philosophies.
You've been at this for a while.
We share, you’ve shared a lot of notes on LinkedIn, etc.
But one of the things you said
that I think is just profound is in talking about learning.

(31:31):
And, you know, we want people to learn.
We need to learn. The world is changing.
We all need to be lifelong learners
and we want to create great conditions for learning.
But the truth of the matter is we learn fastest when we touch the stove
and we have to pull our hand back.
We never touch a stove again.
And it's this weird paradox
that you want to help people and we want to help them learn.

(31:52):
I almost think of it as parenting is like,
the more you help your kid, the more you're hurting your kid and
and let not letting them fall and scrape their knee
and learn the lesson.
Because I think, as you said in that quote,
there's just some things you have to learn.
The hard way.
Wonder if you can you know, how do, how do we
how do we square that circle?
Yeah, I wish I knew the full answer to the question because

(32:16):
I love it when it's fun to learn.
You get together
and if you're kids, you build Legos and you learn,
or if you're grown ups, you build companies.
But it's sort of the same thing
and you learn so fast in a positive environment
and then you hit a major setback and it burns you so badly.
And you realize in that moment
you learned ten times more than you had learned

(32:36):
from the positive interactions.
And I don't know what universe intends
with this mechanism
other than we probably need both.
Like, we probably should have this positive learning in everything we do,
but then we should build our resilience so well that
when the negative learning, the painful learning happens,

(32:57):
that we really recover from it and
take the learning and not suffering
right
Like when I was a kid
and we had visitors from America visiting us in Finland.
my the
our guest pointed out to my mother that me, I was maybe four years old.
I was standing there holding a sharp big knife in my hand, and he said

(33:19):
But Elisabeth, won't your son now cut himself?
And ostensibly she responded to him and said
Only once,
Whether that's true or not, I don't know.
But it's a beautiful story
that, like you must take a little bit of
of that pain and it burning to learn really, really how something works.

(33:41):
But if life is only that, then you become like it's miserable.
If life is only learning in a fun way,
then maybe it become
it doesn't become as deep as it should be.
So whether we like it or not, life must be hard at times.
Life must be tough.
And if you can't overcome those situations, then

(34:02):
you won't feel the sense of accomplishment.
Because when I go back to great things that have happened
and like take MySQL which turned out so wonderfully and we
and we remember the moments
we always remember the hard moments,
and then we sort of smile and hug each other and they defined us.

(34:23):
And so I'm realizing that it couldn't have happened
without the setbacks and burning our fingers
and making a really stupid mistake and having to sort of
come back and step higher.
Right.
And because last we spoke,
you talked about a time where you made a strategic error as a CEO.

(34:43):
It may have still been at MySQL.
Was that yesterday or the day before yesterday or
It was a while ago. No, it was a while ago.
But she said you were waiting you were waiting to get fired.
You’re just like sitting in your office
waiting for, you know,
for them to come in and take you out.
And instead your team backed you up
and said, yeah, you made a mistake,
but that was yesterday.

(35:04):
Now we need to still go forward.
You're still our CEO,
so pull up your pants and let's get to it.
Really interesting moment.
And I'm sure you look backat that quite often.
Yeah, they did.
They said, ‘Okay, Marten, you you caused this problem, you messed up’
But now you owe it to us to lead us to victory.
And I couldn't argue against that like I was ready to give up.

(35:26):
I thought, like, I better just disappear
and let somebody else come in.
But then I realized that they were like
they had a demand on me that if I had hired them
and I had promised them a great adventure, then I would keep leading.
And it was really
a pivotal point for myself,
seeing that sort of support from my own team.

(35:48):
Like it.
It's a reminder that when you are doing something significant,
you must have a lot of confidence in yourself.
But there must be somebody else who has even more confidence than you,
because there will come a point where you feel like giving up
and somebody else has to remind you
that you shouldn't
or you couldn't or you mustn't,

(36:10):
or it's not an option.
And it's it's,
it's, it's like I don't know.
It's very
it shakes you really deeply when it happens,
but that's the way you ultimately overcome anything.
Right? Right.
So talking about technology,
you've been in it for a while, a few yesterdays.

(36:30):
You've seen some major, major waves.
Major, major waves.
So MySQL was, you know,
change the way databases operate
change pricing on databases forever.
Then you're at Eucalyptus, you're doing hybrid cloud
before hybrid cloud was cool.
Still early days of kind of public cloud really taking off.
And now you're in security and the infosec side.

(36:51):
So one of the things I was talking to someone the other day
I said, you know, it seems like every technology in Silicon Valley
only lasts about three innings, two innings, before it gets
some other wave, you know, kind of crashes over the top of it.
When did you get here?
What did you come to the Bay area?
Did you come with the
MySQL to SUN acquisition?
And I'm just curious, your take,

(37:12):
seeing all these waves of innovation
for, you know, since 2000,
you were there in 2000 when I was there.
Jeff - and went through that madness
Marten - well, my
my spirit moved to Silicon Valley
30 years ago and I moved to Silicon Valley 20 years ago.
Like my body followed ten years later,
because back in the nineties, in Europe, I was

(37:35):
like I was learning about Silicon Valley.
I realized this is the place I have to be part of it.
So I handled sales deals and business relations with Silicon Valley.
So I've loved it ever since.
But I think it is
it is the beauty of specifically the San Francisco Bay Area that
that there's a sensibility for when a new trend
becomes really significant.

(37:57):
And of course many
start too early like at Eucalyptus we were far too early so
that was one of the reasons it didn't flourish as it should have.
But there's always somebody who gets the timing right
and then everybody joins and everybody makes it a massive,
a massive shift of industry like Web 2.0.
That's happened after the dot-com
bust and we started building interactive web applications.

(38:20):
It was a wonderful, wonderful time.
We didn't know it was Web 2.0 when we did it.
It was only called so a few years later, when
Tim O’Reilly came up with the moniker for it.
But you're right that these last ten years 20 years
and then a new thing comes and takes over
it doesn't replace the old one, the old one still remains there

(38:40):
but it's just not the main focus of things.
And that is part that's what innovation is.
You have to build it, package it such that, commoditize it
so that it can be just a standard piece.
And then you go on to the next and the next and the next.
But if
I'm sorry, I'm going so deep into this,
but it's not just building on top of the previous layers.
Sometimes you go back to a lower layer

(39:01):
and you start again,
like back in the eighties and nineties, the
the microprocessor architecture was a big thing
and building them was a huge business
and then it became commoditized and everybody had similar processors.
Now we're back into the age
where it matters what silicon you're running on and
you can get a lot of benefit there

(39:22):
and a lot of VC money
for startups is spent on compute infrastructure today, so
So here we have a going back to a situation where again
silicon is the difficult part and it will attract more money,
more attention, more solutions until it again gets commoditized.
And our focus moves to another layer in the stack.

(39:47):
Well, NVIDIA's doing pretty well with the
with the AI Silicon for this round so what's
Jeff - what is your take on kind of
Marten - Crazy well
Jeff - the current
Marten - Yes
the current thing
both AI in general and GenAI specifically, I think
You know, GenAI is a pretty specific application but
How do you see this trend relative to the other ones?
How do you see it impacting,

(40:08):
you know, what's going on at HackerOne
both within your customers and the way they develop code,
the way you guys attack code.
What’s kind of your take on this, this latest wave to crash upon us?
Yes. So quickly to comment on HackerOne,
the more new technologies, the more you need security.
So it is a massive boost of our business.
But let's first look at the main thing of AI

(40:31):
and what it can now do.
We see the early innings of amazing new services
and we are just amazed and in awe,
But actually it's a little bit like the first Internet browsers
that we think they're amazing, but they're actually pretty primitive.
So it will get much, much better.
What I think is happening, fundamentally is that

(40:51):
like we tend to think that an LLM is good at knowing things
and having intelligence and doing things in the tech world,
what it really is good at is understanding human beings.
So we are finally getting to a point
where you can speak to a computer
and it knows what you mean,
right
So an LLM is trained on training data,

(41:12):
but in a way it's trained on human beings.
It is being trained on how to interact with humans.
So everything you and I have learned about computers
keyboards, coding,
all these things
may become like commoditized.
or become a niche.
And the new thing to interact with the computer
is voice and direct and for anybody,

(41:35):
you don't have to be a computer educated person.
You could be anybody of the 8 billion people living on this planet,
that is a massive shift.
And once you do that,
you can have the LLM's call other functions.
They could be other learning models.
They don't have to be large.
They can be small, they could be specialized.

(41:55):
And suddenly there's one LLM that understands you.
Maybe it's trained on you alone.
Maybe that's what it does.
All the LLM does is learns your behavior.
And then you go to it and say,
Get me some food, get me some information,
get me some program, get me some dates with other people,
like whatever you do, and it will start doing it for you.

(42:15):
That is a massive, massive shift in society that
is difficult for us technical people to imagine
because we are so technical.
We would like to see technical benefits
like we are bothered whether AI can calculate an equation correctly or not,
but we forget that the real value is probably in
regular human beings doing regular things

(42:37):
faster or better or more thanks to AI
I think you're so spot on.
I think that is so underreported in this current trend.
Both the fact that that voice interchange finally works
for the way to interact with a computer instead of a QWERTY keyboard,
which is designed specifically to slow us down

(42:58):
slow us down
and two, not only do I have voice interaction,
but I have voice interaction with a massive supercomputer somewhere.
So I saw something today where someone said, you know,
why should you learn how to code
the whole idea that you won't have to code?
You'll just, please do this for me.
And I think it's really interesting when you look at autonomy

(43:19):
in vehicles and drones and all these things where
it’s such a democratization, say, with an autonomous drone
where you don't have to fly the drone anymore,
you tell the drone what you want it to do.
So like in an industrial application where they measure,
you know, volumetric measure of a pile of coal at a
at an electric utility plant, you don't fly, you don't have to fly it anymore.

(43:40):
You just tell it, go do this and
do it every day
and charge yourself up and report back and we'll have longitudinal data.
I mean, it's really different when these things
when the democratization gets to the point
where I can tell it what to do and it'll do it versus really,
you know, controlling what it does, which is a different level.
True.
But the need for complex problem solving will always exist.

(44:03):
So when people say you don't have to learn coding anymore,
that's not really true.
No, a lot of people will need to do coding.
A lot of people will need to do problems
problem solving that is akin to coding.
It's just that this universe of what AI can do will explode.
So maybe it's just 1% of the world,
but the world will be so much larger than this
there will be plenty of work for software developers or

(44:25):
mathematicians or statisticians or whatever
difficult work you are, you are being trained for.
So I don't think it will go away.
But I do think that the main impact on society
will be in pretty mundane everyday things that now can reach
anybody on this planet, and not just those who

(44:46):
who have grown up with laptops and computers and programming.
Right.
Well Marten, we’re getting to the end of our time,
I want to ask you a question
we talked about briefly before we got started,
which is your business problem, which is good news, bad news.
So for your customers, it can be good news.
We found the bugs.
You can shut down that vulnerability and not get hacked.

(45:08):
Or it could be bad news or good news I guess
we didn't find any bugs.
So, you know, you're kind of in this interesting
position with the customers.
You want to find bugs. You don't want to find bugs.
They want you to find bugs. They don't want you to find bugs.
What's the right amount of bugs to find?
How does that, all work out in practice?
Yeah, that's the eternal enigma of our business model that

(45:30):
If I come to you and say, Jeff, I know all your vulnerabilities.
Is that good or bad?
And, when I
we find a lot of vulnerabilities in systems
somebody might think short term that it's bad news.
We think it's good news.
And then after a while,
when we don't find vulnerabilities anymore,
that's even better news.
And it reminds us of the fundamentals here.

(45:52):
That's when you can trust the discipline
and scrutiny of the testing, any result is good news
If you can't trust the person or mechanism
that's doing the testing,
no results will help you, so
So when you know that they are testing well,
You will value it.
It's like when you go to a doctor to test for something.

(46:13):
If they find something
you may be sad, but you're thankful that they found it
right.
If they don't find anything,you're also very happy
because you know that they looked very hard.
So similarly, in our business, we have to go in with this
like Zen, like
calmness as to whether we find or we don't find
because we know that given we have the best people to test

(46:37):
that can be found on this planet,
it's good either way.
It's good if we find it's good if we don't find.
And the best customers will enjoy both sides.
And know that is the essence of staying in shape,
keeping the software in shape
Sometimes you find something, you fix it.
Many times you don't find anything and you can be happy,

(46:57):
but you can't be happy if you don't test so hard
that you also find some.
So it's a weird, weird philosophical balance
that I've had to
learn and come to enjoy in my job at HackerOne
And it's a wonderful
like there's something very eternal,
like there's some eternal truth about that,
like learning by burning your fingers

(47:18):
or learning in a fun way
that you can't disassociate them, they belong together,
although they are contrasts and opposites.
Right.
And you've spoken to another podcast that you know
that it's ongoing and continuous.
It's never over and you had this great line.
you said, ‘If you can't beat them, keep beating at them’
which, you know, goes back to this kind of never ending

(47:41):
1% improvement, 1% improvement, 1% improvement.
And you know, after a while
you can make some pretty significant gains.
Yeah, you can only
the only goal you can set in cybersecurity
if you're an end user, a customer is to be better than yesterday.
That's the only thing you can wish for.
You can't be fully secure.
You can't eradicate all problems.
You can't buy all the products you need.

(48:02):
You can't buy all the services you need.
There’s just, it's not possible,
but you can every day get a little bit better.
And when you do that, you will have less problems
than everybody else and you'll come out a winner.
But it's, that's how you do it.
Yeah,
Well, Marten, your enthusiasm in this role
is palpable through your posts and etc.

(48:24):
So it really looks like you've found a great place
and you're having a ton of fun in this cool
kind of marketplace of people doing great work.
So it looks like it's working out really well.
I love hacking people.
I love hacking you.
All right.
It's a wonderful business.
So thank you, Jeff.
This was a really cool conversation.
Great questions. I enjoyed them very much.

(48:45):
Thank you, Marten.
I always appreciate it.
And we'll see you online.
Thank you. We will.
All right.
He's Marten. I'm Jeff.
You're watching Turn the Lens with Jeff Frick
thanks for watching
thanks for listening on the podcast.
We'll see you next time.
Take care.
Awesome.
That was great.
Thank you. Yeah, that was fun.
Well, thank you, sir.
© 2025 iHeartMedia, Inc.