Mike Gruen:
You're listening to the 401 Access Denied podcast. I'm Mike Gruen, VP of engineering and CSO of Cybrary. Please join me and my cohost, Joseph Carson, chief security scientist with Thycotic, as we discuss the latest news and attempt to make cyber security accessible, usable, and fun. Be sure to check back every two weeks for new episodes.
Joseph Carson:
Hello, everyone. Welcome to another episode of 401 Access Denied. I'm your host, Joseph Carson, from Thycotic, and joined with me today is, of course, Mike G. Mike, do you want to give yourself a bit of an introduction?
Mike Gruen:
Yep, Mike Gruen, sometimes called G, so if you hear that, that's what that is. CSO and VP of engineering here at Cybrary. I'm super excited to talk today, and we're, well, once again joined by Josh Lospinoso from Shift5. Josh, why don't you give a quick intro?
Josh Lospinoso:
Sure, yeah. Josh Lospinoso, founder/CEO of Shift5, a OT cyber security company.
Joseph Carson:
Cool. Awesome. Today is going to be an interesting topic. We're going to take a bit of segue from the normal looking at different ... technologies and threats and trends, and we're going to get into ... One of the things ... One thing that I do often is, when I go to different events, we tend to go around all of the booths, and we take a look at all of the trends and what's happening, and what's new, and what's interesting. There's a game we tend to play, which is buzzword bingo. You get your things that's in the list, which is: This looks like it's real. This looks like it's interesting and needs further research. The other thing is, really, what's really bullshit and such.
Joseph Carson:
That's ultimately what we look into, and there's a lot. One thing the cyber security industry is really good at doing is creating a lot of new buzzwords. We like to do new trends, come up with new ideas, new basically labels for everything. Ultimately, what we're going to do in today's show is really pull some of those apart, is really look into the reality of what really it is, and what does it mean? What is the reality check of a lot of these buzzwords that you see in the industry? Whether it being looking around in booths, whether it being the messages you get in email, or things you ... in webinars and so forth, or the collateral and messaging that you get in a lot of products.
Joseph Carson:
We're going to pull back and look through and really check on some of those things. Josh, going to yourself, what's the latest buzzwords you've heard in the industry? What's the terms that has everyone excited, or what's the silver bullet of security? What's going to save us all?
Josh Lospinoso:
Yeah, I think the big three villains in this discussion, which we'll definitely cover in this episode is ML, AI, and quantum. What's so dangerous about these terms is that there's always a kernel of truth to what these things are and how they're going to have pretty profound ramifications on cyber security and, frankly, potentially human lives in general beyond cyber security. But, as ever, it's the way that these things get applied and universally hyped up around essentially everything. I guess blockchain was there a couple years ago, and we've gotten off of that sugar high, and we realize that, okay, maybe there are some contexts where decentralized trust could be really important, but it's not going to solve everything, right?
Joseph Carson:
Right.
Mike Gruen:
Wait, hold on a second. Blockchain's not going to solve everything?
Josh Lospinoso:
Sorry, man. You heard it here first.
Joseph Carson:
It's not going to save humanity, that's for sure.
Mike Gruen:
Right. I think quantum's an interesting one to start with just because I think back all the way to when I was first getting started in my career and quantum computers. I was starting in '96, '97. I remember SSL started coming out. I don't remember exactly how old but around that same timeframe, and how quantum was going to change everything, how encryption wasn't going to matter once quantum computers were a real thing, and so on and so forth. I feel like nothing has changed in 30 years. I feel like quantum, we've made about as much ... It's always just out of reach. It's always just there, and I'm curious what your guys' opinions are on that.
Josh Lospinoso:
Yeah, maybe ... I don't know if the listeners, if they are read onto what quantum computer ... Maybe it would be a good thing to just through a 30-second ...
Mike Gruen:
Oh, it's just something you put in front of anything to imply big, fast, new, super good.
Josh Lospinoso:
That's right. Yeah, yeah, yeah. It just means more better. But I could give it a shot, and then maybe we could go around. I think it would be maybe a good basis because it really is ... If you don't understand at least the high level of how quantum computers differ from classical computers, it's basically impossible to determine what is real observations about where cyber security is going versus total misdirection.
Mike Gruen:
Right.
Josh Lospinoso:
Basically, traditional computers, classic computers operate with transistors that exist in basically states of zero and one, and they're deterministic, right? And everything that we've built modern technology on depends on these states of zero and ones, and everything is built up from that. When you get down into the teeny, tiny world of nanometers, things get really weird, and what makes intuitive sense to us about how objects behave in the universe completely breaks down. We don't really have good intuition. The famous physicist Richard Feynman who says anybody who says that they understand quantum mechanics, have an intuition for it, is totally bullshitting because it doesn't make any sense.
Mike Gruen:
Right.
Josh Lospinoso:
Essentially, you've got things that can exist in a probability of states, but they're not zero and one, they're tending towards one or the other. Some crazy mathematicians were like, "Hey, what if we make a computer out of these things that exist sort of in this superposition of zeroes and ones?" Instead of calling them bits, which is the zero and one of classical computers, they exist in this superposition state, and then we call these qubits, right? For right now ... Sorry, maybe we could stop there and maybe see if that explanation makes sense because, insofar as it does ...
Mike Gruen:
I think it's going to make sense to the people. At least, it makes sense to me because I've been following it for a while, and I think what was interesting back in the '90s, one of the other comparisons was in the biological world, where you can use bacteria and other bio-computers to do very similar things of trying to test everything at once.
Josh Lospinoso:
Right. It's awesome, yeah.
Mike Gruen:
Just due to probability, you're going to get the answer.
Josh Lospinoso:
Right, right.
Mike Gruen:
At least bio-computing hasn't continued that hype that quantum has, but, yeah, the multi-state, the idea. I think the key to the whole quantum is that the idea is that you're able to process things in parallel in this ... Because everything's in multiple states simultaneously.
Josh Lospinoso:
Right.
Mike Gruen:
You can do things massively parallel or whatever. It's hard to ... If you don't know the physics, it's hard to ...
Josh Lospinoso:
Totally, correct.
Joseph Carson:
And yeah, getting into the qubits, it's really getting down to it's the difference between that and binary and bits. What we've traditionally known is that where a bit can be either on or off, as Josh is ... In a qubit world, I can be in actually up to four different states at any one time. Therefore, basically, the computational power of that is significant to what our traditional computers had the capability of doing. It really gets into is that the taking advantage of them is actually ... The difficult part is creating algorithms that can actually be processed in a quantum-computer world. That's the challenge. One of the things I've seen is that the likes of ... You've got these hybrid ones. You've got, of course, it's the D-wave and E-wave coming from ... I think it was Google and NASA.
Joseph Carson:
Then, of course, you've got IBM's version of the Quantum One. All of these, what really they're looking for is they're hybrids at the moment, which is really where they're at. They're not into true quantum capabilities, but the ... When you think about it is that the idea is they're looking at that you can put in all moving objects in space, all planets, asteroids, comets, and put it into these algorithms. What a quantum computer could potentially do is tell you when those comets and asteroids could actually collide with the earth. Ultimately, that's the power that they have the capability of doing, but we're to getting that close to capability. Of course, our concern in the security world has always been that you take that same type of computational power, and you apply to prime numbers, and that actually then weakens the security of traditional encryption today. That's the concern.
Joseph Carson:
There are these hybrids that do exist, and I believe China still has one of the computing ... The one that has the most qubits capabilities, but I did learn a lot. It's not about how many qubits you have. It's actually the quality of the qubit itself, and that makes a big difference. Ultimately, the concern here is that, eventually, if someone does get the capability of taking a quantum computer and targeting against prime numbers and traditional encryption, anything that we've encrypted historically in the past is publicly available or available to that person that they could break the encryption.
Mike Gruen:
Right.
Joseph Carson:
That's the major concern, from a quantum perspective. Are we there yet? I don't know. I just get from what I can publicly available and what I hear, but my understanding is that getting to true quantum is still a long way to go.
Mike Gruen:
Yeah, that's my understanding as well, and I think one of the things to understand about what are quantum computing and regular computing, at least from a traditional computer-science perspective, is the notion of NP, NP complete, NP, problems that are difficult for a computer to solve but very, very fast to prove. If you have the solution, you can verify that that is the solution in polynomial time very, very fast.
Joseph Carson:
Right.
Mike Gruen:
But actually coming up with the solution takes a long time, and that's what is at the heart of encryption is this ability. It's really, really hard to break the code, but once you have the answer, it's very, very fast to compute the solution. Quantum basically is looking at taking this whole class of problems and turning them from very, very hard into very, very easy, like anything else, like sorting a bucket of strings, which is polynomial. Being able to do that with non-polynomial problems. That, I think, at the heart. That's what the heart of encryption is. It's these functions that are hard in one direction but easy in another. Otherwise, we wouldn't be able to do banking online in any type of real time.
Josh Lospinoso:
Right.
Joseph Carson:
Yeah, there was an interesting series recently on the same topic, which was Devs. I don't know if you got to watch the series Devs, which was interesting. It got to the point where it was looking at using similar computational power. If you took all the data that we had around us about how everything happened, that it could, actually, one is it could look into the future and also look into the past as well and ... to take all the objects. Again, this ... I did listen to an interesting audiobook recently on a similar subject, which was the science of science fiction, which is also a really interesting topic as well. This is about all the things we see in the movies on the science-fiction side of things and really looking at the science of that. And really think from quantum side of things is that we do know the aspects of it, and we do know the possibilities, but getting there, getting to really utilizing it for its value that it can provide is probably some years away, I believe.
Mike Gruen:
Yeah, sure.
Josh Lospinoso:
Yeah, I think it's also really important to specify which kinds of encryption are subject to getting totally broken apart by quantum. So ...
Mike Gruen:
Yeah, that'd be great, yeah.
Josh Lospinoso:
Yeah, so you guys have basically eliminated it, but just to be really explicit about it, there's two broad classes of encryption, at least as far as this conversation is concerned, symmetric and asymmetric. Things like doing a banking transaction online require what we call asymmetric or public key cryptography, where there's a public key. I'm going to encrypt some data using that key, and the only person who can decrypt it is the holder of the private key that corresponds to that public key, right? So much of what we do in modern society depends on the security of that crypto system, and, Joe, as you mentioned, the math that underpins the security of that crypto system right now can be broken by quantum algorithms, right?
Josh Lospinoso:
If you're talking about elliptic curve or integer factorization, these are problems that are like ... A quantum computer can solve them very quickly, and things will break. If we get quantum computers, the way that things are set up, people that are using these very, up to now, secure algorithms are going to be in deep trouble, right? The world's not falling. The sky is not falling. I'm an optimist about this. There are quantum-resistant algorithms that are in active development right now, so there's things that ... I don't understand these, but I know that they exist.
Josh Lospinoso:
There's lattice-based cryptography. There's hash-based cryptography and code-based cryptography. All of these things, basically, the Shor's algorithm, which is the algorithm that breaks all of the current public key crypto systems, doesn't work against these new ways of doing encryption. I'm hopeful that we're ... That quantum computers aren't going to destroy the world. I think there's a lot of active discussion about when do we start migrating to these quantum-resistant things, and we'll see. It could be decades before we see practical quantum computers. You're almost certainly not going to see one on your cell phone, I think.
Mike Gruen:
Right.
Josh Lospinoso:
You have to ... To get qubits, you have to have actual absolute-zero temperatures. It's just pretty insane.
Joseph Carson:
Walking around with a refrigerator in your pocket.
Josh Lospinoso:
Exactly, yeah, very, very, very ... Yeah. So probably not going to happen, but anyway I thought that would be helpful. Symmetric key algorithms, like AES, are already quantum resistant.
Mike Gruen:
Right.
Josh Lospinoso:
So they don't ... You don't really have to worry there. I thought that would just be another to our point of people get really hyped up about quantum computers destroying encryption. It's always more nuanced than that.
Mike Gruen:
Right.
Joseph Carson:
Correct. It takes a specific ...
Mike Gruen:
I suspect ...
Joseph Carson:
Yeah.
Mike Gruen:
Sorry, go on, Joe.
Joseph Carson:
Yeah, it's a specific type of encryption that's exposed.
Mike Gruen:
Right.
Joseph Carson:
As long as you have one of the, let's say, factors, you can actually reverse. Typically it's basically created from two prime numbers and very large prime numbers, and that's the concern is if you've got a public key, if you've got some references, then you can actually map it back to a private key. But, as you mentioned, with a symmetric, there is no public key piece of it. It's all about making sure that you exchange the key in a secure manner, and that's not exposed to quantum.
Josh Lospinoso:
Right. Yeah, and given cipher text, a quantum computer can't just magically create plain text out of that.
Mike Gruen:
Right.
Joseph Carson:
Correct. Again, you get into one-directional hashing mechanisms, especially what things like passwords are kept in, is also, depending on how well you salt it and how much can, let's say, mathematical complexity you put into it, then those are also resistant to attacks as well.
Mike Gruen:
Right. I think it's clear, based on human history, when we'll see those resistant algorithms really making it into mainstream, which is about five years after the first quantum computer breaks something.
Josh Lospinoso:
That's right, that's right.
Mike Gruen:
Right.
Josh Lospinoso:
Yeah. But it also highlights ... Oh, sorry. I was going to say this also highlights a really important feature of crypto systems, which is, in my opinion, one of the reasons that PGP hasn't really taken off among the security community, which is perfect forward secrecy. This is a really important aspect of modern cryptographic systems. That may be a little bit of a tangent but may be helpful to dive into a bit because it gets to the point that you're getting to.
Josh Lospinoso:
Perfect forward secrecy is this idea that if an attacker is able to compromise the key material for one communication, it won't compromise all the communications between those two parties, right?
Joseph Carson:
Correct.
Josh Lospinoso:
If you're able to recover the key for a session, it doesn't tell you anything about the other sessions. Diffie-Hellman is an algorithm that gives you perfect forward secrecy because of this session-key concept. This just underlines why it's so important to have this kind of security built in so that if you update the security protocols, you have session keys rather than some sort of global encryption key.
Mike Gruen:
Right.
Josh Lospinoso:
So PGP, in contrast, doesn't have perfect forward secrecy, and this is one of the major objections in the security community. It's why we don't use it.
Joseph Carson:
Wasn't PGP the original algorithm using, it was the base of the randomness of the mouse movement that created the key. I think that was the original ...
Josh Lospinoso:
Right, right.
Joseph Carson:
How the key was originally created was how you moved the mouse around.
Mike Gruen:
Right.
Joseph Carson:
And that's how it actually ...
Josh Lospinoso:
Yeah, yeah.
Joseph Carson:
The mathematical computation was done.
Josh Lospinoso:
Yeah, I think, basically computers, as you mentioned, because they're deterministic, it's actually surprisingly difficult to get randomness out of computers.
Mike Gruen:
Right.
Josh Lospinoso:
So there's this funny example. I think it's Cloudflare has these lava lamps set up that they actually derive keying material from.
Mike Gruen:
There's a number ... Yeah, there's basically hardware devices. That's the only way you can really get true randomness, having hardware devices that are measuring various things.
Josh Lospinoso:
Right. Right. Like radiation from space and all sorts of LEDs, yeah.
Mike Gruen:
Right, right. Temperature, humidity, and ... Right, exactly right.
Joseph Carson:
That moves into that quasi-prime side of things where we're talking about music as a source of randomness.
Josh Lospinoso:
Right, right. Yeah, yeah, yeah, yeah. Certainly, when I play music, it's definitely random.
Joseph Carson:
Getting into ... I think quantum definitely, if we can look at it from a buzzword, it's definitely something that is real, but the true value of it is likely going to be years away. If somebody does get access to a quantum computer, probably the last thing they're going to be wanting to do is break encryption. They're going to be wanting to use it, I'm hoping, for the benefit of other things that are more valuable to society.
Mike Gruen:
I don't know. I think it has to do with the state act ... My guess is it's a state actor that's going to get it first, and then they're going to ... They're probably going to use it in both positive and negative ways to benefit ...
Josh Lospinoso:
I think that's probably right.
Joseph Carson:
Like all technology. All technology is used in the same ...
Josh Lospinoso:
I think that's probably right.
Joseph Carson:
For the audience, yeah, it is something, but will you have it in five years in your pocket? Definitely not. It'll be a very cold device.
Josh Lospinoso:
Yeah. Although you can mess with these things. There are pseudo-quantum computers now, like we're going to add all kinds of fancy prefixes to things.
Mike Gruen:
Pseudo-quantum.
Josh Lospinoso:
You can actually download environments where there's a virtual machine that pretends it's a quantum computer, and you can use languages. I think it's Q#, or there's some other ... Where basically you can program against the quantum computer, and it'll simulate qubits, essentially. If you're interested in these sorts of things, even though you're not going to get the performance of a quantum computer, you can at least get your brain wrapped around how these things work.
Joseph Carson:
Yeah, and if you are interested in actually learning about it, one thing I remember when I was doing, four or five years ago, getting into ... Because I was ... In Estonia, they use a lot of, was it, innovation areas. There's a lot of discussions into different technologies, and one thing that I was working on, again, back then was blockchain and quantum. And there was ...
Mike Gruen:
Ooh, look at that: blockchain quantum.
Joseph Carson:
Yeah, blockchain quantum. And there was a guy ... If you remember ...
Josh Lospinoso:
Here we go.
Joseph Carson:
There's a guy in Australia, so just look up Australian guy qubits, and there's a lot of videos of him explaining. So if you're interested in actually spending some time in YouTube listening to qubits and how it works, there's an Australian professor that really explains it in a very professor-like manner, as they all do.
Joseph Carson:
Next buzzword I think that Josh did mention as well is around the AI, and I'm always ... I prefer to call it AI, but this gets into the big topic of what does the A really mean when we talk about it? And also ...
Josh Lospinoso:
And what does the I mean?
Mike Gruen:
I know what the I is. The I ...
Mike Gruen:
The I is if.
Joseph Carson:
So this is a big one, and I can tell you, when I go to events, and I go listen to webinars and different vendors, the big buzzword is around how they're using artificial intelligence to make organizations and people and society safe. And that it's this new silver bullet that will actually solve all problems. For me, I'm always looking at the realist side of things, so I'm just interested, Josh, from your view, what's your thoughts around AI itself?
Josh Lospinoso:
Yeah, I think the critical question, I was tongue-in-cheek before, but what is intelligence is, I think a really important question because, to say what artificial intelligence is, you can't really define that without understanding what you really mean by intelligence. Where I think it becomes shorthand, right? Where the term is actually used outside of a scientific context is to get a machine to do tasks that would be normally required by a human being, right, and that's an imperfect shorthand, but I think that's what most people mean when they say AI, right? I think maybe starting there, but intelligence itself is a non-trivial concept. What is intelligence? Do plants have intelligence? Do bacteria have intelligence? I would think we would all say that people and monkeys and whales probably have intelligence, but where do you draw the line on that is, I think, a pretty important question to answer.
Mike Gruen:
I think about it in terms of the ... I can't remember the exact quote, but the suitably ... Technology looks like magic. At some point, suitably complex technology just is magic. They're ... I think, when I think about AI, that's where I start to go is the complexity of the system is approaching to the point where its decision-making is so complex that I can't really explain it because there's so many nuances. It's taking in so many things. I can't explain how I make a decision.
Josh Lospinoso:
Right.
Mike Gruen:
You know what I mean? To me, that's magic that's happening in my brain. AI, it's when computers get to that point where you're no longer really able to fully communicate how that decision is. That's where I draw that line is in artificial intelligence.
Joseph Carson:
Yeah, so for me, it's ... Based on, Josh and Mike, your descriptions, it reminds me of something I did 20 years ago. I had a problem with a server that kept, let's say, running out of memory, and the application was crashing. I created a little thing that we would probably, based on our terminology, we could call it artificial intelligence. I taped a pen to the top of a remote-control car and actually scheduled it in order to actually drive into the button on the computer to reset it periodically so I didn't have to. Is that replacing me from going and pushing the button myself to actually doing it in an automated way? For me, that's really where I draw the line is that I think doing things that ... There's certain tasks that humans do that just physically cannot be replicated by a computer by the traditional sense.
Joseph Carson:
For me, what I've always been saying is that ... That's why I struggled with the term artificial intelligence because everything we do is all about automating human tasks, and I don't think automating human tasks is truly the same as artificial intelligence. That's the misunderstanding is that we are sometimes confusing automated human tasks or artificial intelligence. When you look at the reality, when I go to a lot of the vendors who talk about AI, and I look under the cover, what they're doing is they're automating somebody looking at a log file. They're automating somebody going and analyzing mass amounts of data and then trying to come to a conclusion. For me, that's just automation. For me, it's automated intelligence, not so much artificial. It's just taking tasks that a human would do that computers can replicate. It might, to your point, be more complicated and look like magic because some of those algorithms do get very, very complex.
Joseph Carson:
I can remember I actually participated in a summit last year, the ... digital summit, and last year's event was on governments' policies around artificial intelligence. We got into a big discussion around what did it truly mean. Ultimately, what it got into ... I liked IBM's term of the A was they call it augmented. When you get into the, let's say, doctorate side of things or the educational and the professors, they call it artifact intelligence. It's all about artifact collection. And then they're ...
Joseph Carson:
For me, I tend to call it automation. To truly differentiate between what true ... The one thing I have seen that gets closer to it is when they're looking at, let's say, automatically translating text into other languages, natural language processing. When you're looking at being able to listen to me speak, not knowing what's coming, and then be able to properly translate that correctly into another language. My definition is that when I really get to see true artificial intelligence is when a program that's only been trained to, let's say, do natural language processing on English and actually can then learn German and then automatically translate German without human intervention. That's what I think about something that is truly getting closer is when they can truly learn themselves.
Mike Gruen:
Yeah, I think the learning or the self-modification aspect is also an important part, but going back to on the AI side, I think about ... One of the problems Josh and I at RedOwl were facing was how do you identify someone who might be leaving an organization, right? Because that's, from a security perspective, people who are leaving, they're somebody you want to watch for whatever reason.
Joseph Carson:
They're going to take a lot of the data with them.
Mike Gruen:
Right, they're going to ... Right. Or they're going to ... Yeah, whatever. Or they're disgruntled, and they're going to delete everything, whatever it is. How do you identify someone who's unhappy and potentially going to leave? Me, as a manager, I can get a feel for people who are disengaging and how to ... But how do you get a computer to look at whatever behavior they can actually observe ... Whatever behavior computers can observe about the people within the system and get it to identify someone it thinks might be ready to leave.
Mike Gruen:
I think what we worked on and what was interesting was I remember sitting down with the mathematicians, and we went through all these things, and we needed to be able to check that our math was right. How do you even do that? That's where I started feeling like, okay, now we're getting into the real realm of artificial intelligence because we have these models. How do we actually know that they're right? The only way to know they're right is to actually use them on old data sets where we know what the answers were. I remember sitting with the mathematicians, and I wrote my version of the algorithm, and then they would actually have to hand-compute things in order for us to make sure that my math was right and their math was right. And 50% of the time, I was wrong; 50% of the time, they made a mistake somewhere in their Excel spreadsheet, and it was a nightmare.
Josh Lospinoso:
And 25% of the time, you were both wrong but thought you were right.
Mike Gruen:
Exactly. Right, right. Oh, right, who knows how many times we both came up with the same answer, but it was the wrong answer?
Josh Lospinoso:
Right.
Mike Gruen:
That's a great point. I have no idea. Probably 50% of the time. But, yeah, so to me, that's where artificial ... That's where we were starting to get into artificial intelligence, where that model was so complex, and there were so many things going on that it was something that I, as a human, do, and I do it intuitively, and I couldn't quite explain exactly how I do it to a computer. It's not just a bunch of if statements. It's a buildup of all of these different things and then putting it into a model. I think that's where we start getting closer and closer to real artificial intelligence and machine learning and actually looking and having the computer observe things, training itself, making changes to its own algorithms and so on and so forth.
Josh Lospinoso:
Right.
Mike Gruen:
Then you get to the point where the machine has transmuted itself so many times that the original programmer has no idea what's going on in there.
Josh Lospinoso:
Right.
Mike Gruen:
And I think that's basically YouTube and Facebook in terms of their recommendation engines. Nobody really knows why this video is being recommended to me, and I think that when it comes to cyber security and looking at logs, I think those concepts, those are buzzwords that are used in the cyber security space to do what you were talking about, Joe, which is, yeah, we've automated the looking at these logs, but the fact of the matter is I could actually explain, if by if, what that computer is doing looking at those logs and flagging things.
Joseph Carson:
The algorithm ...
Josh Lospinoso:
To a point.
Mike Gruen:
It really is just a bunch of if statements.
Joseph Carson:
The algorithm is not self-learning.
Mike Gruen:
Right.
Joseph Carson:
The code itself is still the original algorithm code that was actually done with a developer.
Josh Lospinoso:
Exactly.
Mike Gruen:
Exactly, exactly.
Josh Lospinoso:
And the way ... I think what we're talking about is the idea of cognition, right? It's having this base of knowledge and then experiencing and sensing things, and then interpreting that into new knowledge, right, that becomes part ...
Mike Gruen:
Right.
Josh Lospinoso:
So I think of kids, right, and this is ... If you've been a parent, and you watch a child grow, it's the best worst thing that will ever happen to you, right? But watching a three-year-old compile new information, try out sentences, see what happens in response to the sensory inputs, and then generate knowledge, it's the most amazing thing to watch, right?
Mike Gruen:
Right.
Josh Lospinoso:
And so, having programmed a lot of computers in my life and doing my best at parenting children, which is basically impossible, there's a fundamentally different feel to those things because one carries out your instructions faithfully and literally no matter what the result is, and the other is going through this very messy process of cognition. To me, they are fundamentally different. They feel fundamentally different. To your point, G, we start talking about these systems that are very flexible in the way that their instructions work, and they're compiling information and input and presenting new outputs to the world and then iterating on that. That definitely, to my mind, gets a lot closer to cognition.
Mike Gruen:
Right.
Josh Lospinoso:
Right.
Mike Gruen:
What's interesting, I think, a couple years ago, we went to an event here. The University of Maryland at College Park, we are on their property, essentially, and we use the same underlying ISP that they have, right? This ISP has to ... They have to transfer huge amounts of data because they're connecting research environments. When I say huge amounts of data, this is the first time I've ever heard someone talking about large data sets, and then they started talking about the size of these data sets and how far they have to transfer them. And it's like, wow, that's actually really a large data set, like petabytes and petabytes.
Mike Gruen:
One of the things that was interesting that they talked about, what he was calling for, because he was talk ... The talk was mostly to scientists and researchers and how they're studying the sun and studying planets and all these different things and all these algorithms that they're using to make, for example, planes that should not be able to fly that are in no way aerodynamic, but you put enough sensors on there, and the computer can fly this thing despite the fact that it has no business flying. He was basically saying, hey, wouldn't it be great if you all took that stuff that you're doing and applied it to the network data that I'm generating? So these giant transfers, the data data generates generates data, essentially.
Mike Gruen:
It's like these giant network transfers are doing all of these things. How would I even detect that there was an intrusion? With all of this network stuff that's going on, how would I even know what's going on within the network? If you were to take that scientific research that's being applied to astrophysics and stuff and apply it to this, wouldn't that be awesome? I think that's where there would actually be true AI in security, but unfortunately most of the companies that you talk to that talk about AI and security aren't doing that. They're doing a lot of if statements.
Mike Gruen:
Right, and so I think that that's ... I would love to get to that point. I thought that that was a great talk, and it was very inspirational. It reminded me of a previous conversation with Josh around, hey, there's all these different areas where we could be putting really smart people to work that are in these hard sciences to solve problems, and here's a problem that's actually really ripe to be solved, but there's not as much interest in it for whatever reason.
Joseph Carson:
Yeah, and, Josh, we discussed previously about the one that DARPA was running between ... And the Air Force and doing the ... yeah, the dogfights against the AI pilots.
Josh Lospinoso:
Yeah, the dogfights, yeah.
Joseph Carson:
We had discussed ... And I remember I saw my cousin was posting about it as well, and they're having a big discussion, and it was all about artificial intelligence, one, and pilot, zero, in regards to the competitive side of things. I've even seen the same, and it's one of the discussions we even look at with Kasparov in chess about playing basically against the so-called artificial-intelligence systems. Because it's such ... When you look at those, there's such set rules. There's a set of rules that they have, and that's the point where, when I look at it, it's not the pilot versus the other plane. It's not the chess master versus the computer player. What ultimately it is it's the pilot against an algorithm.
Josh Lospinoso:
Yep.
Joseph Carson:
If you understand how the algorithm works, then you're actually ... You find the weaknesses. You find the flaws, just like we do in software development. When you look for ... Your penetration tests, you're looking for flaws and vulnerabilities in code, so you can take advantage and exploit it.
Mike Gruen:
Right.
Joseph Carson:
It's the same with these systems is that you're looking for vulnerabilities and flaws. Kasparov's playing against the machine, really, when he should have been playing against the algorithm, finding out its weaknesses and understanding. The same with the pilots is understanding about where there's weaknesses in the algorithm, not looking at from equal to equal because it's not equal. Ultimately, when I got down to it, I looked at it, and I made the comment and said it wasn't pilot, zero, artificial intelligence, one. It was pilot, zero, dev, one.
Josh Lospinoso:
Right.
Joseph Carson:
It was the developers who created the algorithm who ultimately won.
Mike Gruen:
Right.
Joseph Carson:
That, I think, for me, is a big difference as well that we have to get into reality.
Mike Gruen:
I think there is a difference, though, between, say, chess and flying planes or other things because chess is a ... All the information is known. It's a perfect ... Computers should be really good at that type of problem, right? I shouldn't be able to ever beat a computer at chess because all of the information is known. It's 100% known. Flying a plane, playing other games where there's hidden information, once we start seeing computers really beating people there consistently, that's where you're starting to get into it.
Josh Lospinoso:
Sure.
Mike Gruen:
But I think, Josh, can you ... We started talking about it a little bit. We talked about AI, and we started talking about, well, self-learning and stuff like ... Maybe it would be helpful to talk about AI, machine learning.
Josh Lospinoso:
Sure.
Mike Gruen:
Is there a difference? Why are these two different ... Why do people ... What are they? Yeah, maybe that would be a good place to go.
Josh Lospinoso:
Yeah, so I'll give you my take on it, and I think there's a lot of discussion around these things.
Mike Gruen:
Right.
Josh Lospinoso:
Full disclosure, I did an advanced degree in statistics, and so I have a very strong opinion about how all of these things hang together, so take this for what it's worth. But ultimately, as we were talking about artificial intelligence, to my mind, ha, means that cognition. It's basically trying to create cognition in a machine, right?
Mike Gruen:
Right.
Josh Lospinoso:
Machine learning is more of a broader class of techniques for solving problems, and so this is where you're talking about things where you either have an inference problem, like you're trying to classify something into one group or another, or you're trying to ...
Mike Gruen:
Hot dog or not hot dog, I think.
Josh Lospinoso:
Hot dog, not hot dog, exactly. You're trying to predict a value in the future given previous history of things, or you're trying to separate data without really knowing the truth, but you have some glob of data, and you want to pull it out in interesting ways, right? Then a very closely related field, but certainly distinct, is statistics, which is basically you have a hypothesis, just a scientific hypothesis, about something. You collect data, and then you build a model that is constructed in such a way that when you put the data into it, the model gives you some result, and that result tells you about your hypothesis. It tells you either, hey, this data supports your hypothesis, or there's just not enough evidence to say one way or the other, right?
Josh Lospinoso:
That's how I think about how all of these things hang together. I don't even know if that's really useful for practical purposes, but when we use these terms, that's how I think about things. Statistics is very scientifically based around answering scientific questions. Machine learning is a collection of techniques for predicting, classifying, separating, and doing practical things with that. AI is about cognition.
Mike Gruen:
Right, but I do think ...
Joseph Carson:
Absolutely, and ...
Mike Gruen:
But I do think that machine learning is ... To my definition of AI, machine learning is actually closer to artificial intelligence in the sense that it's looking at previous things and using that information to model, modify, and ...
Josh Lospinoso:
Sure.
Mike Gruen:
You know what I mean? And I think artificial intelligence is just a term that's been around for a long, long time.
Josh Lospinoso:
Right.
Joseph Carson:
I think there is a big ... There is a difference, though.
Mike Gruen:
Yes.
Joseph Carson:
Is, with machine learning, it's really about ... We use the same for predicting the weather. That's one of the areas. You've got your constants, and you've got your variables, and it's about playing around with those different mechanisms to see how far off you are based on the data that you have. It's really about coming up with enough data to get your probability close enough and accurate enough.
Mike Gruen:
Right.
Joseph Carson:
And based on major different variables, then you can determine if one changes, therefore the result will change. That's really going to get into ... So it really ... Absolutely, Mike, what you were talking about is, I think, machine learning. AI can't have AI without machine learning.
Mike Gruen:
Right.
Joseph Carson:
It's a big part of it. It's a component. It's an input. It's a factor, but, when you get into AI, I think the difference is is that, for me, it's all about self-healing, self-creating. It's about, when the developer wrote it, that it will actually continue recreating itself as it goes forward. When a developer comes and looks at that code again, it's not the same code it was when they wrote it at the beginning.
Mike Gruen:
Right.
Joseph Carson:
It's self-evolving, self-improving, but one of the biggest challenges, and it's, I think, an issue, is getting the ethics, ethical coding, and non-bias coding. This is really where you get into the challenge is that how do you take it out of the decisions and so forth?
Mike Gruen:
Oh, yeah, no, the bias. Yeah, the problem is, right, there's still a human that programmed it. There's going to be biases. You look at any of these AI systems, they have bias baked in because somebody had to come up with the initial set of rules.
Josh Lospinoso:
Yeah, there's this great book called Weapons of Math Destruction that talks about this exact issue. And so you have ...
Joseph Carson:
Interesting. That's high on my reading list.
Josh Lospinoso:
Yeah, yeah, it's pretty good. There's definitely an agenda behind it, but I think it's one that's argued reasonably. I have a couple comments about this bias thing because it's really interesting. One is you can collect data that just has bias in it, so depending on how you sample your data, you're going to end up with some sort of bias potentially built into that unless it's like a lab environment, and you can do clear A-B testing. You're also going to have bias based on how the model works, right? There's this famous statistician called George Box, who said all models are wrong; some are useful. Right?
Mike Gruen:
I think his quote is more famous than he is, but yes.
Josh Lospinoso:
Yeah, no ... for sure. For sure, it is. I'd like to ... So this question of statistics versus ML, I think it's really illuminating to how we build biases into models, right? In the machine-learning world, when we're trying to draw an inference about something, for example, we're predicting whether ... Recidivism in inmate populations is a really good example to talk about, right?
Mike Gruen:
Yes.
Josh Lospinoso:
If you take historical data, and you plug it in blindly into a classifier or some sort of deep-learning model, right? Which, funny enough, this all ties together, but it's a stylized version of how we thought the brain worked a few decades ago, right? You train these neurons. They'll come up, ultimately, with a classifier that says, yes, this person will commit another crime, or, no, they will not, for making paroling decisions. It turns out these systems are super racist, right?
Mike Gruen:
Right.
Josh Lospinoso:
Super, super racist. Whereas, if you ... It's harder, but if you were to use a statistical model where you know how the model is constructed. You know which data you're putting into the inputs and how those parameters are coming out, you get a bit more insight into how each of the factors of a person's attributes, whether that's their history while they were in prison, it's their age, it's their demographic information. You can get a better sense for how these things are affecting the decision to parole or not.
Mike Gruen:
I think it's important to explain why that system is racist. It's racist because what you've done is you've codified all of the racism that was built ... Everything that was in the original model, all of that data, was coming from what was a systemically racist system in the first place.
Josh Lospinoso:
Right.
Mike Gruen:
So you've just codified it, congratulations.
Josh Lospinoso:
Right, right, exactly, exactly. The problem here is essentially that the machine-learning models are incredibly opaque, right? They're built in these ... They're fascinating, and they do incredible stuff. They can drive cars, these convolution ... their own networks and stuff. It's amazing. Don't get me wrong, it's amazing, but there's a fundamental problem of introspectibility. You can't look into these models and say, oh, this is why this algorithm is making this decision. It's static, so it's not like these things are necessarily evolving over time, but they're just very opaque. Whereas statistical models, at least the good ones, you can go in, and you say, oh, these parameters are affecting the outcome in this way. Right? ...supposed to be that way.
Mike Gruen:
And, again, I think that's ... That's also another reason why I think of machine learning being actually a little bit more like ... Going back to your talk about kids and watching them and so and so forth, right? I don't think anybody would argue that a kid that's raised by a racist family is probably going to be racist.
Josh Lospinoso:
Totally. Totally.
Mike Gruen:
And so it's that same ... It's a very similar ... If this is the data you're putting in, this is the result you're going to get out of it, which makes it a little more ... Obviously, these two things are connected. Statistics is definitely much better, and I've worked on an NLP company, and I remember talking to them, and they were ... There were a number of linguists that were very pro the statistical approach and very anti a statistical approach. It was always fascinating to watch those arguments unfold.
Joseph Carson:
I think we're getting to the point your result is only as good as the data that you put into it.
Mike Gruen:
Right.
Josh Lospinoso:
Totally, and the machine you put it into.
Mike Gruen:
Right.
Joseph Carson:
...you put into as well.
Mike Gruen:
Right, and the developer that makes that machine, I think.
Josh Lospinoso:
And everything.
Mike Gruen:
So it's all crap is what we're saying, I think.
Josh Lospinoso:
It's all crap.
Joseph Carson:
At the end of the day, it has human nature built into it.
Josh Lospinoso:
Totally.
Joseph Carson:
That's the ultimate impact is that if we get ... I think probably the only true thing is that, eventually, if you get to a point where it's completely decentralized, the developers who are creating it ... This reminds me of even some of the work I did in the past. When I was working on something, I didn't have the bigger picture. I didn't know what I was working on. I was working, and I had one piece of the puzzle. I didn't know who I was working with, I just knew that this is what I needed to create, and then that puzzle goes into something else, and then it is used for whatever. But if you get into that model where the person doesn't know what they're actually participating in, then you get closer to, and you get many people working that way that they don't know each other, then that gets a bit more closer to de-sanitizing it.
Mike Gruen:
And I think multiple people working on the same problem, but, yeah, sorry.
Josh Lospinoso:
Are you trying to say decentralized AI, ML development on the blockchain is the way we're going to solve all of these problems? Because if that's what you're saying, sign me up. I think ...
Mike Gruen:
I think we need to make sure that there's quantum computers involved in this.
Josh Lospinoso:
Oh, right, of course.
Joseph Carson:
Oh, yeah, of course.
Josh Lospinoso:
Of course. That's how you do proof of value is on the quantum computer.
Joseph Carson:
Quasi prime in music.
Josh Lospinoso:
Exactly, yes. You have to play classical music to the quantum computers, yeah.
Mike Gruen:
Absolutely.
Mike Gruen:
I think this horse is sufficiently beaten.
Joseph Carson:
Yeah.
Josh Lospinoso:
We've solved all the problems, guys.
Mike Gruen:
That's also ... By the way, I would like to point out another difference between artificial intelligence and raising kids is you can beat a computer.
Josh Lospinoso:
Oh, my God. I think we'll cut the podcast off before that.
Joseph Carson:
That's bringing it to a whole new level ... you won't be able to beat the computer if it gets classified as a citizen.
Mike Gruen:
Right. It does bring up an interesting thing around artificial intelligence and at what point do they have rights and stuff like that, but I think we can hold off on that conversation.
Joseph Carson:
Actually, yes. Yes, actually, just to ... There is an interesting thing in Estonia, actually, there is an algorithm in Estonia which is called Kratts. Which is interesting. I don't know why they called it Kratts just because Kratts is an evil goblin who comes along and steals your things, but that's what they called it. They called it Kratts. This is their, let's say, government artificial intelligence official. If you've got a question, this bot has the ability to go off and find out all the previous types of questions similar and respond to it. It's almost like a government service official that is there to answer questions of citizens. It really got into official designated ... It was recently as an e-resident citizen type of thing.
Mike Gruen:
Wow.
Joseph Carson:
They also even looked at the one in Saudi Arabia that's got classified as a citizen as well, the robot, whatever it was. I can't remember the name of the ... Suzy or whatever it was. But, yeah, this gets to the point. When these devices start getting equal laws to ourselves and equal standings, that's a whole direction where it can go.
Josh Lospinoso:
Yeah, reminds me of Microsoft released this Twitter bot in 2016. Do you remember? It was called Tay.
Mike Gruen:
Yeah, yeah, yeah. Right, right.
Josh Lospinoso:
Within like 16 hours, it was spouting conspiracy theories. It was going on these racist tirades, and they had to shut it off.
Mike Gruen:
Right.
Josh Lospinoso:
But it didn't even last a day. I think what we're saying is people are awful.
Mike Gruen:
Right. What I think ... Yeah.
Joseph Carson:
We just need to act responsibly. We have responsibilities, and it's important to stay with ... Sticking with the ethics side of things, that's critical.
Mike Gruen:
Right.
Josh Lospinoso:
Sure.
Joseph Carson:
I think, to sum it up is that, eventually, at some point in time, beat your computer today while you can because at some point in the future you may not be able to do that. I think, if we go through all of the buzzword bingos that we tend to play in the cyber security world is that some of them are reality. Unfortunately, a lot of them are labels more than what they really actually do. Some are a bit further away than others. If we're talking about quantum computing, it is a path. It is a direction. It is reality, but it's years out before we even get the benefit of it.
Joseph Carson:
If we get into looking at artificial intelligence, I think it's probably more accelerated in other industries than in the cyber security industry. I think, if you pull back the covers in cyber security buzzwords, that, for most companies, it really is about automation. Maybe they do have a large value for machine learning participating and contributing to that, so I think machine learning is a massive contribution and value because it really ... But it really comes down to, Josh, as you said, it's as good as the data you put in and the model that you've actually created to what you're really going to get in the results because, ultimately, people who created the code ... It is biased by nature.
Josh Lospinoso:
Yep.
Joseph Carson:
I think, ultimately, there is positives. Hopefully this was valuable for the audience and interesting. I think the final from Mike is that blockchain isn't going to solve all your problems.
Mike Gruen:
That ... I'll say this.
Joseph Carson:
It's not going to solve all your cyber security problems either.
Mike Gruen:
Right. I'll say this. I know, when I talk to cyber security vendors, the ones that impress me the most are the ones that say, right off the bat, this isn't AI. This isn't machine learning. This is just statistical analysis, right? We're analyzing the data. We're automating things so that you don't have to, and they're very clear about that. To me, when somebody says that, and I think very specifically. I don't mind naming their name. Signal Sciences, our first call, that's the way that call was. It was amazing. He was like, no, we're not going to pull your chain or your blockchain, for that matter, and say we're doing all these things. We're doing just pure statistics. It's pure analysis. It's not machine ... It's not these things. It's not these crazy things that are buzzwords.
Joseph Carson:
So what you're saying is they ...
Mike Gruen:
I think that's an important thing when you're looking at vendors. I think that's an important thing to take away.
Joseph Carson:
What you're ultimately saying is they hired good developers. That's ultimately truly what you're saying.
Mike Gruen:
Right, and smart marketing people that aren't trying to just ... They're just trying to sell you.
Josh Lospinoso:
Sell you, but they're not trying to sell you.
Mike Gruen:
Right, yeah.
Joseph Carson:
Trying to change the message.
Mike Gruen:
Right.
Joseph Carson:
Yeah. The value is that what really companies should be selling is their developers who are really the ones that's really behind creating it, and rather than trying to create some fictionist message at the end of it. Josh ...
Mike Gruen:
Josh, any ...
Joseph Carson:
Any final words?
Mike Gruen:
Yeah, any final thoughts from you?
Josh Lospinoso:
Yeah, no. This has been awesome, guys. Thanks for having me on. I think what would ... I've been thinking a lot about embedded medical devices recently and cyber security of those things. A couple weeks ago, Neuralink, which is one of Elon Musk's companies that's doing the brain machine interfaces, had some really interesting engineering achievements in making implants on your cranium possible. I think that actual just ... We talked about artificial intelligence and cyber security. We could probably have an episode about intelligence and cyber security and how these devices are going to be implanted all over our bodies eventually and how the hell we secure those things would be, I think, a pretty interesting ...
Mike Gruen:
Yeah.
Joseph Carson:
Yeah, I think absolutely. It's the combination of both cognitive science and neuroscience together. That's really what it's coming into.
Josh Lospinoso:
Right, right.
Joseph Carson:
Because when you start not making computers better, but you start making people better with computers embedded.
Josh Lospinoso:
Right, right. The future is going to be weird.
Mike Gruen:
Right, but people are the worst. We're never going to make them better, anyway.
Josh Lospinoso:
Probably make them worse, if we're being totally honest.
Joseph Carson:
Absolutely. Again, Josh, many thanks for having you on. It's been a great discussion as always.
Josh Lospinoso:
Yeah, thanks for having me.
Joseph Carson:
And for the audience, yeah, for the audience out there, I really want ... If you've got buzzwords or things that you want us to talk about in the future, feel free to throw them on either through social, send us a message, post it up. If there's buzzwords that you see that you would like us to discuss, we're more than happy to bring into the conversation. At the end of the day, safe out there. Make your choices wisely when you're going to look for solutions. Try to actually pull back what the reality is and don't just go off the marketing buzzwords. Again, many thanks, Josh. Mike, as always, great having a chat. For the audience, stay tuned every two weeks. Catch up with us on the 401 Access Denied. Stay safe, look forward to it, and take care. Thank you.
Josh Lospinoso:
See you.