Leah Culver of Breaker and Tom Sparks of YC Answer Your Questions About Security and Podcasting | Transcription

Transcription for the video titled "Leah Culver of Breaker and Tom Sparks of YC Answer Your Questions About Security and Podcasting".


Note: This transcription is split and grouped by topics and subtopics. Timestamps (e.g., 01:53) refer to the original video.


Intro (00:00)

All right, so how about we start with some questions from Twitter? I actually think this one might have been on Facebook. So Brady Simpson asked, "How do we deal with the ever-increasing pressure from governments trying to get into devices?" Tom, do you have an opinion on this one? I do. So I think one of the most important things to think about is that some of this is just legislation-based. However, some vendors do actually care about the privacy and security of their users. Apple's been pretty good about it. Microsoft has actually done a lot of work for this. Previously, when BlackBerry was still a thing, they were basically number one. But right now, Apple's pretty much the most consumer-friendly in terms of security for just your personal devices. They give you a lot of options. They do a lot of stuff behind the scenes to make it really easy. Your passcode is actually backed by some really, really cool stuff. Your fingerprint reader on your phone is pretty simple. It works pretty much all the time. So that's easy security stuff.

Security And Authentication Discussions

Neil Renicker (01:04)

The government trying to subpoena the information from your devices is a lot bigger can of worms. It kind of goes back to the Constitution essentially, like Fourth Amendment stuff. So search and seizure is really kind of in the air with electronic devices. This kind of goes all the way back to the 1960s in terms of personal privacy. In the 60s, the government came up with something called ECHELON, I believe. And that was basically trying to get data to spy on spies. In the 90s, it was Clinton trying to do stuff to catch more spies, basically. And with email and stuff becoming more and more prevalent, they just put in this giant apparatus to do surveillance on the American population. So vendors, when they tackle this, kind of have to go, "What can we do without ticking off the government?" Apple's done a good job of basically saying, "No, we're not going to give you the keys to things. If you want to get into somebody's phone, you're going to have to basically get around the protections we've put in, because we don't want to make something that's intentionally insecure." And they've done pretty well with that. They've gotten some flak from some people.

Pats key opinion on this (02:30)

So as a layperson, what precautions are you taking with your own data? I think for the most part, as long as you use the key code and any sort of biometric authentication on your devices, you're in a good spot. If you don't do any of that, you're just kind of in the wind. The government has pretty deep ability to surveil you. So your phone is probably not really going to be the vector they go after the most unless you're sending encrypted messages and stuff. If you've got Signal, they probably want to see what you're doing. But if they can subpoena you and you don't have good protection on your phone, they're just going to see what's there. They can't make Apple decrypt what you've got. If you've got an Android phone, you're much less well off. So it's really just legislation and using good technology. I believe the Pixel 8, or what is it? The new Samsung phone has some pretty neat stuff built into it. It's got good security. What about you, Leah? Do you do anything in particular? Actually, so I have an iPhone and I have some little paranoia things. I know how to turn off the phone, so if I was panicked. So I actually just got the iPhone X. So I have the facial recognition. But I always tend to get the latest iPhone, so I had the Touch ID as well. And the interesting thing is I think it's much easier for law enforcement to access your phone via Touch ID, like you're saying, through Touch ID or facial recognition. But the nice thing Apple does is if you have three failed attempts or if you shut off your phone, you have to re-enter your passcode. And that's much harder for them to access. So I've practiced, like, powering down my phone. I tend to only put one of my thumbs in the thumbprint so that if I needed to, I could use my other thumb and just pretend like, oh, I'm just nervous, it's not working, until it locks me out. I don't know. Is that all weird and paranoid? But that's great.
But I feel like it's a price you pay, you know, it's like the trade-off for using some of the convenience features. Yeah. But what about on the company side? So at Breaker, how do you guys think about security? Sure. That's a great question. So we basically follow sort of standard web service practices. We have an API on the back end; on the front end, basic iOS stuff. So a big sticking point, a big thing for me as an iOS developer, is keeping private data in the Keychain and not in any other local files, especially not in NSUserDefaults or putting it in the Info.plist file. Don't put stuff in there. You can unzip an app directory to look at anyone's Info.plist, which is great.

Convenience vs. security (05:18)

I actually use it to find out what other apps are doing for certain Apple-specific settings, because they have these weird configurations that you can do for interoperability with other apps. And it never seems to work. So I was just like, download people's apps and unzip them and look at their Info.plist. But yeah, just making sure that as an app developer, when you're storing sensitive data, such as passwords, usernames, any PII, personally identifying information about people, that you are doing so in a thoughtful way. And I think there are a lot of best practices about this. And I don't want to go into all of them, but it's pretty easy to just Google and find out what they all are. And just to be aware of it, just to know that you have sensitive data in your power, and to be really aware that you have a responsibility as an app developer to protect that data. And actually, it was interesting, I was thinking about cloud services and the government accessing cloud services. My last job was at Dropbox, and a lot of other companies do this as well. They publish all of the requests from the government. So the legal team publishes them all online through a disclosure report every year. So you can see what gets asked for. But yeah, and most companies today who are behaving well don't want to be overly generous with providing data to the government, but under certain legal conditions it is necessary. So, making that all very transparent to users when you sign up for a service, knowing sort of how they deal with government requests. Cool. Well, let's go to Brady's second question then. So he asks, why is auth tech changing every few years, from YubiKeys to two-factor auth to thumbprint to face recognition? What are we optimizing for, speed and reliability or security? What's next? Or just what's cool? Yeah.
Honestly, like the Face ID thing, I think I like the Animoji, like the making animals talk, and yeah, I kind of like that more than the actual security part of it. But yeah, it's this trade-off between convenience and security, right? So I think a lot of these new technologies coming out are for convenience. I'd like to hear Tom's thoughts on these things too. I mean, all this stuff is actually really old. It's just that we're actually using it now. Like I went back and looked, and two-factor auth kind of started with one-time passwords. That stuff originated in the 1880s. So it's really not new. Really what it is, is people are becoming more aware of their own security. They want to make sure that whatever personal data they have doesn't get out there. Most people have really terrible passwords and they're sort of like, oh, okay, even if I have this terrible password, if I use this little thing, it'll keep my personal data safe. And I think that's good. I mean, I don't think that the way that we implement it is necessarily what matters. I think it's just the fact that people are using it more and becoming more aware. I think speed and reliability are really important. When you look at what's available, I think if you go back, I have a laptop from the 90s that has a fingerprint reader on it. We never really used it. But it was the thing that you could use.

Update on multi-factor authentication (08:52)

It worked pretty well, actually. Now it's just more ubiquitous. There's more multi-factor auth and things. I think looking forward, I think we'll even see probably like DNA ID. I mean, sensors are getting smaller and smaller all the time. You can detect so many different factors. Humans have unique chemical fingerprints even. So you could have something where it's like, oh, my phone smells me, or something like that. Yeah, heartbeats. Yeah. I've seen that recently. That's pretty cool. What's interesting about this is that, like, it's not just about two, like we talked about two-factor authentication. What it really is, is multi-factor authentication, and having those factors be of different types. I'm going to try and remember the different types. But there is something you know, something you are, like biometric. What's another one? Something you have. So a device. So a device, biometrics, and something you remember, like a password. And so having two different factors, I think, is the key for two-factor authentication. So like a YubiKey is a device, or if you have an authenticator on your phone, like an authenticator app, that's like a device one. The thumbprint and facial recognition are biometrics. And there's pros and cons to each, right? So what I find super interesting is I love the convenience of the face and the thumbprint. But what's really nice about the device and something you remember is you can replace it. So if it were to get stolen, so if someone takes a cast of your thumbprint, it's a lot harder to change your thumbprint than it is to change your password, right? So a nice security feature is the ability to change something. If you feel like it's been compromised, to make a new password or to change up your device. The device one's a huge pain in the ass because every time I get a new iPhone, I spend the next, like, hour switching over all my authenticator keys. It's like, oh my gosh, it's just a pain.

Joel on multi-factor authentication (10:34)

I just did it. Did you read the post about the mask faking out the iPhone X? That's so freaky. Yeah. Have you tried to replicate it? Do you have mask-making materials? Do you have work on it? Yeah, but it's super scary because it's not like you're going to change your face, right? So having it as a second factor, or having that as the, I guess it's the first factor, right? It's the first protection. But having the passcode as the backup for that is super important. Okay. Something that you can change, right? Yeah, I've just been wondering if there's like a line for you guys where you're like, you know what, Face ID?

Aaron on biometric authentication (11:20)

I'm good. Like, I don't need this right now, because I'm going to, like, just like you said, there is a point at which if someone hacks you or figures out a way or some exploit, it's open forever. Are there certain, like, or is the convenience also for security-minded people just so high that you opt into it? I love the convenience. So I'm a big 1Password user. So I don't actually know any of my passwords except my 1Password one. And now it's two taps, I think. You tap once on the button that says, look up my password, and it does the face or watch condition, I don't know, password. And then you tap the password that you want to enter. It's just because it knows what site it's on or whatever. And it's just so fast. It's just tap, tap. Whereas, you know, I've been using a password manager for ages and it's such a pain to, like, switch apps, like get the password, copy it, paste it in. So the convenience is phenomenal. But what is the risk? I hope no one makes a mask of my face. So do you use any two-factor devices or biometric stuff? Yeah, I mean, I, well, I don't do as much data center stuff anymore, but, you know, I've definitely done a lot of the biometric auth stuff. Funnily enough, a buddy of mine was the first person to break the Touch ID on the iPhone. He also recently published something about the guys who did the mask thing. What do you mean by break? You, like, copied someone's fingerprints? Basically, yeah. I mean, there's a few things that Apple did to try to make sure that there's some liveness and some other stuff, but, you know, it's hardware at the end of the day. So it's a little fallible, but it's not bad. Yeah, like there's the setting on the facial recognition where if your eyes are closed, it won't read your face, which is really crea-, because I assume that's, like, to protect yourself, you could just close your eyes. It's so obvious. It's not like the left thumb, right thumb thing that you're talking about.
Like if you show your phone to your face and you close your eyes, someone knows that you're trying to fake it. I guess, but did you guys know? I mean, I didn't know about this. It's a really weird feature. Yeah. So someone asked Tom specifically about YC. So Rick Deacon asked, what precautions does YC take to protect data?

What are current security concerns in cryptocurrency? (13:38)

So, I mean, we deploy, you know, best practices. We don't do anything, you know, super, super scary. You know, we just make sure that we know where our users are. We make sure that people use strong passwords. We use, you know, strong encryption, VPN. Yeah, VPN is an easy one. You know, we have some dedicated hardware and stuff for VPNing. So that is kind of a little harder to remotely get into. But, you know, best practice stuff, we stick to it. You know, we do not, you know, have nuclear secrets or anything like that. So, you know, I'm not worried about someone parachuting in with, you know, machine guns and chainsaws. You know, our stuff is pretty, it's pretty open. I mean, if you're a YC founder, your data is well protected. And we want to make sure that that stays that way. But, you know, we're not going to, you know, do DNA ID to get into something, right. So, you know, we do a pretty good job of just making sure that everything's pretty buttoned down, and code reviews. That's kind of the biggest thing. You know, that's all pretty, pretty easy. Our developers are great. So, we're lucky in that aspect. So, yeah, it's a really good team. So, that helps.

What is the future of YC startup security? (15:05)

I would agree with that. Rick also asked another question. He asked, what is the future of security for startups? Do you guys have strong opinions here? I think there's a good trend of people just not reinventing the wheel for security. Reinventing the wheel is pretty much the worst thing you can do. I mean, every time we see, you know, a big hack, it's because somebody did something where they're like, oh, I'm going to be really clever and reinvent this thing. And like, cool. You know, you forgot this one thing where if you add an extra zero or something, like, oh, hey, look, this password is in the clear. So, that happens. I think outsourcing auth is a really important thing. You know, Auth0 is great. You know, SAML is great. Most companies don't really need to worry about auth, you know, in that way. You know, Facebook auth is great. It's ubiquitous. It's pretty solid, you know, well-run company. You know, it's everywhere. You don't need to reinvent that wheel. I think, you know, moving forward, like really, it's just going to be what companies need. You know, most startups don't need, you know, crazy military-grade stuff. They don't need HSMs. They don't need TPMs even. Your phone has a TPM in it, but like, you know, it's so ubiquitous that you don't need it. So having, you know, something like Auth0 just removes the need for really trying to have to build in a lot of security. You know, beyond that, a lot of CI, continuous integration, software has, you know, things where you can just sort of turn on, like, code checking. You can do, you know, easy, easy bounds checking. You can do a lot of security stuff just automatically. And it's really nice. You know, you don't even, I mean, most developers do care somewhat about it, but, you know, when you get the intern in and they're like, oh, yeah, I think, you know, I wrote this great function that, you know, has, you know, one thing in it, right? Like, they're not necessarily going to know.
So that's why having some oversight is good. But, you know, frameworks eliminate a lot of these problems. There's a lot of really great frameworks out now. I think really now more than ever, there's just a lot of really good stuff. Go has some pretty interesting stuff in it, just in terms of, you know, programming-level security. You know, I made the joke the other day that, you know, if you need random numbers, the best way to get them is to use a language that doesn't have any sanity checking in it at all. And a new developer. Yeah. Because they won't even know that they need to do memory management. There's something already there. So yeah. And Leah, would you advise the same thing?

How do you balance security with user experience? (17:42)

I totally agree with Tom. I think when you're looking to build a website or an app or something, to use best practices is the way to go. And these things are sort of open standards and open protocols for a reason, because large teams of people work on them. So I worked on OAuth, the first version, which is maybe not as good as subsequent versions, but I worked on the first version. But it was a large team. I'd say at any given time, we had, you know, 20, 30 people working on different parts of it. And I'm personally not a security expert. I'm a security hobbyist. So it was fun to work with folks from, like, Google, Yahoo, Mint.com, like financial institutions, who definitely had more at stake, since I was working on a social network at the time, a little less at stake than financial data. But it was nice to have them sanity check, especially all the algorithms for hashing, and to make sure that we were kind of doing things in a way that could protect against known attacks, things that people knew were, like, you know, vulnerabilities and vectors. But nowadays, like, as just an app or web developer, you don't have to think about any of that, right? Like you have to use Facebook Login. It's like you download an SDK and you, like, follow the instructions and it just works and it's secure and fantastic. And let Facebook deal with it, right? Like, it's really great. But that being said, I do think there is still room to innovate on sort of the user experience side of security. So that's when we talk about things like Face ID or, like, sort of new, what can we do now that we couldn't do, you know, 10 years ago that we would have liked to, right? So some of that stuff is fun to play with.

I'm always interested in things like user login (19:24)

I'm really interested. So after working on OAuth, I'm still really interested in sort of, like, user login. And especially protecting against targeted attacks is, like, one of my fun hobbies. And so some of the stuff you see now that I'm super interested in is when you log in on a new device, that you get an email about it; if your password changes, that you get notified; how do you prevent, you know, someone changing the email address and changing the password at the same time, like too close together. Some of those things are just, like, product things to think about. Like if you're developing a product that you need to be secure, like what can you do in the case of both sort of just general attacks to get data from your database, or the more, like, targeted attacks, which is kind of, I don't know why that's interesting to me. I just find it, like, fascinating, especially in the age of, like, Instagram celebrities and things. Like, I think it's pretty interesting.

Are There One Or Two Security Concerns That No One Talks About In The Crypto Space? (20:08)

And people in general aren't super good about security. So how can we as app developers protect someone in the case that they do have a terrible password? Well, I think you saw it, you know, with people porting phone numbers for crypto stuff in particular. Oh my gosh. Those are giant. Those are horrible. It really brought to attention how badly the cell phone companies were prepared for multi-factor authentication. Like, I don't use my phone for multi-factor authentication. I would highly recommend against it. You mean SMS? Yeah, not using SMS or phone calls or anything like that as a factor. So you use Google Authenticator? Yeah, yeah, or a similar application. There's, like, Authy. There's some other ones. They're pretty good. Okay. Or YubiKey or, you know, any of these. There's a lot of other options. I just, you know, like when you're relying on someone who gets probably paid minimum wage to sort of, like, be phone support, I don't know if I would be counting on that. No, totally. And do you have crypto thoughts in general? So, Seif. I told you this before the podcast, Tom. I get a name wrong every time. Seif Olahe asked, what are the most recent security concerns in crypto, or cryptocurrency? Just to be clear. I think really it's just, you know, it's new. People are getting used to it. You know, people are sort of inventing their own languages to go along with them. You know, what we were talking about earlier with Ethereum the other week, where somebody kind of deleted a really important function out of a contract. You know that that stuff will happen and, you know, people will just, you know, take that lesson and move on. I don't think cryptocurrencies are necessarily more or less secure than anything else. I mean, cash, if you leave it on a table, somebody's probably going to walk off with it. You know, we saw a lot of early Bitcoin stuff go away because people were using, like, horribly insecure hosting stuff.
You know, hopefully people don't continue that, but I'm sure it will. I mean, people leave their wallets with, you know, passwords of, like, one, two, three, four on their laptops. Some people, I have seen wallets stored on public anonymous FTP sites with, like, a password of, like, one. You know, it's, like, basic stuff. I mean, you know, you can't protect users from themselves, really. I don't think crypto specifically has a problem. I think it's interesting to see how people are using it. I think it's kind of nice that, you know, you can have it be so ubiquitous. And it sort of brings power back to the people who use it a little bit, versus, like, with cash or, like, oh, central bank, you know, you have to do this, but I'm not a crypto libertarian on this issue at all. Yeah, I actually, I'm fascinated by, I love the blockchain as a technology from, like, a database ledger kind of perspective. And actually, I have a podcast to recommend, since I work on a podcast.

Is Decentralization Really All It Seems To Be? Or Is It Just Built On The Old Systems? (23:26)

Yeah. There's a show called Invest Like the Best. And they have a three-part series called Hashpower. And it's on the technology behind the blockchain and Bitcoin, and also investing. And I think they have a couple other topics that they cover, sort of, like, kind of a broad look at everything to do with cryptocurrency. And I loved it because I knew sort of the general idea, but I didn't know, like, the history or, like, so much in depth about it. But it was excellent. And what is interesting to me personally is distributed versus centralized systems and how they play out. I feel like the blockchain is the first really distributed system we've seen become quite popular in recent memory. I mean, the internet itself is a large distributed system. So I can't say it's, like, the only really interesting distributed system. But what we've been seeing with the internet is a centralization. Like, we've been seeing centralized powers, especially with the large tech companies now really consolidating, right, like Facebook having eight of the top 10 apps in the App Store, right? So the large amassing of power and user data with very few companies. And what's interesting to me about the blockchain is taking that back a little bit. And there is some centralization around the blockchain. Like, there are, like, mining conglomerates, there are services that will host and store your data for you. So cloud services, instead of using, like, a physical device to store your private keys, you could use a cloud service. And what's interesting about that is, like, the insurance factor of it. So when you think about, like, banks and how your money is insured, seeing these companies come up with, like, now we're going to insure cryptocurrency. And it's like, oh, this is interesting, right? It's basically like rebuilding a banking system built for, like, the internet age. It's really, it's super interesting. And I'm not sure how it's all going to play out.
And I agree, one of the biggest security concerns right now, and I'd say the number one, is user error, right? I totally agree with that. I think that the fact that it's decentralized kind of protects against a lot of, like, fraud or malicious intent by centralized power. But it makes it really hard to recover your data, if anything happens. Yeah, so fascinating. Yeah, so I mean, it's kind of like measure twice, cut once before you send someone a bunch of Ethereum.

Podcast Production And Testing

Favorite Podcasts (25:54)

Yeah, this has happened a bunch on just private Slacks around ICOs. People post fake ones, like, they'll steal the avatar from the creator and create an account in that Slack and then post an address, like, a minute before the ICO will happen. And it's just like, it's a torrent of money flows to them. And it's all a scam, and it's like, huh, there we go. Gone. Yeah, oh, wow. Yeah, yeah, just be very careful. I don't know. I have no idea how one establishes trust with cryptocurrencies other than by using centralized systems. It's very difficult. Yeah, I don't know. Well, you did mention podcasts, and we should talk about podcasts here. So let's jump up to Kat's question. So Kat Mañalac, partner at YC, threw a question out. Let's start with the first part. What are your favorite podcasts? Oh, that's a great question. And actually my big thing is, I want to just put a plug for Breaker here. You should follow me on Breaker and you can easily see what my favorite podcasts are. What's great about Breaker is it's social. You can see what people are listening to. You can see what they subscribe to. You can see what people are liking. You can see what podcast episodes are hot. Actually, I found this Hashpower series because it became popular on Breaker. It got a lot of attention, a lot of comments. And I normally wouldn't listen to a podcast called Invest Like the Best. But it definitely was an interesting series. So podcasts that don't exist that I wish did. I think right now on Breaker, it's a lot of tech. It's a lot of startups. It wasn't that in the early days with a few users. We have more true crime, comedy. So what I guess, what I'd like is, I personally love storytelling. So I'd like to hear more diverse stories. So stories from people you wouldn't normally hear on podcasts. I guess that would be my request. So if you out there are listeners and you think you have something unique to say, go for it. Before we go further, Tom, did you have a favorite podcast?
So I don't really do a lot of podcasts. But I think my favorite sort of equivalent of that is called Life of Boris. It's about this Slavic YouTube dude who, like, posts videos and does a bunch of Q&A with his fans. It's pretty funny because it basically hearkens back to a lot of the Cold War era stuff. It's kind of fun. It's pretty goofy. He talks about all kinds of stuff. The gamut of video games, cars, cooking. I learned how to cook a bunch of Russian stuff from it. So I kind of like that kind of variety. But otherwise, I mean, I think the podcasts that are missing for me are just really in-depth security stuff. There's a lot more blogging around that kind of stuff because you can't really show a breadboard on a podcast. But I definitely would like to find out about it. So I'm definitely interested in ways that I can find new stuff.

Past Mistakes (29:08)

So I'm definitely going to probably spend a little more time with Breaker. Yeah. I'll second the request for security podcasts, though. I listen to a ton of Swift podcasts and a couple Python ones. And I've been less able to find more general security, DevOps, that sort of thing. So that's definitely an area that someone could make up on. Yeah, I've been so impressed with the Breaker search. That's my favorite part by far. Yeah, I really like that. So Kat asked a second question, and she asked, "What mistakes did you make with your first company that you know not to repeat on the second?" And Tom is a founder as well. So this is a valid question for both of you. Yeah, I'm curious what Tom has to say. Yeah. Oh, mistakes? I don't know. I mean, like, let's see, I've been doing startups since I was, like, 15 years old. So I've seen a lot of mistakes. I think one of the biggest ones is just poorly spending your money. I worked at a startup where we had a shag-carpet-walled music room. I'm pretty sure that I knew what else happened there. You know, we spent ridiculous amounts of money on things. We bought Napster for, like, a month. Yeah, right? I know. So, like, acquired Napster, acquired Napster for a month and then gave it back. So, like, there's all kinds of weird stuff like that that happened in sort of, like, the early boom. You know, now I think money, even though it's pretty easily available to entrepreneurs, I think, you know, still paying attention to where you spend your money is key. Like, some of PG's early stuff about, you know, like, don't go get an office, work out of your house. You know, a lot of the YC ethos is really, really stuff that I recommend people stick to, because it's just, it's so easy to be like, oh yeah, I got all this money. I'm gonna go get a flashy car. I'm gonna go get a nice office. I'm gonna go, you know, buy the best screens and stuff for me.
And then they just spend their time, you know, derping around on, like, trying to be, like, whatever they feel like makes them a successful founder rather than, yeah, playing startup. Scenestering, I think, is kind of another good term for it. I mean, those parties are fun, but they don't get your company anywhere. So other people's movies are playing stuff. Yeah. Just take the fruit. Yeah. So I'm the opposite. I'm so frugal. All of my startups have pretty much run on, I don't know, steam, air. So yeah, we're still, even Breaker is still very frugal as a company. But I've definitely had other issues. Mine, it's sort of the opposite, it's asking for help. So going out and trying to build, I think I've always thought, oh, I can build it. I should just build it, as opposed to, how do I get other people involved in my company? How do I have other people care about this? How can we build something better together? How can I listen more to users? How can, you know, and now everything we do with Breaker is super user-feedback focused. It's just, what do people want? Let's just build what everyone wants. And it's just a totally different approach than, I'm building something that I want for myself. Right. So it's been much more rewarding, like, building things because people actually are asking you for them. It's just so easy to do. It's a little hard to get over the ego of, like, oh, there's a bug here and someone's talking about it, or hey, you don't have this feature yet. I'm sorry. But that's really been a huge, huge change for me. The other thing is more personal. My first few startups I struggled with myself as a founder and not really fitting the mold of what I thought a startup founder would be like. Same for a developer, starting off even as a developer. I used to get these programming books that were like, developers like us, and they'd have pictures on the front that look nothing like me. I was like, I don't know.
So it's figuring out and it's not just like the way I look, but it's also my personality. I don't feel like I am a startup founder. But that is also sort of coming to terms with that is like I have this mantra every day that I get up and I say I can only be the best person that I am. Like sort of be true to myself and that I don't have to be exactly like Steve Jobs or Mark Zuckerberg or Elon Musk. That's never going to happen. I would say that's also a good thing. Yeah. Yeah. But you know there are definitely like a wider variety of founders out there that don't get as much like glory in the press and the media that are still phenomenal. Founders running huge companies just maybe less exciting than. Yeah. Or just like less flashy. I mean it's just chance and maybe running a business that's not particularly sexy, which is always hard. So you mentioned user testing now that you guys are a little bit bigger than you were during YC, like giving it to me and being like, hey, what do you like about? Yeah. How are you doing user testing at a larger scale now?

How You Test Your Users (34:08)

Yeah. We have several different ways that we collect data from users. We have just an in-app bug reporting tool. It's kind of the most direct. You can actually just send us an email. If you take a screenshot in the app, it actually prompts you like, hey, did you see a bug? Do you want to send it to us? Which is great. It's a tool called Buglife. So we love Buglife. We use Mixpanel for implicit user testing. This is actually, I would say, almost more valuable than what people tell you is what they do. So we use it for things like testing retention, doing funnels, so knowing when people drop off in a particular, like if we want them to take a particular action, what happens that they tend to not do that? A/B testing. So we actually, we don't do a ton of A/B testing, but we do with things like search and discovery, do more A/B testing and sort of like, what do people actually want here? What are they actually tapping on? What are they listening to? What gets them excited? So those are probably our two biggest tools for collecting user feedback. We are starting to do more user experience testing, and we're about to send out our first survey, which I'm always a little bit like, oh, I don't know if it's a little survey.

Surprises in using the podcast app (35:14)

I like that people reach out and give us feedback directly. We get a lot of email feedback. Have there been any surprises in the product you designed and how it ended up being used? Oh, yeah, definitely. I'm trying to think of a good example, but there's like stuff every day that just, you know, the way that I use a podcast app is not the way that everyone else does. And we sort of in our mind have this like ideal user of who you want to be a Breaker user, and it's not like a hardcore podcast listener. We're not on the extreme of the spectrum, like you're listening to podcasts all day, and you're very fussy about your settings. But on the other hand, it's someone that we want to be more long-term engaged with the product. So it's not just someone who's going to drop in and listen to one episode. We really want to, you know, get people into podcasting and get people into listening to podcasts the same way that you would like watch Netflix, right? Like, we want people to be as excited about a new episode of their favorite show as a podcast as they are the next episode of their favorite show, which is exciting and really fun. And I think there's a lot of room for podcasts to grow to really fit that. And I hope that Breaker can be part of that. Like the whole industry of podcasting needs to grow in order for it to be a really exciting business opportunity. I mean, I think it's 250 million a year now in like ad revenues, which is like tiny considering how much people talk about podcasting. Yes. Yes. I think there's definitely room to grow. And that was one of the reasons I started Breaker. I was looking for a market that wasn't saturated, that wasn't that was growing, but could be accelerated by technology. Why do you think the iOS podcast app is so popular? Because it comes installed on the phone by default. I know, but Apple Maps is garbage. And it like Apple Maps got usurped by Google Maps, right? I guess it might be better now. I haven't used it. Yeah. 
Well, hopefully Breaker will take over and be the thing. Yeah. I mean, this is what we're going for. It's like, how do you become better than what comes installed on the phone and that's it's a hard problem. Yeah. Okay. But a fun one. Absolutely. Yeah. And so Backtracks, who's actually our podcast host, they tweeted at you. They asked what's the most difficult challenge in podcast discovery. So for, I have a very strong opinion on this. I will lay it out there. We do episode discovery, not show discovery. The distinction there is there are a lot of podcasts being produced these days where a particular episode will really get you. So it's more topic based episodes or story based episodes. There's a couple, there's a few podcasts that are like, or many podcasts that are serialized formats or have like a longer story to tell. But when we're talking about individual stories, I think what gets people hooked on a podcast is a good story. It's like watching a good clip of SNL, right? Like sometimes you just want to know what the good, good parts are. So for us, we want to highlight the good episodes based on users liking them, listening to them, commenting on them. And that's what we highlight in Breaker. It's what is hot right now, not based on like, so Apple uses editors. They have people who go in and say, "Hey, you should like this show," because we as an Apple editor think it then's like, "I just want to know what's the best episode right now. Like what's the one that everyone's listening to?" Yeah. And so Alan Lee, so you mentioned, uh, Netflix before, Netflix podcast, Alan Lee asks, "I love Breaker.

Alan Lee podcast pitch (38:27)

How's Breaker going to be the Netflix of podcasting in the future?" Alan Lee with the long-term vision, basically giving our pitch. So that's sort of what we, our goal is to become this source of really great content. What I find interesting is I think that podcasts are getting better in quality in terms of the storytelling and the shows, but I don't know that they've quite reached the level of the Game of Thrones of podcasts. That's when we talk about a lot. It's like right now we're seeing some of these really good podcasts, but we haven't hit the show. I mean, we've had Serial, which was a big, big popular show, a big popular podcast, but where, you know, and it's really a chicken and egg problem. Like if we had that show, would it be just distributed across all podcast networks? Could we actually make money off of that kind of show if we had a show big enough? But is there a big enough audience on Breaker yet to make it interesting to have a big show? So I think we're kind of taking the approach of trying to gain a large audience using Breaker and then be able to present them with unique content that is of the quality of something like a Game of Thrones or a House of Cards to produce, but it's actually much cheaper and easier to produce a podcast than a television show. It's like 100x more expensive to produce a television show than to produce a podcast, a quality podcast. Are you working on your own yet original content? I am not a, I don't make podcasts. I'm definitely on the technical side. I have much respect for people who are storytellers. I actually just went to a live podcast, Hey, famous weekend or a live podcast show. They were actually playing back an episode that they hadn't aired of Love and Radio. I'll give them a shout out, but it was, it's super interesting. And I got to talking afterwards about storytelling and how it in itself is a skill. And I just don't have any time to work on developing, developing that, but Craig, you, you have a podcast. 
Working on it. Yeah. Do you have any questions? Yeah. Do you feel like your strategy has evolved over time, sort of like given feedback from listeners and how have you, how has the podcast changed? So this is the second podcast I've done. So the first podcast I did was called Salt of the Earth, and we interviewed small business owners that were funny.

Producing the Podcast (41:06)

And it was a great podcast. I had a lot of fun doing it, but finding guests was really hard, especially because they're often, you know, just obscure small business owners. And so not only is that difficult, but then distribution becomes a real challenge. So that's super hard. Like distribution across like almost every podcast is super difficult. So with this one, we do YouTube and YouTube works really well. Aside from that, my strat, like in terms of host style, I don't know what you mean. Yeah. Yeah. Your approach to how you do interviews, because you both interview shows, right? Yeah, they're both interview shows. I've recognized how important it is to control the energy in the room. And as the host, it's totally on you. A lot of people think, Oh, you know, I'll just bring in Leah and Tom, and they're going to be super fun. This is going to be great. And you are both super fun. But that's not the case. Like you have to like have a certain energy about you and keep it going. Transitioning is always difficult between subjects. And I think one thing that's maybe obvious to the listeners and the YouTube people is that I introduce people in the podcast edit, rather than having people introduce themselves, because that can be a little like it kind of takes the air of the room. If someone's not used to introducing themselves. Oh, yeah, I guess, would you say that startup founders are better at introducing themselves than Salt of the Earth interviewees? It's totally sales. Right. Like if you're good at sales, you can really like come and like make it super engaging. But more often than not, people are just like, you know, they're just modest, right? So like both of you guys are coming and it's like, hey, you know, like I'm Leah. I work on Breaker. And it's cool and everything. But the reality is that you have to you want to get someone hooked really early on in the podcast. And so that's when the energy has to come. 
So if you start out with like, Hey, Leah, what do you do? Yeah. Then it's not quite as good. So yeah, I would do that. We edit the podcast. I think a lot of people are like, I don't have to edit. Like, I'll just go. And I feel like I think a lot of people don't realize how edited a lot of the most popular shows are. Oh, yeah. I just in an interview on a show called Hack to Start, they edit them. I didn't realize it because it has a very natural interview type feel. So I listened to a few episodes and I went on the show. And so I then could compare what I said versus what came out. And it's so much better. What came out. Very heavily edited without sounding edited, which I thought was amazing. And I know you do a little less editing. It's not that much. Yeah. Yeah. I really admire Joe Rogan's podcast, because like they can keep like a three hour conversation, like at high energy and fun. And they transition pretty well.

Data Points And Passive Sharing-Informed Analyses

A Pet Peeve Music and Pods (43:49)

And that's something that I've been trying to get better at doing, but it's difficult, especially video, right? Because the continuity becomes an issue. If you're just like cutting all over the place, whereas if you looked at the time and like the time something was recorded for Serial and then like placed it back into the episode, it's all over the place. Yeah. And actually that's something I wish I saw more podcasts do. So another request for podcasts is to incorporate music legally, of course, sounds, sort of using exploring audio more as an art form. I've definitely listened to some pieces that do that. And it does make a huge difference. It's not necessarily the best thing for like interview type shows. But there are shows and stories you can tell where adding those elements in really helps. Yeah. I would also say to podcasters, definitely transcribe yourself, because Google is not friendly to audio. And you want that like index stuff right there. Yeah. It's pretty cheap to do now. Which is actually something we're thinking about starting to do for Breaker too, and get into like future ideas. We have some pretty crazy ideas. Yeah. I mean, if you can talk about it, let's do it. So we do want to eventually transcribe podcasts that are on Breaker, which is pretty much every podcast.

The Blindness Problem (45:02)

However, right now there's some options where you can pay to have things transcribed, either by a human or a robot to varying degrees of success. But they're fairly expensive and cost prohibitive for something like Breaker, where we have millions of episodes. What else do you guys want to talk about? I found a company doing what I did with CryptoSeal when you live it now. And like they have more adoption. It's kind of funny. They're called EnvKey. And they're basically doing secret management for app developers. I love all of the... I think there's a huge opportunity in security to do sort of secret management. Like right now things are just like, oh, put in an env variable or whatever. It's like so bad. And for us, as soon as you have a team of more than like two people, you need to be sharing all sorts of private information. And with companies, it's like if someone joins the company, you got to set it all up. If they leave, you have to somehow like revoke all these tokens, right? So it's pretty terrible right now. I think there's a huge opportunity there. Yeah. I mean, that was the thing that we tried to address with CryptoSeal was that we had all felt the pain of managing secrets and stuff like that. And some secrets were more secret than others.

Security (46:15)

But it's still a tough problem. It's still something that developers hate to deal with. People still share passwords and like spreadsheets and stuff like that, which just kind of makes me want to hide my head, my hands. But there's technology coming out there for it. I believe Lyft actually published something that's actually kind of useful. It's pretty interesting. This is an area where I have a lot of background because I've got a patent on it all. But it's interesting to see what things come back around in terms of security. But password management still, it's a huge problem. Nobody really does it all that well, especially for developers. It's a huge pain in the butt. So anything that makes that easier, I'm all in for. So that's kind of neat. Beyond that, I think if somebody wants to fund a DNA sensor for your phone, I think that's probably going to be a good market. I know that there's some companies out there doing some more sort of weird bio-aware sensors. And I think that'll be pretty interesting. If you look at the last five years with people paying attention to all their personal metrics and stuff, everybody's got a Fitbit. Everybody's got something that tracks their steps or whatever. I think that stuff is going to be pretty interesting. It's going to get more in depth. Five years will probably have a scale that'll be like, "Oh, you should probably cut out eating this, or you should eat more of this," or something like that. I think we'll see some pretty interesting consumer technologies come out of weird potentially security stuff. So if you weren't working at YC, what startup would you work on? I mean, start. I mean, I definitely think that there's a lot of room for more security stuff. I think there's a lot more things that can be done with end-user metrics. If you go back and look at a good example for security is DDoS. It's still a thing. It's been around forever. The first big DDoS, I remember, was against eBay in 1997 or something. 
That's 20 years ago. So this is still a problem. They're just getting bigger and bigger and bigger. My current method of mitigation is telling people to go get CloudFlare. It's the simplest thing.

Zeitles analysis of Data Points (48:49)

I think there's going to be more stuff in that space, especially as people start publishing more interesting things. I think that the internet's still in its infancy in a way because Facebook is like micro-blogging for everybody, but it's really not. It's not that ubiquitous. People, Instagram is a little bit more ubiquitous. People take pictures of their food all the time.

That's whatever it is. It's interaction. I think we'll have people doing more life-logging kind of stuff.

Startups Passive Sharing(Breaker) (49:27)

I think when we see more of that, we'll get a lot more interesting perspectives on people. Yeah. I love this thought. I love that you're getting into biometrics. I love passive sharing as a concept. There aren't very many apps currently that do it. They're like, "Oh, could there be another social network?" Something I'm fascinated by and haven't seen it done super well is like, for example, Breaker and things like Spotify tell you what you've listened to and show other people what you've listened to in the past. It's like a passive behavior. Not intentionally sharing that. But there was for a while, I think, Path did some really interesting stuff with passive sharing. If you had these monitors turned on, you could publish that right now. A lot of the health data and sensors, even things like Fitbit aren't extremely social. You can see other people's step counts, but they're not everything that you could potentially be sharing. It's questions of, "What is interesting to see?" I'm a lurker. I love it. My favorite part of Breaker is seeing what people listen to. I'm like, "Ooh, so and so listened to this episode. Oh, that's so interesting." Is there incognito in Breaker? We're actually really discussing that pretty heavily right now. We've had a lot of users. When we were very small, we didn't get as much request for privacy. Now we're getting a lot more. We're figuring out how we want to do privacy on Breaker right now. If you have thoughts on it, send us an email. All right. What's your email? I'm thinking about it. Feedback@breaker.audio. You send it to feedback. I actually see every single email that goes to feedback. I don't think it's going into a black hole. We actually do look at that. If you have thoughts on how you want privacy implemented, we really want to encourage people to share what they're listening to. Passive is the easiest way to do it. You don't have to think about sharing it. It's not tricky. There's this level of comfort. 
How comfortable are you with sharing that? I remember getting a streaming music service for the first time. I actually used the audio. Having people see what I listened to, it's like, "Oh my gosh, this is so interesting." No, I don't care. I listened to Hanson's Christmas album, "This Winter," no big deal. If you weren't working on Breaker, do you have thoughts on a startup you might be into? I actually would probably work on an open source project. I'm fascinated with the idea of, right now there's a lot of, I'm going to sound really trite saying this, but there's a mobile and web development are pretty separate. I'm fascinated by projects like Swift on the server and React on the device. But I think there's a little too idealistic still. I think I would want to work on practical reusability and frameworks. I love Swift. I'd love to get involved with what IBM is doing with Swift on the server. I don't know, that's not super exciting.

Starting With Cybersecurity

Get started with cybersecurity (52:20)

I'd go a little bit more back to my open source roots and work on it. I've never built a framework or worked on a language. I would love to do that. It's a point in my life. Yeah, totally. Cool. All right, guys. If someone wants to get into security or building podcatchers, what would you recommend? What should they check out? There's honestly not a lot of stuff out there. I used to tell people, "Oh, if you're really then interested, go to DEF CON." That's not really a great idea because it's just not. It's fun, but the amount of learning you might get done will probably be erased by the amount of partying you do. I think just trying to read through blogs and stuff like that. Honestly, Hacker News has some pretty good security stuff to get submitted to it. Hacker News is a great resource. Capture the flag. Activities have been super fun. That's how I got a little more into it was trying that. I'm still terrible, by the way. I'm no good at catching. It's a little bit beyond me, but that helped me learn some of the techniques and some of the common exploits. They start to follow that. I don't know how close are things that you do in a Capture the Flag event to real-world security issues. It depends upon how well they were set up. I guess I won't really totally go into my heavy background, but there's a lot of stuff that you can simulate pretty easily. There's a lot of hilarious technology that's still around from when I was a kid that people were breaking into left and right. You'd just laugh. I think a good way to see that kind of stuff is really... If you want to go into the weeds, you can look through Shodan and find something interesting there. Then start to read up on how it works. The IoT security is going to be a really big thing. Getting pieces of common IoT equipment is pretty easy. It's maybe 10-15 bucks. You can get a little programmable computer, essentially, and start poking away at it. 
I dug into MicroPython and submitted some patches and did some cool stuff with some boards and had a lot of fun at cost-meeting in a 10-box. You can get started pretty easily doing some of the basics. If you're looking for ways to learn how to exploit stuff, you can actually, insecure.org, has some really great mailing list stuff on it. You can see what's new. Looking through new CVEs is an interesting way of learning about stuff. There's really not a great way to get an intro aside from having somebody mentor you or essentially breaking the law right now, which I do not recommend. I was like, "Oh, capture this like you're like, 'Oh, breaking the law.'" I'll take you one step further. Do you have any favorite last questions from podcasts?

Philosophies that are silly (55:36)

Okay. Is there any common philosophies and software development or security that you disagree with? I mean, there are some old-school methodologies of things where it was really kind of security by obscurity. That stuff is just BS, basically. I think if you want to be a good software developer, you have to be good at the tools you use regularly. I know, I think, three or four programming languages. I don't think that's really super useful advice. I know law code. I know some pretty silly stuff. Doing esoteric stuff is not recommended on either side. I don't think I can think of a methodology that would be good or bad. I think some people rely a little bit too much, maybe on source code control. I feel like maybe the Git security model is pretty bad when you compare it to some of the older stuff, but the usability you get out of it is way, way higher. I don't think those things really go together. I don't know. Yeah, I think I just fall on the side of being really good with your tool rather than always looking for the newest tool. Because it's been tiring to me with my limited experience as an engineer, where it's like, "Oh, you have to use this language or this framework or this thing." And just like, "How about we just get really good at Python or choose your tool?" But that would be mine. How about you? That's a really good one.

Specialization Theory

Stop being a jack-of-all-trades (57:23)

Oh, man, I just had some in the night. I just forgot them all. That was such a good one. I love it. Yeah, yeah.