A̶l̶m̶o̶s̶t̶ every route in cybersecurity lands on empathy. Despite its ultimate goal of protecting data, information security remains a people-focused discipline, with paths that lead to it as varied as they come.
Yet the magic happens when hackers with the most unconventional backgrounds use their hacking skills to break down things and reconnect them in surprising ways. My guest, Pete Herzog, a humble giant in the cybersecurity space, is the perfect example of this.
Pete is the Co-founder and Managing Director of ISECOM and the Co-founder of Urvin AI, Mewt, and Invisibles. On top of his immense contribution to cybersecurity, his diverse range of interests also materialized in a collection of fascinating neurohacking tools.
Join us for an exploration of the hacker mindset at the intersection of hacking, neuroscience, and music!
Pete's unconventional route to cybersecurity has a lot to teach us, as does his innate ability to combine multiple disciplines in remarkable ways. I talked to Pete about Hacker Highschool, the project he started to bring cybersecurity education to teenagers, the spark that lit the creation of neurohacking music and Invisibles, the Open Source Security Testing Methodology Manual (OSSTMM), his thoughts on trust, empathy in cybersecurity, and much more.
Tune into this episode to get:
A glimpse into Pete's background and how his passion project - neurohacking music - started (4:00)
Insight into Pete's "unconventional" background and how it molded his approach to cybersecurity (16:30)
Why our difficult experiences are what (should) make us empathetic (23:30)
Why Hackers Highschool is such an important project for this community (26:00)
Pete’s thoughts on "zero trust" and the creation of the OSSTMM (31:10)
Pere is an experienced hacker with a profound understanding of security, AI, and business.
As an active security researcher, investigator, and threat analyst, he develops tools and techniques to deliver exceptional services for clients facing unique challenges.
Known for his discretion, straightforwardness, and dependability, Pete has co-created the OSSTMM, a standard for security testing and analysis, and continues to lead its research efforts with an international team.
Pete's also the co-creator of Hacker Highschool, a free cybersecurity curriculum for teens. While he is rarely available for conferences or training, he makes time to video conference with classrooms, offering guidance to students in security.
- Pete on Twitter
- Pete's post on what cybersecurity is about
- Pete's tweet on being nice in cybersecurity
- Hacker Highschool
- Invisibles' website
- @GenXBanshee tweet on Pete's Invisibles neuro hacking music
- Xavi De La Iglesia
- Binaural Beats
- Transcranial direct-current stimulation
- OSSTMM (The Open Source Security Testing Methodology Manual)
[00:57] Andra Zaharia: The people who know today's guest have just absolutely wonderful remarks about him. That's because Pete Herzog is one of the most interesting people in cybersecurity — not just interesting, but he's a deep thinker; he is an avid researcher; he's a great human; and he's a very, very generous contributor. And honestly, for me, he's a role model for what you can achieve in this field if you commit to it, if you put all of yourself into it, and if you let your curiosity drive you through the various stages of your life. Some people call him a visionary, and some people call him unconventional. And those two things go so well together because Pete is a brilliant security professional and one of the few scientists in this space, in the sense of his methodical approach to everything. We talked about neurohacking, and how he actually created music that helps your brain either go to sleep or achieve things much faster and with more efficiency than you would have expected. This is just a side project for Pete because his body of work is absolutely monumental: from creating a standardized methodology for testing open-source security to elaborating principles of trust that help you define whether a computer system is trustworthy or not, to also creating hacking lessons for teenagers. He's just gone across the board to create valuable resources that have influenced other people's lives and personal and professional trajectories. It has been such a privilege to talk to him, and I promise you, there will be a part two of this conversation. But until then, I hope you enjoy his fascinating stories. And I hope that you follow his work and dive into the resources he's created because they are truly exceptional.
[03:17] Andra Zaharia: It's a privilege to have you on the Cyber Empathy Podcast; it's a privilege to be able to find out more about your work — not that there's not so much about it online. But I want to help more people discover it, enjoy it, and draw inspiration from it. So, thank you for being here.
[03:34] Pete Herzog: Thank you. It's totally my privilege to be here. You've built quite a reputation for yourself, and I'd be foolish not to say yes. So, thank you.
[03:43] Andra Zaharia: I'm really truly humbled by that, especially because I feel like what we see from your work is kind of the tip of the iceberg. And I was hoping that today we'd get a chance to look at some of the things that are down there, under the surface. And one of the things that jumped out at me, while I was trying to put together the things that I want to ask you, is something that someone wrote about you on LinkedIn: "Pete is a humble giant in the cybersecurity space." And I felt that is such a fitting description for all of your work. So I wanted to start with a passion project of yours that will give us an unsuspecting, kind of surprising, very interesting intro to this conversation, which is your music-related project, which is invisibles.cat. So, tell me a bit about that. How did you end up making music for hackers?
[04:43] Pete Herzog: So, I would say it was probably around 2009 when we started playing in neuro hacking. It was more about, "How can you hack the brain?" It has to go back even further. So, back in when I first started professionally, I would say like '93, '94, I was really into this zine that you had to order called 'Pills-a-Go-Go'. And they would hack over-the-counter medicines into things that they wanted — different chemicals, different drugs, things like that. And then, of course, eventually, the Drug Enforcement Agency shut them down. And everybody on the subscription list received a subpoena for whatever. And we were on the list, too. If we ever showed up in Oregon, we would be arrested or something — it was really dumb, but I liked it. I liked the fact that they were trying things, that they were hacking things, and they were testing on themselves. And years later, I'm at a place where we're established. And we're understanding more and more about security, and about looking into social engineering, and why people fall for it. And so all of this kind of comes together with all of our research. I was fascinated with the idea of hacking the brain, this whole neuro-hacking thing. And we did it like we do everything else: you study how it works to the best of your ability, and you look into it. So my wife is a hell of a researcher; she deep dives into everything she wants to do. When somebody had a brain scan because they had headaches, she learned how to read the MRI from brains and knew what she was looking at. Because actually, all the information is online, you just have to find it and read it. I'm talking about actual studies, medical textbooks, things like that. I'm not talking about Facebook; I'm talking about actual learning how to do things. So she's somebody that helps me a lot in doing these things, and we deep dive into this, and we said, "Okay." So the first thing I think we built was a transcranial direct current stimulation device. These are things that basically put a small voltage through certain sections of your brain. And whether it's positive or negative has certain effects. I mean, when we first started, 2009, there were some websites where people were talking about it or chatting about it. But it wasn't very big. Now, you're going to find thousands, if not tens of thousands, of articles about it. Different sections of brains have been thoroughly mapped; different voltages, all this stuff, and that didn't exist.
[07:08] Pete Herzog: We're just really interested because it seems like a type of magic; you're putting in a little bit of voltage, and you're getting some sort of benefit out of it. And so, the first ones we did were like this headband that would hold these metal diodes in place. But, of course, you need to use salt water in order for it to get to your skin, which then, of course, burns your skin. And so, when I first started doing this, and some of the other hackers, they would have these scars on their heads from where the metal would burn into them. And it wasn't until much later that we actually figured out a better system. So, one of the things that we wanted to do was, so I had this partner that we worked with, and he was interested in getting better at tennis, and he knew that tDCS had a way of helping you learn physical skills faster. And it was being used by the military and things like that, like for sharpshooters, and how do you learn these things. So, he wanted to be able to wear tDCS. You wear it for up to 30 minutes, and then you get about three hours of enhanced learning time. So, you could, supposedly, what would take months of learning, he could get down in days, if not weeks. We ended up building it into—this is the first prototype, I still have it here—it's a ball cap. And inside, it has ten plates, and these—well, this one's just ten, you can see—but this is the sponges for your kitchen sink because they're easily removable and throwaway. So, you would soak these in saltwater. And there's Velcro throughout the inside of the hat, and you could place the things where you wanted it, in a general way.
[08:47] Pete Herzog: Now, of course, we've gotten much more specific and much more smaller. So, while you're wearing it, while it's on, you have a green light; and the moment there's connectivity, you will get a red light. And, of course, tin does not corrode from the saltwater but the sponges do. So, we started playing with it and doing a lot. And I started using it for writing articles. And I probably burned down my brain. But I would just really just focusing on getting an article done in like two hours what used to take me days, and I just started cranking out articles for things. And we started really getting into this; I really liked the idea. And at some point, we came across stuff with sound, then binaural beats became a thing, and there were a few others like the god sound. So there's a lot of crap science about it. So you kind of have to dig through it and try to find out what it is. So, the first problem happened was COVID. Everybody was working from home. I had kids at home. And so, it was difficult to focus. It was difficult to get work done. So, I looked into what we could do. And of course, there were sounds and things you could put together for focus. But they actually made me dizzy over time, because it's just static. So, it's different kinds of static at different frequencies and they'll have names like pink noise or brown noise. So, we started playing. I was like, "Man, it'd be better if it was actually music if it sounded like something." So again, deep dive into what sounds, what things bring focus, trying to look into what makes somebody focus on something. And I was talking to this musician I knew, who was currently out of work because they couldn't tour because of COVID—a pretty big-name band here in Spain is called Blah Mote. And I talked to them. He was the main singer, lead singer, and writer. So, he agreed that I would make a template for what the sounds have to fit in and what we needed exactly. And he would try to produce music that fit within that template. It was kind of a clunky way of doing it, but we learned over time how to do it better and better, and he ended up making a bunch of songs. Some of them didn't make it; we're looking to—they were the wrong type. And then we would sort of switch them over. We did some motivation music or we called "Morning Coffee" music, it just gives you a feel-good jolt in the morning. And we played around with that.
[11:10] Pete Herzog: But in the end, we released an album, which we ended up putting on Spotify and Amazon Music and a couple of others, which is called Logical Flight. Logical Flight is just music that makes you focus. It starves your brain of dopamine is the idea so that the only reward you get is the work you do. That was the theory we're trying, the hypothesis, or whatever. But it worked really well. We tested it and we gave it out to a lot of people who tried it on everything from cleaning the house to trying to do work, but it was also supposed to block out human voice sounds as well. So there was a lot to it; I think it ended up working really well. I still use it all the time. As a matter of fact, I was fixing a ceiling this weekend. And I played it because it's work I hated, and you're just reaching over your head the whole time. So, I played it just to ger-- and it worked. You're supposed to zone out to the music completely, which happens, and then you just think about the work, and then you get it done. And I actually was able to accomplish it. Then we kind of left it out there. And I didn't really market it, I dropped the ball because I'm really great at making things and I'm really bad at selling things. So, I just kind of left it out there. And we made a website; actually, my wife made the website. And now, my oldest daughter is also working for us and doing designs and things. But most of the stuff was done by Xavi. As far as music goes; I just made the template and the research. COVID got swept under the rug and people started touring again, and things happened. And so their band started going well again, and things were happening. So, he did his thing. We did ours. And then I still had everything sitting there.
[12:56] Pete Herzog: So, the next problem came, which was the anxiety that everybody had; there were insomnia issues and all that. So we're like, "Well, let's try to make music for people to fall asleep." And again, it was a deep dive into research and how people don't want to be bored to sleep. So, the whole classical music thing doesn't really work unless you like classical music. And if you do, then you're going to pay attention to the music and not fall asleep. There's a lot of a lot of things that are happening there. And so, we started looking into what tones and frequencies and beats and natural sounds. And so, it's really a lot of information you have to collect and then sort of build into a template. We had hired a new guy for threat hunting, who used to be a heavy metal guitarist and music producer. So I said to him, "Hey, can you do something with the sounds? Play this for me, see what the sounds like." And he sent me a few audios back. I was listening to it, I thought, "This sounds like Rammstein. This is like some sort of electronic heavy metal." So I went back to him. I said, "Do you think we can make heavy metal sleep music?" And he said, "Absolutely not. It's the stupidest thing. It doesn't make sense." And I said, "Listen to those tones again, and tell me that it doesn't sound like metal to you?" And he says, "Yes, it does." I said, "Well, we have the template." I made out the template, and very strict, and he had to do a lot of hacking around some of the sounds because some of the guitars and the drums don't fit; they're too high. So, you have to keep tones low. You have to keep the beat at a slowness, but it's complicated because you have to distract people first. So, the idea is the music distracts within the first 30 seconds, gets your mind off because most people can't sleep because their minds are too busy. So, it distracts them. And then, it gets simpler as the song goes on. And some of the songs are anywhere from five to eight minutes, but they get simpler. They get less complicated, but in a way that sort of lulls your brain and lets you then fall asleep. So, we finally got five of the seven songs. We ended up making maybe 12 or 14—that's just what he told me about. So, he sends me five that he finished, polished, and everything in the end. We always send them back and forth, and I say "no" to this or that, or "change this." He sends me five, and I get them at night. And just before bed, I'm laying in bed there, my wife and I are just laying there, and I was like, "Ah, he sent me the songs."
[15:28] Pete Herzog: So, I start playing the song on my phone, and we're listening. He sent two versions, headphone and room because it matters on whether or not if you're using binaural and things like that. So, anyways, space matters. And I'm listening to it, trying to just listen to it. And I turned to my wife and said, "What do you think?" And she's out. So I sent her the next day, I said, "Tell me, you were just really tired or was it the music?" because she was one of the bigger critics of it because it's weird. I have to admit, it sounds weird. But she says she doesn't know; she was listening to music, and then she just fell asleep. So, who knows, we're gonna do a lot more tests with it. Like I said, five songs, happy to let other people try it out. And once I have all seven, they're gonna be on Spotify, or Amazon Music, or whatever.
[16:14] Andra Zaharia: That is absolutely fascinating, because of many of the aspects because it ties hacking. Again, it superimposes hacking on anything that we do because it's the same thought process of breaking down things of looking into them, on reconnecting them in ways that are surprising. And that get the sounds that makeup music to do something else entirely that they usually do, which is the essence of hacking itself. And I was wondering if this story actually connects to the fact that you have a bachelor in arts but you've spent your entire life in cybersecurity, which seems, to many people outside the industry, and even perhaps to so many people in the industry, it still feels like an antagonistic relationship, to kind of build your work on. But what's the connection there? It feels like music kind of bridges this, the different experiences.
[17:12] Pete Herzog: So, back when I went to university, they wouldn't allow me to take computer science because my math grades weren't good enough. Because, remember, everything was done on a mainframe, and personal computers when I was the school, there wasn't much. So most of the programming was still done on mainframes, for the most part. And that's what we had at the university. So they basically said "no" to me, and I didn't know what to do. So, I sort of stumbled through university; you have two years in America to take your core classes and then you need to pick a major before the end of that. I did work in the computer lab, which was interesting because professors would come to me with this locked software. And I would hack it on the disk and basically crack the software for them, so they could use it for their class, which caused its own trouble sometimes. But it was interesting. And then, I had access to Macs when they came out and PageMaker. And we were cracking software and making fake IDs. So, I was heavily involved in computers; I still liked computers, I just couldn't study it. And then I was mixing classes, like I was looking into advertising and journalism. So, I was taking all sorts of writing things and interested in English, because maybe I'd go to law school — I wasn't sure. I stumbled into the library one night while the cleaners were there. So, the computer lab was in the basement of the library. And there was also a cigarette machine, the old style where you pull the handle, take a chunk and the cigarettes fall. And I had figured out how to hack those machines to get cigarettes out. But I didn't smoke so I didn't care. So, I would just pull out cigarettes to sell or trade. And in this case, the cleaners came down and I gave them packs of cigarettes, if they would let me go in the library, follow them into the library, which was after hours. So, I could go behind the desks and look at all the books that the professors put away because they have the answers.
[19:07] Pete Herzog: So, I went there and lo and behold, I find this terminal. There are these two terminals there. Of course, there are no logins, no passwords, nothing. I get on, and I'm fascinated; I have no idea what I'm looking at —this blinking thing. I mean, here, I knew PCs and everything. And I just had no idea what I was looking at. They had books there, so I started looking, learning about Telnet, FTP, all this kind of basic stuff, which sounds ridiculous now. But I started playing around, and I was like, "Oh my god, I'm connected to a computer in Sweden, or I'm connected into Michigan, or whatever." And I think it was the time when ARPANET was transitioning to what's known as the Internet now, and I asked them, "How can I get an account?" because there was a thing called email, and I could get in but I couldn't have people send me messages, which I wanted to do for whatever reason. And they said, "No, no, to get on this network, you have to be a science researcher," and then somebody else from the back said, "Or a librarian." So, I thought, "I'll just be a librarian." And that's where my focus was. And I spent all this time with these terminals. So, when I graduated, it was funny because I went out to California with my best friend. He got a job at Intel as an engineer, and he just wanted somebody to help him set up the apartment and everything while he started work. He couldn't do things, couldn't even set up a bank account; we kind of looked alike. So, I would take his ID and set him up with stuff, and he paid the bills. We did this, and he would come back and tell me all about these new chips they're building. And then, there was an advertisement for a job from the CDC. They were in the area, in Sacramento. And they were hiring for people to edit data and send it back to Atlanta.
[20:51] Pete Herzog: So, I went for the interview. And one of the things that I could do was work with computers. I knew how to troubleshoot them and I knew how to send things via FTP. That got me the first job doing that, which then led to me moving to Atlanta and working there full-time at some point, which then led to medical school, which then I dropped out of and led to—because of more internet stuff. And I was in charge of the medical lab where they had the computer lab where they were teaching medical computing. So, all of this sort of just grew, and security was part of it. I mean, security was always part of my life; I had security guard jobs. And when I was in college, I was in beer stings, which is—they take a kid who's under 21 and drive them around to try to buy beer. And of course, if they sell you beer, you get arrested, or whatever. But I never had the heart. I'd social engineer them; they would sell me the beer. And I'd be like, "No, no, they're outside. Never do this again." It's not like we were wired or anything. I said, "Take it away from me and send me out. Now. Take it, take it!" So, I was really into the whole security. I guess, beer's things were sort of pen-testing. And this was just sort of all evolved along with growing up with networks and being part of it. And I was talking about this the other day; in those early days, I actually wrote an article that got accepted by '2600 Magazine' on hacking NetWare. This had just a long history. And that's why, I mean, security is just a thing, and computing is... Well, I wouldn't say computing more networks. So it all sort of fit together. So, I was good at technology and hacking. And that's sort of where this came from.
[22:37] Andra Zaharia: We got lucky that you were so passionate as to overcome all of these obstacles and all of these absurd limitations that sometimes get young people to be disengaged with school—is just one of those things that, let's say, not the arbitrary, but what seems arbitrary limitations that get people to fall out of love with things that they're truly passionate about. But fortunately, we're not one of those people.
[23:07] Pete Herzog: Not everything was out of good intentions. I was heavily bullied in high school, to the point that when I was in college, I started kickboxing. Once I was out, I joined a Fight Club—literally I was part of fight clubs. But hacking gave me power. I mean, I didn't know that eventually, all of our lives would be online, and it would give me that much power. Now, it's an insane amount of power. But back then, it was just enough to kick them off of mail servers and ruin their day on AOL. And, if you go back far enough, and wipe out their directories. It gave me a power I didn't have when you're young and you feel very powerless. It allowed me to have this kind of revenge if I wanted to. Again, it wasn't always like that; it's not like I was seeking out people from my past—it was more if somebody dealt with me in a negative way at the present time, then I would be able to do something back. So again, it was a mix of things. I don't want people to think that it just was all roses in my life. I had pain, and hacking was something that allowed me to have power when I had none, over a lot of things and a lot of injustices. I think that's sort of why I still do a lot of free work for people who suffer injustice all the time. I mean, revenge porn, at least twice a month we hear from somebody where they want it taken down or something dealt with. So there's always trouble.
[24:40] Andra Zaharia: There is, but in my opinion, I think that there are a lot of people who share similar backgrounds, who felt not seen, who felt on the outside of social groups, and they found their people online and in groups of hackers in the beginning of what now became a major commercial industry, but was for such a long time, something very obscure for only the initiated, and so on and so forth. There are true bonds. And there's a lot of camaraderie because people share these values. But at the end of the day, this desire for justice and for fairness and for equality, have transformed into people who are molding and influencing how security evolves, and how security influences many of the other decisions that shaped technology and ended up shaping society at large, which I think is powerful. So, those idealistic objectives that were born from not being seen, from just being on the other side of so much unfairness, and so much pain in many cases, like Jason Streep, shared in a previous conversation, it's things like these that eventually turned into something good and something powerful, and then this desire to give back because if you don't know what those experiences are, it's hard for you to understand why it's so important to help these people overcome their own issues, whether it's revenge porn, like you mentioned, whether it's teens getting bullied online, and whether it's misinformation and all of the other things. So our difficult experiences make us empathetic. If we choose that level of, let's say, self-development, if we choose to integrate these experiences, instead of rejecting them and trying to just shove them somewhere really deep and dark, and get away from them. So, I really appreciate you sharing all of these things so openly.
[26:43] Pete Herzog: We ended up doing a program called "Hacker High School." So, in about 2003, we start this thing for teenagers, teaching cybersecurity to teenagers, which was a huge flop up until about 2014. Because kids didn't have cell phones, they didn't have mobiles, so nobody thought, "Why do they need to know cyber safety, cybersecurity?" The word "hacking," "hacker high school," was such a negative term; schools didn't want to touch it. So, we basically had some religious schools, and homeschooling, and military schools—they were using it. But it was slowly growing. About 2004, it really took off. We started in 2003. We also built the very first Cyber Range ever, for anything, for these kids to test on, and practice. So, we ended up doing a lot of things, along with LaSalle University in Barcelona. So, my wife and I put together this huge thing; we started making all these lessons. And the problem was that you couldn't have kids under 18 sign a contract that they're going to be ethical, that they're going to do the right thing. It's absolutely ridiculous that people try to make them sign a contract. But that is an issue. How do we keep them on the straight and narrow? How do we teach them to be powerful enough? And we found two things. One was, we teach them to be powerful enough to know how to catch people so that they know they can be caught if they do something wrong. So, you teach them to understand how to catch people before you teach them how to do bad things so that they know what they're looking for. So they know how somebody would catch them. Of course, that's just a starting point.
[28:19] Pete Herzog: And the other thing we do is we teach empathy. All the lessons we write and a lot of stories, because kids learn best through narrative. So, we have a lot of stories in there. And those stories have a lot of empathy: about family, about understanding what other people are going through when they get hacked, what they feel—cyberbullying. So, you see it through the eyes of the character, and you feel what they feel when they go through stuff. I think, overall, that's been so much more powerful than having them sign a contract that says they'd be ethical; that they just understand what others are going through. Now, Hacker High School has been growing and growing. I think we're up to 15 or 16 lessons now. We've had sponsorships from Microsoft and IBM. It's a great program. I think we get about 300,000 downloads a month on the lessons. So, it does well. We're coming out with some classes, and now we're mixing it with eSports so that there's a game element to it; they play video games which reinforce the skills that they learn. But empathy made a huge difference in how we got accepted by schools. That, and the fact that the students teach themselves. So, the lessons are written to teach yourself, and not for them to try to get learning from a proctor or a teacher. Part of the reason too is because teachers just can't—they just don't have the time.
[29:44] Andra Zaharia: And plus, it gives them a lot more independence, agency, and, like you said, self-confidence that that's something they can do. Because this learning how to learn, I feel, is the most important contribution that school can have on our lives. Because when we know how to learn, we can do it by ourselves our entire lifetime. And hopefully, we'll be doing this because it benefits our health and helps us adjust to life and society and everything else in the meanwhile. Speaking of things that you created that actually help you do things yourself, you are the co-creator of a hugely important standard for security testing and analysis, the "New Open Source Security Testing Methodology Manual," which has a catchy acronym that you remember. One of the core tenets in there is that "trusting everyone is insecure, but trusting no one is inefficient." And I thought you could share just a few key things of what this means, especially for people who hear about the "zero trust" model everywhere. But we need to understand the nuances of it because it feels another one of those binary things that either pushes you into an all-or-nothing situation. And there's a lot more to that nuance helps us understand things better, and I feel also assimilate them in a more efficient way.
[31:07] Pete Herzog: Well, "zero trust" has become this buzzword. And I think they're now coming around to actually giving it some sort of meat behind it. It was just a buzzword that sounded good; it was completely impractical. And now they're trying to define it. But there's no real industry standard behind it. I think people are just jumping on the bandwagon. When we worked with trust, actually, it was an EU project, we were part of a really big one, on building an open trusted computing system. And so, in three and a half years, we had to build trust metrics. So we did a huge deep dive on how do you measure trust—to know you have a trustworthy computing system. Yeah, we ended up defining I think, 10 properties of trust. And now, we're at 15 and we're learning more all the time. But the idea here is that there are properties of trust that say, "Okay, if you complete all of these things, then you have something completely trustworthy, and you can rate them from zero to 100%." Or you can get better with your qualifications on how you do it. We've done a lot of work on that. But the idea here is that trust is one of those things that people just do badly, overall. It is a vulnerability; it gives access, just like a door. So what's the difference between me walking in, or you letting me in? It's the same thing: I get in. One is abuse of trust, and the other is me breaking in. It's so bad, which is why phishing and ransomware is so bad because humans suck at trust; they just do. When we look at the trust properties, one of the interesting things we found was that you can manipulate somebody by just breaking or lying on one trust property. If I fulfill one trust property for you in a way that you believe it, out of 15, that might be enough for you to go. Now, cynical people, you would think, need a lot more, but they actually only need three. And again, I don't have to be truthful; I just have to make you think I'm telling the truth about those three. It's something that you can really use to manipulate people—oh my god, what a horror I would have been if I knew this stuff when I was a teenager. It's scary effective. But it allows us to measure trust; it allows us to count things and understand. And this is where we come back to it: is that trust is one of those things that is necessary.
[33:33] Pete Herzog: The whole human experience is based around trust, and trusting people only if they trust you; there are so many anecdotes in every culture about who you can trust, and when you can trust them, and what they look like. And what physical attributes make somebody more trustworthy. I mean, it's pretty brutal. And of course, the fact that you can manipulate and lie over them. And you can do some neuro hacks to make people think they feel one way or the other. And that's a whole other conversation that I think we need another interview, another talk to go over because it's absolutely fascinating, the whole trust thing, that zero trust doesn't even come close to touching, nowhere near. It's such a complicated, complex matter. It's as complex, if not more complex, than us trying to design security systems because here you're designing security systems for human beings who are resilient to being safe. They just want to get the job done. You ask anybody, would you rather be fired for breaking security protocols in your company, and having to go to the next company and say, "Yeah, they fired me because I hit reply on an email." They would rather do that than get fired for sucking at their job. So, they're always going to go around security measures to do their job, especially if they can do it better. So, I mean, trust is such a complicated subject. So we used to ask this question that said, "If you could take a pill that would make you trust everyone, because trust is a good thing, if you could take a pill that would make you trust everyone, would you take it?" And of course, everybody would say, "No, of course not." And we had one guy who said, "I would, if everyone else had to take it too." And I find that just a wonderful statement overall.
[35:32] Andra Zaharia: It is. It truly is.
[35:33] Pete Herzog: Because it would be nice. That's a utopia if you can actually trust people.
[35:38] Andra Zaharia: It would alleviate so much tension and break down so many barriers. But until that happens, we're going to feed off all of these great resources that you've given us, and all of these wildly inspiring and interesting stories that you've shared today. And I'm sorry, we have to wrap up this conversation. But if you're ever up for it, I would love to do a deep dive on trust, and how just the inner workings of that, and what that means, and how it gets reflected into technology behaviors and our choices.
[36:10] Pete Herzog: I think people are dying to hear that, actually. I think it needs to be done. So, send me an invite of when you want to do the next one; we'll go into part two about trust.
[36:19] Andra Zaharia: Promise, promise. Thank you so much for everything, Pete. This has been absolutely wonderful. Thank you for everything that you do. You're one of the best people.
[36:27] Pete Herzog: Thank you, and you're a shooting star.