Leah Culver of Breaker and Tom Sparks of YC Answer Your Questions About Security and Podcasting
All right, so how about we start with some questions from Twitter. I actually think this one might have been on Facebook, so Brady Simpson asked, "How do we deal with the ever-increasing pressure from governments trying to get into devices?"
Tom, do you have an opinion on this one?
I do. So, I think one of the most important things to think about is that some of this is just legislation-based. However, some vendors do actually care about the privacy and security of their users. Apple has been pretty good about it. Microsoft has actually done a lot of work for this previously when Blackberry was still a thing; they were basically number one. But right now Apple is pretty much the most consumer-friendly in terms of security for just your personal devices. They give you a lot of options. They do a lot of stuff behind the scenes to make it really easy. Your passcode is actually backed by some really, really cool stuff. You know, your fingerprint reader on your phone is pretty, pretty simple. It works pretty much all the time.
So, you know, that’s easy security stuff. The government trying to subpoena the information from your devices is a lot bigger can of worms, and it kind of goes back to, you know, the Constitution. It’s essentially Fourth Amendment, Fifth Amendment stuff. So, search and seizure is really kind of up in the air with electronic devices. You know, this kind of goes all the way back to the 1960s in terms of personal privacy. In the 60s, the government came up with something called Echelon, I believe, and you know that was basically trying to get data to spy on spies.
You know, in the 90s it was, you know, Clinton trying to do stuff to catch more spies, basically. And with email and stuff becoming more and more prevalent, they just, you know, put in this giant apparatus to do surveillance on the American population. So, vendors, when they tackle this, kind of have to go, "Well, what can we do without, you know, ticking off the government?" Apple's done a good job of basically saying, "No, we're not gonna give you the keys to things." You know, if you want to get into somebody's phone, you're gonna have to basically get around the protections we've put in, because we don't want to make something that’s intentionally insecure. And they've done pretty well with that. They’ve gotten some flak from some people.
But, so, as a lay person, like, what precautions are you taking with your own data?
I think for the most part, you know, as long as you use the key code and, you know, any sort of biometric authentication on your devices, you're in a good spot. If you don't do any of that, you’re just kind of in the wind. You know, the government has a pretty deep ability to surveil you. So, your phone is probably not really gonna be the vector they go after the most unless you're sending encrypted messages and stuff. If you've got Signal, they probably want to see what you're doing. But if they can subpoena you and you don't have, you know, good protection on your phone, they’re gonna see what's there. They can't make Apple decrypt what you've got. If you've got an Android phone, you're much less well-off.
So it’s really just, you know, legislation and, you know, using good technology. I believe the Pixel 8 or the new Samsung phone has some pretty neat stuff built into it. It's got good security.
What about you, Leah? Do you do anything in particular?
So I have an iPhone, and I have some little paranoia things, like I know how to turn off the phone if I was panicked. I actually just got the iPhone X, so I have the facial recognition. But I always tend to get the latest iPhone, so I had the Touch ID as well.
And the interesting thing is I think it's much easier for law enforcement to access your phone via Touch ID, like you're saying, through Touch ID or facial recognition. But the nice thing Apple does is if you have three failed attempts, or if you shut off your phone, you have to re-enter your passcode. That's much harder for them to access. So I've practiced powering down my phone. I tend to only enroll one of my thumbs in the thumbprint, so that if I needed to, I could use my other thumb and just pretend like, "Oh, I'm just nervous; it’s not working," until it locks me out. I don't know. Is that all weird and paranoid?
But that’s great. But I feel like it's the price you pay, you know? It's like the trade-off for using some of the convenience features.
Yeah, but what about on the company side? So, at Breaker, how do you guys think about security?
Sure, that’s a great question. So we basically follow sort of standard web service practices. We have an API in the backend and on the front end basic iOS stuff. So, a big thing for me is keeping private data in the keychain as an iOS developer, not in any other local files, especially not in NSUserDefaults or putting it in Info.plist. So I don't put stuff in there. You can unzip an app directory to look at anyone's Info.plist, which is great. Like, I actually use it to find out what other apps are doing for certain, like, Apple-specific settings because they have like these weird configurations that you can do for interoperability with other apps and it never seems to work. So I was just like downloading people's.
But, yeah, just making sure that as an app developer, when you're storing sensitive data such as passwords, usernames, any PII (Personally Identifying Information) about people, that you are doing so in a thoughtful way. And, you know, I think there are a lot of best practices about this, and I'm not — I don't want to go into all of them, but it’s pretty easy to just Google and find out what they all are and just to be aware of it, just to know that you have sensitive data and power. And to be really aware that you have a responsibility as an app developer to protect that data.
And for actually, it’s interesting. I was thinking about cloud services and the government accessing cloud services. And for my last job, I was at Dropbox, and a lot of other companies do this as well. They publish all of the requests from the government. So, the legal team publishes them all online through like a disclosure report every year. So you can see what kind of requests they asked for.
But, yeah, and it's part of the — most companies today who are behaving well don't want to be overly generous with providing data to the government, but under certain legal conditions, it is necessary. So, but making that all very transparent to users when you sign up for a service, knowing sort of how they deal with government requests.
Cool. Well, let's go to Brady’s second question then. So he asked, "Why is auth tech changing every few years, from U2F keys to two-factor auth to thumbprint to face recognition? What are we optimizing for speed and reliability or security? What’s next or just what’s cool?"
Yeah, honestly, like the face — what do I think? I think I like the Animoji, like making those — yeah, I think I like that more than the actual security part of it. But, uh, yeah, it's a trade-off between convenience and security, right? So, I think a lot of these new technologies coming out are for convenience.
I would like to hear Tom's thoughts on these things too. I mean, all this stuff is actually really old. It's just that we're actually using it now. Like, I went back and looked, and two-factor auth, you know, kind of started with one-time passwords. That stuff originated in the 1880s, so it's really not new. Really what it is is people are becoming more aware of their own security. They want to make sure that, you know, whatever personal data they have doesn't, you know, get out there. Like, most people have really terrible passwords and they're sort of like, "Oh, okay, even if I have this terrible password, you know, if I use this little thing, it’ll keep my personal data safe." And I think that's good.
I mean, I don't think that, you know, the way that we implement it is necessarily, you know, what matters. I think it's just the fact that people are using it more and becoming more aware. You know, I think speed and reliability are really important when you look at what's available.
I think if you go back — like I have a laptop from the 90s that has a fingerprint reader on it; I never really used it, but it was the thing that you could use. It worked pretty well, actually. You know, now there’s just — it's more ubiquitous. There’s more, you know, multi-factor authentication. You know, looking forward, I think we’ll even see probably like a DNA ID. I mean, sensors are getting smaller and smaller all the time; you know, you can detect so many different factors. Like humans have, you know, unique chemical fingerprints even. So, you could have something where it’s like, "Oh, my phone smells me" or something.
Yeah, what's interesting about this is that it's not just that — like we talked about two-factor authentication. What it really is is multi-factor authentication and having those factors be of different types. I'm gonna try and remember the different types. There is something you know, something you are, like biometric, and what’s another one? Something you have, so a device. So, device, biometric, and something you remember, like a password.
And so having two different factors, I think, is the key for two-factor authentication. So, like a U2F key is a device, or if you have an authenticator on your phone, like an authenticator app, that's like a device one. The thumbprint, facial recognition is biometrics, and there's pros and cons to each, right?
So, what I find super interesting is I love the convenience of the face and the thumbprint, but what's really nice about the device and something you remember is you can replace it. So, if it were to get stolen, if someone takes a cast of your thumbprint, it's a lot harder to change your thumbprint or change your face than to change your password. So, a nice security feature is the ability to change something if you feel like it's been compromised, to make a new password or to change up your device.
The device was a huge pain in the ass because every time I get a new iPhone, I spend the next like hour switching over all my authenticator keys. It's like, "Oh my God."
Yeah, I just did it. Did you read the post about the mask faking out the iPhone X?
Yeah, have you tried to replicate it?
You have mask-making materials?
Yeah, but it's super scary because it's not like you're gonna change your nose, right? So having it as a second factor, or having it as, I guess, the first factor, right? It’s the first protection. But having the passcode as the backup for that is super important.
Okay, huh, something that you can change, right?
Yeah, I've just been wondering if there's like a line for you guys where you're like, "You know what? Face ID, I'm good. I don't need this right now," because, like you just said, there's a point at which if someone hacks you or figures out a way or some exploit, it's open forever. Are there certain lines, or is the convenience, even for security-minded people, just so high that you opt into it?
I love the convenience, so I'm a big 1Password user. So I don't actually know any of my passwords. I set up my 1Password and now it's two taps. I think you tap once on the button that says, "Look up my password," and it does the face or touch recognition. Okay, and then you tap the password that you want to enter. It's just because it knows what site it's on or whatever, and it's just so fast.
It's just tap-tap, whereas, you know, I've been using a password manager for ages and it's such a pain to switch apps, get the password, copy it, paste it in.
Yeah, so it is — the convenience is phenomenal. But what is the risk?
That I hope no one takes a mask of my face. Do you use any two-factor devices or biometric stuff?
Yeah, well, I don't do as much data center stuff anymore, but, you know, I've definitely done a lot of biometric authentication stuff. Funnily enough, a buddy of mine was the first person to break the Touch ID on the iPhone. He also recently published something about the guys who did the mask thing.
What do you mean by break? Like, copied someone's fingerprint, basically?
Yeah, I mean there's a few things that Apple did to try to make sure that there's some liveness checking and some other stuff. But, you know, it's hardware at the end of the day, so it's a little fallible. But it's not bad.
Yeah, like there's the setting on the iPhone for the facial recognition where if your eyes are closed, it won't read your face, which is really creative. I assume that's to protect yourself; you could just close your eyes. It's so obvious; it's not like the left thumb, right thumb thing that you're talking about. Like if you show your phone to your face and you close your eyes, someone knows that you’re trying to fake it, I guess.
Someone asked Tom specifically about YC. Rick Deacon asked, "What precautions is YC taking to protect data?"
So, I mean, we deploy, you know, best practices. We don't do anything, you know, super, super scary. You know, we just make sure that we know where our users are. We make sure that people use strong passwords. We use, you know, strong encryption. VPN?
Yeah, VPN is an easy one. You know, we have some dedicated hardware and stuff for VPN-ing, so that is kind of a little harder to just, you know, remotely get into. But, you know, best practice stuff, we stick to it. You know, we do not, you know, have nuclear secrets or anything like that. So, you know, I'm not worried about someone parachuting in with, you know, machine guns and chainsaws. You know, our stuff is pretty — it’s pretty open.
I mean, if you're a YC founder, your data is well protected. We want to make sure that that stays that way, but you know, we're not gonna, you know, do DNA ID to get into something, right? So, you know, we do a pretty good job of just making sure that everything's pretty buttoned down, and code reviews, that's kind of the biggest thing.
You know, it's all pretty, pretty easy. Our developers are great, so we’re lucky in that aspect.
So, yeah, it's a really good team, so that helps.
I would agree with that. Rick also asked another question. He asks, "What is the future of security for startups? Do you guys have strong opinions here?"
I think there’s a good trend of people just not reinventing the wheel for security. Reinventing the wheel is pretty much the worst thing you can do. I mean, every time we see, you know, a big hack, it’s because somebody did something where they’re like, "Oh, I’m gonna be really clever and reinvent this thing." And like, cool, you know, you forgot this one thing where if you added an extra zero or something, like, oh hey, look, this password isn't clear.
So that happens. I think outsourcing auth is a really important thing. You know, OAuth is great; you know, SAML is great. Most companies don’t really need to worry about auth in that way. You know, Facebook auth is great, it’s ubiquitous, it’s pretty solid; you know, well-run company. You know, it’s everywhere. You don’t need to reinvent that wheel.
Hmm, I think, you know, moving forward, really it's just gonna be what companies need. You know, most startups don’t need, you know, crazy military-grade stuff. They don't need HSMs. They don't need TPMs. Even your phone has a TPM in it. But, you know, it’s so ubiquitous that you don’t need it.
So having, you know, something like OAuth just removes the need to really have to build in a lot of security. You know, beyond that, a lot of CI, continuous integration systems, have, you know, things where you could just sort of turn on code checking. You can do, you know, easy bounds checking. You can do a lot of security stuff just automatically, and it’s really nice, you know?
I mean, most developers do care somewhat about it, but, you know, when you get the intern in and they're like, "Oh yeah, you know, I wrote this great function that has, you know, one thing in it," right? Like they’re not necessarily gonna know.
Yeah, so that’s why having some oversight is good. But, you know, frameworks eliminate a lot of these problems. There are a lot of really great frameworks out now. I think really now, more than ever, there’s just a lot of really good stuff. You know, it has some pretty interesting stuff in it just in terms of, you know, programming-level security.
You know, I made the joke the other day that, you know, if you need random numbers, the best way to get them is to use a language that doesn’t have any sanity checks.
You know, for a new developer, yes, because they won't even know that they need to do memory management. There’s something already there.
So, yeah. Leah, would you advise the same thing?
I totally agree with Tom. I think when you're looking to build a website or an app or something, using best practices is the way to go. And these things are sort of open standards and open protocols for a reason, because large teams of people work on them.
So, I worked on OAuth. The first version may be not as good as subsequent versions, but I worked on the first version, Vaduz. It was a large team. I'd say at any given time, we had, you know, 20-30 people working on different parts of it.
And I'm personally not a security expert; I'm a security hobbyist. So it was fun to work with folks from Google, Yahoo, Mint.com, like financial institutions who definitely had more at stake in terms of security, whereas I was working on a social network at the time, a little less at stake than financial data. But it was nice to have them sanity check, especially all the algorithms for hashing, and to make sure that we were doing things in a way that could protect against known attacks and things that people knew were, like, you know, vulnerabilities and vectors.
But nowadays, as just an app or web developer, you don't have to think about any of that, right? Like if you use Facebook login, you download an SDK and you follow the instructions and it just works and it’s secure and fantastic. And at least Facebook deals with that, right? It’s really great.
But that being said, I do think there is still room to innovate on the user experience side of security. So that’s when we talk about things like Face ID, or like, what can we do now that we couldn’t do, you know, ten years ago that we would have liked to?
Right? So some of that stuff is fun to play with. I'm really interested. So after working on OAuth, I'm still really interested in user login and all of that, especially preventing targeted attacks; it's one of my fun hobbies.
And so some of the stuff you see now that I'm super interested in is when you log in on a new device, you get an email about it. If your password changes, you get notified. How do you prevent, you know, someone changing the email address and changing the password at the same time, too close together? Some of those things are just product things to think about.
Like if you're developing a product that you need to be secure, what can you do in the case of both sort of general attacks to get data from your database and the more targeted attacks? I don’t know why that’s interesting to me; I just find it fascinating, especially in the age of Instagram celebrities and things like that. I think it’s pretty interesting.
And people in general aren’t super good about security, so how can we, as app developers, protect someone in the case that they do have a terrible password?
Well, I think you saw it, you know, with people porting phone numbers for crypto stuff in particular. Those are giant — those are horrible. It really brought to attention how badly prepared the cell phone companies were for multi-factor authentication. Like, I don't use my phone for multi-factor authentication; I would highly recommend against it.
You mean SMS?
Yeah, not using SMS or phone calls or anything like that as a factor. So, use Google Authenticator?
Yeah, yeah. Or a similar app, man. There’s like Authy; there’s some other ones. They're pretty good.
Okay, hmm. Or U2F keys are your other option. I just think, you know, when you’re relying on someone who probably gets paid minimum wage just to be phone support, I don't know if I would be counting on that, you know?
Totally. And do you have crypto thoughts in general? So — I told you this before the podcast, Tom, I get a name wrong every time. Say Phil LA. He asked, “What are the most recent security concerns in crypto?” Cryptocurrency, just to be clear.
I think really it’s just, you know, it’s new. People are getting used to it. You know, people are sort of inventing their own languages to go along with it. You know, what we were talking about earlier with Ethereum the other week, where somebody kind of deleted a really important function of a contract. You know, that stuff will happen, and, you know, people will just take that lesson and move on. I don’t think cryptocurrencies are necessarily more or less secure than anything else.
I mean, cash, if you leave it on a table, somebody's probably gonna run off with it. You know, we saw a lot of early Bitcoin stuff go away because people were using horribly insecure hosting stuff. You know, hopefully people don’t continue that, but I’m sure they will. I mean, people leave their wallets with, you know, passwords like 1-2-3-4 on their laptops. Some people will. I have seen wallets stored on public anonymous FTP sites with a password of like 1. You know, it’s basic stuff.
I mean, you know, you can’t protect users from themselves, really. I don’t think crypto specifically has a problem. I think it’s interesting to see how people are using it. I think it’s kind of nice that, you know, you can have it be so ubiquitous and it sort of brings power back to the people who use it a little bit, versus with cash it's like, "Oh, central bank; you know, you have to do this," but I'm not a crypto libertarian on this issue at all.
Yeah, I actually — I’m fascinated by it. I love the blockchain as a technology from a database ledger kind of perspective. And actually, I have a podcast to recommend since we’re kind of on the topic: there’s a show called Invest Like The Best, and they have a three-part series called Hash Power, and it’s on the technology behind the blockchain and Bitcoin and also investing. And I think they have a couple of other topics that they cover, sort of a broad look at everything to do with cryptocurrency.
And I loved it because I knew the general idea, but I didn’t know the history or that much in depth about it. It was excellent.
And what is interesting to me personally is distributed versus centralized systems and how they play out. I feel like the blockchain is the first really distributed system we’ve seen become quite popular in recent memory. I mean, the Internet itself is a large distributed system; I can’t say it’s the only really interesting, good system. But what we’ve been seeing with the Internet is a centralization. Like, we’ve been seeing centralized powers, especially the large tech companies, now really consolidating, right?
Like Facebook having eight of the top ten apps in the App Store, right? So there's a large amassing of power and user data with very few companies. And what’s interesting to me about the blockchain is taking that back a little bit. And there is some centralization around the blockchain, like there are mining conglomerates; there are services that will host and store your data for you.
So, cloud services: instead of using a physical device to store your private keys, you could use a cloud service. And what's interesting about that is the insurance factor of it. So when you think about banks and how your money is insured, seeing these companies come up with "now we’re going to insure cryptocurrency." And it's like, "Ooh, this is interesting," right?
It's basically like rebuilding a banking system built for the Internet age. It's super interesting, and I’m not sure how it’s all gonna play out. And I agree, some of the biggest security concerns right now, and I'd say the number one, is user error, right? I totally agree with that.
I think that the fact that it’s decentralized kind of protects against a lot of like fraud or malicious intent by centralized power, but it makes it really hard to recover your data if anything happens.
Yeah, so it’s fascinating.
Yeah, so I mean it’s kind of like measure twice, cut once, before you send someone a bunch of Ethereum. Yes, this has happened a bunch on private Slacks around ICOs. People post fake ones, like they'll steal the avatar from the creator and create an account in that Slack, and then post an address a minute before the ICO will happen. And it’s like this torrent of money flows to them. And that’s all — and it’s like, there you go, gone.
Yeah, wow.
Yeah, yeah. Just be very careful. I don't know. I have no idea how one establishes trust with cryptocurrencies other than by using centralized systems. That’s very difficult, yeah, I don’t know.
Well, you did mention podcasts, and we should talk about podcasts here. So let’s jump up to Kat's question. So Kat Mañalac, a partner at YC, threw a question out. Let’s start with the first part: What are your favorite podcasts?
Oh, that’s a great question. And actually, my big thing is I want to just put in a plug for Breaker here. Follow me on Breaker. You can easily see what my favorite podcasts are. What’s great about Breaker is it’s social. You can see what people are listening to; you can see what they subscribe to; you can see what people are liking; you can see what podcast episodes are hot.
Actually, I found this Hash Power series because it became popular on Breaker. It got a lot of attention, a lot of comments. And I wouldn’t normally listen to a podcast called Invest Like The Best, but it was an interesting series.
So, um, podcasts that don’t exist that I wish did? I think, right now, on Breaker it’s a lot of tech; it’s a lot of startups. It wasn’t that in the early days with few users. We have more true crime, comedy.
So, I guess what I’d like is, I personally love storytelling, so I’d like to hear more diverse stories. So, stories from people you wouldn’t normally hear on podcasts. I guess that would be my request. So if you out there are listeners and you think you have something unique to say, go for it.
Before we go further, Tom, did you have a favorite podcast?
I don’t really do a lot of podcasts, but I think my favorite sort of equivalent of that is called The Life of Boris. It’s about this, you know, Slavic YouTube dude who hosts videos and does a bunch of Q&A with his fans. It’s pretty funny because it basically, you know, harkens back to a lot of the Cold War era stuff. It’s kind of fun. It’s pretty goofy.
You know, he talks about all kinds of stuff, like, you know, the gamut of like video games, cars, you know, cooking. Like I learned how to cook a bunch of Russian stuff from it, so like, you know, I kind of like that kind of variety.
Hmm. But otherwise, I mean, I think the podcasts that are missing for me are really in-depth security stuff. There’s a lot more blogging around that kind of stuff because you can’t really show a breadboard on a podcast, right?
But, you know, I definitely would like to find out about it.
So, I’m definitely, you know, interested in ways that I can find new stuff.
So, Kat asked a second question, and she asked: What mistakes did you make with your first company that you know not to repeat on the second?
And Tom is a founder as well, so this is a valid question for both of you.
Yeah, oh, mistakes. I don’t know. I mean, like, let’s see. I’ve been doing startups since I was like 15 years old, so I’ve seen a lot of mistakes. I think one of the biggest ones is just poorly spending your money.
I worked at a startup where we had a shag-carpet-walled music room. I’m pretty sure I knew what else happened there. No, we spent ridiculous amounts of money on things. We bought Napster for like a month.
What?
Yeah, right? I know. Absolutely required. Napster acquired Nasir, gave it back. So like there’s all kinds of weird stuff like that that happened in, you know, sort of like the early boom.
You know, now I think money, even though it’s pretty easily available to entrepreneurs, I think, you know, paying attention to where you spend your money is still key. Like, you know, some of PG's early stuff about, you know, don’t go get an office; work out of your house.
You know, a lot of the YC ethos is really stuff that I recommend people stick to, because it’s so easy to be like, "Oh, yeah, I got all this money; I’m gonna go get a flashy car; I’m gonna go get a nice office; I’m gonna go, you know, buy the best screens and stuff for me," and then they just spend their time derping around, trying to be whatever they feel like makes them a successful founder, rather than playing startup.
“Scene-stirring,” I think, is kind of another good term for it. I mean, those parties are fun, but they don’t get your company anywhere.
Yes, oh yes, yes. I’m the opposite. I’m so frugal. All of my startups have pretty much run on, I don’t know, thin air. So, yeah, even Breaker is still very frugal as a company.
But I’ve definitely had other issues. Mine is sort of the opposite; it’s asking for help. So going out and trying to build — I think I’ve always thought, "Oh, I can build it; I should just build it," as opposed to, "How do I get other people involved in my company? How do I have other people care about this? How can we build something better together? How can I listen more to users?"
And now everything we do with Breaker is super user-feedback focused. It’s just, what do people want? Let’s just build what everyone wants. And it's a totally different approach than "I’m building something that I want for myself," right?
So, it’s been much more rewarding, building things because people actually are asking you for them. It’s easy to do. It's a little hard to get over the ego of like, "Oh, there’s a bug here, and someone’s talking about it," or "Hey, if you don’t have this feature yet, I’m sorry," but that’s really been a huge, huge change for me.
The other thing is more personal. In my first few startups I struggled with myself as a founder and not really fitting the mold of what I thought a startup founder would be like. Same for a developer starting off.
Even as a developer, I used to get these programming books that were like "developers like us," and they’d have pictures on the front that looked nothing like me.
So it's figuring out — it’s not just the way I look, but it’s also my personality. Like I don’t feel like I am a startup founder, but coming to terms with that is like, I have this mantra every day that I get up and I say I can only be the best person that I am.
To sort of be true to myself, and that I don’t have to be exactly like Steve Jobs, or Mark Zuckerberg, or Elon Musk, right? Like, I’m not; that's never gonna happen.
I would say that's also a good thing.
Yeah, yeah, but you know there are definitely a wider variety of founders out there that don’t get as much glory in the media that are still phenomenal founders running huge companies, just maybe less exciting than, yeah.
Or just like less flashy or, I mean, it's a chance and maybe running a business that’s not particularly sexy, which is always hard.
So you mentioned user testing. Now that you guys are a little bit bigger than you were during YC, you like giving it to me and being like, "Hey, what do you like about it?"
Yeah, how are you doing user testing at a larger scale now?
Yeah, we have several different ways that we collect data from users. We have just an in-app bug reporting tool. It’s kind of most direct. You can actually just send us an email. If you take a screenshot in the app, it actually prompts you like, "Hey, did you see a bug? Do you want to send it to us?" Which is great. It’s a tool called Buglife, so we love Buglife.
We use Mixpanel for implicit user testing, and this is actually, I would say almost more valuable than what people tell you is what they do. So, we use it for things like testing retention, doing funnels, so knowing like when people drop off in a particular — like if we want them to take a particular action, what happens that they tend to not do that?
A/B testing, so we actually — we don’t do a ton of A/B testing, but we do with things like search and discovery do more A/B testing and sort of like what do people actually want here? What are they actually tapping on? What are they listening to? What gets them excited?
So those are probably our two biggest tools for collecting user feedback. We are starting to do more like user experience testing and we’re about to send out our first like survey.
I’m always a little bit like — survey, like I like that people reach out and give us like feedback directly. We get a lot of email feedback.
Have there been any surprises in like the product you designed and how it was and ended up being used?
Oh, yeah, definitely. I’m trying to think of a good example, but there’s like stuff every day that just, you know, the way that I use a podcast app is not the way that everyone else does.
And we’ve sort of in our mind have this like ideal user of who you want to be a Breaker user, and it’s not like a hardcore podcast listener. We’re not on the extreme of the spectrum; like you’re listening to podcasts all day and you’re very fussy about your settings.
But on the other hand, it’s someone that we want to be more long-term engaged with the product. So it’s not just someone who’s going to drop in and listen to one episode. We really want to, you know, get people into podcasting and get people into listening to podcasts the same way that you would like watching Netflix, right?
Like we want people to be as excited about a new episode of their favorite show as a podcast as they are the next episode. Which is exciting and really fun. And I think there’s a lot of room for podcasts to grow to really fit that.
And I hope that Breaker can be part of that. Like the whole industry of podcasting needs to grow in order for it to be a really exciting business opportunity. I mean, I think it’s 250 million a year now in like ad revenues, which is like tiny considering how much people talk about podcasts.
Yes, yes. I think there’s definitely room to grow, and that was one of the reasons I started Breaker. I was looking for a market that wasn’t saturated, that wasn’t — that was growing, but could be accelerated by young technology.
Why do you think the iOS podcast app is so popular?
Because it comes installed on the phone by design.
No, but Apple Maps is garbage. And it like — Apple Maps got usurped by Google Maps, right?
I guess it might be better now.
I think — hopefully Breaker will take over. And this is what we’re going for. It’s like how do you become better than what comes installed on the phone? And that’s — it’s a hard problem.
Yeah, okay, fun one, absolutely.
Yeah, and so Backtracks, who is actually our podcast host, they tweeted at you. They asked, "What’s the most difficult challenge in podcast discovery?"
So far, I have a very strong opinion on this.
All right, I will lay it out there. We do episode discovery, not show discovery. The distinction there is there are a lot of podcasts being produced these days where a particular episode will really get you.
So, it’s more topic-based episodes or story-based episodes. There’s a couple — there’s a few podcasts that are like many podcasts that are serialized formats or have like a longer story to tell.
But when we’re talking about individual stories, I think, what gets people hooked on a podcast is a good story. It's like watching a good clip of SNL, right? Like sometimes you just want to know what the good parts are.
So for us, we want to highlight the good episodes based on users liking them, listening to them, commenting on them, and that’s what we highlight in Breaker. It’s what is hot right now, not based on like — so Apple uses editors. They have people who go in and say, "Hey, you should like this show because we as an Apple editor think it." Then it’s like I just want to know what’s the best episode right now. Like what’s the one that everyone’s listening to?
Yeah, and so Allen Lee, so you mentioned Netflix before. Netflix of podcasts only asks, "I love Breaker. How’s Breaker going to be the Netflix of podcasting in the future?"
Allen Lee with the long-term vision, basically giving our pitch. So that’s — that’s sort of what we are. Our goal is to become this source of really great content.
What I find interesting is I think that podcasts are getting better in quality in terms of the storytelling and the shows, but I don’t know that they’ve quite reached the level of the game of Thrones of podcasts. That’s what we talk about a lot. It’s like right now we’re seeing some of these really good podcasts, but we haven’t hit the show.
I mean, we’ve had Serial, which was a big, big popular show, a big popular podcast. But we’re, you know — and it’s really a chicken-and-egg problem. Like if we had that show, would it be just distributed across all podcast networks? Could we actually make money off of that kind of show if we had a show big enough?
But is there a big enough audience on Breaker yet to make it interesting to have a big show? So I think we’re kind of taking the approach of trying to gain a lot of audience using Breaker, and then be able to present them with unique content that we — that, you know, is of the quality of something like a Game of Thrones, House of Cards.
I mean, it’s a challenge. I mean, even Hardcore History is like five episodes a year, and it’s him and other, like, staff working on that show.
Yeah, it’s difficult to produce, but it’s actually much cheaper and easier to produce a podcast than a television show. It’s like a hundred times more expensive to produce a television show than to produce a podcast.
A quality podcast, are you working on your own yet?
Original content?
I am not. I don’t make — I’m definitely on the technical side. I have much respect for people who are storytellers. I actually just went to a live podcast taping this weekend or a live podcast show. They were actually playing back an episode that they hadn’t aired.
I loved — and radio showed up! But it was super interesting, and I got to talking afterward about storytelling and how it in itself is a skill. And I just don’t have any time to work on developing that.
But, Craig, you have — do you feel like your strategy has evolved over time sort of like given feedback from listeners, and how have you — how does the podcast change?
So, this is the second podcast I’ve done. So, the first podcast I did was called Salt of the Earth, and we interviewed small business owners that were funny, and it was a great podcast. I had a lot of fun doing it, but finding guests was really hard, especially because they’re often, you know, just obscure small business owners.
And so, not only is that difficult, but then distribution becomes a real challenge. So that’s super hard. Like distribution across, like almost every podcast is super difficult, so with this one, we do YouTube, and YouTube works really well.
Aside from that, my strat — like in terms of host style, I don’t know what you mean.
Yeah, yeah. Your approach to how you do interviews, because they’re both interview shows, right?
Yeah, they're both interview shows. I've recognized how important it is to control the energy in the room. And as the host, it’s totally on you. A lot of people think I’ll just bring in Leah and Tom and they’re gonna be super fun; this is gonna be great.
And you are both super fun, but that’s not the case. Like you have to carry a vast amount of energy about you and keep it going. Transitioning is always difficult between subjects. And I think one thing that’s maybe obvious to the listeners and the two people is that I introduce people in the podcast edit rather than having people introduce themselves.
Because that can be a little like — it kind of takes the air out of the room if someone’s not used to introducing themselves.
Oh, yeah, I guess. Would you say that startup founders are better at introducing themselves than Salt of the Earth interviewees?
It’s totally sales, right? Like if you’re good at sales, you can really like come in and they like make it super engaging. But more often than not, people are just like, you know, they’re just modest.
Right? So, like both of you guys are coming as like, "Hey, you know, like I’m Leah, and I work on Breaker, and it’s cool and everything." But the reality is that you have to — you want to get someone hooked really early on in the podcast, and so that’s when the energy has to come.
So if you start out with like, "Hey Leah, what do you do?"
Yeah, then it’s not quite as good, so yeah, I would do that. We edit the podcast. I think a lot of people are like, "I don’t have to edit; I’ll just go." And I feel like I think a lot of people don’t realize how edited a lot of the most popular shows are.
Oh, yeah. I just did an interview on a show called Hack to Start; they edit them. I didn’t realize it because it has a very natural interview-type feel. So, I’d listen to a few episodes and I went on the show, and so then I could compare what I said versus what came out — and it’s so much better what came out. Very heavily edited without sounding edited, which I thought was amazing.
And I know you do a little less editing; it’s not that much.
Yeah, yeah. I really admire Joe Rogan’s podcast because they can keep like a three-hour conversation like at high energy and fun. And they transition pretty well, and that’s something that I’ve been trying to get better at doing, but it’s difficult.
Especially with video, right, because the continuity becomes an issue if you’re just like cutting all over the place. Whereas if you looked at the time and like the time something was recorded for the serial and then like placed it back into the episode, it’s all over the place.
Yeah, actually that’s something I wish I saw more podcasts do. So another request for podcasts is to incorporate music — legally, of course. Sounds sort of using exploring audio more as an art form.
I’ve definitely listened to some pieces that do that, and it does make a huge difference. It’s not necessarily the best thing for like interview-type shows, but there are shows and stories you can tell, and adding those elements in really helps.
Yeah, I would also say to podcasters definitely transcribe your stuff because Google is not friendly to audio, and you want that like indexed stuff right there. It’s pretty cheap to do, which is actually something we’re thinking about starting to do for Breaker too and get into like future ideas.
We have some pretty crazy ideas.
Yeah, I mean, if you can talk about it, let’s do it.
So, we do want to eventually transcribe podcasts that are on Breaker, which is pretty much every podcast. However, right now there are some options where you can pay to have things transcribed, either by a human or robot, to varying degrees of success, but they’re fairly expensive and cost-prohibitive for something like Breaker where millions of episodes.
What else you guys want to talk about?
Mmm, I found a company doing what I did with Crypto Seal, which is living on now, and like they have more adoption. It's kind of funny; they're called NF ki, and they're basically doing secret management for app developers.
I love all of the — I think there’s a huge opportunity in security to do sort of secret management. Like right now, things are just like, “I’ll put it in env variables,” like so bad. And for us, as soon as you have a team of more than like two people, you need to be sharing all sorts of private information.
And with companies, it’s like if someone joins the company, you got to set it all up. If they leave, like you have to somehow like revoke all these tokens. Right? So it’s pretty terrible right now. I think there’s a huge opportunity there.
Yeah, I mean, that was the thing that we tried to address with Crypto Seal was that, you know, we all felt the pain of managing secrets and stuff like that. And some secrets were more secret than others, you know, but you know, it’s still a tough problem.
It’s still something that developers hate to deal with. People still share passwords and like spreadsheets and stuff like that, which just kind of makes me run and hide my head in my hands. But, you know, there’s technology coming out there for it.
I believe Lyft actually like published something that’s actually kind of useful and it’s pretty interesting. You know, I mean like this is an area where like I have a lot of background because like I’ve got a patent on it all. But you know, it’s interesting to see what things come back around in terms of security.
But password management still, it’s a huge problem; nobody really does it all that well, especially for developers; it’s a huge pain in the butt. So anything that makes that easier, I'm all in for. So that’s kind of neat.
You know, beyond that, I think, you know, if somebody wants to fund a DNA sensor for your phone, I think that’s probably going to be a good market. I know that there’s — there’re some companies out there doing some more sort of weird bio-aware sensors, and I think that’ll be pretty interesting.
You know, if you look at, you know, the last five years with people paying attention to all their sort of personal metrics and stuff like — everybody's got a Fitbit; everybody's got something that, you know, tracks whatever their steps or whatever.
I think that stuff is gonna be pretty interesting; it's gonna get more in-depth. You know, five years, we’ll probably have a scale that’ll be like, "Oh, you know, you should probably cut out eating this," or "You should eat more of this," or something like that.
I think we’ll see some pretty interesting consumer technologies come out of, you know, weird secure — potentially security stuff.
So, if you weren’t working at YC, what startup would you work on?
I mean, I definitely think that there’s a lot of room for more security stuff. I think there’s a lot more things that can be done with like end-user metrics. If you go back and look at like a good example for security is DDoS; it’s still a thing.
Like it’s been around forever. You know, the first big DDoS I remember was against eBay in like 1997 or something. That’s 20 years ago right now. So, this is still a problem; they’re just getting bigger and bigger and bigger.
You know, my current, you know, method of mitigation is telling people to go get CloudFlare. It’s the simplest thing. You know, I think there’s gonna be more stuff in that space, especially as people, you know, start publishing more interesting things.
You know, I kind of think that the Internet's still in its infancy in a way because, you know, yeah, Facebook is kind of like microblogging for everybody, but it’s really not — it’s not that ubiquitous. You know, people, you know, Instagram actually is a little bit more ubiquitous. People, you know, take pictures of their food all the time and like then, well, that’s kind of mmm, whatever it is, it’s interaction.
I think we’ll have people doing more sort of like life blogging kind of stuff and I think when we see more of that, we’ll get a lot more interesting perspectives on people.
Yeah, yeah, I love this thought and I love that you’re getting into sort of like biometrics. And I loved passive sharing as a concept and there aren’t very many apps currently that do it.
So, people say, "Oh, how could there be another social network?" And something I’m fascinated by and haven’t seen it done super well is like, so for example, Breaker and like things like Spotify tell you, you know, what you’ve listened to and show other people what you’ve listened to in the past.
And it’s like a passive behavior, not like intentionally sharing that, but there was for a while — I think Path did some really interesting stuff with passive sharing, sort of if you had sort of these monitors turned on, you could sort of publish that.
Right now, a lot of the health data and sensors, even things like Fitbit, aren’t extremely social. You can kind of see other people’s step counts, but they’re not everything that you could potentially be sharing.
But it’s like it’s questions of — so what is interesting to see? I’m like kind of a lurker, so I love like my favorite part of Breaker is like seeing what people listen to, and oh, that’s so interesting.
Is there incognito in Breaker?
So we’re actually really discussing that pretty heavily right now. We’ve got a lot of users, so when we were very small, we didn’t get as much request for privacy, and now we’re getting a lot more.
And so we’re figuring out how we want to do privacy on Breaker right now. So if you have any thoughts on it, send us an email.
All right, what’s your email?
I’m thinking about it: feedback@breaker.audio.
Okay, you send it to feedback; I actually see every single email that goes. It’s not like it’s going into like a black hole; like we actually do look at that.
So, if you have thoughts on how you want privacy implemented, we really want to encourage people to share what they’re listening to, and passive is the easiest way to do it. Like you don’t have to think about sharing it; it’s not tricky.
But then it also — there’s this level of comfort. Like how comfortable are you with sharing that? Like I remember getting a streaming music service for the first time. I actually used Rdio, and like having people see when I listen to you, it’s like oh my gosh, no, like I don’t care. I listened to Hanson’s Christmas album this winter; no big deal.
Oh man!
And if you weren’t working on Breaker, do you have thoughts on a startup you might be into?
I actually would probably work on an open-source project. I’m fascinated with the idea of right now there’s a lot of mm I’m gonna sound really trite saying this, but like there’s a mobile and web development are pretty separate.
I’m fascinated by projects like Swift on the server and React on the device, but I think — I think they’re a little too idealistic still. Like I think I would want to work on practical reusability and frameworks, and I love Swift, so I’d love to get involved with what IBM is doing with like Swift on the server.
So, yeah, I don’t know; that’s not super exciting. It’s a I’d go a little bit more back to like my open-source roots and work on — I’ve never built a framework or worked on a language, and I would love to do that.
Yeah, yeah, totally cool.
All right, guys, so if someone wants to get into security or building pod catchers, what would you recommend? What should they check out?
That there’s honestly not a lot of stuff out there. You know, I used to tell people, "Oh, you know, if you’re really then interested, go to DEFCON." That’s not really a great idea because it’s just — it’s fun, but you know the amount of learning you might get done will probably be erased by the amount of partying you do.
So, you know, I think just, you know, trained. Like read through blogs and stuff like that. You know, honestly, Hacker News has some pretty good, you know, security stuff to get submitted to it.
Yeah, Hacker News is a great resource.
Capture-the-flag activities have been super fun. Like that’s kind of how I got a little more into it was trying that. I’m still terrible; I’m no good at it because it’s like a little bit beyond me, but that helped me learn some of the technical techniques and some of the common exploits, and they set — start to follow that.
I don’t know how close are things that you do in a capture-the-flag event to like real-world security issues?
Mmm, it depends upon how well they were set up, I guess. I won't really totally go into them — like my heavy background — but like there’s a lot of stuff that you can simulate pretty easily.
There’s a lot of — there’s a lot of hilarious technology that’s still around from like when I was a kid that people were breaking into left and right, and you just laugh. I think a good way to see that kind of stuff is really, you know, I mean, you know, if you want to go into the weeds, you can look through Shodan and find something kind of interesting there and then start to, you know, read up on how it works.
You know, the IOT security is going to be like a really big thing, and getting pieces of common IOT equipment is pretty easy. You know, it’s like maybe like 10, 15 bucks you can get a little programmable computer essentially and start poking away at it.
Like I dug into MicroPython and like submitted some patches and did some cool stuff with some boards and like had a lot of fun, you know? It cost me, you know, ten bucks maybe.
So you can get started pretty easily doing some of the basics, you know. If you’re looking for like ways to learn how to exploit stuff, I mean, you know, that you can Google. Actually, Insecure.org has some really great mailing list stuff on it; you can sort of see what’s new.
You know, looking through new CVEs is kind of an interesting way of learning about stuff. There’s really not a great way to get an intro aside from like having somebody kind of mentor you or essentially breaking the law right now, which I don’t do.
Not recommend.
I was just like — you like, "Oh, breaking the law?"
Yeah, it’s like I’ll take you one step further.
Do you have any favorite last questions from podcasts?
Okay, is there anything — any common philosophies in software development or security that you disagree with?
I mean, there are some sort of old-school methodologies of things where it was really kind of security by obscurity, and like that stuff is just — mmm, it’s BS basically, you know?
I think if you want to be like a good software developer, like you have to, you know, get good at, you know, the tools you use regularly. You know, I know like three or four programming languages. I don’t think that’s really super useful advice.
Yeah, I know LOLCODE; you know, I know some pretty silly stuff. Doing esoteric stuff is not recommended on either side, so I don’t think I can think of like a methodology that would be good or bad.
I think some people rely a little too much maybe on like source code control. I feel like maybe the Git security model is pretty bad when you compare it to some of the older stuff.
But, you know, the usability you get out of it is like way weirder, so I don’t think those things really go together.
I don’t know, yeah. I think I’d — I just fall on the side of being really good with your tool rather than always looking for the newest tool because that’s just — it’s been tiring to me with my limited experience as an engineer where it’s like, "Oh, you have to use this language or this framework or this thing."
And just like how about we just get really good at Python or, you know, you know, choose your tool, but yeah, that would be mine.
Yeah, how about you?
That’s a really good one. Oh man, I just had something that I do — that was such a good one; I loved it.