The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
The Audit - Presented by IT Audit Labs
Quantum Computing's Impact on Cybersecurity with Bernie Leung
Explore the intriguing intersection of quantum computing and cybersecurity... It’s closer than you think.
In this episode, special guest Bernie Leung from Autodesk shares his expert insights on how quantum computing is reshaping the cybersecurity landscape. Discover the challenges and breakthroughs in encryption practices as Bernie breaks down complex concepts like the Shor Algorithm and discusses practical steps for adapting to this new era of cybersecurity.
In this episode, we dive into:
- The essentials of quantum computing and how it could revolutionize encryption.
- Current encryption vulnerabilities that quantum computing could exploit.
- An introduction to post-quantum cryptography and the new standards on the horizon.
- Practical uses of quantum computing in cybersecurity today and what we might see in the future.
- How governments and businesses are preparing for quantum threats, including updates in regulations and security protocols.
This discussion is not just theoretical; it's a guide to understanding and preparing for the quantum leap in data protection.
#QuantumComputing #FutureOfCybersecurity #Cybersecurity #InfoSec #PostQuantumCryptography
Welcome to the Audit presented by IT Audit Labs Today. We're joined by our usual cast, nick Mellom and Eric Brown, and our special guest today is Bernie Leng, and he's from Autodesk, and we're going to be talking today about post-quantum encryption. So, without further ado, here's Bernie. Can you give us a little background, Bernie, and tell us about your career path, and then we can jump into the post-quantum encryption? Absolutely.
Speaker 2:Thanks, we can jump into the post-quantum encryption, absolutely Thanks. I really appreciate this opportunity to discuss this topic. It's kind of important. But before I do that, I want to make sure I give a disclaimer. This presentation going forward is basically not a reflection of my current employer, autodesk, so none of this is a representation of their position, nor what they're thinking of, and this is all coming from me directly, so I just want to make sure that that's clear on that. So just give me a little background. But where I? You know what my journey has been to up to this point here.
Speaker 2:I started out working for, you know, having my own small company in Chicago.
Speaker 2:It's about like 12 consultants or so dealing with cybersecurity back in the days, back in the early days of 2000 timeframe there.
Speaker 2:So in about like 10 years ago with 2014 or so, I see that the trend of cybersecurity is really ramping up big time and I was trying to hire people in locally in chicago area and it's not easy, I could say, you know, even it's a tough thing.
Speaker 2:So I decided to to branch out into the california area. When I jumped to california, I actually hooked on to two very high profile cyber security person. One was a former cio of the white House and the other one happens to be the US Air Force chief software officer. So I reported on them directly and that really opened up my eye as to what security, in the sense of, like, the nation in the large corporate, a large ecosystem, what is it that we're dealing with? So, and that led me to a little step here and there and so on, and now I'm currently working in the uh, well, looking at a liaison for the federal government and uh and my current company. So that's where I'm at right now. That's, you know journey, last 25-year journey, I would say well, bernie, thank you for that.
Speaker 3:Can you talk a little bit about how you got into encryption that's a pretty broad field and then quantum. How do you bring those two things together?
Speaker 2:I think we come back to the basic question why do we even need encryption? First of all, All we're trying to do really is to keep secrets, certain secrets that we have. Now you say, hey, you know, only government has secrets. Well, that's so true. We have secrets as well. Our secret, a thumbprint, is our secret, right, Because that identifies me. That's not going to go away with me anytime soon. So how do you keep a secret? You keep a secret by, you know putting a lockbox, you know a safe, but if it's going to be digital, you encrypt it. You basically put the encryption on it and that's where we are at right now. That's what encryption really does is to keep secret for as long as we could and, being in cybersecurity, our job really is to keep that secret. Keep your secret secret. That's really our job.
Speaker 3:And then what about the quantum piece?
Speaker 2:Yeah, that quantum piece is an interesting thing too To keep a secret. We have been doing this for as long as we know. There's different technology in secret. Back in the Roman Empire days they had secret too. They used these I don't know, these little charts that they gave it to you and then get some carry to run out there and give that secret command to the generals and so on. So secret's been around a long time.
Speaker 2:How we encrypt that is changing based on technology. Now in secret we have two pieces that we needed to worry about. One is that data, that information that you got to keep encrypted. That's one thing. But the other piece is that data, that information that you got to keep encrypted. That's one thing, but the other piece is that transmission Right. So I personally like the Roman Empire. The first thing is we have that, that little chart that they use. That's that's one part of it. The other one is the courier, the guy who's riding the horse over the other place. If, if, don't either one of those compromise, the secret is no longer a secret. So in the current day we have the same thing too. We have what's called now, what we call the data at rest and data in transit, but those are the two terminology we use nowadays.
Speaker 2:We have used different technologies to keep those and one of them that we all know about, we hear a lot about, is TLS 1.2. Whatever it might be, you know your http, your website, you all use those, those, those capabilities right now. And the tls uh, majority of them have. This protocol uses an rsa protocol. We've been using that actually since 1970s or so at least. Governments we use since 1970, but it's kept secret, government kept secret secret until about like 1990 so that that became publicly used and we've been using in the public environment since then and we trust that. We trust that quite a bit because of the fact that it's been tested. It's been proven all that well, not proven, but it's been tested all this time and we've come on the patches for it well, until 1997.
Speaker 2:Uh, this is one person by the name of Shor, a mathematician or scientist I would say. Shor came up with this algorithm called Shor Algorithm and he said well, with this Shor Algorithm, with enough computing power, quantum computing power, I can break that LSA security within very short time. And what do you mean by very short time? Very short time is what they call a, I would call them a log log time. You know, exponential time is pretty easy. In the two, four, you know two, four, eight and things like that. Log log time is in the amount of tens, hundreds, thousands. You can solve that problem in that kind of a timing. So that means. So that means your TLS encryption could be solved by quantum computing in a very short order of time. Well, what's that gonna do to us? Our data is no longer available. That encryption key we've both so fully relied upon for so many years is no longer valid when that capability is available to us.
Speaker 3:Generally we can understand that encryption essentially is a secret key and then you can use compute power to essentially guess what the password is, and the more compute power you put against it, the faster you're going to be able to guess it. And I think every couple of years there are tables that are published to say that an eight character password in 2024 can be cracked in six minutes. Let's just say and then if the compute power continues on a linear scale, by 2030, a 12 character password could be cracked in, say, six minutes.
Speaker 3:Right, and then these aren't exact terms but there's a chart that kind of depicts or tries to guess what compute power will be needed to crack a particular length of password and it depends on how many characters you're using numbers, letters, other characters. So when we talk about encryption and we talk about quantum the quantum piece and we did a podcast episode where we did a deep dive on quantum with bill harris, uh, but that's a pretty heavy topic. So can you maybe break down for us, bernie, just the quantum side, and I, I know there's uh, we kind of talk about it in terms of like Schrodinger's cat and apologies, nick, this is a little early in the game, right.
Speaker 3:It's early, but I mean with Schrodinger's cat, it's the premise is there's a cat in a box? Is there's a cat in a box? And again, apologies, nick you look in the box. You don't know if the cat's dead or alive until you actually look in the box and quantum, apparently it can. It's either, or it's both alive and dead at the same time, and then when you look at it, that determines the observation, determines the state that it's in Right, right, all in good. On paper, I think we can all grasp that. But when it comes to reality and it comes to actual quantum mechanics, quantum equations that are dealing with encryption, how do we go from that theoretical piece to actually being able to encrypt things in a quantum fashion?
Speaker 2:And I would say that instead of looking at encrypting it with quantum at this point here, our capability now is to reverse and say the secret you have now could be cracked by quantum computer. That's what we add today. But we will talk about a post-quantum cryptography. We'll talk about that in a little bit. But in the initial time, why is it that we even bring this topic up? Why is it governments all worry about it and all that stuff? First of all, because of this public-private key, rsa, rsa, public private key situation that we're talking about, that we actually keep our conversations and so on, secret. That is based on a from a mathematical this factoring we call factoring. You take two prime factors. You go through a month by an algorithm. At this rsa algorithm come up with two private keys. The two keys are public and private keys and if I keep my private key and the two numbers, I can give you the public key, I can publish a public key and we can have a conversation. I can know to verify who you are and then you can use that to send things back to me and so on. Qualify that the Shor's algorithm. What it did was it said. I can solve that problem, that secret, private key. I can solve that problem. Now, given enough quantum, I can solve that problem. So it's no longer a public-private. What you think is a public-private key secret is no longer so.
Speaker 2:How does the quantum do it faster though? Oh, the algorithm is what makes a difference. It's based on the theory. That is not based on theory. If we're going to use this capability in a traditional classical computer, it's going to take us forever. That's the reason we've been so lax on it. We say, hey, we don't need to worry about it. But the way that quantum computing does things and this algorithm that Shaw came up with, it's basically inter-relationship of, instead of just one and one relationship. Now they look at in a matrix format, multiple relationships to solve a factoring, strictly a factoring, mathematical, um calculation right, so it's. They just saw a, a single purpose. You solved a single-purpose algorithm, but just so happened that this algorithm is very useful in security. Now, quantum computing granted, you were talking about Schrodinger's equations, all that stuff that's used in many other areas as well. We know that. But this is strictly on one algorithm that's based on quantum and they solve this public-private key problem.
Speaker 1:You know, bernie, how long do we have, with the current state of things, before quantum computing is able to crack all of these encryption methods that we've been using?
Speaker 2:Well, the come back to the same thing we were talking about earlier was the fact that we are able to factor these you know, do it to do to the prime prime numbers, actually basically where you know the show shows algorithm and basically the RSA works as you take two prime numbers, you put them together, multiply them with a bunch of bunch of manipulations and you come with your private, public key and for the way, the way we have it now, the prime numbers are pretty long. And so all these algorithms, if you're going to have this long prime number, it'll take a while. It'll maybe take another 5, 10 years before we get there. Yet the prediction is 5, 10 years, a number of quantums, what they call qubits, to get it done. But in the meantime you say, well, is it real? Does it really work? Can I prove? Can you prove it to me? Um, so ibm did prove that about maybe 10 years ago. So maybe not, maybe not that 10 years ago, maybe five years ago they took some really simple numbers. You know three and five. Now ibm has already come up with 100 qubits on this one here, and I know that you know, as we go along, you know as we go along, the number of qubits will go and go up. You know so.
Speaker 2:So the question come back to you, joshua, is how long do you think we would take it? The prediction is, with maybe five, ten years or so, that our current prime number, that the length of it will be. You know what could be broken could be broken now, but that depends a couple things. One you know are there computings? You know, are we could be broken? Could be broken Now, but that depends a couple of things. One you know are there computings? You know, are we going to have that increase in quantum computing capability, qubits, as we go along? Could it be faster, could it be slower? I don't know yet. We don't know yet.
Speaker 2:So that leads to the question about why is it we're talking about now. Why is it? As a matter of fact? I'm sure you have seen something. Even the White House came up with a directive to the federal agencies. We have started taking actions on this, and the action that they said is you can come up with a quantum encryption. They didn't say that. They said you need to start taking inventory of what is important to you, what are the secrets you need to keep. That's in five years time. That is still going to be important. Like I said, your grandmother's secret recipe that's going to be forever. That needs to be forever. I need to keep inventory of that. So that's what we're talking about at this point in time. That's why this is bringing up to be such high level of importance to the federal government and, frankly, to us as well.
Speaker 3:Yeah, absolutely so. So, bernie, we were talking about how classical computing, which is the computing of today, encryption uses prime numbers to create these mathematical sequences that are difficult to crack or to break. And with quantum, somehow quantum computing is able to do that many times faster, just due to the way that the qubits can break apart those algorithms. And maybe, if you could give a cliff notes on that, how does a quantum computer work faster at factoring prime numbers than a classical computer?
Speaker 2:Well, I don't think I would be able to explain that in this short time. I'll be honest with you. Sure, yeah, I know it's a very, very complicated mathematical discussion on there, and Shor's is the one who actually wrote that discussion there. Shor's algorithm is what we keep referring back to. Like SHA-256, for example, no not that one SHOR is a different person, but they are both involved in the data at rest and data in transit, and you're correct on that.
Speaker 3:It sounds like you have to have a last name that starts with S to even do anything with encryption. That's my takeaway.
Speaker 2:Yeah, that's a good point. Think about that.
Speaker 4:I would agree with Eric on that.
Speaker 2:Yeah, that could be right.
Speaker 3:You're talking about Shor's equation for quantum. Yeah, that could be right. You're talking about Shor's equation for quantum.
Speaker 2:Yeah, that's correct. That's Shor's algorithm for that and there's another one for the Shar stuff. The Shar we talked about there's Grover. Grover has that side of solving that problem and Grover turns out to be from a quantum standpoint is not as efficient. So that would take a lot longer. But the public, public key side is the one that's actually being pretty correct. Uh, rather easily.
Speaker 2:But the look at it, if you are able to crack that transmission when you and I are talking, you can crack the transmission and then track that key in between. There. I can probably get that key already. You know, because the SHA-256 is not a public-private key, it's a single encryption key going back and forth, right. So if I can track that traffic going through, it's easier for me to go from there, take whole traffic, full conversation, and grab those keys and then decrypt the actual message in between. So they are related. They're certainly related that we need to have both.
Speaker 2:But we talked about the fact that it is all based on this prime factor, this prime number. You know, this prime number that's short, it will crack the prime number and the way they did it is there's a couple of things happening between as well, even if the algorithm, the prime number itself, are easily I would say not easily guessable. It is guessable because we get those prime numbers from a certain source and what we call a pseudo prime number, pseudo random number, right, that's how it generated the prime numbers. It calculated from a pseudo random number and pseudo meaning. You know, we get a pseudo random number generated from maybe the hour or the clock which goes around 24 hours, right, we know that. Uh, it might come from, uh, I don't know things of that nature, right, which has a rhythm to it, and shore's algorithm actually takes able to look at that from a larger standpoint and look at that rhythm and say, you know what? Because with the way quantum handles it, I can handle those rhythms and they use, you know, for your transforming or the good chess, or I get into pretty detail about how that works there and get those, and that's why you can go reverse that and find out what prime numbers are.
Speaker 2:What, if we have a prime, we have a, a random number generator that's not pseudo. Is that possible? Yes, there is actually turns out possible, because we could have we could photons coming in, the photons that hit your, hit your watch, or whatever it might be. Those are not cycles, those are not 24 hour cycles, right, a cosmic, cosmic, I don't know. Whatever, whatever photon, whatever time comes and hit that thing. Those are not predictable because those are definitely a random occurrence, because nature is random, right, nature in that sense is random. So there are people actually out there now that's providing those random numbers. That is not generated by a pseudo random number generator, but it's actually generated by a pure random situation.
Speaker 3:So, Bernie I don't know if you heard about this when we're talking about random number generation, I think it's Cloudflare We'll have to fact check this, but I think it's. Cloudflare has a wall of lava lamps and they point a camera at the wall of lava lamps and they're using the motion of the quote-unquote lava in the lava lamp to generate that random number.
Speaker 2:Yeah, no, I didn't hear that, but that's a good way to do it. That's a good way to do it because those are random natural nature occurrences which we can predict in the same sense not like a clock with 24 hours we can predict those.
Speaker 2:And they don't come in, you can still say it comes in a external factor. I'm not so sure there's an external factor because of heat. You can say that heat because of the heat generated by the lava lamp, because we have 60 cycles, remember, electrical comes in 60 cycles, so the filament could be a 60 cycle. On that one I don't know. Somebody might be able to figure that out, but I don't know.
Speaker 3:And I think they say that the randomness of people walking by and moving the air or the door opening or the ambient temperature all factors into the randomness of how the lava moves.
Speaker 2:Yes, that is, yeah, those are good, good way to get a true random number coming in. And that is one of the areas that we can take nowadays, one of the big steps we can take nowadays to kind of get that into place, to protect some of these things here. Now, of course, you and I myself, and as individuals, we can't do that very well yet because we don't have the other layers on top of it.
Speaker 2:But there are products out there, the systems and products out there, that have built those layers on top of it now and we can look at our vendors and say, hey, you know what, do you have that in in place already? If you do, have you have that in place? And I know at least I can trust you that you have the random number? That's a lot more difficult to crack than the ones that we've been using the last 10 years well, I'm going to look at lava land differently now that's a good name brand, by the way.
Speaker 2:Come and think to think of it.
Speaker 4:So, bernie, you've been talking pretty deeply about this stuff too, and one thing that we are, and everybody's talking about it as AI right, we talk about it daily, weekly. I'm really curious to get your take on. You know what's the intersection, you know from your industry or you know the quantum with AI. Are you seeing that currently or do you anticipate it growing even more?
Speaker 2:You know, I've been thinking about that quite a bit and there isn't a whole lot of talk about AI and quantum coming together today yet. But I can surely see that coming together Because, if you think about it, quantum has all these qubits, what we call qubits. You know that interact with each other and all that stuff going down, going down the, you know, going in this chain, in this, in this chat, in this. I don't call it, what do you call it? Chain in this machine, whatever it might be right.
Speaker 2:But you look at AI. Ai in the sense it's very similar in that you have one layer, neural networks, one layer, another layer, another layer, and you feed those things across that way as well. That's what the neural network does. If you think about, those two kind of come together because they're still layer, leading layer, and layer One does it in mathematical way, the other one does it well, it's still also mathematical way. So I can certainly see the link, how those two to come together. Now I don't think I have an algorithm for it or an idea how to do that yet. Well, I would certainly see that in some bright scientists will come up with an idea as to how those two could come together. So yes, I would certainly. I do keep an eye on that piece anyway.
Speaker 1:Keeping an eye on these advancements in technology and whether it comes to quantum or AI. From my understanding, it's mostly larger companies like Amazon or Alibaba or Intel that have quantum computers. Is there a threat, an immediate threat, in the near term, or is this kind of stuff that we have time to prepare for in the cybersecurity industry?
Speaker 2:Thanks for bringing that up. Thanks for bringing it up. That is something we do need to prepare for right now. There is a thing called a theory going on right now, called Harvest Now and Decrypt Later. What it means is because you and I are talking right now, this conversation is routed through a bunch of routers out there, a bunch of ISPs out there. They all keep this information. They could keep all this information that we're talking about right now. It's encrypted, granted, at this point, but they can keep it, this drive to achieve Keep that five years from now. They can use quantum and break this conversation up, whatever it is. If I'm going to tell you my secret recipes or my grandmother's recipe now, five years from now, they can crack that and figure out that thing there.
Speaker 2:So, yes, this is a step that we need to take right now to look at and say, hey, that's reason why the inventory is so important to figure out. Where is it that we're gonna have the vulnerability in our system? Are we taking? Certain things have a long term? Security issues something that we want to keep forever. So we have a time frame where we know right now, lifetime of that secret. What is that lifetime?
Speaker 2:The secret would be if it's going to be 10 years, the secrets you've only been good for 10 years. No, take that. But we also know a quantum will come, coming in five years time. So that would be five years time. So we have five years in between. That's comparable timeframe that we need to worry about. So, yes, we need to start taking inventory of what is it that we want to keep. If something doesn't look forever, we best start taking action on those. But if something is going to be like the secret is only good for another three, four years, well, I wouldn't worry about those, because quantum by the time a quantum computer comes around, that secret is no longer important anyway. So, yes, not everything is on the same level of criticality right now, but certain things are.
Speaker 4:Yeah, I think you talked about it a little bit earlier, bernie like what the government is doing right now. Are you able to expand on that? You were just touching on it a little bit there on that.
Speaker 1:You were just touching on it a little bit there. I'd just like to piggyback on what Nick's question there and say, yeah, what? Maybe the government, of course. But also, are there any other post-quantum encryption solutions being implemented in the market today?
Speaker 2:There are standards being proposed by the government and I'm glad to say this is not just US government, this is a worldwide government. Every government is looking at the same problem here and I'm glad they're working together on this thing here, so they're looking at those. Right now we have three what's called post-quantum cryptography algorithms that proposed, and they are not the same kind of algorithm that we have been doing mathematical based. You know that's not what it was. It just mathematical. Actually, we face that term, but it is not a. It's based on a different kind of uh thinking. They use what they call lattice based um algorithm now, or thinking now on those things here. So it's a different way of looking at how you encrypt things, how do you find those um, how you find the keys and they space it on a lattice-based solution.
Speaker 2:At this point here, like I said, there are three standards proposed. Nobody has came up with a product for it yet, but there's still a discussion about when that would become available. So, step one get the standard in place. First of all, get that in place.
Speaker 4:And.
Speaker 2:I think that could be rather quick. In a matter of like a couple of years or so, I think we could have a standard and now the companies themselves can start working on an actual product to solve that problem. The good news is these algorithms, these three standards right now, when you sign on the three standards, they will be on public domain. It's one of the given requirements. If you're going to have this sort of thing, you will provide it to public domain. So many companies could use the same idea and come up with their own product algorithms and so on to implement these standards. So that's good news. Like I said, this is the worldwide government doing this already. So that's good news for all of us.
Speaker 3:So, bernie, what work or what are the projects that you're working on in this field? Can you elaborate on those?
Speaker 2:I cannot talk about those in the standpoint from what my employer is doing Autodesk. I cannot talk about that on myself. I can talk about that On myself. I can talk about what I do on my spare time and so on. I certainly am going into looking into a lot in the algorithm side of it, just the quantum algorithm itself how does that work? And using different tool sets out there IBM tools, whatever my tools I have available that I'm using those tools to formulate my own idea about how to solve these problems here as well. The good thing is these tools are available for free. Well, as long as I don't use it, you know outrageously, but they are available for free. So I have to spend my free time to do that.
Speaker 3:So yes, If people want to go and learn more about this, do you have some recommendations for them? Maybe books or podcasts or articles? Where could people go to find more information?
Speaker 2:Yeah, there are quite a few places actually that publish that out there. Now the one I'm talking about, a company called IDQ. Now the one I'm talking about, a company called IDQ I don't mind bringing them up a company called IDQ that actually talks about the capability for random number generation, how they wrap random numbers, so you can look at their publications. Of course IBM has that quantum computing capability, what they call the QISKIT, q-i-s-k-i-t. You know has that quantum computing capability. What called called? They call them the uh quiz kit. Q I s, k I t. You know they have that tool out there for running, uh, quantum simulations or actually real quantum computer. You can even build that too, so you can use those tools, uh, to actually learn some of those things. The other if you really want to get well into the part about the encryptions and so on and about p-quantum cryptography, you can certainly go into government side of it and look at NIST standards. If you just type in NIST and post-quantum cryptography, you'll get a bunch of information from them as well.
Speaker 3:Earlier in my career, as IPv6 was coming out, I had always said you know, I'm probably going to be retired by the time IPv6 comes out. It's just a headache that nobody wants to deal with, right and. But now, unfortunately, I'm working on a couple of projects that use IPv6. And I've said the same thing about quantum. You know, hopefully I'll be retired by the time quantum comes out, but it doesn't look like that's the case. It sounds like it's here today. It's almost right around the corner and we're probably unprepared for Quantum. Right, we can't even deal with the security risks that we have today, let alone add on top of it Quantum. So it's probably an area that we all need to become better at and certainly learn a lot more about.
Speaker 2:We know it's coming. It's just a matter of like you know you're prepared now or you won't wait till the issue before you prepare. But take priority, look at it from a priority standpoint. What is it that you want as a company? What is it that you're crown jeweling you keep? From a private, from a corporate standpoint, from a personal standpoint, I probably need to worry about a little bit, about a few things here and there. As far as quantum, nothing much, but maybe my thumbprint. I just want to make sure that whoever's keeping my thumbprint understand the security of that piece. You know things like that.
Speaker 1:We were talking about. We frequently talk about things we can do to help ourselves protect our loved ones and our own personal computers and businesses. Eric, one of his favorite pieces of advice is to lock your freeze your credit. Is there anything we can be doing right now to kind of be forward thinking in our own home businesses, personal computers and things like that to prepare for this down the road? Do we need to start coming up with? Like 30 character passwords.
Speaker 2:I don't think password is as important as two-factor authentication.
Speaker 1:Two-factor authentication.
Speaker 2:Two-factor authentication probably is the one that we need to start thinking about. More importantly, two-factor authentication could be as simple as just having a company, just like the bank, send you another password, send you a code into a computer, into your cell phone. Those are important items. Just taking two-factor authentication is much more important than even think about a 60-character password. That, today, is more important. So, yes, those things are important. Yeah, multi-factor authentication is absolutely important.
Speaker 1:How is this going to affect cryptocurrency? You know crypto has become really big in the space. You know we all have some crypt. It's right in the name, right cryptography crypto. So how do you see this impacting that space?
Speaker 2:well, crypto. Um well, one thing good about crypto is the current the cryptocurrency the, the secret part of it. It's not that long live. You think about it because if I trade my crypto, that's already gone because of my value has changed already and my keys have changed already. What is important, however, is that crypto key itself. That key is important because that basically represents yourself and have it out there. That's still not as big a problem because they can always change that down the road. They say you know what I'm going to implement this one here, uh, this new, you know, quantum post quantum, uh, cryptography. Now you all switch over to this news capability. That's okay, we can still switch it over, right, so it doesn't bother so much in the cryptocurrency standpoint because our life on that the secret need to be kept is relatively short compared to other things out there, and I would sure hope these cryptocurrency companies will be looking at it already before five years comes up. So think about how they're going to implement these things in there.
Speaker 4:Well, I feel like I've learned so much today. I'm just like why I bushy tailed.
Speaker 1:Listen to that eric and nick, do you have any other questions that we might want to to get in before wrapping up today?
Speaker 3:well, I do have um some questions here from some, uh, some feedback we got from some of the listeners of the podcast, not related to crypto or encryption, but there's two. The first is well, it's more of a statement, so we had asked for some feedback on the new kit and, for those of you who have listened a couple of times, you know that Nick's got these hairless cats or whatever, and he decided to get a third one. Didn't have a name for it, so Jackie S gave a suggested name, nick here, and it is Egger, allen, paw and maybe Epi for short. So I don't know what you thought about that one.
Speaker 3:And then the second one. We'll keep it in the running, good. The second one was more of a question for you, nick, on social engineering. So this one comes from Dan M, it looks like, and Dan's asking if he wants to get into social engineering, what is a way that he could?
Speaker 4:do that? That's a great question actually. Put me on the spot here. I think one thing that we get into and I've talked to with other people about, with social engineering, is, wherever you go, you can be practicing it in your head. Let's say you're at a restaurant, right, and you're waiting for your waitress or waiter to come back. You're watching where they're going, how long it takes them to get from, maybe the back of the kitchen back to your table. Well, you know, maybe start working on counting that out in your head or making notes of those things, because those are tactics we might use if we're social engineering some business, right, if we're watching how long it takes for, you know, maybe the front desk employee to go make her rounds, and that might be our way in or out.
Speaker 4:So I think there's opportunities in everyday life to practice or sharpen our sticks for these tools, and it could be anything from what I just described. You know, going out to eat. It could be talking to, you know, a family member or a relative. You know picking up on these little cues, you know dropping these little hints, and maybe you know I'm not advocating to do this to your family, but just seeing how people might react to a different situation and see if you can pull them along in a conversation, something that might help you. You know out in the world doing these events, but you know really the best way to do it is just to get into it is just to do it right. You know there's tons of YouTube videos out there. That's kind of where I got my start, watching people do it every day, and then I do that a lot when I'm out with my family I watch. You know people's mannerisms. You know how they react when you say different things.
Speaker 4:I think I read a book a long, long time ago maybe close to five, 10 years ago. I think it was called how to tell if somebody is lying to you, and that was an interesting book to read. And I think that you know ties into the social engineering world is because you're you're really looking for those cues on a somebody's lying to you or if they're actually believing what you're saying, and that might change your tactics when you're actually doing it. So I gave a lot there of what I think. But you know I gave this advice to somebody that asked me the similar question not that long ago. When you're out every day, you know practice those little cues, you know count out the steps it takes somebody to get somewhere, how long it takes them to get back and work on. You know how you might go about either breaching that room or you know where you might go to either drop that payload with a shark jack or something of that nature. So hopefully that answers the question, but that's a really good one.
Speaker 1:Just to piggyback on that, Bernie, if someone's looking to get into the post-quantum encryption space, what could they be doing in their career? To be filling out their resume?
Speaker 2:I would say step one is to understand what we talk about at TLS, the current environment that we're dealing with right now. Why is it even vulnerable at this point here? So you've got to be able to speak to, why are we bringing this topic up first of all? Um so, understand TLS, understand, you know, the shore algorithm and the shark 256 or whatever. You understand those things first of all. And then number two is actually getting into looking at some of these discussions about, um, uh, like I said, go into the NIST discussions, those NIST publications. They do go into detail about what their current thinking is, how the lattice-based algorithms coming up, how do they work. Those are very heavily mathematical discussions. Those are very heavily mathematical discussions. But we don't have to be that. We could be the one just basically bringing that tool out to the public for the adoption part of it. But still understanding where the basics are in those things I think would help a lot.
Speaker 1:You're in Chicago right now, bernie. I know you've spent some time in LA and in Hawaii as well, but in the Midwest here, looking for recommendations for restaurants in Chicago. Can you let our audience know what your top eats are?
Speaker 2:I love Italian food myself and, of course, I love Chinese food as well, but I like Italian food, so I would suggest going to Italy. You know it spells E-A-T-L-I-T-A-L-I, italy. Right, I like it, it's a good place. It's a nice restaurant. They have multiple restaurants upstairs, actually, and a grocery store along with it, so if you'd like to make your own Italian food, you can go there as well.
Speaker 1:Do they allow you to bring your cat with you. You know what?
Speaker 2:I think we're pretty friendly as far as pets are concerned. Here I've seen dogs, but I've never seen cats yet. But you know what? It's always a first time.
Speaker 1:Nick, you're in. Bernie Lung, it's been really fun chatting with you today. Thanks so much for your time. We look forward to staying in touch with you and hearing about the developments. Hopefully, five years from now, we're updating our audience about the advancements that you've been making with your team and once again, bernie Lung from Autodesk. You've been listening to the Audit presented by IT Audit Labs. I'm your producer, joshua Schmidt. You've been joined today by Nick Mellom and Eric Brown. Please like, share and subscribe. If you'd like to hear more cybersecurity info, this is your spot. We have bi-weekly episodes every other Monday. Tell your friends and hope to see you down the road.