Q&A With Trail of Bits Co-Founder Dan Guido

If you’ve been following crypto for any amount of time, one of the things that stands out is that security measures only seem to be discussed in the wake of the latest hack or fraud. The pressure to put new software out in the fast-paced blockchain world is high and, as Dan Guido knows too well, many developer teams only think of security as an afterthought. In a wide-ranging interview, we talk about how an illness-filled year in high school sent Dan on his way to create Trail of Bits, one of the pre-eminent software security firms. The DAO hack of 2016 finally pulled the firm into the crypto world, and the firm’s business there is growing at a rapid clip. Dan came to my attention after Amber Baldet recommended I speak to him. You can read the Amber interview here and check out Trail of Bits here.


Matt Leising: Where were you born and where did you grow up?

Dan Guido: I grew up outside New York on Long Island. I went to public high school out there and moved to New York City for college. I went to a tiny little university called Polytechnic University and while I was attending, they were purchased by NYU and I graduated with a different degree than what I started with <laugh>.

DG: While I was there, I was a troublemaker, I hacked into various things inside the school while I was a student. I went there because I wanted to pursue a career in security. I knew that at an early age. And I figured that a really fun way to show up to the security club was to hack the security club's website and then introduce myself while walking in the door, like, ‘Hey, I'm the guy who just hacked your website.’ <laugh> That made me a lot of friends except for the one person who was in charge of maintaining it.

DG: That was a great experience going to college there because I got to meet a lot of people that were there for the same reason. They had a really robust security program when not a lot of other universities did. Importantly, they were an NSA center of excellence, which is a special certification program that universities can achieve when they have a robust amount of coursework and research programs focused on nothing but security.

ML: That's the National Security Administration, the NSA?

DG: Agency.

ML: Yeah, agency. Sorry.

DG: No worries. I mean, nobody even knew who they were until like 10 years ago, so <laugh>.

ML: Edward Snowden changed all that, didn't he? Hold on, let's go back just a little bit. Tell me a little bit more. What were you like as a kid? What did you like to do? Were you into sports? Were you always on the computer?

DG: So I've always been a really nerdy kid. I grew up reading “Star Trek” books and I really liked computers, but two factors really played into my early childhood. First is my dad's a gym teacher. He's a football coach. I played three varsity sports. I started on the football team. I was a second string quarterback, a first string safety. I played on the baseball team, I ran track and I was good.

DG: I'm an athletic guy. But midway through high school, I got afflicted with a really bad Crohn's disease flare up, but I got a double whammy. I got mono and then I got a Crohn's flare up and I lost 30 pounds and I never really played sports again. So for the period of about a year, my entire 11th grade, I just didn't go to school. And while I was at home, all I was doing was messing around with my computer. So it was a time in my life when I really got to dig deep into the area of work that I now have. And I think that accelerated my intellectual career while it really set back my athletic one.

ML: I'm sorry to hear that. My wife had ulcerative colitis and we went through many bouts of that over the years. And it's just horrible.

DG: Yeah. I'm lucky. My case is not like super terrible. And the drugs that I'm on helped me a lot which is part of the reason why I had a really bad COVID issue earlier in December because the immunosuppressants that they give you these days are actually really effective at turning off your immune system <laugh>. So that's great for Crohn's but bad for COVID.

ML: So would you say that you were into sports, your dad was a gym teacher until that Crohn's episode kind of knocked you off course. And then did the nerdier side of you take over, or were you also a nerd and a jock at the same time?

DG: I bridged the gap. Like I was doing LAN [local area network] parties [for playing video games] and stuff when I was 15 years old <laugh> and I was playing on all these sports teams. I was always the awkward kid that sort of fit in with all the techy, computer nerd guys, and kind of fit in with all the athletes. I was just kind of an awkward participant in both of those things. But not going to school for a year really gave me an opportunity to hyper-specialize. I think it really set me forward when it comes to my intellectual development, because I wasn't really challenged by school. I used to get top marks in all the classes that I took without trying too hard. So not going to school allowed me to self-direct more effectively than what my teachers were providing.

ML: What did you focus on in that year, what interest did you really dive deep into?

DG: So I think I learned a lot about security that year. I got a laptop and I put Linux on it and I started learning about how to crack passwords, how to break into WiFi networks. I finally progressed past the stage of using AOL punters, right? <laugh> You find a couple forums online and start reading about stuff and I think I learned actual effective security skills back then. So I ended up causing a lot of trouble because as I did come back to school -- at the same time, obviously, I was really into video games and I was really annoyed that I couldn't play them while I was at school. So I ended up hacking into the high school's computer network a handful of times.

DG: But like a good hacker, I didn't get caught. Right? Like all good hackers don't get caught. So I ended up getting the administrative password for the entire district and gave it to my friends. They could install Need for Speed III on the lab computers. And then they got caught using it. And when the high school principal was looking for someone to blame, he realized ‘ah, you Stooges, like none of you guys could have done this. We know that it was somebody else who gave you the password. We think it's Dan.’ But he never could pin it on me. So I kept doing stuff like that.

ML: So your friends didn't give you up?

DG: No, no. One guy got a five-day suspension.

ML: Snitches get stitches, right?

DG: Yeah. He's still salty about that. When I talk to him now, my friend Ed, if I call him up on the phone, he's – I'm 37 now I think he's 36 – and if I call him up on the phone he's still like, ‘yeah, I still hate you for that one time when I took the fall for the stupid thing you did.’ <laugh>

ML: That's really funny about the hacking the high school system. Do you know the NFT artist Tyler Hobbs?

DG: No.

ML: He's really big in NFTs, in generative art. His older brother got him into computers and his older brother hacked into his high school computer system, but got caught and got expelled. I've been doing these interviews with different people and it's really funny how there's echoes of all these things that come up with folks who are really prominent and who've made a career out of this.

DG: I think what's changed – it's different nowadays because I think that's something you'll hear from somebody around my age group. You know, around my age group hacking into your school, it was safe to the point that the worst thing that could happen to you is you get expelled. In the last 10 or 15 years or so, it switched where now when you hack into schools, they call the cops on you and you end up getting into legal or criminal trouble when you get caught. And I don't think that schools are as safe of an environment to experiment like that as they used to be.

DG: But on the other hand, the thing that changed in the last 15 or 20 years is now there are a lot more opportunities to exercise those skills in places like capture the flag competitions and war games online that never existed back in 2003 when I was in high school. I see that a lot of kids now are coming up instead of through messing around with their friends on like forums and IRC channels and hacking school networks – a little bit more they're coming up through competitive CTF tournaments or eSports.

ML: Something sanctioned.

DG: Yeah. It's sanctioned. They're ranked, like they have a website called CTFtime where people have global rankings of competitiveness in capture the flag. It's nuts.

ML: Do you think that overreaction to hacking into a school system comes from our post-September 11th world? Is it like, ‘oh my God, that's terrorism.’ Is that the vibe you get?

DG: I think it's just a general culture of fear from people. People already didn't understand what’s happening, but back in the early 2000s or late 1990s it wasn't as consequential because computers weren't as integrated into daily life. And now when you see it, it's extremely scary. It's like this weird ghost in the machine where people don't know what to trust and everybody knows somebody else who's been affected by a hacker or by ransomware. So you end up getting more of an extreme emotional response. And pulling up the phone and quick dialing 9-1-1 or whatever, or calling the cops is much more front of mind, even though I don't think it should be. If you're a school administrator, you should be in touch with the students you've got <laugh> and you shouldn't have to react according to the book.

ML: What did your mom do when you were growing up?

DG: My mom's a homemaker. She babysat kids from my dad's coworkers and friends and stuff around the neighborhood. So we always had <laugh> people lying around the house. I found it kind of annoying, because I really liked focus, quiet, reading kind of time. And there were always a group of kids floating around.

DG: I mean, my dad was a gym teacher for like 35, 40 years. He just retired this year, and he was a football coach, a wrestling coach and a lacrosse coach. He was the coach for all that stuff at my school. So when I played football, he was my coach. When I wrestled he was my coach. But I didn't play lacrosse.

ML: Do you think being an athlete and that experience in all those team sports has helped? Did that help you in any way when you started to get into the security side of tech and in your career today?

DG: It definitely helped the general development of competitiveness and being able to strategize about what techniques or what process or what approach is going to work to win the game. It’s kind of the same thing. What I enjoy about hacking is that it's not always a fight against the computer. A lot of times it's a fight against a human on the other end of the screen.

ML: We'll get to Trail of Bits in a minute, but Trail of Bits is obviously a team sport in a sense, right? You guys are getting projects, I was watching a podcast you were on where you got 250,000 lines of code dumped on you. You need a whole team of people to attack that, right?

DG: Yeah. I mean it's a team sport. So security is obviously like a multifaceted sort of problem. It's not just, you know, how do I fix this line of code here? You need to think more strategically around what software architecture makes sense. And do I have a software development process that produces secure code and generally what's the environment of risk that I'm operating in, and what does that mean for the way I should run my company and build the product? So, on one hand that's kind of like a team activity, but on the other hand, I'm a businessman, I'm a pointy haired boss now <laugh>. I have to build a company and as an entrepreneur it's tremendously challenging to take something that starts with just yourself performing services with like two other guys and turn it into 80 people.

DG: I never felt like this would be the hard part, but I actually feel more challenged today, 10 years into building the company, than I did in the first year or two. Raising my hand and saying, ‘yeah, I can hack stuff for money.’ That was the easy part. <laugh> I think everything got harder after that.

ML: So it sounds like that year you had to yourself really put you on this path. And then you found Polytechnic that seemed sort of geared to this security world. Are you one of those lucky kids that when they were in high school figured out what they want to do and were able to go about it? Was that where this path all started for you?

DG: A little bit? I mean, I think when I was in high school, I knew I wanted to do something in tech. I figured out that I should be a computer scientist when I was in high school. And I don't think I really put two and two together with the security stuff until I got to college because while I was in high school, security was a means to an end. Security was a way for me to play video games at school. It was a way for me to pull pranks on teachers. It was a way for me to have fun. It wasn't because I'm like, ‘oh, I want to be a security engineer.’ It wasn't until I got to college that I realized that this is a career path. And there's all kinds of different things I can specialize in. And there's a lot of other people who want to do the same thing. And it's not just a hobby fun-time activity where I can pull pranks on people. This is like a real 100% full time thing.

ML: That's really interesting. In my case, I think if something that you can turn into a career starts as something that's fun, that's a huge deal. As a writer, I never knew I'd be a writer when I was older, but I remember in seventh or eighth grade in English class I'd write stories and I'd make everybody in the class laugh. And I loved that. You know, it was just fun.

DG: You get a feedback loop.

ML: Yeah, exactly. It felt good. And it told me that it was something that I was good at and it came easily to me. So I think that's really fascinating when people have that innate ability that then later the light bulb goes off and they go, ‘oh God, I could do this as a career.’

DG: It's kind of the same way that successful products get made. You don't just sit down and think, well, what product am I going to make today? And then you end up building this abstract nonsense that helps nobody. And then on the other hand there's products at Trail of Bits, we have a static analyzer for Ethereum smart contracts called Slither. And where that came from is we were thinking, we've audited so many smart contracts and we just got so bored of finding the same bugs every time. Can't we just make something that finds these bugs we already know about? And then we ended up creating what is, I think, the industry's most authoritative static analysis toolkit for smart contracts.

Trail of Bits released publicly its findings on zero-knowledge proof vulnerabilities and other issues in December

DG: And we've had other opportunities. For instance, we have another project that we tried to kick up about six months ago where we said we should make a tool that finds cryptographic vulnerabilities.

DG: And we all sat down and said, okay, let's do it. And it became this like over engineered hulking monster that solved no problems. <laugh> Because it wasn't really solving a specific issue for us. Whereas now we're thinking about, okay, well, zero knowledge [proofs]. So we know we have a list of issues. We have like 30 issues that we know about that we've documented in this ZK docs repository, and we've got code samples for how to implement it correctly. Can we write a tool that finds them when they're implemented not correctly? So now it's a much more straight-line path of, well, if we just build this, then we won't have to do this later and it's much more productive.

ML: What years were you at Polytechnic in university?

DG: So I was there from 2003 to the end of 2008, actually maybe a little bit into 2009, but I got a four-year degree. I really should have gotten a master's because I was taking graduate courses when I was there. I had this rebellious streak and I really didn't like to pay attention to rules. So I obviously just skipped all the freshman requirements and went straight to graduate CS courses. <laugh> And then at the same time, I kept missing a semester here, a semester there because I kept having issues with Crohn's. So it took me about six years to get an undergrad degree. The very last class that I took ended up being freshman physics <laugh>. It was so bad and backwards. I would not recommend anyone do that.

ML: It took me six years to get my undergrad too, but that's because I was in Santa Barbara, California, and I didn't want to leave <laugh>.

DG: Yeah. I could see that. That's a beautiful area.

ML: So were you kind of right there with the Bitcoin white paper, if you're in computer science and it’s 2008, 2009. Was that something that was on your radar?

DG: I had no idea that was going on. <Laugh> I didn't know anything about that. I mean, I'm a security expert. So all I knew about back then was studying different exploit techniques that were coming out and I was watching the introduction, the very first version of [annual hacking competition] Pwn2Own. And I was looking at Metasploit changing from Perl to Ruby and becoming the dominant platform people used to write software exploits. And I was learning about new exploit mitigations that came out.

DG: Those are the kinds of things that interested me and I was not involved in cryptocurrency at all until specifically the DAO hack. That's when I realized that it was – it was a lightbulb that went off in a lot of people's minds in the security community of, wow, there are actual security issues in this code and they result in a direct financial loss and people are angry about it. This might be interesting for me to look at and that's what motivated people in Trail of Bits to start looking at it. And that's how we got started [in crypto].

DG: I dabbled in Bitcoin back in like 2013, but it was just dabble. I had some paper wallets and it was kind of a side show. I think I own like one Bitcoin.

ML: So Trail of Bits got started in 2012?

DG: Yes.

ML: Okay. So you're obviously doing security stuff, but it's not until 2016 when the DAO hack happens that crypto comes onto your radar. Tell me, how did you find out about the DAO?

DG: Well, so, Amber [Baldet, co-founder of Clovyr and former JPMorgan blockchain lead] had been whispering in my ear for at least a year up until that point. Like, ‘hey, this thing is real. You should take a look at cryptocurrency. You should take a look at Ethereum. You should look at Quorum. I'm getting paid to do this at JP Morgan. I think there's money involved. Like, try it, see what you think.’ And I kind of was like, ‘yeah, Amber, that sounds cool but I don't know anything about that. I'm really good at this other thing. I'm gonna stick with that.’ And then when the DAO hack happened, it was this confluence of factors where I remembered the things that she had told us. She also sent some people to go meet me at a meetup group that we run. So I started seeing people in person who were like, ‘hey, I'm here at the security meetup, the one Trail of Bits runs, and I want to know about security because I'm working in cryptocurrency.’

DG: So all three of these factors – Amber plus the people at the meetup plus the DAO hack happening were like, okay, that's enough stuff. I've been pushed off the edge of the cliff. I know that there's an opportunity here.

DG: I think that there's a couple different ways that we could have seized that opportunity. And the way that we did was like very Trail of Bits. It was, you know, we could have just gone out and hacked a bunch of smart contracts by hand. But instead we built a symbolic Ethereum virtual machine and used it to perform verification, to find bugs across the entire blockchain. <laugh> We just took it to an extreme that nobody else really would've expected.

ML: What I find fascinating about that, a lot of people were screaming that there were huge bugs in the DAO. Peter Vessenes had pointed out a few, he and [Emin] Gün [Sirer] had pointed out a few, he even called for a moratorium, but nobody got the actual bug that was the one that was used for the exploit until the hacker did it himself.

DG: Yeah. I mean, that's how it is. The techniques are usually incubated by the offense faster than they're incubated by the defense. Not to say that defense is a losing game. That was how I got my start in the industry was trying to prove that was a myth that attackers only need to win once, but defenders need to win all the time. Totally not the right approach to use. But it is true that the offensive community obviously has much more of an incentive to invest in developing offensive techniques. Therefore it comes as no surprise that they understood what re-entrancy was before anybody else was really talking about it.

DG: But yeah, we built this piece of technology that enabled us to foundationally improve and comprehensively evaluate the security of Ethereum, of smart contracts, on day one. And then from there, we started offering services on top of that, and that's where the Trail of Bits blockchain business came from. So now, fast forward and really Trail of Bits is about building foundational tools. It's about operating like a research lab. It's about sharing the knowledge that we have. So all of our tools are open source. We've also developed property testing tools. We've developed static analysis frameworks, we've built reverse engineering tools. We showed up on the scene and it was just nobody else had seen this sort of activity before. We took it much more seriously than I think a lot of the other – like you were saying – there were people complaining on Twitter about Ethereum smart contract security, but Trail of Bits got to work. And we actually built tools that changed the game in order to produce more secure smart contracts.

DG: I think a lot of people recognized that and it lifted the community up. And now a lot of people followed after us. They said, ‘oh, this is how you do it.’ So now you've got other blockchain security firms that are trying to replicate that approach or follow on from it in the years since.

“There’s going to be security haves and have-nots, and it’s going to extend not just from individual projects, but also to blockchains.”

ML: Was there something about Ethereum with smart contracts underpinning all that that appealed to you more or made more sense to you than Bitcoin, where the code is there, but it’s basically kind of static and it's just about moving something from A to B? Was the dynamism of Ethereum more appealing to you?

DG: Oh yeah, totally. I mean, the capabilities offered by Ethereum mean that there's also more capabilities to go wrong, right? <laugh> So that's much more fun for us to work with. The opportunity to maintain state on the blockchain opens a lot of doors for what kind of products you can create, but it also opens a lot of doors for the creativeness that you can kind of apply to aid in their security as well.

DG: We've worked on Bitcoin before as well, but like you said, it's kind of developing against a specification. It's a slow moving code base. And the level of complexity is lower and they have actually been highly studied as a code base, I'm honestly shocked that people haven't found more severe bugs inside of that layer one code base.

ML: You're talking about Bitcoin?

DG: Yeah. Bitcoin.

DG: We've reviewed the consensus algorithms that many different blockchains use. We're hired directly by foundations that sponsor blockchains, not just smart contracts. But I do think the kind of opportunity for our expertise to be used is much greater on smart contracts.

ML: Are you in this because, like you've said, there's going to be a lot more problems when there’s a lot more attack surface, I guess. And you're waiting for that business to roll in, or does the technology also impress you? Where do you come down on that? I’m not saying this very well, sorry. Are you just waiting around to fix all the crap? <laugh> Or do you think that this is going to be something that changes the world?

DG: No, no. So I don't ever want to find the same bug twice. That was the motivation behind creating a static analysis framework and a verification tool. And all these other things, because I'm in it for the intellectual challenge, I don't want to get bored and I get bored by finding the same bug multiple times. So I really want to make sure that every time we look at blockchain technology or smart contracts, that we're solving a new problem, and that means releasing foundational tools to the industry. That means helping address the fundamental root cause issues that produce those by people developing on them. So we're very communicative. We're very collaborative. We're engaged with people that are building the foundations. I want to make it harder for other people to build blockchain security companies.

DG: <laugh> I don't want there to be this massive industry of security experts that have to go down and track down every individual bug. That's a failure scenario. I want it to be very difficult to find these sorts of bugs and for only the best people to be able to. And I want those best people to be Trail of Bits, obviously.

DG: To be blunt, I am not in this because I think blockchain is going to change the world. It might, it might not, it's not my decision to make. I'm in this because it is an extraordinary intellectual challenge that enables us to apply our expertise in a way that is highly valued and helps lots of people. That's why I'm doing this. I'm a technologist, right? I'm not a gung-ho crypto guy.

ML: That period of the DAO in 2016 obviously ended in a bust, but we've come around and we're in like version 2.0, I guess of DAOs. Have you seen changes in the way people are approaching code and what's your experience been like to see, you know, Flamingo DAO or PleasrDAO some of these other ones come along five years later? It seems like they're popping up in all sorts of different areas, not just in the tech Ethereum world but for all sorts of different uses. What's that been like for you to see?

DG: Yeah. So a couple things happened in the meantime, obviously the whole ICO boom and bust happened, which was phenomenal in that we’re beyond it, because that was a whole bunch of people who were just out to scam individual investors and didn't really have the intention to build robust products that stood the test of time. So I was very lucky that we didn't have much exposure to that and managed to navigate and avoid many of those firms and only work with people who were much more interested in the technology, that were not there to make a buck, but there to build something cool. I am very glad we're beyond that because those people didn't really have an interest in security. What they had was an interest in telegraphing to the public that they were trustworthy and they wanted to buy my voice to say it, which obviously I kind of anticipated and side stepped.

DG: On the other hand, since then we've still got this bimodal distribution where there are security haves and security have-nots. There are lots of blockchain companies that have done extraordinary amounts of investment into their own security. They've done software verification. They have really detailed specifications and they have team members with a detailed understanding of security of what they need to do to build a successful product in this space.

DG: And then there's a lot of people who are kind of fly by night that like to ship code to production every day, who don't understand how to robustly test the software that they're building. And they don't have the expertise to even understand what they're missing. And those are the kinds of companies that you see get hacked all the time. On the other end of it, the people that have invested -- there are companies out there that have managed billions of dollars in value that have not suffered security issues and they kind of keep their heads down.

DG: Obviously you don’t want to paint a big target on your chest, but I think that that's what a lot of people reading the news about security miss, is that there are actually people doing extremely well. Now obviously there are people that are doing extremely well that still run into issues, but the point is that it is possible to do well, even in an environment that is filled with external threats.

DG: So that's what I'm seeing now. I think some other interesting things that have happened on the security front are there aren't really a lot of traditional security companies that have tried to provide services to the blockchain industry.

DG: And I think it's because of a couple of factors. One of the most important is that obviously there's just a lot of history to catch up on. You need to be really good at your job. When you're auditing regular software, it's okay if you miss a couple bugs. It's okay if you're trying to audit a web app; you can give them some improvements. And if they suffer some kind of issue, they can issue a patch and they can make some marketing communications and PR and spin it and move on from it.

DG: But it is actually really hard to do a good job on smart contracts in particular, because you need to have more advanced knowledge of things like automated program analysis and cryptography, which actually not a lot of security experts have.

DG: The orthodoxy in security was very much that in order to solve security, you need to build with the best tools like compilers and analyzers. And you need to have a language that prevents you from screwing up. A safe language, you need to be developing code in Java and not C. It needs to be memory safe. It needs to be type safe. There needs to be less potential for issues. On the other hand, what you've seen in the Ethereum space is that the languages – well, not just the Ethereum space, but really all smart contract languages in general – just have an extraordinary amount of sharp edges. You can shoot yourself in the foot so easily and not know it. They have reinvented every security issue that we eliminated from modern languages like Rust and Go and Swift. They've reinvented it in brand new languages against everyone's better advice.

DG: But in that reinvention, they're running on these blockchain platforms where they are amenable to analysis. The programs are small. Because they're simple to analyze these programs are inherently more testable. So you can take all the problems that you've got in terms of language design, compiler design, and you can fix them by testing them extraordinarily well. And that's really backwards to what most people in security understand, but we've managed to figure it out and really embody it as a way of performing services that I think other companies would find hard to navigate.

ML: Speaking of test nets, are you familiar with Andre Cronje?

DG: Yes.

ML: What do you think of his approach where he says, ‘I test in production.’ Is that sort of the yin to your yang?

DG: I think so. Yeah. He's phenomenally successful and I think that his products are satisfying their user's goals, but I don't think you need to leave it up to luck. I don't think you need to leave it up to chance. I think that you can still operate at the speed that he's operating and you can have the kind of fallbacks. You can have the safety measures. You can have the testing to back it up. ‘Hey, I think the code does this. Here's the proof.’ And right now, I'd see him as a challenge for me. It's not a problem that somebody like him has this approach and advocates it, it's that the tools that we have built are not easy enough to use yet that they can be adopted by somebody like Andre effectively, simply and quickly to match the kind of development approach you'd like to use. So that's, an opportunity for me.

"I test in prod" isn't meant to be a joke. It is supposed to make you cautious and encourage careful review of my work. "test" is still the keyword there. @fubuloubu articulates this better than I can. If you are a builder, please read. Also, @fubuloubu has great security insights https://t.co/qH30aCxWx3

— Andre Cronje 👻🐸 (@AndreCronjeTech) August 17, 2020

ML: Are you always trying to help a company or a startup before they launch or have you ever gone on the chase? Like when something's been hacked and somebody comes to you and says, ‘Hey, we need your help to go find out who did this right now.’ Do you have any favorite stories about anything like that?

DG: So we really try to avoid operational responsibilities for products. We're the big brains that you want to use to think really hard about software while you're building it. So we do a lot of stuff on the design phase. We do a lot of work on stuff that's on paper. We'll help people write specifications. We'll help them simplify the architecture that they've chosen to use. We'll help them build tools around the development process and figure out how to monitor it. So all that stuff is where we fit in best. But once you launch into production, you can't depend on an external company to do that monitoring for you. It is your core business to understand your product and be able to manage it. And if you depend on somebody else for that, you are not doing your job.

DG: We always want to make sure that we're building capacity at our clients instead of building dependency. I don't want any of them to depend on me for anything.

DG: One thing we didn't get into is I was actually a faculty member at NYU for seven years after I graduated. I taught night classes and <laugh> my dad, while he's a gym teacher, not like a math teacher, I still have a lot of that spirit of education in my blood.

ML: I noticed you called yourself the Hacker in Residence there [at NYU].

DG: That's right. <laugh> Yeah that was kind of a recognition that I had stuck around the lab for so long at Polytechnic that they came up with that title to give me because they're like, ‘you're doing a whole lot of stuff way outside the domain of just teaching the class now.’

DG: So they invented that title for me. And since then they've given it to other people. But yeah. So what Trail of Bits is about is we are trying to build capacity for security at our clients, improve their security and maturity so that they're able to trust themselves more as time goes on. You know, I can tell you that on projects that we work on we will never not find a high severity bug. There is just an untold number of extremely severe hacks and bugs that could have happened if that product had gone to production, if they had not worked with us. And that's just a matter of routine, but we explicitly try to avoid stuff where we're operationally responsible for monitoring something or helping people track down issues in production. The biggest example is the zero knowledge thing that we did last month.

DG: We've been reviewing nothing but these threshold signature systems for cryptocurrency, for blockchain software, for a while now. We have a dedicated team of cryptographers that does nothing but cryptography. And that's one area that we've worked in. And we noticed that there were some systematic failures that were present across the entire ecosystem.

DG: So after discovering one of those systematic failures, we did a comprehensive evaluation of everybody. So it started with Binance’s code, but then we worked down the list and I think there were about 10 other companies where we found the exact same issue present in all our code. We did a big, massive vulnerability release the second week of December. But then obviously in Trail of Bits style we're not going to just report a bug. So we also release that ZK docs repository and code samples and pretty soon a vulnerability finder.

ML: It's the open source ethos that you've had with everything else that you're doing.

DG: We want to build a continuous improvement cycle. I don't want to just like scream out into the void and fix one bug. There's just too many bugs to do that.

ML: What is the state of the smart contract in your opinion right now? You've been looking at these for six years or so. Are things getting better or worse? People seem to be flooding into the space, like you've said, some people take security seriously, some don't. What's the trajectory in your opinion right now?

DG: I think the status quo is probably going to remain for a while. There's going to be security haves and have-nots, and it's going to extend not just from individual projects, but also to blockchains. I see a lot of blockchains launching where they're building a developer community and they're forgetting to include security. And as a result, it will honestly sabotage every project built on top of that blockchain.

ML: How do you forget that?

DG: It's not really like a forgotten thing, it's just hard to acquire, and somebody needs to focus on it and build it. Security engineers just won't magically show up, you have to bring them to the table.

DG: So I definitely see that in the next two years, there's a lot of like Ethereum killers or whatever that are coming out, that all purport to offer faster consensus and all these other extra features. And I think that people are kind of competing on execution speed. They're trying to figure out transaction finality, how quickly can I execute code on my blockchain? What they really should be competing on is how often will smart contracts on my blockchain explode unintentionally. And it's tougher to measure. It's squishy, but it's just as important. So we're lucky that we have a couple of blockchains and smart contract ecosystems that we're firmly embedded into.

ML: Has there been a project that you can think of that you're proudest of? Where you found something beforehand that was just going to be absolute, total misery had it gotten through <laugh>?

DG: I think there's a lot, let me scroll through the list here. I mean, I don't want to put anybody on the spot either. I think what I'm really proud of is actually the work we have done on blockchain software outside the blockchain industry. That's another really interesting thing that Trail of Bits has that I don't think other people do. We are getting paid by the government to work on blockchain software. And we're getting paid by large institutions that are in finance, that are in technology, to work on blockchain software and help them evaluate the risk of it. To help them mitigate the risk of it and to help them build security enhancements.

DG: That's something that a lot of the other blockchain security firms – they're what I call like ‘blockchain native.’ They don't exist outside the blockchain industry. So they don't have the opportunity to work on projects like that.

ML: Do you see those other industries like government or finance, do you think blockchain is going to have an application there in some shape or form?

DG: I think it's something that they have to reckon with. I think that a lot of retailers now have to reckon with the fact that a lot of people have a lot of cryptocurrency that they're possibly willing to spend. And the nonprofit space has to reckon with the fact that there are a lot of people that are willing to donate money in cryptocurrency and the government and national security and law enforcement needs to reckon with the fact that lots of crime happens facilitated by cryptocurrency. And not only that, but national security threats. North Korea and Russia use cryptocurrency to achieve the end goals of their states. So it's not something you can ignore. Whatever distaste or love for the field that you've got, it's there and it's not going away.

DG: So that's why I'm glad to be here and glad to be an expert in the space that offers a sober opinion on it. I don't want to be a guy who's just like, ‘yeah, it's going to change the world. And it's gonna totally restructure entire industries.’ I'm very sober about it. I'm just here to be the security expert. I'm here because I find it fun and challenging.

ML: That's amazing, Dan. Thank you so much for this. It's been fascinating talking to you. And it's great to have your sober perspective when there's so many people who are saying the dollar's going to go away and Wall Street is going to crumble and all hail Bitcoin. It gets to be a lot to deal with. So again, thank you. It's been fascinating. I'm going to ask you, is there somebody that you respect or somebody who you think you'd like to hear more from that I could try to talk to for this kind of interview?

DG: That’s a good question. I don't know. I'd have to think. I mean, usually I would've said Amber <laugh>.

ML: Yeah, check.

DG: If I do think of somebody I'll send you an email.

ML: We can definitely do that.

[Ed note]: Dan later emailed to suggest I speak with Rick Dudley, so I’ll reach out to him.