
Okay, good morning folks. The really worthy title we'll get to in a little bit. For the most part I want to start by saying thanks and sorry. Thanks mainly because it's early in the morning, and normally I try to avoid keynotes because they're not as meaty, and there's an old person either trying to sell you stuff or trying to give you advice that's slightly outdated. So yeah, thanks, thanks a lot for coming. I've seen lots of talks in my time, seen a few keynotes, and most of them pretty routinely were garbage. So I'm setting a low bar; someone before the talk told me the secret to life is to set a low bar. So most keynotes are generally garbage, and part of the reason, and we're talking about it like it's a quirk, is that you start getting invited for keynotes when you're old enough that what you do no longer matters as much. So you kind of make sure that the person keynoting just doesn't have the right amount of experience for you. But there's that old sunscreen song that says giving advice is a form of nostalgia, so the person giving it to you thinks more of it, and it's kind of on all of you to take it. So thanks.

And I want to say sorry, because you'll already have noticed I say a lot, and sometimes I repeat myself. Repeating myself mainly I mean, if you've ever watched one of my other talks or ever heard parts of it, there's some things that I say a lot, some topics that we talk about a lot, and it's not just because we're lazy. In part it's because it's the stuff we believe in, and so that doesn't change too much from day to day and we end up talking about it a fair bit. The other thing is that I use a lot of quotes in my talk, and mainly that's because I'm lazy, and quoting other people just means that you don't have to actually think for yourself. The last thing I want to say sorry for upfront is that some of it will sting, and mainly some of it will sting because in part that's what the morning talk is for: other people will give you actual practical stuff that you can verify; I'm gonna give you hand-wavy stuff that you can't hold me to. But almost every time I've gotten useful advice from someone it did sting a little, because you wouldn't have been doing it the wrong way if you didn't think it was right, and when somebody nudges you, it stings.

And so I guess the first quote that I'll use, or the first URL that I'll refer to, is: if you get one of those things that sting, give it five minutes. This was actually a blog post that Jason Fried from 37signals had put out a while back, and he's got this really interesting story where he went to a talk that someone gave, someone said something that he felt was egregiously wrong, and after the talk he goes, during Q&A, and immediately pounces on the guy: you said this, and this is why you're wrong, and you didn't think about that. And he says the speaker looked at him and said, man, give it five minutes. Let it settle. And he's got this whole post about it that's worth reading, but he says look, the speaker has spent time thinking about it, he spent time putting this thing together, and what he was doing was instantly reacting to it and instantly figuring out why the guy was wrong. And sometimes it's worth just giving it five minutes, just to think about it. If nothing else, it gives me a chance to leave the room.

I guess one of the things, a perfectly reasonable question, is why you should bother listening to me. There's no very good answer to that. For the most part I've been really lucky in my career, so I got to play in a bunch of different spaces. Spent a bunch of time with the other two old guys in front hacking on stuff in the early 2000s; we broke into things all over. I spent a small stint CISO-ing, and now we've got a company that builds security software. And for the most part the only reason that applies here is because I've been lucky enough to be a part of doing research that played internationally, or building products that sell internationally. And if not just from my experience, I've got to see people I worked with, and so you can tell, or you get to tell, here's the sort of person who does work that becomes first class research, or here's someone who builds a product that has legs. And for the most part that's my early appeal to authority that says I've worked with some of these people and I can kind of tell the difference, and this is what I've noticed.

So what's the talk about? You should be really afraid, because we're five minutes in and I'm just getting to that now, but that's the point of the keynote and I'll ramble a little bit. For the most part I'm going to share some links, so even if my talk is complete garbage you get some links that you should take away and read. And what I want to talk about is why so few cyber security products make it from South Africa into the world. So Intersect is one of them and that's cool; that's my plug for the sponsors, there you go. But there's still shockingly few of them. And if you take security research, some of our stuff has made it to the world stage, but not a lot. And there's lots of us, and cyber security is not that new in South Africa; we've got people who've been doing it for decades now, and the numbers are still surprisingly low. And the question is why.

I'll start with why we don't make great software or great software companies. And one of the things that should be obvious is, if you're a student graduating from our universities today, you're in the same position as a student graduating from MIT or Caltech. We've got the same internet, the same laptops, we're building on the same AWS, we've got access to the same open courseware. People leave MIT and want to start Google and Facebook, and people leave our universities and want to work at one of the big audit houses. That thing just puts us on a different trajectory, where our best want to work at a company; at best they end up at a bank doing Java web interfaces. And so part of the question is why. And the moment you ask this question, again I think it's just one of those things that's empirically true, right: we don't have that many software companies. And there are other products that need lots of investment, but software doesn't, which is interesting, because if this topic ever comes up one of the first things people go to is that South Africa doesn't have great software companies because we lack a good VC ecosystem. And I've got strong thoughts about venture capital and why most of it is pretty terrible for the security industry, but even if you look historically you'll see lots of great companies didn't do huge amounts of VC raises: Apple at 3 million, MailChimp raised nothing and they're currently worth billions. So venture capital on its own is not the reason why we are or aren't making great software.

And the answer is almost tautological: we don't make software because we don't make software. It's just not something we get used to doing. And what you'll see, and I've been ranting about this for many years, is that in South Africa we end up becoming a nation of consumers. By default we think that software is there for us to use, we use these big companies, it's just not something that we put together. And what's worse about it is it's not just that we end up thinking that we can't do it; we start to think that all the people around us can't do it. And it's interesting. I know Intersect and we've worked with them from way back, but I can tell you as a local software company, even at the previous security company that we had, most of our customers by far were international. When we built Canary we didn't sell much of it locally at all; we did no local sales, we sold internationally, and then some local customers happened to come along, like the big banks and the large financials. And in part it's because locally people judge local software differently to how internationally they judge software.

One of the joys of Silicon Valley is the way they've embraced failure, okay? Walk down any street in Silicon Valley and you'll find their coffee shop is trying out a new access control method, a new way for people to try paying for their coffees, and you'll see lots of terrible, terrible products, right? Like if you remember Twitter and how it sucked in its early days. And the difference is, if something like that comes out from a South African company, lots of us will be the first to tear that product down and talk about how junk it is, okay? And the truth is all software is junk. If you look at reports of software on early Teslas, people were literally SSHing into devices and controlling onboard computers, and when this whole kerfuffle happened a very famous security dude, Mudge, who's even older than the guys in the front here, stood up and said look, that's how software happens. It's messy, and that's what happens. And in South Africa we kind of lack compassion for our people building that kind of software; we tear down very quickly, and in the end what it means is that nobody here does it; instead we just use the international stuff. And for this you can get all biblical, because that talks about no prophet being accepted in his hometown, but it's a little bit more than that. When it comes to local software there's a genuine feeling that locals can't do it, with all evidence to the contrary. But the worst part is it creates this horrible loop, right, where our best then leave because they can't build software here, and then what you're left with is people who can't build software, and then when they try building software it's terrible, and you get to say look, the software is terrible, why should we pay for that?

And one of the solutions for it is just that we need to build more stuff; we need to get used to people building more stuff. For those of you who remember FTP, you slightly date yourself, but everyone who was using FTP for a while was using wu-ftpd, and WU was literally Washington University FTP. And if you wanted to practice on a memory corruption bug class you could just do it on wu-ftpd, because chances are they made that mistake, with lots and lots of people who all went to that university and cut their teeth on that software and learned how to actually ship real software. And if I had to ask you what software South African universities have shipped in the last few years, I don't know about you, but I'd be hard-pressed to answer anything. And again, with all of the stuff you see, there's this cycle. You see the universities and government have a part to play; government needs to give projects like this to fledgling software companies. If you look historically you'll see young Oracle cut its teeth building databases for the government; that's how that stuff happened. But nobody in this room controls that, and so for the most part I think what the people in this room need to get used to is being less judgmental. Now I'm not saying this so that we can start having sucky software products; I'm saying it so that we can start having software products, and with iteration, software products that suck today will hopefully suck a little less and eventually start getting better. But if nothing else you should watch Ratatouille just for Anton Ego's speech: the new needs friends. Unless you're dealing with cryptocurrencies, in which case they need no friends and it should all be burnt to the ground.

So that's my riff on building products, and let's talk about software security research, and it's probably gonna sting slightly more for everyone in this room. Just for a show of hands, how many of you here identify as security researchers, whether it's part-time or something you want to do? Okay, there's a few.

So the second question here, that I mentioned at the beginning, is just: why is South Africa's security research output so small? And you could say that we're a small country that's isolated, but if you look historically you'll see other small countries. You'll see great stuff from Argentina; the Argentinians have been doing memory corruption exploits that have surprised the world since the early 2000s. If you look at Poland, they had the LSD team, they had Joanna Rutkowska; they're heavily represented in the world. You look at the Australians, you look at the Kiwis; lots of small places have produced lots of great security research on the world stage, but South Africa hasn't. And the question that we have to ask is why. Why don't we? And you don't end up with too many answers other than us. For other things you can blame ecosystems and you can blame lots of stuff, but for security research stuff, at this point it's just us; there's no great limitations that stop us. We're not doing it because we're not doing it.

And again, because the topic becomes harsh to read, I'm mostly going to cheat and refer to this paper that I've often quoted. If any of you have not read Richard Hamming's You and Your Research, it's awesome. I wish I was you, because reading it for the first time is mind-blowing, and it's so good that you should periodically read it again whenever you can. This was actually a talk Richard Hamming gave to a bunch of scientists, and he was talking to them about what makes the difference between scientists who do great work, he calls it first class work, and scientists who don't. And the paper is amazingly good; he goes through a whole bunch of things: motivation, work-life balance, how to succeed after you've become a success. So it's totally worth it; if nothing else comes out of this talk, you should go read this paper and it'll still be totally worth it.

And one of the things that Hamming starts with in the paper is, he says look, you've got to start by admitting to yourself that you want to do great work, that you want to do first class research. And this was already in the 80s, but he talks about how already people kind of shy away from saying they want to do that; people are slightly embarrassed to say, you know, actually I want to present at Black Hat. And there's no reason to be ashamed of it, right? A few years ago I worked with Dominic from SensePost, and very early on we were talking, and he was slightly embarrassed to say that he enjoyed the rush he gets talking at a public conference, and that's nothing to be embarrassed by. People like being recognized by their peers, and one of the things is just to admit that that's what you want, and then you work for that thing. There's nothing wrong with wanting really smart people to think that you're smart; wanting to speak at Black Hat is cool. It's changed the trajectory of lots of people's careers, and as a starting point just saying, yep, I want to do this stuff, is important.

But then Hamming gets, again in the first few paragraphs, to a really tricky thing where he turns around and says, how did I do this study? What made me do the study about what makes great scientists? And for him, he worked on the Manhattan Project, and he talks about how he's there with Hans Bethe, with Fermi, with Feynman, and he says, I was there to fix computers and I saw that I was a stooge. And of course he's being self-deprecating; he's invited to work on the Manhattan Project. But it is interesting, because almost all the goodness that comes out of his paper comes from this sort of self-awareness that says there is great stuff happening, there are people doing this amazing work, but I'm not.

And for one of those particularly stinging things, I'll tell you that in my experience South Africans have a super unusual trait. We joke about it sometimes with some of the other researchers that I know, but if you talk to the average South African IT manager, he'll have really good advice for you on how Steve Jobs should have run Apple or how Elon Musk should run Twitter, and deep in his bones, or her bones, he's convinced that that's the way that should go. And you see the same for research, where you talk to lots of people who've never published research internationally but are super convinced the only reason is because they just didn't get around to it yet. And instead of taking stock and going, no, actually I want to do that thing, that thing is really hard to do, I'm going to put in the work to do that thing, instead it lives in this kind of vacuous space that goes, I could do that if I had the time, or I could do that if my organization was different. And in a way this lack of self-awareness is almost the opposite of what you see in the Hamming case. It's this question that says how do you rank your output, or how do you rank your research, which is something that modern culture kind of frowns upon; you're not supposed to be that competitive, you're not supposed to look at yourself that way. But Hamming makes it clear that if you want to do first class work, what you have to do is what they do: what are the trade-offs they're making in their life? And again, it's something that it's really easy to fool yourself with, okay? It's one of those things where every part of your mind wants to convince you that actually you are Halvar Flake, you just didn't do maths in matric, and if only you did maths instead of doing what you did, you'd be Halvar too, okay? But anyone who's worked with Halvar knows that he's been totally dedicated to his craft for 20 years, and the reason he's Halvar is because of that, and the reason I'm not is because I'm not.

So Hamming starts and goes, okay, you've got to do this. And then he talks about luck, so on this topic of how much does luck play a part in whether you do great work or not, and I'll come back to this in a little bit. But to this question that says, if you deep down believe that you are a quality researcher, one of the questions you should be asking yourself is just why you haven't published good research yet. And again, you always have really good reasons for it, okay? There's always stuff, and inside you know you're capable of it, but you just haven't. And again it ties in to the earlier topic that says we start getting really comfortable just consuming security research. A few years ago, more than a few years ago now because we're old, we started ZaCon in Gauteng, and we had this huge fight-slash-discussion on whether we should do badge hacking or any of the other conference entertainment stuff that happens around security conferences. And I was totally against it, and I was horribly overruled, and I still think I was right. But for the most part you see even security conferences today very quickly veer down towards entertainment: you go to the conference, you add some LEDs to a badge, you learn how to become a DJ, you do stuff like that, okay? And I didn't want it for ZaCon because I felt it was disrespectful to the speakers. Somebody worked months to put a talk together, and instead of listening to the speaker you're now sitting there trying to put LEDs on. And I buy the argument that for some people it introduces them to electronics, but you start to see everything push us towards pure consumerism, and even conferences become like that, where it's actually a quick shot of work: people go in, they attend it, they had a nice time and they go home. And yeah, it's one of those things that you're just gonna have to change if you want to do quality research. And whenever you ask why they haven't done research, you'll start to see people say they didn't have the time, they didn't have org support