Podcasts

Things That Scare Us

W. Curtis Preston, Chief Technology Evangelist

In honor of Halloween, we recorded an episode where we talk about the things in technology that scare us. (We know it’s a little late, but we recorded it in October.) Both Stephen and Curtis talk about one thing that keeps them up at night. Spoiler alert: they’re backup-related. Both of them are about things that people believe or think that don’t match reality, or a reality that’s scary that many don’t seem to acknowledge. As usual, you learn a few things while having fun.

[00:00:00] W. Curtis Preston:

This week on No hardware Required. We’re talking about things that scare us with me, as always, as my co-host, Steven Manley. Thanks for joining.

Hi, and welcome to Druva’s No hardware required. I’m your host, w Curtis Preston, aka mr. Backup, and I have with me the scariest person I could pull up for Halloween. Stephen Manley, our cto. How’s it going, Stephen?

[00:00:25] Stephen Manley: It’s good. I’ve, uh, I’ve just been burying bodies in my backyard, so I, but it’s Halloween. It’s important that it’s realistic. People can see through the fakes, so you, you gotta find some real bodies.

[00:00:38] W. Curtis Preston: Have you seen the one that’s the, that’s the takeoff of the, um, uh, stranger things are, are, are you up to date on the

[00:00:47] Stephen Manley: I, I, I’m, I’m, I think I’m only through season three on Stranger Things,

[00:00:51] W. Curtis Preston: Well, there’s a, there’s a moment in the, in the current Stranger things where one of the characters is like up in midair, like. Like 10 feet in the air like this, and they’re like being held up by a mysterious power somewhere out there. There was a guy that did that, like had a very realistic person and he used like fishing line and stuff, so that it, it really looked like a person was suspended in midair and his neighborhood was so inundated with traffic that they, they made them take it down. Sometimes things are just too good.

[00:01:26] Stephen Manley: Yep. Yep.

[00:01:28] W. Curtis Preston: But, uh, so, so I, I, I thought, you know, in honor of this, you know, lovely all Hallows Eve that we would talk about things that scare us. I mean, let’s face it, we’re, we’re in an industry that is basically a fear-based industry. I, I remember somebody giving a, a critique. Of backup.

He’s like, I, I wish that backup companies wouldn’t be so fear driven in their, um, in their marketing. And I’m like, But what else would we do? We would, would, it would be like, you know, you should buy backup because we’re fun.

[00:02:07] Stephen Manley: That was, that was exactly where I was going. I’ve not met anyone who said, This is just so great. I just love doing this. This is, you do it cuz you have to and

[00:02:17] W. Curtis Preston: I

[00:02:18] Stephen Manley: it cuz you’re

[00:02:19] W. Curtis Preston: like, I, I do this because people have to. Right. Um, and I mean, it’s, it’s like, it’s like life insurance. No, no one’s ever met a fun life insurance salesman, right? Um, you know, you buy life insurance because at some point, you know, there are two things that are certain, right? Death is one of them.

And, uh, and even when you die, the other one is still certain, right? Um, but I, I thought we’d talk about the things that scare us. Um, and because so many , so many things scare us, and, and I thought I’d let you thought, I’d let you go first.

[00:03:00] Stephen Manley: All right, so, so, so I know you probably everybody sitting there thinking, well, okay, this is a podcast, it’s Druva, it’s data protection, and clearly I’m gonna say ransomware, but I’m not gonna say ransomware. Just too obvious, right? So, so now if you,

[00:03:18] W. Curtis Preston: say that, but now I can’t.

[00:03:20] Stephen Manley: see this is exact, I’m poisoning the well for you as well.

So for me, it, it, it’s this, the number of customers I’ve met now in the last three months that when I bring up, is your Microsoft 365 protected? Is your Salesforce protected or, or your cloud applications protected? And they kind of go, well, well no, that’s just built in, right? And you say, Nope, Nope. Thought, thought we’d sort of established that you’re responsible, shared responsibility model.

And they just go, Alright, I gotta go make some quick phone calls to, to figure out what we’re gonna do. So this scares me a lot because so many people just think, Oh, it’s in the cloud, it’s in a SaaS app, right? It’s all taken care of. And the answer is no.

[00:04:04] W. Curtis Preston: Yeah. And, and the thing is, it’s not like, I mean, again, there are, there are those who disagree with us. There are those who are, who, who, who are intelligent people, technical people. And they’re, they tend to be, of the Microsoft 365 ilk., I don’t typically hear this about three, about Salesforce. I don’t typically hear this about Google Workspace, but I do hear it in the Microsoft 365 world, and I think it’s because 365 has a number of.

Backup like features. They, they, they mimic backup. They use words like restore, but it’s not a restore. Right. I talk about that a lot where I say, Look, it’s really just a fancy database. When you delete something, you’re not actually deleting it. You’re just setting a flag on that database record. And when you restore it, you’re just bringing it back, right?

You’re not actually restoring it. Uh, you’re just unsetting a flag. And, um, I, I know that there are even, um, That there are even additional features like retention policies that again, 365 advocates are like, Look, if you just properly use 365 policies, you don’t really need backup. And, and the thing is, Microsoft doesn’t say that that retention policies are backup.

Right? They’re like, this is, this is not a back. It’s really about e e discovery is what retention policies are about. Um, and. Then the thing is that for each one of these platforms, right, so 365 Salesforce, Google Workspace, and I’m gonna say aws, I have a story. That goes, that is from each of those platforms of what happens when things go wrong.

And in the 365 case, uh, I dunno if you remember the KPMG story, where somebody, um, they, they, uh, deleted the. By using retention policies, by the way, the feature that these other guys

[00:05:58] Stephen Manley: to preserve the data.

[00:06:00] W. Curtis Preston: Yeah. Actually ended up deleting all the data. They deleted 140,000 employees, private chats like that, and no, there was no backup.

Right. Um, so it’s like, Yes, there are some things that that can, that can mimic backup if, if used properly. Mind you, The man page for, by the way, that shows my age and, and

[00:06:25] Stephen Manley: you went man, page, that’s pretty good.

[00:06:27] W. Curtis Preston: page. The man page for, um, retention policies, 27 pages long, right? Um, like just, just this one feature.

[00:06:37] Stephen Manley: Right.

[00:06:37] W. Curtis Preston: Um, so if used properly, it can do things that mimic backup, but you know, if, there’s also the thing that I’m worried about , right? I, I have the same fear that you have. It’s like, I just worry that there will be, because it, it will happen, right? It, it, it might not be you statistically speaking. It might not be you.

It also might be you, right? And when that happens, it will be what we call an rpe. You’re familiar with that?

[00:07:07] Stephen Manley: A resume producing event.

[00:07:09] W. Curtis Preston: Exactly. Exactly.

[00:07:11] Stephen Manley: I think, I think the other thing that. You know, and, and I’ve had this conversation a lot with people, is you get, let’s call it old guard versus, versus young guard. And, and I used to be the young guard, right? So back when, again, filers came out and snapshots, and I was, I was sitting there on the other side of you saying, Oh, you don’t need backups.

You got snapshots and replication, and oh, Curtis, you’re a dinosaur. Um,

[00:07:39] W. Curtis Preston: I, and I was a am

[00:07:41] Stephen Manley: Mind you, That was 20 years ago. But it’s, it’s a lot of that same conversation where, like you said, snapshots are enormously useful and these retention policies and all the things that Microsoft and AWS and Google do, they are enormously useful.

We’re not saying they aren’t a key part of your data management policy and even potentially some of your recovery policy. But there are problems they don’t solve. And, and so, so I think, you know, we’re, we’re fated to see the next generation make the same mistakes we did, which is no, no, I don’t need anything else.

And then the bad things will happen and we’ll come back and we’ll say, you know, I said the same thing 20 years ago about snapshots and then a whole bunch of systems, uh, you know, went bad because one bad software update affected your primary and your secondary copy and suddenly you really wished you had a copy somewhere else.

[00:08:31] W. Curtis Preston: Yeah, that’s the thing. It’s like, so, um, are we in a different world where Microsoft 365 is programmed by ai, right? Like it is still programmed by humans, Right? Which means it still has issues and, um, the, and there are people that are directly attacking that. So, yeah, that I completely, I think of all the things that I worry about this idea of, cuz you know, if somebody says, Curtis, you know, what, should we back up? My answer is all the things. Right? Um, I’ve never met a storage system that didn’t need some kind of backup. And, and, and let me be specific here, right? That, you know, the most basic definition of a backup is a 3 21 rule.

And, and, and the 365 Salesforce, et cetera. Doesn’t meet that definition. It’s not another copy of the data in another location. It’s not, it’s not even a copy. It’s just, uh, Yeah. So, yeah. So I’m with you. Um, but, but, but I’m gonna have to say, if I think about me and I think about the stuff that is freaking me out these days.

I’m not gonna say ransomware specifically, but I’m gonna. Those bad people out there that are coming for your backups. Right. Um, you know, I remember to, to my memory, it was 2014 that I remember seeing sort of the first vestiges of ransomware and that ransomware was easy peasy. Right. It was like I just, and I remember.

Everybody backs up everything, right? Like everything in a corporate world, like, yes, this is gonna affect my dad who doesn’t back up his computer. And it turned out, by the way, it turned out to affect my dad’s. Business partner who ended up, uh, paying $500. Those were the good old days, Paid $500 to get his business back cuz he happened to have his business on his personal computer.

That, that got,

[00:10:42] Stephen Manley: right.

[00:10:43] W. Curtis Preston: you know, hit with ransomware. That that’s, that’s the good old days that all you need is a decent backup. Now it’s not, The thing is, it’s not just ransomware, it’s targeted and we can sort of tie this to the other. It is targeted attacks on systems that are specifically designed for those types of systems.

Right there, there was an article just a week or two ago about. How they’ve figured out how to target 365, right? How that basically they know how to log in, they know how to reduce the number of versions to two, right or to one, and then just change the file twice and boom, you don’t have any more backup, right?

Um, and yes, retention policies can kind of help with that, but you know, you know what, the percentage of Microsoft employees are Microsoft customers that use retention policies. It’s. 5%. Like it’s, it’s really

small.

[00:11:40] Stephen Manley: if it’s a 27 page man page,

[00:11:42] W. Curtis Preston: Yeah, Exactly. Exactly. It’s

[00:11:45] Stephen Manley: to set up.

[00:11:46] W. Curtis Preston: Yeah. And, and, and it comes with a cost, right? It’s not like, it doesn’t cost to use it per se, but it can increase your storage cost, which increase your cost.

But anyway, um, so, but, but the, the ones that really, as a person who has spent my whole career, You know, since I got out of the Navy, which was in 93, you know, dedicated to making sure that all the things were backed up, the idea that the bulk of the world is using. . Um, like if we look at our competitors, right, without naming any of them, I can think of two very big competitors, one of which would be like a really big competitor that keeps ending up in the upper right hand corner of, you know, that report, right?

They’re based on a Windows based operating system. And then you have that other company also based on a Windows based operating system. I was never a fan of that. Right. I remember actually when I was, before I came to Druva, which coming up next week by the way, will be five years. Um, well I should say this week based on when this will go live.

Um, That I remember going around and I remember talking to one of these companies and, and at this point I was just an independent, you know, backup expert. And they were like, Well, what do you think about our cert, our current position in the marketplace? And I was like, You need to start supporting something other than Windows.

This is going to be a problem with you. And I think I was a pretty good prophet. Depending on which company we’re talking about, right? There was an article just the other day that talked about, wasn’t it Seven Windows vulnerabilities that you can use them to target that particular backup vendor.

Um, and I’m like, Hello? I, I told you this five years ago.

[00:13:43] Stephen Manley: Yeah.

[00:13:43] W. Curtis Preston: talked to some of the people over there. I have good friends that work over there and they know it, right? Um, they know they have to address this issue, but it’s, it is a big ship to turn. Um, you know, I used to be on an aircraft carrier. It’s a one mile turning radius.

It’s a, it’s a little bit, it’s a little bit like that, and if you turn tighter than that, you know, all the planes fall off and that’s, that’s a bad day.

[00:14:05] Stephen Manley: does it, Does it really? I assume it’s too big to capsize, but uh,

[00:14:10] W. Curtis Preston: Yeah, it wouldn’t capsize, but it would be a really rough day, uh, for anybody topside, I would say. And all the planes are tied down, but, you know, whatever, um, what could possibly go wrong, but, um, the, yeah, it’s, it’s a bit, but that’s what, to go back to the question, that’s what has me laying awake at night is these companies that are specifically targeting these well known, well used backup systems that are just sitting there, and some of them have responded, actually, I think the two companies that I’m talking about have responded with. Um, Linux-based storage systems that you can put your backups on. They also support backing up to the cloud and using object lock. That’s all great.

But I recently learned, and again, this is all because these companies, Are targeting them. I recently learned that because their encryption is based on the har, it’s based on the, I, I forgot what it’s called in windows, but it’s based on like a key that essentially is, is unique to that machine. I think that, I think that’s what it’s called, a machine key.

And that, um, so they encrypt like the usernames and passwords for the admins using the machine key. And then, um, you know, store that on the machine. And so long story short, you can Google this company , how to hack this company’s database. And you can get in and easily download the database. It’s a SQL Server database.

Download the database, use the machine key to decrypt said database, and now whether you’re using a Linux box or a, or a, you know, whatever you can restore. And exfiltrate those backups and then use them for the second, You know, I talked about 2014 easy peasy backup stuff. This is about exfiltrating data because backups can’t, um, can’t help if your data’s been exfiltrated.

But the problem here is the backup system is being used as exfiltration. And I just think, I just think there’s so many people that just don’t understand how much danger they’re in. And yes, I understand that we sell a solution to this problem and everybody’s gonna think, Well, I’m just, I’ll tell you what, tell me, tell me I’m wrong.

You know, I’m, I’m the, I’m the, the guy on the table, you know, the meme with the guy on the table with the, the, you know, change my mind.

[00:16:38] Stephen Manley: Yeah. I, I, you know, I think, I think the biggest thing that people don’t understand right now is, is. How, even when we see the numbers, right, um, you know, you see numbers, there’s a ransomware attack every two seconds, et cetera, et cetera. So, so when I was in London, um, you know, we, we were doing an event and I just ran the numbers right, in terms of the, per the, sort of, the percentage of the world’s companies in London, et cetera, et cetera.

And it, and it, it makes it a little more real when you go, like that day a thousand companies in London would’ve been hit with ransomware. A thousand that’s in one city. Right. And I get, London’s a big city, but that’s one city. So, so, so I think people don’t understand how overwhelming this thread is. And, and, and to your point, you think, wow, who’s, who’s taken the time to go crack these, these 10 different backup software?

Tell me, everyone is taking the time to, to figure out how to do it because there’s so much money in it, and, and so, so that’s, that’s the piece I think as, as big and scary as we say, ransomware is, it’s bigger and scarier than what you’re thinking right now because it is so ubiquitous and it continues to expand because it’s paying off.

The bad guys see that it pays off. And, and the other point Curtis made is, and sometimes it’s not about the money, right? These state sponsored attacks are just about creating chaos and creating pain. And so you look at the environment we’re in right now, and, and again, I get it, every backup vendor, every security veteran, ransomware, ransomware, ransomware.

But it’s worse than what you think. It’s just worse.

[00:18:18] W. Curtis Preston: Yeah. So these are the things that scare us, . So I, I know you didn’t mention it, but see mine is really scary.

[00:18:25] Stephen Manley: Oh it is.

[00:18:26] W. Curtis Preston: like, if you’re not scared, if you’ve got a blase attitude about this, I don’t, I don’t know what to say, you know?

Um,

[00:18:35] Stephen Manley: Well see. And what I’d say is then you combine yours with mine and boom, there it is. A bit of a perfect no,

[00:18:42] W. Curtis Preston: Yeah. So they, Yeah, they are directly targeting, Yeah, they’re directly targeting 365 for sure. And you’re like, Oh, I don’t, I don’t need to back up. I’m good.

[00:18:51] Stephen Manley: Yeah, it’s,

[00:18:53] W. Curtis Preston: is, you know, Um,

[00:18:55] Stephen Manley: safe. I’ve got, I’ve got my recycle bin. What could go wrong? Well,

[00:19:00] W. Curtis Preston: Yeah. You know, and to, to go back to your, like the retention policies that they do have, they’re just simply not designed. What you have is a, it’s for e-discovery, not for point in time restore. Um, and I know that there’s this one book about administering 365. There’s this one person who I keep talking. To and about online and you know, his chapter on backup is like, Well, strictly speaking you really don’t need to backup.

But even he who is pretty much anti backup, he’s like, Well, unless you wanna be able to respond to like a really major ransomware attack or do a point in time restore, or something like that, like right

[00:19:40] Stephen Manley: Which is kind of the point of

[00:19:42] W. Curtis Preston: Which is what we’re talking about. Yeah. Yeah. But we’re just, we’re just FUD flyers, That’s what we

[00:19:48] Stephen Manley: That’s, that’s, I’m, I’m fud That’s, I’m gonna get a t-shirt printed with that now. FUD

[00:19:54] W. Curtis Preston: FUD flyers. Yeah. You know, there’s a phrase I’ve used a lot, which is just because you’re paranoid doesn’t mean nobody’s out to get you

[00:20:02] Stephen Manley: Exactly. You should actually look behind you right now. No, uh,

[00:20:08] W. Curtis Preston: Right. Well, hopefully we’ve scared the crap out of everybody cuz that’s what the day is all about here in America. Uh,

[00:20:16] Stephen Manley: the tricks. There are no treats anymore.

[00:20:19] W. Curtis Preston: are no treats. Uh, you know, I remember the years ago I went to a, a, a, uh, uh, what do you call a trade show and I was speaking on the stage and there’s a guy. Spoke, uh, was speaking after me, and I was, you know, talking about my usual shtick with backup and whatnot.

And then, and then, and he came up and, and, uh, he said, um, he goes, Yeah, you know, you’re, you’re, you’re, um, you know, I like the, the way you do it. You sort of give ’em all the, you give ’em all the stuff that they need to be afraid of, and then, and then you tell ’em the solutions to, to those things. He goes, Yeah, the, my presentation, um, I don’t have the second part, he just, he just

[00:21:01] Stephen Manley: just scare him and walk

[00:21:02] W. Curtis Preston: Yeah, he was a cyber guy and what, what he, his point, this is pre ransomware days, his point is there are real, very bad people on the other end of these cyber attacks. And his main core point is if you think it’s a good idea to retaliate,

not such a good idea. Right? Cause he’s like, there are people with like weapons and like, you know, Right.

Yeah, that’s what he was saying. He’s like, You don’t, these are, these are not like script kiddies. Uh, yeah. He’s like, These are really bad people that you don’t wanna mess with. Right. Maybe call the fbi, Maybe not, but whatever you do, don’t just.

[00:21:45] Stephen Manley: Don’t do it

[00:21:46] W. Curtis Preston: Retaliate yourself. Yeah. But, uh, anyway, well, with that lovely positive note, we will end this episode of No Hardware Required.

Uh, remember to subscribe so that you don’t miss an episode. And of course, here at Druva, there’s no hardware required.