Tech startup CTO: nobody likes passwords
One day a computer scientist got a phone call nobody wants to get – that super-cool software tool he’d designed had just been hacked. That inspired him to change career and become a cybersecurity specialist – and in doing so, he found that the skills he’d developed in his old job were invaluable to his new one.
We spoke to cybersecurity expert and startup cofounder Bojan Simic for our dedicated YouTube channel. This is a transcript of the edited version of the conversation – to access the original footage, please click on the link at the bottom of this article.
Could you start by telling us how you got into cybersecurity and where that decision has led you to today?
I started out as a software engineer. After a few years of working in that space, I worked on a really amazing application. And this was for a Fortune 100 client where we allowed people to do their performance reviews online – before that it was people doing everything on paper with pencil.
So we created this application. As you can imagine, performance review information is pretty sensitive, especially when it gets to the executive leadership level. We deployed this application, it was a huge home run: people loved it overall. A few months later, I got the dreaded phone call, which was: “Hey, that application that you wrote for us that everybody likes? It just got hacked.”
And it was something that got me down a career trajectory of cybersecurity, because at that point I just latched on to it, and I dug and dug until I got to where I am today.
Speaking of which, you are now running your own startup. Could you tell me a bit more about that?
Yes, so I'm the CEO and CTO of HYPR, a cybersecurity startup based in New York. We focus on this concept of eliminating passwords and shared secrets. And really it is an amazing experience: when you run a startup you get to hire some of the most brilliant people, and you get to solve really difficult problems. And we're solving the problem of the password. Think about some of the very few things that all of us on the internet have in common – like using a search engine, a browser, a password.
The dreaded password!
Of course! Nobody likes them, but they're there.
"It will take a few years for everybody to be in a passwordless state. Passwords will always have a place, just like people ride horses today – it's just not the primary mode of transportation like it was a hundred-something years ago." – Bojan Simic, cofounder of cybersecurity company HYPR
How close are you to a breakthrough?
With any sort of cybersecurity breakthrough, there's always the early adopters – and this is really applicable to any technology. And so for us, the early adopters are the businesses that have the most to lose if they keep using passwords. We work today mostly with financial services – companies that move a lot of money and therefore want to get rid of the biggest attack vector, which is the password. The Verizon data breach report came out last week and 60-70% of cybersecurity attacks still get started with a username or password that is improperly used or configured.
It will take a few years, I believe, for everybody to be in a passwordless state. Passwords will always have a place, just like people still ride horses today – it's just not the primary mode of transportation like it was a hundred-something years ago. We think about the password in the same way.
Is there anything else, day to day, that really inspires you on this job?
One of the things that never gets old to me is seeing people's faces when they first see a demonstration of a passwordless user experience: showing up to work, not having to use a password to get into your computer, not having to use a password to sign on to a VPN or any web-based browser applications, and being able to close the lid on your laptop at the end of the day not having typed in a password. That is something that five, seven, years ago never seemed possible – but it is possible today for many businesses.
When I spoke to you before about resisting the temptations of becoming a black-hat hacker, you told me that you keep yourself grounded by comparing your life in the US to the one you might have had in the Balkans, where your family is originally from. Some countries have fewer opportunities than others, and there's a lot of inequality in the world. I'm thinking in particular of the metaverse and cryptocurrency: they talk about it being a level playing field. Do you think those developments can be a force for good in the world?
You're talking to a startup cofounder – I'm an eternal optimist, so I have to believe that it's going to be a force for good! I think that the more things we can expose everybody to in terms of information that they're able to ingest, the better it is for the world. One of the most dangerous things is a lack of education, and whatever medium it is – whether it's the metaverse, the internet, a magazine, or newspaper – people need to be educated. And then the smart people, the good people, will make the best decisions for themselves given the resources that they have.
And yes, some of those will become unethical hackers and some of them will do malicious things, but I think that good will prevail, because there are some amazing people out there who just don't have the opportunity to let their creativity show.
If you could have a one-to-one with anyone inside or outside of your industry, who would it be?
Satoshi Nakamoto, just because I'm an applied cryptography nerd! For those of you who don't know who that is, it's the anonymous person who wrote the Bitcoin white paper. But if he is not alive then I would say – and only if he had to be completely honest – [North Korean dictator] Kim Jong-Un. I'm a bit of a politics junkie, so I would just love to understand that mindset.
Do you have any unusual hobbies, stuff you like to do away from work that might surprise people?
I used to be an amateur boxer, and that is still a bit of a hobby. The other one is I'm a huge real-time strategy video game nerd. I spend weeks at a time playing Age of Empires or StarCraft, which are two of my favorites.
Young, aspiring hackers who want to hone their skills and maybe make a career out of cybersecurity and pentesting – what advice would you give to them?
First of all, don't do it unless you have permission. Especially if you are in a Western nation where the chances of you getting caught are extremely high. And second of all, there's a million bug-bounty programs out there. Join all of those and see what you can do. Prove your skills and really take time to learn.
Learn how software works. Lots of “script kiddies” as they call them, young people who get started in the cybersecurity space, just learn how the tools work overall without really understanding why they work and how software is built. If you're trying to get into cybersecurity, take half of your time and just start writing software. Because if you're able to get into the head of a software engineer, you will be able to make more progress in terms of hacking applications – assuming you're doing it legally!
"Most people in cybersecurity do not have a software engineering background, and that was shocking to me, because I find it's essential." – Bojan Simic, cybersecurity expert and former software engineer
And of course that's how you started, because you were a software developer – I assume those skills stood you in very good stead for your subsequent career change?
Of course. It was amazing when I first started in cybersecurity: a lot of my peers were from the networking space, for example, and they didn't really know how software was written or how it worked. I was able to excel at what I did because I knew how people wrote software and the best practices they used – and typically where they took shortcuts. I was able to exploit that and be successful in that part of my job.
It's kind of surprising that other cybersecurity professionals wouldn't already have that as background knowledge...
Most cybersecurity people do not tend to have a software engineering background, and that was shocking to me, because I find it's essential. A lot of the technology is pretty well thought out, and it's rare that there are vulnerabilities found in those, but in the application layer of software, human error is just everywhere! And people who know how to build software are able to take advantage of it – if they know how to use those cyber tools as well.
Would You Rather…
Next we asked Bojan some more light-hearted, quick-fire questions related to the cyberworld. Maybe to bring up the pace a little, or maybe just because we could…
If you had to do it, gun to the head, would you be a black-hat hacker or a burglar?
I already spend eight hours in front of a computer, minimum, per day – so I would say burglar.
You either have to use the same password for all your devices, or run your favorite device under tap water for a minute…
Cold tap water, no problem at all!
You either get paid $1,000 in a stablecoin or $5,000 in a randomly selected decentralized cryptocurrency…
Randomly selected decentralized cryptocurrency – especially with what happened recently! [The collapse of stablecoin TerraUSD]
Yes, that question doesn't carry half the bite it did before! Next up… Do you want to wear a hooded sweatshirt every day for the rest of your life, in stereotypical hacker fashion, or never wear one again?!
Rest of my life. Given my profession and the industry I'm in, it wouldn't be that unusual!
If you could only have one cybersecurity tool, which would it be: antivirus or a VPN?
VPN. Antivirus doesn't provide you with any sort of privacy. And so for me, it's the VPN for that reason. And also, the efficacy of antivirus is debatable.
Would you rather have biometric authentication or hardware tokens?
Biometric. Because I am extremely good at losing things.
Yes, I suppose you're not going to lose your eyes – or I hope not anyway! Would you rather use Mac or Windows?
Would you prefer to have a computer for a brain or a robot voice?
(laughs) Just because we're already heading there as a species, I would say a computer for a brain.
Quiz section: Cyber or street?
Finally, we quizzed Bojan to see if he could tell which of the following names belong to cybercriminal gangs, and which to old-fashioned street thugs.
Correct! Space Pirates?
Yes, they're a group thought to be of Asian origins who recently hacked the Russian aerospace industry. OK, next up… The Firm?
Correct, that was the Kray Twins, who were very notorious in the UK in the 1960s. BlackMatter?
Yes. Last but not least... Outlaws?
Isn't that a fictional [version of a] real gang?
Trick question! Outlaws are a biker gang and long-standing rivals of the Hell's Angels. But it’s also the name given to a ransomware outfit identified by a cybersecurity company [CYE] that I interviewed. Anyway, thanks for being a good sport with those questions – and for taking the time to talk to us!
Thank you for having me, it was a pleasure!