Zero trust is not a viable option

Script


Hi, all curious minds. I have been listening to Mo Gawdat’s Scary Smart audiobook for the last couple of days. If you love sci-fi, this masterpiece is a must-listen.


While he was reading the book, I was amazed by his brilliant humor, despite the fact that he is talking about a serious topic.


As I’ve already talked about, I’m a fan of sci-fi. I love to wander around in alternative realities and explore how we could live our lives differently in a different time, with different technologies and ideologies. And I return to my reality, sad and hoping I’ll have the opportunity to experience it in my lifetime.


In the book, Mo presents a little game: sci-fi or sci-fact. It is a very simple game. He names some technologies from famous sci-fi movies, and you decide whether each is a sci-fi dream or a sci-fact that is already here with us, helping our lives.


Thank you, Mo! This game made my day! It helped me to stop, look around, and appreciate all the wonders I possess and all the resources I have access to, and it helped me to fire up my excitement for the wonder that will come in my lifetime.


The book is all about AI, but not in a techy, hard-to-understand science mumbo-jumbo. It is more like a philosophical, ethical speech about how we should teach our child, the still-innocent, superhero-like being that is AI.


What values will it learn from us? Will it decide to save us, or will we all be just collateral damage? This idea got me thinking. The book is very philosophical, and so is my little thought experiment.


So the AI will learn from us. It will learn how we interact with each other. And we will trust it to serve us and make our lives better. It will probably not need a great presence in our physical world. It will learn how we treat each other in cyberspace.


Some may know I was developing a state-of-the-art security solution, and I still have the passion for cybersecurity. In cyber, we have the concept of Zero Trust. In a simplified version, it is like: “Never trust, always verify”.


If you have never heard of it, you are one lucky guy. What this concept teaches you is to never ever trust anyone. Not your business partners, not your boss, not your manager, not your clients, not your colleagues, not your devices, not your infrastructure. Never ever.


Always verify that the policy requirements are met; if not, deny the access. What a nice concept, isn’t it?


Think about it. In real life, is this concept really a viable option? Nobody trusts anybody. Let’s start with a business example. I need to buy something. I found the provider. I want to have it. But I won’t pay for it until it is delivered. And the supplier will not deliver it until it is paid for.

Remember, the basic concept here is: “Never trust, always verify.”


Another example: I want to have a job. I apply for a position. But I will not work until I get my first payment. The company will not pay me until I deliver my first month of service.


Can you imagine what our law system would look like in a zero-trust environment?


When someone asks me about security concepts or, more precisely, about zero trust, I’m tempted to say you need to trust at some point. Without trust, you have to do everything yourself. And our society was built upon collaboration. So we need to trust each other.


The concept I would like to introduce to you is Trust but verify. In this concept, we trust everybody, but we always verify that they are acting with good intentions. If we notice any bad behavior, we investigate the root cause and try to resolve the issue together.


The idea behind the concept is that the majority of people do not want to hurt us. There is no black-and-white distinction between actions. I said this purposely. We do not want to punish the other because they made a mistake. We would like to help them understand and help them resolve their failure.


Well, unless they really tried to do harm, but to handle this act, we already have laws.


In cybersecurity, we have many concepts. The most famous one is black- and whitelisting. This is actually two concepts, but I will try to keep it simple. If you are good, you go on the whitelist, and we will never bother you again. If you are bad, you will never receive presents from Santa again.


You may think this is silly. There is no such thing as black and white; everything is grey. But looking at the firewall level, we usually see three actions regarding network connectivity.


We can ALLOW a packet, and it will pass the firewall. We can BLOCK a packet, and the sender will have no clue about what went wrong. Or we could decide to RETURN, and some other rule will decide if we should allow or block a packet.


Can we do better? Yes, we can. There is a concept called Application Greylisting. This concept is similar to blacklisting. We whitelist those we trust, blacklist those we do not, and greylist those not yet verified as trustworthy. We block them until they verify their intentions.


So this concept is a bit better. And if we can provide guidance on why this happened, then we can help resolve the issue. Most of the time, this guidance is missing, and we just punish the victims even more.
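The three lists described above, with the guidance message the text says is usually missing, as an added example (not code from the original post or from the BitNinja project); the strike threshold, the source names and the verification step are assumptions for illustration.

```python
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # packet passes the firewall
    BLOCK = "block"    # packet is dropped, sender gets no explanation
    RETURN = "return"  # defer to the next rule in the chain


class Greylist:
    """Tracks sources across whitelist, greylist and blacklist.

    Hypothetical policy: a source that misbehaves lands on the greylist and is
    blocked with a guidance message until it verifies itself; incidents at or
    beyond bad_threshold promote it to the blacklist.
    """

    def __init__(self, bad_threshold=3):
        self.bad_threshold = bad_threshold
        self.whitelist = set()
        self.blacklist = set()
        self.greylist = {}  # source -> list of incident reasons

    def decide(self, source):
        """Return (verdict, guidance) so the affected party learns why."""
        if source in self.blacklist:
            return Verdict.BLOCK, f"{source} is blacklisted after repeated incidents"
        if source in self.whitelist:
            return Verdict.ALLOW, f"{source} is whitelisted"
        if source in self.greylist:
            reasons = "; ".join(self.greylist[source])
            return Verdict.BLOCK, (f"{source} is greylisted ({reasons}); "
                                   "complete verification to be allowed again")
        return Verdict.RETURN, f"{source} is unknown; the next rule decides"

    def record_incident(self, source, reason):
        """Log bad behaviour: greylist the source, blacklist it past the threshold."""
        if source in self.blacklist:
            return
        self.whitelist.discard(source)
        incidents = self.greylist.setdefault(source, [])
        incidents.append(reason)
        if len(incidents) >= self.bad_threshold:
            del self.greylist[source]
            self.blacklist.add(source)

    def verify(self, source):
        """A greylisted source proved good intentions: trust it and clear its record."""
        self.greylist.pop(source, None)
        self.whitelist.add(source)
```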


This is why I loved working on the BitNinja project. It was built around the concept of greylisting. And what I learned about cybersecurity while I was with them is that I knew nothing about the reality of cybersecurity, nor about the victims who were marked as attackers by many other security solutions.


But when we helped them and taught them, they learned. And with their knowledge, we learned new ways to help the next victims.


I hope this idea will influence someone. I hope my children will not learn zero trust. And AI will be our child. I hope we stop blaming victims. I hope we will learn how we can help each other. And more importantly, learn how to trust the other.


Thank you, Mo, for your book Scary Smart. I’m almost finished with it, and I can’t wait to listen to your other works.


I would like to close my thoughts with the closing quote from my other channel, GoSecNinja: Let’s make the internet a safer place together. I hope we will see each other next time.


Thoughts

Maybe I should use these script parts as transcripts.