Skip to content
InTechnology Podcast

#89 – Cyber Attacks, Bank Fraud, & More: Cybersecurity with Greg Lavender

In this episode of Cyber Security Inside, Camille and Tom chat with Greg Lavender, Chief Technical Officer at Intel, about his career path, his experiences in banking and security, and his intriguing stories that illustrate cybersecurity ideas. The conversation covers:

  • Greg’s career path from his interest in computers as a kid, to his coding career, to his experience in banking security, to his current position at Intel.
  • How you always need to assume you are going to be targeted, especially as a business or corporation, for cyber attacks.
  • Some of the procedures and security measures you follow to stop a cyber attack as soon as possible.
  • How cyber security is changing because of the increased amount of data and product, and the increased usage of both of those.

And more. Don’t miss it!

 

Check out the Security Begins with Intel® webpage here: https://www.intel.com/content/www/us/en/security/overview.html

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

 

Here are some key takeaways:

  • When we think about security and security careers, we aren’t talking about a theoretical idea; it is something that affects people daily and can have huge impacts on lives.
  • This interview is with Greg Lavender, Intel’s Chief Technical Officer. He was introduced to computers early, and many years of coding professionally has led to his current role with the company.
  • Greg realized early on that what makes a computer fun is what you can connect it with and who you can engage with. It opens up new possibilities and opportunities for development.
  • When he worked at banks, he really began to understand what goes into cybersecurity, and what you need to prepare for. Whether it’s cyber attacks, phishing schemes, or malicious actors, a lot can come up when you are dealing with money. This is especially true in an age where we have mobile banking and employees working from home.
  • Resiliency in security has been a topic that has come up more and more. Rather than constantly being in a cycle of detecting and protecting, we need to be working towards a mindset of learning from breaches and incorporating what we learned.
  • One of the keys to responding to and preventing wide scale cyber attacks is a network that is agile and flexible. If you have a network that you can quarantine part of without taking down everything, you are in a much better position. And it has to be seeded into every part of your critical infrastructure.
  • An added difficulty is that the surface area of possible attacks is constantly growing. Whether it be the cloud, data in RAM, encrypted data… We are creating new data at a high rate. You have to assume you will be attacked, and learn how to mitigate it.
  • Greg tells several stories about what he has experienced in his position and what he has learned from it. There are methods to detecting and eradicating malware and other attacks that he has witnessed and used.
  • One story that he told was about a CFO approving a request for a wire transfer that was fraudulent. He walked us through the process that was needed to address the situation, which included notifying the FBI, following jurisdiction, and working with the Financial Crimes Enforcement Network, or FinCEN.
  • Business and large corporations are not the only ones at risk for cyber attacks and phishing. Individual consumers are also at risk. Attackers target everyone.
  • Something that is overlooked is that the oftentime the worst and least secure usernames and passwords actually belong to security people. “Admin” for username and password is not secure, but it is very common. Part of what needs to happen is education and checking each other to ensure these gaps are not left.
  • Trust is a very important part of security and needs to be included in each part of the security design process. It can’t just be about making your own individual product secure, but about bettering security entirely.
  • Greg shares an interesting story about his experience with device theft at an airport. He talks about how physical security and cyber security intersected to find his device. It was a great example of executing a kill chain.

 

Some interesting quotes from today’s episode:

“My father, he put me in a special school in Washington, DC, where I learned binary hexadecimal octal arithmetic in the third grade… I didn’t know what it was or what it was used for. I just knew that it was sort of this kind of funny math that you could do and come up with crazy numbers.” – Greg Lavender

“I still remember the day, you know, when you would do all your downloads at night so it’s not to congest the internet during the day.” – Greg Lavender

“When you work in networking, you work in security from the get go. My whole career, it’s like security and networking have gone hand in hand.” – Greg Lavender

“I got a real live awakening to the real world of state-sponsored cyber attacks, malicious actors – both insider and outsider – money laundering, and of course anti-money laundering mechanisms, phishing attacks, you know, bank fraud. I mean, it’s pretty scary actually. Just the sheer scale and size of what’s required in a large global organization with employees running around with mobile phones and laptops – how to secure the edge and then how to protect the core.” – Greg Lavender

“A bank certainly understands how to make computing resilient, networks resilient, software resilient, but it’s very expensive. And most organizations can’t afford it. And this is why the attack surface is so porous.” – Greg Lavender

“You have to assume that the advanced persistent threat is always there. You never feel secure. I remember briefing the board once and they said, ‘Greg, can you give us the guarantee that we’re not gonna be hacked?’ I said, ‘No, I can’t.’ …You’re only as good as the last attack.” – Greg Lavender

“Every consumer – not to scare everybody – but every consumer is at risk of these fake wire transfers… So if you get phished, you know, for making some payment that you think is legit, but it’s not legit, your recourse for getting that money back is near nil.” – Greg Lavender

“There’s an old saying about home security. You just make your house more secure than your neighbor’s. Right? But if we just do that, you know, we didn’t really solve the problem for the neighborhood. You solved the problem for your house, but you didn’t solve the problem for the neighborhood.” – Greg Lavender

Share on social:

Facebook
Twitter
LinkedIn
Reddit
Email

[00:00:35] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always is my eminently qualified and probably overqualified co-host Camille Morhardt. Hi, Camille. 

[00:00:49] Camille Morhardt: Hello.

[00:00:51] Tom Garrison:  So today is a special podcast for us because we have our very own CTO, Chief Technical Officer, uh, Greg Lavender from Intel. And Greg, for those of you who don’t know, Greg came to Intel with a pretty extensive background–most recently, he was at VMware. But he spent a lot of his career actually working in investment banking and he has some really incredible stories to share about cyber security and living it on the front lines. Because when you’re dealing with that much money, you can bet that there’s going to be thieves and crooks and everyone else trying to get at that.

[00:01:39] Camille Morhardt: Yeah, he’s a complete nerd, right? He’s a math genius, did computer science sort of really early on and knows everything there is to know technically; but also—which I’m not sure if this is so common–he can tell an amazing story. Uh, everything from, you know, being kind of behind the scenes in IT and security to just actually a regular person, you know, going through airport and having something happen to him, that’s a security incident.

[00:02:10] Tom Garrison: They’re great stories. And I think it’s a good lesson for all of us when we think about security and it’s not just a theoretical practice here. This is something that, in some cases, people’s lives depend on, on security–certainly their life’s fortune resides on, on whether something is held safe or not.  And it’s good to know that we have somebody like Greg with all of his expertise, helping protect that information and protect that data and protect that. 

[00:02:43] Camille Morhardt: Yeah, and really great and fun to be able to just sit back and have a casual conversation with him about what it’s like to be in the job that he has.

[00:02:53] Tom Garrison: That’s right. All right. Well, let’s jump right into it.  Our guest today is Greg Lavender. He is Intel’s Corporate CTO and Senior Vice President and General Manager of the Software and Advanced Technology Group. He joined Intel in June of 2021 from VMware, where he served as Senior Vice President and CTO. He has more than 35 of experience, spanning software, product engineering, and advanced research and development.  So welcome to the podcast, Greg. 

[00:03:27] Greg Lavender: Thanks for having me. Uh, I’m happy to be here. And, uh, you made me feel really tired saying all those things about 35 years in the industry; but I’m highly motivated every day.

[00:03:38] Tom Garrison: That’s great. Now 35 years is quite an accomplishment in and of itself, not just to mention the levels that you’ve achieved; but 35 years in this industry is definitely saying something.

[00:03:47] Greg Lavender: Well, 25 years of that, I was writing code. So I’ve only, only for the last 10 years, if I’ve been sort of in the senior technical management role. 

[00:03:54] Tom Garrison: Well, that’ll give you a good perspective then of what we want to talk about, and I didn’t really go into it in your introduction, but, uh, I know that you’ve spent time at various companies beyond VMware, but actually in the wild at companies like some of the investment banks and so forth.  And so I thought it would be great to, first of all, for you to just share a bit of your background and then some of the, the stories. When we think about cyber security, like, what does that mean for you as somebody who’s actually lived it out in these companies? Extra sound here

[00:04:29] Greg Lavender: Yeah. I mean, without taking up all the time on the, resume, just say that I was sort of born fortuitously, I suspect.  I call myself a “Sputnik baby” in the sense Sputnik launched I think it was in 1958. I wasn’t born until ’61; but my father was a career military guy–cold warrior, I guess we call it. And so I was introduced to computers at a very early age. In fact, my father, he put me in a special school in Washington, DC, where I learned to binary hexadecimal octal arithmetic in the third grade. 

[00:04:59] Tom Garrison: Wow. 

[00:05:00] Greg Lavender: I didn’t know what it was or what it was used for. I just knew that it was sort of a, this kind of funny math that you could do and come up with crazy numbers.  And so, uh, then he taught me basic fortran programming when I was a young teenager and helped me get my first computer built, which was a Heath kit, which had an 80/85 processor in it. So I’ve been doing software development, you know, since I was like 14.  

As a professional, I pursued one problem.  My first job outta school was implementing TCP/IP in the early days, 1983. And, um, imprinted on this idea of large scale distributed computing at that point. And that’s my whole career; no matter where I’ve worked, I’ve pursued that singular problem. 

[00:05:36] Camille Morhardt: Why did you imprint on that? 

[00:05:38] Greg Lavender: Well, I mean, having built a computer when you’re sitting at home you’re programming, and I was writing Dungeons and Dragons video games and stuff like that, you know, at some point you sort of realize that  until you connect the computer to something else, it’s a lot more fun.

So I was, I was early subscriber with bulletin boards, had a 1200 baud haze modem, like many other people. I thought that was fast at the time. So once you, once you got connected into bulletin boards and you realized there were communities of people like yourself, that you can interact with and engage with, that was when it really made the computer fun.

So I sort of got really into this whole idea of connecting your computer into these networks and my father his work, they were one of the early nodes on the internet. And so I got introduced to ARPANET, you know, very early when I was in high school. And, and then my first job outta school was writing protocols for ARPANET. 

[00:06:25] Tom Garrison: Wow. Yeah, there’s a, there’s a lot of things that you’re describing actually that, uh, are similar in, in regards–my father was also in IT and, you know, he had the terminal at home that we had, he would dial back into the VAX and do work from home.

And, and if for it keeping things up and running, but yeah, it’s a different world and you’re exactly right that like the power of the computer, when it’s by itself is, is somewhat limited. But as soon as you can connect it to other things, it opens up a whole new set of possibilities, which of course we take for granted today. But back in the day, it was a really, really big deal.  

[00:07:00] Greg Lavender: I still remember the day, you know, when, when you would do all your downloads at night, so it’s not to congest the internet during the day, right? 

[00:07:10] Tom Garrison: Yeah. So, I know part of your background, you were, uh, working in some of the investment banks and I, I know our listeners love to hear real life stories about security and cyber security and implications thereof.  So do you have any stories that you could share with us about your times at the banks? 

[00:07:29] Greg Lavender: Well, I mean, obviously when, when you work in networking, you work in security from the get go.  My whole career it’s like they security and networking have gotten hand in hand.  I took a little break from my tech career, got tired of building all the widgets operating systems, servers, storage, networking, switches routers, and went to Citigroup. They recruited me there to go out and build arguably the largest global private club in banking. And I didn’t think they were serious, but when I got there, I realized they were serious and I hadn’t been there very long and they said, “well, we’re gonna give you all the cyber security engineering.”  CISO set policy, the SOC was in IT operations that ran the security operations centers, which we had a distributor around the globe for resilience seeing redundancy. 

And so, you know, I got, I got a real live awakening to the real world of state-sponsored cyber attacks, um, malicious actors, both insider and outsider money laundering–and of course, anti-money laundering mechanisms, Phish attacks, you know, bank fraud. I mean, it’s pretty scary actually. Just the sheer scale and size of what’s required in a large global organization with employees running around with mobile phones and laptops, how to secure the edge and then how to protect the core.

And so to me, it was, um, like I had two jobs. I was sort of the CTO to build the sort of private cloud and at the same time you have to secure it ‘cause banks are highly secure and regulated.   Like, uh, Willie Sutton the famous bank robber from the 1930 said, “why do people rob banks? That’s where the money is.” So now the money’s, the money’s bits. It’s a lot easier to steal bits than walk into a branch and rob haul off cash. 

It’s, it’s both, uh, exhilarating in some cases. And there were certainly lots of, um, you know, serious events that happened. I can’t tell you all the details about them all, but let’s just say it’s like being in a war zone. And one of my favorite cartoons from that era–it wasn’t that long ago –ting at his feet and he’s telling this sort of cyber war stories; he says, “yeah. And there was this time when the Chinese overran our firewall and we had to throw more CPU in memory to, to, to overcome the breach. And we beat, we successfully beat them off.” So like all of us, all guys in the future will be telling these cyber war stories, ‘cause hopefully this generation will fix all these problems. 

[00:09:36 ] Camille Morhardt: So I’m wondering we’ve seen this kind of–well, first of all, I wanna find out if you, if you see this too, and then where, where you take it from there–this kind of evolution from like detect, protect, detect, you know, then we sort of respond, we add respond, and then it seems like now we’re moving this world of everybody is likely to be breached at some point somehow one way or the other. And it’s kind of more of a, a function that organizations need to move toward resiliency. 

And I’m interested in what that means to you. I’ve heard it sort of described as, you know, an ability to bounce back, of course, but broader than just mitigating the specific vulnerability or problem that you found and kind of incorporating it into learnings–both what you’ve learned inside and outside your organization.  But could you talk a little bit more about where the world is headed in terms of what resiliency means or if you believe it’s headed there?  

[00:10:36] Greg Lavender: Well, I mean, that’s a, it’s a huge, huge challenge. I mean, I certainly know a lot about resiliency. Haven’t worked in a global financial company, our most critical application processed on average $5 trillion worth of payment flows per day and could never go down.  Right? So that was an average day; volatile day, it was as high as 7 trillion globally. And so, you know, a bank certainly understands how to make computing resilient, networks resilient, software resilient; but it’s very expensive. And most organizations can’t afford it. And this is why the, attack surface is so porous. 

The actual amount of cost that it takes to really secure these environments make ’em resilient, not just against cyber attack; there are malicious insider events where, you know, you have to assume that the advanced persistent threat is always there. You never feel secure. I remember briefing the board once and they said, “well, you know, Greg, can you give us the guarantee that we’re not gonna be hacked?” I said, “no, I can’t.” And they go “well, but you’re spending close a billion dollars a year to defend this place. I mean, how much is it gonna cost?” I go, “I don’t know. I got 170 some products, security products deployed globally. We think we’re pretty good. We benchmark selves against other banks, we talked to the federal government. That there are various agencies that do this to sort of assess and get external assessments all the time, vulnerability threat assessments, but you you’re only as good as the last attack.”

And so, you know, the vectors are always changing. The tactics are morphing and so you have to be ever vigilant.  You can’t keep building the firewall higher and higher. That’s insufficient. A lot of it’s behavioral. And, you know, you have to be very, very clued into the different attack vectors and your business processes have to be modified, not just technology business processes have to be adjusted, so they’re resilient.  So, you know, I’ve had to deal with ransomware attacks that were spreading like wildfire. Therefore you have to have a very agile network that you can quickly quarantine without taking of the whole business. Right. So, you know, it’s okay, well, Italy’s infected well, quarantine, Italy, but don’t quarantine Zurich.

So, you know, it really does it drives all of your systems, architecture, application architecture to address the existential threat of these security breaches, particularly around data.  And now it’s even more complicated there’s data, rest data in flight. We sort of know how to deal with those, but with data in the cloud or data, even in ram in the cloud and encrypted comes a potential, another attack vector.

So the surface area just keeps getting larger and it.  Frankly, it seems to the attack vectors outstrip the defenses. So you have to assume that you will be penetrated, you will be attached, you will have data stolen and how do you mitigate that and keep the business operating and deal with the risk and deal with the, the faculty, the negative publicity that comes along with it.

[00:13:10] Tom Garrison: Is that what you mean by when we spoke earlier, you were talking about the cyber kill chain. Is that what you’re referring to there.

[00:13:17] Greg Lavender:  Yeah, that’s part of it. We had Let me give you an example of an event we had was, uh, a contractor entered a branch in Morocco, and they’d used a USB stick that had some malware on it and stuck it into their laptop. And then their laptop was on the corporate network at a branch. And we detected it after it was already, you know, crypto locking SharePoint files. And so, so at that point, that’s what meant when you first you gotta quarantine the network path, ‘cause the things moving laterally, right? It’s very aggressive. It’s moving at the speed of photons.  First, you gotta block it from spreading further then you gotta go eradicate it. You gotta go, you know, kill it where it’s living so it doesn’t penetrate further. You know, at some point you almost have to go cut off your arm, you know, get a block, active directory.

So then you got all these employees that can’t log in, ‘cause you’ve not just blocked active directory for that subpopulation of your IT services. So, you know, you have, you have a set of graduated or escalated behaviors you have to execute to do that. 

And then there’s the cleanup. Do you pay the Bitcoin ransom to unlock the files? That’s when you find out which files aren’t actually being effectively backed up. Right? Okay. Critical business files typically are backed up, but let’s say, you know, the stuff on your home, your home SharePoint, one drive, wasn’t backed up. And so you either lose that data ‘cause you don’t wanna pay the Bitcoin ransom.  I’ll tell you this:  all banks have Bitcoin reserves as part of their risk reserves, if it becomes necessary for critical data to, to recover it. And you have malicious insiders that do crazy things as well. 

[00:14:42] Camille Morhardt: So it sounds like it’s part of the plan and it’s been part of the plan for a long time. Do you see any kind of new types of threats evolving?  Like what are we gonna be dealing with in the next three to five years on the threat landscape? 

[00:14:57] Greg Lavender: Well, I’ll tell you an interesting case. I actually, I, after I left Citi group, uh, I got a call from a former colleague of mine who was a CFO for a, uh, a, a supplier of technology, the semiconductor industry; they had acquired a company and one of the executives in that acquired company had received a, what appeared to be a official email from the CFO, asking him to do a wire transfer to a correspondent bank in Hong Kong with the destination bank in Macau, for $3 million. 

It turned out it was a fraudulent request, but the, the executive for the subsidiary processed, it, approved it. So this wire goes out, with the discovery after it’s already gone out. The, the CFO who was a former colleague of mine called me and said, “you know, what do I do? You know, given your experience?”  I said, “where did this occur?” He says, “in Boston.” I said, “first call the, I know the procedure, ‘cause I was involved in a number of these incidents with Citigroup. I said, “you call the Boston FBI field office. You file the criminal complaint. Cause you first have to file a complaint.” He goes “well, but the, the banks in Hong Kong,” I said the FBI has an office for financial crimes in Hong Kong.

Right, but you gotta follow it in the jurisdiction which should occurred. I said, they’ll then act activate FINCEN–the Financial Crimes Enforcement Network. You hear all about the Russian oligarchs losing access to their funds and their properties, the Financial Crimes Enforcement Network FINCEN that goes after them with the FBI.

So notify FINCEN; FINCEN has the ability to stop the wire. Okay. So long story short, he was able to recover the 2.6 million and stop it.  I don’t want, I don’t wanna make this my side job, but I’m just saying, I knew what to do because I had that experience.  But if he hadn’t called me that money would’ve been gone. Cause you have to move very, very fast to shut it down. 

[00:16:38] Camille Morhardt: So are those the kind of threats that we’re expecting and the near horizon here? 

[00:16:42] Greg Lavender: Yeah, every consumer–not to scare everybody, but I mean, every consumer is at risk of these fake wire transfers.  I mean, go do a wire transfer from your brokerage account or your bank and you’re giving all these warnings about, okay, if, make sure you wanna do this, ‘cause the banks, once you submit, “yes,” the bank’s not accountable for it. So if you get phished, you know, for making some payment that you think is legit, but not legit, your recourse of getting that money back is near nil.

So I think, you know, every person is essentially subject to this, if you have an email address or a text, you can get a text. Very clever, very masquerading kinda events. 

[00:17:16] Tom Garrison: You know, I think that, that we all have heard of stories of people that get tricked out of. Somehow, releasing a lot of money and, and it’s, it’s terrible to hear, which I wonder from your perspective, Greg, where do you see the opportunity for a company like Intel, where obviously we’re deeply entrenched  in the technology and our hardware underlies the data centers it around the world, the, the clients that around the world.  Like what’s your perspective as CTO on how can we help? I know we can’t solve everything, but how can we help? 

[00:17:52] Greg Lavender: First, I mean, our, our product portfolio has, you know, sophisticated security technologies in it; but we’ve gotta drive more adoption of them like threat detection technology that’s in our client computing devices, not just vPro, but our client devices.  But, you know, TDT has a machine learning algorithm that detects certain signatures of code execution paths that that are considered threatening or identifiable malware. And we then alert like Microsoft Windows Defender so that Defender can take action. 

So we’re sort of detecting, but we’re not fixing right. We’re alerting to something else to fix it. But many customers don’t subscribe to it cause they don’t, they don’t wanna pay, I don’t know the fee, you know, to kind of get the proactive alerts ‘cause vPro can then sort of quarantine the machine, wipe the machine, reinstall, the operating system, boot it back up. So we have the capabilities, but I think, you know, it’s from a, from an engineering perspective, we’ve delivered them, but you know, does the market actually have the sophistication to take it on? So I think we rely on partners a lot, do that. And I, I keep suggesting that we should move further up the software stack and actually deliver those services ourselves are certainly closely with partners like Microsoft, which we do. 

And then on the server side, I think, you know, we have our SGX technology, which if you use signal messenger for your secure communications–I do for all my international communications–it’s built on SGX. It runs inside of Azure cloud on SGX and uses our secure enclave technology to secure your contacts, your communications, and that software it’s all open source code. So if you take open source code, running it on our secure SGX technology with our attestation service that we provide through our IPAZ organization, we already have a lot of the pieces.

So there’s a lot of opportunity. We have all the pieces, but we really gotta bring it together as a solution and as a service and then monetize it ourselves and not let somebody else monetize it for us. 

[00:20:04] Camille Morhardt: I wanna ask you a question about trust, because I think we’ve seen in the, in cyber security, you know, again, possibly this evolution from safety to security, then we incorporate privacy as we deal with, um, people having more and more personal information floating around.

And now I think we’re hearing the word “trustworthiness” come up and I’m wondering, you know, from your perspective, what does “trust” mean if it’s something related to a large enterprise providing compute? 

[00:20:36] Greg Lavender: It’s another little factoid from my time at Citigroup group. I mean, we had a very sophisticated user X3 letter agency employees that we had hired into our vulnerability threat assessment team–our own sort of black hats and red hats.  And we, we always red teaming each other. So we were always sort of trying to be our, be our own attacker and discover vulnerabilities that we’d overlooked kept those teams independent so that they weren’t colluding on things or trying to look better than we were. But one thing I’ve sort of learned, uh, this whole experience is that most of the industry is producing technology that’s rife with security flaws, and sometimes I’d wanna deploy some new security technology, it takes me nine months to ring all the security defects out of it. And here’s, here’s the really dirty secret of the industry: the security vendors had the worst security passwords in the clear user credentials, login, username, password admin admin in a publicly readable file on the directory of, of some device.  Right? And, uh, look at Open SSL Heartbleed bug–and I was there at Citigroup when that hit.  Open SSL was embedded in and all of our 25,000 branch routers from Cisco and Cisco gave me a two-year plan to remediate it. “You’re gonna ship me 25,000 new ISR, Gen3s–that’s an integrated services router.  “You’re gonna send 25,000 of them FedEx out to all my locations. And I’m just gonna swap out the device with the new software and I need it done by the end of next Friday.” And they did it, but they had to bear the cost of that. I, I couldn’t wait two years to open back up.  Yeah, two years, that was their plan to go out to every site and upgrade this, you know, upgrade this offer–you couldn’t do it over the wire or something; but as a customer who was spending, you know, a couple hundred million dollars a year with Cisco, I get away with that. But, but other people don’t.  

And there’s all this risk associated with the supply chain of software. SolarWinds was the big wake up call for that. And again, we have to teach everybody and everybody understands the professional responsibility to write secure software. And we’ll do all the scanning and all the things we can do and try and minimize false positives on things that aren’t really security defects, but we have to take it seriously ourselves.  The whole industry has to do this because we’ve essentially left a lot of the doors open. There’s an old saying about like a home security. You just make your house more secure than your neighbors. Right. But if we just do that, you know, we didn’t really solve the problem for the neighborhood. You solved the problem for your house, but you didn’t solve the problem for the neighborhood.

We as Intel need to be the trusted party that can solve the problem for the whole neighborhood for the world. And so, you know, you’ve heard about all the metaverse. Oh yeah. Like we should have the Intelverse; Intel should basically create a secure reality of technology from the, we do this already from the firmware to the BIOS, we can attest to the authenticity of the CPU and the firmware that’s been signed–and that the system is booted into a known state that’s not infected. And then from there up all the way through the hypervisor, to the operating system, to the IAS, the PAS, the containers of the service Kubernetes, we need to in ensure all of that is, is a confidential computing fabric. 

And we have the technology to do that and more coming. I want Intel to lead the industry and be the trusted party to deliver confidential computing with all the partners that will contribute with us, the Linux community, the open source community, Microsoft, Dell, HP, VMware, whoever I think we can pull this off is just gonna take us to get serious about it.

[00:24:12] Tom Garrison: And you just mentioned One Source. Greg, can you talk just briefly about what it is and what it promises to do, or at least our vision for it? 

[00:24:20] Greg Lavender: One Source is a program to get all of our source technologies could even be RTL, you know, into any specifications, any code, you know, anything that represents our IP, that we all have it into the GitHub repository. But we were a little lax in the way the controls were set up initially. So that’s been remediated as we speak.

Think of this as like it’s the company’s intellectual property in electronic form. We need to treat it that way. Your code, you wrote it; but, you know, we gotta treat it as our trust relationship with our customers. That we’re good stewards of all of our source technology and to our best of our ability it’s not vulnerable in sort of obvious ways. There may some unobvious ways that we’ll discover, but we have to take this view just like we can, your, with your financial portfolio, do you let, just anybody go play around with your financial portfolio?  No.  You manage it carefully or you have somebody that you pay to manage it carefully for you, and you keep a close eye on it. Think of software as essentially it’s part of our financial intellectual property portfolio. You may be, you know, the one that’s developing it, but we have to protect it as an asset for the company and for our customers.

[00:25:24] Tom Garrison: No, that’s great.  You know, Greg, one of the things that, uh, you shared with us before this podcast was, uh, as part of your time at, at Citibank, you had an interesting trip through London Heathrow. Regarding your device. And I, I think our listeners would enjoy hearing this story and what you had to go through. 

[00:25:45] Greg Lavender:  Yeah. Yeah. So I have a regimen when I go through the security terminal: I take my jacket off, put my luggage bag down. I put my computer bag. I take my laptop, iPad, whatever phone. I stick it in a tray together. So I’d done this, but I, I didn’t take my shoes off ‘cause my shoes had never set off the alarms in most, most other airports. And I walk through this, uh, gate, you know, the alarm gate and it dings and the guy says, “take your shoes off.” So I go back to take my shoes off, stick ’em on the conveyor belt. And I walk back out to the other side and I get there and there’s my luggage. There’s my computer bag. And there’s my tray with my jacket in it. And the tray with my laptop—it’s a gray Macbook Pro Intel-based, you know, in that gray tray. And then there’s a stack of trays where the guys had taken all the, you know, empty trays and stacked them up. And I thought they must have just stacked it in the stack ‘cause they didn’t see the computer sitting in the bottom of it ‘cause they’re both gray.

So I made them unstack ’em and it wasn’t there and then they go like, “well, you must have left it on the, on the bus or your cab, you know, you didn’t bring it.” “No, I just took it outta my bag.” And I was trying to remember like, who was in, there was a woman in front of me, and then there was another guy in front of her. They went through the gate and then I look up and I see these security cameras, you know? And I said, “well, look, whoever took my laptop is on a video somewhere from that security camera.” Uou know, here’s the CTO of Citibank–and I didn’t tell about who I was–I said, “I wanna see the video.” “Well, we can’t take you there.” And I said, “well, I wanna talk to the, the airport police.” So pretty soon these two officers come jogging over and I explained what happened. They’re taking my statement. And I said, “look, whoever took my laptop is on that video camera. Get that video camera.” So one of the guys left to go to some control room.

He comes back like 10 minutes later and he has on his cell phone some video clip of the guy that was a head of the woman in front of me, who, who looked and saw that I got sent back to take my shoes off, reached over and took my laptop out of that tray stuck it in his bag and went into the main terminal area.

And so what I was impressed with is these Bobbies, these, these  police, um,  they texted that picture of that guy to all the gate terminal agents. They intercepted him just as he was boarding a flight to, uh, Prague. And so I went over there thinking, okay, “I need my laptop cause I gotta go catch my flight.” And they wouldn’t give it to me ‘cause they have to impounded it as evidence. 

The good news is I always, uh, I’m paranoid cause I’m a security guy, as well as a networking guy. I always had my firm password on. Right. So you can’t boot the device app up, you know, without the firmware password, if you’re trying to hack it; my hard drive’s always encrypted. And I always have my backup drive encrypted, so I can always USB it into something else and decrypt it. 

So anyway, they wouldn’t give it back to me. They arrest this guy, I get on my plane. That night as my plane pulls up to the terminal, the flight attendant says, uh, “would Mr. Greg Lavender, please see the police.” 

[00:28:32] Tom Garrison: That’s usually not a good thing when you exit the plane.  

[00:28:35] Greg Lavender: And I notice everybody looking around trying to figure whose this criminal Greg Lavender, that the police talk about? And I sort of like, I don’t, I, I don’t know what was going on. I thought maybe I had the, on something wrong.  So I get off the plane, and there are these two officers with rain dripping between the, you know, the carriage and the plane and they have my laptop wrapped up in plastic and they hand it to me. As I walk off the plane and, and apologize for the inconvenience. 

[00:28:57] Tom Garrison: Wow. 

[00:28:58] Greg Lavender:  So I wrote a letter of commendation–I got their names–and I wrote a letter of commendation for both of them to the captain of the airport police. I wasn’t going to leave that airport without knowing who on that video has stolen my laptop.  You know, that was, that was my executing, the kill chain. 

[00:29:13] Tom Garrison: That’s a great story. 

[00:29:14] Greg Lavender: And by the way, the police told me that Heathrow Airport was the number one airport for the laptop theft. And that there are people that will buy a ticket to get through the security so that they can pilfer for the laptop. So they hit, they catch ’em with two or three. 

[00:29:27] Tom Garrison: Wow. We’re not quite done yet because we do have on every episode, a segment, we like to call “fun facts.” So I’d love to hear what, uh, what fun facts you would like to share with uh, our listeners. 

[00:29:48] Greg Lavender: So I’m always trying to push myself to learn new things. I’ve just learned that you can’t get into a groupthink or, you know, think that you know it all.

And so I’ve been reading this book, uh, I’ve actually finished reading it, but I, I really like it. I’m reading some deeper stuff. It’s by this, um, uh, Judea Pearl who’s, uh, Turing Award-winning computer scientist. Who’s worked in probabilistic reasoning. 

So I’ve always been a math geek. And so I like this kind of stuff, but Judea, Pearl, uh, published a book that that’s readable by a larger audience called The Book of Why. And it’s really about cause/effect reasoning and how standard probability theory is sort of wrong in this regard. And what’s interesting about it is there’s also a British scientist named Karl Friston–Karl with a K,  F-R-I-S-T-O-N. And he’s a neuroscientist who is most likely to win the Nobel Prize for his, uh, time research in brain imaging and understanding brain function. And he’s mapped out what he calls causal dynamics in the brain. And it, it appears, I think this is where, where the really interesting fun fact is it appears that Judea Pearl’s statistical theories and the actual functioning of the brain and cause/effect reasoning match.

[00:30:52] Tom Garrison:  Hmm. 

[00:30:53] Greg Lavender: So today’s, AI/ML could very well be nascent and still, and could be replaced by this type of reasoning. Cause obviously humans are very good at causal reasoning with imperfect information. And all the training and machine learning and inferencing things we do today is also in a sense artificial–that’s why it’s called AI; but what if we could actually start to develop technologies that more match the actual functioning of the brain? So I think, I think my personal view, and maybe it’s just ‘cause I’ve had, you know, a lot of experience to think about these things is that when, when the actual biological science matches up with the, the mathematical science, that’s when you make big leaps and discoveries and new technologies.

[00:31:35] Tom Garrison: Hmm. Sounds great. Thanks for that. Uh, Camille, how about you fun fact 

[00:31:42] Camille Morhardt: In the spirit of learning new things, um, and doing math and calculating angles, should you ever be finding yourself, replacing a kitchen cabinet on a Sunday in Cloverdale, uh, on the coast and suddenly need one extra part and all the hardware stores closed within an hour and a half of you, you will be happy to find out I bought probably the world’s most expensive hinge driving all the way to Salem to get it because I had to finish. But subsequently discovered that the Cloverdale Feed Store is open until five o’clock and has all kinds of hardware parts. So for anybody who needs to know that (all laugh).

[00:32:23] Greg Lavender: You should post the Google Map location of this hardware store. (all laugh)

[00:32:27] Camille Morhardt: Yeah, drum up some business. 

[00:32:32] Tom Garrison: That’s right. Yeah. Well, so my fun fact is, uh, completely different from both of you. It actually has to do with lightning.  As a kid I remember my parents, if it was scary, especially if I was scared, they would say, okay, “when you see the flash count number of seconds” and, and I think it was for every second, it was a, my aisle away or something like that.

Uh, what I found fascinating was that in the year 2020, a single flash over Uruguay and Northern Argentina lasted 17.1 seconds. Can you imagine that? I mean, I think of lightning as like a, like a static electricity kind of thing, or, you know, a little bit longer than that, but it was 17.1 seconds. And that, uh, nipped the old time record of 16.7 seconds. So who would’ve known that is just a tremendous amount of energy. 

[00:33:28] Greg Lavender:  You should apply to National Public Radio for the remember, there’s this guy whose name was Dr. Science.  “I have a master’s degree in science.” We should start like the doctor science channel here at Intel.

[00:33:38] Tom Garrison: I’d love it. I’d love it. I’m fascinated by this stuff, but Hey Greg, so thank you so much for joining us today. It was a, it’s a really good time that you spent with us to, to share with your background was a really good stories. I think everybody’s gonna enjoy it. And also looking forward to what we are working toward at Intel. So your insights were valuable there and thanks for spending the time with us. 

[00:34:00] Greg Lavender: Thanks a lot. And I didn’t tell you all the really scary ones.  (Camille laughs) 

[00:34:35] Tom Garrison: More for later.

More From