How AI and Deep Fakes Are Transforming Security and Customer Trust - ML 160

In today's episode, they delve deep into the intertwining worlds of technology, security, and innovation with Aaron Painter, CEO at Nametag.

Special Guests: Aaron Painter

Show Notes

In today's episode, they delve deep into the intertwining worlds of technology, security, and innovation with Aaron Painter, CEO at Nametag.
Aaron kicks things off by underlining the cultural facets in hiring, emphasizing the virtues of being good listeners, intellectually curious, kind, and respectful while achieving tangible results. We also explore the collaborative spirit in group product planning and the pivotal role of diverse perspectives.
From there, Ben takes us into the fascinating—and somewhat unnerving—advancements in deep fakes, particularly in image generation, and their implications for security and entertainment. This discussion also touches on the complexities of preventing deep fake attacks and the critical role of technology in mitigating these threats.
Michael weighs in on how physical devices and user verification limit fraudulent deep fake activities, while Aaron offers invaluable advice on latching onto growing fields like AI for future-proofing your career. We also delve into a riveting recount of Ben’s early data science days, offering a glimpse into the tech evolution from Hadoop to cloud computing.

Our conversation spans intriguing analogies, from the oil industry to AI, and examines the crucial shift toward cloud technologies, underpinned by end-use cases and consumer demands. We discuss the pressing need for secure identity verification in the digital age, exploring multifactor authentication and the delicate balance between security and user experience. Additionally, the episode covers Microsoft’s impact on global economies, with Aaron sharing heartfelt insights from his illustrious career.
Join them as they navigate these compelling topics and more, offering a wealth of knowledge for developers, tech enthusiasts, and anyone keen on the future of technology. Tune in and prepare to elevate your understanding as we unfold the latest in machine learning, AI, and technological innovation.

Socials

Transcript

Michael Berk [00:00:05]:
Welcome back to another episode of Adventures in machine learning. I'm one of your hosts, Michael Burke, and I do data engineering and machine learning at Databricks. Today, I am joined by my cohost,

Ben Wilson [00:00:16]:
Ben Wilson. I prepare slides for summit talks at Databricks.

Michael Berk [00:00:21]:
And and they're so beautiful. Yeah. We have summit. We're recording prior to summit, and this would be published after summit. But, yeah, there's so much prep that goes into that annual conference. Yeah. Anyway, today, we are speaking with Aaron. He spent 14 years of at Microsoft, and he moved up from marketing manager all the way up to this fancy title of VP and general manager of Microsoft Business Solutions and Dynamics 365 for the Greater China Region.

Michael Berk [00:00:50]:
And we'll be getting into that career growth as well as scaling out that product later in the podcast. But after Microsoft, he served as as CEO at Cloudreach, and most recently, he is CEO of NameTag, which is the first identity verification solution for help desks. So, Aaron, as we were discussing before you we started recording, you scaled the Microsoft Office Suite through 31 different countries. And, an aspect of my job is doing sales as well, even though it's a post sales role. But often with Databricks, I don't have to pitch that much. This product sort of speaks for itself and where it doesn't,

 Aaron Painter [00:01:25]:
people use other tools.

Michael Berk [00:01:26]:
So in your experience, did you have to sell such amazing tools like Word, Excel, PowerPoint, or did you just have to drop them into the right place at the right time?

 Aaron Painter [00:01:36]:
Yeah. I loved I think first thank you for having me on. It's, I'm a huge fan of Databricks, and I'm a big fan of the show, so it's it's great to be here. You know, I I love Microsoft. I was, again, there 14 years as you mentioned. I started in product, for the office business, and it was a it was a crazy time because we had this incredibly successful desktop application suite that people used. We were starting to come out with new back end solutions, think SharePoint, sort of the infrastructure layer that powers, the front end apps now. We called it the system at the time.

 Aaron Painter [00:02:06]:
We didn't really know the direction that it would eventually become, which is, you know, now Office or Microsoft 365. But the the process of kind of thinking through what that meant was was massive on every scale. For the client apps, we would figure out what we want to build next, and you have these long shift cycles where you'd say, okay. We're gonna have teams that are doing research, teams that would conceive of what features are needed based on customer requests and market research. Market research was kind of bizarre because you go and ask people what they want, and it's, it works great. I'm happy. You know, it's almost like the old Henry Ford quote. You know, if you ask people what they wanted, they would say sort of a faster course.

 Aaron Painter [00:02:42]:
And Office was similar. People loved it. They were happy with what it did, and they didn't necessarily have a road map in their mind. So we had to conceive of what we thought could be next as technology was getting better. And, eventually, that meant bringing, you know, the power of back end technologies and collaboration across an enterprise to make the front end apps even richer. It was super fun. I loved it. I got to work with a lot of great people.

 Aaron Painter [00:03:03]:
And then, you know, shifted gears into really working in Microsoft's go to market. I served as chief of staff for Microsoft's head of international, mentioned their head of go to market. It's about 60,000 people, you know, half their avenue of the company, half the people. And very much it was how do you become successful in different countries? What does it mean to be a global, you know, US based multinational doing business in different countries around the world? How do you bridge, you know, kind of a global solution into local partner ecosystems, working with local governments, local customer needs? And I loved it. We worked in a lot of big countries, but one of the things I found most exciting actually was countries that were getting bigger themselves and emerging. And so I started working aggressively on opening Microsoft, not just Office, but Microsoft as a company in these new countries, where we'd be the first person, the third person, you know, where do we find office space, what do we sell, how do we transact, what partners do we work with. And so it was super entrepreneurial or felt entrepreneurial inside a big company, and that to me was just a a wild plus.

Ben Wilson [00:04:06]:
I got all this action for you. Go ahead. Yeah. You before we started recording, you mentioned, yeah, I went to Brazil when their their economy started booming. Do you ever sit back and think about, like, hey. I was selling businesses across a lot of different industries, the very productivity tools that they need to accelerate their business growth. Because you can't really function as a, like, a modern business without these tools. They're so fundamental to just your day to day operations to be efficient.

Ben Wilson [00:04:38]:
Did you ever did did the team ever sit back and be like, are we actually affecting the economy here, like, helping this this happen? And I'm curious to hear your your opinion on that or, like, your your thoughts on what that realization might mean.

 Aaron Painter [00:04:54]:
You know, we we definitely did. And, actually, even deeper. Mean, it was kind of the reason I joined Microsoft in the first place. I I was so I grew up sort of as a business geek. Like, I was never that into, like, sports, and I just love companies. Like, I'd walk down the street, and I'd be like, what does this company do? How did it get started? Like, what what what was the business they were trying to solve? And I got really into tech early in life because I felt like tech was an enabler for business, that companies who use technology in new ways could just build better businesses. And Microsoft was kind of on the forefront of that, particularly in the nineties. Right? They brought these technology and arguably these productivity gains to society in a way that was truly measurable on gross national product or GDP levels.

 Aaron Painter [00:05:36]:
Later on, I'd say other companies like Amazon might have contributed that in just high scale ways, pre AWS even. If you make people more efficient and they don't need to go to the store and they can order online, you actually get productivity gains as a society. And it's very much the same thing in Microsoft. Although, in the early days of it, we, you know, had these client apps, and everybody was using Word and Excel and and Windows even. But particularly in emerging markets like Brazil, like China, our usage numbers were incredibly high, but people weren't actually paying for it. And so, yeah, it was crazy. When I, you know, moved to Brazil, I I was sort of the first foreigner we had there. I said first when they asked me to come, I said, I I don't speak Portuguese, and most of you don't speak English.

 Aaron Painter [00:06:16]:
Like, you know, is this meant to be? And and they said, hey. We wanna learn from from different cultures. We wanna learn from what you've seen around the world and another parts the world where Microsoft had become successful. And so I went and I started learning Portuguese, and the team kinda all practiced their English, and that was a whole other journey to talk about. But, gosh, did it feel cool? I mean, the moment I would land at the airport in Sao Paulo, you you would literally walk through and you would see all these computers running windows. You would see the screens, you know, that were projecting the next flights, like running windows. And they're like, oh my gosh. We are sort of everywhere.

 Aaron Painter [00:06:47]:
Like, we are foundational in how people do things. And then it became very real because one of the first projects I had to work on in running Windows was a a time zone. It was like a daylight savings change that the government had requested. And we were sort of on this crunch with with engineering to say, can we update Windows to reflect this daylight savings time change that the government requested? And if not, sort of would it be like, you know, the year 2000 issue? Like, would it bring the Brazilian economy to a standstill if we didn't get this patch right? And it just again underscored your point, the importance and the reach you sort of had with software at that time. And this was obviously things that really accelerated and software under undermined so much of our lives and businesses today, but I I really felt it in a a very visceral way at that point.

Michael Berk [00:07:33]:
How does it make you feel?

 Aaron Painter [00:07:37]:
Res like, a huge sense of responsibility. And you're like, hey. We have to get this right. We have to be really responsible in the code and what's built, how it's shipped, how it's maintained. And, you know, Microsoft's attitude towards open source has certainly evolved over the years. But in those early days in particular, that was kind of the ingrained feeling of Microsoft was, hey. We have a responsibility by making software that people rely on, meaning we need to be investing in updating it, keeping it fresh, continuing to make sure it's secure, like it's having the features and the requirements that people need. And the early feeling was commercial software providers were best equipped to do that rather than rely on an ecosystem of people that were sort of contributing a voluntary way.

 Aaron Painter [00:08:18]:
Obviously, now we see enormous benefits in open source software in a lot of places, but I think Microsoft always really felt that responsibility around commercial software that if we were gonna make something, gosh, we had to do a really good job in keeping up to up to date and current, and sometimes maybe we did that better than others. But we had this sense of responsibility that people were relying on us. And, like, anytime you're in sort of a leadership position and people are relying on you, you take that really seriously.

Ben Wilson [00:08:45]:
Yeah. And when you're a market leader to that level I've noticed this in Microsoft products in particular and and, like, in the office suite. A lot of times, you know, they got there first, like, in a lot of this stuff. Right? And then you see maybe a year or 2 delayed that your competitors or people that are attempting to compete or even, like, similarly sized companies that are out there, and they're like, let's let's see if we can go after a little bit of this business. You see them just copying features to the point where it looks slightly differently, but underneath, like, the back end code is almost identical. Like, the the functionality is almost identical. What was your take on seeing stuff like that over the years where you're like, okay. I see see what you're doing in Google Sheets.

Ben Wilson [00:09:40]:
This is a online Microsoft Word. You know, it's basically 365 with a a extreme subset of features, but you start seeing stuff like the format painter, which that was a Microsoft thing. Like, nobody else had that, or if they did, it didn't really work. Not like it does in in all the Microsoft suite. Then you start seeing that bleed out into the into competing products. What's your what is your take on that? Is that a measure of success? Like, hey. We got this product right because people are copying it.

 Aaron Painter [00:10:10]:
In some ways, there's always sort of flatter here on that, and they could argue the same thing that if people are pirating it because they like it. If they like it so much, they wanna use it even if they don't wanna pay for it when there are other great, let's say, open source or other free tools they could be considering. Yeah, that means you kinda got something right. But it's I think in the early days, Microsoft had this really great think tank around collaboration. And what does it mean to create collaborative, you know, productivity based software tools. And Microsoft was early in that. Google then became sort of one of the first larger scale competitors in thinking about, oh, well, we can reinvent it with Workspace. And what does it mean to collaborate in a document a new way or to do email in a new way? And that was actually kind of exciting.

 Aaron Painter [00:10:51]:
And and look gosh. The last 15 years in particular, you see the rise of Slack and then during the pandemic, especially so many new companies that are now really innovated in this productivity space. And there's a lot to be learned. Like, innovation certainly doesn't only happen in one place or one company, but there was this period where Microsoft was kind of early in really thinking through what productivity software, productivity tools meant. So, Michael, to your question, it was also interesting, you know, as Google started getting bigger in their productivity suite, we had to think about how to go to market in different ways and engage with customers around that. Because Google was growing those sales force, and they were talking to big enterprises and why they should move to Google and kinda drop Microsoft. And as Office 365 then was starting to come together and integrated cloud services overall, we we realized one of the big learnings was we sort of would lead with what's new. And so if we went into a customer engagement and said, hey, we wanna talk to you about the cloud and how Office is moving to the cloud and hear all the benefits of that.

 Aaron Painter [00:11:48]:
Oftentimes, customers would say, wow. I I didn't know Microsoft was doing this. Maybe I've heard a little bit from Google, but, wow, it's so exciting to hear you're doing this. But, actually, I'm not ready for it. I wanna buy on prem still. I'm not quite ready to move to the cloud. I don't want my my emails looking somewhere else. I wanna know where that server is, and I wanna maintain it.

 Aaron Painter [00:12:03]:
Okay. And we'd say, that's fine. You take your time. But by leading with what was new, it sort of it actually got the deals done for the traditional on prem stuff as well. And then eventually, licensing evolved, and if you bought 1, you kinda had access to on prem or in the cloud. But it allowed us to sort of deposition in a way, really cleverly actually circumvent what Google was trying to do in penetrating with enterprises because customers knew they'd heard from us. Oh, Microsoft does that cloud thing too. I'm just not ready for it.

 Aaron Painter [00:12:30]:
But, actually, I also know I have the licensing rights to move to it when I'm ready. And I think that was sort of this big moment that allowed 365 to grow and, frankly, Google not to quite take the enterprise mass at that time that, you know, they might have wanted.

Michael Berk [00:12:44]:
That's super interesting. I would expect there to be some trepidation from customers if you overwhelm them with new tech, but they actually liked it. They said they they felt comfortable and were like, alright. We'll use a less advanced stack and know that we can go to this more advanced stack should we choose, and they they like that flexibility.

 Aaron Painter [00:13:02]:
Yeah. They might not have we might not have pitched as less advanced, but on prem versus in the cloud, for sure. You know, another interesting thing we found in, I got very involved in college and MBA programs at Microsoft. And what do we do? How do we find new people, new talents in the industry, and bring them in? And how to help make them successful. So I got really involved and kind of be the business leader for our college MBA hiring, for example, across Asia later on. And one of the things we started experimenting with was where do you put new grads in roles that are also been really hard or with really important big customers. And we started to learn that if you put people in kind of front facing roles sort of selling cloud, they were highly incredible. You know? So if you brought someone who said, hey.

 Aaron Painter [00:13:45]:
I'm kind of a digital native. Like, I've grown up using these cloud tools. Let me tell you, big enterprise customer, why, you know, Microsoft in the cloud or Office 365 is is great, and here's what it does, etcetera. People really trusted that. Like, they were actually more credible than, at that time, someone would be like, oh, no. I've been working in on prem for a long time, and let me tell you, you know, don't worry about this cloud thing. Actually, newer grads or people early in their career were highly credible to talk about what was new and why cloud mattered. And so it it actually helped us kind of symbol symbolize that to our customers, and think, help bring credibility and allowed some of those people early in their career to have incredible impact very early on because they represented sort of what was new in the transition we were trying to make.

Michael Berk [00:14:28]:
That's fascinating. That's super cool. I I that sorta makes sense. Like, when you bring in the seasoned data engineer that's done 30 years in on prem. Like, yeah, they can compare and contrast for sure, but maybe buzzwords flow less naturally or something. That's that's super cool.

 Aaron Painter [00:14:47]:
Rooms for diversity, but it was very, very helpful having that kind of the new voice to the table. And most importantly, it felt new grads that gave them confidence. Right? They're like, oh, just go in and be yourself. Just talk about how you use tools and how you interact with software and how you think about productivity. And it was very authentic, and customers knew that and they felt it. And having that voice at the table in addition to others really made us more effective.

Ben Wilson [00:15:12]:
Yeah. I remember, and what was it? It was about 15 years ago. I was at a very large company and heading up the, like, the dataset, like, the data science group there. And we were needing to migrate to a much larger, data storage tech stack. This is pre Spark. This is Hadoop days, like, right around when Hoot first got launched by Yahoo. And we're like, well, we don't wanna manage this whole system ourselves. We built a prototype, but it takes 4 people, like, 24 hours a day just to keep this thing running.

Ben Wilson [00:15:50]:
So Cloudera reps came in. And I remember there was there's a guy who is, like, his mid fifties, and he'd been doing on prem stuff forever. Really knowledgeable IT, like, Linux admin type guy. And he was just like, yeah. You know, I know that, you know, people are talking about running stuff on AWS. You know? I don't know about that. You're gonna wanna keep it. You know, buy a big server here and the the farm will live fine.

Ben Wilson [00:16:22]:
And then there's this this young recent college grad who's, like, 24 years old. He's like, nah. I think cloud's gonna be the future. And he was, like, listing out the reasons why. And everybody just started listening to the the young guy, because he was like, oh, yeah. I interned at he was actually interned at Microsoft, and a couple other companies. But he had more street cred, just because of the fact that you'd been exposed to all that stuff. And then he asked the the older guy, like, how long you've been at Cloudera? He's like, oh, this is my first month.

Ben Wilson [00:16:56]:
What did you do before this? Oh, I worked at IBM. I'm like, okay. So, maybe you don't know what too much about cloud.

 Aaron Painter [00:17:05]:
It's one of the best piece of career advice I got early on was actually this guy, Jeff Rakes, who at the time ran the office business, and then went on to run the Gates Foundation and other things. And, you know, he sort of said, like, fix yourself to something that's automatically growing. Because then no matter how good you are, like, it's already growing, and you will just make it grow better and faster.

Ben Wilson [00:17:25]:
Mhmm.

 Aaron Painter [00:17:25]:
And, obviously, I spent a lot of time in emerging markets that aligned really well to that. But I think today, in particular, when you think about AI, like, that's a natural area for people, you know, early in their career. Like, yeah, it makes a lot of sense to attach to an AI motion. Like, that area is growing where we have so much innovation happening. This is clearly going to be such a core part of our future. Like, attaching yourself to something that already has momentum behind it means you're you're going to grow. The only question is at what rate or how much. And that's why I get so excited when I see people, you know, newer earlier in the career particularly jumping into AI right now because I think it it poses well just for for industry as a whole.

Ben Wilson [00:18:03]:
I've seen even seen in companies that are doing have, like, sort of established products that are starting to embed, you know, large language model functionality, and you can kinda tell who's got that entrepreneurial spirit even at an established company. Exactly as you said, like, what you were doing at Microsoft in building those emerging markets. You can like, I I see it in Microsoft products now, because the culture's definitely shifted towards that, I think, particularly in the in the Azure business. Or it's like, they'll be early. They'll ship something. And, you know, we have meetings with, our our compatriots on the the Azure ML side, and they'll tell us, like, yeah. We're shipping something early. It's not not super great right now.

Ben Wilson [00:18:45]:
We're fine with that. We wanna learn from it. And then you see, you know, people kinda kinda dunk on something at first. They're like, oh, this this kinda sucks. It doesn't really work real that well. And then you come back 6 months later and talk to that same person who is who's trashing that product, and you're like, hey. Do you use that thing? And they're like, I I use it every day. It's so good.

Ben Wilson [00:19:06]:
And it it's interesting to me seeing that epiphany that happens with that change when an entrepreneurial focused enterprise software company, it puts that risky move out there first in order to learn and get feedback and iteratively improve on a product until it's it's so good you can't not use it. And then everybody's just like, yeah. This is great. Compare that and contrast that to some products that'll hold off and wait until they have something that's really good and then try to launch that. And they're so late to the party, nobody cares anymore, or they just do the quick thing. Like, everybody's doing Gen AI. We need to get something out there. They they get a tiger team of engineers to work on a prototype, basically, ship it, and then never update it.

Ben Wilson [00:19:52]:
And everybody's like, yeah. That that that service sucks. It's like, look at how Microsoft or AWS or Google has, like, surpassed them over time. How do you, from your perspective, instill that in a team of engineers and product people to think like that, think like an entrepreneur in a big company like Microsoft?

 Aaron Painter [00:20:15]:
I like to focus a lot on what the use case is. In some ways, like, in the broadest sense, you might think of it as the app. You know? And when I spend a lot of time at, you know, Cloudreach, which is working with large enterprises and how do you move to the cloud, and what does it mean for your business? How do you transform? I spent actually quite a bit of research time thinking about the early adoption of other major mediums like electricity. And, like, sort of what made electricity get big? Well, electricity actually was a huge infrastructure layer, so to speak, that added value, but it was the apps that you put on top of electricity. First, it was the light bulb. Eventually, coincidentally, it was companies like RCA and then eventually General Electric and, many other industrial conglomerates we now think of that exist. Basically, they created apps. They created the television.

 Aaron Painter [00:20:59]:
They created the radio. They created things that allowed you to plug into what electricity had enabled. And so and you didn't go and say, oh, I wanna buy electricity. You said I wanna buy a radio. Oh, yeah. Okay. That uses electricity. I'm glad I have electricity, and I pay my electric bill.

 Aaron Painter [00:21:13]:
And in a way, cloud actually felt like the next evolution of that, and it was like electricity. It was sort of this utility that got created, but what are the amazing things you can do with it? And then when we started seeing, okay, Microsoft 365, Office 65, or, you know, other collab tools. Oh, wow. My documents sync across things. Or, wow, I can access this from multiple browsers. Those sort of apps, those pieces of software that were using it were better because they were using cloud technologies for sure. But AI, it's one of these things. I mean, you both know so well.

 Aaron Painter [00:21:44]:
People have been in this field and the machine learning generally for for decades. And, you know, so often I meet academics who now were like, gosh. I've been in this for a long time, and now suddenly I'm popular. People wanna work with me, and they want me to be advisors. They want me to help with companies or come start companies. And Chat GPT for me in many ways was sort of that first app that made the power of certain large language models and then elements of AI more mainstream and something that people wanted. And it's now driven even more usage and consumption of the underlying technology. And so as you see it in in products, as you see the benefit of LLMs, the benefits just of AI technologies pop up in more and more products, It's it's driving the use of electricity.

 Aaron Painter [00:22:24]:
It's driving the consumption of cloud, driving more data center construction and build. But it's it's because someone's trying to say, wow. It's so much easier if I can write this email and it does this. Or if I can, you know, have something write an article for me or create this creative work or, you know, as AI infuses in these products, we're seeing, like, applications for the technology. And that's what people get excited about, and that's what they buy. And then we we all get to think about how do we architect and engineer underneath it to make it happen. But I it's those end user use cases to me that really drive the sort of the right sets of behavior.

Ben Wilson [00:22:57]:
So if we were taking this analogy to a different place about you mentioned oil earlier. Would you rather be the oil company drilling for oil in the Gen AI space, Or would you be rather be the refiner or the the the owner of 10 gas stations? So 10 gas stations would be, like, 10 killer apps. The refiner would be middleware that's making, you know, fine tuning possible and orchestrating and and serving models and and all that stuff. Or, you know, the the oil driller would be research institutions like OpenAI. We're trying to further the the technology. Where do you think the money is and, the most effective, like, expenditure of time and resources for a company?

Michael Berk [00:23:50]:
And wait. Let me add a 4th category, which is the oil drill manufacturer.

 Aaron Painter [00:23:58]:
Yeah. I

Ben Wilson [00:23:59]:
TensorFlow and PyTorch.

Michael Berk [00:24:00]:
That's a great

 Aaron Painter [00:24:03]:
question. Great some analogies. I, I think a little bit depends on who we are in the equation. And and partly, it may be a little bit complex to say, but I I do think like we saw with oil, there are enormous economies of scale. And so we ended up seeing large companies, hence the concept of a monopoly and, hence, Standard Oil even is probably the best example, that when you start to bring in the power of, all of those things, whether you're making you own the train tracks or you own the barrels that the oil is transferred in or you more and more of those pieces you own, the more you can make the experience, operate more efficiently and frankly with better economics. And so I would argue there there will be large players that have the capital to invest to go build a lot of those infrastructure components that we need, whether that's, you know, doing the drilling, building the drill bits, doing the refining. I get most excited about, sort of as an entrepreneur, and I think and and with the ecosystem and the community of just great engineers out there that we all spend time with, I get most excited about what you're gonna do with that oil, right, or what you're gonna do with that foundational tech. Because I think in that case, the opportunities and the ideas frankly are limitless.

 Aaron Painter [00:25:12]:
And in in a way, like, you like, you know, early day cloud brought us the infrastructure layer. Well, great. There's sort of we didn't really have the platform layer. It was IaaS, PaaS, and SaaS, and we always been a long time talking about IaaS and SaaS, but we didn't really talk about the the platform layer in between. And, interestingly, I think LLMs in particular are starting to be that that platform layer that maybe a few large companies have the ability to invest in and produce. But, gosh, there's so much then think about it the layer above if you can rely on that. You're no longer relying just on infrastructure, relying on that platform. And the space for innovation there is just enormous.

 Aaron Painter [00:25:47]:
So if I got to choose, I would be there. I would be, how do I take advantage of those infrastructures that are being created to go invent new things and new verticals and new solutions and new scenarios, enable things that otherwise haven't been done? That's the innovation across all 3, but I get really excited about kind of that that top layer.

Ben Wilson [00:26:05]:
Interesting. It's a great answer.

Michael Berk [00:26:09]:
Yeah. It is. But name tag sort of seems a bit lower than those end use cases. It's more infrastructural. It has at least to me.

 Aaron Painter [00:26:18]:
In name tech? Yeah. Yeah. So, you know, name tech came about because it's such a simple thing. But, yes, at the start of the pandemic, I I had a bunch everything was going digital as we know, and branches and offices were closed. And I had a bunch of friends and family members who had their identity stolen. I said, alright. This how does this happen? Like, let's figure this out. I'll be a good friend and be a good son.

 Aaron Painter [00:26:37]:
We'll jump on the phone. We'll figure this out. And we call these customer support help desk hotlines. Everybody would be like, well, before I can help you, I have a few very important security questions to ask. And they were a joke. Right? What color? What street did you live on in this year? What's your birth date? And it turned out someone had called before we did and answered those brilliant security questions and then was able to take over an account. So it sort of how is this possible in today's era of technology? How is it that, you know, we don't know who's behind the screen, let alone by where they're human or which human it is? And so we said, alright. Where does this exist? It exists, in the world of KYC, know your customer, which is like, I open a new bank account, and if it's a remote account opening, someone might ask me to take a photo of my ID and take a selfie, and then they sort of check a regulatory compliance box that I've been verified as whoever I say I am.

 Aaron Painter [00:27:26]:
Now we said, why why is it they do that, but then when you call the transact, the bank doesn't rely on that information anymore. They jump to these security questions. Like, something is wrong in this equation. Why is it not reusable, that identity verification you went through? And as we learned about it, it turns out that a 100% of the platforms, and there are a lot of them out there, that did this identity verification existed in a browser based environment. Desktop or mobile, it was browser based. And at the time when we started this 4 years ago, we actually said, well, that's just susceptible to digital manipulation. Like, in a simplest sense, like, you could literally make a PDF, you know, of your fake driver's license, and there's an upload button on most of these sites, and you would upload the fake PDF you made. Like, pre gbt being able to essentially say, here's my photo.

 Aaron Painter [00:28:10]:
Make me a California driver's license. Save as PDF. It was just too easy to manipulate that flow. So we said, how do we fix it? And so we invented this concept that if you take the same thing you did in that browser, but instead do it exclusively on a mobile device, you could have very different experience. It would be same for the end user. Scan your ID and take a selfie. It'd be faster. It'd be a bit slicker because it's a native mobile experience.

 Aaron Painter [00:28:34]:
But more importantly, we could use all the modern features in a mobile phone to make the process much more secure because we could, for example, take advantage of the secure enclave. So we know that there's a cryptographic connection inside the walled garden of, let's say, Apple's App Store that it's difficult to digitally inject, right, or to manipulate some file into that flow. We know that the cameras on the device are being used for our data collection process. And then we're able to take advantage of other things in telemetry from the device, like the 3 d depth map camera. Example to say, is this person human? And we've since done a whole bunch more. But the ability to take this identity verification flow out of a browser and into a mobile phone turns out we could make it much more secure. And then, by the way, turns out we can also make it reusable. And this concept that once you go through an identity verification flow on a mobile device, we can leave an encryption key in the secure enclave.

 Aaron Painter [00:29:26]:
And then if you come back the second time, on the same device, we can say, hey. We recognize you. And one of our patents became this concept of selfie chaining. Just asking you to take a selfie, comparing the selfie to your earlier selfie and back to the government ID. And then another patent became this concept of, well, what happens if you get a new device? You know, how do we trust the new device? And we just ask you to scan your ID and take a selfie again on that new device. But so we we had to invent this new way of doing identity verification. But then it was like, there are a lot of places that need to know who's behind the screen. Where is it most precise? Where is the was the pain the strongest? And for us, we got pulled then very much into this concept of, account recovery.

 Aaron Painter [00:30:05]:
And here's what happens. In a world today where there was a reset my password button on a website, it doesn't work anymore if you add multifactor authentication. If you add MFA to an account, there's actually no longer a self-service button. It is, oh, you're locked out? Call the help desk. And if you have to call the help desk, you have this risk of basically the human who answers the phone being good enough at asking you those security questions to decide if they should unlock your account and let you get back in. And so one of our earliest customers was HubSpot, and HubSpot said, hey. You know, we're rolling out MFA to a lot of our customer base. And as a result, people are getting locked out.

 Aaron Painter [00:30:41]:
They're calling out desk. It's expensive. It takes a while. The help desk reps don't know if the person is who they claim and if they should reset the account. So we use our identity verification technology to give those help desk reps a tool. They could send a request and know who they're talking to and know if they can trust the identity of the person who claims to be the account owner and reset their account. And then they went to next step, and they automated it. And so now in HubSpot, there is actually, like, I'm a I'm locked out button, and it says you have 2 choices.

 Aaron Painter [00:31:06]:
Contact support, takes 48 to 72 hours, or click your unused name tag and get right back in. And that became the start of what are now a whole bunch of other customer journeys and employees sort of workforce journeys where we use the strong identity verification to reset and unlock accounts when people are otherwise, locked out.

Michael Berk [00:31:26]:
Cool. So is that a platform to you, or is that a end service?

 Aaron Painter [00:31:31]:
I think of it as an end service, although we call it a platform because in the concept of you can use it in a variety of different use cases. So we typically find is people roll this out, let's say, for their workforce. They wanna introduce self-service MFA resets and recovery to their company. It's a better employee experience, more secure, faster, way cheaper because you don't have the help desk call. But then companies come back to us, and they have all these other ideas. And that's where this platform element kicks in because they say, hey. People contact HR to change their payroll. HR needs to verify it's them.

 Aaron Painter [00:32:02]:
Hey. We hired new people, and we send previously, we would send a personal email address, their credentials for the first time. That's not really secure. Can we use this as a way to issue secure credentials? People call the help desk and say, oh, I wanna add access to Databricks. I'm not a user. And help desk says, well, before I could do that, I need to make sure that you're who you claim to be and you should be an authorized user. And so people find all these other use cases to put secure identity verification into their flow as sort of a step up channel, And that's been just really exciting to see.

Michael Berk [00:32:32]:
That's awesome.

Ben Wilson [00:32:33]:
Yeah. From the few times that I've seen that migration happen, like, I don't know if my bank uses your service, but it uses some of the stuff that you've explained. So So resetting the password, I remember a decade ago, it was like, yeah. Put in your PIN and just confirm that, you know, your last four of your social. I'm like, this is public knowledge. Like, you can get this information from a lot of documents that are sent to my mailbox. So super insecure. Nowadays, yeah, it's it's fingerprint scan on my phone.

Ben Wilson [00:33:11]:
It's validation of, like, like, a a time sensitive key that's sent to my personal email with that fingerprint, and it has to you have to take us, like, a selfie real quick. So maybe it is your service, but, that, like, will unlock your account. But you can only do certain things in it until you've, like, reset some other stuff that takes a little bit of time. And, like, within the the confines of work access at Databricks, Michael can tell you as well. There's a lot of steps involved in accessing any of our systems, and a lot of them are very, very locked down now. Because while you can't get a customer data per se, like, you can't see what they're doing with data, You used to, in engineering. Can't anymore, and we're happy about that. But the those additional layers of security, it's kinda one of those things that you notice in hindsight after there's no more near misses that are reported.

Ben Wilson [00:34:17]:
And we noticed the same thing when we instated all the security policy 5 years ago or something. There are all these things where people were doing white hat hacking, like, trying to assume somebody's identity and then report it to, you know, executives to be like, hey. I was able to get access to this system as, you know, the CTO or something. And then all of a sudden, it's just silence. Like, hey. This doesn't happen anymore. And there but those white hat hackers, we now have 3 times as many of them. And they're just like, yeah.

Ben Wilson [00:34:46]:
We have to find, like, really creative things to do, like, going to somebody's desk and taking pictures of of things that are on their screen maybe. And even then, a lot of that stuff just doesn't work. Do you see these services as something that a lot of people don't think is is sort of, like, sexy tech? But once they is it something that they will go out and and seek after they've had an incident, or is it something that people are like, yeah. We're we'll listen to what you guys are saying.

 Aaron Painter [00:35:20]:
It is a great question. We've had a couple inflection points in the business, and one was last August, with MGM, where prior to MGM, you know, companies like HubSpot and Reddit, actually a bunch of inner domain providers, like, they had seen this, and they had implemented things proactively. And then MGM happened, and, basically, an an employee you know, a bad actor called the help desk at MGM and said, I'm I'm an employee. I and I'm locked out of my MFA. The help desk rep did not k. You know? They tricked the help desk rep in less than 10 minutes. Help desk reps reset credentials. The bad actor went in and deposited ransomware and did all of these bad things and you know, sort of brought MGM down.

 Aaron Painter [00:35:57]:
Like, it's so mainstream now that there's a 60 minutes episode on this. And so prior to that, we were sort of having these conversations like, hey. Have you thought about the social engineering risk at the help desk? And some people be like, oh, yeah. It's interesting. Post MGM, it sort of became, no. My board of directors is asking me how I'm dealing with the, quote, MGM risk. It's unfortunate that's become, like, MGM's brand, but it's a it's that widespread. And unfortunately, the bad actor groups that targeted MGM have just been running wild since.

 Aaron Painter [00:36:26]:
And so, you know, q4 alone last year, I think something like another 230 large enterprises also got attacked in the same method that took down MGM, and this year has just been no no exception. The learning has been that MFA is only as secure as the reset or recovery process associated with it. And for most companies, the reset process is still, send me an SMS. Oh, but, yeah, I don't have access to that phone. My phone number changed, or if I'm a bad actor, I can accomplish a SIM swap because I called the telco and I said I got a new phone. They don't have a way to verify me. I transfer that phone number over to the new phone as a bad actor, and I have control of SMS. And that's the primary way even in the most sophisticated VMFA tools today is still that.

 Aaron Painter [00:37:09]:
And so what we've done is we say keep whatever you're using for MFA and, you you know, Okta, Duo, Microsoft, Entra, but let us surround it with this concept of secure identity verification when someone needs to recover. And then we reach into, you know, the Duo Okta, etcetera platform and do the reset once someone's been verified. But that became the second big inflection point. When we launched that full self-service MFA reset functionality, frankly, 8 weeks ago, it's just been it's been wild. It's it's sort of a gap in the market. It's a gap from these MFA providers. And the best solution before, by the way, went after FMGM. Okta's advice was do what they call visual verification, which is maybe a little bit it sounds like what happens for you folks internally.

 Aaron Painter [00:37:46]:
Like, let's jump on a video call or go take these photos or come into the desk and do and then we had this concept of the deep fake scammer happened in Hong Kong a few months ago. We can talk about that. But if the concept was trust whoever's on the video call and then we see examples where you suddenly can't trust who's on the video call, then even that idea of doing visual verification is expensive and manual and slow as it was, also doesn't work. And so it's, it's just it's today, this is the hack of the moment. Like, if you wanna go bring down a company, the easiest way to do it is to call and not pretend you were the one who owns an account and that you were locked out. And for most companies still, their techniques at solving that are incredibly primitive.

Michael Berk [00:38:26]:
You hear that, listeners? If you wanna bring down a full company, just call the help desk. But I had a question sort of bringing it back to a lot of the times we've just been discussing. Why did you choose this as your area of focus, and what sort of, I'm not quite sure what the word is, but what industry trends or, just directions of the entire world are you betting this brand on and this company on?

 Aaron Painter [00:38:55]:
We security and identity seem to have merged. And what we felt was, particularly in this era of kind of market trends around deepfakes, so much of the conversation is on deepfake detection, and I don't think that's sufficient. The bunch of companies have deepfake detectors and, you know, in the world of identity verification, liveliness detectors. And my trouble with that is it's an AI arms race. It's literally can my model defeat the bad actor's model in creating some sort of deep fake? And I I think that just like all battles, like, some will be lost, many will be lost. And in today's world often, even if the bad actors have created great technology, companies might not have deployed it in time. So the bad actors will often be ahead in being able to create deep fakes that are more relevant and more realistic than the tool to detect them. And so the concept is, can we use, more features that we as an industry have created than pure AI models detect deep fakes in addition to things like cryptography.

 Aaron Painter [00:39:52]:
Right? When you suddenly add cryptography and the concept of using a mobile device in the secure enclave and the cryptographic benefits of that, cryptography with biometrics, does this face match that face? With AI models, is someone, let's say, trying to take a photo of a screen or are they capturing something that's not what we intend? Suddenly, you have a much stronger arsenal to compete against people that are using AI generated deep fakes. And so that that sort of that market trend of, gosh, this growth of deep fakes, the growth of edge AI generated content will make the process of verifying someone even more difficult, and we believe that the Internet is moving away from full anonymity. I would argue that platforms have a responsibility to know who is behind an account even if, let's say, you're a social platform and you're you let people have a pseudonym or an alias. Great. But, by the way, if you don't know who's really behind that, then you actually can't remove a bad actor from the platform. You can't stop a bad actor from coming back or doing malicious things or being harassing, you know, other users on the platform. Let alone, by the way, if it's your workforce. Like, you can operate under the email alias of your company, but you really need to know as an IT department who the human is behind that screen when they're logging in.

 Aaron Painter [00:41:04]:
And so these these just meta trends we felt like aren't going away. Security is becoming more important. The best we sort of have as an industry is MFA, and MFA has this major weakness. And so that's what's allowed us to say, you know what? Let's just double down on this and, frankly, keep accounts protected. And if we can do that, we can create a just a safer Internet and and world in general.

Ben Wilson [00:41:23]:
Imagine if the current x, previously known as Twitter, and Meta's flagship product. If they had this technology to validate and do a true verified, not just this account is verified as being this person like you'd get with celebrities or whatever. But the person writing this post has been verified as being this person in this session. Do you think that would have had an impact on the political landscape of the last 6 years in America?

 Aaron Painter [00:42:00]:
I think it's fundamental. You're absolutely right. In fact, that's where we started. So we thought, hey. If we do secure any verification, social platforms need Dating platforms need it. Like, the concept that you go on a dating platform and you log in with a social login, and then if things go really well, you're gonna meet up in person with someone. And then today, the default becomes like, oh, hey. Before we meet, my pick your family member or friend, ask, can you just send me a copy of your ID? Because I'm a little nervous to meet up in person.

 Aaron Painter [00:42:25]:
Like like, that's the gold standard today. Like, there are these digital platforms where trust really matters. And I I where you're going, I I agree with a 100% with. I think the other concept people do other with deep fakes is watermarking. And a lot of the big tech companies have said, oh, we can watermark this content. So the White House today says, you know, when we release a video of Biden, don't worry. We're gonna watermark it so you know it came from the White House. Okay.

 Aaron Painter [00:42:46]:
Great. But if you wanted to do, you know, was it last week, the Mexican ambassador the UK ambassador to Mexico, the so there's a person in Mexico, and there was a video released of them holding a gun at their staff, and it was inappropriate, and the ambassador stepped down. Like but this wasn't a super high quality fake. It was blurry, like someone recorded it. That that has harm. That has impact. And maybe it was true. Maybe it was not.

 Aaron Painter [00:43:10]:
I have no idea. But the point is that you need to verify when someone submits content. And that's the role I feel like these social platforms have is you should know who is submitting this content. Then at least you can assess if the content real or not, but you'll know that there was person behind it is claiming accountability for uploading that content. And I think the social platforms today are are still wildly underserved, and they're we've we've had this lack of trust in in social networks and the information that comes from them because they are not doing a good enough job in in verifying the submitter of that content or who's behind the username on the platform.

Ben Wilson [00:43:43]:
Do you think it's only gonna take federal legislation to make that happen? Because it doesn't seem like any of them are like, they definitely have the humans and the technology to to make this happen. Like, this would be not exactly trivial for them to implement, but very doable. They're not interested in it. You know? But do you think that that's the the only thing that's gonna make this happen is, like, hey. Congress is finally gonna grow up for a moment and be like, this is a serious threat to, you know, the existential existence of our society in general. If we don't do something about this before it becomes a real serious problem? Yeah. I think

 Aaron Painter [00:44:28]:
you're seeing growing waves of regulation, particularly in protecting minors, particularly on things like age verification. Well, not quite there. I guess, generally, I'm a believer in the free markets on it where I feel like platforms have an opportunity to come in and distinguish themselves or differentiate themselves by being ones where people can trust the content, the people behind it, what submitted, other things. The other weird angle though that not surprising, I guess, but you've seen some experiments from Meta. Actually, they've done some particularly in in Australia and New Zealand around sort of this this concept, and their implementation is not yet correct. But one of their drivers for it was and they they started charging for it. Right? You can sort of have a paid verification. But along with the paid verification was better customer support.

 Aaron Painter [00:45:10]:
And that's sort of the interesting thing is today again, let's say you're locked out of your Gmail account or you're locked out of your Instagram account and it's your your business relies on it. Their methods of doing account recovery on those are incredibly difficult because, again, they don't know who's really behind the account. So if you call and say, hey. For some reason, I'm locked out. They actually have a very difficult time of knowing who's who's who it is. And it turns it to be expensive, frustrating, etcetera. So one of the drivers of the verification has been support, which I don't think any of us expected. But, again, it further emphasizes how important it is for them to, at certain moments, in that case, when someone's locked out, to know who's behind the account.

Ben Wilson [00:45:47]:
You would think that those companies who use a product like yours would just say, hey. Let's just put this into the API requests, you know, effective firewall to the to the app. And, yeah, we can get a a UI notification that, like, yep. This person was verified. They logged in via this means. It'd be it'd be really interesting to me to see how many posts would be instantly taken down from social media platforms because I know there's been a lot of conjecture out there about, like, oh, you know, 60% of all posts on these social media platforms are done by bots or or bot farms or human bot farms effectively, you know, state actors that are trying to influence elections and stuff.

 Aaron Painter [00:46:33]:
But if

Ben Wilson [00:46:34]:
they just purged all of that or if you had a filter, it'd be like, hey. Don't show me junk. You would think that the customers would be like, yeah. This I'm a I'm a true believer of this platform now.

 Aaron Painter [00:46:47]:
Well, thank you. I I think you're absolutely right. You might maybe in I like the filter concept. Maybe you trust it less. Maybe there's a room for people people to have an anonymous view and that person to be anonymous. Maybe there's even good reason behind it. But then you can have an ex you know, healthy sense of skepticism. Like, well, this person I'm a big fan now of saying, you know, person and channel.

 Aaron Painter [00:47:05]:
Like, you might have the channel might be a you know, if it's a large group text message thread and someone comes in, you don't really know who they are and they suddenly share something. Well, the channel might not be trusted and the person might not be trusted. Right? It it gives you gives you more context to be able to make those calls. But what one of the technology breakthroughs that has had had to happen to enable some of this is this concept of reverification. And the reason why even if identity verification was done in a more secure way, let's say, exists on the mobile phone as opposed to a browser, even when it's done in a more secure way, the challenge you have is how do you continually know that it's still that person without asking them every time, let's say, to scan their ID again and take a selfie again? And you kinda want that ongoing nature. I learned this from a very large home sharing platform, shall we say. Let's not call it Airbnb, but think of it that way. Where the they said goal they set out to have was, how do I, mimic the hotel check-in experience? When you go to hotel, you give your credit card, you give your ID, they check you in.

 Aaron Painter [00:48:02]:
And so they wanted to be able to have kind of a verified profile so that you the person could be trusted. The challenge was they only do it once. So now the way they do it, again, might be open to fakes and not super secure. But regardless, it only happens once. So then you get sort of a verified check mark, and this is the similar approach that x and others are taking. Oh, your account has now been verified. Cool. But if my account is compromised, my credentials are shared, someone takes over my account because they say I'm you know, they're they're me and I'm locked out, whole variety of things, then that profile, that verified check remains.

 Aaron Painter [00:48:36]:
And so you can have a verified check on your housing rental platform for years, and it doesn't actually mean it's you. It means at one point, someone went through kind of a mediocre process of trying to verify your identity. That is not enough to trust it. What you really want is, hey. I I'm reverifying this person each time. Let's say they sign in, maybe with just a selfie that we've compared back to earlier selfies back to the government ID. So we're not doing, like, a face ID superficial scan of face ID is secure, but it doesn't know whose face it is. It's comparing the face you enrolled in the iPhone to your so, again, I don't know who that is.

 Aaron Painter [00:49:09]:
But you you want the ability to reverify the person. So that green check mark, so to speak, is valid at the moment, not at a once in one time in history that happened. That's just hard to trust.

Michael Berk [00:49:22]:
Yeah. It's funny how we're getting like, trying to reverse the digital aspect of being digital. Like, I feel like we should just send a hair sample every time or something. That might do it. That's super interesting. Okay. I had one more question for you. You clearly have a lot of experience building and growing products.

Michael Berk [00:49:43]:
What are some of the tenants that you lead with at name tag that have made the business successful so far and you think will continue to make the business successful? Yeah.

 Aaron Painter [00:49:53]:
We have a bunch of values that we found really common and the people that have joined us, and we lived them. But, and they're they're important voice on on integrity and intellectual horsepower and curiosity. But sort of overriding thing that I was able to learn a lot of my time at Microsoft and other places in working outside the US, became something that I ended up writing a book about in 2017. And it was a concept of listening. And that when an employee feels listened to, they carry that to their customers. And one of the the folks who helped me realize this actually was totally unrelated. Well, they they are partly tech now, but Warby Parker, we know the eyeglass manufacturer, super cool at retail stores and online. And the culture at Warby, particularly in its early days, was, you know, when you start and you're new in the company, you you would stand up in your 1st week and kind of all hand meetings and you would share something about yourself that was kind of vulnerable and you could build trust within the team.

 Aaron Painter [00:50:47]:
But the culture was when you listen to those those reps, let's say, on the phone, they they were hunting for feedback from customers because they knew whatever they learned, their management would care, and their management wanted to listen to what they had to say. And so they felt respected because they were listened to as employees, and that meant they were out and and making their customers feel respected because they were deeply listening with curiosity to what the customers might share. And that value of being able to listen and and, Ben, I know, first of all, you had some really interesting comments around kinda what I would argue is, like, digital listening, like using telemetry and usage data as a also a method to listen. But this concept of listening is one that we've really tried to engrain a name tag. And, frankly, most of our, our innovations, our products have come from listening. It's when, you know, HubSpot CSO said to us, hey. Can I use you for this? Like, had we been like, no. No.

 Aaron Painter [00:51:36]:
No. We do this other thing. We do social media verification. We don't do help desk stuff. We would have missed that. And by listening and being open minded to that, I was like, hey. Tell us more. What are you trying to solve for? Turns out a lot of people were trying to solve for that and even more in in recent months.

 Aaron Painter [00:51:51]:
And so that allowed us to shape product. We work with a lot of big tech companies now, and they're incredible partners because they actually push us. Like, oh, hey. Can I use you this way? Oh, have you ever thought about this? Hey. We're also trying to solve this problem that we think identity can fix. And you can't take every suggestion. You can't take every feedback, every feature request. But by listening to the underlying needs that they're trying to solve for, it allows us to frankly stay one step ahead.

 Aaron Painter [00:52:14]:
Same thing with fraudsters. We see a lot of really bad crazy fraudulent activity attempted fraudulent activity, but we learn from it. And we always have a few layers above, and then when we learn from new fraud techniques that we've prevented, we at least see what people are trying, and then we invent new fraud techniques that will prevent people from trying those things in the future. And so this this concept of listening for us has really been core in just how we develop product, how we go to market, and, frankly, just how we try and behave as a company.

Michael Berk [00:52:43]:
Ben, I'm curious your take as well. But, Aaron, do you hire for this, or do you train for this, or both?

 Aaron Painter [00:52:50]:
I think it's a cultural aspect, which means when you find consistent values in people that we want them to be good listeners, obviously, in, like, an interview process. We want them to be intellectually curious. We want them to be kind and respectful to other people's opinions and still get things done. So, yeah, we look forward as a value statement when we're hiring, but, then we we kinda have to live it. And, again, it doesn't mean every piece of feedback is taken or everyone is always right, but it means, hey. Let's give this a little bit of space to be curious. Is this is there something here that we might be missing? And we spend a lot of time on sharing what we're learning. We do group product planning, for example, where we get together and say, what have I heard from customers? What have I heard from the market? What have I heard from analysts? What have I heard from the press? And we sort of all put that into what do we wanna go work on for the next quarter.

 Aaron Painter [00:53:31]:
Because each person has heard different things, and when we can share those, we find the commonalities, and that typically leads to what we should prioritize.

Ben Wilson [00:53:39]:
Yeah. With what you mentioned earlier about you're finding the latest ways that people are are doing stuff. And since your company is sort of a trailblazer in this big visual verification, You know? You can if anybody if the listeners are curious, go to the website, look at their blogs. There's a lot of patents on there, like, a lot of cool stuff about the integrations. But with, the fact that you're early into this and doing this, at the same time with the conflicts of the soon to be released extremely hard to detect Gen AI image generation, photorealistic ones. I've seen some previews of them, and they are crazy, because we're we're working on one right now at Databricks. And it's, it's truly impressive. Like, I can't tell the difference between generated, you know, high res 4 k resolution, a headshot of a person doing something, and you're like, that looks like a professional photographer took that.

Ben Wilson [00:54:44]:
Like, I can't tell the difference between that and an actual photograph. And it it's even capable of generating metadata that seems realistic. Like, what camera was it shot on? What focal length I'm looking at it? Like, okay. It says 1.8 f stop. That actually looks like what the focus of this generated content is. That's crazy. So when you detect stuff like that, it almost seems like you guys have a a potential other thing that could go down the route of something that MITRE does, with their CVU reports. You're classifying attack vectors.

Ben Wilson [00:55:21]:
It could be, like, another thing you guys get into. Like, hey. Here's a newsletter that we're publishing for the security community. We're the experts here. Here's all the crazy stuff we've seen in the last 2 weeks. Be on the lookout.

 Aaron Painter [00:55:34]:
You're you're spot on. We it's funny if we share it, anecdotally. We share back with customers. We do fraud reports often, and they find so much value in them. But we don't we haven't institutionalized that yet and gone public with some of those findings. The the the key thing, though, is I think you're right. The pace of deep fakes getting better and better at the acceleration is just is wild. And in some ways, it's really exciting, by the way.

 Aaron Painter [00:55:55]:
Like, there's I did article today. This reported this great thing on, like, deepfakes for good, And it's fun. There are all these really useful cases. You know? Just like you have one the other day on on dementia. Like, you'd imagine a dementia patient, having access to deep fakes of family members that make them feel comfortable and calm. And, you know, I mean, there there's so education, reliving historical events, being able to think about, the you know, ask a historical person the context to which they made decisions or how would they make decisions in today's world. Like, there are a lot of fun besides entertainment and media uses for deep fakes. But what we found is that and this is the time that we spend, like, to your point with WhiteHat hackers.

 Aaron Painter [00:56:33]:
Everyone gets really excited about and and we've had some let me tell you. We made the coolest deep fake. You'll never believe it. And they have you seen this tool? And they show. I said, that's amazing. How are you planning to deploy it now to to trick call an identity verification system? And they're like, oh, you know, I'm gonna. And the way that deep fakes are deployed is really important to understand, and there are typically 2 key ways. 1 is what's called an injection attack.

 Aaron Painter [00:56:56]:
And an injection attack is by far the most common way. The best way to understand an injection attack is the equivalent of, what happened in Hong Kong a few months ago. There've been more and more facts coming to light on this, so I'll say very high level. But conceptually, it was a finance controller in Hong Kong, a, quote, CFO based in London. CFO in London said, finance controller, can you do some wire transfers? This controller was a bit skeptical. The CFO said, here's a link to a video call. Why don't you come join? A bunch of us are talking about this. And turns out on that video call were a bunch of live deep fake emulators of executives in the company.

 Aaron Painter [00:57:29]:
So the controller felt comfortable and said, oh, I recognize these people. Oh, that makes sense. Okay. I'm gonna go ahead and proceed with these transfers. Few more nuance details, but that's the high level. And the concept there is is just like a Zoom or a Teams call, we have the ability to select a microphone, to select a camera. Those platforms were made to make that really easy. And so, conceptually, what you're doing is you were selecting a live emulator software that is injecting a real time deep fake into that flow, and then we trust it.

 Aaron Painter [00:57:56]:
And that is very hard to know the difference of today, when you're using video conferencing tools. So that that's basically what happens. If you make this most advanced deep fake ever amazing, the question is how are you gonna deploy it? And the main way to deploy it is through an injection attack. And so you you if it's a web based identity verification flow, for example, it's actually really easy to deploy that deepfake. When it's cryptographically sealed in the secure enclave of the mobile device, it turns out is wildly more difficult to deploy an injection attack and to trick the, you know, secure enclave of the iPhone that you are actually the camera of the iPhone. There are ways to do it, but it is significantly more difficult. And so an injection attack is the primary way. If you shut down an injection attack, you are limiting the ability to use a deep fake in those kind of scenarios.

 Aaron Painter [00:58:41]:
And that's the difference between prevention or detection and prevention. Detecting it is an arms race. Preventing it can actually be an architectural solution. The other key way that people do it are presentation attacks. And this is where you would think of it almost like mission impossible style. Like, I'm gonna wear a three-dimensional mask of, you know, someone else's face, or I'm gonna print with an expensive 3 d printer or fake ID, and I'm gonna try and hold it up to the cameras. And when you do those sorts of things, that's where, in our case, we benefit from the advanced telemetry in a mobile device to get a lot more context when we're making assessments of the information that's presented. We know it's come through our secure channel, through our secure, you know, camera capture, talking to our app, etcetera.

 Aaron Painter [00:59:22]:
But then we also get all this other telemetry data to evaluate. Most basic example might be the 3 d depth map camera on the front of the phone. Right? To know is that person three-dimensional, are they holding up a photo or video of someone? And then a whole bunch from there. And so thinking about how deepfakes are used is really important because it it actually gives me some comfort knowing that as advanced as the deepfake tools get, we can still use other tools in our arsenal to assess if they're being deployed or not. And that to me is frankly the only way to to prevent them from being used in scenarios where we don't want it.

Michael Berk [00:59:54]:
Heard. Super cool. Yeah. I think until there's, like, 3 d physical systems that well, even if you are requiring that the user device be taking the picture, that is an amazing limitation in itself. Like, they they and a bad actor would theoretically need the physical face and the physical device, and combining that is pretty unrealistic.

 Aaron Painter [01:00:20]:
And it turns out, in our case, a physical device. We do 0 trust on the devices. We actually don't rely for the preenrollment or trust. So then if it's a net new device, we just take all the advanced telemetry from the device to say, let's use that, you know, in the evaluation process. And then if it's around the same device, we will trust it to a degree, meaning we'll trust it for just, for example, a selfie on the second go. If it's a new device, then we have to we go through sort of a reenrollment device for that device. So it's sort of always a zero trust principle when you're when you're making a call.

Michael Berk [01:00:47]:
Sorry. I have one more question. I thought I didn't, but I do. What are the limitations of MFA in terms of industries? For instance, you see financial institutions using it, governments, the CIA. Where's sort of the the line of people trusting MFA as a robust security measure?

 Aaron Painter [01:01:06]:
Today, I think the guidance is pretty consistent. Like, MFA works. There are different types of MFA you can implement. You know, SMS verification is technically m f MFA, not a reliable method. So think of MFA with an authenticator app or think of it with the UB key or some, you know, device based, cryptography or encryption applied to it. But, it's not sufficient. Or then even within that, you have sort of phishing resistant MFA approaches. And most of the MFA providers today have varying degrees to which you can deploy their technology.

 Aaron Painter [01:01:34]:
That oftentimes that people haven't deployed MFA, they haven't deployed sort of phishing resistant MFA. That's sort of table stakes. In the world of security today, every account should have it. The reason why we don't is the the frustration. The user experience is actually quite poor. You know, it's more labor. It's harder to access sites. So if it's an employee's account into your corporate network, yeah, then you can require it.

 Aaron Painter [01:01:55]:
Right? When it's you're trying to access some consumer based website, you have to sort of ask, is this thing important enough to protect that it needs MFA to sacrifice to user experience friction? The challenge is regardless of what you do there, MFA and all those points today is vulnerable because of the reset and recovery process. So as if you've implemented great phishing resistant MFA or you've given a YubiKey and you have hardware device signed, then I'm gonna put in this key each time up. All amazing. You know, I after the Silicon Valley Bank issue, you know, it was last year, I remember calling all the banks, and I was like, great. The bank we work with, we care about security. I wanna I wanna tell me to understand your processes. And only one of the big commercial banks said, oh, don't worry. We allow YubiKey.

 Aaron Painter [01:02:37]:
I was like, oh, that's great. I'm so excited. I'm gonna use a YubiKey to access the bank account. And then he said, so what happens if I lose my YubiKey? He's, don't worry. We just send you an SMS to your phone number on file. And you're like, so the YubiKey is total theatrics. Like, what is the point of me having YubiKey if all I have to do is call and say I lost my YubiKey? Because anybody can call and say that they're me and that they lost the YubiKey. And so this concept of both provisioning, obviously, knowing who the account holder is, but particularly this moment of recovery, that is the weakness in MFA, and it is the weakness today that people are exploiting wildly because it comes back to this idea of social engineering.

 Aaron Painter [01:03:14]:
It's not about the technology of MFA that's safe or not. It's only as good as the the help desk rep who gets the call and their ability to sort of be the identity interrogator and the frontline to assess if your account should be reset. That is insane to me that that's the security of all of our infrastructure across all industries, relies hopefully on MFA. And then if it does, it relies on that help desk rep taking the call and doing a good job with that. It's scary.

Michael Berk [01:03:40]:
Just to double down on the question, what where do you see name tag stopping being used in terms of severity of security?

 Aaron Painter [01:03:50]:
Oh, today, we, we are a significant step up, method from what exists. And so, the people we talked to are in that full spectrum. Our proxy simplest way, today, if someone's implementing MFA, we feel like it's an account worth protecting. So then they're a good match for us. If, let's say, you're accessing your, cnn.com, Fox News, New York Times, like, I don't know. Those accounts don't have MFA. Like, does it matter if they do? I don't know. Good debate.

 Aaron Painter [01:04:16]:
But, you know, your bank account, your Internet domain name, your insurance policy, like your corporate email, yeah, those matter. So for us, they're great proxies. We then, though, have a lot of other interest from very highly sensitive security organizations and, you know, government oriented organizations that that care and need a solution for remote. So when you get into the military, you know, it's kind of a bit of a cat card in the US. Like, you actually have a physical card, and you have insert the physical card. And by the way, often if you lose that physical card, you have to go in person and get it. Or you operate in a secure environment where there's no Internet access. Alright? And so therefore, you're not gonna use a mobile phone.

 Aaron Painter [01:04:53]:
So those kind of become environments that have solved it in a different way. But if you're a military family member who's accessing something and you're not you're off base and you need remote verification, actually, the the best thing on the market is is us today. You know, short of going to that physical place and getting something new again. In the remote sense of verification, we just we just happen to have sort of the cutting edge approach right now.

Michael Berk [01:05:15]:
Right. Well, in summary, we talked about a lot of really interesting things. Some things that stood out to me, 1, pitch what's exciting and new, but make sure you also meet the customer's needs. And if you have newer employees, specifically new college grads, typically, they're better at pitching the cutting edge digital native type of thing. Align yourself to products and fields that are growing because even if you're not very good, as long as you can stand on the surfboard and not fall off, you'll be riding the wave. LLMs are similar to a platform layer. And some cool uses for MFA included content publishing, specifically for social media like Facebook posts, and then also securing the password reset. And finally, when an employee feels listened to, they listen to customers, which gives leadership better information, and it makes your organization better at decision making.

Michael Berk [01:06:01]:
So, Aaron, if people wanna learn more about you, book, name tag, where should they go?

 Aaron Painter [01:06:07]:
Well, 1st great summary. Thank you a ton for having me on. We try to make a bunch of content in the space and just stay on top of developments and news and things like that, particularly on LinkedIn. So check us out on LinkedIn, on the web, you know, getnametag.com. Feel free to reach out or connect with me personally. I just love hearing from folks, especially people that love AI, people that wanna engineer great solutions in this space. Like, I'd love to connect.

Michael Berk [01:06:29]:
Alright. Well, thank you, Aaron, for joining. Until next time, it's Michael Burke and my cohost. Ben Wilson. Have a good day, everyone.

Ben Wilson [01:06:36]:
We'll catch you next time.
Album Art
How AI and Deep Fakes Are Transforming Security and Customer Trust - ML 160
0:00
01:06:42
Playback Speed: