RMX PARLEY: Shahid Mahdi on Cybersecurity in Web3
Joe Therrien Kelly
March 15th, 2023

I sat down with Shahid Mahdi (an expert in cybersecurity and cybercrime) to talk about infamous hacks and breaches, the intersection of blockchain and energy technology, how to protect yourself in web3, how crime shapes culture, and much more. What follows is a transcript of our conversation along with the corresponding audio.                                                                                                                              -Joe



JOE: Hi. I'm Joe. At RMX, we're all about bringing culture to the blockchain. For this series, we're going to be talking to some of the best minds in Web3 about what excites them in the culture. Today's topic is cybersecurity within the blockchain universe, and we're talking with Shahid Mahdi. Shahid is a product manager EnerKnol, a market leader in energy intelligence. EnerKnol’s signature product is the EnerKnol Platform, a comprehensive software solution that aggregates all public regulatory, legal, and investment information within the energy, ESG, climate, and environment space and consolidates it into one centralized software solution. Shahid is also pursuing a second master’s in cybercrime and cybersecurity at NYU’s center for global affairs. Shahid, it's great to be with you. Let's kick off with the big picture. What are some trends you're seeing and eternal that could relate to blockchain and crypto in general?

SHAHID: Joe, great to be here. Absolutely. So I can dive into some of the high-level regulations we're seeing across the country at a federal and state level.

So interestingly, I think like all good things, crypto and blockchain has been the subject of a lot of regulation at the legislative and utility level. Interestingly, at the legislative level, it's more to do with some of the financial provisions to safeguard customers, especially in light of things like the FTX debacle that we've obviously all been paying attention to. But I think a big part of it comes down to this notion of repudiating crypto and blockchain away from any kind of association with financial crime and more as just a common instrument that everyone can really participate in.

Obviously, EnerKnol has a slight focus on energy, and a lot of energy companies are trying to leverage blockchain technology to, again, just facilitate their operations. You don't really see energy companies using cryptocurrencies as their kind of lingua franca as of yet, at least. But definitely, there's a lot of interest at the, you know, to bring it back, a lot of interest at the state and federal level regarding how to, you know, just leverage this technology in the future because they know it's here to stay.

JOE: Sure. I'm curious, what do you think is the benefit of blockchain or crypto regulation and rulemaking? And if - whether or not you think the U.S. is going in the right direction, it seems like they're legislating the heck out of a lot of crypto right now. You think that's the right move?

SHAHID: Interesting. I think it's probably well, here's the thing. So again, I think any good thing becomes regulated. We'll see it with artificial intelligence and machine learning models, too. I know we'll maybe chat about ChatGPT and Bard and all that later, but the thing is, I think there's an inherent tendency in the U.S. to regulate anything so that it just abides by some kind of governmental standards. Now, I'm sure if you espouse, like, a kind of “Wild West Internet” libertarian approach, you're diametrically opposed to this because again, you believe in this future in which everything should be decentralized, there should be no kind of centripetal authority that administers all this. And so the U.S. has been pretty quick to act upon regulating blockchain crypto by mainly through this BSA called the Bank Secrecy Act, which works with FinCEN. FinCEN is essentially like a financial crimes network that specializes within cryptocurrency. And of course, I can share some anecdotes with you later. Now, the FTX dilemma is probably going to incur - in the same way that, you know, let's say Enron or Colonial Pipeline, which let's get into - the FTX thing is one of these watershed moments that now will probably awaken the entire legislative and financial system to further regulations within the space, because now there is this entire notion that, okay, well, FTX was again like the symbolic Enron, where people who trust these kinds of charismatic messianic figures like Sam Bankman-Fried with their money are making the wrong thing. So it's kind of moving in the wrong direction. And I think it's a good move at times to just avoid this, you know, Dutch tulip style bubble, in which I know a very entertaining story that had a lot of trajectory on the celebrity front was, you know, people like Kim Kardashian and Justin Bieber being sued for essentially having their own stabilized coin that due to their celebrity, they'd pump up. And then, you know, obviously, they had the power to just sell it at their will, which is no different from like a kind of Jordan Belfort-style pump and dump scheme.

So all of this is to say, I think, you know, it's such a multipronged issue and I don't think the fix to them is going to make crypto go away or Blockchains go away. I think a lot of especially some major banks actually really embrace blockchain specifically more so than they do crypto. So but point is, I think that with all good things will be regulated and we'll see it just increased tenfold.

JOE: Sure. Yeah. I mean, you mentioned FTX, which is obviously like a violation of trust between CEOs and the community around them. I'm wondering, though, like more specifically if you think there are big concerns regarding cybersecurity, not just individual actors and people making kind of dodgy financial moves with their companies 0 I mean, that's going to be a problem in web2 and web3 - but just more specifically, cybersecurity within web3, and with all the transparency you get with web3-

SHAHID: Yeah -

JOE: -if you think that's ironically a good safeguard, given the integrity of, like, the ledger or something just your thoughts on that -

SHAHID: - Yeah, absolutely. No, I think I think integrity is a great word to thematically set it up because a large part of the promise and the lucrative nature of blockchain and crypto, etc., is this notion of authenticity or integrity, as you mentioned and I think now that is also the inflection point through which a lot of hype sort of happened. So one industry kind of buzzword that actually a lot of legislation at EnerKnol that we see, as mentioned, at least in quotes, in a colloquial way is this idea of “cryptojacking” in which you can just, in the same way that you'd find a vulnerability within your, you know, this logic software we’re recording on, or Google Chrome that you have to keep updating. You know, a lot of adversaries have been able to hack into a blockchain bridge or a blockchain ledger or redirect a wallet to essentially obtain funds for their own advantage. So it sounds pretty comical that this breakneck technology and this web3 world is actually, we're finding, pretty prone to the same vulnerabilities and exploits that the conventional, you know, let's say web2 world was was privy to.

Now, I think it is a rose and a thorn in terms of the decentralized nature of things where. Okay, you're accentuating the transparency and the ability for more stakeholders, good and bad, to come into the arena. But it's important to realize that this is all still very much in its infancy. You know, the story of, shifting gears to A.I. for a second, like the story of ChatGPT and Bard or - excuse me, specifically Openai's ChatGPT reaching a million users within, like, five days. I think we lose track that the level at which developments occur is so rapid that we lose track of how young this all is. And so now I do think a lot of cybersecurity firms like Mandiant is a big one, SirTek and Proofpoint. They've redirected a lot of their resources and attention to the blockchain world because they know there's just, frankly, money to be made. But whether heightened transparency is a safeguard. I'm not sure it is only because, again, I think people, good, bad, and ugly will all rush to this blockchain arena as an advantageous place to do their bidding, whether that's to steal money, whether that's to take advantage of NFT forgeries, which, of course, we'll get into in a second. In the same way, I think it's kind of a facsimile of the Internet where you can use it for good or bad. But there's just this uncertain new world of decentralization that I think we're still trying to understand the benefits and the cons of.

One quick story that I'll also share, which comes to mind is the story of Colonial Pipeline. And I and I mention that because I think that was an interesting watershed moment for blockchain and cryptocurrency on the national level in terms of a cyber hack. So, Colonial Pipeline, long story short, is a very significant oil and gas, oil and natural liquefied gas excuse me, pipeline that runs through a large part of the East Coast in May of 2021. They were hit by this ransomware attack, by issued by this provider - a ransomware as a service provider, they call it - named Darkside, originating from Russia. And essentially what happens, which it's pretty scary, is that your methods will pop up on your computer saying, look, you have to pay us $5 million in crypto and usually in Bitcoin by X date if you don't pay by x date, it'll triple. And until you do this, everything will be locked. If you fail to meet the timeline, everything on your laptop will be deleted.

Now you can imagine what kind of panic this causes in a large, substantial corporation, which, you know, thousands of employees have their personal and financial information locked within. Then the other aspect of all this, which, and again, we can get into the story further, is that it really cemented the idea that ransomware adversaries want to use cryptocurrency as their language, as the ways in which to receive money. Now, a lot of the experts at the government level was able to actually track down the payment and actually pay Colonial Pipeline back. But the funny thing is the price of Bitcoin had actually fluctuated so much between when it was stolen and when it was paid back that the same amount of bitcoin was exchanged, but when they got it back it was only worth 2 million. They paid 5 million.

JOE: Yeah

SHAHID: And so that - I'm rambling on. But that's I think the volatility of something like that.

JOE: Sure. I mean, with Colonial Pipeline, maybe you could just for our listeners talk about why these ransomware groups try and receive compensation through, you know, bitcoin or other cryptocurrencies.


JOE: And maybe you could even explain exactly what a ransomware group is and how they function and operate -

SHAHID: Yeah, sure.

JOE: Just to give a little more clarity.

SHAHID: Absolutely. So I can start there. Ransomware is kind of what it sounds like on the turn. It's essentially a form of malware. Malware is just a technical term for any virus that is promulgated onto someone else's device and which it will, again, as I briefly mentioned earlier, it's going to encrypt all your files or lock everything on your computer or on an information technology network and say, ‘look, you have to pay this amount by this date. If you don't pay it, the amount I'll triple if you don't pay it at all, will either A release all your information, you know, to the public domain or B, simply you just delete absolutely everything.’ And so ransomware has become a real weapon of choice for a lot of attackers. I think it inhabits a lot of the key qualities that a cyber adversary would like in the sense that it's pretty easy to launch. All it takes is a simple exploit within a system or a simple, you know, hacking into Joe Kelly's account and getting into, you know, his Google Docs or RMX or whatever.

JOE: Yeah.

SHAHID: So it's very easy to launch. It also has, I think, just this level of scary notoriety to it where it's not it's quite simply just like stealing your files and sending them out. It's, you know, locking your entire system, causing panic, trying to make a statement that will eventually, you know, trickle out into the public sphere. And, of course, so many companies, from logistics to trucking to electric vehicle manufacturers to anything under the sun, ransomware is by far the most prolific adversary that's gone after all these industries, because they know so many of the operational technology systems that these companies are working with, especially like, you know, whatever UPS or FedEx, like some kind of bread and butter, simple function companies, their systems are probably really outdated. And so it's really easy for a ransomware group to get in there. Now, the ransomware groups are also interesting because they kind of abide by a code of ethics where I know Darkside in particular, which, by the way, is no longer around because I think the US government, you know, really cracked down on them, or at least they claim to not be around. The code of ethics they abide by is like we don't go after hospitals, we don't go after schools, we'll go after companies that can afford to pay us. So obviously, Colonial Pipeline is a multibillion-dollar energy administrator that has, I think, you know, 400-500 million dollars a year in revenue. And so they will go after companies. They know they can pay them, but they have this they are trying to espouse this Robin Hood mentality of, you know, we're taking from the rich and kind of distributing it to, you know, what have you. And we have this in the same way that I think hacker groups like, you know, like anonymous, like they believe they're on some moral mission to remedy the, I don't know, capitalist ills that have permeated through society or what have you. So. And then I think the last thing I'll say is that I think, yeah, they, they've espoused the bitcoin and the crypto world because I think as many people know you know and crypto first came around in 2010 after - from this, you know, mythical Satoshi figure who invented all this, whether it's a group of people, whether it's one person we don't know, it was actually used for for the dark web. It was used to like buy guns and, you know, exchange drugs. And it didn't have a good association. If it did have a good association, I'm sure a lot of us would be very well off because a lot of us probably would have gotten into the game a lot earlier. So I think when you trace the history of Bitcoin and crypto, it actually has this funny link between the presence of the ransomware groups and hacker groups using it for ill means and then its origins as like this murky thing that we didn't quite understand back in the early 2010s.

JOE: Right on. I just want to ask - back to the ransomware groups.


JOE: What can someone do? Like if one of these groups attacks your organization, are you meant to pay them or do you call a specific agency or authority or whatever to help you out - or negotiate with you like? Or how does it all how could that play out potentially?

SHAHID: Yeah, it's a key question that I think a lot of companies don't ask until they're getting the hacked, you know, the heck hacked out of them, the hack-

JOE: The Hackening.

SHAHID: Yeah, the Hackening, and essentially what you want to do is, unfortunately, with criminals of that caliber. The first thing to keep in mind is that you don't even know if they're going to pay you back. So the general consensus is to not really engage in the same way that, you know, you don't want to engage with like, “you don't negotiate with terrorists” is like the kind of U.S. homeland security saying - you don't want to do so with a ransomware group because, again, they're probably operating under like a very aggressive agenda. They might themselves be amateurs. They may not, you know, they're not necessarily the smartest guys in the room. They may just be someone who took advantage of old software. What you want to do, essentially, is, if you are hit, you know, if RMX is hit tomorrow with a ransomware attack, you want to call up a reputable cybersecurity firm like I think FireEye, Mandiant Proofpoint is one I mentioned earlier. These guys know what to do and they know in a way that's not that different, like a hostage negotiation. They know what to communicate to these guys. They know how to, you know, maybe kind of counter-hack them and see and trace and see what's going on there. And a lot of the key instruments that are being promulgated by market leaders like Darktrace, that you can simply insult, you know, and get on board. And it doesn't even cost that much, especially in the long term when the cost of remedying data breaches in the millions, they'll know how to kind of track the metrics and interestingly take advantage of like the blockchain network in the same way the FBI did after Colonial Pipeline to trace what exactly is going on and how you can best mitigate it.

So you know, my advice personally and I think the industry advises to not pay the fee Colonial Pipeline for example they did pay it, out of panic - and panic is the worst mentality to be in because of course, yeah, you can make rash decisions, but I think panic also hinders your understanding of the operational situation. And what I mean by that is when Colonial Pipeline was hacked, the hackers actually didn't mean to shut off the pipeline. They just wanted to get money and get out. So they not to get too technical, but the hackers hacked the information technology system of the pipeline, not the operational technology system, the operational technologies, but switches it on and off. So if Colonial Pipeline knew what to do, they wouldn't have had to shut off the pipeline. But they shut the pipeline out of panic because they said, ‘oh, my God, like now we're going to, you know, we have to turn off everything immediately,’ like in that classic kind of cliched film thing of like pulling the plug and but again, I think if you have if you have a good education and a better understanding of the crisis that you're in because it does feel like a scary crisis, then you'll be able to make pragmatic decisions. And those are incurred by, I think, these private security companies, which are probably just going to be more responsive than CISA or the federal agencies because they are, you know, I think, just very bureaucratic.

JOE: Sure. So top of mind, two other big cautionary tales, of hacking - the stuff that comes to mind are like the Lazarus Ethereum attacks or the Opensea NFT theft.


JOE: Could you maybe speak to some of the commonalities between these stories and the Colonial Pipeline breach?

JOE: Yeah, they're anything like the uniform in these adversaries and the way they approach these, you know, these hacks. Yeah, for sure. So the two that you mentioned are kind of the big bread and butter NFT / blockchain, pertinent cyberattacks that have happened. Yeah. And I think in doing so, again, I think this is interesting because it speaks to our first question about regulation. And I think these two will be remembered in like the kind of like the annals of cybersecurity as being like the first two big hacks. And they're pretty they're, they're, yeah, they're different. There are differences in there are commonalities. The differences are. So the Lazarus theory attack it was by a North Korean hacker group. Essentially what they did is they took advantage of something called the bridge on the Harmony Blockchain Network, and they were able to through, again, a probably a very simple, easy exploit, like an outdated software or someone's login credentials being pretty weak, investable, etc., something probably really simple. Despite the, you know, high-tech nature of all this, they were able to control what is called the Multisig wallet. and again, through this idea of authenticity, were able to impersonate the owner of this wallet and then basically just kept directing large fees back to their, large fees in the form of tokens back to their wallet. And so they're actually able to get off with around $97 million worth of assets, which is actually pretty insane.

JOE: Yeah.**

SHAHID: **I mean, if you imagine like a like you don't hear of a robber going into a bank and making off a hundred million. But the point is, when this is all digital, the physical notion of it is completely circumvented. So so the key points there are they took advantage of the blockchain bridge and were able to just because they had control of the entire blockchain, they're able to just grab every kind of token they got. Obviously, Ethereum, which is a big one, but they also got some of these other random coins, like Sushi things, really tiny coins that they thought were just easy to permeate that probably just have very quick, simple, you know, fun websites that are, you know, meant for like everyone to be a part of. And if you're including everyone to be part of it, you're also including the bad guys.

So that was one story. And then the other one that I got to quickly, the OpenSea NFT theft. That's a pretty simple one. Essentially, OpenSea is this very reputable verified marketplace for Nfts, but it wasn't initially and essentially what the adversaries did there. And the details are still kind of murky about who is really behind it. If as a group of people or if it was a single hacker, they were able to basically fool through good old email phishing, you know, just clicking a sketchy link. They're able to fool a lot of users and say - again and fooling people is the industry term for that is social engineering. It's like it's a tale as old as time. It's in, you know, Leo in ‘Catch Me if You Can” is social engineering - it’s basically scamming people through impersonations or telling people what you want to hear. They were able to get folks on the OpenSea network to partially sign a contract, and then they would act as like the beneficiary to who needed - that was necessary to make that contract come to life. And in doing so, they were able to, again, just direct $1.7 million worth of NFTs to their actual, you know, holding network or whatever, whatever you want to call it, basically their own network. Now what's interesting about the OpenSea NFT theft is that the theft, unlike the Colonial Pipeline or the Ethereum one, the currency was NFTs. They stole $1.7 million worth of NFTs. Not 1.7 million dollars or what-have-you. So I think that was a pretty interesting, you know, first instance of NFTs being used as being the currency through which you steal things. Now, that hasn't happened so much since. And I think that's also interesting because it is also predicated on this idea of being, you know, again, nonfungible one of one. They are the ultimate image of authenticity almost to a literal degree.

So I think in all these stories that we've told, whether it's Colonial Pipeline or whether it's Opensea, the NFT, whether it's Lazarus - they all fall into this category of authenticity. And authenticity is actually most promulgated by the idea of blockchain, right? Because the idea is that everything's open, everything's decentralized. You can - you don't have to bow down to an inherent regulator or a governing body.

But if you're doing that, then you're you know, you're in the Wild West, so I can stop there. But yeah, plenty of interesting stories and many more as well.

JOE: Yeah, no, I'm super interested. So at RMX actually, one of our team members, Jessica Kanter, had an NFT stolen, BFF bracelet and she wrote this really incredible Mirror post about it, which you can check out, I’ll link to that-


JOE: In the show notes. And it you know, she was also talking a lot about the importance of ledger and cybersecurity and all that kind of stuff and took it as a lesson. But ultimately, I mean, NFTs are art. And like any art that people collect, it's really like a store of value as well, and as you mentioned, authenticity is so important to what makes an NFT an NFT. So I'm curious, like, it's hard to steal, say, a famous painting, that is one of one, and then to resell it - because you, people know it's stolen. I mean, The same with an NFT that's stolen. So I'm wondering about like NFTs - besides this OpenSea case you were talking about, being targeted as contraband by ransomware? What's the value of stealing NFT for a cybercriminal? Because I'm sure if it's something that is one-of-one or can be traced, I mean, it seems like it'd be hard to flip that. If you could just speak to that a little bit.

SHAHID: Yeah, definitely.

JOE: That'd be super helpful.

SHAHID: So based on a few case studies, they estimate that over $100 million worth of NFTs have been stolen in the past year. And I think I really like the covenant that you make with the actual physical, you know, conventional art market, because I think some of the commonalities, ironically enough, are still there, where you have this question of authenticity, the question of provenance, which is basically the term for like, where does it even come from and, with NFTs especially, there was so much hype and there was such a kind of tulip style gold rush towards them that I think cybercriminals knew that, okay, people will do whatever they can to get their hands on a - I don't know, a Bored Ape or, you know, one of the NFTs and maybe,

JOE: a Cursed Emoji.

SHAHID: Exactly. Because, you know, like Pokemon cards, like gold bars. And in throughout history, like, if it's a hot commodity, people want to get their hands on, especially when the entry to the market is at such a low barrier where you are - and in quite an amazing way, to just log on, you know have our wallet and go on to RMX or whatever and get one of your Cursed Emojis and boom, I don't have to go to an auction house. I don't have to call like a middleman at Sotheby's or Christie's and, you know, do this whole bidding process. And whether it's the sneaker market, whether it's StockX, whether it's, you know, all these cultural verticals that have really permeated hype and forces, I think are predicated on hype. And so people I think but social engineers and scammers found is that people will really do anything to get their hands on one.

Now, this trickles into the whole kind of black market hacking conversation in which cyber criminals knew that, okay, again, this technology is in such infancy, it's probably pretty easy to hack. And again, through pretty easy means, again, it might be phishing, it might be launching a worm, which is my favorite. I just love the name worm for a virus. But it's basically a kind of literally that crawls through a network and you know, it'll, for example, go onto your Microsoft Outlook or Google Drive for RMX and I will just keep going to other people's computers and worming its way through which I again -

JOE: Watch out for worms.

SHAHID: Yeah, you got to watch out for those worms. Worm never really has a good connotation in anything, anything digital. But, but, but again, people are willing to do anything to secure their energy and to take advantage of that low barrier to entry. Now people are willing to also pay up for the demands to get their prized possession back. People may not be you know, they may not have an amazing house or an amazing car, but if they have a Bored Ape that is such a valuable commodity to them. I know the actor Seth Green paid over $300,000 to recover a Bored Ape of his now. Well, we laugh at that, but he probably did that because he made an investment thinking that he Bored Ape - and to an extent he might be right - and is now worth, you know, or is going to be worth millions of dollars. Now if anything his might be worth significantly more because it's like oh that's the Bored Ape that was stolen, you know.

JOE: Yeah.

SHAHID: So in the same way that there's like that notoriety around the Mona Lisa because it's been stolen a lot. So that's one part of it I think the hype which I've spoken to. And then the other part is it is they want the other part of it excuse me, is that I think there are a lot of methods through which cybercriminals can attack NFTs. So one common theme we've seen is this idea of watch trading in which they will actually, through sophisticated identity means be on both sides of a transaction and they'll pump it up, you know, and then and they'll have the basically garner hype and speculation and then sell it to themselves for a really high price. It's kind of like a distorted way of short-selling in the conventional financial market too. They look to -and then, you know, I think the other piece of it that I'll speak to, just for brevity's sake, is just like plain and simple, fraud, an NFT that's not really an NFT, an NFT, that might be an image, an NFT then might come along with a certificate of authentication, which is just bogus. And you've seen it. That's a tale as old as time. You see it in the watch market, you see it in the art market, you see it in the sneaker market, anything. There will always be a demand and a market for fake goods, and it's no different when it comes to this, again, invisible clandestine world of the NFT market. Which is so interesting, considering it's all based on authenticity, as you said.

JOE: Yeah. Well, okay, so you've done an excellent job, I think, in scaring our listeners about all the terrifying things that can happen to them and worms

SHAHID: Worms!

JOE: and more of that kind of stuff. I'm wondering if you want to maybe touch on some just even just basic steps-


JOE: That web3 company employees or founders should take to safeguard themselves?

SHAHID: You've got to get the worms out first. You know, you worm it all

JOE: You gotta deworm.

SHAHID: In all sincerity. This is such an interesting thing, because some of the most sophisticated companies in the world which spend millions of dollars on tech assurance and cybersecurity, you know, steps, it all comes down to human error because you can have the most sophisticated network in the world and still be excuse me, still be prey to an insider threat. An insider threat is basically it - (laughs) - just thinking about worms again.

JOE: (laughs)

SHAHID: But insider threat is basically someone who at your own company unwittingly leads to a cyber breach. So, for example, if you guys are all in the RMX office and you know you mentioned Jessica or yourself gets an email from. I don't know, something that looks really reputable because these guys are only getting more advanced saying, “hey, you know, RMX, my name is Shahid, I want to do a podcast with you guys on cybersecurity.” You're clicking on it and boom, you've got a worm

JOE: You’ve let the worm in.

SHAHID: You’ve let the worm in! And again, it can take so many forms, it can be called, you know, one popular weapon in the arsenal is our root backdoor, which basically means it can control your computer and, like, move your mouse around from somewhere remote they can. You know, all sorts of different methods are there now in terms of the basic stuff. So my point in saying all that is insider threats like quashing those, making sure that people are educated, making sure people know what to do in terms of contingency plans.

So, you know, if the RMX server is under a ransomware attack that you guys have, you know, your file is somewhere else. You have what a lot of companies call it digital twin of your entire network located somewhere else. It can be as simple as, you know, storing it on a cybersecurity server or another, like placing it in the trust of like a Darktrace or one of these, you know, big industry players, etc.. Other things I think, come down to the, the quotidian and the mundane. Like two-factor authentication is a pretty simple place to start. You'd be surprised by, you know, every part of our life now is, is like 2FA, but like Colonial Pipeline, for example, like they didn't have it. So it was pretty easy for the hackers to just get in.

I remember the CEO, whose name is escaping me, something Blount. (Joseph Blount) He was testifying before Congress and he said, “I can assure you the password isn't colonial123” But the point is, it probably was something simple as that, especially when, you know, like 30% of people's password is password one or something like that, you know, so pretty simple steps there. But I would place emphasis on this idea of the digital twin. A lot of cyber consultancies are coming up with that and they're finding a big use case is in like municipal networks. So for example, if the New York grid goes down and Con Edison is hacked and the electricity is turned off or water is turned off, they basically have another facsimile they can draw from, they can refer to and then. In doing so, they can assure the continued flow of operations that ever, you know, your lights are on their computers charging. Your phones charging. And in the meantime, they may be dealing with like a national crisis, but you won't know about and therefore there won't be panic, there won't be stock market diving, there won't be reputational damage, which again, is like a whole other ballgame in and of itself.

So there are some steps, I think, which is to say that the ultimate steps between a web3 company and an energy power plant are not that different because everything now is on this Internet of things IT network where it's all connected so that that comes with things being smarter when it comes to things being more hackable.

JOE: Sure. So, yeah, all these companies I want to talk about. Maybe like you mentioned, it's not that different between energy companies or a company like RMX. So a lot of these companies across various industries worry that disclosing news of a cyber breach will, you know, reputationally hinder that link.


JOE: So how could we maybe circumvent this to, you know, get a further dialog or, you know, just general transparency around, like, cybersecurity?

SHAHID: Well, I mean, that's exactly right, because no matter what happens. If I mention Enron, you only think about obviously, the fraud they ran and the problems they got into. And I think it's a bit unfair because when I mentioned Colonial Pipeline, like, yes, they may have been able to handle that in a better way, and yes, they should have had the necessary excuse with the necessary cyber regulations in place to prevent something like that from happening, especially when it comes down to something as simple as education. But it's also not fair to forever castigate Colonial Pipeline as being this, you know, weak company that fell to its knees. And now, well, you know, no one has any kind of confidence in. And I think the tragedy is that, yes, a colonial pipeline is a multibillion-dollar company. But if you're like a small business and you get hacked and none of your customers ever want to order flowers from you again, that's pretty like damaging in the long run.

JOE: Yeah.

SHAHID: I know that one step that has been taken is the form of their called ISACS, which is basically, long story short, these information resource centers that public and private companies pull together to basically share knowledge within. So they exist within the financial world. They exist within the healthcare world because obviously, hospitals are a big target as well. They exist within all these different kinds of industries. And I think that that's a step in the right direction to again, just repudiate the shame out of being attacked, because unfortunately, it will just be inevitable, whether it's NYU, whether it's RMX, whether it's Colonial Pipeline, like all these pretty much every company in the world. It's like there are people trying to hack it as we speak all the time, probably. You know, Apple and Google right now are probably paying several teams in their offices, hundreds of thousands of dollars to try and hack into their networks before you do. Before they do. And if people are more curious about this, if you go to any publicly available blog of Google Chrome's or Apple's or whatever, there'll be what's called the changelog of all the patches they've made. And some of them will be pretty nuts. It'll say, I remember there's one, I think a few months ago of Apple saying calmly and casually, “Oh yeah, by the way, there was this massive exploit we found in every single iPhone, iPad, laptop, but we patched it up.” And that's interesting because they'll bring it to light after they've already taken care of it.

JOE: Right.

**SHAHID:**But again, not every company has the resources and the expertise and the in-house. You know, product knowledge to have that happen to them. So I think the ISACS are a good way to go forward. And then I wonder if regulation, again, going back to our first question, will help in terms of being discreet. I mean, a lot of the ransomware attacks that maybe happened today across the world aren't being reported because they just don't want people to know. And they say, you know, let's just deal with this internally. And we don't we have no obligation to tell our customers. Which is also a bit of a slippery slope, because then what if, you know, your information on on iPod was completely compromised and you're paying for that you have the right to know that. So. Slippery slope but I think, you know, that's one instance where regulation could really help out for sure.

JOE: So just to take a maybe step back. and go big picture a little bit. You talk a lot about how like anyone is vulnerable to a cyber attack. I'm wondering, though, if maybe more specifically is the, like, decentralized nature of web3 and maybe a company that's really like web3 native, ts that an advantage or disadvantage in your opinion? Like when combating mitigating cyber, you know, combating or mitigating cyber threats?

SHAHID: You know, in the long run, in my opinion, and I don't speak on behalf of any government agency or company, frankly, but in my opinion, I think it's probably an advantage. And the reason why I say it is because the level of transparency within the blockchain network in having this integrity-based ledger is probably just better than the alternative. I know that's maybe not the most sufficient explanation, but I do think that's a key point that I'm sure a lot of experts have heterogeneous opinions about. I think it just allows for more stakeholders, it allows for more authority to come in and help. The slippery slope, again, is whether you want to again, like if there are these libertarian digital cowboys out there, like if they want the government to come in and like interfere with their blockchain and all that, because it seems to be predicated on that, on that idea that we don't want banks or authorities or centralized figures interfering at all. So I do think the decentralization is an advantage. What remains to be seen is how authorities, you know, even like CISA, which is a cybersecurity agency at the federal level, is going to try and get their fingers in the pie, so to speak, because they I think the one thing government fears when it comes to. Blockchain and rapid technologies to develop that are maybe unbeknownst to them, is that they want to figure out how to decriminalize it and basically take advantage of it. And then, you know, again, inevitably, I'm sure they'll be there trying to figure out, and again, I'm not an expert on crypto taxation, but I'm sure they're trying to figure out ways to make that equitable as well.

So all this is to say I'm curious about, to what extent those governmental bodies will get involved and their level of intervention or interference, depending on how negative or positive that is, will influence this idea of web3, because I'm sure, you know, again, as we see EnerKnol we see so much legislation pumped out about, you know, regulations on crypto mining and you can only use this amount of power and you have to disclose this to the authority. So the regulation is happening at a breakneck speed. It's just a matter of how resistant will web3 be to welcoming that and will. You know, sovereign governments let them survive without their say or without, you know, someone being at the table to say, okay, well, you can't do that with the NFT or you can't do that with RMX because, you know, the ‘New York State Digital Act of 2023’ says that's not sure.

JOE: So, yeah, I mean. We're coming up on our time here, I want to wrap things up - I have this one last question I want to get to, and it kind of is a bit related in that-


JOE: -you're talking about, you know, putting regulations on anything that is so rapidly evolving is super difficult. And I think that's been a major challenge for web3 and crypto.


JOE: And all that kind of stuff. I'm super curious, there’s a lot of buzz right now around these language model dialog systems.


JOE: You know, most famously ChatGPT - we have Google’s Bard. I know it's a bit unrelated to cybersecurity, but while I have you here, just wondering about your thoughts on these-

SHAHID: I mean, it's certainly you know, first and foremost, it's like from a personal perspective, it's like amazingly exciting. I mean, working at EnerKnol we are above all predicated on being a search engine to help people obtain filing. So if there are APIs that Google or Microsoft are going to launch with these large language models that could revolutionize our business and which you could say, yeah, instead of searching for ‘legislation that begins with the word solar’, you can just say, you know, “hey EnerKnol, show me all like, ‘why? Why is the I don't know, New York Public Service Commission issuing a ruling on this topic.’” And it would just be able to answer that question in a very informal, instantaneous way. So first and foremost, I think it's obviously just super exciting. And I do think, you know, not to hype it up. And I know I've spoken about being cautious of hype, but it is an inflection point, not that different from the advent of cloud computing or artificial intelligence, even in its essence with IBM Watson and stuff like that. So I think absolutely huge news. What seems to be happening is definitely a bit of an arms race between Microsoft and Google. So OpenAI, which I know Elon Musk is actually a huge stakeholder in, with Sam Altman, who is a key figure at Y Combinator, one of the biggest incubators in the world. They, you know, launched ChatGPT. It was absolutely insane. And I think. The general press like, and by general press, I mean like the Wall Street Journal and The New York Times types like they were quick to say, like, okay. What's this going to have in terms of an effect on education, journalism, copywriting? Will it push a lot of jobs into, you know, obsolescence? I don't know if that's going to happen. I think there are still limitations on human nuance. I always found that, I mean, just to be somewhat related or to keep it kind of related. Like if you think about drones and warfare, you know, on one hand, you can replicate them. They don't have emotion. They will carry out their mission. They are kind of obsolete because they're programmed to do things in a certain way. But, in every case, you need a human in the loop to switch it off or to, you know, to maintain some kind of control. And I know in this kind of like Blade Runner sci-fi world, we feel like in tandem with Ray Kurzweil as like singularity theory, like has so far exceeded human capacity and did so a long time ago in terms of computing speed, in terms of, you know, ability to carry out objectives. But there's there are something kind of human that's missing in terms of nuance, in terms of correction, in terms of the ability to reflect on things, which sounds, I think, kind of intangible, but I think is an important aspect of anything that is like communicating to you. So yeah, I do think there is going to be a bit of that nuclear arms race between Google, Microsoft. I'm sure Amazon will integrate it into Alexa. I'm sure Apple integrate into Siri and it will revolutionize some labor markets. I'm not sure to what extent just yet. I don't know yet. For example, like in the energy world, if it's going to, you know, make anything particularly obsolete. And in terms of cybersecurity, I think its applications are still a bit nascent, but a lot of. Cybersecurity firms have really embraced AI in terms of their in terms like the software they deploy because they just find that they can, like, detect patterns. That's essentially what is like better art than any human ever is like detecting patterns. And so when it detects like, okay, X, Y and Z happened within seconds, it can cross that out in a way that no security officer or cybersecurity specialist on a human level can detect. So that is, I think, essentially the main advantage there.

However, I think it's still, you know, very early days. There's a lot of hype around it. I'm very cautious about things, a lot of hype, which is why I'm also you know, I've always been even, like a little reluctant. But like when crypto first came out, I mean, yeah, I'm sure some of us wish we weren't, because we'd be a little bit more well-off. But I am still wary about it. But I think it's something that I and many other people, you know, have so much more to look forward to, but also a lot to learn about what it's really capable of and what its limitations will be because it really is not perfect despite the hype. So yeah, some interesting things like in how it's changing the way we're going to search in the future.

JOE: I definitely think it will be the new way that people use search engines will be more communicative style with like yeah, with this AI. But at the same time I think it's funny, like people will Google, they Google differently these days - where I feel like most people, if they're looking for, say, a new mattress or something, maybe ten years ago you would Google ‘best mattress near me’ or something. And nowadays you're Googling like ‘best mattress near me Reddit’ because you want to see people, real people talking about this thing that you value, like these human opinions. And I think that's a huge part of searching. And it's like, well, yeah, we're looking for like specific information about. You know ‘who was president during World War II’ or something. That's something you'd Google and you want just a straight answer. But yeah, you can never replace this more human element that you're concerned about for so much of searching. And I think there will always be a place for humans in that.

SHAHID: Yeah. And I think people will naturally crave that. I think, you know, we live in these times it's like cyclical trends where. Everyone will rush towards ChatGPT and Bard and use the heck out of it and then do the greatest I can. You know, I do miss, like hearing someone's recommendation or I always am curious, like, how is it going to work with advertising? Because that essentially is what has led to Google being this multi, you know, near the trillion-dollar corporation is ad sales and I wonder like. Yes, there are already algorithmic things at play, too. To show you the mattress that you should buy or whatever. But is ChatGPT? Like to like what? What is going to be its opinion on how to like bounce ads towards you? Because if you receive an ad from Google based off your search history and then ChatGPTR it seems like do something different. Like, how are they going to reconcile that? And I think that's also weird, weird

JOEP I think it's going to go the way of like targeted ads where your whatever your assistant is, your chatbot, you're dynamic with them as you get to use this, use your same search engine more, more. It'll be like, ‘Hey, I know you're looking for a mattress and I know this is the kind of stuff you like,’ so it's going to maybe feed you like a version. It's like asking a friend who knows you for a recommendation. They know that you don't like, you know, maybe they're like, ‘Oh, I know you like a softer mattress. So, like, this is kind of what I've gathered based on your searches for soft blankets.

SHAHID: Yeah, it's true like that.

JOE: Sorry to, like, stretch the mattress metaphor beyond -

SHAHID: I was stretching the worm metaphor. Yeah.

JOE: Yeah, ‘I know you love worms. So this is like a recommendation based on that.’ (laughs)

SHAHID: *(Laughs)*Yeah.

JOE: Okay, so we're kind of running up on time here.


JOE: I just want to. If you want a chance to plug EnerKnol-

SHAHID: Yeah, sure. Yeah, no Joe you did a fantastic job of introducing it earlier, essentially, it’s his goal is to consolidate the energy regulatory universe into one simple software solution. We obviously are, as you can tell by our name, we initially focus on energy and the environment, but we're finding that based off the sheer scope of what we can focus on in a regulatory manner. We have information on telecoms, on, you know, water utilities, on obviously cryptocurrency and blockchain. So anything in the public domain where you're able to not only observe but also track and get email alerts on. So I highly recommend if anyone is interested in even just playing around with I don't know whether you're interested in energy or not - there's a completely free seven-day trial of the platform. And yeah, if you have any questions, please like I also want to offer my contact info, I'm happy to chat about anything related to what Joe and I talked about today. But yeah thanks to you.

JOE: Yeah we'll link all this in the show description. So yeah. Before I let you go, we do at RMX as part of, you know, putting culture on chain. We do a weekly list of recommendations from the team. I don’t want to put you on the spot, but do you want to share any recommendations for our listeners - that could be maybe what you're reading or watching or listening to or a product you're really into, really anything.

SHAHID: Well, the recommendation on a kind of more like the frivolous note is I'm very I've become very into the slowed down reverb kind of micro-community on YouTube, but they just take songs they do at the moment. The song is released and then they'll slow it down and add this reverb. And they always put these, like, generic animated guests that just keep going. But there's something about like, does it kind of refashion the song and produces an entirely different track? And I think I don't have to talk, but I think like one thing I do like about TikTok, at least from an external perspective and I, you know, I suppose like Instagram reels as well, is that it's kind of given birth to all these remixes and mash-ups and anything that is like sonically bringing in innovation I think is very cool. So yeah, I would definitely check out, you know, folks, if there's a song you like, just go on YouTube and type in, you know, song by artist, slow down reverb. And chances are some, you know, person has already made a version of it. So check that out. Other than that, Joe, I'll put you on the spot. What's a good film for me to watch? Because you're a good friend of mine. You're a film expert.

JOE: Oh, man. I just kind of revisited the Before trilogy, Richard Linklater. And it's just such an incredible series of films. I was having such a good time this weekend rewatching those.

SHAHID: It’s Ethan Hawke?

JOE: Yes, it is. And Julie Delpy. And it's filmed over like 30 years or so, one movie every ten years. just this progression of this relationship. So good. Great stuff, folks. Really not related to cybersecurity at all, (laughs) but it's a great, great little piece of art for you, we’re all about spreading good culture here. So. Yeah. Shahid, thank you so much for thank you for this episode. Now, of course, getting our listeners. Yeah. And I will share all the links to everything you just guys so people could reach out to you through that if they want to know more.

SHAHID: Perfect, guys. No, thank you so much. It's been an honor. And I just want to say, you know, I've been engaging with the RMX community a little bit on Geneva and all your other channels and Cursed Emojis is very cool and Yung Jake is actually an artist I followed on Instagram many, many years ago, so it's very, very cool that you guys are collaborating with him and really excited for whatever's next.

JOE: Yeah, lots of cool stuff coming. Thanks for plugging Geneva. Definitely make sure to follow us on Twitter. RMX_PARTY and support Geneva. There's a link to join our Geneva in our Twitter description. Also, all of this will be linked in the show description. Thank you so much, guys. We'll see you on the next one.

SHAHID: Cheers.



Follow @RMX_PARTY on Twitter and come join our community in Geneva.

Be part of our genesis mint! To learn more, visit RMX.PARTY.

RMX product design and identity led by Paige Libadisos and Madeline Bouton. Banner by Madeline Bouton.

Subscribe to RMX.PARTY (🔀,🔀)
Receive new entries directly to your inbox.
Mint this entry as an NFT to add it to your collection.
This entry has been permanently stored onchain and signed by its creator.