LAS VEGAS—Former presidential candidate John McAfee fears for the future of cybersecurity policy in America. But the computer security entrepreneur stills sees a world of opportunity.
He sits across from me at a table at Buca di Beppo, a link in an Italian restaurant chain here at Bally’s, which holds the biggest annual North American computer hacker conference, DefCon. Next to him sits Eric J. Anderson, who goes by Eijah in hacker circles and serves as chief technology officer of McAfee’s newest venture.
And because McAfee is a cross between Ted Nugent and Alice Cooper in computer security, a film crew is taping us.
“What’s that you’re drinking?” McAfee asks me.
I inform him of the contents of a Negroni—gin, Campari, sweet vermouth—and he orders one for himself. Anderson, who rarely drinks, orders a Bloody Mary with extra olives that McAfee tries to steal, along with a white-sauce cheese pizza.
McAfee, trained as a software engineer in the late 1960s, is best known for creating McAfee Antivirus in 1987, one of the earliest computer antivirus programs. In 2010, 16 years after he left the company he’d founded, Intel bought it for $7.68 billion. (Private-equity firm TPG is now set to buy a majority stake of it in a deal valuing it at $4.2 billion.)
In 2012, McAfee made international headlines as a fugitive of Belize, in connection with a murder investigation. And then, last year, in a quixotic bid that ultimately went nowhere, he ran for president of the United States, first as the nominee of the newly formed Cyber Party, then as a Libertarian. He eventually lost the nomination to businessman Gary Johnson.
Anderson joined forces with McAfee earlier this year, when MGT Capital Investments, recently renamed John McAfee Global Technologies, bought his Demonsaw encrypted file-sharing and communications technology. He developed Demonsaw over several years, while programming artificial intelligence on Grand Theft Auto at Rockstar Games. He left the company in January to devote his attention, full-time, to Demonsaw.
“Fire or massively retrain every employee in the U.S. government responsible for implementing cybersecurity. Seriously.” — John McAfee, CEO, MGT Capital Investments
McAfee and Anderson, who at DefCon announced that a commercial version of Demonsaw would be available in the first quarter of next year, make an unlikely twosome: McAfee has a reputation for having ingested many known recreational pharmaceuticals and for stretching the truth of his technical prowess to the point of incredulity, while Anderson is a vegetarian who neither smokes nor does drugs. He is a grassroots hacker who shies away from the limelight as he seeks to restore consumer privacy.
But they share a passionate disdain for the tech industry’s reliance on selling customer data to score big profits, and they believe that decentralized, hard-to-track Demonsaw technology is today’s answer.
In this part 1 of our Q&A with the duo, we discuss the cybersecurity policies of the two leading candidates for U.S. president, Hillary Clinton and Donald Trump, as well as the alleged attempts by Russian hackers to influence the outcome. In part 2, we focus on their mutual vision for MGT, and what they describe as their attempts to change the computer security paradigm.
What follows is an edited transcript of our conversation.
In terms of cybersecurity policy, for whom would you tell people to vote?
McAfee: You’re asking me whether I should advise you to choose a case of the measles or a bladder infection. It’s something I can’t answer for you. We’re dealing with basically two known, and at the same time unknown, entities.
Anderson: Gary Johnson, whom you said you’d never vote for—
McAfee: I’d rather deal with what’s possible. What’s possible is Hillary Clinton or Donald Trump. What’s impossible is Gary Johnson winning (barring something radical). We’ve got these two choices.
Hillary Clinton understands virtually nothing about cybersecurity. It’s very obvious, from her actions. She can’t even handle something as simple as her own email server.
“We’re walking a very fine line. If we do not include in our technology race or our knowledge race all of those tools and techniques, and everything else that black-hat hackers use and have, we will lose.” — John McAfee, CEO, MGT Capital Investments
Anderson: Hosting and managing an email server is not easy, especially for somebody without a technical background. A good leader chooses good, smart, intelligent people to act on his or her behalf. And (at least with respect to her server), she failed to do that.
What did you think about Jeff Moss and other old-guard hackers at Black Hat endorsing Clinton?
McAfee: I cannot comment on why people would endorse any candidate—what rationale, or motivation, or sort of drugs they may decide to take.
Anderson: I’ve thought about this a lot. It’s the fear of Donald Trump. It’s fear of the state of this nation, and somebody who rules with a fist of emotions and revenge, and without logic.
Sounds like you’re endorsing Hillary.
Anderson: Here’s my problem with Hillary: I’m scared of her antiprivacy stance. I’m scared of the antiprivacy stance proposed in our Congress and in the Senate. In the absence of a good choice, the only logical choice is not to choose.
That’s the problem we find ourselves in now: Do we vote for somebody who potentially could be a tyrant triggered by emotional outlash, or do we vote for somebody with no competency in cybersecurity who, along with the entire Democratic Party, has taken a variety of antiprivacy stances in the past? The problem is that neither choice is good.
McAfee: I’ll answer your question about who has the better cybersecurity policy: It’s really clear that it’s Donald Trump. And it’s only because he’s run enough businesses to understand that you cannot succeed without proper delegation, and that the delegate chosen is going to make or break that part of what you’re doing. Because he’s been watching the political chaos surrounding Hillary due to her technological incompetence, he will choose the best he can find.
If you had the ability to create the U.S. cybersecurity policy, what would be on that platform?
McAfee: No. 1: Fire or massively retrain every employee in the U.S. government responsible for implementing cybersecurity. Seriously. Our government has become staggeringly stale, run by sick, tired, old people. No one is ever fired for incompetency. And people who hire the first incompetent person are still going to be hiring the second incompetent person.
So, in all seriousness, you know what I would do? I would, here at DefCon, have 100 booths saying, “We are now hiring. We are paying twice whatever you are being paid, provided you are the best. We don’t care if you have a purple mohawk and a pierced nose, and you want to smoke weed all day long. What we care about is what can you do and what have you done.”
If you’re going to build the best safe in the world, whom do you hire? You hire the best safe cracker in the world to design it. Isn’t this the problem with cybersecurity? We’re walking a very fine line. If we do not include in our technology race or our knowledge race all of those tools and techniques, and everything else that black-hat hackers use and have, we will lose.
And how would you deal with a situation like we’re seeing with Trump, where it appears that the Russians are meddling in his favor?
McAfee: Whoever says it’s the Russians or the Chinese is either lying to themselves or purposely lying to you. How hard would it be to hack somebody and make it look like Eijah did it? Probably half the people here at DefCon could do it in a way that no one in the government could possibly figure out.
Hackers have become much more advanced than those trying to protect against them. We’re like puppets on their strings. You know how easy it is to spoof an IP address? Thousands of programs will do it. You can do it multiple times, and it can’t be traced back to you. You can make it point to anyone you want. The fact that it points to anybody at all tells me that’s not the person who did it.
“Do we vote for somebody who potentially could be a tyrant triggered by emotional outlash, or do we vote for somebody with no competency in cybersecurity who, along with the entire Democratic Party, has taken a variety of antiprivacy stances in the past? The problem is that neither choice is good.” — Eric Anderson, CTO, MGT Capital Investments
If you have the wherewithal to pull off a hack of that nature, you’ve got the wherewithal to hide who you are. Otherwise, you shouldn’t be hacking. You know this.
So when someone says, “Oh, the Russians did it,” well, that’s because someone in the incompetent government cybersecurity collective said, “We traced it back, and it sure looks like the Russians because they used a hammertoss, which the Russians always use.”
If I’m the Chinese, and I want to make it look like the Russians, I’ll learn how to use hammertoss.
McAfee: I’m not saying they’re lying. There are two ways of getting information: looking at what happened and tracing it back technically, which will never get you an answer; and being the best friend to the guy who it, such that you were sitting behind him while it was happening.
If you get it the second way, it might possibly be true. If you get it the first way, you’re fooling yourself. The very first thing anybody here—grab a random DefCon hacker—would do to make it look like the Russians is study all their past known hacks. What percentage of the project is social engineering? What percentage is current technology? Did they use hammertoss all the time, or did the use it only 50 percent of the time?
I would study that for a few months, until my mind-set became that of a Russian hacker, and I would just do what a Russian hacker would do. And I would fix the links back to all of the IP addresses of somebody I didn’t like in Russia.
The fact that our government doesn’t understand this simple concept is proof that it’s clueless. They are misleading themselves by believing that we can identify a source of an attack through the techniques that they are known to use. That’s all the stuff we can spoof.
What does a sane cybersecurity policy look like?
McAfee: You have to get better people. People who understand what the threat is. Are you trying to protect yourself from a family member, a neighbor, a government agency? Every case is different.
What does the Pentagon need to protect itself against? It’s friggin’ obvious, right? What does the Office of Personnel Management need to protect itself against? That wasn’t so obvious until 21 million records were apparently taken by the Chinese.
The Pentagon doesn’t need to protect itself from people trying to empty individual bank accounts. And what I need to protect myself against is going to be far greater than what you need to protect yourself against, I promise you. I’m a high-profile target.
What do you think the U.S. government needs to protect itself from?
McAfee: First and foremost, itself!
Anderson: The problem with cybersecurity is that it’s way too complex. Individuals need simple interfaces, like those of Apple, which made a lot of decisions to streamline its users’ experience. The underlying algorithms for cryptography, too, are extremely complicated. I’m not a cryptographer. I’ll never be a cryptographer. But I can use crypto correctly.
We need brilliant engineers to convert these technologies from complexity to simplicity. It’s art more than it is science. Engineers are not artists by definition. At the code level we are, but at a higher level, it takes training and a special type of engineer. And that evolution to that higher-level artistic way of abstracting ideas and knowing what the average individual needs is in the minority of thought.
McAfee: Here’s a concrete example: The problem with corporate intranets is that the number of connected devices is exponentially increasing. The “we need to protect ourselves from ourselves” concept here is that when we configure a firewall for 1,000 devices, the chance of making an error is about 100 percent.
So we developed a device called Sentinel. It’s ready to go; it works; you can test it. The configuration of this device consists of the following: Take the cord, and plug it into the Internet.
The human element is gone. The only possible flaw could be that we screwed up our algorithms, which I can assure you we have not. We are good at getting algorithms correct—and terrible at making the user protect himself from himself.
Protecting yourself from yourself in a corporation is using a system where a firewall takes five people five weeks to configure. And even then, you know that hackers can find 15 holes in 15 days. So after you plug this sucker (Sentinel) in, it tells you that you have someone coming up on Port 80 here—shouldn’t be happening, as the IP address is somewhere in Russia—do something.
We’re now able, within a few milliseconds, to identify a hacker’s first intrusion attempt. That’s a big change from the way it’s done now—searching for the signs of the hackers’ activities within your system.
Good God. As with the Office of Personnel Management, which took two years to find out that it had been hacked, by then it’s too late. They’re in your system!
Read part two of our Q&A with John McAfee and Eric Anderson, in which we discuss their business vision and plans.