When I went back into the workforce after my last degree in 1996, I made a big leap and returned to Canada to join a small team of passionate people in a brand new company called Signal 9 Solutions. I packed my bags and headed to the village of Ashton, Station Ontario not far from Ottawa, where thanks to my friend (and boss) Phil Attfield, I had a bed in Phil’s basement, which had just flooded to due a thaw and snap freeze; I drove a green-minded, propane power Chrysler K-car with AM-only radio. This was the dream if you can believe it a quarter century later.
The mission of Signal 9 was to make much more robust and strong cryptography and VPNs than the market had: the world of PKI, asymmetric encryption, and small key sizes wasn’t going to cut it. We were making symmetric crypto usable at scale, fast and devilish to break. We drew a lot of attention for the next four years, but we also accidentally did something bigger than we understood: we created the world’s first personal firewall. And back then, people were up in arms about how a personal firewall was not only an oxymoron but impossible!
James Grant led the Windows client development that led to ConSealPersonal Firewall, for those that remember the sub-brand. As a company of effectively 9 people, it was thoroughly a group effort. I spent a lot of my time wearing many hats, from testing to documentation and became the person doing support and effectively pro-bono training when needed.
At the time, we thought a personal firewall would be too hard to use; but sales at $75 an instance kept going up, up, up. We brought out updates, and people hungrily devoured them. We brought out a new version that was easier and more automated with ConSeal Private Desktop, and sales boomed. In the end, McAfee acquired us and I moved to California. But that’s another story.
It was somewhere between these two product releases that I became a Defender and a generic security guy and ex-bouncer (as I had previously been) as opposed to someone who enjoyed the technology of security for its own sake, though that was certainly true.
It happened with a support email in my inbox with the subject “thank you for saving my son’s life.”
A woman who shall remain nameless wrote to me to thank me for all we had done for her family and her son. Now this was a surprise because while you know you are protecting and helping people, it wasn’t every day in 1998 that you got an email from an average, non-technical home user about how you had changed their family’s lives. It turns out that her son had some fairly severe learning disabilities. The promise of the early Internet was to provide her with new options for education, for interaction, for living a full life, which was transformative.
But there was an ugly, disgusting downside.
They were targeted by attackers. Intentionally. Because, as it turned out, the resources for learning and education being made available on the Internet provided attackers-in-training with fresh, live targets for practice.
Yuck. In a word: disgusting.
It made me very angry and put a real person worth defending in the crosshairs. It ceased to be a job perk or an exercise in imagination - it crystallized and became very real for me.
In those days, there was a self-delusion in our industry that was quite common: that hacking was ok if we only hacked those in the know. It was ok to target those who understood what they were doing and were “in the game too.” Yes, we had cybercrime and we talked about nation states engaging in active operations, but weaponized professionals weren’t supposed to do this sort of attacking of the weakest members of society.
And my company, my friends, my work, my personal firewall changed all that. On that day, the veneer was torn away and I saw the heart of cyber darkness and knew that I was a Defender.
About the Author
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.