Kerry Cox Jr. of Simplified Network Solutions talks about his recent work with Project Sierra, data encryption, the risks often overlooked in our ever-connected world, and how working for the government has helped to shape his career and views on the importance of Internet security.
Cameron Philipp-Edmonds: Today we are joined by Kerry Cox Jr. He’s going to be speaking to us about Project Sierra. Kerry, to start things off, can you tell us a little about yourself and your role at Simplified Network Solutions?
Kerry Cox Jr.: Yes. Like you said before, my name is Kerry Cox. I actually started Simplified Network Solutions because I became concerned about how easy it is for people to pretty much snoop or spy our private lives. Currently, I’m working for the Department of Defense as a network engineer and also as an information security officer. What that entails is me giving a lot of training in the latest techniques as far as to what hackers are doing—how they eavesdrop and what tools they’re using.
Project Sierra came from a combination of different things. The whole NSA, Eric Snowden leak, talking about all the information that they were capturing by Googling on the Internet, which was a problem. It was a problem but it wasn’t the problem. Having said that, with my job, I get a lot of training. I was, as far as training, to get certified in CEH:certified ethical hacking. All that does is just keep up to speed with everything's that's going on out there on the Internet.
While starting with this training, I ran across a couple of tools that were out there. At the time they’d been out there for about two years, all the Shodan HQ. If you're not familiar with Shodan HQ basically it does on the civilian level what the NSA was doing, in my opinion. That's just my opinion only. I don't know what the NSA is says because I don't work for them.
What it was doing was it was cataloging all IP addresses of all connected devices in the entire world regardless of what your region is and it was auditing your security posture. That went with your digital router, your file server at home, your computers. Your web panel is the biggest issue. Security cameras that businesses use, and even a couple of government agencies that were exposed to this type of audit.
I dug a little deeper into it and Forbes put out an article saying exactly what this web site does. If you're technically savvy enough you can tailor the software into querying this database of IP addresses and security postures and getting it to exploit anybody that you want. To me that was the biggest issue that I saw at the time as far my training was concerned, because a lot of these hacker techniques are outside the region of the average user who just post an Instagram picture.
What this did was it lowered the barrier of entry into either one just going into random people's networks, their home networks, and doing whatever it is they want to do or it could even target somebody if they were exposed. If I were a malicious hacker, and that's the term we use: hacker. If I were malicious, and let's say I were an ex boyfriend or something like that, the first thing I would do is just look for my target's IP address on this web site and if it's up there, then I'd see if it already has a security posture that is being audited from that target.
Having said all that, I personally encrypt all my traffic leaving from my house to the Internet with a site-to-site GRE route. It was pretty difficult to use, even with what I do for a living. I've been doing this for about ten years, a little more than ten years. The first time, it took me about a month to find the proper hardware for the proper service to put all this stuff together and then I kind of let it go.
Then, I wanted to go back to it and there were some updates that went out and it still took me another two weeks of understanding to get it to a working condition. That's where I got to the point where I am now with the Kickstarter. That's why Project Sierra was started. It is, in a nutshell, a consumer-grade networking encryption device for the average user, with a touch-screen interface. So instead of uploading or installing different type of running configurations or sig files to the router and then try to set up a VPN. This will do it automatically from a touch-screen interface on the top of the router itself.
Cameron: Right, so it really makes it much easier for the average person to encrypt their data and make sure that they're anonymous.
Kerry: Exactly. At the very least being anonymous. Having said that, just to go on the other side of it, there's nothing that's 100 percent secure in networking, in computers, period. Point blank—end of story. You can always make it more difficult, add another layer of security or try to get down to the most granular level, but someone's going to find some type of opening.
I'd also like to be able to provide some type of live updates once a vulnerability has been exposed and be able to push that out to the individual. So kind of like Windows update, if you will, and I use that term loosely. Once that vulnerability is out there, it needs to be patched. You can push it out there and it's not really an issue.
In this day and age with connected devices, it's not enough at this point in time for you to have a firewall outside of your connection that protects your home. Firewalls don't protect you from your trasffic being intercepted between point A and point B. That's kind of what the Project Sierra aims to do.
Cameron: Right, and then one of the benefits of also being able to be anonymous online is that you can surf the Internet without geographical restrictions. So beyond the immense entertainment value that can be gained from being able to browse different selections of sites like Netflix or accessing Hulu and YouTube completely unrestricted, what other value is there to geographically unrestricted Internet access?
Kerry: Well, the reason why you have different geographical service is because it's based on VPN server technology, the further out your server is from your physical location, then the slower your connection is going to be.
I'm in Virginia right now. For one, the United States is wired pretty good in the world, next to Japan, Korea and Europe and all that kind of stuff. Having said all that, when I'm in Virginia and I pick a server on the East Coast in D.C., I'm not going to notice too much lag so I can still stream, I can still play video games without too much latency. I can definitely download and browse the web without any real notice in the degradation in quality. That's the number one reason to have servers all over the world: is to avoid degredation of quality.
Two, it'll also bypass filters. That's not really a problem here in the states and if I'm ever able to be fortunate enough to serve this unit worldwide, if that individual user is filtered from certain sites and certain things that are happening within that country—the government just filtered all their communications from Google, Twitter, and maybe even Facebook. All you'd have to do is select that. It would encrypt your connection from that point to wherever you want to be and actually bypass that server. I've done that several times around the world and it pretty much works without an issue.
Cameron: All right. Fantastic.
Kerry: In all honesty, I just believe in just an overall concept of being able to use the Internet freely. It shouldn't matter what my IP address is because I should have, not a complete and total expectation of privacy, but there should be some level of privacy where I don't have about five or six different civilian web sites and the government auditing everything that I was doing. Regardless of what I'm doing and determining what my security posture is within my home network and then exploiting that security posture. If it just so happens that I'm an average user and I use a simple word with a number, within that password—that shouldn't leave me vulnerable to just any attack. Those are the main reasons for the geographical location.
Cameron: Okay, and you talked about security there. As the Internet becomes more and more embedded in our everyday lives, we tend to lose understanding of just how constantly connected we are. Pretty much everything is connected. There's people who have their refrigerators connected to the network of things. Do you think this leads to consumers having a false sense of security or is it more of them having a misunderstanding of the risks that are associated with having this ever-connected society?
Kerry: I don't think at this point with everything that's going on and with everything that's been reported in businesses and in the news that consumers really have any true sense of security while using the Internet.
But I definitely think that they're misunderstanding the risk. Let's say if I wanted to do something malicious, I would just go to this web site that has a vast database and fish in one of two ways. You can take a big net and cast it and capture a lot of fish or you can use your fishing line to reel in and capture one fish.
In this digital age, people are misunderstanding the risk because I can go to a database and using the approach of casting a wide net. If I need to do something illegal, I can take over their network and funnel all of my traffic, do all my malicious stuff through their network, and bounce it around and then attack whomever I want to from that client. That's the first thing.
Second off, people don't understand usually what the default settings are. A lot of the big companies they try to make it as secure as possible. A lot of the stuff isn't badly misconceived, but most of them don't so at the very least you would have that so-called lock on your front door, so people can't welcome themselves in based on only your default settings because as a general rule in the security community, default passwords are bad and people don't change them.
Cameron: Yeah, absolutely.
Kerry: That's the biggest thing. People don't understand exactly what the risk is with the always-connected world now. That's pretty much what we live in. It's gotten to the point where there needs to be an extra layer.
Cameron: Yeah, I agree. I think a lot of people don't understand. I think one of the biggest issues now is for people who have always grown up with Internet—the Internet's always been there. They still think that there's this right to privacy with the Internet. In your opinion, how much is there a right to privacy on the Internet?
Kerry: In my opinion, I stick with the ananlogy that the Internet is the information superhighway and it is just like a regular highway. Having said that, you have a certain level of privacy that you expect when you drive down, let's say, I-10, I-95, I-40 or something like that, whereas you can't just get pulled over by the police and get searched without probable cause. That's the type of privacy that I think people should assume or that they should have on the information superhighway. Now having said that, just because you're encrypted and you can't be tracked at the most simplest level, just doesn't give the person, even though they have privacy, it doesn't give them the ability to do whatever it is they want because there's still laws that as a society will have to abide by.
If we have probable cause based on searches. Your privacy is gone if you're doing something wrong. That's how it works for the Internet. But that's at a governmental level. I can't pull you over. Kerry can't go and pull Cameron over on the highway and say, "Let me check your trunk. What do you have in there? Who are you?"
But me as Kerry, if Cameron is susceptible on or has gotten lost within this database, it's pretty much the same thing. Now I'm in your house. I'm in your file server. I'm in your computer. I'm in your iPhone, iPad, Android devices, even your Xbox, and anything that has a camera. You know like you said your refrigerator? I can even see in your next device, definitely, because I've taken over your router and your service connection.
In my opinion, it's serious. It's extremely serious. At this point, I'm surprised that nobody's even thought to even take it this far. On top of that, it's about a balance between privacy and the public safety, too. I have seen both sides. I can understand both sides of the argument.
Cameron: Okay. One of the great things about Project Sierra is that it does add that extra layer. It really kind of helps you protect, like you said, extra connections that people don't take into account, like for instance on your Kickstarter you talk about baby monitors and central air system and other personal devices. Why should people be concerned with protecting personal devices and keep people from hacking their A/C?
Kerry: Well, as far as your thermostat, that's at a level of how you behave. If you're talking about a A/C and you're a target. That's the first thing you have to realize. If you're a target and I want to say that, okay, your A/C is always off between 8:30 in the morning til about 4:30 in the afternoon. Well, I can pretty much assume that nobody's at the house.
Cameron: Oh, wow.
Kerry: This is high-level robbery or identity theft at that level. What's the other example you used. Did you use baby monitors? Same thing. You think you're being secure or you're watching what's going on in your house to make sure nobody's there, but I can use that double-edge sword against you. I can watch your house and make sure you're not there. I might even be able to shut it off while I go in there, so you don’t know what's going on. You're not going to even think anything of it because it just looks like the network's malfunctioning or something like that, so it's simple. The whole thing is to just establish a pattern of behavior. That's the biggest thing as far as all the connected life is concerned. To me that's scary.
Cameron: Oh, absolutely.
Kerry: Your home alarm is more or less becoming wireless network-enabled. I mean, I can even get weather on mine now, but I trust the company that I'm with to encrypt that connection between there and their servers. But you can still use that as a bug because you can plug in there, turn it on. There's starting to come software where you can turn it on devices like that with your cellphones, really, your Android and your iPhone. You can turn on the microphone to eavesdrop on somebody. You can turn on the camera.
Kerry: That's really what it all revolves around. I can do a research paper on this. I'm pretty sure people have as far as what the real risks are for having a connected and unprotected smart home.
Cameron: Right, and like you said earlier, if you are one of those targets, if you don't have that extra layer of protection it just makes it all that much easier.
Kerry: Yes. I think extremely easier.
Cameron: Now, to kind of switch gears here a little bit, you served in the U.S. Army. How did that help to advance your career and kind of lead you to where you are today?
Kerry: Well, it did it in two ways. One, the experience. I got to actually use and understand lots of different encrypting devices. Now it's got to the point where it's available to the average person for free if you are downloading and now hot to implement it. It's as good as what we used while I was serving in Iraq and Afghanistan. That kind of helped me put this big puzzle of just available resources together into one little pretty box that I call Project Sierra at this point.
Also, to be able to delegate tasks because right now Simplified Network Solutions is a company comprised of all contractors. I'm able to find out or come out with the requirements that I need, put everything together and have one section work on one thing. Like you're calling me now, so I have a PR section. I have a finance team to finance the PR section. I have an engineering team that's ready to put this whole thing together. Once the time comes I can build Project Sierra from scratch because right now I'm using a lot of commercial, off the shelf parts and put it together as a prototype and then be able to execute. That's kind of how my work has been influenced with Simplified Network Solutions.
On top of that, that's kind of what I did once I got out the army and started working with the contractors for Lockheed Martin. The difference between Simplified Network Solutions and Lockheed Martin is the money.
I was on a contract, just to maybe tell you a short side story. I was on a contract that was probably about to be pulled. Me and another of my co-workers were able to get it picked up and become successful. That was because they're able to sit down and find out what the requirements were to work it out. At our level, if there was something that was outside of our expertise, like coding, I can do it a little bit but I'm not a strong coder and I'm not a fast coder, I'd have to look everything up on Google and it takes a lot of time and at that point: time is money.
I take that experience and apply it to Simplified Network Solutions and Project Sierra and I can put everything together being the spearhead of this project. That's kind of how it helped me out, bringing everything all full circle now at this point to where I am right now, while trying to get funded through Kickstarter.
Cameron: Okay. Yeah, and to kind of wrap things up here you kind of talked about your Kickstarter there a little bit. What are the next steps for Project Sierra?
Kerry: Okay. If the Kickstarter were to get funded, then I'm actually going to go into an actual prototype for production. Right now, they're really waiting for funding. If it doesn't work with Kickstarter... well, the good thing about this is I'm still getting exposure so I might do another one after this. But then after if it doesn't work out, we're going to seek investors.
I have electrical engineers, software engineers and mechanical and firmware engineers ready to put all this together. They have the requirements that they need. They know how I want to do it and how I want to implement it. At this point, I'm as far as I can go without having an investment or an infusion of cash from Kickstarter or crowdsourcing.
If people feel as passionate as I do about securing the network, even though it's one of those passive type of players where you don't see it happening right then and there, but you know it's working, then those are the people that I'm trying to impress to get some type of funding through.
Cameron: I think you make a really great argument for it and you're very passionate about it. We really appreciate it. Once again, this was Kerry Cox, Jr. of Simplified Network Solutions. He spoke to us today about Project Sierra. Thank you so much, Kerry.
Kerry C. Cox Jr. is the founder of Simplified Network Solutions, LLC and the Lead Designer of Project Sierra. His combined experience comes from more than ten years serving in the U.S. Army, working for Fortune 500 companies, and Government institutions. Kerry has been involved in designing, deploying, and managing mission critical systems and networks.