David Schwed on how Halborn is an award-winning ethical blockchain hackers to secure your stack end-to-end (Episode 336)
David Schwed joins us to discuss on how Halborn is an award-winning ethical blockchain hackers to secure your stack end-to-end.
David L. Schwed is Chief Operating Officer at Halborn, an award-winning blockchain cybersecurity firm that uses ethical hackers to provide end-to-end cybersecurity advisory services and products to Web2 companies and over 250 Web3 organizations, including Coinbase, Avalanche, and more. Previously, he has held roles at a senior level for BNY Mellon, Merrill Lynch, Salomon Smith Barney, Citigroup, and Galaxy Digital. He is also the founding director and professor of the cybersecurity Master’s program for the Katz School of Science and Health at Yeshiva University, where he is their practitioner-in-residence.
Want more resources around this podcast? Keep up to date on the latest articles here.
The following transcript was created using artificial intelligence. There will be some grammatical errors below.
00:00:21:13 – 00:00:34:22
Richard Carthon: Hello everyone, and welcome to another episode of Cryptocurrency, your host here with Richard Carthon. And today we’ve got a special one for you, which I think is going to continue to be very critical as we continue to evolve as a web3 community. So we have David
00:00:36:11 – 00:00:44:14
Richard Carthon: Sweet, who is part of Shelburne, which is the elite blockchain cybersecurity that all of us here need to learn more about. So, David, how are you doing today?
00:00:44:27 – 00:00:46:07
David Schwed: I’m good. Thanks for having me on.
00:00:46:28 – 00:00:53:05
Richard Carthon: We appreciate it, Manuel. Before we dive into Hogben, let’s first learn a little bit more about yourself. Can you give us some background?
00:00:53:18 – 00:01:24:29
David Schwed: Yeah, sure. So I spent the early part of my career in traditional finance, you know, the City Corp., Citigroup, Salomon Smith BResume Auto-Scroll arney
, Merrill Lynch being my Mellons of the world, various information technology roles, whether it’s infrastructure, obviously gravitated towards cybersecurity as well as risk management and audit. And 2008 and I had a little split in my career. I, I co-founded a telecommunications company as well as going to law school. And I ran my company for about ten years. We were acquired back in 2018.
00:01:25:09 – 00:01:55:09
David Schwed: And from there I took on the role of Chief Security officer for Galaxy Digital. I stayed there for about a year, had an itch to get into academia, so I left Galaxy to become the director of a cybersecurity program for a university in New York Yeshiva University. While I was there, also working for Subsea Cable Company, because the company that I had co-founded was a telecommunications company. And then from there, I went over to be my Mellon as their global head of digital assets technology to help build out, you know, the digital asset strategy. And then from there, I’ve held Lorne as their chief operating officer.
00:01:56:02 – 00:02:02:04
Richard Carthon: And so a very dull career saying that is that is so amazing and a.
00:02:02:06 – 00:02:09:16
David Schwed: Little bit all over the place. I was just like looking back. You know, I’m happy with all my decisions, but at the time, it definitely seemed I was going a little over the place.
00:02:10:11 – 00:02:41:15
Richard Carthon: Now and that’s that’s excellent. You were able to get a lot of backgrounds that I think are very critical for the shaping of where blockchain and web3 are headed. We need more will groundedness so that we can start to fill a lot of these gaps, to make a lot of potential to put out. Companies start to jump into 2.5 and then eventually get to the 3.0. But we can get into that a little bit later. But. You have such an interesting journey that when you first got your toes into the crypto industry working at Galaxy.
00:02:41:22 – 00:02:51:12
Richard Carthon: What made you decide to go in that direction? You know, with with security, there’s obviously always a. Ton of different opportunities that you could pursue. Why did you go in that direction?
00:02:51:22 – 00:03:26:07
David Schwed: Sure. So that was my first professional career in crypto. I actually got introduced to crypto in 2012. Unfortunately, from a from a technological perspective, I you know, at the time I didn’t think that it was going to worth anything. So while I was an early purchaser, it was just a few tokens just because I wanted to see what the technology was like. So in an opportunity arose in 2018 to now dive headfirst into crypto. You know, I’ve been a fan or efficient at it from the sidelines for like about six years. So for me to jump in and for me it was really around the challenge of this is new.
00:03:26:09 – 00:03:57:12
David Schwed: This is a new and emerging technology at the time. There’s no playbook, there’s no run book, there’s no framework of how to set up a cybersecurity program and how to protect digital assets. So for someone like me, I run towards challenge and I run towards something that just really interests me. So for me, this was, you know, just a combination of I love this new and amazing technology. I think it’s going to be a disruptor, I think is going to be the future. And then on top of that, it’s, you know, it’s challenging. It’s it’s how do we stand up a cybersecurity program when, you know, this is a new threats, new threat actors, you know, new types of attacks.
00:03:57:22 – 00:04:01:16
David Schwed: So for me, it was really more about the challenge as well as the love of the technology.
00:04:02:20 – 00:04:44:06
Richard Carthon: They understand it is challenged challenges the name of the game, then you definitely pick the right one. We never fail to see new challenges that arise being in the space or at least being cognizant that it was around. Now, for the last decade, you have seen a lot of. Peaks and valleys, bull and bear markets. Technology evolves. New coins and tokens enter the market and unfortunately, some frivolous exchanges in different pockets of time. So as we look at how blockchain security, what is it that you’re aiming to accomplish with with this company and how would people be or how would different organizations be able to utilize it?
00:04:44:27 – 00:05:22:01
David Schwed: Sure. You know, our mission Simple, our mission is really it’s to protect the ecosystem. And we do that through securing the entire project. So, you know, we’re not necessarily narrowly focused on performing a smart contract audit, you know, or doing like a web pen test. What we’d like to do is we take a look at the project and then from a risk based perspective, identify where the potential exploitation points of the vulnerabilities in the infrastructure, the architecture or the code. And then we’ll we’ll help protect it. You know, I think I think it’s important for, you know, for people to realize that, like I said, like this is it’s such a new technology that or there’s like no framework and there’s no one book.
00:05:22:03 – 00:05:48:19
David Schwed: So, you know, I think it’s it’s really it’s important for for people to understand that there’s no silver bullet in crypto that, you know, it’s it’s really it’s a strategy where you have to deploy multiple different lines of defense, whether it’s working with an external auditor or whether it’s having a bug bounty program, you know, hiring an extensive internal staff of a chief security officer as well as security engineers. But there’s a multifaceted approach that organizations need to do in order to provide the requisite level of protection of their application.
00:05:49:24 – 00:06:19:06
Richard Carthon: Definitely. And I think it’s good that you’re not looking at this from very like, hyper focused area between blockchain audits and everything else. There’s a lot that that goes into this, you know, just looking at some of the different, you know, companies you’ve worked with, you know, Salon, a yacht club store chain, Avalanche, Dapper Ocean, that’s I mean, you have some big interested names. What is it about these different ecosystems and companies that you know, Phil, that Halle Berry is the right solution to help support them?
00:06:19:28 – 00:06:57:21
David Schwed: Sure. It’s a great question because, you know, it really comes down to, you know, how do you evaluate and how do you find a vendor that you know, that you trust? And in this space, you know, there’s there’s not a lot of there’s not a lot of people that are that are skilled in order to do the job that help one does. You know, obviously we have competitors. So it’s not like, you know, we have a control of the market of the talent, but there isn’t a lot of people out there that really fully not only understand the ecosystem and understand the threats, but also have the requisite background from a cybersecurity perspective. So I think, you know, we were very early to the market and what we were doing at the time, and we were able to build a company and a culture that attracts some of the best talent in the world.
00:06:58:02 – 00:07:31:29
David Schwed: And I think it also speaks to our hiring practices, you know, in order to work at Holborn. There’s a lot of hoops you have to jump through in order to even get an interview. You know, there’s multiple capture the flags to demonstrate, you know, your knowledge because, you know, normally, like the interview process is more theoretical and not practical. And, you know, we’ve all made bad hires where, you know, you’re interview somebody and they’re saying the right things. And, you know, you feel like they truly understand and they get it. But for how long? It’s really you know, and again, not to borrow or to be cliche, but it’s proof of work. You know, before we even speak to you, we want to see that you’re able to, you know, do the work that you would be doing, work in Melbourne.
00:07:32:08 – 00:08:01:27
David Schwed: So for us, I think that’s really where we were able to identify the best talent is by making them go through these, you know, multiple capture the flag exercises as well as, you know, looking at the right candidates. You know, there’s two different types of thought process. One is let’s go out and grab celebrity developers and train them how to be cyber security experts. You know, we felt that the approach on the other side was the right approach. Let’s find some amazing red team offensive. You know, hackers or engineers that just love breaking things and let’s take them and let’s teach them blockchain. And we found that that was the model that worked for us.
00:08:03:02 – 00:08:33:18
Richard Carthon: I think that’s a good way of looking at it, too, because when you look at I mean, who are the people that you’re trying to defend from the hackers themselves? So why wouldn’t you go and get talent that would know how to think like them and be able to defend against it? And, you know, just looking across some of your core services between security advisory, advanced penetration, smart contract audits, DevOps and automations. When you were first starting this and you were working with some of these different ecosystems and companies were, where do people typically start? Like what is the path of becoming as secure as possible?
00:08:34:26 – 00:09:15:22
David Schwed: Well, there’s what people are doing and then what they should be doing. So I’ll I’ll answer from both perspectives. You know what what I see right now in the market and I think it’s it’s it’s somewhat concerning in some respects is and it’s understandably so. I don’t think anyone’s intentionally making poor decisions. But what’s happening is, you know, you’re having these projects that are getting, you know, $5 million in seed funding, $12 million in seed funding. And that’s great, right? And we’re giving capital to people to build projects on these ecosystems. But, you know, that’s not the type of budget that’s going to allow them to go out and hire, you know, a 5 to 10 person cybersecurity staff and really go through a secure SDLC process, you know, to do their own internal code reviews, to do their own architectural reviews.
00:09:16:05 – 00:09:48:09
David Schwed: So what’s happening is a lot of these projects are either not hiring cybersecurity people or they’ll hire one person, you know, who’s more on the strategic level, and then they’ll look for outside firms to come in and look at the code after the fact. And, you know, just if we borrow what what what an auditor’s role is in the Web two world or the traditional finance world is really to provide an anticipation station, not necessarily to do the work on behalf of the clients, to look for the vulnerabilities and find them. It’s supposed to be sure it is. It’s secure when you provide your audit or stamp of approval that there’s an attestation that everything is secure.
00:09:48:23 – 00:10:18:08
David Schwed: And we’re not seeing that. We’re seeing a lot of code come over to us that’s, you know, just riddled with vulnerabilities or relative critical abilities. And that’s that’s not the case for everything. You know, there are many times we’ll get a report where, know, we won’t really find anything critical. We’ll find some mediums or loads. But more often than not, we’re identifying some major critical vulnerabilities, which to me telegraphs that there’s a root cause issue in a lot of these projects where they’re not hiring the right staff. You know, they should be hiring the same types of hackers and engineers that we have on our side. So we are truly an independent review of it and not necessarily like the first review of that code.
00:10:19:11 – 00:10:46:27
Richard Carthon: Yeah, I think that’s a good way of putting it. As I look over here to give a stamp of approval, you’re not here to like. Fix everything. But with doing that and as you’re looking at Web three and unfortunately, a lot of these companies are kind of working backwards in that capacity. It kind of feels like it’s one of those challenges that you face between like startup versus enterprise and like, how do you find the balance of the in between? What’s been your approach to kind of trying to fill that gap?
00:10:47:14 – 00:10:52:01
David Schwed: Yeah, And I mean, that’s that’s a great point. You know, it’s.
00:10:53:18 – 00:11:26:26
David Schwed: The, you know, the enterprise market. And in Web three things are different, right? Like the risks are a lot heightened. You know, these are bare assets. You know, anybody that’s gets control of any one of these, you know, equities tokens, you know, whatever word you want to use, asset, they have it. So what worked in the startup world, in the fintech world, in Web two, it just it doesn’t work in web. And and I think that’s where the challenge is, because the one book that people are doing in Web three was fine in the Web two world, you know, you can just go out and buy a whole bunch of different types of vendor tools.
00:11:26:28 – 00:11:49:14
David Schwed: You can run them through static and dynamic code analysis. And and you’re generally going to reduce the risk that the risk profile by a significant amount. But here in Web3, you know, any vulnerability can lead to a complete loss of funds. So we need to be looking at things through a much different lens and we need to generate a new playbook when we’re creating these startup fintechs. And I think that’s really where the challenge lies today.
00:11:51:11 – 00:12:15:15
Richard Carthon: I agree. And. As we look at where we’re headed in 2023, as we continue to evolve into the future, Unfortunately, 2022 is riddled by a lot of black swan events that was self-induced by, I think, overleverage and greed and just straight up fraud. How can companies continue to protect themselves as we head into the future?
00:12:16:15 – 00:12:52:09
David Schwed: So I think part of it, it’s our own fault, right? And I think you hit that you hit the nail on the head. And, you know, I always tell people, stop chasing the yield. You know, if if you’re if you know, you’re getting a 20% return in the traditional financial markets is giving you 4%, that 16% has to come from somewhere. So it’s either coming from criminality, it’s coming from just YOLO ing loans without any sort of risk profile. So I think part of it is on us that we are gravitating towards projects that are giving us 100 to 100 extra basis points. And I think we need to demand better security and we need to abandon demand, better risk management as users of these different applications.
00:12:52:18 – 00:13:33:00
David Schwed: And I think using security and using proper risk management should be the differentiator for programs. You know, for someone who is obviously, you know, in this field. If somebody was advertising, hey, listen, here’s our security profile and it’s like top notch and they go through and I’m reading this amazing playbook, but they’re offering me 8%. And another project that has no white papers and no security is offer me 10%. I’m going for the eight. And I would tend to think that most people would do the same. So I think, you know, as a whole, as a community, we need to demand things to be a little bit more secure. So part of the issues on us and I think the other issue too, is just this race to really something to market or to release new features in order to one up, you know, one of your competitors.
00:13:33:07 – 00:13:58:09
David Schwed: And I think that’s the problem, too. Not that we necessarily need to slow down because it’s great that everybody’s developing and everybody’s building, but you can pump the brakes a little bit in order to establish a little bit more oversight and a little bit more control. So I think just in general as an industry, we you know, we are part of the problem because of what we’re demanding. And then I also think that a lot of these projects should be taking on security, not necessarily as an afterthought, but part of their actual offering itself as a as a feature.
00:13:59:18 – 00:14:32:14
Richard Carthon: Yes. And the part of the yield that I want to spend a little bit more time on is that I think it really went overlooked that when when people are offering these types of really large yields, you know, a lot of the places where you can get those types of yields. Web3 is all about custody. And in order to participate some of these deals, you have to basically give up your custody and pray that you get it back. So in the traditional bank, when you give the banker money, you’re basically trusting them to give your money back. And because of the FDIC, $250,000, you’re covered, you’re insured.
00:14:32:16 – 00:14:56:16
Richard Carthon: You are get that money back because of laws put in place to protect you. In crypto, there’s no such thing. And we’re seeing that right now between all the bankruptcies, between things like Celsius and even looking at Blockfi and some others. How critical do you think it is that people continue to understand the tradeoff between Self-custody and not?
00:14:57:07 – 00:15:27:25
David Schwed: Yeah, I think it’s huge and I think education is definitely something that’s that we need. You know, I have a not even heightened but actually like start you know, there’s just people that are just entering into this market on the retail side that just doesn’t understand what they’re doing. So to understand, you know, the whole not my you know, not your keys, not your crypto, I think most people have heard that term but don’t like fully actually understand that. So they don’t necessarily understand the, you know, the differences or the nuances between, you know, custody being on an exchange or self-custody on a ledger versus using a wallet software.
00:15:28:04 – 00:15:59:21
David Schwed: So I don’t think they truly fully understand the risks that go along with everything, because you’re right, you know, like just in the traditional financial system, it works the same. It’s really the same thing. You know, you deposit money in a bank, they take that and they loan to somebody who’s getting a mortgage. The difference is banks have capital reserve requirements. They have risk management profiles when they’re looking at the client, you know, their risk profile before they giving out a loan. That same structure set up on the crypto side, except there’s no capital reserve requirements. So whatever you’re depositing, they’re just lending out and they’re just lending out on incredibly risky loans.
00:15:59:24 – 00:16:30:11
David Schwed: So I think just also understanding that there are no regulatory requirements from a capital reserve perspective or from a risk management perspective that just inherently it’s more risky when you’re making a deposit in certain exchanges. I think the other thing also is to look at from a jurisdictional perspective, look to see where the exchange is hosted. You know, in the beginning days of crypto, people were running towards jurisdictions with no oversight because let me just launch a product and I don’t have to worry about the regulators knocking on my door. And I think we’re looking back now and, you know, that wasn’t a great choice for some people for depositing funds in certain different entities.
00:16:30:26 – 00:16:41:09
David Schwed: So I would just advise everybody that wherever you’re depositing your funds, look at the particular jurisdiction that that exchange is located in and make sure that that government, you know, from a regulatory perspective, is protecting you.
00:16:42:27 – 00:17:15:20
Richard Carthon: I think that’s well said. And. Ultimately we are the end user. The consumer need to do better with education and understanding how a lot of these things work. I think there’s way too many people who saw crypto as the get rich quick opportunity in money without understanding what was going on. And a lot of people suffered in 2022 after a really bullish 2020 2021. People wanted to get diversified into it, but didn’t really do their own research into understanding how to also protect themselves in the process.
00:17:15:22 – 00:17:47:23
Richard Carthon: And so I think 2022 was a huge lesson. I think as we look into 2030 and into the future, people are going to be a little more wary and a little more careful as they as they look at this as an investment opportunity. But, you know, I think you’ve given us a lot of really good information and things to consider. And I would like to wrap up with a couple of fun questions. And the first one I like to ask is you’ve now been in the space for several years. You’ve known about Bitcoin for over a decade. If you could go and impart wisdom to yourself, one or two pieces of wisdom.
00:17:47:25 – 00:17:51:08
Richard Carthon: When you first got started in this space, what would you tell yourself?
00:17:51:25 – 00:17:52:14
David Schwed: Quite a lot of it.
00:17:55:19 – 00:18:29:18
David Schwed: No, I mean, honestly, nothing different. You know, I’m a technologist at heart, so for me, you know, I’m happy that I found it when I did. So that way, you know, I could really, truly, you know, wrap my head around the technology and understand it. You know, I guess if I had to pick something, you know, definitely maybe spend a little bit more time paying attention to Ethereum when it launched, you know, at the time, I don’t think I really could wrap my head around the potential impact, you know, to digital assets from, you know, from EVM and from smart contracts. You know, that is obviously such a differentiator between the two. So I think that would be my only thing is, you know, when when a theorem came out to really dive headfirst into that project.
00:18:31:03 – 00:18:50:00
Richard Carthon: And for the new Web3 company that’s about to hit the market, they, you know, started to build about or seed funding or they just raised seed funding. What what would you tell them as far as things that you seriously need to be considering? And at least if they haven’t done it yet, they need to have it in their mind to get it checked out, etc.?
00:18:50:16 – 00:19:26:04
David Schwed: Sure. You know, security, no matter what your project is, security is going to be important. So whether it’s called them or they’re going to result in a loss of funds, which is really where most people brought their head around when they think about security. The other piece of it is just also reputational risk. You know, if there is a failure in your project or even if there’s a hack and there’s minimal funds stolen, you’re going to lose trust in the ecosystem. So my advice would be take security seriously and devote a decent portion of your budget to hiring security staff and not just the fees out. You know, that’s that’s the other issue, I think, or the other concern I see a lot of projects making is they think just, you know, that one hire is going to be the silver bullet.
00:19:26:26 – 00:20:00:18
David Schwed: And just like with any discipline, there are people that are experts in different areas of cybersecurity. So there’s not one unicorn that knows every single thing about cybersecurity, which is why there’s a whole department generally, you know, and the role of the CSO should be more strategic, not hands on keyboard. So, you know, we see a lot of smaller projects that want that unicorn of the strategic CSO versus the hands on CSO versus security engineers. So so I think it’s really just understand that you’re going to need probably at least 3 to 4 people to begin with and ideally upwards of 10 to 15 at a certain point and to really build out security foundationally and not as an afterthought.
00:20:02:12 – 00:20:33:12
Richard Carthon: I think that’s a really good reminder. I know that a lot of people I speak with prioritize and say how important security is, but I don’t know that they are thinking about it in that skilled form, especially as they scale out and as they potentially get bigger because there’s nothing that can be worse than you put all this work in. You’re starting to get to the heart of everything. And because of one hacker coming in and taking all your funds, you lose your reputation, you lose all your momentum, everything else. So something to keep in mind, everybody. But David, thank you for all the information.
00:20:34:00 – 00:20:37:02
Richard Carthon: What is the final spot that you want to leave with everyone here today?
00:20:38:06 – 00:21:09:14
David Schwed: Educate yourself, you know, understand how the technology works and not just be a, you know, a passive user of it. You know, the big thing, you know, that I would just tell everybody is, you know, token approvals. You know, that’s the one thing that I keep shouting from the rooftops is, you know, people think that their phones are safe because they’re sitting on a ledger. You know, when you’re interacting with an app like, you know, any one of us two swaps, you’re authorizing them to have access to the tokens that are sitting in your wallet. And I don’t think people fully realize that. And that’s where we’re seeing a lot of the malware and, you know, the the crypto hacking and hijacking, you know, taking over people’s phones.
00:21:10:12 – 00:21:26:15
David Schwed: So, you know, I would just advise people to really understand what you’re doing when you’re approving transactions or giving authorization. And just I would tell everybody, you know, go to Etherscan and look at token approval and, you know, just make sure that you have granted access to your wallet, to, you know, to different smart contracts that you know, you’re not aware of.
00:21:28:09 – 00:21:44:10
Richard Carthon: Great. Final thought. Thank you so much for that and for all the great reminders of all things security and all the ways that we can be educating ourselves to be more prepared for where Web3 is headed and even where ways that people can learn more about Halliburton and all the things that you have going on.
00:21:44:23 – 00:21:55:27
David Schwed: Yeah, sure. You can follow us on all our socials on now. We’re on Twitter. We have YouTube where we do AMA’s, and then we also do Twitter spaces where we bring on different guests each week. And you obviously can always check out Halliburton dot com as well.
00:21:57:01 – 00:22:05:14
Richard Carthon: Perfect. Well, again, David, thank you for all the information. Definitely enjoyed this conversation. And for everyone listening, as always, stay cryptoquant.
00:22:07:08 – 00:22:09:19
Richard Carthon: Thank you for joining us for another episode of cryptocurrency.
00:22:10:00 – 00:22:12:28
Richard Carthon: Cryptocurrencies, A cryptocurrency and blockchain education platform.
00:22:13:03 – 00:22:20:23
Richard Carthon: Bridging the gap between curious newcomers for just discovering the space and the thought leaders are shaping its future. All opinions expressed by Richard Carson.
00:22:20:27 – 00:22:28:19
Richard Carthon: The cricket team and their guests on this show are exclusively their own opinions on this show, and any other crypto print production is.
00:22:28:21 – 00:22:30:24
Richard Carthon: Exclusively for informational purposes.
Crypto Current will be guiding all of you who are new to the cryptocurrency world to becoming a cryptocurrency and blockchain expert. Crypto Current was founded to give access to information to everyone on current events occurring in cryptocurrency and blockchain in a digestible way. Since its creation, we have created content that impacted thousands of people through its podcast, blog, and social media.