
Juggling Chainsaws: How Amanda Gorton fought Apple & the DMCA while building Corellium

Your fledgling startup has just been sued by one of the most powerful companies in the world.

How do you defend yourself?

And keep your company afloat?

This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.

Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium who provide a service whose sales process must be governed by a clear sense of ethics to avoid it falling into the wrong hands. She shares the real-world challenges of developing and applying such a policy in a company, and while it may be uncomfortable to trust a small company with such a weighty responsibility, they just might be the very best option we have.

We explore the complicated nature of the DMCA in a world that has changed dramatically since its anti-Napster-driven inception back in the late 90s. From the NSA's release of Ghidra to Web3, we muse on the future of the DMCA, whose relevance seems to be slipping into the history books.

Meet our guest

Amanda Gorton

CEO of Corellium

Amanda Gorton is co-founder and CEO of Corellium, which provides an Arm-native cloud platform that virtualizes mobile and IoT devices across iOS, Android, and Linux. Corellium enables never-before-possible security research, development, and quality testing of apps, firmware, and hardware on Arm. Previously, Gorton co-founded and was the CEO of security startup Virtual, which was acquired by Citrix in 2014. She earned a degree in classics from Yale University.

Transcript

[00:00:00] Dave: Hey, welcome to Security Voices, Amanda.

[00:00:03] Amanda: it's really great to be here. Thank you for having me. 

[00:00:05] Dave: Cool. So Jack is not making it today, for all of y'all who are listening. He is busy, busy with life and family and probably a bit of work thrown in too, so wish Jack the best back east. And today we've got Amanda, who's the CEO and founder of Corellium.

Corellium has been in the news due to a whole bunch of things. First off, the first articles that I read were a great article explaining how cool it is, what Corellium built. And it was focused on being able to finally do a whole bunch of research on iOS and do it without having to do crazy setup and acquire a bunch of devices and so on. Useful for security, quality, a whole bunch of other things. So like an awesome test platform. You don't have to get your paws on a bunch of hardware. Like, that is worthy of the Forbes article that y'all had. Subsequent coverage has tended towards the, I wouldn't say salacious, but like, oh my God, there's a lawsuit, and things seem to have gone wrong between Corellium and Apple and so forth. So we'll focus a bit of energy there, but there's a whole bunch of other interesting things to talk about. But since it commands the headlines and so forth, we'll touch upon it. And I guess a couple of things before we get into this, for the audience.

So first off, I'm not a lawyer, and we talk about cases that are out there now, so we have to be careful. There may be a bit of editing here. We'll see how well-trained I am, if I can avoid putting Amanda in an awkward spot. Secondly, not a journalist. So this may be a little awkward in some regards. Any of you who have listened to previous episodes and thought, wow, he could handle that better, know this intrinsically. Third, no political agenda here whatsoever. I come from Michigan and a family full of independents, so we pride ourselves on our free thinking. So, having disclosed all of that, and hopefully an objective perspective, let's dive into this. And there's one area of this that I'm not objective on at all, as a founder, as someone leading a startup.

Oh God, is it a lot of work. I can't imagine, Amanda, what it was like. Doing your normal stuff, having all your normal business plans, and then, oh, here comes a lawsuit from Apple and this huge legal distraction. How did you handle the case, which seems to have gone at least somewhat in your favor, reasonably well, and still run the business at the same time and keep your brain from exploding? Like, what were your tactics? What did you do in order to handle it?

[00:02:53] Amanda: I'm not entirely sure my brain didn't explode. It was, it was fucking miserable, if I'm permitted to say.

Yeah, it is. I wouldn't wish it on my worst enemy. It was really, really miserable. It just, like you said, it takes so much time and energy away from what you want to be focused on, which is of course your startup. It's serving all the users and creating better and better products. And instead you're warding off legal threats and trying to wade through discovery and trying to figure out what the DMCA actually means.

It was an adventure. It was two years long. And to top it off, the cherry on top, you know, COVID hit right in the middle of it. So that was a fun addition. Yeah. So, you know, part of it, you do, like you said, you have to kind of compartmentalize, and you just, you toughen up, you power through. I grew up on a farm in Kansas City.

I would attribute some of my, I dunno, mental toughness or perseverance to that background, because I think you get to a point where if you've been on a farm, you know that you just have to buckle down and you work hard and you get through it. And whether that's mucking stalls or having to jump on a bunch of calls with lawyers, I think at a certain point you just mentally learn how to cope with it and you push on through and you hope for the best. I don't know if you're a Star Wars fan, but there's a line from Rogue One that I really love. It's something to the effect of, we'll take the next chance and the next until we win or the chances are spent.

And that's kind of, that's my philosophy. You know, you just keep pushing on, you keep taking the next chance, and you either win or...

[00:04:50] Dave: Fair enough. Is there anything during that time, dealing with the lawsuit, that you stopped doing? Did you say, you know what, for now I'm just going to set this aside? Or did you literally just say, okay, it's going to be two more hours a day into the evening? Or did you drop a hobby? Like what? It's a balloon squeeze, right? Like, what had to give?

[00:05:11] Amanda: Oh, so true. As a fellow founder, I'm sure you're aware that there really isn't time to give, you know, you're already devoting a hundred percent. I read something from another founder once that was, it was something to the effect of: everyone in life has certain goals. You know, you want to be healthy, you want to eat right, you want to have good relationships with your family, you want to have friends and a social life. If you're a founder, you can pick two. You can have a successful business and you can have great friendships, but you're not going to be able to commit to exercising every day or whatever.

I generally think there's some grain of truth in that, in the sense that you can't do everything; you have to pick what is most important to you. When you get sued by Apple, you don't get to pick any of those. Everything goes off the table. For the last two years, I think I've, no joke, probably worked from 7:00 AM to 12:00 most nights, including weekends. And it's just constant, non-stop, which with COVID was fine because I didn't have anything else to do.

[00:06:18] Dave: That thousand-piece puzzle can wait, right?

[00:06:22] Amanda: Exactly.

[00:06:22] Dave: Exactly. Food's getting delivered either way.

[00:06:26] Amanda: There you go. There you go.

[00:06:30] Dave: Oh, so it was just a huge hit on your personal life, it sounds like. And to a certain degree, any hobby that you might've pretended to have before then? Yep.

[00:06:40] Amanda: I love gardening, and I actually, I love puzzles. I'm a huge puzzle nerd, and I love to read, and I have a mountain of Audible backlog that I wish I could get to. But it'll wait, it'll get there. I think we're a little out of the woods.

[00:06:57] Dave: Yeah, the time will come. The time will come. So what's the state of the lawsuit now, and how much of your attention is back on the business? Like, just give us a rundown as to where you guys sit. And the company, Corellium, you guys started in 2017? 2017. Okay. And when did the lawsuit itself come through? 2019. 2019. So you had two years, effectively, right around two years before this hit, and a relationship with Apple beforehand. I mean, it seems like it started out relatively cordial and then it kind of took a turn.

[00:07:38] Amanda: That's safe to say. You know, we actually co-founded another company before Corellium called Virtual, which was a little bit of a predecessor.

We had an offer from Apple to buy that company. So we actually have a pretty long history with Apple and a pretty friendly relationship. We wound up not selling to Apple, of course. That was the first company; we sold to Citrix instead. They came in with a better offer, I think, for that company. When we were making the decision on where to go, a pretty major part of that decision was based on the company culture at Citrix. We were introduced to Mark Templeton, who was the CEO at the time, and Mark was just, he was so engaged and welcoming, and he had such integrity. Whereas the culture at Apple was a little standoffish. It was very siloed.

We didn't feel as connected to the leadership and weren't as convinced that they were as enthusiastic about the technology. The Citrix deal was also a better monetary deal. It was also just an overall better package. It turned out to be a really great experience, and it was something that I see as very formative in the sense that I definitely look to Mark as an example of the type of CEO that I want to be.

[00:09:02] Dave: Yeah. I've heard really good things about, I mean, just sort of a random connection, but last week I was out at happy hour with a friend who had Mark on his board, and yeah, he was saying very similar things. Just a great guy, really top-notch board member, CEO, and so forth. So yeah, oddly enough. So you'd sold Virtual, and I'm going to go out on a limb and say that company was also about virtualization. It's just a hunch, right?

[00:09:34] Amanda: Great.

[00:09:36] Dave: Yeah. Searing insight.

[00:09:39] Amanda: That's what we come for.

[00:09:43] Dave: What was the concept for Corellium, and what was the core of the idea? What was the big problem you were trying to solve? Was it really, we need more security research on these platforms, it needs to be easier, and there's a real opportunity here? Or was it something else?

[00:09:58] Amanda: You nailed it. We all had a background in various types of mobile-related, either development or testing or security research. And I think, for me personally, I worked at a mobile device management startup. That was actually where I met Chris, one of my co-founders. We both felt like the difficulty of managing devices, obtaining devices, trying to test and develop and maintain that device farm or test lab was so cumbersome.

It just felt like somebody should be doing something better. And then on top of that, trying to do security research on iOS devices, of course, was immensely challenging. They're so locked down. Yeah, so we just felt like there was this great opportunity to make a product that would both facilitate security research in a way that couldn't be done on real devices and facilitate a better overall testing and developing and securing experience for engineers who are working with not just mobile devices but also, you know, any Arm-based device. So our platform is actually, it's not just iOS. We do anything Arm-based. We kind of started with iOS because that's where we had a background and where we were familiar, but we had grander visions, I suppose.

And we added Android, and now we're doing IoT as well. And so we really kind of look at our platform as an Arm device virtualization platform.

[00:11:35] Dave: Got it. And who's the typical customer? Is it a security researcher, or is it quality folks more interested in just like, oh God, I need to test my app, my software, across all this stuff, and it's a pain in the neck to get all the devices, get the same experience debugging and the rest of it? Or is it mostly, like, what's the split between quality and security? And I may not have got it right at all, so feel free to repurpose it.

[00:12:05] Amanda: No, oh no. I think you're spot on.

Historically, our market has primarily trended towards the security side. As we have evolved, you know, we've added more users on the quality side. I think when we first started, we were very much anchored in the iOS jailbreak community and the security research community. And so when you start somewhere, that's generally where you grow your biggest base first. So it was kind of a natural outcropping of that, that we had a stronger foothold in security to start with. But over time, it's definitely evolving. And I think even within the security space, there's kind of an interesting sub-segmentation between folks looking at the security of devices themselves, so device firmwares, versus folks looking at the security of applications. Application testing, I think, is an interesting one and a challenging one, because if you're looking at mobile applications, say, if you're developing a mobile application or you want to test the security of an application, you still have to have all this physical hardware, but you don't really need the whole package.

You just want to be able to run that base operating system. But whether it's iOS or Android, it's just a huge challenge, to your point earlier, to test across all of those different versions and device models and platforms. And we try our best to make that a little easier.

[00:13:42] Dave: Yeah. There's an interesting point made by someone, and I don't want to take a big detour on this, but it's worth mentioning. I had someone ask recently and say, all right, tell me which one's more secure, iOS or Android. Like, which one should you be more worried about if you're running the device? And I won't betray where this person came from or their background or anything like that. But, you know, hands went up for each one, and then he said, it's Android. And it's not for the reason that you think. There's such a diversity of devices and operating systems, and the telcos will hold back on updates and so forth, that chances are, just due to interoperability issues alone, it's really hard to build something that'll run across Android devices, if it's an exploit and malware and everything. Whereas with iOS, you're force-fed the updates and everything is so controlled that actually getting an exploit to work on iOS is marvelous if you're a nation state or so on, because you know it's going to work across all the devices. You don't have nearly the testing issues. So I'd imagine you guys see quite a bit of that. You have, like, this much variety, a small amount of variety, for iOS and an oh-dear-God amount of variety for Android. Does that sound about right?

[00:15:06] Amanda: That's very aptly put. Yes. I completely echo that sentiment. You know, I think historically there's a very Apple-driven mantra that iOS is the more secure platform. I guess it depends a little bit on your threat model, but I completely echo the sentiment that, by and large, you probably are more secure on Android.

There are different threats, so, depending on how good your security hygiene is on your Android device, you can definitely get yourself into hot water if you're downloading shady apps or something, but...

[00:15:40] Dave: But that's anything. And this was kind of the classic thing. I did a fair amount with mobile security back in the early days. God, it was like 2009, 2010, something like that. And the sentiment was, and I think this is true today, it's just that the curation that Apple has done has kept most of the cruft out of the app market. Whereas with the Android marketplace and apps, you have to be a lot more cautious. I'm not sure if that's still true, but I bet it is.

[00:16:14] Amanda: I think that's true to a degree. I think in terms of maybe security threats, that's probably true, but it's interesting, you know, lately there was, I think his name was Costa, there was a guy on Twitter kind of pointing out certain scam applications on Apple and how they were getting through the approval process. It's always a challenge when you're working with a locked-down system like Apple's to validate those types of claims, where in an open system like Google's, it's a lot easier to figure out, to scan things or to see the results. But it makes, uh, you know, the comparison of...

[00:16:55] Dave: Yeah, directionally it sounds right, which is a pretty crappy test for truth. Yes. Yes. It was true at one time; it seems like it still would be. Yeah. Let's talk about where you guys sit with the lawsuit. So there was a judgment that I believe came out in favor of Corellium early this year or last year. What year is it anyway?

[00:17:17] Amanda: So the summary judgment was issued in December 2020, end of last year.

[00:17:28] Dave: Got it. Yep. So it was a good Christmas. There's presents under the tree. Lots to celebrate. Yes.

[00:17:34] Amanda: Yes, indeed. It was fantastic. It was honestly so unexpected. I think I can say this. So we were actually anticipating the inverse. So we thought that the summary judgment would come down in our favor on the DMCA but not on fair use. We were quite surprised, and pleasantly surprised.

[00:17:54] Dave: What was the argument on fair use, and what did the court find?

[00:17:58] Amanda: It's a lot to unpack. Um, the judge issued like a 40-page ruling, so there's a lot there. I guess in a nutshell, the argument can probably be boiled down to: fair use is a complex affirmative defense to copyright infringement. And essentially there are sort of four, what is the right term, points on which the fair use finding is evaluated. Four factors, I think. We could parse those all out, but my intuition, and I'm not a lawyer, but my intuition is that the gist behind those four factors is to try to help the court figure out if the public good outweighs the harm to the copyright holder. I.e., if you're doing something that is publicly beneficial, whether that's maybe performing satire or creating a copy to criticize something or do commentary, and you're not harming the market for the copyright holder, i.e., you're not selling knockoff books or something, then the courts will gravitate, I think, towards finding a fair use.

At a high level, I would sort of speculate that the judge felt that the good that our platform provided outweighed any harm to Apple, if there was any at all.

[00:19:29] Dave: Got it. So that's a big moment, but the DMCA portion of this still goes on. The Digital Millennium Copyright Act, for those who vaguely remember what this was: if you go back to the bygone era of Napster, my favorite Audiogalaxy, all the things that were happening in the late nineties when it was just bonkers, the music, the whole entire entertainment industry was losing their minds. We ended up with the DMCA getting signed in 1998, the heady days of the late nineties, by Bill Clinton. And here we are, we still have it 20-plus years later. And it has five titles in it, I think is what they're called. The first one, Title I, I think, is the one that's probably in play here. Did I get it right? Yes. Yes. Okay. And it has to do with access and use and all sorts of stuff. It's funny, I was listening to someone explain it this morning and I burst a brain vessel, because they got into it and they said, so it's actually not a DMCA violation to go in and jailbreak a phone to install what application you want. Totally cool. But if you go in and you unlock a phone, and you actually take a phone that was intended to be for, say, T-Mobile and move it to Verizon, that's actually a violation of the DMCA. So things get weird fast when you take a law that was from 23 years ago to the year of our Lord 2021 and try to understand exactly how this stuff applies. It's fresh and fun.

[00:21:25] Amanda: That is the right way to describe it. Technology has just changed so much and changed so rapidly. The DMCA just hasn't been able to keep up, and it creates all sorts of weird tensions and makes it very difficult to parse, even for seasoned lawyers. Now imagine a Florida jury trying to understand all that.

[00:21:50] Dave: Yeah. And so where's the case right now? So the DMCA side of this is undecided. It's going to go to court. Is that it?

[00:21:59] Amanda: So we actually are, our court date had been set and moved several times, thanks to COVID, but we were all set to go to trial in August. And we had a forced mediation with Apple right before trial was set to begin. We managed to resolve, sorry, I'm having to choose my words very carefully, because even though it's public, I'm still not supposed to sort of talk about the settlement agreement. So we managed to arrive at a settlement, which involves them dropping or dismissing their DMCA-related claims. So fortunately we all avoided having to go to trial over the DMCA.

[00:22:43] Dave: And forced mediation, I think, is just a kind way of saying the court doesn't want to deal with this crap. Like, we're just going to step in and see if we can get the two parties to a better place without having a trial with a whole bunch of Floridians having to understand it.

[00:23:00] Amanda: You're spot on. Yeah, exactly. I don't think anyone was very enthusiastic about that idea. We spent, I don't know how many hours, trying to create PowerPoints and decks to just distill this idea down to something that we thought a fellow average Floridian with no technical background might be able to understand. And honestly, I don't think we ever nailed it. I was very relieved we didn't have to go to trial over that. It's not just the DMCA itself. It's also, our technology is really difficult to understand if you're not a technical person. I mean, if you understand what virtualization is, you're home free. But if you're trying to explain to a layperson that, you know, you create a virtual version of an iPhone, I mean, it's a challenge.

[00:23:50] Dave: Yeah. Yeah. I mean, I ran Norton for a period of time and had to explain things like behavioral anti-malware in consumer terms.

[00:24:01] Amanda: I don't envy you.

[00:24:02] Dave: It was a good mental muscle to build. And like you said, there's lots of times where you get to the end of it and it's, I don't think this is awesome, but this is probably about as good as we're going to get. Grandma just doesn't need to understand true intrusion prevention signatures. Where does the lawsuit stand today?

[00:24:20] Amanda: So the DMCA claims were dropped, but Apple has filed an appeal for the original copyright infringement claims, so for that summary judgment. And Apple's appeal brief, I think they filed last week, last Friday, something like that.

[00:24:39] Dave: So very recent.

[00:24:41] Amanda: Yes, very recently. And we are gearing up to file our reply, and then they will get a second reply, and then there will be amicus briefs, and then there will be oral arguments. And I think all of that will happen over the next year or so. So it's very much in the background for me right now. I don't have to do as much or be as involved nearly as much as I was in the case before. And we have absolutely stellar, phenomenal lawyers. It's actually the firm that did Google v. Oracle; they know their shit. And I think they'll do a really phenomenal job.

[00:25:17] Dave: And what's the, hopefully we can talk about this, but what's the gist, in plain English, of the copyright claims? What are they contesting?

[00:25:28] Amanda: The easiest way to say it is that they have these iOS files that they make freely available online. The way our platform works is, when a user in the cloud goes to create a new virtual device, we download their iOS file from their servers and we run it in our virtual machine, and the user can then interact with it and run apps on it and inspect it, all that kind of stuff. And so their argument is that when we are downloading it, we are making a copy of it and we are violating their copyright when we do that.

[00:26:12] Dave: Or infringing.

[00:26:15] Amanda: It's an interesting case because they kind of insinuate that we make knockoff iPhones, that we are creating perfect replicas, as if somehow we've rewritten iOS from scratch and just created this perfect replica of iOS. It's more like if you were hosting files online, made them freely available, and someone else was downloading them, and you were saying, hey, wait a minute, I don't want you to download them and do that.

[00:26:43] Dave: It could go on for a long time. The DMCA portion is settled; the copyright claim remains. For better or worse, let's, you know, I would imagine part of Apple's reticence, and I'll say this so that you don't have to, and it's just my kind of musing, is there's probably a portion of this where it's like, do I love someone hosting a platform that's doing a hell of a lot of research on iOS that's outside of my control and so forth? I can imagine them getting squirrely about that and not liking that. And there's all sorts of things here. And a lot of this is, there's folks who have really dealt and delved into the ethics of security research and vuln research in this area, so I'm going to scratch at the surface of an admittedly incredibly complex topic here. But you get into it, and where I end up with a lot of this is: would I rather have a young company hosting this, who I think is relatively objective, or would I rather have Apple hosting it and offering it up and be kind of prey to whatever they want to do with it and managing the story, or, God forbid, would I want the government to be doing something like this, if they could?

And I'll tell you, as much as I don't love any of those options, provided that the young company behaves ethically, I trust the ethics of a young company more than the government and more than Apple, simply because they don't have the inborn biases and some of the temptations. Not that the people are any different or better or worse, let's set that aside, but Apple's going to have a bias in this. They have a horse in the race. They're going to want to manage the optics. And on the government side, we saw this with EternalBlue and everything that's happened with the NSA. It's like they have no incentive to share this information with you if it furthers their mission in other areas, and that's not going to go away. And I'm not sure we want that to go away, to a degree, too. So you end up with it, and if we assume that it's a good thing that people can effectively do security research, you end up, at least inside my skull, with a pretty good argument that a Corellium, or something a lot like a Corellium, should probably be the ones providing this service.

That's kind of where my head ends up on it. And I don't imagine that's a particularly controversial statement with you, but part of my premise on it is the ethics of the organization providing it, because there's a whole bunch of ethical vulnerability and security researchers out there, and organizations that would want to do this, but there's also folks who clearly are probably not folks we, as a security community, would want you selling your product to or letting them use your platform. So I guess my question to you is, how do you manage that? Do you have an internal ethics board? How do you approach that conundrum?

[00:30:00] Amanda: I think your analysis is cogent and I it's, it's definitely not controversial with me.

I share your sentiment. That it's important for any company. A company like ours to, to consider the audience they're selling to and to consider how their product could be used. I personally feel that as a company, as a CEO, it's imperative to consider the ethics of what you're selling and how you're selling and your impact on society.

And so this is a, it's a question that I find very important and it matters a lot to me. So we do have a fairly, I guess, robust vetting process. I think we can always do better and we're always constantly striving to improve. But I guess to unpack a little bit about, about how we approach things, there's a sort of certain level where.

Certain companies come in and they're kind of household names and there's not really a vetting process there, you know, if Microsoft or Facebook or whatever it comes in, that that doesn't really require vetting. It's when there are companies that we sort of don't recognize the names or they're coming to us from overseas.

that's when we start to apply a more rigorous vetting process. So we have two products. We have both a cloud product and an on-site product, and our vetting processes for both of those are a little different. We're a little more stringent with the on-site product. So for the cloud product, we gate access.

So we require a request for an invitation. We never just let anyone on arbitrarily. When an invite is requested, we generally first look to see where the request is coming from. Is it from inside the U.S. or is it from outside the U.S.? There are certain regions that we just don't support; that whittles things down and makes things a little easier.

So China, Russia,

anything on the embargo list, of course. Yeah. Um, and then beyond that, we just don't really have the bandwidth to deal with regions like Africa or most of, you know, Central Asia. So we just sort of say, you know, we're not ready for that, and we'll maybe open access there a bit later. We use geography to help us limit the scope, and then

from there, if we don't recognize a company, we will do research on it. So we'll look them up on Google, and we're essentially looking for, you know, is this a legitimate company? Do they have a web presence? What kind of work are they doing? And then from there, you know, you kind of start to whittle things down into a process of, well, the

kind of borderline, or I can't find enough information, and we have a kind of review process for that. So we have, not an official advisory board, but we have a group of folks throughout the security industry where, if we really don't recognize something or we just want some second eyes, then we tap folks and say, "Hey, do you know who this is? Do you

recognize this name?" And, oh man, we've definitely had some really interesting applicants. Candidly, we've had some that we've reported to the FBI. And we've definitely got requests from NSO, DarkMatter, the whole shebang. It's inevitable. And actually, kind of, I guess, maybe a little bit embarrassingly, or kind of a funny story:

So we started selling in 2018, and our first customer was asthma security, and they became our reseller. We started selling more; we started expanding our sales beyond just using them as a reseller in 2019. And this was pre, like, when anyone actually knew NSO. So we engaged with them at Infiltrate, and none of us really knew who they were or what they were doing at that point.

So we kind of started talking with them at Infiltrate, and they seemed like a really good fit for the platform. They seemed to be doing, you know, stuff that is in our wheelhouse. And I think we even invited them to do a trial, not knowing who they were yet. And then we started digging in on them and started doing a little bit more vetting, and it was really before, you know, any articles or anything had come out.

And one of our contacts was like, "Yeah, you should be really careful around them." And yeah, so we just politely cut off contact. And they were honestly like, they didn't want to use the product. Like, they didn't want to actually test on anything. They wanted us to ship them a server so they could test.

And that was like, okay, red flag. So, you know, it's a process, and we try to be very careful, but it's still imperfect. I don't think there's ever a way to catch everything. And I guess as a kind of mitigation, you know, we aren't able to shut down a remote server, but we do have a kind of license expiration.

So very worst case, if, God forbid, we did sell to someone and we found out they were doing something that violated our terms and we needed to shut them down, at least at the end of their current term we could make sure that the service was discontinued.

[00:35:50] Dave: It strikes me that there are only so many ways to do this.

I've heard Clearview AI, very controversial company, facial recognition, I'm sure a whole bunch of folks have heard about it; we've talked about it on the podcast. You know, they basically have a hard rule that says we only sell to law enforcement and, I forget who else, kind of national defense. Clearly wouldn't work for y'all.

Another one that I've heard of, similar situation. So I think this is common; this is really not unusual. They talked about an ethics board, so they had an internal ethics board that everything had to go through, and it had to get the approval of the ethics board before we go on. So, and I think almost all of these start out with some sort of geographic distinction, and the policy kind of follows.

So it's super interesting to me, basically how much is happening now inside smallish companies with respect to arbitrating on ethics around sales and usage and so forth. It's like, you play this out a little bit and you see, like, you know, what's happening with Facebook. It doesn't take too much to get you back to, like, a Neal Stephenson Snow Crash scenario, where you've got the world divvied up by companies, each with their own rules and so forth.

I think we're quite a ways away from Snow Crash, no matter how many times Facebook renames itself, but it definitely kind of takes your head in that direction at times.

[00:37:23] Amanda: I don't think there's enough public discussion within the security industry about ethics and about the implications of ethical questions, and trying to standardize how to approach these types of things.

[00:37:38] Dave: I think the future of the DMCA is, as we look at this, I mean, I've done some musing. There's clearly, and I believe there's a carve-out in the DMCA for security research, isn't there? If I'm not mistaken.

[00:37:52] Amanda: There is. It's a little problematic because it's a little vague. So it exists, but whether or not it actually protects security research the way it was intended, or the way security researchers might hope it would, there,

there's a bit of a question mark there.

[00:38:09] Dave: Um, can you get into that at all? Or is that territory that's best left to people's own research? 

[00:38:15] Amanda: The phrasing of the DMCA, and this is not just for the security research exemption but in general for the whole law, it's caveated in ways that, phew. I think with the security research exemption, if I'm not mistaken, you need to have the permission of the copyright holder.

And so if you're performing security research on a piece of software and you haven't gotten explicit permission to do that research, then it may not be considered good-faith security research. Or if you're performing security research on, this is getting a bit into the weeds, but there's a description of what the security research can be performed on.

And there was a question in our case of whether performing research on, say, iOS or even iOS applications qualifies under the definition of what security research means, whether it has to be more a computer or a computer network. It is fraught with ambiguity. And that creates, I think, a really unfortunate chilling effect on security research, because it puts the legality or the safety of security research in limbo, which is silly.

You know, security research is so critical. There are so many instances where independent security research has exposed vulnerabilities that have had global impact.

[00:39:44] Dave: I'll say, so I was kind of musing this morning as I was dusting up on this a bit. And I was thinking, how does the NSA releasing Ghidra play into all of this, right?

Yeah. You know, you've got basically a tool that's released like IDA Pro, at least I think it's German, or at least it's, you know, it's European, and the DMCA is U.S. only, so U.S. law. So you're looking at the point where the NSA releases a disassembly tool as freeware. How does that play into this?

It creates a really interesting tension on the DMCA when you see the government releasing a very popular and very capable disassembly tool whose primary intent, like, isn't masked whatsoever: it's for security and vulnerability research. It creates a very interesting tension on the DMCA that I haven't seen explored.

I think

[00:40:51] Amanda: you're spot on. I completely agree. And I think it's difficult to tease apart, or to call out, you know, the difference between, say, Ghidra and Corellium, right? So in both cases you could download an IPSW and use the tool to explore the target, you know, copyrighted work. And so I guess, what's the difference?

You know, why is one permitted and one not? There are a number of tools that I think this applies to, and it may speak to Apple's true intentions, that hypocrisy or descriptive.

[00:41:33] Dave: Yeah, well, and I think what it speaks to as well is just how antiquated the DMCA is now. And, I mean, look, it's far from alone.

A lot of the stuff that's, if I understand correctly, like a lot of the lawsuits that come in in security stem back to the Computer Fraud and Abuse Act of 1984. So, I mean, by that standard the DMCA is pretty darn new. It's pretty novel, pretty fresh, but by the standard of what it was intended to do versus where we are today, it just looks a little

a little aged, to be kind. And we were kicking this around beforehand, and this was the rest of my morning musings here, was, wow, with everything that's happening with Web3 and blockchain and NFTs. And I hate to say it, I'll say crypto, okay, because that's how people want to hear it, even though I know it makes certain people's ears bleed in the security community.

Yeah. Looking at it like, so if the DMCA was born when we were trying to solve really important digital scarcity problems with DRM and all sorts of other crap that didn't work, and Web2 solved the problem by basically creating services that made it easier, you know, your Spotify, your Twitters and everything else, with Web3, with a really decentralized but clear ownership model where we can create digital scarcity,

it almost, and this is, you know, my crazy thinking, I get up way too early and I ponder things like this, I was like, do you even bother to replace the DMCA at some point? You know, or do you just gut the whole thing and restart? Because right now it seems a little old. Fast forward to where Web3's got its talons more inside the industry

and it's even clearer what the eventual outcomes are; you almost are better just to wait and blow it up and restart in five years. And again, this is totally my musing, but just early morning thoughts by Dave Cole. React to that or not, Amanda.

[00:43:45] Amanda: I don't necessarily disagree. I'm not sure that there's enough...

Well, I think you're spot on that, with the rapid pace of change of technology, law has a hard time keeping up with that, and I'm not convinced that we'll be able to achieve enough forward momentum or enough change to make the DMCA really fairly balanced in protecting copyright holders while also

giving way to the practicalities of technology today, and particularly around security research.

[00:44:22] Dave: And look, if I can protect my ownership by a cryptographic signature, then at the end of the day, and through this decentralized network, those provisions aren't really that interesting to me anymore.

So I wonder if this conversation just doesn't go away, or at least it dramatically changes, in 10 to 20 years as the concepts of copyright and the networks for sharing, and the power, shift from these centralized networks into more of the makers and the artists, which is the way the wind seems to be blowing.

It's going to be super interesting to find out. Yeah. All right. Well, let's start to wrap things up here. We do a turbo round. First question in it is, what's the last thing that you read? Now, in the least, the portion of the lawsuit's done and everything else. What's the last piece of media that you took in that really, really impacted you?

Be it a podcast, be it a book, be it a movie.

[00:45:34] Amanda: It's been a while since I've had time to devote to reading. I used to read all the time. I think the last thing I read that really impacted me was a book called The Fish That Ate the Whale. And it was about a sort of Russian Israeli immigrant in the United States who became the banana king.

It's a really fascinating lens on the history of America's relationship with Central and South America. Strongly recommended. I've read a lot lately about, well, historically, for the case, I was doing a lot of reading around guerrilla warfare and military strategy as a way to develop my skills in dealing with Apple.

I think, for what it's worth, The Art of War is worth a look. You know, it's an oldie but a goodie.

[00:46:27] Dave: Oh, Sun Tzu. Yeah. Yep. All right. Throughout all of the mayhem of the startup and Apple and everything else, when you need some great advice, a shoulder to cry on, who's on your speed dial?

Who do you go to? 

[00:46:44] Amanda: My dad. Yeah. It's a bit cliche, but it's my dad.

[00:46:52] Dave: That's awesome. So what's getting better in security? If you were to look at it, where it can be such a dismal industry, but you're an entrepreneur, and entrepreneurs often have an inherent optimism in spite of all the craziness that they go through.

And uncertainty. There's usually like a thread of optimism where you can see things that are getting better. And certainly you have an interesting vantage point, given what Corellium does in the security community. What do you see getting better? What's improved in the past 12 months, and what are you optimistic about?

The first thing that

[00:47:27] Amanda: comes to mind is diversity. I've not been in the security industry as long as others, and sometimes I'm not even sure I'm really in the security industry at all, but I think that, at least from my vantage point, in the last 12 months or so I see an increase in the presence of

non-cis white males having a voice and an impact and being featured. And I think that's a really positive progression. I also think that there are positive trends in basic, well, let me roll that back a little. I think that ransomware has been terrible, and it has been prolific, but I think a potential outcome of that, or some fallout of that, has been a little bit of a better

understanding or messaging about the basics of security hygiene. And so I'm cautiously optimistic that there's a little bit more familiarity with things like MFA or just securing your networks. And so I'm kind of cautiously optimistic that maybe basic enterprise hygiene will get a little bit better.

[00:48:46] Dave: Yeah. Yeah. I mean, it's certainly been all over the headlines. Yeah. And it was funny, like right before this, I was on Twitter and there was a tweet from Jen Easterly, you know, kind of, use MFA, 99% reduction in... Yeah. It's something we just wouldn't have seen a couple of years ago.

[00:49:09] Amanda: Absolutely. And Google, I think, is taking a strong initiative and essentially forcing users to use MFA. Yeah. So, I mean, we'll see. Who knows.

[00:49:21] Dave: There's always, when you start messing with people's gasoline and their meat, you know,

[00:49:31] Amanda: I guess that's what it takes.

[00:49:31] Dave: Maybe. At least, you know, in the U.S. Yup. Yup. Cool, cool, cool. All right. It's been delightful talking to you. We both have to go back to our respective startup experiences, so trying to put the hard hat back on and go back in. So nice meeting you, Amanda. Thanks so much for joining us.

[00:49:53] Amanda: Likewise, thank you so much for having me. It was such a pleasure.