The content of this article is personal, with thoughts, anecdotes and observations. They do not reflect the position or view of my employer.

Today marks my last day in the offices of SecuringSAM, the hacker team who prove themselves to the Telco world by breaking into domestic routers before fixing them. I'll be sad to go, but I have to move on to Hysolate for a few days, then finally switch over to Illusive Networks before I fly home. At which point, I'll have spent a month in Tel Aviv this year.

The Atmosphere

First things first - the atmosphere. So much effort is made by the company and CEO Sivan to make everyone always feel included, cared for, and that they're a critical part of the wider team. Everyone is equal. Yes, there are a couple of Team Leads and Sivan ultimately has veto, but there is no tension in the air whatsoever. On the contrary, I think you'd have trouble imposing any kind of rigour and hierarchy here. It isn't needed anyway - everyone is always busy and working hard without any need for whip-crackers.

Cookies, Lunch, Beer and more Cookies

The rumours which reach the corporate world of Start-Up food haven't been exaggerated. There are jars and whole drawers full of cookies, nuts and breakfast bars. Cheese on toast? That's an option too. There is fruit as well but somehow that doesn't seem as popular. The coffee and tea are also unlimited and freshly ground from the machine, so as a coffeeholic, I'm pretty content here.

One of the more novel ideas is a Thursday evening happy hour (equivalent to Friday evening in Israel). Employer-paid beer boxes are brought out of the fridge and the CEO gives a short recount of the week's achievements before toasting and everyone drinks until the end of the working day. Music comes out, and everyone begins to unwind for the weekend. I like this mentality. We had a couple of evenings out too which were great fun.

Office Dogs

Throughout this entire Team8 building, each floor has a collection of dogs who provide company, games and happiness for the staff. I saw similar at Amazon HQ in Seattle where dogs get to come into their office and keep their owners company. Amazon even pay for an on-site dog crèche so the pets are looked after whilst their owners are busy, meaning they don't have to be locked in at home all day. According to SeattleDogSpot there are 1500 dogs registered on the company database.

From what I've seen of the Team8 premises the dogs have free roam of the office to play, or curl up on beds beside desks when they want some chillout time. I don't even own the dogs and having them around is uplifting for me, since they'll come and rest their heads in my lap or just swing by for petting and attention while I'm working. Whatever your view on dogs in the office may be, I feel I can make a fair assumption that if anyone tried to say they couldn't come into a business anymore when it was previously allowed, people would consider not coming in themselves.

Nina with Eylon
Nina wants more belly rubs

Some more notes on Food

Something which is apparently quite common in Israel is for your employer to sponsor your lunch. From what I've heard it's one of those funny-money deals where a lump sum is added to your salary but only if you take that money and put it on a special card which you can use at nearby food outlets and restaurants. Whether funny-money or not, this idea of the employer paying for lunch does two things...

Firstly, as you'd imagine, it builds up the team spirit and gets people sitting and eating together. Many businesses have shared eating areas and so that isn't unusual. What is unusual is the psychology behind having your lunch bought for you by your employer, and I had it explained to me something like this...

It's like helping your friend move house. If they say you'll be paid in beer and pizza you'll be delighted. Helping your friends and getting treats? Result. But, if you were helping your friend move house and they offered you £5, you'd feel awkward or even unwilling. Another example is surveys. If you are told you'll get 50p for taking part in a survey, you'll probably keep walking, but if instead you're offered a thick slice of pizza you'll likely take the time. They cost the same to the surveyor, but one is seen as a greater incentive and reward than the other. The same is true for employer-provided lunches: there is something more satisfying about having your lunch paid for by the employer than getting the equivalent cash - if that is even an option.

Office Fridge of Memories

SecuringSAM - Why and How

Now that I've vented my enthusiasm for the workplace, on to what this team actually builds.

Almost every home in the western world has elements of what the Telco business calls Customer Premises Equipment or 'CPE'. The term covers many elements but typically the term refers to domestic routers and firewalls provided by an Internet Service Provider (BT, Virgin, Comcast, Sky etc.) to uplink the customer's home to the broadband service they've paid for. Not only does it 'give you internet', but it also serves as the central choke and control point for the connected devices in your home.

In recent years the security capabilities of these devices have grown exponentially as flash memory and processing power have become more affordable. However, there is still a set of capabilities that need addressing.

  • The domestic router doesn't (often) act as an enforcement point to spot malicious traffic.
  • Simple functionality for customers to isolate devices from one another in 'zones'. Some routers have the capability in their hardware (but it is rarely accessible) and others don't have it at all (SecuringSAM has found a very clever way to achieve it on either).
  • In line with the concept of 'Zones', there is no support for auto-categorisation or detection of Internet of Things devices. This is the idea of a Nest automatically being put in the 'Smart Home' zone when it joins the network and stopping it from talking to your laptop.
  • The capability to inspect and infer behaviour and classification from traffic, using Deep Packet Inspection (DPI).
  • Patching out security vulnerabilities of the router, and malicious traffic signatures in minutes.

I can't give away all of the technical goodies I've learnt in my time here (obviously). What I can do though, is say that SecuringSAM have achieved all the points above. That in itself isn't the most impressive aspect though. Any manufacturer could put these capabilities on their routers if people were prepared to pay enough for powerful hardware and enterprise-grade software. What SecuringSAM has done is commoditise these features and build a framework that allows them to inject their software onto near enough any domestic router and apply their feature set on top of the stock firmware. This means that in principle all Sky, Virgin, Telefonica etc. have to do is provide some flash memory space for the SAM software and everything is fine.

That is an important point though - Space. Free space. Finding it.

Relatively speaking, domestic routers are not expensive to manufacture. All businesses want to keep costs down though, so only the bare minimum hardware required to have a satisfactory user experience is installed. For instance, a router manufacturer might tell a Telco that they can have devices with 32MB, 64MB, 128MB etc. of flash storage and 64MB, 128MB, etc. of RAM. Then a decision has to be made. Do the Telco's software engineers build software to fit lower-end devices (and save money), or does the business buy devices with extra capacity, which will allow for more features but with a lot of spare headroom afterwards? You can guess which wins out.

Since the Telco software engineers are forced to work in a small space to begin with, they use clever tricks to compress their software down to fit on the flash storage and operate within the memory constraints, but with little to no spare overhead. The SecuringSAM team are often working with constraints of 4-6MB of flash storage space, and 8MB of RAM. To put things in perspective, Game Boy Advance game cartridges have four times that amount. The SAM agent has to be extremely conservative not only with flash storage but also with running memory. On top of that, the processing power in these units is very low, but the SecuringSAM team explained to me that the lower limit they can work with is a 400MHz single core, which most of today's commodity routers exceed.

Proving Capability

Even though 30% of Israel's Bezeq-provided routers have SAM installed, other providers are hesitant to get involved. They want SAM to prove capabilities on their hardware, but when it comes to providing the original unlocked firmware for the SAM developers to work with, they don't deliver. So the SAM developers have to prove themselves twice over - once to show their code works, and a second time because they have to break into the routers of the providers and install themselves in the same way malware creators do! It is the ultimate way of catching commercial and corporate attention - "Hey, I just broke the thing you've sold to your customers, and the software we create fixes this, interested?".

On Day 2 of being in the office, there was celebration when one engineer compromised a popular router which a well-known provider in Europe sent to the SAM labs. It had been a challenge for weeks but now with it beaten there was an avenue to install the SAM agent and demonstrate to that provider the capabilities of the software. Hopefully, that provider will look to work with SAM when they hear the news and see the demo.

A PCB extracted from a router in the SAM office

Having the SecuringSAM agent installed on the router itself is a key differentiator for the company in comparison to others who are building similar services. By running on the router itself, no additional hardware needs to be installed on the premises (which may mean truck-rolls for the Telco), and customers don't have to risk botching the installation or pay large amounts of money for the appliance ($100!), and those are just the logistical points. From a security architecture perspective, you need isolation, analysis and enforcement to occur on the unit that relays the data in the first place. That's not to say that solutions which sit outside the router (before, after, or parallel) don't work. It's just that performance-wise they'll never quite equal enforcement on the router itself. Any external solution in-line has N+2 network hops to and from the router, which adds latency.

Engineers like Netanel design and build the ultra-lightweight agent which runs on the routers.

Despite still identifying as a Start-Up, SecuringSAM has many attributes which put it ahead of that category. There are paying customers (30% of Bezeq, Israel's leading provider) and several trials running with other providers internationally. On top of that, the company just successfully closed a strong USD $12 million in Series A funding.

That's it. I've had a great time here. To close up, here is a photo of Nina. Eylon brought her to my desk to pose for one last photo.

Nina 'The Cute' Saadon