Secure Communications in Embedded Systems with Ismael Valenzuela and John Wall

John Wall

BlackBerry is a Canadian company known for its pivotal role in the smartphone Market during the 2000s. Today, BlackBerry has adopted a major focus on cybersecurity. John Wall is the SVP and head of BlackBerry QNX, overseeing engineering, product and operations. Ismail Valenzuela is the Vice President of Threat Research and intelligence at BlackBerry where he leads threat research, intelligence and defensive innovation. John and Ismail joined the podcast to talk about cybersecurity at BlackBerry, including secure communications and embedded systems. Gregor Vand is a security focused technologist and is the founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile@vand hk.

Gregor Vand

Hi, John and Ishmael, welcome to Software Engineering Daily.

Ismail Valenzuela

Hello. Thank you, Gregor, for having us.

John Wall

Yeah, great to be here.

Gregor Vand

Great to have you both here. Both from BlackBerry, which is a company that I'm sure our listener base definitely know of, but I also suspect that quite a few listeners maybe don't know of it beyond the handset business. And I'm sure many had handsets back in the day like myself, a product that I love dearly. And, you know, today we're not here to sort of rehash the history of BlackBerry. You know, there's. I read the book Losing the Signal. It's a very good book if the history lesson is what someone wants to dive into. And you know, that inspired a film as well. So that's where we'll kind of leave that. Today we're going to be speaking about the QNX platform and we're also going to be speaking about threat intelligence and cybersecurity at BlackBerry, which is a huge part of the company offering. Today we're going to start with you, John. You have quite a deep history with the QNX side of the business. Love to just get a bit of a history actually on you first. Like what was your sort of journey through? I mean, I think QNX is quite, excuse the pun, embedded in your work history.

John Wall

Absolutely.

Gregor Vand

And then. Yeah, how has that sort of led into QNX today?

John Wall

Yeah, I mean, some will say I came with the building. So I've been at QNX since 1993 when QNX was a private company building embedded Software running on x86 PCs. At the time, really focused on industrial automation and factory control and medical devices. Then towards, you know, as we got closer to the 2000s, we started getting into automotive. We had Delphi as our first customer. So Delphi being A part of GM at that time spun out and we were doing systems for gm. And there's a little company in Germany that noticed what we were doing called Becker that happened to be owned by Harman. Harman. When you think of JBL, Harman, Kardon, etc. And the biggest part of the Harman portfolio was the Becker Automotive Group in Germany. They bought us and we really started getting heavily into automotive. I personally was the person that was nominated to interface to the parent company. So I built a team. That team was there to serve the parent company in all their programs. Very, very difficult. Lots of automotive programs, infotainment programs, a lot of pressure, seven days a week, 14 hour days, regular trips to Germany, a lot of yelling, getting screamed at by automakers. But it was an amazing journey. It taught us a lot. And then in 2010 we got sold to BlackBerry and it was very interesting because it was a technology buy, wasn't, you know, for revenue or for anything else. It was strictly a technology buy. And the idea was for the QNX operating system to become the foundation of the BB10 phone. Interestingly enough, while I was managing the group that was interfacing to our parent company, once we got bought by BlackBerry, the kind of independent part of QNX started working for BlackBerry on building the handset. And I kind of stayed back and said, no, I want to continue this automotive thing that we're doing. I want to continue to sell QNX as an independent product. And we kind of rebuilt QNX for from that point on. And you could imagine in those days, 2010, BlackBerry was still a huge company. QNX was a rounding error in comparison to the amount of revenue that was coming in from the handsets. So I was able to keep my head down, kind of operate out of sight and start to rebuild qnx. And we really started focusing on not just infotainment, but where the cars were going with autonomous drive, focused on safety software. And obviously as the company's fortunes in handsets started to diminish, QNX started playing a bigger and bigger role. As we got more successful in automotive, as cars and other devices out there became more software defined, especially when you're thinking about mission critical software, mission critical devices, that is what our products serve. We started to grow within BlackBerry and become less of a rounding error and a little bit more important to the revenue of the company. And that brings us to where we are today, where, you know, we feel that we have a very good future ahead of us and we play, I think, a important role within BlackBerry.

Gregor Vand

Yeah, very interesting. We're going to talk a lot more about the automotive side and some other industries. Just flipping back very briefly to your history. Have you always been in embedded systems? Was QNX a sort of accident almost to get involved with or what was the story there?

John Wall

Yeah, I mean, I graduated in 1992. I'm an electrical engineer. We were in a recession. I had a friend that worked at qnx. I never intended to get into software. I was more of a hardware person, an analog person. Started working at qnx. Obviously, I started at the very bottom. I started in tech support, which, believe it or not, in those days was a phone call or a fax. There was no email. So we were dealing with the customers directly. And I really enjoyed the customer facing part of it. And so I tended to gravitate. You know, I moved up within the organization from an engineering perspective, you know, from tech support to an engineer, to a development manager, to a director. But I always kind of stayed on the side that was more customer facing, you know, engineering services, the groups that tended to have to deliver to the customers. So that was something that I found very fascinating. And I really enjoyed having an outward view as opposed to more of an internal view. And so I always gravitated towards the jobs that allowed me to be in front of the customer.

Gregor Vand

Yeah, very interesting. Yeah. Talking about qnx, let's stick on automotive sort of briefly. I mean, there's other industries that I believe we can also talk about. I guess it's just sort of trying to set the platform in context. Could you give some examples you've mentioned, obviously, jbl, Harman, Kardon, that might give some hints as to what QNX can help with. But, you know, what systems are we talking about and why do we need such a sort of, I guess, specific or proprietary embedded system to run these things? And let's just stick on automotive for now.

John Wall

Yeah, maybe a little bit of a history lesson there and maybe to talk about the progression. You know, when we first got into automotive, it was infotainment. You know, Android did not exist. IOS did not exist. QNX had a very rich environment for infotainment systems. We had multimedia engines. We had. Our founder at that time was fascinated by becoming the next desktop and competing with Microsoft Windows 95, etc. So we had all the elements needed to build infotainment systems and we became the dominant force with well over 60% market share of infotainment from 2004 to 2012. So that's really where we cut our teeth in automotive. So if you were driving an Audi or a BMW or a Porsche or a GM vehicle or Chrysler vehicle. In those days, the infotainment system would have been based on QNX. So from anywhere from 2008 to 2018, most of the vehicles that they were running QNX infotainment systems. So your navigation, your multimedia, your ipod integration, your iPhone integration, Android. But then in around probably 2013, we started to see that Android was coming on and trying to recreate the handset experience. Every single time with every single OEM was not going to be possible and that they were going to take Android. You know, it was a full platform, it had everything you needed for the experience within the vehicle. So then we started to look at, well, where is the car going? And what we could see even in 2014 is if autonomous drive is going to be a thing, it's going to require a lot of cpu, it's going to require a lot of processing power. So it's going to require a high level operating system like the type of operating system that we have, it's going to require real time operating system, so deterministic operating system. And above all it's going to require a level of safety certification that is very difficult to achieve and very unique to niche players. And so we really put our heads down, really focused on that. And so today what you'll see us and if you look at Mercedes that announced the Level 3 drive system that they have in California and in Germany, that's a QNX based system. If you look at BMW that announced a level three drive system, that's QNX as well. And if you look at probably most of the cars out there, I think Our stat is 24 of 25 EVs and all the other cars. Any safety based system that requires a high level operating system that is running on a high performance compute is running qnx. So for instance, if you look at Nvidia that have the Nvidia drive, the operating system is qnx. If you look at the Qualcomm solution, Qualcomm ride, it's running on QNX as well as an operating system. So just about every advanced driver system out there today is based on our software.

Gregor Vand

That's fascinating. So I think it's fair to say that most of our listeners will have interacted with a QNX based system at some point.

John Wall

They absolutely will. And the other area that is very popular is what we call a digital cockpit. So you used to have your infotainment system. Now what they've done is they've consolidated the infotainment system with Your Digital Instrument Cluster, your H Vac used hypervisor virtualization solution to be able to run Android and to be able to run maybe some safety systems like the cluster. So we are dominant in that as well.

Gregor Vand

So, I mean, there's obviously quite a few areas to unpack here in terms of how this all kind of works, I guess under the hood. I'm aware there's this idea of microkernel architecture, I believe, and I can only imagine that sort of leads into quite a few areas, performance also just the real time capabilities, et cetera. Could you speak a bit to what is that microkernel architecture? Why and what does that sort of make possible?

John Wall

I think the why is the history of our founders. That's the university project that they did was a microkernel approach. And just to give your listeners a little bit of knowledge of what this means is in a microkernel architecture, it means that everything runs in user space. So your drivers, your applications, they all run in user space, they can be stopped, they can be started. Whereas with a monolithic kernel, you're talking about something like Linux or Windows, where everything is kind of linked into one blob sharing the same address space. So the advantage that that gives us is it gives us a big advantage on reliability. One application or one driver does not take down the system. It also makes the approach of safety certification much easier for us based on the architecture. So it really allows us to be able to update systems in the field that have safety requirements without having to redo whole recertification of the system. The disadvantage of a Microkernel is you have to be much more careful about how the system is designed to achieve performance because you are in different address spaces. There's context switching as you go from one application to another. Your drivers are all separate, whereas in Linux they're all in one space, which makes it very efficient from a performance perspective. But we have all kinds of ways of mitigating that. But it really gives us an advantage for making the system robust and also for making the system, I would say, self healing. So that if something does go down, you're able to catch it, you're able to restart those applications without bringing the whole system down.

Gregor Vand

Yeah, I mean, so just to, I guess, give a very layman example, being able to reboot just the nav system without touching.

John Wall

Exactly.

Gregor Vand

Control and that kind of thing.

John Wall

Yeah. And have the rest of the system continue to run.

Gregor Vand

Yeah, it's probably fairly clear, I think, to our listeners listening in terms of why that was so important as well. As I'm sure maybe older cars that they've run. And there's been some aspect of the system that's stopped working, but ultimately it's not the whole system, is it fair to say? I mean, again, being sort of software engineering daily, the analogy of microservices versus monolithic, is that a good analogy as well?

John Wall

Yeah, you know what, that's a very good analogy. Actually. That's exactly how we would look at it. You can add services, you can take services away, you can restart services. Yeah, that's a very good way. So from a software update perspective, you can update the system without having to take down or rebuild the kernel. And that avoids, like for instance, if I want to keep the ipod driver or the iPhone interface fresh, I don't have to update the entire operating system, I can just update that particular piece of the system. So that's a good analogy.

Gregor Vand

Awesome. So, yeah, I mean, there's a couple of others. I mean, talk about, I think it's called QNX Accelerate, which is sort of a cloud piece to this as well. Could you speak to that? Because I'm curious, how does cloud now come into this?

John Wall

So to be clear, our approach with everything is cloud first. So a big initiative that we have, one of the pain points for our customers, and not just automotive, but across the board, is vendor lock in on hardware. So we take very seriously the idea of standardizations that separate hardware from software. So our operating system is fully POSIX compliant. We have made a lot of investments in something called Virt IO, which is shared interfaces to share drivers. We've worked for instance, with Google very closely to have a design where you can take Android from Google and drop it on any hardware without any changes. Whereas typically if you're getting Android, you're getting it from the hardware vendor, you're getting a version from this hardware vendor because they're making all kinds of adaptations. So one of the ways to really force that issue is you do cloud first, where you have to abstract, there is no dedicated hardware necessarily. In a lot of cases, you're doing either an emulation or you're doing a software implementation. And the idea is cloud first. Start your development in cloud, even if the hardware is not available, even if you haven't made your decisions on which hardware to select. We have all the hardware that is typical for those different domains that we're dealing with already supported with that platform. So you can develop in the cloud. And there's so many advantages of developing in the cloud. You know, keeping your tools straight, keeping Your software versions straight. When you look at some of these really large software programs at automotive customers that, you know, they're around the clock around the world. There's teams in India, there's teams in China, there's teams everywhere. The biggest problem is keeping everybody in sync across the world. And that's, you know, cloud removes a lot of that complexity. So that's very important for us.

Gregor Vand

So yeah, I mean in terms of devex, effectively does QNX have its sort of, I don't know, its own IDE or how does it look when a developer is wanting to interact with qnx?

John Wall

That's a great question because this is something that we're being very careful about. We are not creating a CI CD environment. Our customers have their own CI CD environments, very complex CI CD environments. So what we do is obviously we have our own tooling, we have an ID VS code. So we've just moved away from Eclipse to VS code. And a lot of the reason was for cloud. But we're really focused on how do we provide microservices that can plug in to the customer CI CD to provide artifacts like SKU management, safety artifacts, sbom. You know, the software bill of material is a huge topic these days. Cars can't ship in Europe if they don't have like a proper bill of material. So we're. While we don't provide an end to end CI cd, we do strive to plug into them in a generic way and we're working with, you know, the super scalers to do that as well as our customers.

Gregor Vand

And I'm aware, I believe it's QNX 8.0 is the latest and greatest. Could you speak a bit to just like what has that kind of brought over? I think 7.11 was the last version.

John Wall

Correct. So 7.1 was based on the kernel that we had developed in the early 2000s. So was developed with SMP in mind, symmetrical multiprocessing. But at the time when we were doing that, especially in the networking space, you were talking about two distinct PowerPC chips with a bridge and we scaled really well with two cores. We're now in the area that it's not unusual for even a mid level processor to have eight cores. So we were running into a situation where you would have a deadlock on the kernel because you had all these cores that were trying to do kernel messaging. So the big change that we did with SDP8 is we redeveloped our kernel for the first time in 20 years, 20 some years. We are now have the ability to scale one to one as the number of cores increase. So whether it's 1632, you know, our target was to match Linux on performance. So we wanted to retain the pedigree of safety, the pedigree of security, the pedigree of determinism, real time response, but be able to match Linux on performance. And that's what we've been able to do with SDP8. So it's a monumental change for us from 7.1 and it's the foundational product that will carry us into the next 10 to 15 years.

Gregor Vand

Wow. And we're going to move on to more in the security space like pure security shortly. With yourself, Ishmael. Just kind of wrapping up for now on qnx. I mean I imagine just, I guess from what you've said, 8.0 being like a pretty major rewrite, security must have come into that. Things have changed dramatically. And not to say obviously, 7.1 obviously was trying to keep pace, I imagine with the threats of today. But just in terms of it's a very specific context of how security can affect a vehicle or QNX's in medical devices and this kind of thing. What are the security considerations? And again maybe what does 8.0 do differently there?

John Wall

So 7.1 was very focused on security. That was the difference between the previous versions and seven. So you know, we had put in a lot of gear for security. I think what's different with eight is there's now standards around security 214-34. There's WP 29, 155, 156. We're now certified for security the same way we're certified for safety. So I think more than mechanisms, I would say it's more processes that have evolved to consider security more at the same level as we've treated safety. And it's a heavy lift. I mean there's a lot of work that goes along with this. Obviously we've added more mechanisms to SDP8 as well from a security perspective. But 7.1 was quite good, was quite good. It had all the mechanisms you would expect. We also have a lot of third party partners that we work with that do like binary ceiling, they add a lot of things that even on top of that. But I think the biggest change has been the process that we've instituted where we now look at security as being the same thing as safety from a process perspective.

Gregor Vand

Fascinating. Okay, thanks so much John, for all of that on qnx. We're going to move slightly sideways or diagonally to Ishmael and you Are VP of Threat intelligence, is that right?

Ismail Valenzuela

Threat research and threat intelligence.

Gregor Vand

Fantastic. So yeah, I mean again for our listeners, BlackBerry is today is quite a sort of fairly sprawling company. It does have a few arms in different areas. I'd love to just first of all again a bit of your background. You have quite an illustrious background from a security standpoint and then sort of how did that lead into BlackBerry?

Ismail Valenzuela

Well, just like John, we've been doing this for quite some time. I started doing well cybersecurity, we call it cybersecurity now. Right. But we call it back then information security at the end of 2000, 2001. And yeah, I've been doing this for quite some time as a practitioner doing hands on work, working as an incident responder, as a consultant, walking into large environments that were on fire when the adversaries were there. Maybe ransom in the environment more recently or back then it was just like botnets or directed targeted attacks from different threat actors including nation states. And then well, helping these customers save the day and then more on the proactive side, defending organizations, building security operations centers and for the last few years more on the research engineering, supporting data science and engineering in building products for defenders. That's what I like to think myself of as just a defender that is trying to help organizations.

Gregor Vand

Nice. And I think you joined BlackBerry almost three years ago and if one just, let's just say goes to the BlackBerry website now security is just everywhere in terms of, that's the sort of almost the face of the business now if there's one thing it should be known for, it's security. So what does your role sort of encompass? And I'm curious if it does stretch across into anything to do with qnx but broadly speaking, what does it deal with day to day?

Ismail Valenzuela

So as you just said, the history the company has, the foundation in protecting devices is something that we have continued. John talked about how we have continued that on the automobile side but also in many other type of endpoints, medical devices and automation. Other type of endpoints. And we continue to protect mobile phones as well.

Gregor Vand

Right.

Ismail Valenzuela

I mean the audience cannot see my phone right now, but I'm holding it and if I open my phone I can just go onto the BlackBerry UEM which is the unified endpoint management which you know, protects my data here, my corporate information. We have software to protect communications with military grade encryption and threat intelligence, which is essentially what my team does or the research part. It's about learning, studying what adversaries are doing to try to anticipate their moves and to translate that into what we call actionable countermeasures or defenses that we can implement in the products and that we can also implement in our services. Because technology is just part of the problem. It's also about humans, human beings understanding the context, the business, and if we take it to the safety side, right, this is all very related to each other. We also have software that helps to protect people in times of crisis, because secure communication is also essential in critical event management.

John Wall

The global developer talent shortage is expected to grow to 4 million in 2025, further contributing to developer burnout. With the security and talent shortage growing rapidly, businesses need effective tools to help developers work efficiently and securely. That's where Bitwarden comes in. Bit Warden delivers trusted open source security solutions that empower your developers and security teams to securely manage and share sensitive information online. Protect your infrastructure secrets, API keys, user passwords, mailing addresses, credit cards, passkeys and more with easy to use and enterprise ready Bitwarden solutions. Start your free trial today@bitwarden.com one of.

Gregor Vand

The kind of key products, Silence MDR. And that was I believe, an acquisition. And back then AI was being talked about as one of the key drivers, I believe, for bringing that into the portfolio. And I'm curious, how have you seen things evolve from then to now in terms of the usage or the application, I guess, of AI, plus I guess the work that you do, which is, if you want to call almost pure human sort of understanding, threat intelligence. And then how do we translate that into something where AI ends up sort of doing the heavy lifting?

Ismail Valenzuela

Good question. There's a lot to untangle there. Yes, BlackBerry bought Silence in 2019. And I remember back well before that, Sylens was known for being the first technology endpoint solution to essentially focus on detection based on AI and machine learning models more specifically. And I remember back in the day, you know, 2017, 2018, people are black hat, like, you know, laughing about these things and saying, oh, you know, that's not how you do detection on the endpoint. Fast forward to not even 2024, but even during the last few years. There's no vendor, no one that would dare to say that they're not using AI and machine learning in order to scale your detection capabilities. Because there's no way to do this when attackers are throwing at us, you know, a lot of malware per second, as we report in our, in our research. So that's a fundamental aspect of that. And obviously we have continued to build on this platform, adding more machine learning models I think we have released up to 18 new machine learning models in the last 18 months for various things that we see as a result of our research. Working together with engineering and data science, we evaluate these things in realistic scenarios. So we do this, as I said before, in a proactive manner, trying to anticipate it, doing purple teaming exercises, which is essentially a way of emulating an adversary and having the blue team, the defenders, trying to catch these adversaries and trying to prevent these attack chains as soon as possible. So we do a combination obviously of AI machine learning models with any other effective way of stopping these adversaries, including humans.

Gregor Vand

Right.

Ismail Valenzuela

Human beings that are monitoring and reacting to these type of alerts.

Gregor Vand

There's like silence MDR which managed detection and response and I think just pure endpoint as well. So is that all part of the same product portfolio or MDR is that that's where the human side they come and actually do a lot of eventually have a team at BlackBerry kind of helping you or how do you sort of explain the difference there?

Ismail Valenzuela

Yeah, so it's part of our portfolio. Right. If you look at our website, we have silenced MDR. That's the human team or SOC that is 247 reacting to these type of alerts, being proactive, working with the customer and making sure that they have the necessary defenses in place to be able to take the most out of this. And for example, right now we back this up with a $1 million guarantee for all of our customers and then the rest of the products or the technology silence endpoint as I mentioned before, BlackBerry UEM to manage devices, not just phones but also laptops. It's very common these days to have people, the workforce distributed, working in hybrid environments. So these type of solutions are important. And talking about that type of communication silencedge as well, which is a zero trust type of remote access Solution and our SecuSmart suite of solutions as well for secure communications.

Gregor Vand

Yeah, so secure communications. I wanted just to touch on that again. I think a lot of the history I guess of BlackBerry was that the handsets were these incredibly secure communication devices. And I believe it was fairly well known that Obama refused to let go of his for that reason even as other devices were becoming the more popular at that point in time. So how has that sort of the pure handset business and then now we're talking about secure communication. I believe it's application based that can be on any kind of device. Or maybe you tell me what is the secure communications business today?

Ismail Valenzuela

Yes, essentially about military grade encryption and securing Communications in a way that you can control this encryption also end to end, that you can control both sides of the communication. Like in the beginning of library days, you would have like a BS server where you would control all of these in house. Now it looks like we went on to the all cloud based, let's use applications like WhatsApp and you know, any application that anybody can download on the phone to do this type of, you know, encrypted communications. There's a lot of caveats there, by the way. A lot of people think it's encrypted, end to end or secure. It's not that much. Right. We can get into that if you want to. It looks like we're now realizing that there's a big need for privacy, especially when it comes to, you know, government communications. We have a lot of government customers and when it comes to, you know, corporate communications as well, when it comes to mergers, acquisitions and a lot of the other confidential data that is exchanged by executives on a, on a daily basis. And we have seen very recently, for example, the US Government talking about the threat of certain Chinese groups that are infiltrating into telecommunication companies and urging people to use secure comms. And there's been some fines even by the SEC, right in the US Secure Exchange Commission to certain executives that have been using what is supposed to be a secure platform, for example, WhatsApp, for certain things that are really, that should be confidential. There is a lot of realization right now that there is a need for this type of secure communications. We're a very strong player in that business.

Gregor Vand

Just so to kind of clarify, I guess the format that takes is more, I guess at the server level as opposed to application level, or is it both?

Ismail Valenzuela

From a technical perspective, it required a hardware token back in the day, but these days it's something that you can do on software. So these encryption keys are managed by the server that you control, that you have on prem. And these encryption keys are distributed to the users that you provision.

Gregor Vand

Right.

Ismail Valenzuela

With the devices that you provision. So this will enable that end to end encryption where not only the data is encrypted, also the metadata is encrypted, which is a big thing, right? Going back to the news in the last few days, a lot of this information, metadata could be very, very useful for attackers to figure out trends, who is calling who at what times. And that can be very valuable information that we need to protect.

Gregor Vand

And I mean, just talking about sort of, well like the threats and staying on top of that, there's quite A move. Now, for example, there's a company over here in Singapore that does attack surface management. But the way they're talking about it, and I say talking about it, but actually deploying it, is they have very much in house threat research, threat intelligence, and sort of is very much bleeding edge. What they are uncovering day to day is in the platform tomorrow. What kind of similarities do you would you say you have at BlackBerry?

Ismail Valenzuela

My team specifically is a global team of researchers that are located all over the world, not just for a 24, 7 coverage, which is important, but also because these threats are specific to the geographies that we work on. So, for example, you mentioned Singapore. We have recently published a bunch of reports on threats that we see specifically in Southeast Asia. And those threats are very specific to the region, very specific to the geopolitics, very different from what we see, for example, in Latin America or in North America or in Europe or in Middle East. So that's why it's important that we have these researchers in all these locations. They know the language, they know the culture, they know the politics, and they're able to interpret. Right. Why do we see something specific? I have seen, for example, around Singapore, Southeast Asia, a lot of attacks against poor authorities by specific threat actors that have geopolitical interests in the area. I think we all understand what's the role of China, Right. And how they have been promoting this, from the government sponsoring this type of campaigns to, well, stealing of intellectual property or stealing some other military secrets, things that could benefit an economic position of this specific country or what's going on with Taiwan. All of these things shape the threat landscape as well at the cyber security level.

Gregor Vand

Yeah, very fascinating. I actually want to sort of bring you back in, John, in terms of, you know, I think some of the examples you've just given Ishmael, on threats, all very pertinent and probably some that are quite familiar to listeners, some maybe not. But then when it comes to, you know, embedded systems and some of the, you know, maybe some of the other industries that I believe QNX can cover, I believe it's in medical devices, aerospace, defense, rail. Threats against any of these is pretty major and sort of, I guess what are. I mean, this obviously could involve both of you being able to comment on this, but what kind of threats against embedded systems are we actually seeing today?

John Wall

I think everybody's familiar with the Jeep hack from 2015 that Charlie Miller and his partner were able to hack into a Jeep, control some aspects of the Vehic vehicle as a real wake up Call to the auto industry. And we know the system, we were involved in the system and the system evolved from a non connected system that over time became a connected system, had no concept of security at all. QNX is a component supplier to the automotive industry or the medical industry. We don't build the actual final product. What we provide is obviously all the mechanisms from an operating system perspective that the customer can use to shut the door, shut the windows as much as possible. But they're doing the same thing. They're engaging threat analysis, they're doing terras. The auto industry takes this very, very seriously, as does the other industries that were involved in medical, for instance. You know, a big part of medical, for instance, is being able to secure the network itself within the hospital to start to reduce the threats. But yeah, I mean, it's, the landscape is no different. The stakes are high. You know, when Ishmael talks about it, he talks about stealing of intellectual property, secrets being exposed. With a car, you're looking at something that could be much more serious from a, you know, not necessarily from intellectual property, but from an actual taking control of the vehicle. And so I would say the OEMs, they are very, very focused on security.

Ismail Valenzuela

And the response times. Right. Are completely different.

Gregor Vand

Right.

Ismail Valenzuela

John, we monitor something, we look at something, we do instant response and of course rapid response is important, but in terms of a vehicle, it's immediate, it's real time.

John Wall

Yeah. And so there's a lot of hardware mechanisms within the vehicle to separate traffic to make sure. I mean, one of the big things that was discovered with the gpack was there was no barrier from the infotainment system to the rest of the car. There was no gateway. Now you have the notion of gateways and you have the notion of routers within the vehicle that are pretty locked down. But yeah, it's a big topic.

Gregor Vand

And I guess that goes back again to microkernel in terms of being able to have that separation.

John Wall

Absolutely. But again, we're a component within a much larger application sphere. So we can do what we can do, we can provide the mechanisms that we provide. But at, at the end of the day, the OEM that's building the device, whether it's a medical device, whether it's an industrial automation device, oil and gas, wind turbine car, it's ultimately up to the oem, we provide the mechanisms. But I mean, there's a lot of layers there of application and connectivity that, you know, at the end of the day we can't, we don't see it until the car is Shipping, I mean.

Gregor Vand

I think that's very familiar to. Even if our listeners don't have any, any experience with sort of the embedded system side, but just the pure software side. A framework, a language can be provided. I think framework is probably the better analogy. It can be provided. It has a lot of safety features, a lot of security features, but it's how it's implemented at the end of the day.

John Wall

Yeah, that's just it. And the reality of it is when you think about an embedded system just versus software, the differentiator is really that we're in a more constrained environment. And even today, if you look at that environment, you know, there's 8, 12, 20 gigs of memory. I mean we're running on the latest silicon like Thor from Nvidia, you know, so it's the same thing. Customer has given a bunch of frameworks to be able to build something and then obviously, you know, we have to monitor CVEs. There's a lot of open source being used within the vehicles. So we have a responsibility to monitor any open source software that we're providing as part of our products. And so that's an ongoing process as is being able to update the vehicle or to shut down a feature in real time if a threat is found. So the monitoring of vehicles is very similar to the monitoring of business and any other type of security threat.

Gregor Vand

And yeah, I mean, just like to touch on one last thing there, as you've called out, it is about how it's implemented. I imagine you don't have to give specific names or examples, but have there been situations where a company has ultimately realized there's a problem and they have to actually come back to you because they say, look, we actually don't know what the best way around this is and the architecture is from your side and can you help us? That speed of response, I think is what I'm getting at. Coming back to you.

John Wall

I definitely won't share. Oo, but yes, that is not unusual that they seek our help.

Gregor Vand

Yeah, that makes sense.

John Wall

And most of the time it's more to determine what does this vulnerability mean to me, do I have a vulnerability here or. Because I mean, you can have a vulnerability in software that's not exposed by the way the system was implemented. And so normally that's what they want to know from us is okay, we know there's a weakness here. Are we vulnerable? And sometimes these are systems that are very old. You know, a medical device is not unusual to be in the field for 20 years.

Gregor Vand

Yeah, that's A great call out in terms of, as you say, a medical device is supposed to have a lifespan of exactly a couple of decades.

John Wall

Well, wind turbine, the wind turbine has a 25 year lifespan. If somebody were to hack a wind turbine and start playing with the pitch of the blade, you could bring down wind turbines.

Gregor Vand

So I guess looking forwards, what are you each sort of, I guess excited about in terms of maybe just sticking with you, John, briefly Qnx into the, I don't know, the next five, even 10 years, what are you kind of most excited about in terms of where things can go?

John Wall

I think what I'm excited about is the fact that everything is becoming more software defined, more mission critical devices are becoming software defined, such as cooperative robots, cars. But there's going to be more software in the future, not less. So I feel really good about our business. And also what we're seeing is our customers would like us to do more to provide more of a platform as opposed to components so that they can focus on application and not focus so much in the weeds of the software, what we call foundational software. So I see a really very large opportunity for QNX to really grow its business and to really grow out or to build out more of a kind of a safe and secure platform for different verticals, whether it's automotive, medical, robotics, etc.

Gregor Vand

Awesome. And yeah, Ishmael, sort of same to you. I know in security it's always an interesting question. It's like, what are we getting excited about? And usually it has to relate to threats, mean people are hacking and we only have a job in security if bad things are unfortunately sort of unfolding at times. But what are you kind of excited about?

Ismail Valenzuela

There's always going to be that component, right. Of looking at what attackers are doing and defending against that. And if we look at the use of AI, yes, attackers are starting to use that, but also defenders. And I think that's a very interesting field because as we start using AI to anticipate, to do secure by design, especially as John was saying, where everything runs on software, critical infrastructure running on software supply chains, AI is going to help us to scale much better. Right. So I'm very excited about how we can look at like that's part of what my team is doing as well. Right. Looking at ways in which we can use AI to scale better and faster than attackers. So we can anticipate more, we can secure more by design rather than just like always being reactive.

Gregor Vand

Yeah, absolutely. I mean, I think that's where again, in one sort of area of Software and security I've always been interested in and sort of trying to promote is just that software engineers themselves are much more educated and aware of security and what they're building, not just passing it off to, oh, the security engineer will tell me if I've done something wrong. And again, I think that AI really is helping here. Of course, tools like Copilot, et cetera, do make mistakes, but they do learn from these mistakes quite quickly.

John Wall

That's a great point. It's very much safety and security have to be cultural, not bolted on your engineers. It has to be part of their daily living within the organization. That takes time.

Gregor Vand

Exactly. I think that's a very good point. And it was actually something I sort of had to educate, I think a few CEOs on, which was that they thought software engineers were fantastically educated on security. And I had to break it to them, it was almost the opposite. It was the last thing they had been taught. It was the last thing they thought about.

John Wall

It's not fun. It really has to become part of your culture, part of the way you think when you're doing your software designs, when you're doing your implementation, it's a lot more fun to do 80% of the fun work and let somebody else do the 20%. That's really hard. So you have to build into the process. You have to build it into the mindset and make people really believe that this is the prime thing that they're doing.

Gregor Vand

That is a great point. So just to. Yeah, just to kind of wrap up, I tend to ask this question to most guests, and we've got two today. So for each of you, the question really is just if you could go back and tell yourself something at the start of your career based on what you know now, what would you be telling yourself? Or it could be advice, or it could be just sort of something that you would have told yourself.

Ismail Valenzuela

You know, I think that maybe this is going to be like, very generic, but I think sometimes we just. We limit ourselves to, you know, what you have seen around you or the things that other people that, you know, have done before. And I think that, you know, one of the things I would tell myself is like, look, there is no limits to what we can achieve, right? Professionally, personally, there's abundance of everything right out there, lots of fun projects and problems to solve, and don't limit yourself. And that's something that, you know, I see now. And obviously I've been working with global companies and global teams for quite some time. It's a lot of fun, you know, that's something I. That keeps me. Makes me excited and keeps me going as well, like trying to solve these problems. And especially for when it's problems that affect people's lives. And we're talking about automobile before. Right. But how many ransomware attacks we see against schools, we see against hospitals. Right. So I think that's something beautiful about what we do, our mission. Anyways. I don't know if I answered your question, but that's kind of.

Gregor Vand

No, no. I mean, there's no right answer to this. Right. But yeah, yeah. You know, work is what you make of it. I think that's people's advice around. Do what you love. And this kind of thing, which is a little bit hard sometimes, I think, for people to get their head around. But there's always ways to be turning up and doing something each day that can excite you, I think is the way to look at it. I like that. John, what about you?

John Wall

Obviously, I'd love to go back and fix every mistake I've ever made.

Gregor Vand

That's a tree engineer right there.

John Wall

But I have to admit, I've been pretty lucky. I mean, one of the things I've always told my kids is I always enjoyed getting up and going to work. And to me, that's. I wouldn't change anything, to be very honest, from that perspective. Like I said, I've made lots of left turns and right turns where I should have made the opposite turn. But at the end of the day, I've enjoyed my work. I've enjoyed going to work, I've enjoyed the customers. I mean, even when I was traveling to Germany every couple of weeks for a period of a couple of years, I just thought it was fantastic meeting all these people going to these different countries. So I have no regrets. Could I have done things better? Absolutely. But I'm still in learning mode and I'm still really enjoying it.

Gregor Vand

I love that. Still in learning mode. I think probably all three of us are, and I think that's a great place to end it. Stay in learning mode. I love that. Thank you so much to both of you giving up your time to come talk to our listeners. I think they've probably learned a lot about BlackBerry today that they had no idea potentially that was going on. Fascinating company. I've always been a fan of it from the handset days and love to see what it's doing now. So thanks so much for coming on and yeah, hope we catch up again in the future.

Ismail Valenzuela

Thank you.

John Wall

Thank you. Much appreciated.