How to Deal with Lawsuits & Ransoms

[00:00:00] Colin Keeley: Hello and welcome back. This is Colin Keeley here,

[00:00:02] Brent Sanders: and I'm Brent Sanders.

[00:00:04] Colin Keeley: We are two guys buying and building wonderful internet companies.

[00:00:07] Brent Sanders: Yeah. And so we've decided to make a, an episode this week about a sensitive subject. It's something that's we're noticing is, is happening in the space, but really just a fact of life when doing business, which is.

Lawsuits, right? Legal, legal issues and we've, we just want to dedicate to kinda talk about stuff that's going on in the space, but also just recent stuff that we've run into. I mean, I guess not recent, but just kinda looking back in the last, I dunno, couple years of, of legal fund doing micro SaaS acquisitions.

[00:00:41] Colin Keeley: Yeah. I don't know which one you wanna start with. I mean, we've dealt with random things in the past. I think the most interesting, somewhat recent thing is suret and acquirer of software companies, not that dissimilar from us. Basically sued and effectively killed calm capital, which is another I.

I mean they acquire minority portions of mostly software companies and it sounded like a frivolous lawsuit and they pushed it so far that calm is effectively shutting down, which is quite a bummer. I thought. I love their, thesis and I think they've done it in a really good way. And it's just wild that, the lawsuit could basically kill this, promising company.

[00:01:18] Brent Sanders: Yeah. And, and from what I understand, you probably know more than I do, but this scenario here. And also for like scope purposes. We're not talking about like, civil losses. It's just like sort of business back and forth lawsuits, things that, partners breaking up. And, and in this case I think that that was the scenario.

They partnered on something. And then just to be clear, the calm fund, like the existing investments are still going on and, still being aided. So it's not shutting down, it's just not making any future acquisitions at this time. Is that, is that right?

[00:01:50] Colin Keeley: Yeah, so background here sure. Swift and Calm put on this like founder summit series, so like a conference series for, software founders.

It seemed to be going pretty well. I think the situation was the sure Swift founders left and like the LPs took over our in charge now. And I think they wanted to break off the series and continued with, they're now the big band software guys, so like just another competing firm. And sure, SWT apparently is like, we don't like that idea, we're just gonna sue you.

And they just continued the, the suit. Then it became apparently such a distraction and such a drain on resources that Calm couldn't raise, future rounds of funding. 'cause it's scaring off LPs. And I have Tyler talks about it a bunch. I could talk through like what he learned or what he said he learned and what he would've done differently.

But yeah, it's a wild situation with a small fund can effectively be killed by a lawsuit, whether it's, unjustified or not.

[00:02:45] Brent Sanders: Yeah, I mean, I think that's true of any business, at least at this scale, right, of like. Smaller, less capitalized businesses that, a couple million dollars can wipe you out.

I mean, so I wanna preface this conversation with something that I learned very early in my career around legal situations which is, suing somebody is, is just a game of seeing who's got more money. That's my like, general approach to anything legal related when it comes to threats or litigation.

It's like, let's fuck around and see who's got more money, who's willing to pay more, and, and like it's essentially a measure of that, which is messed up, right? If you think about, what's fair, what's right. But I, I put like business law almost less so of, fairness is, is relative and it does come at a cost where.

You might be right, but you don't have the legal resources to defend yourself. And so that's the way that in the beginning of my career, I've thought about, I've had situations as a service provider or whatever, where, litigation has presented itself. And I always just am like, okay, if I'm the big fish, then sure I wanna, threaten and, and do all those things.

But if I am clearly. It's just good money after bad is the way I look at it. Unless you, you, you're the bigger fish and, and frankly, I've never been in that case where it's like, okay, I don't mind, dropping a couple hundred thousand dollars to, to make, ruin someone's day.

I just don't have that, that value and or I don't place the value on it. At least I haven't been mad enough to so anyways, that. I just want to say like that. I'm gonna keep saying that over and over. Let's fuck around and see who has more money. Is generally the theme, which sounds like the case with Sure.

Swift, they, and by the way, when an l, a bunch of LPs took over the company, is that the operations of the company essentially? Is that what you're saying around Sure. Swift.

[00:04:36] Colin Keeley: I don't wanna speak for them, but Yeah. My understanding is the whole executive team left, started a new private equity fund and the old fund is still operating, which has, it's a holding company, so there's a number of companies beneath it.

Mm-Hmm. And there's all new people, running the thing over there.

[00:04:50] Brent Sanders: Yeah. Yeah. So that's a funny thing. It's like trying to, your operators and then you're gonna try to sue investors. It's like obviously the, by the nature they're gonna have more cash. Or a larger disposition.

So an uphill battle to start. So anyways, going back to the story they, they put on, they essentially partner. I guess that's sort of the first mistake is they decide to partner and everything's going well. And then these partners of Sure, swift, the operating side leave. Then like, what, what went wrong?

Like obviously people are aggrieved because, their executive team left, but like why go after calm?

[00:05:27] Colin Keeley: So I think they actually went after Calm and some of the founders of Sures Swift. Oh, okay. That left. And I think the plan was for, the founders who left and calm for them to continue this conference series. But sure, swift was getting cut out of it, which is, I mean, it's like a tiny product line. It's definitely not core to your private equity business. But yet they were saying they were being harmed because, they're stealing this conference away from them.

But yeah, Tyler writes everything publicly on Twitter and in his like newsletter and stuff, and he was saying when this was happening and he published a lawsuit and everything. And it just kept continuing. You'd think, the shame of it on Sure. Swifts side, like the damage to your reputation amongst founders would be.

Painful enough that you wouldn't pursue this, but they just kept pursuing it and kept bearing calm under like legal fees to the point where it was just like, Hey, we gotta throw in the towel. It doesn't make sense to do this anymore.

[00:06:20] Brent Sanders: That's a, yeah, it's a bummer. But it makes sense, right? It's like if you go through this process and you need to provide your slack.

History, you need to provide your email. These things get subpoenaed, right? It is my understanding of, of the process and the things that start happening is and it gets very serious. 'cause it's like, now you aren't, if you can't furnish that stuff, I have no idea what happens, but I, I'd assume you, essentially lose the battle.

You essentially give up. But yeah, I mean, it, you're going to know, or you're going to need to retain very expensive, three to five to $800 an hour. People working multiple days on your behalf. And it's like, again, if you're balancing this with LP money, that's, it's super irresponsible. Which I think is the conclusion he came to.

It's like, look, I can't burn investor money. They didn't gimme money to, to pay attorneys. Right. You just gotta end things. Do you know what, like what's your understanding of like, what is their claim? I mean, 'cause it sounds like Sure. Swift was saying this is our proprietary deal flow. We, we put on this, this event in partnership with you, and you cut us out and, and that's like how we, you're basically cutting off our top of funnel and, and everyone's leaving and, and leaving us with a bag.

And it, it feels like it's essentially the top of funnel, but is the thinking. I, I would assume the thinking on their end is like, Hey, let's just. One, we're we're hurt and being hurt emotionally, depending on who's on the other end. That can only go so far. Again, depending on who's on the other end, because that, that can go really far with some people, which I think we'll talk about a little bit more in this, this episode.

But yeah, it just seems, it, it is a bummer. That being said, it's like if they have the sort of war chest and if, if you think about it from their perspective, they've got MRR coming in, they're doing, if I'm understanding correctly. Sure. Swift does just sort of like they have the holding company, they do mailbox money.

They're sending money out every quarter of their investors, and if they're gonna take some of that and essentially bury competitors in the long term, that proprietary deal flow in their head will come back to them. Right. I get, I think that's, I'm trying to think of it from their perspective of like, okay, well if I burn their ships.

Three to five years from now, the next few deals will start coming back to me or back towards Sure. Swift, which like, I don't know anything about their, their business. I, I, I don't know if they're doing future acquisitions or, or deploying capital with, the shakeup, but that might be their thinking and say, Hey, well, we've got cash flow coming in greater than Palm and we can divert some of it for a period of a year or three and get rid of competitors.

Yeah, they're thinking.

[00:08:58] Colin Keeley: I mean, I think whether it's justified in any way or not, I mean, you could just pursue litigation if you want, if you wanna make this other person's life hell. Which it seems like maybe this is just, spiteful to some extent very effective. But yeah, just, it doesn't have to be like a real reason.

You could still bury someone in legal fees. But Tyler's takeaways here was he says he needs to at least raise bigger funds, have separate revenue streams. Or do the same work with a really small or cheap team. So he was saying he wish he started this as more of a side business and then he had like core income streams from like m and a advisory or something, or brokering sales of these companies that he wasn't, buying minority stakes in or consulting or something like that.

Yeah, he basically decided raising these small funds is just not worth it. It like, it's just too fragile of a business.

[00:09:48] Brent Sanders: Is he talking about this? And again, I don't know a ton about the structure. I know the, the overall thesis and it's really cool. But from a fund perspective, what did he, did he raise upfront capital and if so, how much?

[00:10:01] Colin Keeley: I could probably find it, I wanna say the first one was maybe only a few million, and then maybe it got into the like a little over 10 million or something like that. Yeah, I think he had a few separate funds done. But yeah, I was buying minority stakes in companies, mostly software companies.

[00:10:17] Brent Sanders: So the way that I, I'm reading this and I'm probably doing poor math depending on how it goes, but it's like, what that means to me from a average Joe, like to convert it to, what does that mean for him month over month?

It's like there's not a lot of cash for him. There's cash coming in, that's Carrie or whatever that's gonna pay. Admin costs and accounting and all the, the, the junk, and I'm assuming very little of that's gonna come back to him. And then how does he get paid? Like this is what I'm, what I'm hearing from you is like, it's tough right now for cash flow and unless you have something ancillary that's driving cash flow, like how do you pay your mortgage and, and for literally you're, you're managing these, this, let's say $10 million for round number, you're managing $10 million or it's already been deployed and it's like.

Who's, who's taking care of him. It's a very, like, fragile, boat, so to speak. It's, and so then if you come upon rough waters, you're, you're sunk. So it does seem like that, that's like the, the takeaway I'm getting, which is like, he's probably struggling. I don't know personally, like, I don't know him.

I don't know his, I. His background, but it sounds like there's just scraps left over and of that it's like, hey, this isn't worth it. Like I can't wait for the outcomes of all these investments. I've gotta be able to pay my bills day to day.

[00:11:33] Colin Keeley: Yeah, that definitely makes sense. I, he didn't take that route, or at least he didn't say that publicly.

It's definitely possible. So publicly they have 20 million roughly in total assets under management. So 2% of that is like 400,000, which disappears really fast. 'cause there's like. Fairly significant carrying costs of doing all the legal work on multiple different funds. Bunch of small funds too.

[00:11:56] Brent Sanders: Right, right. I mean, and if it sounds like he's very interested in, if you're doing an event like that's coming outta pocket. Right. That's part of, there's expenses there. There's, even just like if he's doing a regular, meet and greets and, and traveling like 400 grand, I would take half of that out immediately for.

Junk, right? Of like, hey, because of the, the number of companies. And then it's, maybe he's being able to, to pocket some of that for, for his time. But it sounds like, I mean, that, that's like one month's legal fees in a, in a slow paced, active legal case, right? So it's like you, you immediately go to zero and then you start looking at, okay, I, I'm gonna be racking up debt for this, for this scenario.

So it's. The more that I'm, I'm hearing about that is understanding the numbers a bit more, and we're guessing, right? Like we don't know shit. Like we, we know what he says on Twitter, but like, I'm trying to put myself in his shoes and then his investor's shoes and the pressure that he might be getting of like, Hey, all this is gonna go away, because it's all going towards, there's just not enough cushion for, for legal battles, which by the way, nobody plans on advance.

If, if I said, oh, I needed to go to investor and say I needed to actually, I have to raise a hundred million. I'm gonna deploy 10 of it and I'm gonna keep the restaurant in case of legal issues, they would run, right? They'd be like, what, what are you, what are you planning? What are you expecting? So I mean, it, the more I think about this, the more I see this sure.

Swift angle of like, they know these facts and they, you can make a competitor just go away if you're willing to, to burn that cash. And if you think about it for them it might be worth, Hey, if we get one deal that we didn't, or two deals that we didn't, all of this is, is well worth it. And.

If you have a spiteful person, they also can spike the, the football and say, that might feel good to them, but there, there, this might make sense, is the kind of scary thing that I'm realizing as we're talking through this. It's like there might be a world where this is actually a good strategy.

[00:13:55] Colin Keeley: Yeah, I mean, like calm is not like not really competitive with us, I guess I would say. I send them stuff periodically because. People reach out to me and they wanna do a minority deal. Like they need one check to get going, and then they're off to the races. Mm-Hmm. And that's not what we do.

We do majority deals. So I send them so I, I don't know if it's competitive, the spin outs where all the executives left and raised like a $200 million fund. And definitely taking significant deal flow away, like going after them would probably make more sense. Yeah. But then they're backed by like, billionaire family offices.

So it's a little harder, harder, target to attack.

[00:14:28] Brent Sanders: Would you characterize this as of like the, schoolyard fight, there's like two big bullies or two big kids that are fighting. I'm not gonna call anybody the bully 'cause they're all, I don't know enough about it, but there's two big kids and then one of the big kids turns around and, and hauls off and knocks out one of the smaller kids.

[00:14:44] Colin Keeley: A little kid.

[00:14:45] Brent Sanders: Yeah. It's like, why would you do that? It, it just so what you're saying and in this community, it's like, why would you know that looks weird. That looks super off putting. And then will this impact their, like really, really think about this? Like, will this impact future deals for them of like reputation?

Do founders actually care about reputation? I would say yes. Like I think for the, especially the, the, in my mind, the better deals, the ones that are like the bootstrap founders that have really built something great and they really care, they're gonna go and dig and I. Do feel like that's gonna matter, but maybe I'm thinking more of on a micro scale, maybe they're thinking like, Hey, this is, we're buying big companies that, there's no bootstrapping going on here.

This is like, they're buying, big boy businesses, not bootstrap businesses.

[00:15:33] Colin Keeley: Yeah, I mean, I would say basically every deal we've won, I'm not sure we were the highest offer. Like we were easy to deal with and they liked us. Yeah. And they felt like we were a good home for their business. So I would say it matters far more.

Like in venture capital there's a lot of bad actors and they keep continuing to keep winning deals 'cause maybe it doesn't matter quite as much. Yeah, you would think this gets flushed out, but maybe it just never does. It's not public enough. You Google, you know the names, they don't show up as negative things and it just, people pay attention to their own lives.

They don't care that much about this stuff. It is it, I would think of the reputational damages being problematic, but maybe it's not. I don't know. I guess we'll see over the years whether this continues or whether it is run their companies they already own and they don't really buy any more acquisitions.

[00:16:17] Brent Sanders: I mean, I could easily see somebody who's just of a slightly different generation not putting any stock and like, oh, they're gonna complain about me on Twitter. Like, who gives a fuck? Like, I don't, they're gonna do it anyways. Right? It's like, and, and I, I'm not sure. I mean, I got some gray hair.

I'm not sure where I fit in on that. Sometimes I'm like, like the crazy stuff that goes on there. You can, anybody's gonna actually take anything. A grain of truth there. So, I don't know interesting scenario. It sucks. I guess like, that's my one reaction to this is like, that it's really unfortunate to see, this always scares me in like the patent troll world, where it's like somebody's just gonna come after you and, ruin your day and they're really well equipped for it, and you're not, and it's just going to, it's like extortion essentially.

So it, it feels semi close to that in, in some respects. But then again, I don't know really the details about the, the actual merits of, of the case. Like, you're getting it from one perspective who's being very public, and then the other side's like, hush hush. That, that does seem like a strange imbalance.

[00:17:21] Colin Keeley: Yeah. My takeaway too is it's like, what can we learn from this? And then it's just a bummer overall. It feels like there's more demand for this kind of one and done check than ever. Yeah, it's unfortunate. I, hopefully he comes back in some form or another, maybe very different legal entity and just restarts it.

But

[00:17:36] Brent Sanders: Yeah, I mean, I think one thing that would be interesting to, to talk about is here are, deals that we've looked at in the past that have like legal potential and, running for the hills when that even like comes up. We had one, very large deal that we were heading towards close.

I won't get into the, the exact details, but like ran into. Something that was, was essentially like, oh, you can get, the, the seller was saying, that's not gonna be a problem. You actually talk to the, the other party and they're like, this is gonna be a problem and you can either do this or you can sue us.

And they're like, oh, you'll win, you'll win. Don't worry. Like, and it's like the fact that we're talking about legal issues in an acquisition, it's like, no, we're not, no, no. Our investors do not pay us to pay attorneys. Which I think is. I, for the most part, everyone, unless you're like a, a, a law firm that has a acquisition arm on it and you wanna bill hours and you're gonna do that for free, like, great.

But like, I just think it's, it is something, it, it's toxic, right? It's like toxic waste. You just, you run for the hills.

[00:18:39] Colin Keeley: There's kind of one bar. If it's your own money, you do what you want. And then if you're bringing investor money into it, like the level for risk has to be way lower. And any like legal risk or like, something looks a little funky on the business, you just walk away.

Yeah, for sure.

[00:18:53] Brent Sanders: Before we move on, I, I think it would be, does Tyler talk about like how this impacts his like personal mental state? 'cause that, that there has to be a fair amount of interference there.

[00:19:05] Colin Keeley: I mean, you could read it between the lines in his writing that he is not Yeah. Super happy about it, but not really to a large extent.

But yeah, it's gotta not be fun. Basically a year of dealing with stuff that's not productive in any way.

[00:19:23] Brent Sanders: Not productive. And, and there's like this risk of, with certain lawsuits, especially business, it's like. If you look at damages, you look at, this could take everything from you, right?

It could take, if it could take his portfolio, I, I don't know in this case, but if I was him, I'd be thinking about, because I'm a sicko, this is all gonna get taken away. So there's like this mental resilience that you'd have to like, have and maintain and build. Around, I'm gonna be okay. Like, for me to keep working, I have to know what I'm doing is going to come to fruition.

Otherwise, why would I be doing this? So there's gonna be this like, what's it all for thing that's almost like, I'm just trying to like look at a lawsuit as a weapon and I'm, there's like a mental drain, but also almost like a, a dangerous thing that that can happen there depending on who you are, right?

Like I, I'd like to think I'm stable, but. If put in these situations, it, it may make you want to just throw your hands up and say, forget it. I, I can't deal with this. This isn't, it's affecting the person itself. I, I've spoken with a a few people that just, like, they won't even go down that route.

They're just like, you know what, it's, I'll just walk away from it. I'd rather just walk away from it than have it affect my health. Have it affect, I mean, this, this stuff does. If you're engaged in your work at this level, like it's going to have a reflection on you personally. I don't care how tough you are.

[00:20:47] Colin Keeley: Yeah. Yeah. Not fun. I, I don't know how you protect yourself. I. Obviously you raised bigger funds as an idea, so you have the the capital. Otherwise I think you just legally separate everything as much as you can. So hopefully, I mean, imagine this is like multiple different funds. I don't know what funds signed on for this conference or what legal entity signed on for the conference, but that should be the only one that could be sued, I imagine.

And so I would think that the other investments are all safe and it's just attacking this one entity that's related to the conference, or maybe it's the holding company at the top, which would be like, I. Don't sign contracts with that. Yeah. Legal entity don't sign

[00:21:23] Brent Sanders: contracts. Exactly. So, and I think a lot of that stuff, like in extenuating circumstances, a court may say, Hey, we're gonna go up to the, this is, it's got, I'm sure it has to reach some bar of like, hey, there's, there's been enough malfeasance where we're, you clearly set up a, a shell company to do these.

Like there's no value in that company. We're gonna go after the thing that actually has value and, and being able to do that. It's interesting you see that with like. I don't know, like the Sackler family with the Purdue Pharma stuff, it's like, oh, well, you can't come after us. That's our business.

And then like, no, this is bad enough that we're, we're gonna go after you. But yeah, I, I don't know. I think about this as in terms of defenses, I think about this as like, is there an element of keeping your dealings. Like not trying to keep it real all the time. I guess that might be the one way I, I would think about this is like, sometimes you have to realize I don't wanna say karma 'cause it makes me sound crazy, but like, trying to work things out and sometimes when you start these conversations, it's real easy to be.

Like, either silent, I'm not gonna respond to that person and this is just gonna blow over. Or, I'm not gonna dress, I'm not gonna like nip this thing in the bud. And that may take a little bit of like, pride crushing upfront. And at least cases that I've seen this, this go too far, it's, it's tends to start that way.

It's a little bit of like, fuck you, fuck you. And then the letters start going, and then the filing start going and it's like, oh shit, this is escalating. Had we. Kept talking, like it wouldn't have gone there. Right. And so that the, in terms of defense, and again, like if somebody's coming after you for something, there are, there are definitely areas that this defense would never work, right?

It's like something has already happened, it's in the past. Can we work through it? Can we find a settlement? Can you know? And, and it's when you've done nothing, why would you settle? Right? But it's like, I, I just try. Always make sure everybody feels like they're winning or is trying to win, or is like we're all walking away from a deal or a situation is like successful, even if it's a shitty situation.

Right? So I think there is an element of like working in good faith, that is the defense that I, I put a lot of trust in, but I also like, that that only goes so far. So I guess that's like maybe more of an operating principle than a what to do, what to do if you get sued. I think if you're getting sued, it's already gone too far.

[00:23:51] Colin Keeley: Yeah, I think that helps. My other one would just be like, I mean, this is a simple partnership for a pretty meaningless business and a torpedoed, the whole main thing. So I would think of. Being very careful with partnerships and who you're doing that with. And like, try to do everything in-house as much as you can.

Be careful with service providers, like, don't do any unnecessary deals if you don't have to. 'cause it just like broadens your exposure, potentially your surface area for attack just increased with everyone.

[00:24:18] Brent Sanders: Speaking of which, like we like. I think that's a really, really good point. I think, going on the like who you partner with is, is an important one, but also like who you hire, right?

We hire software engineers. Like I've hired tons and tons of engineers for tons of different projects. I was having the revelation, or like about a year ago we were working on, I think working on Scout and just trying to find the right developer. It's a weird code base and it's hard to find the right people.

It's like it is so dangerous, even using. Checks and balances and, and controls, like it is so dangerous to bring developers or just people into your business, right? They get keys to things they get, and a lot of the time my approach for hiring, especially when I don't have an existing bench, to build a bench, is like, I'll hire five people with the intention of only continuing with one or two, like graduating people up because I find, tech interviews are, are hard and you just gotta work through that week by week.

But you know, we've, I've added a ton of controls around, okay, I'm gonna give this person access. I mean, I've had so many sleepless nights knowing like, this developer has access to this database, and, if they wanted to be malicious. I just think that is the, the area that I'm double tripling down on, like security protocols around, people having access to things, data, staging data.

It's like we're not a big. A company that has, HIPAA compliance or a lot of data compliance requirements. But I get that, like, we need to have that as well as like supply chain, like knowing all the code that they're, they're pushing through. So as security, security is constantly in this world of, of software companies, it's just getting more and more the, the.

Amplitude or everything is just ramping up. Like there's just so much more every single day in terms of risk. And so like, I feel like that's one major risk that I never really, and I thought, oh well we've got cash, we can hire people to help us. It's like, yeah, but there's, if it doesn't work out with them, are they gonna be aggrieved about something?

Do they gonna. Have access to something. And so just locking down those controls has been more important than I feel like ever of like, and, and giving me a lot of pause as to inviting anybody in the trust tree, so to speak.

[00:26:31] Colin Keeley: I did this at JUULs recently, the Latin America recruiting company. So I mean, initially we were really small and everyone had access to everything and then we kept hiring more and more recruiters and if like one of them was malicious, they could have, taken our whole customer list.

Taken everything or like really damaged, our sensitive systems. Yeah. So a couple months ago went through and like I definitely made sure people didn't have access to things they didn't need access to. So locking down sensitive systems, like, the new recruiters can't touch our CRM.

They don't know who our existing customers, they, they only know who they are. Like looking at hiring now or helping out on hiring. Yeah. Limiting your credit card or money access to just the people that need it. For sure.

[00:27:12] Brent Sanders: Yeah. Yeah. It's, I guess it's just like one thing, I never really, in the startup world or in like the small scale, starting from zero, there's not much to protect, right?

But being in this realm of like, Hey, this is a business that has 10 years of transactions in the database, or, passwords that are encrypted, but you know, they get access to the key. It's like they, when developers come in or even just service providers, they get access to sort of things or. Get proximity towards things.

And especially with development where it's like, Hey, there's this issue happening on production. You need access to production, you need access to these things. Otherwise you can't do it on staging or you can't do it in a development environment. It's, it's it's posed interesting challenges, which I, I think we've, been able to rise to, but it's just extra, extra headache.

But that is for sure, something that I feel like keeps me up at night is like, who has access to things Who. And it's less so them. It's like, who has access to them? Right. Who has access to their machine on their, in their house? Like, I don't know if they felt like going, if their machine was compromised and they had access to a system, would that person just decide to, download the database and, and do something with it. It's, it's just, you see these breaches all the time and, and they aren't usually like a direct correlation to, oh, you hired this person, they got mad and then they did something. It's like that person had poor password, passwords on their machine and it's all the same on every system.

And it's like, it's hard to enforce those things.

[00:28:41] Colin Keeley: For sure. Do you wanna talk about our past ransom situation?

[00:28:45] Brent Sanders: Sure. Yeah. So we had a product that essentially had data that was on S3, like an S3 bucket, and that that key got leaked through a development environment. This was a, a long time ago, but it got leaked through a development environment and they were able to get access to one specific bucket and write to it, and which may means like with the keys.

They found on another tier, those keys still worked on another tier. And, and so this is a common thing, and I'm gonna get a little technical, but with Amazon, a lot of people that aren't super savvy with it, like will just try to get it to work, right? It's like just put the keys in, especially for development environments that have access to like all the buckets.

And there's a way to say, Hey, I want access to this to be able to read, write, and do all these things, but only this bucket. When you're in development, you're like, I dunno, just give it to everything. So it was a development bucket or development credential, but it had access to more, buckets than it should have.

So this, this essentially got found and over a period of time, somebody went in and took all the, the data, removed it and put a, a, a file there and said, Hey, email us if you want your files back within, this amount of time you gotta send us Bitcoin. And we're like, oh shit. This is, we didn't really know what the data was that was in there and we're, we're scrambling it.

So I found this, it was scrambling to understand, it wasn't even impacting anything. It was something that we were doing a routine check and found this. And so that was a first, and, and I know people who've had, their, their actual like systems. Like their machines bricked, essentially, you log into your computer and blue and it's like, Hey, you're not getting access to any of your data.

And so it's a common thing and this is the story essentially goes, reached out to the person. Again, I don't really remember what was in there and when I was going through that, I'm like, I don't know if I need this data. I don't.

[00:30:42] Colin Keeley: I it's a subset of customers too. It's not like all customers or something were inference.

Right?

[00:30:47] Brent Sanders: Yeah. It was like a subset of customer data and I was like, I don't know. This is like. Nobody's emailing me being like, Hey, my data's not there, or something's not working, or there's, I wasn't exactly clear if it was code or, or something that we use, like assets and emails, something along those lines.

So I just assumed we, we need it and we should have it. So, went through that process and it was hilarious in a couple of ways. So, I'm gonna cut to the end, but I'll, I'll then tell the story, but the, at the end, like, I realized I didn't need this data, so once I got the data back, I'm like, oh shit.

Like this isn't really. Important. Nobody needs it. And it's like, didn't affect any customers, didn't affect any outage, it didn't affect anything. So it was stupid in the end to go through this. But we went through it and, and there was biggest regret was paying the, the. The ransom. So this story is intended to help.

If you're in this situation, I'm gonna tell you why not to pay the ransom. So I email this guy, I assume it's a guy, I assume he is in Russia, based on like, or like an eastern European country of some sort, just based on his, his written English. So he wants, Bitcoin, which like, I don't have Bitcoin on hand, especially our company didn't have Bitcoin on hand, so I'm not gonna pay it personally.

So we, we essentially say, Hey, we are intending to pay it.

We wanna these files restored. So, they use like a database or like a file backup system. They send you like, here's essentially the files, but in order they've been encrypted in order to un basically decrypt them and, and restore them. Here's how you can do it. And so we need to get a key and they give you a time limit.

And so the scramble was really like, how do I even get money to them? Because everything I tried was like, oh, this is gonna take two days, four days, you have to do KYC. Like, I'm going through my personal Coinbase to try to figure out like, how can I move money to this, this wallet? So we eventually get them paid.

Then we start the transfer and, we have like five gigabytes, 10 gigabytes of data, and it's moving at like 10 K per second. I'm like, Hey, like this isn't gonna work. Like where are your servers? Like I can spin up a server to transfer this, but like, it's like, oh, you need to pay for premium transfer.

And then that was the point at which, oh fuck, this is like, this is not gonna be worth it. So I'll, I won't go through all the details, but essentially devolves from there. We try to make another payment, but it, it was like a partial payment and then it was like, it was just like, forget it. So we ended up getting the data back, but then I saw what data was in there and I, I think that's like the, the, the misgivings here is like, unless it was absolutely critical, like don't pay the, the ransom, even if it is critical, it's like a, you shouldn't be in that situation, which we shouldn't have been in that situation either.

Like we shouldn't have a development environment that. Has access to, or credentials that should be able to reach into a production environment in any way. This is the fun of like, acquiring companies, is you really do have to go through everything in every scenario, and it does build at least like lessons learned now.

I know different ways and, and things to go through. I mean, this isn't even like a diligence thing as much as like an operations thing of like understanding. As your team's developing, are they creating new credentials and having controls around those pieces? But I guess that's the, the short version of the story is don't pay the, the ransom, just move on.

I think we would've been, we've had more cash in the, in our pocket, but even more so we would've, we, at the, the downside, we've just recreated those files, that, that's the reality is like they weren't important files. They were basically files like trial users would generate. That didn't have any real meaning to 'em, and it was just stupid.

So I think knowing what's in your buckets as well would help. But it was I don't know. I don't have any other reflections. Do you,

[00:34:31] Colin Keeley: And my favorite part that you left out was, they're asking for some amount of Bitcoin and I was like, can we just, negotiate, we asked for give 'em less?

And they're like we don't negotiate. We're not your friend. That was my favorite response of theirs. Yeah.

[00:34:42] Brent Sanders: Well, they were my friend. They were very helpful in like. They had an extensive tech support, right? Like that seemed to be, and so we, I'm like trying to work through, okay, what's gonna happen when I pay you and how am I gonna transfer this?

And I, I wanted to know the details because I wanted to like validate like, is this person even like savvy enough or are they just, deleting these files and just try, am I gonna get, extorted any, but it's, I think the, what everyone tells you is like, just don't, don't deal with it, don't do it.

I mean, it's happening more and more. You'll see hospital systems getting ransomed. I believe the city of Cleveland just recently got all their shit ransomed. Yeah, the hospital

[00:35:19] Colin Keeley: ones are a mess. This has been happening a bunch. You and then we're in some like doctor group chats and they just basically operate off their phones and try to do whatever they can and like paper and phone calls.

But yeah, those are super old systems that they get knocked out. It takes 'em like a month plus to get back up. Yeah, it's wild.

[00:35:38] Brent Sanders: So it, it is de it. Definitely that incident renewed sort of my focus on security, on, existing systems that it's like, we assume all these things, you go through diligence, you go through a certain process, but then the products change.

Like you have teams working on them and, and just having regular oversight and reviews and frankly, penetration testing, like trying to go in and, and. Hire someone to go in and try to maliciously break stuff or do card testing. I mean, we run into it with, this happened with Scout, where, people were sending emails and we, we didn't even know you could, there were parts to that system 'cause they weren't exposed.

Right. And so slapping caps on new things, it, it happens. And these things do have, from a, I guess this is better yet, like less a legal thing and more of a security refocus of like, hey, these things have very real costs. Somebody's gonna send a hundred thousand emails through your SendGrid account, that's gonna, they're gonna charge you.

And so building these controls has been important. And it's been, it unfortunately doesn't affect MRR, right? It's like, I wanna be focusing on MRR, I wanna be focusing on growth. But, after that, I definitely, it's been spending time on making sure we're not gonna be, hemorrhaging money because.

Our servers are getting, redlined due to some malicious person testing credit cards, for, for hours and hours and on end. And by the way, like no software system is, is really like, impervious to this.

[00:37:09] Colin Keeley: Yeah. So all in all, a pretty straightforward, easy drug deal. You give them the money, they give you the data back, and it was all fine.

Although, lesson learning should be paid for very slowly.

[00:37:18] Brent Sanders: I thought that was, that was sort of the kicker. It's like, I'm gonna give you the drugs, but I'm gonna give you, I don't know what drug we're gonna use. Let's, let's use heroin. I'm gonna get a tiny bag. Even though you, you bought a big bag.

[00:37:28] Colin Keeley: Yeah. The rest is being walked over to you from, a thousand miles away.

[00:37:32] Brent Sanders: Yeah. I'm going through, the DTS while I'm waiting for my, my drugs that I already paid for. So, yeah, don't, don't pay the ransom there. There's just more hooks that they'll use to, to get outta you and just move on.

I mean, I think that that would've been the, the wise thing to do. Just say, fuck it. Like these files are gone. Nobody missed them. Not a single person was, even after they were restored, I, I've been watching them. Nobody's accessed them. These were like, it, it was stupid. So don't do it.

[00:38:02] Colin Keeley: Cool.

Anything else? Any other updates you want say before we sign off?

[00:38:07] Brent Sanders: No, nothing on my end. Just keeping an eye on my, my logs and making sure that security's on on point.

[00:38:13] Colin Keeley: Yeah, it's all easy. You buy a business and you add sales and marketing and it just goes up. No problems. Yep,

[00:38:19] Brent Sanders: exactly.

[00:38:21] Colin Keeley: Well, cool. That's all I got then.

[00:38:23] Brent Sanders: Cool. Thanks for listening.

[00:38:25] Colin Keeley: All right. Take care.
