Technology

Meet Window Snyder, the trailblazer who helped secure the internet and billions of devices

After the band played Miles Davis’ Seven Steps to Heaven, and an effusive introduction from the head of the school, Window Snyder stands in front of a hall filled with around 800 students at her old high school to receive an alumni award. Some of the students have a plastic spoon stuck to their noses, part of an end-of-the-year traditional school game — basically a game of tag — for seniors called “Assassin.” Most of them have their eyes set on the special guest.

Snyder is emotional. She hesitates, and has a hard time starting her speech. Once she does, she opens up about how much she struggled when she got here, to Choate Rosemary Hall in Wallingford, Connecticut, after leaving her mom and her life in California back in 1989.

At one point, Snyder recalls, her advisor asked her: “Are you sure this is the right place for you? Maybe you will be happier back home, somewhere else.”

But Snyder was sure, and it paid off.

“I never worked so hard for anything in my life. And then after leaving Choate, nothing was ever hard again,” Snyder tells the students. “And it’s not because I didn’t do hard things. I knew how to get hard things done.”

That may be an understatement.

In her nearly 25-year career in cybersecurity, Snyder was part of a group of people who pushed Microsoft in the early days of the mainstream internet to finally take cybersecurity seriously by embracing the notion that security needed to be part of the software development cycle — not bolted on afterward — and played a significant role in developing the first versions of the Windows operating systems that implemented that idea. She also helped convince the company that outside researchers, who were keen on pointing out flaws in Microsoft’s products, were actually allies, not enemies.

Having helped secure Windows, the operating system used by hundreds of millions of people in the world — and after a stint at another security consultancy and leading Mozilla’s security team at a time when users considered Firefox the secure alternative to Internet Explorer — Snyder moved to Microsoft’s then-biggest competitor.

In Cupertino, she managed Apple’s privacy and security teams. There, as part of a project she called “Apple Doesn’t Have Your Data,” she successfully lobbied and worked on enabling encryption by default in all Apple-made computers, iPhones and iPads, and iMessage, helping lay the foundations for the company’s reputation as a cybersecurity giant.

At the cloud computing company Fastly, Snyder built the security team and helped secure what she says was around 10% of internet traffic, which passed through Fastly’s infrastructure at the time. She has also worked at Intel, the payment company Square, and she got her start at the legendary and pioneering cybersecurity startup @stake.

“People don’t realize that Window is responsible for starting so many positive security improvements at major corporations that blazed a trail for other corporations to follow in their footsteps,” says Katie Moussouris, a veteran of the hacking scene and the now CEO and founder of Luta Security.

“It’s not just her work at Microsoft, it’s that she basically revolutionized security for the entire internet with her work there,” Moussouris adds. “She is more responsible for more technical and social changes inside of software companies than anybody else I know.”

“A lot of the big companies who are now doing things that seem obvious to them in retrospect, [it’s] because she went in and changed what they did,” says Dave Aitel, a well-known cybersecurity expert who worked with Snyder at @stake. “Her legacy is about changing big companies and moving big ships.”

Those who know her or have worked with her call Snyder “trailblazing,” “intelligent,” “impressive,” “technical,” “brilliant,” “driven,” “thoughtful,” “relentless,” “remarkable,” “wicked smart,” “professional,” a “leader,” “humble,” and “like a swan — so graceful on the surface, but paddling like hell underneath.”

As she admitted in her speech at Choate, however, getting where she is wasn’t always easy.

A picture of Window Snyder and Katie Moussouris, circa 2007. Image Credits: Katie Moussouris (supplied)

Snyder was born in 1975 in New Jersey to an American father and a Kenyan-born mother. It was from her mom, Wayua Muasa, where she got her determination and love for technology, Snyder tells me.

Muasa, who was raised in Machakos in rural Kenya, was part of the Akamba people, and had a humble upbringing. Growing up, for example, Muasa shared the same sweater with her sister. She would wear it in the morning, and then her sister would wear it in the afternoon when she went to school. Years later, she received a scholarship to attend university in Boston in the mid-1960s, arriving in the U.S. just as the civil rights movement was igniting.

“She worked incredibly hard to make sure I have every opportunity that was available to my education,” Snyder said.

When she raised Snyder, Muasa transitioned from teaching to working as a mainframe software engineer. After she taught herself how to code, Muasa wrote in COBOL, a coding language invented in 1959. When Snyder was five, Muasa brought home a Texas Instruments 99/4A, a popular home computer at the time.

“I have these wonderful memories of her sitting at the kitchen table with a stack of — just a huge stack of green bar printouts. And her flipping through and debugging with a pencil at the kitchen table in the evening,” Snyder says.

Computers had been part of Snyder’s life since she was little. Growing up, she says, she used to do basic programming on her mother’s computers. When she got to Choate, computers weren’t much of a “novelty” and they simply felt like “a tool.” So, she cultivated other interests, and had different ambitions than getting into technology.

“I thought I was going to be a writer, I was very excited about literature classes, and I was excited about the arts, and I was into theater and I was singing,” Snyder says.

During high school, Snyder says she was also into photography and spent a lot of her free time in the photo lab, and was the photo editor for the yearbook.

“She basically revolutionized security for the entire internet.” Katie Moussouris

But then she went to Boston College in the early-1990s, where she decided to study computer science and mathematics. Even though she initially had no idea that there were others out there with an interest in hacking, at the time the city’s hacker scene was burgeoning, especially around the MIT campus.

Snyder began frequenting first bulletin boards and then IRC chat channels, such as #NewHackCity, and started playing with a computer made by Digital Equipment Corporation (DEC) that ran Ultrix, an operating system that was designed to be operated by multiple users.

That’s when Snyder had, perhaps, her first hacker inspiration.

“My question was: what’s keeping my data separate from everyone else’s? What’s keeping my process separate from the kernel?” Snyder recalled asking herself, referring to the core part of the computer, which controls almost all the other processes running on the machine.

This led to her obsession with studying and taking apart DEC computers — so much so that she later named her cat Digital Equipment Corporation, who passed away in 2016 after living an impressive 20 years.

“I was just inhaling as much information about the operating system as I could, taking operating systems classes and learning about these things, and then building tools to try and circumvent these security mechanisms,” Snyder says.

To truly understand how those computers worked, she needed to get her hands on them, which wasn’t easy since they were already a bit dated. Some of them she found on eBay, and some at the MIT flea market, where a group of young hackers who went by “L0pht” — now considered one of the most influential hacker groups in the U.S. — often hung out and sold hardware they didn’t need.

In his recent book, Cris Thomas, who’s known as Space Rogue and was one of the original members of the L0pht, recalled meeting Snyder at the flea. Thomas writes that he and the others had several computers made by DEC that they had little use for, among them, a MicroVAX II model from 1985. At the time, the group had an internet bulletin board — a precursor to online forums — where they would post what hardware they were going to bring to the flea. Snyder, however, saw a post on a different bulletin board, where the MicroVAX II caught her attention.

“Are you the guys with the VAX?” Thomas remembers Snyder asking when she approached them.

Thomas wrote that he was taken aback, as Snyder didn’t look like most of the people at the flea.

“I was a little stunned at first, not understanding what it was she was asking for; I’d heard VAX and was thinking about one of the huge ones still back at the L0pht, and she didn’t quite match the ripped jeans, dirty t-shirt, and black-leather-jacket cyberpunk aesthetic of most of the other people at The Flea,” he wrote.

Despite her looks, she was one of them, a hacker. At the time, she went by the online handle RosieRiv, or Rosie the Riveter, a feminist and empowerment icon.

It didn’t take Snyder long to graduate from hacker to cybersecurity professional, becoming the tenth employee at one of the first cybersecurity consultancy companies in the U.S., called @stake, at the end of the 1990s.

The company comprised a who’s who of hackers, many now among the most well-respected in the world, such as ex-Facebook chief security officer Alex Stamos; the operational security expert the Grugq; Peiter “Mudge” Zatko, who worked at DARPA and Twitter; Aitel, the founder of Immunity and the Infiltrate conference; and Moussouris, who would go on to become a pioneer of bug bounties.

One of the company’s most important customers was Microsoft, at the time the biggest software maker in the world. Chris Wysopal, also known as Weld Pond from his L0pht days, worked with Snyder at @stake. Wysopal says he remembers that whenever Microsoft called, the @stake folks would say “let’s send in the dream team,” and that included Snyder.

During those years, Snyder also worked with Frank Swiderski, with whom she would later write a book about threat modeling, a cybersecurity process by which one identifies, communicates, and understands the threats that an organization or a specific software faces, and finds solutions to handle them. Threat modeling is now a standard process throughout not only cybersecurity, but tech in general. At the time, it was a novel concept, and while Snyder and Swiderski didn’t invent it, they certainly were among the first ones to codify it.

“It was designed to allow someone to very quickly understand where the areas of greatest vulnerability or greatest opportunity were for the attacker,” Snyder says. “Looking at entry points, tracing data flows through the system, you can do it with the developer who is familiar with the system. And then it helps you prioritize which things you should be working on.”

Threat modeling was one of the methodologies Snyder codified at @stake. Another one being what’s called the “security development lifecycle,” a framework with which developers take into account security and privacy from the beginning and alongside the development of the app or system they’re working on.

At the time, these were pioneering concepts.

Wysopal says, “Back then, I feel like we were both learning how to take our interest in hacking and sort of adversarial ways of looking at things, and professionalizing that as pen testers and threat modelers, and selling those services to companies.”

“So, I feel like at that point in time, she was instrumental in developing how to professionalize a lot of those services,” Wysopal says.

Frank Heidt, another one of Snyder’s @stake colleagues, says that “one of the things that Window did was bring this kind of discipline to everything, methodologies, written down, disciplined, repeatable methodologies.”

“She was like a pioneer for our industry. None of this existed,” Heidt adds.

Snyder and Swiderski impressed Microsoft’s executives so much that the software giant poached them and brought them on board, with the goal of bringing their knowledge of threat modeling and the security development lifecycle to Redmond.

Window Snyder poses in front of a building at her old high school, Choate Rosemary Hall. Image Credits: Ben Hancock/TechCrunch

When Snyder and Swiderski joined Microsoft, the company was struggling with viruses and the perception that it wasn’t taking security seriously. These were the times when hackers released a tool for hacking Microsoft Windows called Back Orifice live on stage at the hacking conference Def Con as a way to taunt and embarrass the software giant. In response to the negative attention, Microsoft’s then-chairman Bill Gates launched the so-called “Trustworthy Computing Initiative,” an effort to put the security of the user at the forefront of all Microsoft employees.

At Microsoft, Snyder was an integral part of the security teams who worked on introducing a raft of new security features, such as a firewall, security checks in its email app Outlook Express, and several improvements for Internet Explorer, in Windows XP Service Pack 2, released in 2004, as well as Windows XP Professional x64 Edition, released in 2005.

For the latter, Snyder was chosen to represent the security team at the daily meetings — called “the war room” — where representatives for all the teams working on the operating system met to discuss progress, issues, and potential solutions. At the time, Snyder was still a junior employee, so it was unusual that she was chosen to go to these meetings.

“It was an assignment that one would give to a senior program manager. We were relying on her to basically represent the security team in the day to day decision making as the release came to completion,” says Steve Lipner, who was Microsoft’s director of security assurance and Snyder’s manager at the time. “That was a responsible position and she did a good job.”

Clyde Rodriguez, who headed the engineering effort for the Windows XP Professional x64 Edition operating system and the war room meetings, says Snyder “was one of the most critical partners” that he had in that project, because he had a “high degree of trust in her judgment.”

That’s why Rodriguez says he always made sure teams proposing significant changes would consult Snyder to understand the security implications of their proposals.

“She was like a pioneer for our industry. None of this existed.” Frank Heidt

“Many times I would not accept anything unless Window said it was okay,” Rodriguez recalls. “There were others who also had an influential impact. But Window was one of them.”

When they were very close to finalizing development, Rodriguez remembers that Snyder was one of the last people he wanted to get the final thumbs up from.

“‘Do you think this is ready?’ And ultimately, when she said yes, I felt confident in going ahead,” Rodriguez says.

At the same time, Snyder also successfully pitched Microsoft executives about holding a cybersecurity event inside the company. She called the event Blue Hat, a play on the term “black hat” — cybersecurity lingo for hackers with malicious intentions — and the fact that only people with a blue Microsoft badge could attend it. During the event, outside security researchers would come to Redmond and tell both executives and employees what security researchers do and how they found vulnerabilities in the company’s products. Blue Hat would later go on to become a full-fledged public conference that is still running and attracts hundreds of attendees every year.

“Window was the person that I always thought more than anybody else convinced the company: ‘No, these are people that may do it in a smarter way than you may, but are trying to help make your product better’,” Lipner says.

Snyder’s work at Microsoft was noticed across the industry.

“As a security researcher outside of Microsoft it was her work that made us all grumble and groan because a lot of things were now impossible to do on the newest versions of the operating system,” Moussouris says.

And, Moussouris says, making Windows more secure at a time when the operating system had a near monopoly “meant securing the whole internet.”

In 2010, after working at the consultancy Matasano and later Mozilla, Snyder joined Apple, where she was the only product manager responsible for the privacy and security of all Apple products.

Andrew Whalley, who worked on the security engineering team at Apple from 2010 until 2016, says that when Snyder joined, she brought to Cupertino the “very user centric security and privacy mindset” that she championed at Microsoft and Mozilla.

Three years after the launch of the first iPhone, Apple was starting to grapple with the reality that people were putting their whole lives on those devices. These circumstances required radical solutions to keep people’s data safe.

Snyder’s idea was essentially to reduce the amount of user data Apple had access to.

“If the data’s on your infrastructure, if you’re the custodian of that data, then you have a duty to protect it, and protecting it is hard. So let’s minimize our own access to it, as a method for creating better security solutions,” Snyder remembers thinking.

Jon Callas, a veteran cryptography and security expert who worked at Apple at the time, says Snyder helped change the conversation inside the company.

“That focus on user level security,” which is now front and center at Apple and Google in terms of what they do with iOS and Android, Callas says, “that mode of thought goes back to the sorts of things that she was pushing” in the late 2000s and early 2010s.

Snyder advocated for and worked on some of the most important new security features that Apple would ever launch. Among those include making its flagship messaging app iMessage end-to-end encrypted — even before apps like Signal and WhatsApp did it — so that nobody else, not even Apple, could read a person’s private conversations.

Under Snyder’s watch, Apple made full disk encryption, called FileVault, the default for macOS computers, making it considerably harder to access data on a powered-down MacBook with a strong FileVault password. Microsoft’s equivalent for Windows (called BitLocker), on the other hand, was for many years geared toward companies and enterprises, and not enabled by default.

And, during Snyder’s tenure, Apple made almost all the data inside a person’s iPhone encrypted unless the phone is unlocked with only a passcode known by its owner. After this change, if anyone loses their iPhone and it’s protected by a relatively strong passcode, it’s virtually impossible to access its contents unless you have the resources of a law enforcement or intelligence agency. In practice, this made stealing iPhones much less attractive.

The last development was especially significant, according to Callas.

“While it is not perfect, it is nonetheless true that for the vast majority of people, let’s say, I could hand you my phone, walk away, and come back in three hours and have confidence that you hadn’t gotten anything,” Callas says. “This is so significant that it creates the world that we’re dealing with now, which is things like there are special devices like [iPhone hacking tool] GreyKey and other things that people use to unlock phones.”

This feature has been controversial in law enforcement circles, with the FBI fighting Apple in court to force the company to build a tool to unlock the iPhone of the San Bernardino shooter. Eventually, a zero-day maker sold the FBI an exploit to unlock the phone.

“The FBI would not have needed that had Window not worked at Apple,” Moussouris says. “She’s the reason why Apple technology is that much harder to break into.”

Once Apple pushed these innovations out to consumers, other companies like Google followed suit, turning encryption on by default on its Android devices.

“She’s the reason why Apple technology is that much harder to break into.” Katie Moussouris

In line with Apple’s notorious culture of secrecy, when Snyder joined the company, a lot of the work done by the security team wasn’t advertised outside of Apple. At the time, most of the iPhone’s security features were documented by early jailbreakers, a ragtag group of hackers who were obsessed with getting around the iPhone’s security mechanisms and sharing their knowledge publicly.

Snyder and others thought Apple was letting people outside the company drive the narrative about the security of the iPhone at a time when Apple engineers were making significant advancements in the state of the art of mobile security — and were very proud of it.

That’s why in 2012 she convinced the company’s higher ups to publish the first-ever whitepaper on iOS security, which detailed all the security mechanisms included in the iPhone.

“There was definitely a feeling amongst the security people within Apple that we had a really good, secure product,” Whalley says. “That we had been doing the right thing for the users and the product, and the missing piece was talking about it.”

The next year, Snyder was part of the push to make macOS upgrades free, which meant that security updates were also free for anyone with an Apple computer.

“The world that we are in now, where we take things for granted about the security of our laptops, our phones, and everything, owes a huge debt to the fact that she was quiet and relentless in advocating for these things, and exploited the willingness of management to listen,” Callas says. “Her influence in the late 2000s at Apple is absolutely instrumental in seeing ubiquitous security today.”

Window Snyder talks to students at her old high school, Choate Rosemary Hall in Wallingford, Connecticut. Image Credits: Choate Rosemary Hall/Flickr

After a career helping secure some of the most popular software and hardware in the world, Snyder is now going it alone with her new startup called Thistle Technologies, which she launched in 2020. Her new goal: securing the diverse and disparate world of internet-connected devices that are starting to be ubiquitous inside our homes, as well as inside critical infrastructure networks — often referred to as the “Internet of Things,” or IoT.

These devices — think smart light bulbs, routers, thermostats, baby monitors but also water treatment and energy plants controllers — have varying levels of security. Often, however, they are insecure by default. Perhaps that’s because they lack a mechanism to update remotely or automatically to patch vulnerabilities. Sometimes it’s because they have default, hardcoded credentials that are easy to guess, such as “admin” and “password.”

To secure them, Snyder says she is building a set of tools, libraries, and backup services “that developers can quickly incorporate into their devices to get to a modern security architecture really quickly.” In other words, Thistle is an easy-to-deploy security infrastructure that IoT makers can just plug in and almost forget about.

“She’s trying to change the whole industry.” Dave Aitel

“The goal was to try and take on this industry wide problem, which is that device security is incredibly inconsistent. And in places where it’s implemented, it might not be implemented to the degree of resilience that’s required for the threats these devices are up against,” Snyder says. “That is a way to make it easy to bring the security functionality, sophisticated security work to device developers to allow them to not have to worry about the security plumbing, incorporate it easily, and then get back to developing the customer facing features that are their bread and butter.”

Aitel says this shows once again how ambitious Snyder can be.

“She’s trying to change the whole industry, the industry of those stupid routers that we all have, and they have no security update, and we never thought they would,” he says.

For Snyder, this was the natural next step to take.

“If we focus on accessibility, if we focus on opportunity, if we focus on democratizing the security functionality, then we will all benefit from that kind of work,” she says. “And that’s what we’re hoping to do at Thistle Technologies. And it really feels like that’s what I’ve been trying to do my entire career.”

As a Black woman in cybersecurity, Snyder has been an inspiration for a whole generation of hackers who may not fit the stereotypical mold of a dude with a hoodie and a bunch of stickers on his laptop.

Lodrina Cherne, a forensics instructor at the cybersecurity training organization SANS, and who is a woman of color, remembers finally meeting Snyder in 1999 at the hacking conference Def Con in Las Vegas after having heard a lot about her online.

“I’ve used her and certainly other role models I met at the same time, other women who have since gone on to do really great things in the last 20 years through today, as examples for the belief that I hold very strongly, and the belief that I pass on to my mentees,” Cherne says. “That it doesn’t really matter what a cybersecurity professional today looks like, or what you think a cybersecurity professional should be.”

Obviously, there’s still a lot of work the industry can do in this department. And it’s taken a lot of sacrifice from people like Snyder, who have been breaking the glass ceiling for others.

“If I had realized how few women I would have met in my professional capacity, I would have chosen something else. If I had realized how alienated I would feel in these communities, I would have chosen something else,” Snyder says. “And the hacking community is incredibly racist and misogynist, and that’s an awful place to be in.”

But thanks to her passion for hacking, and her decision to stay in the industry, make a difference and have an impact, others can follow in her footsteps.

“For somebody like me,” Cherne says, “it’s very obvious how huge her influence has been. I think others could certainly recognize it.”

Others are definitely seeing it.

After receiving the alumni award, and delivering her speech in front of the students, Snyder walks through the college-like campus of her old high school, almost 30 years after she graduated, when a young Black student sheepishly approaches and waves at her.

The student thanks Snyder for the speech she gave earlier that day. She says she’s on the school’s robotics team, and seeing a Black woman like Snyder succeed in a field where there’s so few Black women was inspiring.

Snyder smiles, holds both of her hands on her chest, and says: “Thank you.”

Window Snyder, founder and CEO of Thistle Technologies, will be a guest on Found Live at Disrupt in San Francisco on September 21. Get your tickets here and use discount code FOUND.

Leave a Reply

Your email address will not be published. Required fields are marked *