Hear from host Paul Spain and Julian Wendt (nWebbed) as they unpack the latest NZ Tech report, revealing the impressive growth of the tech export sector, the launch of Pātea, a new app to address gambling harm, and skepticism over massive tech investment figures from global tech giants. Other news included Amazon’s Project Kuiper satellite internet progress, Philips Hue expanding into motion detection and doorbells, Google’s softer-than-expected antitrust ruling, Trump’s ‘Tech dinner’ and a widespread breach impacting major SaaS tools like Salesloft and Drift. Julian delves into nWebbed’s darknet monitoring platform, discussing the challenges and ethics of gathering intelligence from the darkest corners of the internet. The episode wraps up with insights on best practices for digital security and a call for all New Zealanders to stay vigilant.

NZ Technology Sector Key Metrics – 2024 Report
Pātea App – Māori Gambling Harm Digital Platform


Special thanks to our show partners: One NZ, 2degrees, Spark NZ, HP, Workday and Gorilla Technology.

Episode Transcript (computer-generated)

Paul Spain:
Hey folks, greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain and privileged to have Julian Wendt from nWebbed joining us on the show for the first time. How are you Julian?

Julian Wendt:
Doing well, thank you very much for having me, Paul.

Paul Spain:
Great to have you on the show. Maybe you can just let people know where you fit into this big wide world of tech in New Zealand.

Julian Wendt:
Sure. So I come from a technical background so have been involved in security analysis, incident response and, and security consulting in the form of technical assessments, that sort of thing. And for the past few years have been entirely focused on nWebbed intelligence, which is the darknet monitoring tool we’ve been developing.

Paul Spain:
Excellent, excellent. So yeah, we’re looking forward to getting into that. So a bit more to chat about across the show. So we’ll jump into the tech news and so on of the week and of course before we do that, a big thank you to our show partners to One NZ, 2degrees, Spark, Workday, HP and Gorilla Technology. Well, first up this week we have now the latest report from NZ Tech, not a related entity to New Zealand Tech podcast, but from NZ Tech with their, the, the tech sector kind of, I guess key, key metrics that they’ve, that they’ve shared. And look, one thing that I find still surprises people is just the scale of the tech sector in New Zealand and its importance to New Zealand. And in fact I had this with a topic that came up recently on Herald now with Ryan Bridge and he was a little bit taken aback at the potential for the tech sector to become New Zealand’s number one export earner in potentially next few years ahead. And he had no idea because of the way that the statistics and numbers are broken down from an export perspective, usually tech isn’t on the list.

Paul Spain:
And this is part of the reality, I guess the threads of technology run through every part of business, every industry. What do you count as tech, what’s tech, what’s not and so on. Right. And even when you look at our number one export earner being dairy, of course there are elements of, of technology, you know, being used absolutely on the farm and right through the process from.

Julian Wendt:
Start to finish and exported. I mean if you’re talking about dairy specifically, we’ve got Kotahi, the logistics arm of Fonterra and they develop a lot of tech in house and they will use that with their partners and export it effectively. So to your point, it runs through so many different industries and that’s probably why a lot of people don’t realize just how much of a factor it plays in our economy.

Paul Spain:
Yeah, yep. And, yeah, and the likes of, you know, Halter of. Of course, you know, there’s really just so much when it comes to the world of. Yeah, that’s just, just agritech. So, yeah, that’s probably was one of the first things to sort of call out on the report. Now in this report that we’ll be linking to in the show notes, you can go and delve into the PDF and explore it in your own time. They quote 11.4 billion New Zealand dollars worth of tech goods and services exported in 2024. So it does take a little while for this report to get to us.

Paul Spain:
We’re obviously a good chunk of the way through into 2025. But, yeah, great to, you know, great, great to see these numbers and to see the increases and it’s also, I think, encouraging in the current economy where things have been pretty tough to recognise that, you know, those that are involved in the tech sector are involved in a sector that is growing. It continues to grow at pace. I think here they’re talking about the overall sort of combined revenue, not just export, being 18.2 billion. So, you know, some really, really good, good numbers. And yeah, I think, yeah, there’s lots of, lots of positives in there. It’s not, you know, it’s not all perfectly rosy in the current economy, but yeah, there’s certainly some, some pretty positive takeaways. It is interesting to see the breakdown of, I guess, how things are sort of split up between Auckland and Northland and Waikato and all the different regions around the country in terms of the workforce.

Paul Spain:
So the people. And at the moment we’re seeing in total across. They put two categories, high tech manufacturing and ICT. And if we look at those in total, they’re saying 52.3% are in Auckland. That’s followed by Wellington and then Canterbury, where the biggest, the biggest sort of slices are followed by, I think it’s Waikato and then Bay of Plenty and onto Otago. So, yeah, lots of good employment going on right around the country and even into small regions.

Julian Wendt:
Really heartening to see and there’s still so much more room to grow. That’s the beauty of exporting knowledge. You can export it time and again and we are a very curious and innovative culture. So it only fits that we should start leveraging that a little bit more.

Paul Spain:
Yeah, yeah. And the other, the other thing that stood out was on our software exports side. So they’re saying over the last decade, 22% compound annual growth rate. So just, you know, continues to be, you know, really significant. And you know, that’s, that’s across, you know, a really broad range of software that’s being exported. But that’s exactly as you say when you’re, when you’re, when you’re exporting, you know, bits and bytes and data and you can export, it’s a great place to be. So it’s good to see that growth as well, continuing strong.

Julian Wendt:
And something which I don’t think a lot of New Zealanders consider is our reputation internationally. We have a very good reputation internationally as a trustworthy partner as having good business processes and controls to ensure that if you purchase software from New Zealand or purchase anything from New Zealand, you’re going to be well looked after, it’s going to be properly supported and you don’t get that with every country. And now add to that all the geopolitical tensions going on. We’ve kept our noses clean there too, relatively speaking. So there’s a lot of opportunity for us to export software and for us to export our knowledge.

Paul Spain:
Also on the local front, interesting to read about this new campaign and app called Pātea, which is designed to help reduce gambling harm in New Zealand. And the stats I saw RNZ reporting was gambling loss in the country at over 2.6 billion each year and Māori and Pasifika being disproportionately affected. And so what we’ve got with this, this new app and the supporting campaign and so on as there is this real focus on, I guess providing, you know, tools that are maybe, you know, more culturally helpful to help families kind of deal with the challenges related to gambling. So always, you know, really encouraging to see technology being used in innovative ways to solve, you know, non technology problems. But technology coming, coming in and, and being leveraged in smart ways and yeah, these, these things are really, really challenging to deal with. So yeah, it’s good, good to see those, those efforts. So we will, we will, we should be able to link to that in the show notes as, as well we know. Yeah, when you hear figures like that, it’s a reminder that there are, you know, probably more families than we would, than we would like that are impacted by these sorts of challenges.

Paul Spain:
Right.

Julian Wendt:
It’s addiction. Anything we can do to help reduce the effects of addiction. And I mean we’re speaking specifically about gambling here but in general I am 100% supportive and hopefully we can help undo some damage there.

Paul Spain:
Now onto the, onto the global front, I think a lot of people would have seen somewhere around Trump’s tech dinner, his own version of the New Zealand tech podcast, but the Trump White House version where a whole lot of, I guess, tech titans from across the U.S. you know, put their heads together over a meal. Now, we don’t, you know, we don’t have too much detail on what was and wasn’t discussed, but certainly the media were able to sort of film a portion of it. And you know, I don’t know if you caught some of it, but you know, what I noticed when I saw the coverage and it was, you know, zooming in on the, the likes of, you know, Tim Cook from Apple and, you know, Bill Gates and Sam Altman and Mark Zuckerberg, you know, et cetera, et cetera. So the top leaders when it comes to the tech world. And there was, you know, effectively each of them in the bit that, you know, I caught with, you know, thanking Trump for being awesome and then highlighting how much money that they were investing. And this is where there felt to me like a little bit of a link with what we were talking about. Last week we delved in quite a lot to AWS’s local New Zealand region data center reannounce or, you know, recommitment to a 7 and a half billion dollar investment into New Zealand, which, you know, based on, you know, what’s been shared to back it up, feels very hollow.

Paul Spain:
And it seemed, it seemed quite like that. And in fact, there was a hot mic moment where it turned out that I think Mark Zuckerberg had been a little bit caught out, even though these questions and I’m not sure what order they were asked and when they got to him, but he was asked what Meta were investing and I think he came back with a $600 billion, you know, figure or some, you know, a really, really big number after we had heard a range of other big numbers. It was, it was Microsoft that was, was, you know, maybe at the softer end, which is interesting because when we look at their, you know, their market cap, you know, they’re second only to Nvidia and heading in the direction of being a $4 trillion US business. And what they were talking about investing was maybe a tenth of what Apple or Meta were suggesting. So I don’t know how it felt for you, but to me it’s really just quite hard to believe some of the figures that were put on the table. And with that hot mic moment where Zuckerberg was, you know, caught apologising or, you know, just discussing with Trump quietly afterwards, like, oh, I was a little bit caught out by that wasn’t sure what number you wanted me to say. And yeah, so I just, you know, that was what popped into my head sort of thing. Yeah, I’m not, I’m not, I’m just not sure that there’s the substance behind some of the numbers.

Julian Wendt:
We see that quite a lot with especially some of those tech companies you’ve just mentioned. And it’s interesting that Microsoft have been much softer on that front. Microsoft have a much more mature business model in a lot of ways. And I have found that the numbers that they claim they’re going to invest in something tend to stack up a lot more in hindsight than what we hear from some of these other names we’ve just mentioned. Also, just backing up a little bit. If we want to compare Trump’s tech podcast and ours, we’re going to have to be a lot more self congratulatory.

Paul Spain:
Julian, you’re looking good today, mate. How much are you investing?

Julian Wendt:
I believe it was 600 billion.

Paul Spain:
Yeah, cool, cool. All right, we’re catching up. Yeah. Look, it just throws me when, when we’ve got what appears to be blatant either dishonesty or stretching of the truth. Right. Because, yeah, it depends how you look at these things. But I had a, I won’t disclose the name because I, you know, I was asked to keep it quiet, but after last week’s episode came out, I had a communication from one of the top executives in a company that competes pretty closely with AWS after listening to the episode. And they were certainly challenging the believability of what was said.

Paul Spain:
And look, you know, I’ve been looking at some of the numbers that have been shared publicly. There has been some, you know, some other good content online discussing this topic. I think it was Newsroom who came out very, very strongly, you know, pushing back on AWS’s claims. Now, I’m not sure how much on these topics and it is hard when, you know, AWS haven’t shared too much publicly, so it’s a little bit hard to know exactly what is fact and what is kind of joining up the dots and speculation. But certainly some pretty big, you know, push back on AWS’s claims. But one of the numbers that I saw floating around out there was suggesting that Microsoft’s data center that was right next to the one that everyone was expecting AWS to open and is, you know, still unbuilt out in Westgate area, West Auckland. The numbers I saw on that are in the sort of 300 million New Zealand dollar range. So yeah, how you get from that to the 7.5 billion, you know, is this over 100 years? Like, you know.

Paul Spain:
Yeah, it concerns me and I think what it does is it is, it creates a scenario of, of distrust where, well, how can we now trust these firms if they’re not, if they’re not being honest with, with us or if they’re not being, not being straight with us? And yeah, it’s, it’s, it’s not good. And certainly I, you know, I was, I was left with, with, you know, a number, number of questions around the new jobs, the numbers and you know, in fact, you know, I messaged some of the folks at AWS and said, look, by your lack of transparency, you know, really you create a trustworthiness issue for AWS now within the New Zealand market. And before last week, this was a brand that generally had a lot of trust. Now I’m sure, you know, this will get forgotten in time and so on as these things do. But yeah, right now I think it takes away an edge of credibility away from AWS. And I think one of the things that they were really clear on with me when I asked questions around their data centers was, and this is a global thing, so they’re just falling into line with global guidance was they refused to really tell me anything in terms of ownership of data centers, locations and the like. One of them is, oh, we can’t possibly let you know where any of our data centers are. Well, I went online and looked up where there are data centers in Australia.

Paul Spain:
It’s all public information. Like you can’t hide that sort of information. Right. So there’s a level of ridiculousness to it. And this is something that I guess their local public relations folks in New Zealand and Australia just have to follow the guidance that they’ve been given internationally. But it makes everyone in this part of the world look not good, including their local country manager, you know, who’s probably a very, very capable and talented leader. But because he was dodging around the questions and not answering straight as well, you know, it calls the credibility of.

Julian Wendt:
These leaders into question 100%. And I mean, you’ve already touched on it. This is something we’re seeing more and more from these types of tech companies. They will stretch the truth and I think it helps get splashy headlines, maybe bring up share prices for a few weeks as people get really excited. But it’s to the detriment of long term credibility. So I don’t know what your take is on it, but what I’m seeing is they’re taking that short term approach of oh, the shares will be worth more tomorrow if we make these big outlandish claims today. And they don’t really think about how is that going to impact us next year.

Paul Spain:
Yeah, and we’ve seen it in other announcements in the US over the last few years with oh, we’re a company saying we’re opening X sort of factory in the US and then the factory, we’re making a big tech investment into the US and then the factory never eventuates. And yeah, these big numbers that, that we heard at that dinner with Trump and you know, these recent announcements. Yeah, I just don’t think they’re, they’re good and I hope it doesn’t, you know, set a trend. I think it’s actually appropriate that there should be backlash, you know, against this sort of thing. And you know, I’ll certainly be asking more questions going forward when we get these sorts of announcements of hey, I’m not sure I believe you need to back it up. And you know, I think, yeah, at the moment what we’re not getting is the backing up some of these claims and these numbers. And I think, you know, if we were to look again in a year’s time, two years time and I don’t know how much information will be available but it’d be interesting as to, you know, who’s actually met their investment commitments in New Zealand, the US and other areas. And probably we won’t know because there won’t be enough transparency either.

Paul Spain:
So you can’t be sure.

Julian Wendt:
So I think it’s great that you will continue to ask those questions, the what happened here question and hopefully we won’t just see lots of dodging and dancing.

Paul Spain:
Now something very positive I think on the Amazon front is Project Kuiper. So this is I guess the closest thing we have to a Starlink competitor. Not launched publicly yet, but just I guess in the last few days we saw that Amazon have signed up JetBlue pretty good US airline. I think they’ve probably had some struggles in the last few years but I’ve flown them a few times and, and you know, found them to be a reasonable airline. So they are going to be, in fact they might have been, they might have been the first airline that I went on that had free in flight Wi Fi and this would be going back a good few years and of course in flight Wi Fi’s now been around for a really long, long time since, since we, you know, that was first, first trialed and so on. But they’re going to be relying on Project Kuiper to deliver that. And the other bit of news was they’ve shared some pre launch speed test results and seeing speeds that are a lot more impressive than Starlink and how this actually plays out in the longer term. What their pricing is, are they just focusing on the, the business market or are they going to be doing a direct compete with Starlink over time? There’s a fair bit more.

Paul Spain:
We’ll see how that actually plays out in reality once they’re in the market and they’re rolling.

Julian Wendt:
I’ll also be interested to see whether they’re prepared to do deals with the defence sector, whether they want to keep it civilian or whether they go down that route. Starlink kind of split itself in two in order to serve the defence sector as well. I’ll be very interested to see what Amazon do in that regard.

Paul Spain:
Onto other topics. The big tech event that happens in Germany each year in Berlin IFA, is taking place now. Lots and lots and lots of tech announcements over there. It kind of almost halfway between, actually it’s a bit further than halfway, but from CES which takes place in January in the US and lots of tech announcements there, but yeah, there’s a bunch there. Probably won’t really delve into those today, but I see Chris Keall from New Zealand Herald is over there, so he’s sharing a little bit from there. One of the tech brands has taken him across, so I’m sure he will be enjoying that. One of the things that did come up on my radar, and I guess it’s a brand we’ve talked about a few times over the years is Philips Hue. They’ve made some new announcements which were incidentally where he accidentally leaked apparently on, on Amazon.com a few days ahead of when they were, they were supposed to come out.

Paul Spain:
But one of the things that they’re adding is a capability called Motion Aware. Now this effectively allows your light bulbs to indicate that there’s motion. So without having to get a sort of a traditional motion sensor device, the way individuals will interfere with the ZigBee radio communication that they have built in, there’s, there’s enough of a, I guess a disruption as people, you know, come in and out of a room and move around and so on for them to detect that, that presence and motion especially. So I thought, oh, that, that’s, that’s quite interesting. There are obviously other ways of detecting motion, but having having your light bulbs able to do it for you, that’s, it’s, it’s not a bad idea. And the other thing that, that jumped out is that the Philips Hue brand launching a, a doorbell. So I guess competing with the Ring doorbells and all the other ones on the market. So yeah, filling out their stack of consumer tech IoT products.

Paul Spain:
Right.

Julian Wendt:
Makes sense for Philips to get into the smart home side of things and certainly one of the more reputable brands to get into it.

Paul Spain:
Yeah, well, I mean it’s interesting because I think they carry the Philips name but I think they sit under Signify. So which I don’t think is actually. And these things always move. So I haven’t kept my finger completely on the pulse but I don’t think as far as I’m aware that Signify is owned by Philips but I think they’ve probably got a, you know, it was a licensing. They bought the Philips Hue brand and they’ve kind of kept that naming. They also own Wiz Smart Lighting. So that’s the other brand that sits under, under Signify. And yeah, I think they’ve probably got a number of, a number of, of brands overall.

Paul Spain:
Overall that sort of are within their world. But I’m not, I’m not sure of the technicalities of their, their ownership of, of the Philips branding. Exactly.

Julian Wendt:
So probably requires a team of lawyers to actually get to the bottom of.

Paul Spain:
It to figure it all out. Yeah yeah, but yeah, it’s certainly a really well established brand and you know, good to see continued action going on. Now Google, there was the big antitrust, you know, case against sort of Alphabet Google and there was some suggestion they were going to have to split up the business and that that would mean that Google would have to divest of Chrome, that Google would no longer be able to do search deals and that, you know, that that could even, you know, create, create a scenario where, where Firefox might end up being hurt by this, shall we, shall we say because Mozilla Foundation who make Firefox get something like 85% of their revenue from their search deal with Google. So it turns out, thanks to, thanks to the world of gen AI, that whilst the, the judge has ruled that Google is a search monopoly because of the rise of of AI, the actual, you know, impact of this is nowhere, nowhere near, you know, what it was speculated that it could be. So, you know, there’s a bit of sort of, you know, softening of how they have to do, you know, they can’t do exclusive deals with browser manufacturers that block out, you know, any other partnerships. But realistically if they’re throwing the most money at it they, there probably won’t be necessarily be a big difference going forward. I guess that’s a little bit of a wait and see.

Julian Wendt:
I’d say they’ll still be the default search engine if they’re the default payment provider for Mozilla. Stands to reason they’ll still be the default search engine, doesn’t it?

Paul Spain:
Yeah, I mean, I guess there’s a possibility with this sort of thing that it ends up in a bit more of a, a bidding scenario so that, you know, a Microsoft or I mean there aren’t too many other sort of, you know, search engines I guess. You know, Microsoft, Yahoo, so Bing and Yahoo there, you know, maybe in some, in some cases they can, they can buy their way in because it’s not a complete, that’s true, a complete lockout. But whether that actually happens. Yeah, I’m, I’m not sure. I’m not sure that would, would necessarily happen. Right. So. Yeah.

Paul Spain:
So yeah. Really? Yeah, an interesting situation and I think a lot of those involved in the world of Google and Alphabet will be, will be very, very relieved. And I think also for, for Chrome fans, you know, it would have been quite, quite odd, although it would have been pros and cons, some, some benefits. Right.

Julian Wendt:
I mean Google has been really coming down on the types of extensions that you can use. So I mean the extension ecosystem for Firefox is now much broader than it is for Google Chrome. But at the same time there are lots of benefits to. It is the most popular browser and having a good strong development team who get fed and paid can only be a good thing.

Paul Spain:
Yeah, and I think, you know, the browser extension thing, there’s quite a sort of cyber security and data privacy sort of elements and some complexities there. So that in itself is an interesting topic to delve into. Now you had highlighted around a bit of a drama going on at the moment with the Salesloft Drift breach and yeah. Curious if you can maybe break it down for us.

Julian Wendt:
Sure thing. So Salesloft is one of those ubiquitous tools that nobody’s heard of before unless you happen to be in the marketing department for, for a large enterprise. So Salesloft is a software as a service tool which is used to enable marketing. So it’s often integrated with other tools like Salesforce. It is used by something like 5,000 of some of our largest software providers globally and they suffered a compromise of their GitHub actually early last month. And as part of that compromise a bunch of authentication tokens were stolen. Tokens are a little bit different to Passwords, they allow for direct integrations between two software pieces. What that means is they often tend to be valid for much longer.

Julian Wendt:
So once enabled and once being used, they can often be valid for years at a time. And if someone manages to steal them, you kind of end up having unfettered access in the same way that that integration would have. So lots of organisations that are well known in the tech sector were affected by this. We’ve got organisations like Cloudflare, Tenable, Nutanix, lots of others that are really well known who have all been impacted by this. They’ve had their customer data stolen out of their Salesforce instance. In some cases it includes not only support tickets but other secrets such as API tokens, passwords, that sort of thing, which maybe support people were working on with their customers. So this is something that will indirectly impact millions, if not hundreds of millions of people.

Paul Spain:
Yeah, pretty serious. Yeah. There’s a website up, isn’t there, driftbreach.com where it’s got the, the who’s who and yeah, probably a lot of listeners will be dealing with some of the firms that have been impacted. Yeah, the likes of Cloudflare, Zscaler, Palo Alto Networks, you know, PagerDuty, Tenable, Megaport and so on. So yeah, some pretty well known companies, especially in the cybersecurity space. Some really, really big names. So there’s some, always some learnings to take away from these sorts of scenarios and you know, I guess we will get more of that over time. You know, one of the aspects here is that drift, the driftbreach.com website shares the dates of some of these breaches and some of them, you know, are reasonably well spread out.

Paul Spain:
Shall we, you know, shall we say. So they’ve taken place over, you know, from the earlier ones to, you know, the most recent ones. You know, these can be, you know, three to four, three to four week period that these, these breaches have sort of taken place over. So when you look at that, you think there’s some lessons in here that could have, some steps that could have been taken to address these if all of the information was appropriately shared and you know, all of those involved were proactive. Now we know in reality these things are easier said than done, but I think there’ll be some pretty solid takeaways and some people, maybe there’ll be some lessons learned, I’d say hanging their heads afterwards and yeah, recognising that, hey, they’ve missed a few tricks there along the way.

Julian Wendt:
Absolutely. And I think the longer some organisations wait to disclose that they’ve had this problem, the more it’s going to impact their reputation. I mean, in a lot of cases here, it’s not Cloudflare, for example’s, fault that this breach occurred. And the same goes for these other organisations that have been impacted by the Salesloft Drift breach. But the longer they wait to disclose the fact that they were impacted, the more it’s going to affect their reputation.

Paul Spain:
Yeah, these things are tough. Also, there’s a reminder in here, you know, about, you know, supply chain issues, about really understanding the firms whose software that you, that you use. Right. And, you know, I’m sure you will have come across these sort of scenarios where, you know, somebody within an organisation says, just install this software now. And so the usual sort of checks and balances that, that should be put in place to look at and consider the appropriateness of a particular vendor and just whether they are the trustworthy organisation you would like them to be or not. And I’m not saying this was one where there were indicators upfront, because often there isn’t. But there is appropriate due diligence that needs to come into play, just as there is with organisations allowing access to browser extensions. Right.

Paul Spain:
In 2025, you don’t just say, yeah, you can install free for all, whatever you want anytime, because you don’t know what the impact might be of some of those sorts of things.

Julian Wendt:
Absolutely. And what this incident highlights is that even the big boys, even the big players will sometimes get that wrong. But something I am definitely seeing here in New Zealand is at the board level, this is something that’s being understood better and better. And we are seeing more boards care about things like a software bill of materials. They care about having third party risk assessments being done. In fact, in the financial service sector, we’re even starting to see a lot more fourth party risk assessments being done. So people at the board level are definitely starting to pay attention. They’re recognizing that this is a risk to the business.

Julian Wendt:
It’s not just an IT problem, but it is a business risk and it’s something that deserves their attention, which is really great to see.

Paul Spain:
Yeah. Yep. And yeah, it is, it is pleasing to see that we’ve moved along because I think from a board perspective. Yeah. Over, over the years, I think at times it’s been, it’s been, it’s been concerning the lack of, lack of attention. Now, you know, some of this comes down to what a government can do and governments can turn sort of, you know, certain knobs and, you know, if, you know, if Risks have maybe got a tie in with health and safety privacy to a degree, then you know those things, especially health and safety, you know, the legislation there has teeth. But when it’s come to cyber security and you know, to a reasonable degree data privacy, there hasn’t been too much. So there’s probably still more opportunity for us as a country to step that up.

Paul Spain:
But of course, any entity that’s doing, that’s operating on an international basis has to deal with laws of other countries like Australia, like EU and so on. And yeah, often there are some more hefty impacts from those other countries and regions.

Julian Wendt:
Absolutely, yeah. And to that point, as I often say to friends, cybersecurity is a marathon, it’s not a sprint. You will still be doing this in a couple of years time and you may never achieve the nirvana of having a secure state for your organisation. There will always be more things.

Paul Spain:
Oh, 100%. There’s no, there is no absolute perfection. Right. But I think, yeah, every organisation needs to be on that continuous improvement journey and every day stepping it up. Which brings us, and it’s very timely, brings us to delve into nWebbed and yeah, keen to hear a little bit more around what nWebbed are doing, where you’re at in your sort of startup journey. Cause I understand you do this, but you’ve got another job and so on. So there’s a lot that you and your team are juggling. But yeah, it’s always good to see a strong focus on cyber security within New Zealand and to see smart firms doing new things to help keep us safe.

Paul Spain:
So yeah, tell us a little bit more about the story.

Julian Wendt:
Sure thing. So nWebbed intelligence is a darknet monitoring platform and it was born out of frustration basically. So I’m involved in an organisation called Hackers Without Borders, a non profit organisation that assists other nonprofit organisations around the world with their cybersecurity posture. And there was an incident involving the Red Cross a few years ago and it was just incredibly frustrating for me because a lot of the breaches that are occurring there are preventable because we’ve got the likes of various threat actors who are publishing the fact that hey, I have these credentials for these organisations, they’ll even post them freely on the darknet. And only wealthy organisations, state actors, Fortune 500 companies, have access to really high grade darknet intelligence so that they can respond to those types of threats. Whereas the likes of the Red Cross, and let’s face it, most of the general market, they don’t have access to that. We have the likes of Have I Been Pwned. And I’m not knocking Have I Been Pwned. It’s an amazing tool, but it’s very much retrospective. It can tell you if your credentials were in a breach three, four years ago sort of thing. Whereas the high grade tools, they’ll alert you right away if something shows up on the darknet.

Julian Wendt:
And so it was incredibly frustrating for me to have access to these things, to see that this type of information was being posted, and yet most organisations in the world didn’t really have a means to access that intelligence.

Paul Spain:
Yep. So break down for those that aren’t familiar with what this sort of darknet monitoring looks like.

Julian Wendt:
Yeah, sure thing. So let’s start with what the Darknet is. The Darknet is an area of the Internet that is not accessible to regular Internet browsers. You need special software to access it. Google does not index it. So you can’t use a Google search to find things that are on the darknet. And interestingly, it was actually created, I believe it was by the United States Naval Intelligence to help with anonymized posting and communications around the world to get around oppressive regimes and things like that. However, by nature of how it was created, it required public support, which meant that lots of other people found that it could be used for nefarious purposes because it allows for anonymized use of the Internet and not just accessing the Internet in an anonymized fashion, but hosting services in an anonymized fashion.

Julian Wendt:
So with that capability, of course, grew an entire cybercrime ecosystem, and actually not just cybercrime, but crime in general, cyber enabled. And that has been growing for well over a decade now. There was, for example, a site called Silk Road, which you may have heard of some time ago, that’s getting a bit older now.

Paul Spain:
Yep.

Julian Wendt:
And lots of others followed suit. And that then matured into lots of cybercrime platforms where different criminals were able to share information and to collaborate basically in a way which I really wish the legitimate cybercrime fighting world would do more. So that’s the Darknet and Darknet monitoring is all about monitoring all of those cybercrime channels where information is being shared, where people like to post their exploits just for reputation, basically they want to show off how great they are. And so they will post if they’ve managed to compromise various systems or collect stolen passwords, if they’ve got stealer malware deployed, or if they’ve managed to compromise a website and steal all the user passwords, they will often publish that on their hidden Darknet forums as a reputational thing. So Darknet monitoring is all about having the same level of access that these cyber criminals have and leveraging that collaboration and using it against them by monitoring for it and alerting the people who are actually impacted by those communications.

Paul Spain:
Yeah, the Darknet name, I guess there’s some interesting aspects to it, isn’t there? There’s that it’s dark to sort of search engines that you can’t just Google it. And I guess there’s some darker aspects you could say to, you know, what can be found there. And I remember I’d be going back quite a, quite a few years ago, but I was asked to come on one of the radio stations and to, you know, do something. We did some sort of, and maybe they live streamed it, I can’t remember but we delved into, you know, via the Tor browser and into some of the marketplaces that were around at that time. And the, you know, the fact that yeah, there’s a lot of untoward things available.

Julian Wendt:
There certainly are. And it would have been then too. I don’t know if that was in the, the Silk Road days or I think it reloaded.

Paul Spain:
Yeah, it was probably, I’m guessing it was post Silk Road. Cuz that goes back a few years, doesn’t it? It does, it did. Am I remembering correctly that, that Trump.

Julian Wendt:
Released the, he pardoned Ross Ulbricht.

Paul Spain:
That’s right, yeah.

Julian Wendt:
Yes.

Paul Spain:
Yeah, yeah, so yeah, that was, that was an interesting one. I, I, I don’t, I don’t, that was, yeah, that would have been earlier on this year. I can’t remember what the full story was, whether he wasn’t well or whether there was a bit more, a bit more to it in terms of why he remember either. But yeah, there was a lot going on in January. So your offering is a service that you pay for sort of based on what, the number of people in your organisation sort of thing.

Julian Wendt:
Exactly right. It’s based on the number of users you have. So just as a high level example, you could do employee credential monitoring and that is charged on a per user basis. So that makes it really easily scalable whether you’re a 10 person organisation or a 10,000 person organisation. It’s equally accessible. And then we also have a product we call Portals which allows organisations to help protect their reputation against stolen customer credentials because that’s something they have no real control over, but it can impact their reputation.

Paul Spain:
Yeah, well that’s interesting because Trade Me have been in the media in recent weeks where, you know, folks have gone on to Trade Me. They’ve, you know, they’ve picked something that they want to buy from a. What are they? Verified user. Yeah, who’s got a very good, you know, reviews and ratings and they’ve bought something, sent their money off and then maybe they’re not having much luck so they get hold of Trade Me and Trade Me like oh no, no, no, don’t send money to them. And it’s already too late at that point. Now possibly Trade Me already have this type of solution in place and it hasn’t got to them quite fast enough. But in a scenario where they were using this sort of tech and they got the information quick enough, this is the sort of thing that would allow them maybe to shut off an account once they become aware that credentials maybe have been breached.

Julian Wendt:
Exactly right. And the platform is designed to enable developers to integrate that directly. So it doesn’t need to be a manual process. It can kick off an automated process that re secures the account and keeps their service secure.

Paul Spain:
Now I guess the, the, the other aspect to, to these sorts of things like when I, when I was reading around, you know, Trade Me’s scenario, part of, part of the challenge for, for Trade Me that’s come at them is well, why aren’t you, you know, forcing everyone to have multi factor authentication that would, you know, take a little bit of an edge off this, this scenario. And they say well you know, that’s optional, that’s up to our users. But because they’re not enforcing it, that creates a scenario where now their reputation has been tarnished because they, you know, they don’t know or don’t know quick enough around account breaches and they’re not, you know, insisting on multi factor authentication. Whereas if you say, you look at, you know, in, in New Zealand, you know, who, who you know, I think have, have probably been, you know, leading the way in some areas in terms of how, how they’re, you know, how they’re handling authentication, you know, you’ve got a, yeah, you’ve got a different scenario. Not, not that in New Zealand probably been perfect themselves. They’ve had, they’ve had their own challenges. But the fact that they adopted, you know, passkeys, you know, I think probably ahead of, you know, just about anybody of scale within the New Zealand market has sort of led the way. But of course it’s not quite that simple, is it? Because a breach doesn’t necessarily have to give away credentials for somebody to be able to get into an account.

Julian Wendt:
Exactly. So, three things to unpack here. First of all, for Trade Me, I understand why they haven’t enforced MFA. I mean, I work with a number of financial services organisations. These people manage millions if not billions of dollars, but millions of dollars for individual people. And they can’t get those people to use MFA. I mean, these people are literally prepared to take their millions of dollars and give them to someone else if they’re going to enforce MFA. So there’s a lot of resistance from the public.

Julian Wendt:
That said, I don’t think anyone’s ever told me about receiving an email from Trade Me recommending MFA. So they probably could be doing a lot more there, let’s face it. But to your point about that’s not necessarily the silver bullet. What we’re seeing a lot of on the Darknet, and it’s a growing trend, is it’s not just the passwords that are being stolen and then published. We’re also seeing something called session tokens or cookies. And that is so much more dangerous because if someone steals your session token, and that can be done through stealer malware and malicious browser extensions, if someone steals that, they can get straight into your account, they don’t need a password, they can bypass MFA. So you can have MFA enabled, you can have a passkey and MFA phishing resistant MFA as Microsoft likes to call it, and they can still get into your account. So it is not a silver bullet.

Julian Wendt:
And it’s important that people understand MFA is not a silver bullet. But in terms of low hanging fruit and things you can do to improve your overall security, MFA really is a great one.

Paul Spain:
Yeah. I would hope our listeners, because we’ve talked about this, these sorts of topics many times over a very long period of time are in a good state. But look, maybe you’ve got some accounts that you think are less important or what have you, but usually if you’ve got a log into something, it’s something that you probably want to have ownership of. If you’re like me, you might not use it at something like Trade Me very often in 2025. Right. Too busy. Whatever it is, you know, some people have gone to Facebook Marketplace and you know, there’s all sorts of reasons why not, but. Yeah, but does it have your credit.

Julian Wendt:
Card details stored in it?

Paul Spain:
Yep. Well, these are the important considerations. Right. So just, you know, take this as a reminder. And of course we’ve got, you know, listeners that are across large organisations, government and so on. You know, let’s keep sort of nudging these things forward through education of Our teams and, you know, even if it’s just your family members. Right. Be doing what you can to encourage good habits amongst family members.

Paul Spain:
You know, we’ve all got a part to play in reducing these risks. And some of it is with innovative tools that can, you know, scan what’s going on on the dark web. Some of it’s just the mundane, you know, keeping ourselves in a good, best practice state by staying on top of our passwords 100%.

Julian Wendt:
We all have that responsibility. And I really like the point you made. It’s not just for ourselves, but for our friends and family as well. Our listeners here, they’re probably going to be the tech savvy in the family. So look after your family, look after your friends.

Paul Spain:
Yeah, it’s really a conversation we shouldn’t still be having in 2025, but we still keep seeing different. And so, yeah, we’ve all got a part to play. And look, if you’re in an organisation where you can make a difference, Trade Me, then look, you know, see what you can do to nudge things along a little bit. And look, you know, the Trade Me example, you know, we’re kind of calling them out because, you know, they have had some attention recently. But, you know, this particular scenario that they’ve had whereby there’s I think, three parties involved in these transactions, it’s a somewhat unusual scenario that we’re seeing and we probably. Well, we could run through it quickly. You familiar with what’s happened with Trade Me? So I think you’ve basically had a scenario where some goods get listed or an item gets listed on, on Trade Me by an account that’s been compromised and taken over. The cybercriminal involved then fires up another, another transaction which is around, I think, converting cash into crypto.

Paul Spain:
And so a payment gets made by the Trade Me buyer. It doesn’t. It basically goes to account that’s been nominated for someone who as soon as they receive funds, are going to convert it into crypto. And that’s kind of how it happens. So you’ve got somebody who could be anywhere in the world who basically, what they receive as the cryptocurrency they’ve done a transaction with, someone is expecting X amount of money, maybe it’s $1,000, thousand dollars comes into their account. So they hand on, you know, that value in crypto. Now there is an element here where those receiving them would probably, in what comes through into their bank account, it might well say Trade Me or some details of the trade you would expect that would hold some of these transactions up and maybe it will do now that this one has received some publicity. But yeah, there’s a few lessons in there anyway, for all of us to be cautious, whether it’s those holding crypto and wanting to get involved in selling some or wherever you sit, certainly shows.

Julian Wendt:
The ongoing ingenuity of cybercriminals. They will always try new methods and sort of integrating Trade Me with what they call the money mule side of it as well. That’s quite new. That’s not something we’ve seen a lot of in the past. So we can see that they’re constantly learning, constantly adapting, and we need to do the same. And when I say we. Yes, I mean Trade Me as well.

Paul Spain:
All of us. All of us, yeah, yeah, yep. Now, one thing that came up in terms of, I guess, collating and scanning the dark web, is what are the ethical sort of concerns there? If you’re sort of sweeping up and collecting a lot of data from an untoward, you know, from untoward sort of locations, you know, you potentially could be coming across data that you shouldn’t have your hands on. Right, absolutely. And maybe reasonably, reasonably large chunks on it there. So, yeah, how do you, how do you deal with that in an appropriate sort of. An appropriate sort of way for, you know, for, for instance, you know, probably a situation we come back to, you know, time and time again because, you know, everyone in the country knows about it was, you know, when the Waikato District Health Board, you know, they, they were under attack, you know, a chunk of patient data ended up there on the dark web. Right.

Paul Spain:
So, yeah, there’s the potential of scraping up information that really, you probably don’t want to have to deal with. But yeah, you’ve also got to go through and sort of filter through the information that’s out there in order to get the gold and the useful information that’s going to. Going to help people. So how do you deal with that?

Julian Wendt:
When it comes to the ethics of darknet scanning, I tend to divvy that up into three different groups. You’ve got those who are doing it ethically. So organisations like nWebbed, where you leverage automation heavily, so you don’t want people looking at that stuff manually. Ideally, you want to leverage automation and machine learning and AI.

Paul Spain:
Because we can trust the bots, right?

Julian Wendt:
Well, we can trust the bots not to go, oh, that’s just too juicy for me to ignore. I’m going to have to tell my friends about that. I’m going to have to tell my family about that. So we can trust it in that regard? Absolutely.

Paul Spain:
It’s a good example actually to highlight why these things are important.

Julian Wendt:
So they definitely help us out there. It’s also really important to have the right security controls in place. So nWebbed and a number of other organisations as well, we will only release information to an organisation after they’ve proven that they own it. So there are lots of security controls in place to prove that. And we’re not alone in that. That is how the ethical organisations conduct themselves. Then if we sort of slide down the hill a little bit to what I’d call morally dubious and ethically grey, there are organisations who, they’re not scanning the darknet for malicious purposes specifically, but they’re pulling everything in and they will sell it to anyone. So they don’t do that due diligence.

Julian Wendt:
They don’t protect that data in the way that they should with the care that they should given. A lot of this is pii, personally identifiable information, healthcare data, financial data, and just incredibly private data a lot of the time. So they don’t care about that fact and they will sell it to anyone. They don’t have malicious intent, but they’re not doing it to help protect anyone either. They’re not doing the research to look at the trends so that they can tell us how to better protect ourselves, anything like that. It really is just suck it all up and sell it for a dollar if they can. And then finally, right at the bottom of the hill, you’ve got those who are actually doing this for malicious purposes. And these are the cyber criminals and people who maybe even just started out curious and ended up not being able to resist and going, is that really that person’s account? I’m going to tell my friends about that.

Julian Wendt:
I’m going to test that. I’m going to see if those credentials are valid. So they maybe didn’t start out malicious, but they certainly ended up there.

Paul Spain:
Yeah, yeah. So within New Zealand, we obviously have the, you know, the privacy or Privacy Commissioner. What, what do you have to do in terms of sort of, you know, reporting when you come across, you know, different information? What, what are you, what are, you know, what, what are you compelled to actually do in terms of reporting in that direction?

Julian Wendt:
Because we don’t look at any of the information. We follow all the standard security controls around encryption and basically we have alerting and reporting if anyone from our team accesses that information.

Paul Spain:
Gotcha. Yeah, yeah. So you’re not having to report to them on a daily basis of all the things you’ve stumbled upon before. No.

Julian Wendt:
Although we do try to maintain a good relationship.

Paul Spain:
Yeah. Because I can. Yeah, I can imagine some of. Sometimes the legislation can get a bit complicated in some areas and yeah, we won’t delve into what the EU or other markets sort of might require on these sorts of things, but I imagine it actually starts making some of this work quite challenging as well in terms of those requirements does.

Julian Wendt:
And again, this is where the automation side of it really comes into play.

Paul Spain:
Yeah. Yeah. Oh, that’s great. So for folks who are, who are interested in maybe finding out a little bit more, you know, maybe they fall into the camp of working in an organisation that could use your technology. Where do they, where do they go to find out a little bit more?

Julian Wendt:
They’re welcome to reach out to us. Contact details are available and there’s a contact form available on our website, nWebbed.com that is nWebbed, starting with an N not with an E. Excellent.

Paul Spain:
That’s good stuff. Well, it’s been great to have you on the show. Thank you, Julian.

Julian Wendt:
Thank you for having me. It’s been a real pleasure.

Paul Spain:
Lots packed in there, so, yeah, really, really appreciate it. Thanks everyone for listening in and of course a big thank you to our show partners, Gorilla Technology, HP, Spark, 2degrees, One NZ and Workday. Now, of course, if you’ve been listening in to the audio podcast, do make sure you, you’re following us on, on the likes of YouTube so you get access to the videos. You can follow myself, Paul Spain on LinkedIn as well for our, our live streams. And yeah, if you’ve been watching the video then you know, of course look out for, for the audio through your favorite podcast app or audio app such as sort of Spotify, YouTube Music, Apple Podcasts and so on. All right, thanks everyone. We’ll catch you on the next episode. See ya.