Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266

If one site is hacked, you can just unleash all hell. We have stumbled into this new era of mutually assured digital destruction. How far are people willing to go? You can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on someone without them knowing. You could sell that to a zero day broker for $2 million.

The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me The World Ends: The Cyberweapons Arms Race. This is the Lex Fridman podcast. To support it, please check out our sponsors in the description. And now, dear friends, here's Nicole Perlroth.
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists, government officials, forensic investigators,
So let's talk about cybersecurity and cyber war. Start with the basics. What is a zero day vulnerability? And then a zero day exploit or attack?

So at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS software that no one else knows about, especially Apple. That's called a zero day because the minute it's discovered, engineers have had zero days to fix it. If I can study that zero day, I could potentially write a program to exploit it. And that program would be called a zero day exploit. And for iOS, the dream is that you craft a zero day exploit that can remotely exploit someone else's iPhone without them ever knowing about it. And you can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on someone without them knowing. And you can see why that capability, that zero day exploit, would have immense value for a spy agency or a government that wants to monitor its critics or dissidents. And so there's a very lucrative market now for zero day exploits.
So you said a few things there. One is iOS. Why iOS? Which operating system, which one is the sexier thing to try to get to, or the most impactful thing? And the other thing you mentioned is remote versus, like, having to actually come in physical contact with it. Is that the distinction?

So iPhone exploits have just been a government's number one priority. Recently, actually, the price of an Android remote zero day exploit, something that can get you into Android phones, is actually higher. The value of that is now higher on this underground market for zero day exploits than an iPhone iOS exploit. So things are changing.

So there's probably more Android devices, so that's why it's better. But then the iPhone side, so I'm an Android person, because I'm a man of the people. But it seems like all the elites use iPhone, all the people at nice dinner parties. So is that the reason, that the more powerful people use iPhones, is that why?

I actually, so it was about two years ago that the prices flipped. It used to be that if you could craft a remote zero click exploit for iOS, then that was about as good as it gets. You could sell that to a zero day broker for $2 million. The caveat is you can never tell anyone about it, because the minute you tell someone about it, Apple learns about it, they patch it, and that $2.5 million investment that that zero day broker just made goes to dust. So a couple of years ago, and don't quote me on the prices, but an Android zero click remote exploit for the first time topped the iOS. And actually a lot of people's read on that was that it might be a sign that Apple security was falling, and that it might actually be easier to find an iOS zero day exploit than find an Android zero day exploit. The other thing is market share. There are just more people around the world that use Android. And a lot of governments that are paying top dollar for zero day exploits these days are deep pocketed governments in the Gulf that wanna use these exploits to monitor their own citizens, monitor their critics. And so it's not necessarily that they're trying to find elites, it's that they wanna find out who these people are that are criticizing them or perhaps planning the next Arab Spring.
So in your experience, are most of these attacks targeted to cover a large population, or are there attacks that are targeted towards specific individuals?

So I think it's both. Some of the zero day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted. There was a potential terrorist attack. They wanted to get into this person's phone. It had to be done in the next 24 hours. They approached hackers and said, we'll pay you X millions of dollars if you can do this. But then you look at, when we've discovered iOS zero day exploits in the wild, some of them have been targeting large populations. So a couple of years ago, there was a watering hole attack.

Okay, what's a watering hole attack?

There's a website, it actually had information aimed at Uyghurs and you could access it all over the world. And if you visited this website, it would drop an iOS zero day exploit onto your phone. And so anyone that visited this website that was about Uyghurs anywhere, I mean, Uyghurs, Uyghurs living abroad, basically the Uyghur diaspora, would have gotten infected with this zero day exploit. So in that case, they were targeting huge swaths of this one population or people interested in this one population, basically in real time.
So who are these attackers? From the individual level to the group level, psychologically speaking, what's their motivation? Is it purely money? Is it the challenge? Are they malevolent? These are big philosophical human questions, I guess.

So these are the questions I set out to answer for my book. I wanted to know, are these people that are just after money? If they're just after money, how do they sleep at night, not knowing whether that zero day exploit they just sold to a broker is being used to basically make someone's life a living hell? And what I found was there's kind of this long sordid history. It started out in the 80s and 90s when hackers were just finding holes and bugs in software for curiosity's sake, really as a hobby. And some of them would go to the tech companies like Microsoft or Sun Microsystems at the time or Oracle. And they'd say, hey, I just found this zero day in your software and I can use it to break into NASA. And the general response at the time wasn't, thank you so much for pointing out this flaw in our software, we'll get it fixed as soon as possible. It was, don't ever poke around our software ever again or we'll stick our general counsel on you. And that was really sort of the common thread for years. And so hackers who set out to do the right thing were basically told to shut up and stop doing what you're doing. And what happened next was they basically started trading this information online. Now, when you go back and interview people from those early days, they all tell a very similar story, which is they're curious, they're tinkerers. They remind me of, like, the kid down the block that was constantly poking around the hood of his dad's car. They just couldn't help themselves. They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose. It doesn't have to be good or bad. But they were basically kind of beat down for so long by these big tech companies that they started just silently trading them with other hackers. And that's how you got these really heated debates in the 90s about disclosure. Should you just dump these things online, because any script kiddie can pick them up and use it for all kinds of mischief? But don't you wanna just stick a middle finger to all these companies that are basically threatening you all the time? So there was this really interesting dynamic at play. And what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment. And they started quietly reaching out to hackers. And they said, hey, you know that zero day you just dropped online, could you come up with something custom for me? And I'll pay you six figures for it so long as you shut up and never tell anyone that I paid you for this. And that's what happened. So throughout the 90s, there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, hey, I'll pay you six figures for that bug you were trying to get Microsoft
And sort of so began or so catalyzed this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free. And in those early days, I think a lot of it was just for quiet counterintelligence, traditional espionage. But as we started baking the software, Windows software, Schneider Electric, Siemens industrial software into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero days came to be just as valuable for sabotage and war planning.
Does the fact that the market sprung up and you can now make a lot of money change the nature of the attackers that came to the table, or grow the number of attackers? I mean, what is, I guess, you told the psychology of the hackers in the 90s, what is the culture today and where is it heading?

So I think there are people who will tell you they would never sell a zero day to a zero day broker or a government. One, because they don't know how it's gonna get used when they throw it over the fence. Most of these get rolled into classified programs and you don't know how they get used. If you sell it to a zero day broker, you don't even know which nation state might use it, or potentially which criminal group might use it if you sell it on the dark web. The other thing that they say is that they wanna be able to sleep at night. And they lose a lot of sleep if they found out their zero day was being used to make a dissident's life a living hell. But there are a lot of people, good people, who also say, no, this is not my problem. This is the technology company's problem. If they weren't writing new bugs into their software every day, then there wouldn't be a market. Then there wouldn't be a problem. But they continue to write bugs into their software all the time and they continue to profit off that software. So why shouldn't I profit off my labor too? And one of the things that has happened, which is I think a positive development over the last 10 years, are bug bounty programs. Companies like Google and Facebook and then Microsoft and finally Apple, which resisted it for a really long time, have said, okay, we are gonna shift our perspective. We're no longer going to treat them as the enemy here. We're going to start paying them for what is essentially free quality assurance. And we're gonna pay them good money in some cases, six figures in some cases. We're never gonna be able to bid against a zero day broker who sells to government agencies. But we can reward them and hopefully get to that bug earlier, where we can neutralize it so that they don't have to spend another year developing the zero day exploit. And in that way, we can keep our software more secure. But every week I get messages from some hacker that says, you know, I tried to see this zero day exploit that was just found in the wild, being used by this nation state. I tried to tell Microsoft about this two years ago and they were gonna pay me peanuts, so it never got fixed. There are all sorts of those stories that can continue on. And I think just generally, hackers are not very good at diplomacy. They tend to be a pretty snipey, technical crowd. And very philosophical, in my experience. But diplomacy is not their strong suit.

Oh, there almost has to be a broker between companies and hackers that can translate effectively, just like you have a zero day broker between governments and hackers. You have to speak their language.

Yeah, and there have been some of those companies who've risen up to meet that demand. And HackerOne is one of them. Bugcrowd is another. Synack has an interesting model, so that's a company that you pay for a private bug bounty program, essentially. So you pay this company, they tap hackers all over the world to come hack your software, hack your system. And then they'll quietly tell you what they found. And I think that's a really positive development. And actually, the Department of Defense hired all three of those companies I just mentioned to help secure their systems. Now I think they're still a little timid in terms of letting those hackers into the really sensitive, high side classified stuff. But you know, baby steps.
Just to understand what you were saying, you think it's impossible for companies to financially compete with the zero day brokers,
So, like, the defense can't outpay the hackers?

It's interesting, they shouldn't outpay them. Because what would happen if they started offering $2.5 million at Apple for any zero day exploit that governments would pay that much for, is their own engineers would say, why the hell am I working for less than that and doing my nine to five every day? So you would create a perverse incentive. And I didn't think about that until I started this research and I realized, okay, yeah, that makes sense. You don't want to incentivize offense so much that it's to your own detriment. And so I think what they have though, what the companies have on government agencies, is if they pay you, you get to talk about it. You know, you get the street cred. You get to brag about the fact you just found that $2.5 million, you know, iOS zero day that no one else did. And if you sell it to a broker, you never get to talk about it. And I think that really does eat at people.
Can I ask you a big philosophical question about human nature here? So if you have, I mean, what you've seen, if a human being has a zero day, they found a zero day vulnerability that can hack into, I don't know, what's the worst thing you can hack into? Something that could launch nuclear weapons. Which percentage of the people in the world that have the skill would not share that with anyone, with any bad party? I guess how many people are completely devoid of ethical concerns, in your sense? So my belief is all the ultra competent people, or a very, very high percentage of ultra competent people, are also ethical people. That's been my experience. But then again, my experience is narrow. What's your experience been like?

So this was another question I wanted to answer. Who are these people who would sell a zero day exploit that would neutralize a Schneider Electric safety lock at a petrochemical plant? Basically the last thing you would need to neutralize before you trigger some kind of explosion. Who would sell that? And I got my answer, well, the answer was different. A lot of people said, I would never even look there because I don't even wanna know. I don't even wanna have that capability. I don't even wanna have to make that decision about whether I'm gonna profit off of that knowledge. I went down to Argentina and this whole kind of moral calculus I had in my head was completely flipped around. So just to back up for a moment. So Argentina actually is a real hacker's paradise. People grew up in Argentina and I went down there, I guess I was there around 2015, 2016, but you still couldn't get an iPhone. They didn't have Amazon Prime. You couldn't get access to any of the apps we all take for granted. To get those things in Argentina as a kid, you have to find a way to hack them. And the whole culture is really like a hacker culture. They say it's really like a MacGyver culture. You have to figure out how to break into something with wire and tape. And that means that there are a lot of really good hackers in Argentina who specialize in developing zero day exploits. And I went down to this Argentina conference called Ekoparty. And I asked the organizer, okay, can you introduce me to someone who's selling zero day exploits to governments? And he was like, just throw a stone. Throw a stone anywhere and you're gonna hit someone. And all over this conference, you saw these guys who were clearly from these Gulf States who only spoke Arabic. What are they doing at a young hacking conference? And so I went out to lunch with kind of this godfather of the hacking scene there. And I asked this really dumb question and I'm still embarrassed about how I phrased it. But I said, so will these guys only sell these zero day exploits to good Western governments? And he said, Nicole, last time I checked, the United States wasn't a good Western government. The last country that bombed another country into oblivion wasn't China or Iran, it was the United States. So if we're gonna go by your whole moral calculus, just know that we have a very different calculus down here and we'd actually rather sell to Iran or Russia or China maybe than the United States. And that just blew me away. Like, wow, he's like, we'll just sell to whoever brings us the biggest bag of cash. Have you checked into our inflation situation recently? So I had some of those, like, reality checks along the way. We tend to think of things as, is this moral, is this ethical, especially as journalists. And we kind of sit on our high horse sometimes and write about a lot of things that seem to push the moral bounds. But in this market, which is essentially an underground market, the one rule is like fight club. No one talks about fight club. First rule of the zero day market, nobody talks about the zero day market, on both sides, because the hacker doesn't wanna lose their $2.5 million bounty. And governments roll these into classified programs and they don't want anyone to know what they have. So no one talks about this thing. And when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
Can I, as a small tangent, ask you, by way of advice, you must have done some incredible interviews. And you've also spoken about how seriously you take protecting your sources. If you were to give me advice for interviewing when you're recording on mic with a video camera, how is it possible to get into this world? Like, is it basically impossible? So you've spoken with a few people, what is it, like the godfather of cyber war, cyber security? So people that are already out. And they still have to be pretty brave to speak publicly. But is it virtually impossible to really talk to anybody who is a current hacker? Are you always, like, 10, 20 years behind?

It's a good question. And this is why I'm a print journalist. But when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered. When they've gotten someone on camera, that's usually how they do it. Very, very few people talk in this space. And there's actually a pretty well known case study in why you don't talk publicly in this space and you don't get photographed. And that's the Grugq. So the Grugq is, or was, this zero day broker, South African guy, lives in Thailand. And right when I was starting on this subject at the New York Times, he'd given an interview to Forbes. And he talked about being a zero day broker. And he even posed next to this giant duffel bag filled with cash, ostensibly. And later he would say he was speaking off the record. He didn't understand the rules of the game. But what I heard from people who did business with him was that the minute that that story came out, no one did business with him. His business plummeted by at least half. No one wants to do business with anyone who's going to get on camera and talk about how they're selling zero days to governments. It puts you in danger. And I did hear that he got some visits from some security folks. And that's another thing for these people to consider. If they have those zero day exploits at their disposal, they become a huge target for nation states all over the world. Talk about having perfect opsec. You better have some perfect opsec if people know that you have access to those zero day

Which sucks because, I mean, transparency here would be really powerful for educating the world and also inspiring other engineers to do good. It just feels like when you operate in the shadows, it doesn't help us move in the positive direction in terms of getting more people on the defense side versus on the attack side. But of course, what can you do? I mean, the best you can possibly do is have great journalists, just like you did, interview and write books about it, and integrate the information you get while hiding the sources.

Yeah, and I think what HackerOne has told me was, OK, let's just put away the people that are finding and developing zero day exploits all day long. Let's put that aside. What about however many millions of programmers all over the world who've never even heard of a zero day? Why not tap into them and say, hey, we'll start paying you if you can find a bug in United Airlines software or in Schneider Electric or in Ford or Tesla? And I think that is a really smart approach. Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them.
OK, I have to ask you about this. From a personal side, it's funny enough, after we agreed to talk, for the first time in my life, I was a victim of a cyber attack. So this is ransomware. It's called Deadbolt. People can look it up. I have a QNAP device for basically kind of coldish storage. So it's about 60 terabytes with 50 terabytes of data on it. And apparently, about 4,000 to 5,000 QNAP devices were hacked and taken over with this ransomware. And what ransomware does there is it goes file by file, almost all the files on the QNAP storage device, and encrypts them. And then there's this very eloquently and politely written page that pops up, describes what happened. All your files have been encrypted. This includes but is not limited to photos, documents,
This is, a lot of people commented about how friendly and eloquent this is. And I have to commend them. It is, and it's pretty user friendly. This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor, QNAP. You can make a payment of exactly 0.03 Bitcoin, which is about $1,000, to the following address. Once the payment has been made, we'll follow up with a transaction to the same address,
They give you instructions of what happens next, and they'll give you a decryption key that you can then use. And then there's another message for QNAP that says, all your affected customers have been targeted using a zero day vulnerability in your product. We offer you two options to mitigate this and future damage. One, make a Bitcoin payment of 5 Bitcoin to the following address, and that will reveal to QNAP the, I'm summarizing things here, what the actual vulnerability is. Or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers. 50 Bitcoin is about $1.8 million. So first of all, on a personal level, this one hurt for me. There's, I mean, I learned a lot because I wasn't, for the most part, backing up much of that data because I thought I can afford to lose that data. It's not horrible. I mean, I think you've spoken about the crown jewels, like making sure there's things you really protect. And I have, you know, I'm very conscious, security wise, on the crown jewels. But there's a bunch of stuff, like, you know, personal videos that are not, like, I don't have anything creepy, but just, like, fun things I did that because they're very large or 4K or something like that, I kept them on there, thinking RAID 5 will protect it. You know, just I lost a bunch of stuff, including raw footage from interviews and all that kind of stuff. And I'm sure there's a lot of painful stuff like that for the 4,000 to 5,000 people that use QNAP. And there's a lot of interesting ethical questions here. Does QNAP pay them? Do the individuals pay them, especially when you don't know if it's going to work or not? So QNAP said that, please don't pay them. We're working very hard day and night to solve this.
It's so philosophically interesting to me because I also project onto them thinking, what is their motivation? Because the way they phrased it, on purpose, perhaps, but I'm not sure if that actually reflects their real motivation, is maybe they're trying to help themselves sleep at night, basically saying, this is not about you. This is about the company with the vulnerabilities. Just like you mentioned, this is the justification they have. But they're hurting real people.

But I'm sure there's a few others that are really hurt. And the zero day factor is a big one. There, QNAP right now is trying to figure out what the hell is wrong with their system that would let this in. And even if they pay, if they still don't know where the zero day is, what's to say that they won't just hit them again and hit you again? So that really complicates things. And that is a huge advancement for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit zero days to pull these off. Usually, 80% of them, I think the data shows 80% of them come down to a lack of two factor authentication. So when someone gets hit by a ransomware attack, they don't have two factor authentication on. Their employees were using stupid passwords. You can mitigate that in the future. This one, they don't know. They probably don't know.

And I guess it's zero click because I didn't have to do anything. The only thing, well, here's the thing. I did the basics: I put it behind a firewall. I followed instructions. But I didn't really pay attention. So maybe there's a misconfiguration of some sort that's easy to make. It's difficult. We have a personal NAS. So I'm not willing to say that I did everything I possibly could. But I did a lot of reasonable stuff. And they still hit it with zero clicks. I didn't have to do anything.

Yeah, well, it's like a zero day. And it's a supply chain attack. You're getting hit from your supplier. You're getting hit because of your vendor. And it's also a new thing for ransomware groups to go to the individuals to pressure them to pay. There was this really interesting case. I think it was in Norway where there was a mental health clinic that got hit. And the cybercriminals were going to the patients themselves to say, pay this, or we're going to release your psychiatric records. I mean, talk about hell. In terms of whether to pay, that is on the cheaper end of the spectrum.

From the individual or from the company?

We've seen, for instance, there was an Apple supplier in Taiwan. And the ransom demand was $50 million.

I'm surprised it's only $1.8 million.

I'm sure it's going to go up. There's obviously governments, and maybe in this case, the company, are going to tell you, we recommend you don't pay or please don't pay. But the reality on the ground is that some businesses
Some countries can't function. I mean, the underreported storyline of Colonial Pipeline was after the company got hit and took the preemptive step of shutting down the pipeline because their billing systems were frozen, they couldn't charge customers downstream. My colleague David Sanger and I got our hands on a classified assessment that said that as a country, we could have only afforded two to three more days of Colonial Pipeline being down. And it was really interesting. I thought it was the gas and the jet fuel, but it wasn't. We were sort of prepared for that. It was the diesel. Without the diesel, the refineries couldn't function, and it would have totally screwed up the economy. And so there was almost this national security economic impetus for them to pay this ransom. And the other one I always think about is Baltimore. When the city of Baltimore got hit, I think the initial ransom demand was something around $76,000. It may have even started smaller than that. And Baltimore stood its ground and didn't pay. But ultimately, the cost to remediate was $18 million. That's a lot for the city of Baltimore. That's money that could have gone to public school education and roads and public health. And instead, it just went to rebuilding these systems. And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000? So it's not obvious. It's easy to say, don't pay. You're funding their R&D for the next go round. But it's too often, it's too complicated.

So on the individual level, just like the way I feel personally from this attack, have you talked to people that were kind of victims in the same way I was, but maybe more dramatic ways or so on, in the same way that violence hurts people?
link |
How much does this hurt people in your sense
link |
and the way you researched it?
link |
The worst ransomware attack I've covered on a personal level
link |
was an attack on a hospital in Vermont.
link |
And you think of this as like, OK,
link |
it's hitting their IT networks.
link |
They should still be able to treat patients.
link |
But it turns out that cancer patients
link |
couldn't get their chemo anymore.
link |
Because the protocol of who gets what is very complicated.
link |
And without it, nurses and doctors couldn't access it.
link |
So they were turning chemo patients away,
link |
cancer patients away.
link |
One nurse told us, I don't know why people
link |
aren't screaming about this, that the only thing I've
link |
seen that even compares to what we're
link |
seeing at this hospital right now
link |
was when I worked in the burn unit
link |
after the Boston Marathon bombing.
link |
They really put it in these super dramatic terms.
link |
And last year there was a report in the Wall Street Journal
link |
where they attributed an infant death to a ransomware attack
link |
because a mom came in and whatever device
link |
they were using to monitor the fetus
link |
wasn't working because of the ransomware attack.
link |
And so they attributed this infant death
link |
to the ransomware attack.
link |
Now on a bigger scale but less personal,
link |
when there was the NotPetya attack.
link |
So this was an attack by Russia on Ukraine
link |
that came at them through a supplier, a tax software
link |
company in that case, that didn't just
link |
hit any government agency or business in Ukraine
link |
that used this tax software.
link |
It actually hit any business all over the world that
link |
had even a single employee working remotely in Ukraine.
link |
So it hit Maersk, the shipping company, hit Pfizer,
link |
hit FedEx, but the one I will never forget is Merck.
link |
It paralyzed Merck's factories.
link |
I mean, it really created an existential crisis
link |
Merck had to tap into the CDC's emergency supplies
link |
of the Gardasil vaccine that year
link |
because their whole vaccine production line had been
link |
paralyzed in that attack.
link |
Imagine if that was going to happen right now
link |
to Pfizer or Moderna or Johnson and Johnson.
link |
I mean, that would really create a global cyber terrorist
link |
attack, essentially.
link |
And that's almost unintentional.
link |
I thought for a long time, I always
link |
labeled it as collateral damage.
link |
But actually, just today, there was a really impressive threat
link |
researcher at Cisco, which has this threat intelligence
link |
division called Talos, who said, stop calling it
link |
collateral damage.
link |
They could see who was going to get hit before they
link |
deployed that malware.
link |
It wasn't collateral damage.
link |
It was intentional.
link |
They meant to hit any business that did business with Ukraine.
link |
It was to send a message to them, too.
link |
So I don't know if that's accurate.
link |
I always thought of it as sort of the sloppy collateral
link |
damage, but it definitely made me think.
link |
So how much of this between states
link |
is going to be a part of war, these kinds of attacks
link |
on Ukraine between Russia and US, Russia and China,
link |
Let's look at China and US.
link |
Do you think China and US are going
link |
to escalate something that would be called a war purely
link |
in the space of cyber?
link |
I believe any geopolitical conflict from now on
link |
is guaranteed to have some cyber element to it.
link |
The Department of Justice recently
link |
declassified a report that said China has been hacking
link |
into our pipelines, and it's not for intellectual property
link |
It's to get a foothold so that if things escalate in Taiwan,
link |
for example, they are where they need
link |
to be to shut our pipelines down.
link |
And we just got a little glimpse of what
link |
that looked like with Colonial Pipeline and the panic buying
link |
and the jet fuel shortages and that assessment I just
link |
mentioned about the diesel.
link |
They've gotten there.
link |
Anytime I read a report about new aggression from fighter
link |
jets, Chinese fighter jets in Taiwan,
link |
or what's happening right now with Russia's buildup
link |
on the Ukraine border, or India, Pakistan,
link |
I'm always looking at it through a cyber lens.
link |
And it really bothers me that other people aren't,
link |
because there is no way that these governments
link |
and these nation states are not going
link |
to use their access to gain some advantage in those conflicts.
link |
And I'm now in a position where I'm
link |
an advisor to the Cybersecurity Infrastructure Security
link |
So I'm not saying anything classified here.
link |
But I just think that it's really important
link |
to understand just generally what the collateral damage
link |
could be for American businesses and critical infrastructure
link |
in any of these escalated conflicts around the world.
link |
Because just generally, our adversaries
link |
have learned that they might never
link |
be able to match us in terms of our traditional military
link |
spending on traditional weapons and fighter jets.
link |
But we have a very soft underbelly
link |
when it comes to cyber.
link |
80% or more of America's critical infrastructure,
link |
so pipelines, power grid, nuclear plants, water systems,
link |
is owned and operated by the private sector.
link |
And for the most part, there is nothing out there legislating
link |
that those companies share the fact they've been breached.
link |
They don't even have to tell the government they've been hit.
link |
There's nothing mandating that they even
link |
meet a bare minimum standard of cybersecurity.
link |
So even when there are these attacks, most of the time,
link |
we don't even know about it.
link |
So that is, if you were going to design a system
link |
to be as blind and vulnerable as possible,
link |
that's pretty good.
link |
That's what it looks like is what we have here
link |
in the United States.
link |
And everyone here is just operating like,
link |
let's just keep hooking up everything for convenience.
link |
Software eats the world.
link |
Let's just keep going for cost, for convenience sake,
link |
just because we can.
link |
And when you study these issues and you study these attacks
link |
and you study the advancement and the uptick in frequency
link |
and the lower barrier to entry that we see every single year,
link |
you realize just how dumb software eats world is.
link |
And no one has ever stopped to pause and think,
link |
should we be hooking up these systems to the internet?
link |
They've just been saying, can we?
link |
And that's a real problem.
link |
And just in the last year, we've seen a record number
link |
of zero day attacks.
link |
I think there were 80 last year, which
link |
is probably more than double what it was in 2019.
link |
A lot of those were nation states.
link |
We live in a world with a lot of geopolitical hot points
link |
And where those geopolitical hot points are
link |
are places where countries have been investing heavily
link |
in offensive cyber tools.
link |
If you're a nation state, the goal
link |
would be to maximize the footprint of zero day,
link |
like super secret zero day that nobody is aware of.
link |
And whenever war is initiated, the huge negative effects
link |
of shutting down infrastructure or any kind of zero day
link |
is the chaos it creates.
link |
So if you just, there's a certain threshold
link |
when you create the chaos.
link |
The market's plummeted.
link |
Just everything goes to hell.
link |
I mean, it's not just zero days.
link |
We make it so easy for threat actors.
link |
I mean, we're not using two factor authentication.
link |
We're not patching.
link |
There was the shell shock vulnerability
link |
that was discovered a couple of years ago.
link |
It's still being exploited because so many people
link |
So the zero days are really the sexy stuff.
link |
And what really drew me to the zero day market
link |
was the moral calculus we talked about, particularly
link |
from the US government's point of view.
link |
How do they justify leaving these systems so vulnerable
link |
when we use them here and we're baking
link |
more of our critical infrastructure
link |
with this vulnerable software?
link |
It's not like we're using one set of technology
link |
and Russia is using another and China is using this.
link |
We're all using the same technology.
link |
So when you find a zero day in Windows,
link |
you're not just leaving it open so you can spy on Russia
link |
or implant yourself in the Russian grid.
link |
You're leaving Americans vulnerable too.
link |
But zero days are like, that is the secret sauce.
link |
That's the superpower.
link |
And I always say every country now,
link |
with the exception of Antarctica,
link |
someone added the Vatican to my list,
link |
is trying to find offensive hacking tools and zero days
link |
to make them work.
link |
And those that don't have the skills
link |
now have this market that they can tap into,
link |
where $2.5 million, that's chump change
link |
for a lot of these nation states.
link |
It's a hell of a lot less than trying
link |
to build the next fighter jet.
link |
But yeah, the goal is chaos.
link |
I mean, why did Russia turn off the lights twice in Ukraine?
link |
I think part of it is chaos.
link |
I think part of it is to sow the seeds of doubt
link |
in their current government.
link |
Your government can't even keep your lights on.
link |
Why are you sticking with them?
link |
Come over here and we'll keep your lights on at least.
link |
There's like a little bit of that.
link |
Nuclear weapons seems to have helped prevent nuclear war.
link |
Is it possible that we have so many vulnerabilities
link |
and so many attack vectors on each other
link |
that you will kind of achieve the same kind of equilibrium
link |
like mutually shared destruction?
link |
That's one hopeful solution to this.
link |
Do you have any hope for this particular solution?
link |
You know, nuclear analogies always tend to fall apart
link |
when it comes to cyber,
link |
mainly because you don't need fissile material.
link |
You know, you just need a laptop and the skills
link |
and you're in the game.
link |
So it's a really low barrier to entry.
link |
The other thing is attribution is harder.
link |
And we've seen countries muck around with attribution.
link |
We've seen, you know, nation states piggyback
link |
on other countries spy operations and just sit there
link |
and siphon out whatever they're getting.
link |
We learned some of that from the Snowden documents.
link |
We've seen Russia hack into Iran's command
link |
and control attack servers.
link |
We've seen them hit a Saudi petrochemical plant
link |
where they did neutralize the safety locks at the plant
link |
and everyone assumed that it was Iran,
link |
given Iran had been targeting Saudi oil companies forever.
link |
But nope, it turned out that it was
link |
a graduate research institute outside Moscow.
link |
So you see countries kind of playing around
link |
I think because they think, okay, if I do this,
link |
like how am I gonna cover up that it came from me
link |
because I don't wanna risk the response.
link |
So people are sort of dancing around this.
link |
It's just in a very different way.
link |
And, you know, at the times I'd covered the Chinese hacks
link |
of infrastructure companies like pipelines.
link |
I'd covered the Russian probes of nuclear plants.
link |
I'd covered the Russian attacks on the Ukraine grid.
link |
And then in 2018, my colleague David Sanger and I
link |
covered the fact that US Cyber Command
link |
had been hacking into the Russian grid
link |
and making a pretty loud show of it.
link |
And when we went to the National Security Council,
link |
because that's what journalists do
link |
before they publish a story,
link |
they give the other side a chance to respond,
link |
I assumed we would be in for that really awkward,
link |
painful conversation where they would say,
link |
you will have blood on your hands if you publish this story.
link |
And instead they gave us the opposite answer.
link |
They said, we have no problem
link |
with you publishing this story.
link |
Well, they didn't say it out loud,
link |
but it was pretty obvious they wanted Russia to know
link |
that we're hacking into their power grid too,
link |
and they better think twice before they do to us
link |
what they had done to Ukraine.
link |
So yeah, you know, we have stumbled into this new era
link |
of mutually assured digital destruction.
link |
I think another sort of quasi norm we've stumbled into
link |
is proportional responses.
link |
There's this idea that if you get hit,
link |
you're allowed to respond proportionally
link |
at a time and place of your choosing.
link |
That is how the language always goes.
link |
That's what Obama said after North Korea hit Sony.
link |
We will respond at a time and place of our choosing.
link |
But no one really knows like what that response looks like.
link |
And so what you see a lot of the time
link |
are just these like, just short of war attacks.
link |
You know, Russia turned off the power in Ukraine,
link |
but it wasn't like it stayed off for a week.
link |
You know, it stayed off for a number of hours.
link |
You know, NotPetya hit those companies pretty hard,
link |
but no one died, you know?
link |
And the question is, what's gonna happen when someone dies?
link |
And can a nation state masquerade as a cyber criminal group,
link |
as a ransomware group?
link |
And that's what really complicates
link |
coming to some sort of digital Geneva convention.
link |
Like there's been a push from Brad Smith at Microsoft.
link |
We need a digital Geneva convention.
link |
And on its face, it sounds like a no brainer.
link |
Yeah, why wouldn't we all agree to stop hacking
link |
into each other's civilian hospital systems,
link |
elections, power grid, pipelines?
link |
But when you talk to people in the West,
link |
officials in the West, they'll say, we would never,
link |
we'd love to agree to it, but we'd never do it
link |
when you're dealing with Xi or Putin or Kim Jong Un.
link |
Because a lot of times, they outsource these operations
link |
to cyber criminals.
link |
In China, we see a lot of these attacks
link |
come from this loose satellite network of private citizens
link |
that work at the behest of the Ministry of State Security.
link |
So how do you come to some sort of state to state agreement
link |
when you're dealing with transnational actors
link |
and cyber criminals, where it's really hard to pin down
link |
whether that person was acting alone
link |
or whether they were acting at the behest of the MSS
link |
And a couple of years ago, I remember,
link |
can't remember if it was before or after NotPetya,
link |
but Putin said, hackers are like artists
link |
who wake up in the morning in a good mood and start painting.
link |
In other words, I have no say over what they do or don't do.
link |
So how do you come to some kind of norm
link |
when that's how he's talking about these issues
link |
and he's just decimated Merck and Pfizer
link |
and another however many thousand companies?
link |
That is the fundamental difference between nuclear weapons
link |
and cyber attacks is the attribution
link |
or one of the fundamental differences.
link |
If you can fix one thing in the world
link |
in terms of cybersecurity
link |
that would make the world a better place,
link |
what would you fix?
link |
So you're not allowed to fix like authoritarian regimes
link |
You have to keep that,
link |
you have to keep human nature as it is.
link |
In terms of on the security side, technologically speaking,
link |
you mentioned there's no regulation
link |
on companies in United States.
link |
What if you could just fix with the snap of a finger,
link |
what would you fix?
link |
Two factor authentication, multifactor authentication.
link |
It's ridiculous how many of these attacks come in
link |
because someone didn't turn on multifactor authentication.
link |
I mean, Colonial Pipeline, okay?
link |
They took down the biggest conduit
link |
for gas, jet fuel and diesel
link |
to the East Coast of the United States of America, how?
link |
Because they forgot to deactivate an old employee account
link |
whose password had been traded on the dark web
link |
and they'd never turned on two factor authentication.
link |
This water treatment facility outside Florida
link |
was hacked last year.
link |
How did it happen?
link |
They were using Windows XP from like a decade ago
link |
that can't even get patches if you want it to
link |
and they didn't have two factor authentication.
link |
Time and time again,
link |
if they just switched on two factor authentication,
link |
some of these attacks wouldn't have been possible.
link |
Now, if I could snap my fingers,
link |
that's the thing I would do right now.
link |
But of course, this is a cat and mouse game
link |
and then the attackers onto the next thing.
link |
But I think right now that is like bar none.
link |
That is just, that is the easiest, simplest way
link |
to deflect the most attacks.
link |
And the name of the game right now isn't perfect security.
link |
Perfect security is impossible.
link |
They will always find a way in.
link |
The name of the game right now
link |
is make yourself a little bit harder to attack
link |
than your competitor than anyone else out there
link |
so that they just give up and move along.
link |
And maybe if you are a target
link |
for an advanced nation state or the SVR,
link |
you're gonna get hacked no matter what.
link |
But you can make cyber criminal groups deadbolt, is it?
link |
You can make their jobs a lot harder
link |
simply by doing the bare basics.
link |
And the other thing is stop reusing your passwords.
link |
But if I only get one, then two factor authentication.
link |
So what is two factor authentication?
link |
Factor one is what, logging in with a password.
link |
And factor two is like have another device
link |
or another channel through which you can confirm,
link |
Yes, usually this happens through some kind of text.
link |
You get your one time code from Bank of America
link |
The better way to do it is spend $20
link |
buying yourself a Fido key on Amazon.
link |
That's a hardware device.
link |
And if you don't have that hardware device with you,
link |
then you're not gonna get in.
link |
And the whole goal is, I mean, basically,
link |
my first half of my decade at The Times
link |
was spent covering like the copy.
link |
It was like Home Depot got breached,
link |
News at 11, Target, Neumann Marcus,
link |
like who wasn't hacked over the course of those five years?
link |
And a lot of those companies that got hacked,
link |
what did hackers take?
link |
They took the credentials, they took the passwords.
link |
They can make a pretty penny selling them on the dark web
link |
and people reuse their passwords.
link |
So you get one from God knows who, I don't know,
link |
LastPass, worst case example, actually LastPass.
link |
But you get one and then you go test it
link |
on their email account.
link |
And you go test it on their brokerage account
link |
and you test it on their cold storage account.
link |
That's how it works.
link |
But if you have multi factor authentication,
link |
then they can't get in
link |
because they might have your password,
link |
but they don't have your phone,
link |
they don't have your Fido key.
link |
So you keep them out.
link |
And I get a lot of alerts that tell me
link |
someone is trying to get into your Instagram account
link |
or your Twitter account or your email account.
link |
And I don't worry because I use multi factor authentication.
link |
They can try all day.
link |
Okay, I worry a little bit, but it's the simplest thing to do
link |
and we don't even do it.
link |
Well, there's an interface aspect to it
link |
because it's pretty annoying if it's implemented poorly.
link |
So actually bad implementation
link |
of two factor authentication, not just bad,
link |
but just something that adds friction
link |
is a security vulnerability, I guess,
link |
because it's really annoying.
link |
Like I think MIT for a while had two factor authentication.
link |
It was really annoying.
link |
I just, like the number of times it pings you,
link |
like it asks to reauthenticate across multiple subdomains.
link |
Like it just feels like a pain.
link |
I don't know what the right balance there.
link |
Yeah, it feels like friction in our frictionless society.
link |
It feels like friction, it's annoying.
link |
That's security's biggest problem, it's annoying.
link |
We need the Steve Jobs of security to come along
link |
and we need to make it painless.
link |
And actually on that point,
link |
Apple has probably done more for security than anyone else
link |
simply by introducing biometric authentication,
link |
first with the fingerprint and then with face ID.
link |
And it's not perfect, but if you think just eight years ago,
link |
everyone was running around with either no passcode
link |
and optional passcode or four digit passcode on their phone
link |
that anyone, think of what you can get
link |
when you get someone's iPhone, if you steal someone's iPhone
link |
and props to them for introducing the fingerprint
link |
And again, it wasn't perfect, but it was a huge step forward.
link |
Now it's time to make another huge step forward.
link |
I wanna see the password die.
link |
I mean, it's gotten us as far as it was ever gonna get us.
link |
And I hope whatever we come up with next
link |
is not gonna be annoying, is gonna be seamless.
link |
When I was at Google, that's what we worked on is,
link |
and there's a lot of ways to call it
link |
active authentication, passive authentication.
link |
So basically you use biometric data,
link |
not just like a fingerprint, but everything from your body
link |
to identify who you are, like movement patterns.
link |
So it basically create a lot of layers of protection
link |
where it's very difficult to fake,
link |
including like face unlock, checking that it's your actual
link |
face, like the liveness tests.
link |
So like from video, so unlocking it with video,
link |
voice, the way you move the phone,
link |
the way you take it out of the pocket, that kind of thing.
link |
All of those factors.
link |
It's a really hard problem though.
link |
And ultimately, it's very difficult to beat the password
link |
in terms of security.
link |
Well, there's a company that I actually will call out
link |
and that's Abnormal Security.
link |
So they work on email attacks.
link |
And it was started by a couple of guys who were doing,
link |
I think, ad tech at Twitter.
link |
So ad technology now, like it's a joke
link |
how much they know about us.
link |
You always hear the conspiracy theories that
link |
you saw someone's shoes and next thing you know,
link |
it's on your phone.
link |
It's amazing what they know about you.
link |
And they're basically taking that
link |
and they're applying it to attacks.
link |
So they're saying, okay, if you're,
link |
this is what your email patterns are.
link |
It might be different for you and me
link |
because we're emailing strangers all the time.
link |
But for most people,
link |
their email patterns are pretty predictable.
link |
And if something strays from that pattern, that's abnormal
link |
and they'll block it, they'll investigate it.
link |
Let's start using that kind of targeted ad technology
link |
to protect people.
link |
And yeah, I mean, it's not gonna get us away
link |
from the password and using multifactor authentication,
link |
but the technology is out there
link |
and we just have to figure out how to use it
link |
in a really seamless way because it doesn't matter
link |
if you have the perfect security solution
link |
if no one uses it.
link |
I mean, when I started at the times
link |
when I was trying to be really good
link |
about protecting sources,
link |
I was trying to use PGP encryption
link |
and it's like, it didn't work.
link |
The number of mistakes I would probably make
link |
just trying to email someone with PGP just wasn't worth it.
link |
And then Signal came along and Signal made it wicker.
link |
They made it a lot easier
link |
to send someone an encrypted text message.
link |
So we have to start investing in creative minds,
link |
in good security design.
link |
I really think that's the hack that's gonna get us
link |
out of where we are today.
link |
What about social engineering?
link |
Do you worry about this sort of hacking people?
link |
Yes, I mean, this is the worst nightmare
link |
of every chief information security officer out there.
link |
Social engineering, we work from home now.
link |
I saw this woman posted online about how her husband,
link |
it went viral today,
link |
but it was her husband had this problem at work.
link |
They hired a guy named John
link |
and now the guy that shows up for work every day
link |
doesn't act like John.
link |
I mean, think about that.
link |
Like think about the potential for social engineering
link |
You apply for a job and you put on a pretty face,
link |
you hire an actor or something,
link |
and then you just get inside the organization
link |
and get access to all that organization's data.
link |
A couple of years ago,
link |
Saudi Arabia planted spies inside Twitter.
link |
Probably because they were trying to figure out
link |
who these people were
link |
who were criticizing the regime on Twitter.
link |
They couldn't do it with a hack from the outside,
link |
so why not plant people on the inside?
link |
And that's like the worst nightmare.
link |
And it also, unfortunately, creates all kinds of xenophobia
link |
at a lot of these organizations.
link |
I mean, if you're gonna have to take that into consideration,
link |
then organizations are gonna start looking
link |
really skeptically and suspiciously
link |
at someone who applies for that job from China.
link |
And we've seen that go really badly
link |
at places like the Department of Commerce,
link |
where they basically accuse people of being spies
link |
that aren't spies.
link |
So it is the hardest problem to solve,
link |
and it's never been harder to solve
link |
than right at this very moment
link |
when there's so much pressure for companies
link |
to let people work remotely.
link |
That's actually why I'm single.
link |
I'm suspicious that China and Russia,
link |
every time I meet somebody,
link |
are trying to plant and get insider information,
link |
so I'm very, very suspicious.
link |
I keep putting the touring test in front, no.
link |
No, I have a friend who worked inside NSA
link |
and was one of their top hackers,
link |
and he's like, every time I go to Russia,
link |
I get hit on by these 10s.
link |
And I come home, my friends are like,
link |
I'm sorry, you're not a 10.
link |
Like, it's a common story.
link |
I mean, it's difficult to trust humans
link |
in this day and age online.
link |
So we're working remotely, that's one thing,
link |
but just interacting with people on the internet,
link |
sounds ridiculous, but because of this podcast in part,
link |
I've gotten to meet some incredible people,
link |
but it makes you nervous to trust folks,
link |
and I don't know how to solve that problem.
link |
So I'm talking with Mark Zuckerberg,
link |
who dreams about creating the metaverse.
link |
What do you do about that world
link |
where more and more our lives is in the digital sphere?
link |
Like, one way to phrase it is,
link |
most of our meaningful experiences at some point
will be online, like falling in love, getting a job,
or experiencing a moment of happiness with a friend,
with a new friend made online, all of those things.
Like, more and more, the fun we do,
the things that make us love life will happen online,
and if those things have an avatar that's digital,
that's like a way to hack into people's minds,
whether it's with AI or kind of troll farms
or something like that.
I don't know if there's a way to protect against that.
That might fundamentally rely on our faith
in how good human nature is.
So if most people are good, we're going to be okay,
but if people will tend towards manipulation
and malevolent behavior in search of power,
then we're screwed.
So I don't know if you can comment
on how to keep the metaverse secure.

Yeah, I mean, all I thought about
when you were talking just now was my three year old son.
He asked me the other day, what's the internet, mom?
And I just almost wanted to cry.
You know, I don't want that for him.
I don't want all of his most meaningful experiences
You know, by the time that happens,
how do you know that person's human,
that avatar's human?
You know, I believe in free speech.
I don't believe in free speech for robots and bots.
And like, look what just happened over the last six years.
You know, we had bots pretending
to be Black Lives Matter activists
just to sow some division,
or, you know, Texas secessionists,
or, you know, organizing anti-Hillary protests,
or just to sow more division,
to tie us up in our own politics
so that we're so paralyzed we can't get anything done.
We can't make any progress
and we definitely can't handle our adversaries
and their long-term thinking.
It really scares me.
And here's where I just come back to.
Just because we can create the metaverse,
you know, just because it sounds like the next logical step
in our digital revolution,
do I really want my child's most significant moments
They weren't for me, you know?
So maybe I'm just stuck in that old school thinking,
or maybe I've seen too much.
And I'm really sick of being
the guinea pig parent generation for these things.
I mean, it's hard enough with screen time.
Like thinking about how to manage the metaverse as a parent
to a young boy, like I can't even let my head go there.
That's so terrifying for me.
But we've never stopped any new technology
just because it introduces risks.
We've always said, okay, the promise of this technology
means we should keep going, keep pressing ahead.
We just need to figure out new ways to manage that risk.
And you know, that's the blockchain right now.
Like when I was covering all of these ransomware attacks,
I thought, okay, this is gonna be it for cryptocurrency.
You know, governments are gonna put the kibosh down.
They're gonna put the hammer down and say enough is enough.
Like we have to put this genie back in the bottle
because it's enabled ransomware.
I mean, five years ago, they would hijack your PC
and they'd say, go to the local pharmacy,
get an eGift card and tell us what the pin is.
And then we'll get your $200.
Now it's pay us, you know, five Bitcoin.
And so there's no doubt cryptocurrencies
enabled ransomware attacks,
but after the Colonial Pipeline ransom was seized,
because if you remember, the FBI was actually able to go in
and claw some of it back from DarkSide,
which was the ransomware group that hid it.
And I spoke to these guys at TRM Labs.
So they're one of these blockchain intelligence companies.
And a lot of people that work there
used to work at the treasury.
And what they said to me was,
yeah, cryptocurrency has enabled ransomware,
but to track down that ransom payment would have taken,
you know, if we were dealing with fiat currency,
would have taken us years to get to that one bank account
or belonging to that one front company in the Seychelles.
And now thanks to the blockchain,
we can track the movement of those funds in real time.
And you know what?
You know, these payments are not as anonymous
Like we still can use our old hacking ways and zero days
and, you know, old school intelligence methods
to find out who owns that private wallet
and how to get to it.
So it's a curse in some ways in that it's an enabler,
but it's also a blessing.
And they said that same thing to me
that I just said to you.
They said, we've never shut down a promising new technology
because it introduced risk.
We just figured out how to manage that risk.
And I think that's where the conversation
unfortunately has to go,
is how do we in the metaverse use technology to fix things?

So maybe we'll finally be able to, not finally,
but figure out a way to solve the identity problem
on the internet, meaning like a blue check mark
for actual human and connect it to identity
or like a fingerprint so you can prove you're you.
And yet do it in a way that doesn't involve the company
having all your data.
So giving you, allowing you to maintain control
over your data, or if you don't,
then there's a complete transparency
of how that data is being used, all those kinds of things.
And maybe as you educate more and more people,
they would demand in a capitalist society
that the companies that they give their data to
will respect that data.

Yeah, I mean, there is this company,
and I hope they succeed, their name's Piiano.
And they wanna create a vault for your personal information
inside every organization.
And ultimately, if I'm gonna call Delta Airlines
they don't need to know my social security number.
They don't need to know my birth date.
They're just gonna send me a one time token to my phone.
My phone's gonna say, or my FIDO key is gonna say,
And then we're gonna talk about my identity like a token,
some random token.
They don't need to know exactly who I am.
They just need to know the system trusts that I am
who I say I am, but they don't get access to my PII data.
They don't get access to my social security number,
my location, or the fact I'm a Times journalist.
I think that's the way the world's gonna go.
We have, enough is enough on sort of
losing our personal information everywhere,
letting data marketing companies track our every move.
They don't need to know who I am.
We're stuck in this world where the internet runs on ads.
So ads are not gonna go away,
but they don't need to know I'm Nicole Perlroth.
They can know that I am token number, you know,

And they can let you know what they know
and give you control about removing the things they know.

Yeah, right to be forgotten.

To me, you should be able to walk away
with a single press of a button.
And I also believe that most people,
given the choice to walk away, won't walk away.
They'll just feel better about having the option
to walk away when they understand the trade offs.
If you walk away, you're not gonna get
some of the personalized experiences
that you would otherwise get,
like a personalized feed and all those kinds of things.
But the freedom to walk away is,
I think, really powerful.
And obviously, what you're saying,
it's definitely, there's all of these HTML forms
where you have to enter your phone number and email
and private information from Delta, every single airline.
I have so many opinions on this.
Just the friction and the sign up
and all of those kinds of things.
I should be able to, this has to do with everything.
This has to do with payment, too.
Payment should be trivial.
It should be one click,
and one click to unsubscribe and subscribe,
and one click to provide all of your information
that's necessary for the subscription service,
for the transaction service, whatever that is,
getting a ticket, as opposed to,
I have all of these fake phone numbers and emails
that I use in all the sign-ups,
because you never know if one site is hacked,
then it's just going to propagate to everything else.

And there's low hanging fruit,
and I hope Congress does something.
And frankly, I think it's negligent they haven't
on the fact that elderly people are getting spammed to death
on their phones these days with fake car warranty scams.
And I mean, my dad was in the hospital last year,
and I was in the hospital room, and his phone kept buzzing,
and I look at it, and it's just spam attack after spam attack,
people nonstop calling about his freaking car warranty,
why they're trying to get his social security number,
they're trying to get his PII,
they're trying to get this information.
We need to figure out how to put those people
in jail for life, and we need to figure out
why in the hell we are being required
or asked to hand over our social security number
and our home address and our passport,
all of that information to every retailer who asks.
I mean, that's insanity.
And there's no question they're not protecting it
because it keeps showing up in spam or identity theft
or credit card theft or worse.

Well, spam is getting better, and maybe I need to,
as a side note, make a public announcement.
Please clip this out, which is if you get an email
or a message from Lex Fridman saying how much
I, Lex, appreciate you and love you and so on,
and please connect with me on my WhatsApp number
and I will give you Bitcoin or something like that,
please do not click.
And I'm aware that there's a lot of this going on,
a very large amount.
I can't do anything about it.
This is on every single platform.
It's happening more and more and more,
which I've been recently informed that they're not emailing.
So it's cross platform.
They're taking people's, they're somehow,
this is fascinating to me because they are taking people
who comment on various social platforms
and they somehow reverse engineer.
They figure out what their email is
and they send an email to that person saying,
from Lex Fridman, and it's like a heartfelt email
It's fascinating because it's cross platform now.
It's not just a spam bot that's messaging
and a comment that's in a reply.
They are saying, okay, this person cares
about this other person on social media.
So I'm going to find another channel,
which in their mind probably increases
and it does the likelihood that they'll get the people
to click and they do.
I don't know what to do about that.
It makes me really, really sad,
especially with podcasting.
There's an intimacy that people feel connected
and they get really excited.
Okay, cool, I wanna talk to Lex.
And I get angry at the people that do this.
I mean, it's like the John that gets hired,
the fake employee.
I mean, I don't know what to do about that.
I mean, I suppose the solution is education.
It's telling people to be skeptical
on the stuff they click.
That balance with the technology solution
of creating maybe like two factor authentication
and maybe helping identify things
that are likely to be spam, I don't know.
But then the machine learning there is tricky
because you don't wanna add a lot of extra friction
that just annoys people because they'll turn it off.
Because you have the accept cookies thing, right?
That everybody has to click on now,
so now they completely ignore the accept cookies.
This is very difficult to find that frictionless security.

You mentioned Snowden.
You've talked about looking through the NSA documents
he leaked and doing the hard work of that.
What do you make of Edward Snowden?
What have you learned from those documents?
What do you think of him?
In the long arc of history,
is Edward Snowden a hero or a villain?

I think he's neither.
I have really complicated feelings about Edward Snowden.
On the one hand, I'm a journalist at heart
and more transparency is good.
And I'm grateful for the conversations
that we had in the post-Snowden era
about the limits to surveillance
and how critical privacy is.
And when you have no transparency
and you don't really know in that case
what our secret courts were doing,
how can you truly believe that our country
is taking our civil liberties seriously?
So on the one hand, I'm grateful
that he cracked open these debates.
On the other hand, when I walked into the storage closet
of classified NSA secrets,
I had just spent two years
covering Chinese cyber espionage almost every day.
And the sort of advancement of Russian attacks
that were just getting worse and worse and more destructive.
And there were no limits to Chinese cyber espionage
and Chinese surveillance of its own citizens.
And there seemed to be no limit
to what Russia was willing to do in terms of cyber attacks
and also in some cases assassinating journalists.
So when I walked into that room,
there was a part of me quite honestly
that was relieved to know that the NSA
was as good as I hoped they were.
And we weren't using that knowledge to,
as far as I know, assassinate journalists.
We weren't using our access
to take out pharmaceutical companies.
For the most part, we were using it for traditional espionage.
Now, that set of documents also set me
on the journey of my book because to me,
the American people's reaction to the Snowden documents
was a little bit misplaced.
about the phone call metadata collection program.
Angela Merkel, I think rightfully was upset
that we were hacking her cell phone.
But in sort of the spy eat spy world,
hacking world leaders' cell phones
is pretty much what most spy agencies do.
And there wasn't a lot that I saw in those documents
that was beyond what I thought a spy agency does.
And I think if there was another 9/11 tomorrow,
God forbid, we would all say, how did the NSA miss this?
Why weren't they spying on those terrorists?
Why weren't they spying on those world leaders?
And there's some of that too.
But I think that there was great damage done
to the US's reputation.
I think we really lost our halo
in terms of a protector of civil liberties.
And I think a lot of what was reported
was unfortunately reported in a vacuum.
That was my biggest gripe that we were always reporting,
the NSA has this program and here's what it does.
And the NSA is in Angela Merkel's cell phone
and the NSA can do this.
And no one was saying, and by the way,
China has been hacking into our pipelines
and they've been making off
with all of our intellectual property.
And Russia has been hacking into our energy infrastructure
and they've been using the same methods to spy on, track,
and in many cases kill their own journalists.
And the Saudis have been doing this
to their own critics and dissidents.
And so you can't talk about any of these countries
It is really like spy out there.
And so I just have complicated feelings.
And the other thing is, and I'm sorry,
this is a little bit of a tangent,
but the amount of documents that we had,
like thousands of documents,
most of which were just crap,
but had people's names on them.
Part of me wishes that those documents
had been released in a much more targeted, limited way.
It's just a lot of it just felt like a PowerPoint
that was taken out of context.
And you just sort of wish
that there had been a little bit more thought
into what was released.
Because I think a lot of the impact from someone
was just the volume of the reporting.
But I think based on what I saw personally,
there was a lot of stuff that I just,
I don't know why that particular thing got released.

As a whistleblower, what's a better way to do it?
Because I mean, there's fear,
it takes a lot of effort to do a more targeted release.
If there's proper channels,
you're afraid that those channels will be manipulated
by who do you trust.
What's a better way to do this, do you think?
As a journalist, this is almost like a journalistic question.
Reveal some fundamental flaw in the system
without destroying the system.
I bring up, again, Mark Zuckerberg and Meta,
there was a whistleblower
that came out about Instagram internal studies.
And I'm also torn about how to feel about that whistleblower.
Because from a company perspective, that's an open culture.
How can you operate successfully
if you have an open culture
where any one whistleblower can come out,
out of context, take a study,
whether it represents a larger context or not,
and the press eats it up.
And then that creates a narrative
that is just like with the NSA,
you said it's out of context, very targeted,
to where, well, Facebook is evil, clearly,
because of this one leak.
It's really hard to know what to do there,
because we're now in a society
that deeply distrusts institutions.
And so narratives by whistleblowers make that whistleblower
and their forthcoming book very popular.
And so there's a huge incentive
to take stuff out of context and to tell stories
that don't represent the full context, the full truth.
It's hard to know what to do with that,
because then that forces Facebook and Meta and governments
to be much more conservative, much more secretive.
It's like a race to the bottom, I don't know.
I don't know if you can comment on any of that,
how to be a whistleblower ethically and properly.

I don't know, I mean, these are hard questions.
And even for myself, in some ways,
I think of my book as sort of blowing the whistle
on the underground zero day market.
But it's not like I was in the market myself.
It's not like I had access to classified data
when I was reporting out that book.
As I say in the book, listen,
I'm just trying to scrape the surface here,
so we can have these conversations before it's too late.
And I'm sure there's plenty in there
that someone who's US intelligence agencies'
preeminent zero day broker probably
has some voodoo doll of me out there.
And you're never gonna get it 100%.
But I really applaud whistleblowers
like the whistleblower who blew the whistle
on the Trump call with Zelensky.
I mean, people needed to know about that,
that we were basically, in some ways,
blackmailing an ally to try to influence an election.
I mean, they went through the proper channels.
They weren't trying to profit off of it, right?
There was no book that came out afterwards
from that whistleblower.
That whistleblower's not like,
they went through the channels.
They're not living in Moscow, let's put it that way.

Can I ask you a question, you mentioned NSA,
one of the things that showed
is they're pretty good at what they do.
Again, this is a touchy subject, I suppose,
but there's a lot of conspiracy theories
about intelligence agencies.
From your understanding of intelligence agencies,
the CIA, NSA, and the equivalent in other countries,
are they, one question, this could be a dangerous question,
are they competent, are they good at what they do?
And two, are they malevolent in any way?
Sort of, I recently had a conversation
about tobacco companies.
They kind of see their customers as dupes,
like they can just play games with people.
Conspiracy theories tell that similar story
about intelligence agencies,
that they're interested in manipulating the populace
for whatever ends the powerful,
in dark rooms, cigarette smoke, cigar smoke filled rooms.
What's your sense?
Do these conspiracy theories have any truth to them?
Or are intelligence agencies, for the most part,

Okay, well, that's an easy one.
No, I think it depends which intelligence agency.
Think about the Mossad.
They're killing every Iranian nuclear scientist they can
over the years, but have they delayed the time horizon
before Iran gets the bomb?
Have they probably staved off terror attacks
on their own citizens?
You know, none of these, intelligence is intelligence.
You know, you can't just say like they're malevolent
or they're heroes.
You know, everyone I have met in this space
is not like the pound your chest patriot
that you see on the beach on the 4th of July.
A lot of them have complicated feelings
about their former employers.
Well, at least at the NSA reminded me
to do what we were accused of doing after Snowden,
to spy on Americans.
You have no idea the amount of red tape and paperwork
and bureaucracy it would have taken to do
what everyone thinks that we were supposedly doing.
But then, you know, we find out in the course
of the Snowden reporting about a program called LOVEINT,
where a couple of the NSA analysts were using their access
to spy on their ex girlfriends.
So, you know, there's an exception to every case.
Generally, I will probably get, you know,
accused of my Western bias here again,
but I think you can almost barely compare
some of these Western intelligence agencies
to China, for instance.
And the surveillance that they're deploying on the Uyghurs
to the level they're deploying it.
And the surveillance they're starting to export abroad
with some of the programs,
like the watering hole attack I mentioned earlier,
where it's not just hitting the Uyghurs inside China,
it's hitting anyone interested
in the Uyghur plight outside China.
I mean, it could be an American high school student
writing a paper on the Uyghurs.
They wanna spy on that person too.
You know, there's no rules in China
really limiting the extent of that surveillance.
And we all better pay attention to what's happening
with the Uyghurs because just as Ukraine has been to Russia
in terms of a test kitchen for its cyber attacks,
the Uyghurs are China's test kitchen for surveillance.
And there's no doubt in my mind
that they're testing them on the Uyghurs.
Uyghurs are their Petri dish,
and eventually they will export
that level of surveillance overseas.
Obama and Xi Jinping reached a deal
where basically the White House said,
you better cut it out on intellectual property theft.
And so they made this agreement
that they would not hack each other for commercial benefit.
And for a period of about 18 months,
we saw this huge drop off in Chinese cyber attacks
on American companies.
But some of them continued.
Where did they continue?
They continued on aviation companies,
on hospitality companies like Marriott.
Because that was still considered fair game to China.
It wasn't IP theft they were after.
They wanted to know who was staying in this city
at this time when Chinese citizens were staying there
so they could cross match for counterintelligence
who might be a likely Chinese spy.
I'm sure we're doing some of that too.
Counterintelligence is counterintelligence.
It's considered fair game.
But where I think it gets evil
is when you use it for censorship,
to suppress any dissent,
to do what I've seen the UAE do to its citizens
where people who've gone on Twitter
just to advocate for better voting rights,
more enfranchisement,
suddenly find their passports confiscated.
You know, I talked to one critic, Ahmed Mansoor,
you know, you might find yourself a terrorist,
labeled a terrorist one day,
you don't even know how to operate a gun.
I mean, he had been beaten up
every time he tried to go somewhere.
His passport had been confiscated.
By that point, it turned out
they'd already hacked into his phone
so they were listening to us talking.
They'd hacked into his baby monitor
so they're spying on his child.
And they stole his car.
And then they created a new law
that you couldn't criticize the ruling family
or the ruling party on Twitter.
And he's been in solitary confinement every day since
So that's evil, you know, that's evil.
And we still, we don't do that here.
You know, we have rules here.
We don't cross that line.
So yeah, in some cases, like I won't go to Dubai.
You know, I won't go to Abu Dhabi.
If I ever want to go to the Maldives,
like too bad, like most of the flights go through Dubai.
So there's some lines we're not willing to cross.

But then again, just like you said,
there's individuals within NSA, within CIA,
and they may have power.
And to me, there's levels of evil.
To me personally, this is the stuff of conspiracy theories,
is the things you've mentioned as evil
are more direct attacks.
But there's also psychological warfare.
So what does spying allow you to do?
Allow you to collect information
if you have something that's embarrassing.
Or if you have like Jeffrey Epstein conspiracy theories,
active, what is it, manufacture of embarrassing things.
And then use blackmail to manipulate the population
or all the powerful people involved.
It troubles me deeply that MIT allowed somebody
like Jeffrey Epstein in their midst,
especially some of the scientists I admire
that they would hang out with that person at all.
And so I'll talk about it sometimes.
And then a lot of people tell me,
well, obviously Jeffrey Epstein is a front for intelligence.
And I just, I struggle to see that level of competence
But, you know, who the hell am I?
And I guess I was trying to get to that point.
You said that there's bureaucracy and so on,
which makes some of these things very difficult.
I wonder how much malevolence,
how much competence there is in these institutions.
Like how far, this takes us back to the hacking question.
How far are people willing to go if they have the power?
This has to do with social engineering.
This has to do with hacking.
This has to do with manipulating people,
attacking people, doing evil onto people,
psychological warfare and stuff like that.
I believe that most people are good.
And I don't think that's possible in a free society.
There's something that happens
when you have a centralized government
where power corrupts over time
and you start surveillance programs
kind of, it's like a slippery slope
that over time starts to both use fear
and direct manipulation to control the populace.
But in a free society, I just,
it's difficult for me to imagine
that you can have like somebody like a Jeffrey Epstein
in the front for intelligence.
I don't know what I'm asking you, but I'm just,
I have a hope that for the most part,
intelligence agencies are trying to do good
and are actually doing good for the world
when you view it in the full context
of the complexities of the world.
But then again, if they're not, would we know?
That's why Edward Snowden might be a good thing.

Let me ask you a personal question.
You have investigated some of the most powerful
organizations and people in the world
of cyber warfare, cyber security.
Are you ever afraid for your own life,
your own wellbeing, digital or physical?

I mean, I've had my moments.
You know, I've had our security team at the Times
call me at one point and say,
someone's on the dark web offering good money
to anyone who can hack your phone or your laptop.
I describe in my book how when I was at that
hacking conference in Argentina and I came back
and I brought a burner laptop with me,
but I'd kept it in the safe anyway
and it didn't have anything on it,
but someone had broken in and it was moved.
You know, I've had all sorts of sort of scary moments.
And then I've had moments where I think I went
just way too far into the paranoid side.
I mean, I remember writing about the Times hack by China
and I just covered a number of Chinese cyber attacks
where they'd gotten into the thermostat
at someone's corporate apartment
and they'd gotten into all sorts of stuff.
And I was living by myself.
I was single in San Francisco and my cable box
on my television started making some weird noises
in the middle of the night.
And I got up and I ripped it out of the wall
and I think I said something like embarrassing,
like, fuck you China, you know.
And then I went back to bed and I woke up
and it's like beautiful morning light.
I mean, I'll never forget it.
Like this is like glimmering morning light
is shining on my cable box, which has now been ripped out
and is sitting on my floor and like the morning light.
And I was just like, no, no, no,
like I'm not going down that road.
Like you basically, I came to a fork in the road
where I could either go full tinfoil hat,
go live off the grid, never have a car with navigation,
never use Google Maps, never own an iPhone,
never order diapers off Amazon, you know, create an alias
or I could just do the best I can
and live in this new digital world we're living in.
And what does that look like for me?
I mean, what are my crown jewels?
This is what I tell people, what are your crown jewels?
Cause just focus on that.
You can't protect everything,
but you can protect your crown jewels.
For me, for the longest time,
my crown jewels were my sources.
I was nothing without my sources.
So I had some sources, I would meet the same dim sum place
or maybe it was a different restaurant on the same date,
you know, every quarter and we would never drive there.
We would never Uber there.
We wouldn't bring any devices.
I could bring a pencil and a notepad.
And if someone wasn't in town,
like there were a couple of times where I'd show up
and the source never came,
but we never communicated digitally.
And those were the lengths I was willing to go
to protect that source, but you can't do it for everyone.
So for everyone else, you know, it was Signal,
using two factor authentication,
you know, keeping my devices up to date,
not clicking on phishing emails, using a password manager,
all the things that we know we're supposed to do.
And that's what I tell everyone, like don't go crazy
because then that's like the ultimate hack.
Then they've hacked your mind, whoever they is for you.
But just do the best you can.
Now, my whole risk model changed when I had a kid.
You know, now it's, oh God, you know,
if anyone threatened my family, God help them.
But it changes you.
And, you know, unfortunately there are some things,
like I was really scared to go deep on,
like Russian cyber crime, you know, like Putin himself,
you know, and it's interesting.
Like I have a mentor who's an incredible person
who was the Times Moscow Bureau Chief during the Cold War.
And after I wrote a series of stories
about Chinese cyber espionage, he took me out to lunch.
And he told me that when he was living in Moscow,
he would drop his kids off at preschool
when they were my son's age now.
And the KGB would follow him
and they would make a really like loud show of it.
You know, they'd tail him, they'd, you know, honk,
they'd just be, make a ruckus.
And he said, you know what, they never actually did anything
but they wanted me to know that they were following me
and I operated accordingly.
And he says, that's how you should operate
in the digital world.
Know that there are probably people following you.
Sometimes they'll make a little bit of noise.
But one thing you need to know is that
while you're at the New York Times,
you have a little bit of an invisible shield on you.
You know, if something were to happen to you,
that would be a really big deal.
That would be an international incident.
So I kind of carried that invisible shield with me
And then Jamal Khashoggi happened.
And that destroyed my vision of my invisible shield.
You know, sure, you know, he was a Saudi
but he was a Washington Post columnist.
You know, for the most part,
he was living in the United States.
He was a journalist.
And for them to do what they did to him,
pretty much in the open and get away with it,
and for the United States to let them get away with it
because we wanted to preserve diplomatic relations
link |
that really threw my worldview upside down.
link |
And, you know, I think that sent a message
link |
to a lot of countries
link |
that it was sort of open season on journalists.
link |
And to me, that was one of the most destructive things
link |
that happened under the previous administration.
link |
And, you know, I don't really know
link |
what to think of my invisible shield anymore.
link |
Like you said, that really worries me
link |
on the journalism side that people would be afraid
link |
to dig deep on fascinating topics.
link |
And, you know, I have my own,
link |
part of the reason, like I would love to have kids,
link |
I would love to have a family.
link |
Part of the reason I'm a little bit afraid,
link |
there's many ways to phrase this,
link |
but the loss of freedom in the way of doing
link |
all the crazy shit that I naturally do,
link |
which I would say the ethic of journalism
link |
is kind of not, is doing crazy shit
link |
without really thinking about it.
link |
This is letting your curiosity
link |
really allow you to be free and explore.
link |
It's, I mean, whether it's stupidity or fearlessness,
link |
whatever it is, that's what great journalism is.
link |
And all the concerns about security risks
link |
have made me like become a better person.
link |
The way I approach it is just make sure
link |
you don't have anything to hide.
link |
I know this is not a thing.
link |
This is not a, this is not an approach to security.
link |
I'm just, this is like a motivational speech or something.
link |
It's just like, if you can lose,
link |
you can be hacked at any moment.
link |
Just don't be a douchebag secretly.
link |
Just be like a good person.
link |
Because then, I see this actually
link |
with social media in general.
link |
Just present yourself in the most authentic way possible,
link |
meaning be the same person online as you are privately.
link |
Have nothing to hide.
link |
That's one, not the only, but one of the ways
link |
to achieve security.
link |
Maybe I'm totally wrong on this,
link |
but don't be secretly weird.
link |
If you're weird, be publicly weird
link |
so it's impossible to blackmail you.
link |
That's my approach to security.
link |
Yeah, well, they call it
link |
the New York Times front page phenomenon.
link |
Don't put anything in email or I guess social media
link |
these days that you wouldn't want to read
link |
on the front page of the New York Times.
link |
And that works, but sometimes I even get carried,
link |
I mean, I have not as many followers as you,
link |
but a lot of followers,
link |
and sometimes even I get carried away.
link |
Just be emotional and stuff and say something.
link |
Yeah, I mean, just the cortisol response on Twitter.
link |
Twitter is basically designed to elicit those responses.
link |
I mean, every day I turn on my computer,
link |
I look at my phone, I look at what's trending on Twitter,
link |
and it's like, what are the topics
link |
that are gonna make people the most angry today?
link |
And you know, it's easy to get carried away,
link |
but it's also just, that sucks too,
link |
that you have to be constantly censoring yourself.
link |
And maybe it's for the better.
link |
Maybe you can't be a secret asshole,
link |
and we can put that in the good bucket.
link |
But at the same time, you know,
link |
there is a danger to that other voice,
link |
to creativity, you know, to being weird.
link |
There's a danger to that little whispered voice
link |
that's like, well, how would people read that?
link |
You know, how could that be manipulated?
link |
How could that be used against you?
link |
And that stifles creativity and innovation and free thought.
link |
And you know, that is on a very micro level.
link |
And that's something I think about a lot.
link |
And that's actually something that Tim Cook
link |
has talked about a lot,
link |
and why he has said he goes full force on privacy
link |
is it's just that little voice
link |
that is at some level censoring you.
link |
And what is sort of the long term impact
link |
of that little voice over time?
link |
I think there's a ways, I think that self censorship
link |
is an attack factor that there's solutions to.
link |
The way I'm really inspired by Elon Musk,
link |
the solution to that is just be privately
link |
and publicly the same person and be ridiculous.
link |
Embrace the full weirdness and show it more and more.
link |
So, you know, that's memes that has like ridiculous humor.
link |
And I think, and if there is something
link |
you really wanna hide, deeply consider
link |
if that you wanna be that.
link |
Like, why are you hiding it?
link |
What exactly are you afraid of?
link |
Because I think my hopeful vision for the internet
link |
is the internet loves authenticity.
link |
They wanna see you weird, so be that and like live that fully
link |
because I think that gray area
link |
where you're kind of censoring yourself,
link |
that's where the destruction is.
link |
You have to go all the way, step over, be weird.
link |
And then it feels, it can be painful
link |
because people can attack you and so on, but just ride it.
link |
I mean, that's just like a skill
link |
on the social psychological level
link |
that ends up being an approach to security,
link |
which is like remove the attack vector
link |
of having private information
link |
by being your full weird self publicly.
link |
What advice would you give to young folks today,
link |
you know, operating in this complicated space
link |
about how to have a successful life,
link |
a life they can be proud of,
link |
a career they can be proud of?
link |
Maybe somebody in high school and college
link |
thinking about what they're going to do.
link |
Be a hacker, you know, if you have any interest,
link |
become a hacker and apply yourself to defense, you know.
link |
Every time, like we do have
link |
these amazing scholarship programs, for instance,
link |
where, you know, they find you early,
link |
they'll pay your college as long as you commit
link |
to some kind of federal commitment
link |
to sort of help federal agencies with cybersecurity.
link |
And where does everyone wanna go every year
link |
from the scholarship program?
link |
They wanna go work at the NSA or Cyber Command, you know.
link |
They wanna go work on offense.
link |
They wanna go do the sexy stuff.
link |
It's really hard to get people to work on defense.
link |
It's just, it's always been more fun
link |
to be a pirate than be in the Coast Guard, you know.
link |
And so we have a huge deficit
link |
when it comes to filling those roles.
link |
There's 3.5 million unfilled cybersecurity positions
link |
I mean, talk about job security,
link |
like be a hacker and work on cybersecurity.
link |
You will always have a job.
link |
And we're actually at a huge deficit
link |
and disadvantage as a free market economy
link |
because we can't match cybersecurity salaries
link |
at Palantir or Facebook or Google or Microsoft.
link |
And so it's really hard for the United States
link |
to fill those roles.
link |
And, you know, other countries have had this work around
link |
where they basically have forced conscription on some level.
link |
You know, China tells people,
link |
like you do whatever you're gonna do during the day,
link |
You know, if you need to do some ransomware, okay.
link |
But the minute we tap you on the shoulder
link |
and ask you to come do this sensitive operation for us,
link |
the answer is yes.
link |
You know, same with Russia.
link |
You know, a couple of years ago when Yahoo was hacked
link |
and they laid it all out in an indictment,
link |
it came down to two cyber criminals
link |
and two guys from the FSB.
link |
Cyber criminals were allowed to have their fun,
link |
but the minute they came across the username and password
link |
for someone's personal Yahoo account
link |
that worked at the White House or the State Department
link |
or military, they were expected to pass that over to the FSB.
link |
So we don't do that here.
link |
And it's even worse on defense.
link |
We really can't fill these positions.
link |
So, you know, if you are a hacker,
link |
if you're interested in code,
link |
if you're a tinker, you know, learn how to hack.
link |
There are all sorts of amazing hacking competitions
link |
you can do through the SANS org, for example, S A N S.
link |
And then use those skills for good.
link |
You know, neuter the bugs in that code
link |
that get used by autocratic regimes
link |
to make people's life, you know, a living prison.
link |
You know, plug those holes.
link |
You know, defend industrial systems,
link |
defend our water treatment facilities
link |
from hacks where people are trying to come in
link |
and poison the water.
link |
You know, that I think is just an amazing,
link |
it's an amazing job on so many levels.
link |
It's intellectually stimulating.
link |
You can tell yourself you're serving your country.
link |
You can tell yourself you're saving lives
link |
and keeping people safe.
link |
And you'll always have amazing job security.
link |
And if you need to go get that job that pays you,
link |
you know, 2 million bucks a year, you can do that too.
link |
And you can have a public profile,
link |
more so of a public profile, you can be a public rockstar.
link |
I mean, it's the same thing as sort of the military.
link |
there's a lot of well known sort of people
link |
commenting on the fact that veterans
link |
are not treated as well as they should be.
link |
But it's still the fact that soldiers
link |
are deeply respected for defending the country,
link |
the freedoms, the ideals that we stand for.
link |
And in the same way, I mean, in some ways,
link |
the cybersecurity defense are the soldiers of the future.
link |
Yeah, and you know what's interesting,
link |
I mean, in cybersecurity, the difference is,
link |
oftentimes you see the more interesting threats
link |
in the private sector, because that's where the attacks come.
link |
You know, when cyber criminals
link |
and nation state adversaries come for the United States,
link |
they don't go directly for Cyber Command or the NSA.
link |
You know, they go for banks, they go for Google,
link |
they go for Microsoft, they go for critical infrastructure.
link |
And so those companies, those private sector companies
link |
get to see some of the most advanced,
link |
sophisticated attacks out there.
link |
And you know, if you're working at FireEye
link |
and you're calling out the SolarWinds attack, for instance,
link |
I mean, you just saved God knows how many systems
link |
from, you know, that compromise turning into something
link |
that more closely resembles sabotage.
link |
So, you know, go be a hacker, or go be a journalist.
link |
So you wrote the book,
link |
This Is How They Tell Me The World Ends,
link |
as we've been talking about,
link |
of course, referring to cyber war, cybersecurity.
link |
What gives you hope about the future of our world
link |
if it doesn't end?
link |
How will it not end?
link |
That's a good question.
link |
I mean, I have to have hope, right?
link |
Because I have a kid and I have another on the way,
link |
and if I didn't have hope, I wouldn't be having kids.
link |
But it's a scary time to be having kids.
link |
And you know, it's like pandemic, climate change,
link |
disinformation, increasingly advanced, perhaps deadly
link |
What gives me hope is that I share your worldview
link |
that I think people are fundamentally good.
link |
And sometimes, and this is why the metaverse
link |
scares me to death, but when I'm reminded of that
link |
Like online, I get the opposite.
link |
You know, you start to lose hope and humanity
link |
when you're on Twitter half your day.
link |
It's like when I go to the grocery store
link |
or I go on a hike or like someone smiles at me
link |
or you know, or someone just says something nice.
link |
You know, people are fundamentally good.
link |
We just don't hear from those people enough.
link |
And my hope is, I just think our current political climate,
link |
like we've hit rock bottom.
link |
This is as bad as it gets.
link |
We can't do anything.
link |
But I think it's a generational thing.
link |
You know, I think baby boomers, like it's time to move along.
link |
I think it's time for a new generation to come in.
link |
And I actually have a lot of hope when I look at you.
link |
I'm sort of like this, I guess they call me
link |
a geriatric millennial or a young gen X.
link |
But like we have this unique responsibility
link |
because I grew up without the internet
link |
and without social media, but I'm native to it.
link |
So I know the good and I know the bad.
link |
And that's true on so many different things.
link |
You know, I grew up without climate change anxiety
link |
and now I'm feeling it and I know it's not a given.
link |
We don't have to just resign ourselves to climate change.
link |
You know, same with disinformation.
link |
And I think a lot of the problems we face today
link |
have just exposed the sort of inertia
link |
that there has been on so many of these issues.
link |
And I really think it's a generational shift
link |
that has to happen.
link |
And I think this next generation is gonna come in
link |
and say like, we're not doing business
link |
like you guys did it anymore.
link |
You know, we're not just gonna like rape
link |
and pillage the earth and try and turn everyone
link |
against each other and play dirty tricks
link |
and let lobbyists dictate what we do
link |
or don't do as a country anymore.
link |
And that's really where I see the hope.
link |
It feels like there's a lot of low hanging fruit
link |
for young minds to step up and create solutions and lead.
link |
So whenever like politicians or leaders that are older,
link |
like you said, are acting shitty, I see that as a positive.
link |
They're inspiring a large number of young people
link |
And so I think you're right, there's going to be,
link |
it's almost like you need people to act shitty
link |
to remind them, oh, wow, we need good leaders.
link |
We need great creators and builders and entrepreneurs
link |
and scientists and engineers and journalists.
link |
You know, all the discussions about how the journalism
link |
is quote unquote broken and so on,
link |
that's just an inspiration for new institutions to rise up
link |
that do journalism better,
link |
new journalists to step up and do journalism better.
link |
So I, and I've been constantly,
link |
when I talk to young people, I'm constantly impressed
link |
by the ones that dream to build solutions.
link |
And so that's ultimately why I put the hope.
link |
But the world is a messy place,
link |
like we've been talking about, it's a scary place.
link |
Yeah, and I think you hit something,
link |
hit on something earlier, which is authenticity.
link |
Like no one is going to rise above that is plastic anymore.
link |
You know, people are craving authenticity.
link |
You know, the benefit of the internet is it's really hard
link |
to hide who you are on every single platform.
link |
You know, on some level it's gonna come out
link |
who you really are.
link |
And so you hope that, you know,
link |
by the time my kids are grown,
link |
like no one's gonna care if they made one mistake online,
link |
so long as they're authentic, you know?
link |
And I used to worry about this.
link |
My nephew was born the day I graduated from college.
link |
And I just always, you know, he's like born into Facebook.
link |
And I just think like, how is a kid like that
link |
ever gonna be president of the United States of America?
link |
Because if Facebook had been around when I was in college,
link |
you know, like Jesus, you know,
link |
how are those kids are gonna ever be president?
link |
There's gonna be some photo of them at some point
link |
making some mistake, and that's gonna be all over for them.
link |
And now I take that back.
link |
Now it's like, no, everyone's gonna make mistakes.
link |
There's gonna be a picture for everyone.
link |
And we're all gonna have to come and grow up
link |
to the view that as humans, we're gonna make huge mistakes.
link |
And hopefully they're not so big
link |
that they're gonna ruin the rest of your life.
link |
But we're gonna have to come around to this view
link |
that we're all human.
link |
And we're gonna have to be a little bit more forgiving
link |
and a little bit more tolerant when people mess up.
link |
And we're gonna have to be a little bit more humble
link |
when we do, and like keep moving forward.
link |
Otherwise you can't like cancel everyone, you know?
link |
Nicole, this is an incredible, hopeful conversation.
link |
Also, one that reveals that in the shadows
link |
there's a lot of challenges to be solved.
link |
So I really appreciate that you took on
link |
this really difficult subject with your book.
link |
That's journalism at its best.
link |
So I'm really grateful that you took the risk
link |
that you took that on,
link |
and that you plugged the cable box back in.
link |
That means you have hope.
link |
And thank you so much for spending
link |
your valuable time with me today.
link |
Thank you, thanks for having me.
link |
Thanks for listening to this conversation
link |
with Nicole Perlroth.
link |
To support this podcast,
link |
please check out our sponsors in the description.
link |
And now let me leave you with some words
link |
from Nicole herself.
link |
Here we are, entrusting our entire digital lives,
link |
passwords, texts, love letters, banking records,
link |
health records, credit cards, sources,
link |
and deepest thoughts to this mystery box
link |
whose inner circuitry most of us would never vet.
link |
Run by code written in a language most of us
link |
will never fully understand.
link |
Thank you for listening and hope to see you next time.