Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266

00:00:00.000
If one site is hacked, you can just unleash all hell.
00:00:03.520
We have stumbled into this new era of mutually assured digital destruction.
00:00:08.960
How far are people willing to go?
00:00:11.120
And you can capture their location, you can capture their contacts, record their
00:00:16.960
telephone calls, record their camera without them knowing about it.
00:00:20.720
Basically, you can put an invisible ankle bracelet on someone without them knowing.
00:00:25.920
You could sell that to a zero day broker for two million dollars.
00:00:34.080
The following is a conversation with Nicole Perlroth,
00:00:37.200
cybersecurity journalist and author of This Is How They Tell Me The World Ends,
00:00:42.400
The Cyber Weapons Arms Race.
00:00:44.800
This is the Lex Fridman podcast.
00:00:46.800
To support it, please check out our sponsors in the description.
00:00:50.240
And now, dear friends, here's Nicole Perlroth.
00:00:54.000
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer
00:01:00.160
scientists, government officials, forensic investigators, and mercenaries.
00:01:05.520
So let's talk about cybersecurity and cyber war.
00:01:09.360
Start with the basics.
00:01:10.400
What is a zero day vulnerability and then a zero day exploit or attack?
00:01:16.480
So, at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS
00:01:27.440
software that no one else knows about, especially Apple.
00:01:31.040
That's called a zero day because the minute it's discovered,
00:01:34.240
engineers have had zero days to fix it.
00:01:37.600
If I can study that zero day, I could potentially write a program to exploit it.
00:01:44.000
And that program would be called a zero day exploit.
00:01:48.000
And for iOS, the dream is that you craft a zero day exploit that can remotely exploit
00:01:55.360
someone else's iPhone without them ever knowing about it.
00:01:59.120
And you can capture their location.
00:02:01.040
You can capture their contacts, record their telephone calls, record their camera
00:02:07.120
without them knowing about it.
00:02:08.800
Basically, you can put an invisible ankle bracelet on someone with a
00:02:13.920
phone without them knowing.
00:02:14.880
And you can see why that capability, that zero day exploit, would have immense value
00:02:20.400
for a spy agency or a government that wants to monitor its critics or dissidents.
00:02:27.520
And so there's a very lucrative market now for zero day exploits.
00:02:31.920
So you said a few things there.
00:02:33.280
One is iOS.
00:02:34.720
Why iOS?
00:02:36.080
Which operating system?
00:02:37.520
Which one is the sexier thing to try to get to or the most impactful thing?
00:02:41.600
And the other thing you mentioned is remote versus like having to actually come in physical
00:02:47.520
contact with it.
00:02:48.480
Is that the distinction?
00:02:50.160
So iPhone exploits have just been a government's number one priority.
00:02:57.600
Recently, actually the price of an Android remote zero day exploit,
00:03:02.720
something that can get you into Android phones, is actually higher.
00:03:07.280
The value of that is now higher on this underground market for zero day exploits
00:03:12.400
than an iPhone iOS exploit.
00:03:15.200
So things are changing.
00:03:16.560
So there's probably more Android devices.
00:03:19.840
So that's why it's better.
00:03:21.520
But on the iPhone side, I'm an Android person because I'm a man of the people.
00:03:28.400
But it seems like all the elites use iPhone, all the people at nice dinner parties.
00:03:32.960
So is that the reason that the more powerful people use iPhones?
00:03:38.000
Is that why?
00:03:38.640
I don't think so.
00:03:39.680
I actually, so it was about two years ago that the price has flipped.
00:03:43.520
It used to be that if you could craft a remote zero click exploit for iOS,
00:03:53.200
then that was about as good as it gets.
00:03:55.280
You could sell that to a zero day broker for $2 million.
00:04:00.480
The caveat is you can never tell anyone about it, because the minute you tell someone about it,
00:04:05.760
Apple learns about it, they patch it, and that $2.5 million investment that that zero day broker
00:04:12.400
just made goes to dust.
00:04:14.800
So a couple years ago, and don't quote me on the prices, but an Android zero click remote
00:04:23.680
exploit for the first time topped the iOS. And actually, a lot of people's read on that
00:04:31.360
was that it might be a sign that Apple security was falling and that it might actually be easier
00:04:41.840
to find an iOS zero day exploit than find an Android zero day exploit.
00:04:48.160
The other thing is market share.
00:04:49.760
There are just more people around the world that use Android.
00:04:54.640
And a lot of governments that are paying top dollar for zero day exploits these days
00:05:01.280
are deep pocketed governments in the Gulf that want to use these exploits to monitor
00:05:07.680
their own citizens, monitor their critics.
00:05:10.720
And so it's not necessarily that they're trying to find elites.
00:05:14.480
It's that they want to find out who these people are that are criticizing them or perhaps
00:05:19.120
planning the next Arab Spring.
00:05:21.040
So in your experience, are most of these attacks targeted to cover a large population
00:05:26.400
or are there attacks that are targeted towards specific individuals?
00:05:31.120
So I think it's both.
00:05:32.720
Some of the zero day exploits that have fetched top dollar that I've heard of in my reporting in
00:05:38.320
the United States were highly targeted.
00:05:41.120
There was a potential terrorist attack.
00:05:43.440
They wanted to get into this person's phone.
00:05:45.280
It had to be done in the next 24 hours.
00:05:47.920
They approached hackers and said, we'll pay you X millions of dollars if you can do this.
00:05:53.600
But then you look at when we've discovered iOS zero day exploits in the wild,
00:06:00.640
some of them have been targeting large populations like Uighurs.
00:06:05.200
So a couple of years ago, there was a watering hole attack.
00:06:10.080
Okay, what's a watering hole attack?
00:06:12.000
There's a website.
00:06:13.120
It actually had information aimed at Uighurs.
00:06:16.960
Uighurs, and you could access it all over the world.
00:06:20.880
And if you visited this website, it would drop an iOS zero day exploit onto your phone.
00:06:29.440
And so anyone that visited this website that was about Uighurs anywhere,
00:06:34.320
I mean Uighurs, Uighurs living abroad, basically the Uighur diaspora would have
00:06:40.480
gotten infected with this zero day exploit.
00:06:43.840
So in that case, they were targeting huge swaths of this one population
00:06:50.560
or people interested in this one population basically in real time.
00:06:57.120
Who are these attackers from the individual level to the group level?
00:07:02.640
Psychologically speaking, what's their motivation?
00:07:05.040
Is it purely money?
00:07:07.360
Is it the challenge?
00:07:09.120
Are they malevolent?
00:07:10.480
Is it power?
00:07:11.280
Or these are big philosophical human questions, I guess.
00:07:15.280
So these are the questions I set out to answer for my book.
00:07:20.240
I wanted to know, are these people that are just after money?
00:07:26.720
If they're just after money, how do they sleep at night?
00:07:29.600
Not knowing whether that zero day exploit they just sold to a broker is being used
00:07:34.560
to basically make someone's life a living hell.
00:07:36.880
And what I found was there's kind of this long sordid history to this question.
00:07:43.600
It started out in the 80s and 90s when hackers were just finding holes and bugs in software
00:07:51.120
for curiosity's sake, really as a hobby, and some of them would go to the tech companies
00:07:56.800
like Microsoft or Sun Microsystems at the time or Oracle.
00:08:01.680
And they'd say, hey, I just found this zero day in your software and I can use it to break
00:08:06.480
into NASA.
00:08:08.080
And the general response at the time wasn't, thank you so much for pointing out this flaw
00:08:13.840
in our software, we'll get it fixed as soon as possible.
00:08:17.200
It was, don't ever poke around our software ever again or we'll stick our general counsel on you.
00:08:24.080
And that was really sort of the common thread for years.
00:08:29.280
And so hackers who set out to do the right thing were basically told to shut up and stop
00:08:37.200
doing what you're doing.
00:08:39.280
And what happened next was they basically started trading this information online.
00:08:45.280
Now, when you go back and interview people from those early days, they all tell a very
00:08:51.040
similar story, which is they're curious, they're tinkerers.
00:08:56.000
They remind me of like the kid down the block that was constantly poking around the hood
00:09:00.880
of his dad's car.
00:09:01.920
They just couldn't help themselves.
00:09:04.720
They wanted to figure out how a system is designed and how they could potentially exploit
00:09:10.400
it for some other purpose.
00:09:11.840
It doesn't have to be good or bad.
00:09:14.400
But they were basically kind of beat down for so long by these big tech companies that
00:09:22.320
they started just silently trading them with other hackers.
00:09:26.800
And that's how you got these really heated debates in the 90s about disclosure.
00:09:34.640
Should you just dump these things online, because any script kiddie can pick them up and use it
00:09:39.600
for all kinds of mischief?
00:09:42.160
But, you know, don't you want to just stick a middle finger to all these companies that are
00:09:46.320
basically threatening you all the time?
00:09:48.000
So there was this really interesting dynamic at play and what I learned in the course of
00:09:54.400
doing my book was that government agencies and their contractors sort of tapped into
00:10:01.280
that frustration and that resentment.
00:10:03.760
And they started quietly reaching out to hackers on these forums and they said, hey,
00:10:10.240
you know that zero day you just dropped online.
00:10:12.800
Could you come up with something custom for me?
00:10:15.520
And I'll pay you six figures for it.
00:10:18.080
So long as you shut up and never tell anyone that I paid you for this, and that's
00:10:23.440
what happened.
00:10:24.480
So throughout the 90s, there was a bunch of boutique contractors that started reaching
00:10:30.560
out to hackers on these forums and saying, hey, I'll pay you six figures for that bug
00:10:35.760
you were trying to get Microsoft to fix for free. And sort of so began, or so catalyzed,
00:10:41.840
this market where governments and their intermediaries started reaching out to these hackers and
00:10:48.640
buying their bugs for free.
00:10:50.560
And in those early days, I think a lot of it was just for quiet counterintelligence,
00:10:55.360
traditional espionage.
00:10:57.760
But as we started baking the software, Windows software, Schneider Electric,
00:11:05.120
Siemens industrial software into our nuclear plants and our factories and our power grid
00:11:14.800
and our petrochemical facilities and our pipelines, those same zero days came to be just as valuable
00:11:22.000
for sabotage and war planning.
00:11:24.960
Does the fact that the market sprung up and you can now make a lot of money change the
00:11:28.880
nature of the attackers that came to the table or grow the number of attackers?
00:11:33.760
I mean, what is, I guess you told the psychology of the hackers in the 90s, what is the culture
00:11:41.680
today and where is it heading?
00:11:43.520
So I think there are people who will tell you they would never sell a zero day to a
00:11:49.280
zero day broker or a government.
00:11:52.080
One, because they don't know how it's going to get used when they throw it over the fence.
00:11:55.920
You know, most of these get rolled into classified programs and you don't know how they get used.
00:12:00.160
If you sell it to a zero day broker, you don't even know which nation state might use it
00:12:06.720
or potentially which criminal group might use it if you sell it on the dark web.
00:12:11.200
The other thing that they say is that they want to be able to sleep at night.
00:12:17.840
And they lose a lot of sleep if they found out their zero day was being used to, you know,
00:12:22.800
make a dissident's life a living hell.
00:12:24.560
But there are a lot of people, good people, who also say, no, this is not my problem.
00:12:31.200
This is the technology company's problem.
00:12:34.080
If they weren't writing new bugs into their software every day, then there wouldn't be a market.
00:12:39.040
You know, then there wouldn't be a problem, but they continue to write bugs into their
00:12:43.840
software all the time and they continue to profit off that software.
00:12:46.960
So why shouldn't I profit off my labor too?
00:12:51.120
And one of the things that has happened, which is I think a positive development over the last
00:12:56.480
10 years, are bug bounty programs, you know, companies like Google and Facebook and then
00:13:03.040
Microsoft and finally Apple, which resisted it for a really long time, have said, okay,
00:13:09.680
we are going to shift our perspective about hackers.
00:13:13.280
We're no longer going to treat them as the enemy here.
00:13:16.720
We're going to start paying them for what is essentially...
00:13:19.680
Paying them for what is essentially free quality assurance.
00:13:23.680
And we're going to pay them good money in some cases, you know, six figures in some cases.
00:13:28.720
We're never going to be able to bid against a zero day broker who sells to government agencies,
00:13:34.560
but we can reward them and hopefully get to that bug earlier where we can neutralize it
00:13:40.800
so that they don't have to spend another year developing the zero day exploit.
00:13:44.640
And in that way, we can keep our software more secure.
00:13:47.440
But every week I get messages from some hacker that says, you know, I tried to see this zero day
00:13:54.720
exploit that was just found in the wild, you know, being used by this nation state.
00:13:59.600
I tried to tell Microsoft about this two years ago and they were going to pay me peanuts.
00:14:05.360
So it never got fixed.
00:14:07.840
You know, there are all sorts of those stories that can continue on.
00:14:11.120
And, you know, I think just generally hackers are not very good at diplomacy, you know,
00:14:18.400
they tend to be a pretty snipey, technical crowd and very philosophical in my experience.
00:14:26.560
But, you know, diplomacy is not their strong suit.
00:14:30.560
Well, there almost has to be a broker between companies and hackers.
00:14:34.640
That can translate effectively, just like you have a zero day broker between governments and hackers.
00:14:39.760
Yeah.
00:14:41.360
Because you have to speak their language.
00:14:43.040
Yeah.
00:14:43.600
And there have been some of those companies who've risen up to meet that demand.
00:14:47.680
And HackerOne is one of them.
00:14:50.240
Bugcrowd is another.
00:14:52.480
Synack has an interesting model.
00:14:54.160
So that's a company that you pay for a private bug bounty program, essentially.
00:14:59.680
So you pay this company, they tap hackers all over the world to come hack your software,
00:15:05.920
hack your system, and then they'll quietly tell you what they found.
00:15:11.040
And I think that's a really positive development.
00:15:13.600
And actually, the Department of Defense hired all three of those companies
00:15:19.120
I just mentioned to help secure their systems.
00:15:21.920
Now, I think they're still a little timid in terms of letting those hackers into the really
00:15:26.800
sensitive, high side classified stuff, but, you know, baby steps.
00:15:31.680
Just to understand what you were saying, you think it's impossible for companies to
00:15:37.840
financially compete with the zero day brokers with governments,
00:15:41.840
so like the defense can't outpay the hackers?
00:15:47.600
It's interesting.
00:15:48.320
You know, they shouldn't outpay them because what would happen if they started offering
00:15:55.280
$2.5 million at Apple for any zero day exploit that governments would pay that much for
00:16:04.640
is their own engineers would say, why the hell am I working for less than that
00:16:10.160
and doing my nine to five every day?
00:16:12.320
So you would create a perverse incentive.
00:16:14.560
And I didn't think about that until I started this research and I realized,
00:16:19.040
okay, yeah, that makes sense.
00:16:20.400
You don't want to incentivize offense so much that it's to your own detriment.
00:16:27.360
And so I think what they have though, what the companies have on government agencies
00:16:32.560
is if they pay you, you get to talk about it.
00:16:35.920
You know, you get the street cred.
00:16:38.000
You get to brag about the fact you just found that $2.5 million, you know,
00:16:44.080
iOS zero day that no one else did.
00:16:46.960
And if you sell it to a broker, you never get to talk about it.
00:16:49.920
And I think that really does eat at people.
00:16:52.960
Can I ask you a big philosophical question about human nature here?
00:16:57.120
So if you have in what you've seen, if a human being has a zero day,
00:17:03.280
they found a zero day vulnerability that can hack into, I don't know,
00:17:09.680
what's the worst thing you can hack into, something that could launch nuclear weapons.
00:17:14.880
Which percentage of the people in the world that have the skill would not share that with
00:17:19.360
anyone, with any bad party?
00:17:23.280
I guess how many people are completely devoid of ethical concerns in your sense?
00:17:31.680
So my belief is all the ultra competent people, or a very, very high percentage of
00:17:38.400
ultra competent people, are also ethical people.
00:17:41.440
That's been my experience.
00:17:42.800
But then again, my experience is narrow.
00:17:45.680
What's your experience been like?
00:17:48.560
So this was another question I wanted to answer.
00:17:53.600
Who are these people who would sell a zero day exploit that would neutralize
00:17:59.440
a Schneider Electric safety lock at a petrochemical plant?
00:18:03.040
Basically the last thing you would need to neutralize before you trigger some kind of explosion.
00:18:07.920
Who would sell that?
00:18:11.280
And I got my answer.
00:18:15.360
Well, the answer was different.
00:18:16.720
A lot of people said, I would never even look there because I don't even want to know.
00:18:20.880
I don't even want to have that capability.
00:18:23.520
I don't even want to have to make that decision about whether I'm going to profit off of that knowledge.
00:18:29.840
I went down to Argentina and this whole kind of moral calculus I had in my head was completely
00:18:37.680
flipped around.
00:18:39.200
So just to back up for a moment.
00:18:41.520
So Argentina actually is a real hackers' paradise.
00:18:47.440
People grew up in Argentina and I went down there.
00:18:50.640
I guess I was there around 2015, 2016, but you still couldn't get an iPhone.
00:18:57.280
They didn't have Amazon Prime.
00:18:58.800
You couldn't get access to any of the apps we all take for granted.
00:19:02.480
To get those things in Argentina as a kid, you have to find a way to hack them.
00:19:06.720
And the whole culture is really like a hacker culture.
00:19:11.280
They say it's really like a MacGyver culture.
00:19:14.000
You have to figure out how to break into something with wire and tape.
00:19:18.640
And that means that there are a lot of really good hackers in Argentina who
00:19:25.120
specialize in developing zero day exploits.
00:19:29.680
And I went down to this Argentina conference called Ekoparty.
00:19:34.240
And I asked the organizer, okay, can you introduce me to someone who's selling zero day exploits
00:19:40.240
to governments?
00:19:41.520
And he was like, just throw a stone, throw a stone anywhere and you're going to hit someone.
00:19:47.520
And all over this conference, you saw these guys who were clearly from these Gulf States,
00:19:52.800
who only spoke Arabic.
00:19:54.000
What are they doing at a young hacking conference in Buenos Aires?
00:19:58.960
Oh boy.
00:19:59.600
And so I went out to lunch with kind of this godfather of the hacking scene
00:20:06.800
there.
00:20:07.200
And I asked this really dumb question and I'm still embarrassed about how I phrased it.
00:20:12.960
But I said, so, you know, well, these guys only sell these zero day exploits to good Western
00:20:18.640
governments.
00:20:20.160
And he said, Nicole, last time I checked the United States wasn't a good Western government.
00:20:24.880
You know, the last country that bombed another country into oblivion wasn't China or Iran.
00:20:30.880
It was the United States.
00:20:32.800
So if we're going to go by your whole moral calculus, you know, just know that we have
00:20:36.800
a very different calculus down here.
00:20:39.120
And we'd actually rather sell to Iran or Russia or China, maybe, than the United States.
00:20:46.080
And that just blew me away.
00:20:48.080
Like, wow.
00:20:49.200
You know, he's like, we'll just sell to whoever brings us the biggest bag of cash.
00:20:53.040
Have you checked into our inflation situation recently?
00:20:57.280
So, you know, I had some of those like reality checks along the way.
00:21:01.440
You know, we tend to think of things as is this moral, you know, is this ethical, especially
00:21:06.640
as journalists, you know, we kind of sit on our high horse sometimes and write about a
00:21:12.000
lot of things that seem to push the moral bounds.
00:21:15.600
But in this market, which is essentially an underground market that, you know, the one
00:21:20.640
rule is like Fight Club, you know, no one's going to do that.
00:21:22.960
No one talks about Fight Club.
00:21:24.240
First rule of the zero day market, nobody talks about the zero day market, on both sides,
00:21:28.960
because the hacker doesn't want to lose their $2.5 million bounty and governments roll
00:21:34.960
these into classified programs and they don't want anyone to know what they have.
00:21:38.880
So no one talks about this thing.
00:21:41.040
And when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
00:21:46.480
Can I, as a small tangent, ask you by way of advice, you must have done some incredible interviews.
00:21:55.440
And you've also spoken about how seriously you take protecting your sources.
00:22:01.360
If you were to give me advice for interviewing when you're recording on mic with a video camera,
00:22:10.080
how is it possible to get into this world?
00:22:12.880
Like, is it basically impossible?
00:22:15.840
So you've spoken with a few people.
00:22:18.960
What is it, like the godfather of cyber war, cyber security?
00:22:23.040
So people that are already out.
00:22:25.120
And they still have to be pretty brave to speak publicly.
00:22:29.600
But is it virtually impossible to really talk to anybody who's a current hacker?
00:22:34.480
You're always like 10, 20 years behind.
00:22:37.520
It's a good question.
00:22:38.640
And this is why I'm a print journalist.
00:22:40.400
But when I've seen people do it, it's always the guy who's behind the shadows,
00:22:49.040
whose voice has been altered.
00:22:51.600
When they've gotten someone on camera, that's usually how they do it.
00:22:56.720
Very, very few people talk in this space.
00:22:58.800
And there's actually a pretty well known case study in why you don't talk publicly in this space
00:23:04.240
and you don't get photographed.
00:23:05.920
And that's the Grugq.
00:23:06.720
So, you know, the Grugq is or was this zero day broker, South African guy who lives in Thailand.
00:23:15.120
And right when I was starting on this subject at the New York Times,
00:23:20.160
he'd given an interview to Forbes and he talked about being a zero day broker.
00:23:25.440
And he even posed next to this giant duffel bag filled with cash, ostensibly.
00:23:31.680
And later he would say he was speaking off the record.
00:23:35.280
He didn't understand the rules of the game.
00:23:38.000
But what I heard from people who did business with him was that the minute that that story
00:23:42.560
came out, he became PNG'd.
00:23:45.280
No one did business with him.
00:23:47.440
His business plummeted by at least half.
00:23:50.000
No one wants to do business with anyone who's going to get on camera
00:23:53.680
and talk about how they're selling zero days to governments.
00:23:58.080
It puts you in danger.
00:23:59.600
And I did hear that he got some visits from some security folks.
00:24:03.200
And, you know, that's another thing for these people to consider.
00:24:05.440
You know, if they have those zero day exploits at their disposal,
00:24:11.600
they become a huge target for nation states all over the world.
00:24:17.280
You know, talk about having perfect opsec.
00:24:19.680
You know, you better have some perfect opsec if people know
00:24:23.520
that you have access to those zero day exploits.
00:24:26.880
Which sucks because, I mean, transparency here
00:24:31.680
would be really powerful for educating the world and also inspiring other engineers to do good.
00:24:37.920
It just feels like when you operate in the shadows, it doesn't help us move in the positive
00:24:44.080
direction in terms of like getting more people on the defense side versus on the attack side.
00:24:48.640
Right.
00:24:49.120
But of course, what can you do?
00:24:50.400
I mean, the best you can possibly do is have great journalists just like you did interview
00:24:56.160
and write books about it and integrate the information you get while high.
00:25:00.400
Yeah.
00:25:02.000
And I think, you know, what HackerOne has told me was, okay, let's just put away the people that
00:25:07.920
are finding and developing zero day exploits all day long.
00:25:12.160
Let's put that aside.
00:25:13.520
What about the, you know, however many millions of programmers all over the world who've never
00:25:19.200
even heard of a zero day exploit?
00:25:21.360
Why not tap into them and say, hey, we'll start paying you if you can find a bug in
00:25:27.920
United Airlines software or in Schneider Electric or in Ford or Tesla.
00:25:34.400
And I think that is a really smart approach.
00:25:37.680
Let's go find this untapped army of programmers to neutralize these bugs before the people
00:25:44.480
who will continue to sell these to governments can find them and exploit them.
00:25:48.400
Okay.
00:25:48.880
I have to ask you about this from a personal side. It's funny enough, after we agreed to
00:25:55.120
talk, for the first time in my life I was a victim of a cyber attack.
00:26:01.040
So this is ransomware, it's called Deadbolt.
00:26:05.600
People can look it up.
00:26:07.040
I have a QNAP device for basically kind of cold-ish storage.
00:26:12.640
So it's about 60 terabytes with 50 terabytes of data on it in RAID 5 and apparently about
00:26:20.800
4,000 to 5,000 QNAP devices were hacked and taken over with this ransomware.
00:26:27.680
And what the ransomware does there is it goes file by file through almost all the files on the QNAP
00:26:34.880
storage device and encrypts them.
00:26:37.600
And then there's this very eloquently and politely written page that pops up.
00:26:43.600
It describes what happened.
00:26:45.440
All your files have been encrypted.
00:26:47.440
This includes, but is not limited to, photos, documents and spreadsheets.
00:26:51.040
Why me?
00:26:53.040
A lot of people commented about how friendly and eloquent this is.
00:26:58.000
And I have to commend them, it is, and it's pretty user friendly.
00:27:03.200
Why me?
00:27:04.000
This is not a personal attack.
00:27:05.520
You have been targeted because of the inadequate security provided by your vendor, QNAP.
00:27:12.560
What now?
00:27:13.760
You can make a payment of exactly 0.03 Bitcoin, which is about $1,000, to the following address.
00:27:20.640
Once the payment has been made, we'll follow up with a transaction to the same address, blah,
00:27:25.760
blah, blah, they give you instructions of what happens next and they'll give you a
00:27:29.760
decryption key that you can then use.
00:27:32.160
And then there's another message for QNAP that says all your affected customers have
00:27:37.840
been targeted using a zero day vulnerability in your product.
00:27:41.280
We offer you two options to mitigate this and future damage.
00:27:45.600
One, make a Bitcoin payment of five Bitcoin to the following address and that will reveal
00:27:52.240
to QNAP the, I'm summarizing things here, what the actual vulnerability is, or you can
00:27:58.320
make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers.
00:28:04.480
50 Bitcoin is about $1.8 million.
00:28:07.600
Okay.
link |
00:28:09.600
So, first of all, on a personal level, this one hurt for me.
link |
00:28:17.040
I mean, I learned a lot because I wasn't, for the most part, backing up much of that
link |
00:28:26.520
data because I thought I can afford to lose that data.
link |
00:28:31.160
It's not horrible.
link |
00:28:32.160
I mean, I think you've spoken about the crown jewels, making sure there's things you really
link |
00:28:37.480
protect.
link |
00:28:38.480
I mean, I am very conscious security wise on the crown jewels, but there's a bunch
link |
00:28:45.920
of stuff like, you know, personal videos, they're not like, I don't know anything creepy, but
link |
00:28:51.000
just like fun things I did that because they're very large or 4K or something like that, I
link |
00:28:56.200
kept them on there, thinking RAID 5 will protect it.
link |
00:29:00.040
Just I lost a bunch of stuff, including raw footage from interviews and all that kind
link |
00:29:06.600
of stuff.
link |
00:29:08.400
So it's painful.
link |
00:29:09.640
And I'm sure there's a lot of painful stuff like that for the 4,000 to 5,000 people that
link |
00:29:13.800
use QNAP.
link |
00:29:14.800
And there's a lot of interesting ethical questions here.
link |
00:29:18.480
Do you pay them?
link |
00:29:20.800
Does QNAP pay them?
link |
00:29:23.360
Do the individuals pay them?
link |
00:29:25.680
Especially when you don't know if it's going to work or not.
link |
00:29:29.080
Do you wait?
link |
00:29:30.080
So, QNAP said, please don't pay them.
link |
00:29:36.160
We're working very hard day and night to solve this.
link |
00:29:42.120
It's so philosophically interesting to me because I also project onto them thinking,
link |
00:29:46.680
what is their motivation?
link |
00:29:48.440
Because the way they phrase that on purpose, perhaps, but I'm not sure if that actually
link |
00:29:52.960
reflects their real motivation is maybe they're trying to help themselves sleep at night, basically
link |
00:29:59.600
saying this is not about you.
link |
00:30:01.360
This is about the company with the vulnerabilities.
link |
00:30:04.480
Just like you mentioned, this is the justification they have, but they're hurting real people.
link |
00:30:09.600
They hurt me, but I'm sure there's a few others that are really hurt.
link |
00:30:14.800
And the zero day factor is a big one.
link |
00:30:18.880
So QNAP right now is trying to figure out what the hell is wrong with their system that
link |
00:30:23.920
would let this in.
link |
00:30:26.000
And even if they pay, if they still don't know where the zero day is, what's to say
link |
00:30:31.320
that they won't just hit them again and hit you again.
link |
00:30:34.320
So that really complicates things and that is a huge advancement for ransomware.
link |
00:30:41.000
It's really only been, I think, in the last 18 months that we've ever really seen ransomware
link |
00:30:46.280
exploit zero days to pull these off.
link |
00:30:49.640
Usually 80% of them, I think the data shows 80% of them come down to a lack of two factor
link |
00:30:56.680
authentication.
link |
00:30:57.680
So when someone gets hit by a ransomware attack, they don't have two factor authentication
link |
00:31:03.000
on, their employees were using stupid passwords.
link |
00:31:07.680
You can mitigate that in the future.
link |
00:31:09.800
This one, they don't know.
link |
00:31:10.800
They probably don't know.
link |
00:31:11.800
Yeah.
link |
00:31:12.800
And it was, I guess it's zero click because I didn't have to do anything.
link |
00:31:16.240
The only thing, well, here's the thing.
link |
00:31:21.760
I did basics of putting it behind a firewall, I followed instructions, but I didn't really
link |
00:31:29.600
pay attention.
link |
00:31:30.600
So maybe there's a misconfiguration of some sort that's easy to make.
link |
00:31:36.400
It's difficult.
link |
00:31:37.400
We have a personal NAS, so I'm not willing to say that I did everything I possibly could,
link |
00:31:47.440
but I did a lot of reasonable stuff and they still hit it with zero clicks.
link |
00:31:51.480
I didn't have to do anything.
link |
00:31:52.480
Yeah.
link |
00:31:53.480
Well, it's like a zero day and it's a supply chain attack.
link |
00:31:57.160
You're getting hit from your supplier.
link |
00:31:59.680
You're getting hit because of your vendor.
link |
00:32:01.800
And it's also a new thing for ransomware groups to go to the individuals to pressure them
link |
00:32:07.160
to pay it.
link |
00:32:08.160
There was this really interesting case, I think it was in Norway where there was a mental
link |
00:32:13.160
health clinic that got hit and the cyber criminals were going to the patients themselves to
link |
00:32:20.280
say, pay this or we're going to release your psychiatric records, I mean, talk about hell.
link |
00:32:28.240
In terms of whether to pay, that is on the cheaper end of the spectrum.
link |
00:32:33.800
From the individual or from the company?
link |
00:32:35.960
Both.
link |
00:32:36.960
We've seen, for instance, there was an Apple supplier in Taiwan, they got hit and the ransom
link |
00:32:44.840
demand was 50 million.
link |
00:32:47.360
I'm surprised it's only 1.8 million.
link |
00:32:49.440
I'm sure it's going to go up.
link |
00:32:52.320
And it's hard.
link |
00:32:53.320
There's obviously governments and maybe in this case, the company are going to tell you
link |
00:32:58.200
we recommend you don't pay or please don't pay.
link |
00:33:02.560
But the reality on the ground is that some businesses can't operate, some countries
link |
00:33:08.600
can't function.
link |
00:33:09.600
I mean, the under reported storyline of Colonial Pipeline was after the company got hit and
link |
00:33:19.400
took the preemptive step of shutting down the pipeline because their billing systems
link |
00:33:23.600
were frozen, they couldn't charge customers downstream.
link |
00:33:27.680
My colleague David Sanger and I got our hands on a classified assessment that said that
link |
00:33:33.800
as a country, we could have only afforded two to three more days of Colonial Pipeline
link |
00:33:39.400
being down.
link |
00:33:40.400
And it was really interesting.
link |
00:33:42.080
I thought it was the gas and the jet fuel, but it wasn't.
link |
00:33:45.720
We were sort of prepared for that.
link |
00:33:47.560
It was the diesel.
link |
00:33:49.400
Without the diesel, the refineries couldn't function and it would have totally screwed
link |
00:33:53.800
up the economy.
link |
00:33:54.960
And so there was almost this like national security, economic impetus for them to pay
link |
00:34:03.120
this ransom.
link |
00:34:04.120
And the other one I always think about is Baltimore.
link |
00:34:06.560
You know, when the city of Baltimore got hit, I think the initial ransom demand was
link |
00:34:11.480
something around 76,000.
link |
00:34:13.880
It may have even started smaller than that.
link |
00:34:17.120
And Baltimore stood its ground and didn't pay, but ultimately the cost to remediate
link |
00:34:22.920
was $18 million.
link |
00:34:25.160
It's a lot for the city of Baltimore.
link |
00:34:26.840
That's money that could have gone to public school education and roads and public health.
link |
00:34:32.800
And instead, it just went to rebuilding the systems from scratch.
link |
00:34:36.360
And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000?
link |
00:34:43.640
So it's not obvious.
link |
00:34:46.280
It's easy to say, don't pay, because why you're funding their R&D for the next go round?
link |
00:34:52.200
But it's too often, it's too complicated.
link |
00:34:57.040
So on the individual level, just like the way I feel personally from this attack, have
link |
00:35:03.400
you talked to people that were kind of victims in the same way I was, but maybe more dramatic
link |
00:35:07.480
ways or so on, in the same way that violence hurts people?
link |
00:35:13.360
How much has this hurt people in your sense and the way you researched it?
link |
00:35:16.720
The worst ransomware attack I've covered on a personal level was an attack on a hospital
link |
00:35:26.160
in Vermont.
link |
00:35:28.440
And you think of this as like, okay, it's hitting their IT networks.
link |
00:35:31.800
They should still be able to treat patients.
link |
00:35:34.840
But it turns out that cancer patients couldn't get their chemo anymore, because the protocol
link |
00:35:40.640
of who gets what is very complicated and without it, nurses and doctors couldn't access it.
link |
00:35:46.680
So they were turning chemo patients away, cancer patients away.
link |
00:35:52.440
One nurse told us, I don't know why people aren't screaming about this, that the only
link |
00:35:57.880
thing I've seen that even compares to what we're seeing at this hospital right now was
link |
00:36:02.240
when I worked in the burn unit after the Boston Marathon bombing.
link |
00:36:07.000
They really put it in these super dramatic terms.
link |
00:36:10.800
And last year, there was a report in the Wall Street Journal where they attributed an infant
link |
00:36:17.440
death to a ransomware attack because a mom came in and whatever device they were using
link |
00:36:26.360
to monitor the fetus wasn't working because of the ransomware attack.
link |
00:36:30.760
And so they attributed this infant death to the ransomware attack.
link |
00:36:34.720
Now on a bigger scale, but less personal, when there was the NotPetya attack.
link |
00:36:41.400
So this was an attack by Russia on Ukraine that came at them through a supplier attack,
link |
00:36:50.520
a software company in that case that didn't just hit any government agency or business
link |
00:36:57.200
in Ukraine that use this tax software, it actually hit any business all over the world
link |
00:37:02.560
that had even a single employee working remotely in Ukraine.
link |
00:37:07.440
So it hit Maersk, the shipping company, but hit Pfizer, hit FedEx, but the one I will
link |
00:37:12.400
never forget is Merck.
link |
00:37:14.840
It paralyzed Merck's factories.
link |
00:37:17.680
I mean, it really created an existential crisis for the company.
link |
00:37:22.040
Merck had to tap into the CDC's emergency supplies of the Gardasil vaccine that year
link |
00:37:27.680
because their whole vaccine production line had been paralyzed in that attack.
link |
00:37:32.080
Imagine if that was going to happen right now to Pfizer or Moderna or Johnson and Johnson,
link |
00:37:39.520
you know, imagine, I mean, that would really create a global cyber terrorist attack essentially.
link |
00:37:47.320
And that's almost unintentional.
link |
00:37:49.280
I thought for a long time, I always labeled it as collateral damage, but actually just
link |
00:37:56.400
today, there was a really impressive threat researcher at Cisco, which has the threat
link |
00:38:03.600
intelligence division called Talos, who said, stop calling it collateral damage.
link |
00:38:09.040
They could see who was going to get hit before they deployed that malware.
link |
00:38:15.740
It wasn't collateral damage.
link |
00:38:18.000
It was intentional.
link |
00:38:19.160
They meant to hit any business that did business with Ukraine.
link |
00:38:23.280
It was to send a message to them, too.
link |
00:38:26.380
So I don't know if that's accurate.
link |
00:38:28.640
I always thought of it as sort of the sloppy collateral damage, but it definitely made
link |
00:38:33.240
me think.
link |
00:38:34.880
So how much of this between states is going to be a part of war, these kinds of attacks
link |
00:38:42.880
on Ukraine, between Russia and US, Russia and China, China and US?
link |
00:38:51.200
Let's look at China and US.
link |
00:38:53.320
Do you think China and US are going to escalate something that would be called a war purely
link |
00:39:01.640
in the space of cyber?
link |
00:39:04.200
I believe any geopolitical conflict from now on is guaranteed to have some cyber element
link |
00:39:15.640
to it.
link |
00:39:17.320
The Department of Justice recently declassified a report that said China's been hacking into
link |
00:39:21.880
our pipelines, and it's not for intellectual property theft.
link |
00:39:25.400
It's to get a foothold so that if things escalate in Taiwan, for example, they are where they
link |
00:39:31.120
need to be to shut our pipelines down, and we just got a little glimpse of what that
link |
00:39:35.340
looked like with Colonial Pipeline and the panic buying and the jet fuel shortages and
link |
00:39:41.040
that assessment I just mentioned about the diesel.
link |
00:39:44.680
So they're there.
link |
00:39:47.240
They've gotten there.
link |
00:39:49.400
Anytime I read a report about new aggression from Chinese fighter jets in Taiwan, or what's
link |
00:39:58.000
happening right now with Russia's buildup on the Ukraine border, or India, Pakistan,
link |
00:40:04.560
I'm always looking at it through a cyber lens, and it really bothers me that other people
link |
00:40:09.880
aren't because there is no way that these governments and these nation states are not
link |
00:40:17.360
going to use their access to gain some advantage in those conflicts.
link |
00:40:24.240
And I'm now in a position where I'm an advisor to the Cybersecurity and Infrastructure Security
link |
00:40:32.080
Agency at DHS, so I'm not saying anything classified here, but I just think that it's
link |
00:40:39.920
really important to understand just generally what the collateral damage could be for American
link |
00:40:47.680
businesses and critical infrastructure in any of these escalated conflicts around the
link |
00:40:53.000
world, because just generally, our adversaries have learned that they might never be able
link |
00:41:01.680
to match us in terms of our traditional military spending on traditional weapons and fighter
link |
00:41:06.640
jets.
link |
00:41:08.320
But we have a very soft underbelly when it comes to cyber.
link |
00:41:13.040
80% or more of America's critical infrastructure, so pipelines, power grid, nuclear plants,
link |
00:41:22.000
water systems, is owned and operated by the private sector.
link |
00:41:26.960
And for the most part, there is nothing out there legislating that those companies share
link |
00:41:34.080
the fact they've been breached, they don't even have to tell the government they've
link |
00:41:37.400
been hit.
link |
00:41:38.880
There's nothing mandating that they even meet a bare minimum standard of cybersecurity.
link |
00:41:45.080
And that's it.
link |
00:41:46.800
So even when there are these attacks, most of the time, we don't even know about it.
link |
00:41:51.440
So that is, if you were going to design a system to be as blind and vulnerable as possible,
link |
00:41:58.040
that is pretty good.
link |
00:42:00.800
That's what it looks like is what we have here in the United States.
link |
00:42:04.920
And everyone here is just operating like, let's just keep hooking up everything for
link |
00:42:10.800
convenience, software eats the world.
link |
00:42:15.080
Let's just keep going for cost, for convenience sake, just because we can.
link |
00:42:21.080
And when you study these issues and you study these attacks and you study the advancement
link |
00:42:26.880
and the uptick in frequency and the lower barrier to entry that we see every single
link |
00:42:33.960
year, you realize just how dumb software eats the world is.
link |
00:42:40.000
And no one has ever stopped to pause and think, should we be hooking up these systems to the
link |
00:42:45.480
internet?
link |
00:42:46.480
They've just been saying, can we, let's do it.
link |
00:42:51.400
And that's a real problem.
link |
00:42:52.600
And just in the last year, you know, we've seen a record number of zero day attacks.
link |
00:42:56.640
I think there were 80 last year, which is probably more than double what it was in 2019.
link |
00:43:03.160
A lot of those were nation states, you know, we live in a world with a lot of geopolitical
link |
00:43:09.680
hot points right now.
link |
00:43:12.080
And where those geopolitical hot points are, are places where countries have been investing
link |
00:43:18.320
heavily in offensive cyber tools.
link |
00:43:21.880
If you're a nation state, the goal would be to maximize the footprint of zero day, like
link |
00:43:30.040
super secret zero day that nobody's aware of, that whenever war is initiated, the huge
link |
00:43:36.560
negative effects of shutting down infrastructure or any kind of zero day is the chaos it creates.
link |
00:43:42.080
So there's a certain threshold when you create the chaos, the markets plummet,
link |
00:43:46.640
everything just goes to hell.
link |
00:43:49.480
So it's not just zero days, you know, we make it so easy for threat actors.
link |
00:43:56.640
I mean, we're not using two factor authentication, we're not patching.
link |
00:44:02.840
There was the Shellshock vulnerability that was discovered a couple years ago.
link |
00:44:08.360
It's still being exploited because so many people haven't fixed it.
link |
00:44:14.040
So you know, the zero days are really the sexy stuff.
link |
00:44:17.160
And what really drew me to the zero day market was the moral calculus we talked about.
link |
00:44:24.080
Really from the US government's point of view, how do they justify leaving these systems
link |
00:44:30.400
so vulnerable when we use them here and we're baking more of our critical infrastructure
link |
00:44:36.520
with this vulnerable software?
link |
00:44:38.720
It's not like we're using one set of technology and Russia is using another and China is using
link |
00:44:43.560
this, we're all using the same technology.
link |
00:44:46.040
So when you find a zero day in Windows, you're not just leaving it open so you can spy on
link |
00:44:51.760
Russia or implant yourself in the Russian grid, you're leaving Americans vulnerable too.
link |
00:44:57.720
But you know, but zero days are like, that is the secret sauce, you know, that's the
link |
00:45:03.400
superpower.
link |
00:45:04.400
You know, and I always say like every country now with the exception of Antarctica, someone
link |
00:45:09.640
added the Vatican to my list is trying to find offensive hacking tools and zero days to make
link |
00:45:16.960
them work.
link |
00:45:17.960
And those that don't have the skills now have this market that they can tap into where,
link |
00:45:23.680
you know, $2.5 million, that's chump change for a lot of these nation states.
link |
00:45:28.200
It's a hell of a lot less than trying to build the next fighter jet.
link |
00:45:32.080
But yeah, the goal is chaos.
link |
00:45:34.440
I mean, why did Russia turn off the lights twice in Ukraine?
link |
00:45:39.120
You know, I think part of it is chaos, I think part of it is to sow the seeds of doubt in
link |
00:45:46.280
their current government, your government can't even keep your lights on.
link |
00:45:50.480
Why are you sticking with them, you know, come over here and we'll keep your lights
link |
00:45:55.040
on at least, you know, there's like a little bit of that.
link |
00:45:58.720
Nuclear weapons seems to have helped prevent nuclear war.
link |
00:46:04.760
Is it possible that we have so many vulnerabilities and so many attack vectors on each other that
link |
00:46:11.480
it will kind of achieve the same kind of equilibrium like mutually assured destruction?
link |
00:46:17.200
Yeah, that's one hopeful solution to this.
link |
00:46:20.520
Do you have any hope for this particular solution?
link |
00:46:23.800
You know, nuclear analogies always tend to fall apart when it comes to cyber, mainly
link |
00:46:27.920
because you don't need fissile material, you know, you just need a laptop and the skills
link |
00:46:33.160
and you're in the game.
link |
00:46:34.660
So it's a really low barrier to entry.
link |
00:46:38.240
The other thing is attribution's harder and we've seen countries muck around with attribution.
link |
00:46:44.440
We've seen, you know, nation states piggyback on other countries' operations and just
link |
00:46:49.560
sit there and siphon out whatever they're getting.
link |
00:46:53.400
We learned some of that from the Snowden documents.
link |
00:46:56.320
We've seen Russia hack into Iran's command and control attack servers.
link |
00:47:01.480
We've seen them hit a Saudi petrochemical plant where they did neutralize the safety locks
link |
00:47:07.560
at the plant and everyone assumed that it was Iran, given Iran had been targeting Saudi
link |
00:47:11.920
oil companies forever, but nope, it turned out that it was a graduate research institute
link |
00:47:16.760
outside Moscow.
link |
00:47:17.840
So you see countries kind of playing around with attribution.
link |
00:47:21.160
Why?
link |
00:47:22.160
I think because they think, okay, if I do this, like how am I going to cover up that
link |
00:47:26.800
it came from me because I don't want to risk the response?
link |
00:47:30.960
So people are sort of dancing around this.
link |
00:47:33.200
It's just in a very different way.
link |
00:47:35.360
And, you know, at the Times I'd covered the Chinese hacks of infrastructure companies
link |
00:47:41.560
like pipelines.
link |
00:47:42.560
I'd covered the Russian probes of nuclear plants.
link |
00:47:46.000
I'd covered the Russian attacks on the Ukraine grid.
link |
00:47:50.200
And then in 2018, my colleague David Sanger and I covered the fact that U.S. Cyber Command
link |
00:47:57.120
had been hacking into the Russian grid and making a pretty loud show of it.
link |
00:48:02.440
And when we went to the National Security Council, because that's what journalists do
link |
00:48:06.560
before they publish a story, they give the other side a chance to respond, I assumed
link |
00:48:12.200
we would be in for that really awkward, painful conversation where they would say, you will
link |
00:48:17.400
have blood on your hands if you publish this story.
link |
00:48:20.400
And instead they gave us the opposite answer.
link |
00:48:23.040
They said, we have no problem with you publishing this story.
link |
00:48:27.160
Why?
link |
00:48:28.160
Well, they didn't say it out loud, but it was pretty obvious they wanted Russia to
link |
00:48:32.320
know that we're hacking into their power grid too, and they better think twice before
link |
00:48:37.320
they do to us what they had done to Ukraine.
link |
00:48:40.280
So yeah, you know, we have stumbled into this new era of mutually assured digital destruction.
link |
00:48:47.720
I think another sort of quasi norm we've stumbled into is proportional responses.
link |
00:48:57.000
You know, there's this idea that if you get hit, you're allowed to respond proportionally
link |
00:49:03.440
at a time and place of your choosing.
link |
00:49:05.440
You know, that is how the language always goes.
link |
00:49:08.600
That's what Obama said after North Korea hit Sony.
link |
00:49:12.960
We will respond at a time and place of our choosing.
link |
00:49:17.080
But no one really knows, like, what that response looks like.
link |
00:49:21.240
And so what you see a lot of the time are just these, like, just short of war attacks.
link |
00:49:27.240
You know, Russia turned off the power in Ukraine, but it wasn't like it stayed off for a week.
link |
00:49:31.480
You know, it stayed off for a number of hours.
link |
00:49:34.880
You know, NotPetya hit those companies pretty hard, but no one died.
link |
00:49:41.000
You know, and the question is, what's going to happen when someone dies?
link |
00:49:45.120
And can a nation state masquerade as a cyber criminal group, as a ransomware group?
link |
00:49:51.840
And that's what really complicates coming to some sort of Digital Geneva Convention.
link |
00:49:56.600
Like, there's been, there's been a push from Brad Smith at Microsoft.
link |
00:50:01.240
We need a Digital Geneva Convention.
link |
00:50:04.120
And on its face, it sounds like a no brainer.
link |
00:50:06.440
Yeah.
link |
00:50:07.440
Why wouldn't we all agree to stop hacking into each other's civilian hospital systems,
link |
00:50:11.520
power grid, pipelines, but when you talk to people in the West, officials in the West,
link |
00:50:20.640
they'll say, we would never, we'd love to agree to it, but we never do it when you're
link |
00:50:25.840
dealing with Xi or Putin or Kim Jong Un, because a lot of times they outsource these
link |
00:50:34.400
operations to cyber criminals.
link |
00:50:37.160
In China, we see a lot of these attacks come from this loose satellite network of private
link |
00:50:42.360
citizens that work at the behest of the Ministry of State Security.
link |
00:50:46.800
So how do you come to some sort of state to state agreement when you're dealing with
link |
00:50:54.120
transnational actors and cyber criminals, where it's really hard to pin down whether
link |
00:50:59.360
that person was acting alone or whether they were acting at the behest of the MSS or the
link |
00:51:05.320
FSB?
link |
00:51:06.920
And a couple of years ago, I can't remember if it was before or after NotPetya, but
link |
00:51:11.920
Putin said, hackers are like artists who wake up in the morning in a good mood and start
link |
00:51:16.880
painting.
link |
00:51:17.880
In other words, I have no say over what they do or don't do.
link |
00:51:21.520
So how do you come to some kind of norm when that's how he's talking about these issues
link |
00:51:26.800
and he's just decimated Merck and Pfizer and however many thousand companies?
link |
00:51:34.320
That is the fundamental difference between nuclear weapons and cyber attacks is the attribution
link |
00:51:40.240
or one of the fundamental differences.
link |
00:51:42.240
If you can fix one thing in the world in terms of cyber security that would make the world
link |
00:51:48.000
a better place, what would you fix?
link |
00:51:51.160
So you're not allowed to fix authoritarian regimes and you have to keep that.
link |
00:51:57.960
You have to keep human nature as it is.
link |
00:52:00.640
In terms of on the security side, technologically speaking, you mentioned there's no regulation
link |
00:52:06.400
on companies in the United States.
link |
00:52:10.400
What if you could just fix with the snap of a finger, what would you fix?
link |
00:52:15.760
Two factor authentication, multifactor authentication.
link |
00:52:21.200
It's ridiculous how many of these attacks come in because someone didn't turn on multifactor
link |
00:52:26.760
authentication.
link |
00:52:27.760
I mean, Colonial Pipeline, okay, they took down the biggest conduit for gas, jet fuel
link |
00:52:35.320
and diesel to the east coast of the United States of America, how?
link |
00:52:39.460
Because they forgot to deactivate an old employee account whose password had been traded on
link |
00:52:43.600
the dark web and they'd never turned on two factor authentication.
link |
00:52:48.120
This water treatment facility outside Florida was hacked last year.
link |
00:52:51.840
How did it happen?
link |
00:52:53.280
They were using Windows XP from like a decade ago that can't even get patches if you want
link |
00:52:58.400
it to and they didn't have two factor authentication.
link |
00:53:01.920
Time and time again, if they just switched on two factor authentication, some of these
link |
00:53:07.080
attacks wouldn't have been possible.
link |
00:53:08.400
Now, if I could snap my fingers, that's a thing I would do right now.
link |
00:53:11.880
But of course, this is a cat and mouse game and then the attackers onto the next thing.
link |
00:53:17.640
But I think right now, that is like bar none, that is the easiest, simplest way to deflect
link |
00:53:25.160
the most attacks and the name of the game right now isn't perfect security.
link |
00:53:30.120
Perfect security is impossible.
link |
00:53:32.280
They will always find a way in.
link |
00:53:34.360
The name of the game right now is make yourself a little bit harder to attack than your competitor
link |
00:53:39.960
or than anyone else out there so that they just give up and move along.
link |
00:53:45.040
Maybe if you are a target for an advanced nation state or the SVR, you're going to get
link |
00:53:51.960
hacked no matter what, but you can make cyber criminal groups deadbolt, is it?
link |
00:53:57.800
You can make their jobs a lot harder simply by doing the bare basics.
link |
00:54:03.480
And the other thing is stop reusing your passwords, but if I only get one, then two factor authentication.
link |
00:54:08.120
So what is two factor authentication?
link |
00:54:10.720
Factor one is what logging in with a password, and factor two is like have another device
link |
00:54:15.800
or another channel through which you can confirm, yeah, that's me.
link |
00:54:19.640
Yes.
link |
00:54:20.640
You know, usually this happens through some kind of text, you know, you get your one time
link |
00:54:24.640
code from Bank of America or from Google, and the better way to do it is spend $20 buying
link |
00:54:31.640
yourself a FIDO key on Amazon.
link |
00:54:34.360
That's a hardware device.
link |
00:54:36.200
And if you don't have that hardware device with you, then you're not going to get in.
link |
00:54:41.440
And the whole goal is, I mean, basically, you know, my first half of my decade at the
link |
00:54:45.600
Times was spent covering like the copy.
link |
00:54:48.600
It was like Home Depot got breached, News at 11, you know, Target, Neiman Marcus,
link |
00:54:54.480
like who wasn't hacked over the course of those five years.
link |
00:54:58.560
And a lot of those companies that got hacked, what did hackers take?
link |
00:55:02.200
They took the credentials.
link |
00:55:03.760
They took the passwords.
link |
00:55:05.560
They can make a pretty penny selling them on the dark web and people reuse their passwords.
link |
00:55:11.600
So you get one from, you know, God knows who, I don't know, LastPass, the worst case example
link |
00:55:17.920
actually LastPass, but you get one and then you go test it on their email account and
link |
00:55:23.480
you go test it on their brokerage account and you test it on their cold storage account.
link |
00:55:27.920
Yeah.
link |
00:55:28.920
You know, that's how it works.
link |
00:55:29.920
But if you have multi factor authentication, then they can't get in because they might
link |
00:55:35.160
have your password, but they don't have your phone.
link |
00:55:38.040
They don't have your FIDO key, you know, and so you keep them out.
link |
00:55:43.120
And you know, I get a lot of alerts that tell me someone is trying to get into your Instagram
link |
00:55:49.200
account or your Twitter account or your email account and I don't worry because I use multi
link |
00:55:54.480
factor authentication.
link |
00:55:55.480
They can try all day.
link |
00:55:57.480
Okay.
link |
00:55:58.480
I worry a little bit, but, you know, it's the simplest thing to do and we don't even
link |
00:56:04.280
do it.
link |
00:56:05.280
Well, there's an interface aspect to it because it's pretty annoying if it's implemented poorly.
link |
00:56:09.960
Yeah.
link |
00:56:10.960
So, so actually bad implementation of two factor authentication, not just bad, but just something
link |
00:56:17.800
that adds friction is a security vulnerability, I guess, because it's really annoying.
link |
00:56:23.000
Like, I think MIT for a while had two factor authentication, it was really annoying.
link |
00:56:28.560
I just, like, the number of times it pings you, it asks
link |
00:56:36.160
to reauthenticate across multiple subdomains, like, it just feels like a pain.
link |
00:56:42.720
I don't know what the right balance there.
link |
00:56:44.280
Yeah.
link |
00:56:45.280
It feels like friction in our frictionless society, it feels like friction, it's annoying.
link |
00:56:51.240
That's security's biggest problem.
link |
00:56:53.040
It's annoying.
link |
00:56:54.040
You know, we need the Steve Jobs of security to come along and we need to make it painless.
link |
00:57:00.000
And actually, you know, on that point, Apple has probably done more for security than anyone
link |
00:57:06.880
else simply by introducing biometric authentication first with the fingerprint and then with Face
link |
00:57:12.760
ID.
link |
00:57:13.760
And it's not perfect, but, you know, if you think just eight years ago, everyone was running
link |
00:57:18.040
around with either no passcode and optional passcode or four digit passcode on their phone
link |
00:57:23.480
that anyone, you know, think of what you can get when you get someone's iPhone, if you
link |
00:57:27.480
steal someone's iPhone and, you know, props to them for introducing the fingerprint and
link |
00:57:32.800
Face ID.
link |
00:57:33.800
And again, it wasn't perfect, but it was a huge step forward.
link |
00:57:37.040
Now it's time to make another huge step forward.
link |
00:57:41.080
I want to see the password die.
link |
00:57:42.760
I mean, it's gotten us as far as it was ever going to get us.
link |
00:57:47.040
And I hope whatever we come up with next is not going to be annoying, is going to be seamless.
link |
00:57:52.480
When I was at Google, that's what we worked on is, and there's a lot of ways to call it
link |
00:57:56.920
active authentication, passive authentication.
link |
00:57:59.960
So basically you use biometric data, not just like a fingerprint, but everything from your
link |
00:58:05.000
body to identify who you are.
link |
00:58:07.280
Like movement patterns, so it basically creates a lot of layers of protection where it's very
link |
00:58:14.240
difficult to fake, including like face unlock, checking that it's your actual face, like
link |
00:58:21.480
the liveness tests.
link |
00:58:23.120
So like from video, so unlocking it with video, voice, the way you move the phone, the way
link |
00:58:31.160
you take it out of the pocket, that kind of thing.
link |
00:58:33.440
All of those factors, it's a really hard problem though.
link |
00:58:37.600
And ultimately, it's very difficult to beat the password to have a security.
link |
00:58:43.360
Well, there's a company that I actually will call out and that's Abnormal Security.
link |
00:58:48.280
So they work on email attacks.
link |
00:58:51.880
And it was started by a couple guys who were doing, I think, ad tech at Twitter.
link |
00:58:59.440
So you know, ad technology now, like it's a joke how much they know about us, you know,
link |
00:59:04.040
you always hear the conspiracy theories that, you know, you saw someone's shoes and next
link |
00:59:08.480
thing you know, it's on your phone, it's amazing what they know about you.
link |
00:59:13.720
And they're basically taking that and they're applying it to attacks.
link |
00:59:19.760
So they're saying, okay, you know, if you're, this is what your email patterns are, it might
link |
00:59:25.160
be different for you and me because we're emailing strangers all the time.
link |
00:59:28.880
But for most people, their email patterns are pretty predictable.
link |
00:59:34.000
And if something strays from that pattern, that's abnormal.
link |
00:59:38.680
And they'll block it, they'll investigate it, you know, and that's great.
link |
00:59:43.600
You know, let's start using that kind of targeted ad technology to protect people.
link |
00:59:50.840
And yeah, I mean, it's not going to get us away from the password and using multi factor
link |
00:59:55.360
authentication, but you know, the technology is out there and we just have to figure out
link |
01:00:01.120
how to use it in a really seamless way because it doesn't matter if you have the perfect
link |
01:00:06.520
security solution if no one uses it.
link |
01:00:08.320
I mean, when I started at the times, when I was trying to be really good about protecting
link |
01:00:14.280
sources, I was trying to use PGP encryption and it's like, it didn't work, you know, the
link |
01:00:19.880
number of mistakes I would probably make just trying to email someone with PGP just wasn't
link |
01:00:25.880
worth it.
link |
01:00:27.480
And then Signal came along, and Signal and Wickr, you know, they made it
link |
01:00:32.840
a lot easier to send someone an encrypted text message.
link |
01:00:37.040
So we, we have to start investing in creative minds in good security design, you know, I
link |
01:00:45.560
really think that's the hack that's going to get us out of where we are today.
link |
01:00:50.160
What about social engineering?
link |
01:00:52.600
Do you worry about this sort of hacking people?
link |
01:00:56.480
Yes, I mean, this is the worst nightmare of every chief information security officer out
link |
01:01:03.560
there.
link |
01:01:04.560
You know, social engineering, we work from home now.
link |
01:01:10.040
I saw this, this woman posted online about how her husband, it went viral today, but
link |
01:01:16.920
it was her husband had this problem at work.
link |
01:01:20.040
They hired a guy named John and now the guy that shows up for work every day doesn't act
link |
01:01:26.640
like John.
link |
01:01:29.640
I mean, think about that.
link |
01:01:31.120
Like think about the potential for social engineering in that context.
link |
01:01:35.600
You know, you apply for a job and you put on a pretty face, you hire an actor or something
link |
01:01:40.360
and then you just get inside the organization and get access to all that organization's
link |
01:01:44.440
data.
link |
01:01:45.440
You know, a couple of years ago, Saudi Arabia planted spies inside Twitter, you know, why?
link |
01:01:52.400
Probably because they were trying to figure out who these people were, who were criticizing
link |
01:01:56.320
the regime on Twitter, you know, they couldn't do it with a hack from the outside.
link |
01:02:00.080
You know, why not plant people on the inside?
link |
01:02:02.760
And that's like the worst nightmare.
link |
01:02:04.640
And it also, unfortunately, creates all kinds of xenophobia at a lot of these organizations.
link |
01:02:11.280
I mean, if you're going to have to take that into consideration, then organizations are
link |
01:02:15.760
going to start looking really skeptically and suspiciously at someone who applies for
link |
01:02:20.480
that job from China.
link |
01:02:23.320
And we've seen that go really badly at places like the Department of Commerce where they
link |
01:02:29.120
basically accuse people of being spies that aren't spies.
link |
01:02:32.000
So it is the hardest problem to solve.
link |
01:02:35.680
And it's never been harder to solve than right at this very moment when there's so much pressure
link |
01:02:40.440
for companies to let people work remotely.
link |
01:02:44.000
That's actually why I'm single, I'm suspicious that China and Russia, every time I meet somebody,
link |
01:02:49.640
are trying to plant and get insider information, so I'm very, very suspicious.
link |
01:02:54.640
I keep putting the Turing test in front, no.
link |
01:02:57.960
No, I have a friend who worked inside NSA and was one of their top hackers.
link |
01:03:05.200
And he's like, every time I go to Russia, I get hit on by these 10s.
link |
01:03:10.920
And I come home, my friends are like, I'm sorry, you're not a 10, like the common story.
link |
01:03:16.880
I mean, it's difficult to trust humans in this day and age online, you know, because
link |
01:03:23.800
so we're working remotely, that's one thing, but just interacting with people on the internet.
link |
01:03:31.320
It sounds ridiculous, but, you know, because of this podcast in part, I've gotten to meet
link |
01:03:35.880
some incredible people, but it, you know, it makes you nervous to trust folks.
link |
01:03:43.440
And I don't know how to solve that problem.
link |
01:03:48.240
So I'm talking with Mark Zuckerberg, who dreams about creating the metaverse.
link |
01:03:55.680
What do you do about that world where more and more our lives is in the digital sphere?
link |
01:04:01.640
Like one way to phrase it is most of our meaningful experiences at some point will be online,
link |
01:04:12.240
like falling in love, getting a job, or experiencing a moment of happiness with a friend, with
link |
01:04:20.000
a new friend made online, all of those things, like more and more, the fun we do, the things
link |
01:04:25.800
that make us love life will happen online.
link |
01:04:29.200
And if those things have an avatar that's digital, that's like a way to hack into people's minds,
link |
01:04:35.960
whether it's with AI or kind of troll farms or something like that, I don't know if there's
link |
01:04:41.440
a way to protect against that.
link |
01:04:44.960
That might fundamentally rely on our faith in how good human nature is.
link |
01:04:52.000
So if most people are good, we're going to be okay.
link |
01:04:55.000
But if people will tend towards manipulation and a level of behavior in search of power,
link |
01:05:03.440
then we're screwed.
link |
01:05:05.640
So I don't know if you can comment on how to keep the metaverse secure.
link |
01:05:10.160
I mean, all I thought about when you were talking just now is my three year old son.
link |
01:05:19.920
He asked me the other day, what's the internet, mom?
link |
01:05:24.080
And I just almost wanted to cry.
link |
01:05:27.880
I don't want that for him.
link |
01:05:30.280
I don't want all of his most meaningful experiences to be online.
link |
01:05:34.240
By the time that happens, how do you know that person's human, that avatar is human?
link |
01:05:42.440
I believe in free speech.
link |
01:05:43.600
I don't believe in free speech for robots and bots.
link |
01:05:47.600
And look what just happened over the last six years.
link |
01:05:52.600
We had bots pretending to be Black Lives Matter activists just to sow some division or Texas
link |
01:06:00.520
secessionists or organizing anti Hillary protests or just to sow more division, tie us up in
link |
01:06:09.920
our own politics so that we're so paralyzed, we can't get anything done.
link |
01:06:15.760
We can't make any progress and we definitely can't handle our adversaries and their long
link |
01:06:20.480
term thinking.
link |
01:06:23.120
It really scares me and here's where I just come back to just because we can create the
link |
01:06:31.280
metaverse, just because it sounds like the next logical step in our digital revolution.
link |
01:06:39.920
Do I really want my child's most significant moments to be online?
link |
01:06:45.640
They weren't for me.
link |
01:06:48.080
So maybe I'm just stuck in that old school thinking or maybe I've seen too much.
link |
01:06:55.120
And I'm really sick of being the guinea pig parent generation for these things.
link |
01:07:01.720
I mean, it's hard enough with screen time, thinking about how to manage the metaverse
link |
01:07:08.560
as a parent to a young boy.
link |
01:07:11.640
I can't even let my head go there.
link |
01:07:13.840
That's so terrifying for me.
link |
01:07:16.640
But we've never stopped any new technology just because it introduces risks.
link |
01:07:24.120
We've always said, okay, the promise of this technology means we should keep going, keep
link |
01:07:30.360
pressing ahead.
link |
01:07:31.760
We just need to figure out new ways to manage that risk.
link |
01:07:35.640
And that's the blockchain right now.
link |
01:07:40.840
When I was covering all of these ransomware attacks, I thought, okay, this is going to
link |
01:07:46.800
be it for cryptocurrency.
link |
01:07:49.600
Governments are going to put the kibosh down.
link |
01:07:51.400
They're going to put the hammer down and say, enough is enough.
link |
01:07:54.800
We have to put this genie back in the bottle because it's enabled ransomware.
link |
01:07:58.560
I mean, five years ago, they would hijack your PC and they'd say, go to the local pharmacy,
link |
01:08:05.600
get an eGift card and tell us what the pin is, and then we'll get your $200.
link |
01:08:10.480
Now it's pay us, you know, five Bitcoin.
link |
01:08:14.520
And so there's no doubt cryptocurrencies enabled ransomware attacks, but after the Colonial
link |
01:08:20.160
Pipeline ransom was seized, because if you remember, the FBI was actually able to go
link |
01:08:24.760
in and claw some of it back from DarkSide, which was the ransomware group that hit it.
link |
01:08:31.560
And I spoke to these guys at TRM Labs.
link |
01:08:34.160
So they're one of these blockchain intelligence companies.
link |
01:08:37.000
And a lot of people that work there are used to work at the Treasury.
link |
01:08:41.080
And what they said to me was, yeah, cryptocurrency has enabled ransomware, but to track down
link |
01:08:49.000
that ransom payment would have taken, you know, if we were dealing with fiat currency,
link |
01:08:54.840
would have taken us years to get to that one bank account or belonging to that one front
link |
01:08:59.760
company in the Seychelles.
link |
01:09:01.960
And now, thanks to blockchain, we can track the movement of those funds in real time.
link |
01:09:08.440
And you know what, you know, these payments are not as anonymous as people think.
link |
01:09:13.400
Like we still can use our old hacking ways and zero days and, you know, old school intelligence
link |
01:09:18.920
methods to find out who owns that private wallet and how to get to it.
link |
01:09:23.640
So it's a curse in some ways in that it's an enabler, but it's also a blessing.
link |
01:09:29.600
And they said that same thing to me that I just said to you, they said, we've never
link |
01:09:34.160
shut down a promising new technology because it introduced risk.
link |
01:09:39.200
We just figured out how to manage that risk.
link |
01:09:42.200
And I think that's where the conversation unfortunately has to go, is how do we, in
link |
01:09:47.760
the metaverse, use technology to fix things.
link |
01:09:53.680
So maybe we'll finally be able to not finally, but figure out a way to solve the identity
link |
01:10:00.360
problem on the internet, meaning like a blue check mark for actual human and connect it
link |
01:10:05.840
to identity, like a fingerprint, so you can prove you're you and yet do it in a way that
link |
01:10:13.880
doesn't involve the company having all your data.
link |
01:10:17.720
So allowing you to maintain control over your data or if you don't, then there's a complete
link |
01:10:25.200
transparency of how that data is being used, all those kinds of things.
link |
01:10:29.160
And maybe as you educate more and more people, they would demand in a capitalist society that
link |
01:10:36.320
the companies that they give their data to will respect that data.
link |
01:10:40.840
Yeah.
link |
01:10:41.840
I mean, there is this company and I hope they succeed.
link |
01:10:44.920
Their name's Piiano and they want to create a vault for your personal information inside
link |
01:10:52.520
every organization.
link |
01:10:54.800
And ultimately, if I'm going to call Delta Airlines to book a flight, they don't need
link |
01:10:59.960
to know my social security number, they don't need to know my birth date.
link |
01:11:05.680
They're just going to send me a one time token to my phone.
link |
01:11:08.920
My phone's going to say, or my FIDO key is going to say, yep, it's her.
link |
01:11:13.600
And then we're going to talk about my identity like a token, some random token.
link |
01:11:17.640
They don't need to know exactly who I am.
link |
01:11:20.120
They just need to know the system trusts that I am who I say I am, but they don't get access
link |
01:11:26.600
to my PII data.
link |
01:11:27.960
They don't get access to my social security number, my location, or the fact I'm a Times
link |
01:11:33.200
journalist.
link |
01:11:34.200
I think that's the way the world's going to go.
link |
01:11:38.560
Enough is enough on sort of losing our personal information everywhere, letting data marketing
link |
01:11:45.160
companies track our every move.
link |
01:11:48.920
They don't need to know who I am, okay, I get it.
link |
01:11:52.520
We're stuck in this world where the internet runs on ads, so ads are not going to go away,
link |
01:12:00.200
but they don't need to know I'm Nicole Perlroth.
link |
01:12:03.600
They can know that I am token number X567.
link |
01:12:08.800
And they can let you know what they know and give you control about removing the things
link |
01:12:13.080
they know.
link |
01:12:14.080
Yeah, right to be forgotten.
link |
01:12:15.920
To me, you should be able to walk away with a single press of a button.
link |
01:12:20.440
And I also believe that most people given the choice to walk away won't walk away.
link |
01:12:25.320
They'll just feel better about having the option to walk away when they understand the tradeoffs.
link |
01:12:30.720
If you walk away, you're not going to get some of the personalized experiences that you would
link |
01:12:35.000
otherwise get, like a personalized feed and all those kinds of things.
link |
01:12:38.840
But the freedom to walk away is, I think, really powerful.
link |
01:12:44.200
And obviously, what you're saying, there's all of these HTML forms.
link |
01:12:48.720
We have to enter your phone number and email and private information from Delta, every
link |
01:12:53.600
single airline.
link |
01:12:55.960
Longer times, I have so many opinions on this, just the friction and the sign up and all
link |
01:13:03.800
of those kinds of things.
link |
01:13:04.800
I should be able to, this has to do with everything.
link |
01:13:07.240
This has to do with payment too.
link |
01:13:10.160
Payment should be trivial.
link |
01:13:11.880
It should be one click and one click to unsubscribe and subscribe and one click to provide all
link |
01:13:18.560
of your information that's necessary for the subscription service, for the transaction
link |
01:13:23.120
service, whatever, that is getting a ticket as opposed to, I have all these fake phone
link |
01:13:27.160
numbers and emails that I use in Delta sign up because you never know if one site is hacked,
link |
01:13:34.440
then it's just going to propagate to everything else.
link |
01:13:37.760
Yeah.
link |
01:13:38.760
And there's low hanging fruit and I hope Congress does something and frankly, I think
link |
01:13:45.160
it's negligent they haven't on the fact that elderly people are getting spammed to death
link |
01:13:51.960
on their phones these days with fake car warranty scams.
link |
01:13:56.040
I mean, my dad was in the hospital last year and I was in the hospital room and his phone
link |
01:14:01.240
kept buzzing and I look at it and it's just spam attack after spam attack, people nonstop
link |
01:14:09.440
calling about his freaking car warranty, why they're trying to get his social security
link |
01:14:15.400
number, they're trying to get his PII, they're trying to get their information.
link |
01:14:19.960
We need to figure out how to put those people in jail for life and we need to figure out
link |
01:14:28.680
why in the hell we are being required or asked to hand over our social security number and
link |
01:14:37.080
our home address and our password, all of that information to every retailer who asks.
link |
01:14:43.320
I mean, that's insanity.
link |
01:14:46.720
And there's no question they're not protecting it because it keeps showing up in spam or identity
link |
01:14:54.440
theft or credit card theft or worse.
link |
01:14:56.800
Well, spam is getting better and maybe as a side note, make a public announcement, please
link |
01:15:02.720
clip this out, which is if you get an email or a message from Lex Fridman saying how
link |
01:15:10.560
much I, Lex, appreciate you and love you and so on and please connect with me on my WhatsApp
link |
01:15:19.040
number and I will give you Bitcoin or something like that, please do not click.
link |
01:15:25.400
And I'm aware that there's a lot of this going on, a very large amount, I can't do anything
link |
01:15:31.160
about it.
link |
01:15:32.160
This is on every single platform, it's happening more and more and more, which I've been recently
link |
01:15:38.120
informed that they're not emailing.
link |
01:15:41.080
So it's cross platform, they're taking people's, they're somehow, this is fascinating to me
link |
01:15:47.280
because they are taking people who comment on various social platforms and they somehow
link |
01:15:54.840
reverse engineer, they figure out what their email is and they send an email to that person
link |
01:16:00.280
saying from Lex Fridman and it's like a heartfelt email with links.
link |
01:16:05.320
It's fascinating because it's cross platform now, it's not just a spam bot that's messaging
link |
01:16:11.000
and a comment that's in reply, they are saying, okay, this person cares about this other person
link |
01:16:17.360
on social media, so I'm going to find another channel, which in their mind probably increases
link |
01:16:22.600
and it does the likelihood that they'll get the people to click and they do.
link |
01:16:28.960
I don't know what to do about that, it makes me really, really sad, especially with podcasting,
link |
01:16:33.840
there's an intimacy that people feel connected and they get really excited, okay, cool.
link |
01:16:39.120
I want to talk to Lex and they click and I get angry at the people that do this.
link |
01:16:51.120
I mean, it's like the John that gets hired, the fake employee, I mean, I don't know what
link |
01:16:57.800
to do about that.
link |
01:16:58.800
I suppose the solution is education, it's telling people to be skeptical on the stuff
link |
01:17:05.360
they click, that balance with the technology solution of creating a maybe like two factor
link |
01:17:12.960
authentication and maybe helping identify things that are likely to be spam, I don't
link |
01:17:19.440
know, but then the machine learning there is tricky because you don't want to add a lot
link |
01:17:23.160
of extra friction that just annoys people because they'll turn it off because you have
link |
01:17:28.400
the accept cookies thing, right?
link |
01:17:31.040
That everybody has to click on, and now they completely ignore the accept cookies.
link |
01:17:35.040
This is very difficult to find that frictionless security.
link |
01:17:42.360
You mentioned Snowden, you talked about looking through the NSA documents he leaked and doing
link |
01:17:50.080
the hard work of that.
link |
01:17:52.200
What do you make of Edward Snowden?
link |
01:17:54.640
What have you learned from those documents?
link |
01:17:56.800
What do you think of him?
link |
01:18:00.760
In the long arc of history, is Edward Snowden a hero or a villain?
link |
01:18:05.440
I think he's neither.
link |
01:18:07.400
I have really complicated feelings about Edward Snowden.
link |
01:18:13.000
On the one hand, I'm a journalist at heart and more transparency is good and I'm grateful
link |
01:18:21.200
for the conversations that we had in the post Snowden era about the limits to surveillance
link |
01:18:29.560
and how critical privacy is.
link |
01:18:33.960
When you have no transparency and you don't really know in that case what our secret courts
link |
01:18:39.000
were doing, how can you truly believe that our country is taking our civil liberties
link |
01:18:47.120
seriously?
link |
01:18:49.760
On the one hand, I'm grateful that he cracked open these debates.
link |
01:18:56.320
On the other hand, when I walked into the storage closet of classified NSA secrets,
link |
01:19:05.800
I had just spent two years covering Chinese cyber espionage almost every day and the sort
link |
01:19:15.560
of advancement of Russian attacks that were just getting worse and worse and more destructive.
link |
01:19:23.400
There were no limits to Chinese cyber espionage and Chinese surveillance of its own citizens.
link |
01:19:31.040
There seemed to be no limit to what Russia was willing to do in terms of cyber attacks
link |
01:19:37.120
and also in some cases assassinating journalists.
link |
01:19:41.640
When I walked into that room, there was a part of me quite honestly that was relieved
link |
01:19:48.520
to know that the NSA was as good as I hoped they were.
link |
01:19:54.880
We weren't using that knowledge to, as far as I know, assassinate journalists.
link |
01:20:03.360
We weren't using our access to take out pharmaceutical companies.
link |
01:20:11.040
For the most part, we were using it for traditional espionage.
link |
01:20:16.640
That set of documents also set me on the journey of my book because to me, the American people's
link |
01:20:23.200
reaction to the Snowden documents was a little bit misplaced.
link |
01:20:28.880
They were upset about the phone call metadata collection program.
link |
01:20:34.160
Angela Merkel, I think, rightfully was upset that we were hacking her cell phone.
link |
01:20:39.680
But in the spy eat spy world, hacking world leaders' cell phones is pretty much what most
link |
01:20:45.720
spy agencies do.
link |
01:20:47.720
There wasn't a lot that I saw in those documents that was beyond what I thought a spy agency
link |
01:20:54.640
does.
link |
01:20:57.880
I think if there was another 9/11 tomorrow, God forbid, we would all say, how did the NSA
link |
01:21:04.520
miss this?
link |
01:21:05.880
Why weren't they spying on those terrorists?
link |
01:21:07.960
Why weren't they spying on those world leaders?
link |
01:21:11.080
There's some of that too.
link |
01:21:13.520
But I think that there was great damage done to the US's reputation.
link |
01:21:22.840
I think we really lost our halo in terms of a protector of civil liberties.
link |
01:21:31.000
And I think a lot of what was reported was unfortunately reported in a vacuum.
link |
01:21:37.080
That was my biggest gripe that we were always reporting, the NSA has this program and here's
link |
01:21:44.200
what it does and the NSA is in Angela Merkel's cell phone and the NSA can do this and no one
link |
01:21:52.880
was saying, and by the way, China has been hacking into our pipelines and they've been
link |
01:22:00.680
making off with all of our intellectual property and Russia's been hacking into our energy
link |
01:22:06.440
infrastructure and they've been using the same methods to spy on, track and in many
link |
01:22:11.680
cases kill their own journalists and the Saudis have been doing this to their own critics
link |
01:22:16.600
and dissidents.
link |
01:22:17.600
And so you can't talk about any of these countries in isolation.
link |
01:22:22.840
It is really like spy eat spy out there.
link |
01:22:26.160
And so I just have complicated feelings.
link |
01:22:28.760
And the other thing is, and I'm sorry, this is a little bit of a tangent, but the amount
link |
01:22:34.600
of documents that we had, like thousands of documents, most of which were just crap, but
link |
01:22:42.000
had people's names on them, you know, part of me wishes that those documents had been
link |
01:22:49.240
released in a much more targeted, limited way.
link |
01:22:53.200
Just a lot of it just felt like a PowerPoint that was taken out of context.
link |
01:23:00.600
And you just sort of wish that there had been a little bit more thought into what was released
link |
01:23:07.680
because I think a lot of the impact from Snowden was just the volume of the reporting.
link |
01:23:14.000
But I think, you know, based on what I saw personally, there was a lot of stuff that
link |
01:23:19.880
I just I don't know why that that particular thing got released.
link |
01:23:24.160
As a whistleblower, what's the better way to do it?
link |
01:23:26.800
Because, I mean, there's fear, there's it takes a lot of effort to do a more targeted
link |
01:23:32.640
release.
link |
01:23:33.640
You know, if there's proper channels, you're afraid that those channels will be manipulated
link |
01:23:38.200
like who do you trust?
link |
01:23:41.360
What's a better way to do this, do you think as a journalist, this is almost like a journalistic
link |
01:23:45.440
question, reveal some fundamental flaw in the system without destroying the system.
link |
01:23:50.840
And I bring up, you know, again, Mark Zuckerberg and Meta, there was a whistleblower that
link |
01:23:58.480
came out about Instagram internal studies.
link |
01:24:02.480
And I'm also torn about how to feel about that whistleblower, because from a company perspective,
link |
01:24:09.480
that's an open culture.
link |
01:24:11.880
How can you operate successfully if you have an open culture where any one whistleblower
link |
01:24:16.720
can come out out of context, take a study whether it represents a larger context or not.
link |
01:24:23.080
And the press eats it up.
link |
01:24:25.520
And then that creates a narrative that is just like with the NSA, you said it's out
link |
01:24:31.200
of context, very targeted, to where, well, Facebook is evil, clearly, because of this one leak.
link |
01:24:38.360
It's really hard to know what to do there, because we're now in a society that's deeply
link |
01:24:42.560
distrusts institutions.
link |
01:24:44.640
And so narratives by whistleblowers make that whistleblower and their forthcoming book very
link |
01:24:50.680
popular.
link |
01:24:52.320
And so there's a huge incentive to take stuff out of context and to tell stories that don't
link |
01:24:57.120
represent the full context, the full truth.
link |
01:25:01.440
It's hard to know what to do with that, because then that forces Facebook and Meta and governments
link |
01:25:06.800
to be much more conservative, much more secretive.
link |
01:25:10.720
It's like a race to the bottom, I don't know if you can comment on any of that, how to
link |
01:25:16.440
be a whistleblower ethically and properly.
link |
01:25:20.720
I don't know.
link |
01:25:21.720
I mean, these are hard questions.
link |
01:25:23.840
And even for myself, in some ways, I think of my book as sort of blowing the whistle
link |
01:25:31.560
on the underground zero day market, but it's not like I was in the market myself.
link |
01:25:38.360
It's not like I had access to classified data when I was reporting out that book.
link |
01:25:44.440
As I say in the book, listen, I'm just trying to scrape the surface here so we can have these
link |
01:25:50.320
conversations before it's too late.
link |
01:25:53.320
And I'm sure there's plenty in there that someone who's the US intelligence agencies' preeminent
link |
01:26:02.400
zero day broker probably has some voodoo doll of me out there.
link |
01:26:07.280
And you're never going to get it 100%.
link |
01:26:12.240
But I really applaud whistleblowers like the whistleblower who blew the whistle on the Trump
link |
01:26:20.200
call with Zelensky.
link |
01:26:23.960
People needed to know about that, that we were basically in some ways blackmailing an
link |
01:26:29.640
ally to try to influence an election.
link |
01:26:34.880
They went through the proper channels.
link |
01:26:37.360
They weren't trying to profit off of it, right?
link |
01:26:39.560
There was no book that came out afterwards from that whistleblower.
link |
01:26:44.200
That whistleblower's not like, they went through the channels.
link |
01:26:47.960
They're not living in Moscow.
link |
01:26:49.800
Let's put it that way.
link |
01:26:50.800
Can I ask you a question?
link |
01:26:52.000
You mentioned NSA, one of the things it showed, is they're pretty good at what they do?
link |
01:26:59.320
Again, this is a touchy subject, I suppose, but there's a lot of conspiracy theories about
link |
01:27:06.440
intelligence agencies.
link |
01:27:08.200
From your understanding of intelligence agencies, CIA, NSA, and the equivalent of in other countries,
link |
01:27:17.000
one question, and this could be a dangerous question: are they competent?
link |
01:27:22.200
Are they good at what they do?
link |
01:27:24.920
And two, are they malevolent in any way?
link |
01:27:31.480
A recent conversation about tobacco companies: they see their customers as dupes.
link |
01:27:39.760
They can just play games with people.
link |
01:27:43.920
Conspiracy theories tell that similar story about intelligence agencies, that they're
link |
01:27:48.760
interested in manipulating the populace for whatever ends the powerful want, in dark,
link |
01:27:57.200
cigarette-smoke and cigar-smoke-filled rooms.
link |
01:28:03.680
What's your sense?
link |
01:28:04.680
Do these conspiracy theories have any truth to them or are intelligence agencies for the
link |
01:28:13.440
most part good for society?
link |
01:28:15.600
Okay, well, that's an easy one.
link |
01:28:18.720
Is it?
link |
01:28:19.720
No.
link |
01:28:20.720
I think it depends which intelligence agency.
link |
01:28:23.960
Think about the Mossad.
link |
01:28:26.000
They're killing every Iranian nuclear scientist they can over the years, but have they delayed
link |
01:28:37.520
the time horizon before Iran gets the bomb?
link |
01:28:42.960
Have they probably staved off terror attacks on their own citizens?
link |
01:28:49.120
None of these, intelligence is intelligence.
link |
01:28:53.720
You can't just say they're malevolent or they're heroes.
link |
01:29:00.600
Everyone I have met in this space is not the pound your chest patriot that you see on the
link |
01:29:09.080
beach on the 4th of July.
link |
01:29:11.520
A lot of them have complicated feelings about their former employers. Well, at least people at
link |
01:29:18.240
the NSA reminded me: to do what we were accused of doing after Snowden, to spy on Americans,
link |
01:29:28.960
you have no idea the amount of red tape and paperwork and bureaucracy it would have taken
link |
01:29:37.760
to do whatever one thinks that we were supposedly doing. But then we find out in the course
link |
01:29:45.480
of the Snowden reporting about a program called LOVEINT where a couple of the NSA analysts
link |
01:29:51.800
were using their access to spy on their ex girlfriends.
link |
01:29:56.760
There's an exception to every case.
link |
01:30:00.760
I will probably get accused of my Western bias here again, but I think you can
link |
01:30:10.960
barely compare some of these Western intelligence agencies to China, for instance.
link |
01:30:21.280
The surveillance that they're deploying on the Uyghurs to the level they're deploying
link |
01:30:27.640
it, and the surveillance they're starting to export abroad with some of the programs
link |
01:30:33.080
like the watering hole attack I mentioned earlier, where it's not just hitting the Uyghurs
link |
01:30:37.680
inside China, it's hitting anyone interested in the Uyghur plight outside China.
link |
01:30:42.480
It could be an American high school student writing a paper on the Uyghurs.
link |
01:30:46.600
They want to spy on that person too.
link |
01:30:49.480
There's no rules in China really limiting the extent of that surveillance.
link |
01:30:56.160
We all better pay attention to what's happening with the Uyghurs because just as Ukraine has
link |
01:31:02.880
been to Russia in terms of a test kitchen for cyber attacks, the Uyghurs are China's
link |
01:31:09.920
test kitchen for surveillance.
link |
01:31:13.120
There's no doubt in my mind that they're testing them on the Uyghurs.
link |
01:31:17.960
Uyghurs are their petri dish and eventually they will export that level of surveillance
link |
01:31:22.440
overseas.
link |
01:31:23.440
I mean, in 2015, Obama and Xi Jinping reached a deal where basically the White House said
link |
01:31:34.480
you better cut it out on intellectual property theft.
link |
01:31:39.160
They made this agreement that they would not hack each other for commercial benefit.
link |
01:31:43.920
For a period of about 18 months, we saw this huge drop off in Chinese cyber attacks on
link |
01:31:49.080
American companies.
link |
01:31:51.320
Some of them continued.
link |
01:31:54.360
They continued on aviation companies, on hospitality companies like Marriott.
link |
01:32:02.120
Why?
link |
01:32:03.120
Because that was still considered fair game to China.
link |
01:32:05.640
It wasn't IP theft.
link |
01:32:06.880
They were after it.
link |
01:32:07.880
They wanted to know who was staying in this city at this time when Chinese citizens were
link |
01:32:14.280
staying there so they could cross match for counterintelligence who might be a likely Chinese
link |
01:32:19.040
spy.
link |
01:32:20.200
I'm sure we're doing some of that too.
link |
01:32:23.560
Counterintelligence is counterintelligence.
link |
01:32:24.800
It's considered fair game.
link |
01:32:28.200
Where I think it gets evil is when you use it for censorship to suppress any dissent,
link |
01:32:37.400
to do what I've seen the UAE do to its citizens, where people who've gone on Twitter just to
link |
01:32:45.160
advocate for better voting rights, more enfranchisement,
link |
01:32:49.800
only find their passports confiscated.
link |
01:32:53.720
I talked to one critic, Ahmed Mansoor, and he told me, you might find yourself a terrorist,
link |
01:33:01.240
labeled a terrorist one day, and you don't even know how to operate a gun.
link |
01:33:04.960
He'd been beaten up every time he tried to go somewhere.
link |
01:33:07.960
His passport had been confiscated.
link |
01:33:09.640
By that point, it turned out they'd already hacked into his phone, so they were listening
link |
01:33:12.680
to us talking.
link |
01:33:14.180
They'd hacked into his baby monitor, so they're spying on his child, and they stole his car.
link |
01:33:23.400
Then they created a new law that you couldn't criticize the ruling family or the ruling
link |
01:33:28.120
party on Twitter.
link |
01:33:29.840
He's been in solitary confinement every day since on hunger strike.
link |
01:33:34.920
That's evil.
link |
01:33:36.440
That's evil.
link |
01:33:38.800
We don't do that here.
link |
01:33:40.800
We have rules here.
link |
01:33:42.080
We don't cross that line.
link |
01:33:44.960
In some cases, I won't go to Dubai.
link |
01:33:48.760
I won't go to Abu Dhabi.
link |
01:33:50.000
If I ever want to go to the Maldives, too bad, most of the flights go through Dubai.
link |
01:33:55.240
There's some lines we're not willing to cross, but then again, just like you said, there's
link |
01:33:59.160
individuals within NSA, within CIA, and they may have power.
link |
01:34:05.960
To me, there's levels of evil.
link |
01:34:07.920
To me, personally, the stuff of conspiracy theories is this: the things you've mentioned as
link |
01:34:13.440
evil are more direct attacks, but there's also psychological warfare, so blackmail.
link |
01:34:21.520
What does spying allow you to do?
link |
01:34:25.280
It allows you to collect information if you have something that's embarrassing, or if
link |
01:34:30.720
you have like Jeffrey Epstein conspiracy theories active, what is it, manufacture of embarrassing
link |
01:34:37.560
things, and then use blackmail to manipulate the population or all the powerful people
link |
01:34:42.240
involved.
link |
01:34:43.240
It troubles me deeply that MIT allowed somebody like Jeffrey Epstein in their midst, especially
link |
01:34:48.960
some of the scientists I admire that they would hang out with that person at all.
link |
01:34:56.280
I'll talk about it sometimes, and then a lot of people tell me, well, obviously, Jeffrey
link |
01:35:01.640
Epstein is the front for intelligence, and I struggle to see that level of competence
link |
01:35:09.560
and malevolence, but who the hell am I?
link |
01:35:18.280
I guess I was trying to get to that point.
link |
01:35:21.280
You said that there's bureaucracy and so on, which makes some of these things very difficult.
link |
01:35:25.720
I wonder how much malevolence, how much competence there is in these institutions.
link |
01:35:31.920
How far, it takes us back to the hacking question, how far are people willing to go if they have
link |
01:35:39.040
the power?
link |
01:35:40.040
This has to do with social engineering, this has to do with hacking, this has to do with
link |
01:35:44.240
manipulating people, attacking people, doing evil onto people, psychological warfare and
link |
01:35:48.560
stuff like that.
link |
01:35:50.200
I don't know, I believe that most people are good, and I don't think that's possible in
link |
01:35:58.360
a free society.
link |
01:35:59.360
There's something that happens when you have a centralized government where power corrupts
link |
01:36:04.640
over time and you start surveillance programs, it's like a slippery slope that over time
link |
01:36:12.840
starts to both use fear and direct manipulation to control the populace, but in a free society
link |
01:36:21.440
I just, it's difficult for me to imagine that you can have, like, somebody like a Jeffrey
link |
01:36:27.160
Epstein being the front for intelligence.
link |
01:36:29.280
I don't know what I'm asking you, but I'm just, I have a hope that for the most part
link |
01:36:36.880
intelligence agencies are trying to do good and are actually doing good for the world
link |
01:36:43.480
when you view it in the full context of the complexities of the world.
link |
01:36:51.720
But then again, if they're not, would we know?
link |
01:36:55.520
That's why Edward Snowden might be a good thing.
link |
01:36:58.480
Let me ask you on a personal question, you have investigated some of the most powerful
link |
01:37:02.400
organizations and people in the world of cyber warfare, cyber security.
link |
01:37:07.720
Are you ever afraid for your own life, your own well being digital or physical?
link |
01:37:13.240
I mean, I've had my moments.
link |
01:37:15.600
You know, I've had our security team at the Times call me at one point and say someone's
link |
01:37:22.640
on the dark web offering good money to anyone who can hack your phone or your laptop.
link |
01:37:30.080
I describe in my book how when I was at that hacking conference in Argentina, I came back
link |
01:37:35.200
and I brought a burner laptop with me, but I'd kept it in the safe anyway and it didn't
link |
01:37:41.560
have anything on it, but someone had broken in and it was moved.
link |
01:37:46.720
You know, I've had all sorts of scary moments and then I've had moments where I
link |
01:37:53.840
think I went just way too far into the paranoid side.
link |
01:37:58.720
I mean, I remember writing about the Times hack by China and I'd just covered a number
link |
01:38:05.840
of Chinese cyber attacks where they'd gotten into the thermostat at someone's corporate
link |
01:38:10.840
apartment and, you know, they've gotten into all sorts of stuff and I was living by myself.
link |
01:38:17.640
I was single in San Francisco and my cable box on my television started making some weird
link |
01:38:25.000
noises in the middle of the night and I got up and I ripped it out of the wall and I think
link |
01:38:30.120
I said something embarrassing like, fuck you China, you know, and then I went back
link |
01:38:37.320
to bed and I woke up and like, it's like beautiful morning light, I mean, I'll never
link |
01:38:42.040
forget it.
link |
01:38:43.040
Like this is like glimmering morning light shining on my cable box, which has now been
link |
01:38:46.840
ripped out and is sitting on my floor and like the morning light and I was just like,
link |
01:38:52.560
no, no, no, like I'm not going down that road.
link |
01:38:57.040
Like, basically, I came to a fork in the road where I could either go full tinfoil hat,
link |
01:39:06.240
go live off the grid, never have a car with navigation, never use Google Maps, never own
link |
01:39:11.840
an iPhone, never order diapers off Amazon, you know, create an alias or I could just
link |
01:39:20.680
do the best I can and live in this new digital world we're living in.
link |
01:39:26.440
And what does that look like for me?
link |
01:39:28.040
I mean, what are my crown jewels?
link |
01:39:30.600
This is what I tell people, what are your crown jewels because just focus on that.
link |
01:39:34.160
You can't protect everything, but you can protect your crown jewels.
link |
01:39:37.520
For me, for the longest time, my crown jewels were my sources.
link |
01:39:42.280
I was nothing without my sources.
link |
01:39:44.640
So I had some sources, I would meet the same dim sum place or maybe it was a different
link |
01:39:50.640
restaurant on the same date, you know, every quarter and we would never drive there.
link |
01:39:59.120
We would never Uber there.
link |
01:40:00.400
We wouldn't bring any devices.
link |
01:40:02.040
I could bring a pencil and a notepad.
link |
01:40:05.600
And if someone wasn't in town, like there were a couple of times where I'd show up and
link |
01:40:09.480
the source never came, but we never communicated digitally.
link |
01:40:14.280
And those were the lengths I was willing to go to protect that source, but you can't do
link |
01:40:18.200
it for everyone.
link |
01:40:19.600
So for everyone else, you know, it was Signal, using two factor authentication, you know,
link |
01:40:24.880
keeping my devices up to date, not clicking on phishing emails, using a password manager,
link |
01:40:30.760
all the things that, you know, we know we're supposed to do.
link |
01:40:34.720
And that's what I tell everyone, like don't go crazy because then that's like the ultimate
link |
01:40:38.920
hack.
link |
01:40:39.920
Then they've hacked your mind, whoever they is for you.
link |
01:40:43.680
But just do the best you can.
link |
01:40:45.400
Now, my whole risk model changed when I had a kid, you know, now it's, oh God, you know,
link |
01:40:54.720
if anyone threatened my family, God help them, but it's, it changes you and, you know, unfortunately,
link |
01:41:11.240
there are some things like I was really scared to go deep on, like Russian cybercrime, you
link |
01:41:16.960
know, like Putin himself, you know, and, and it's interesting, like I have a mentor who's
link |
01:41:22.680
an incredible person who was the Times Moscow bureau chief during the Cold War.
link |
01:41:29.920
And after I wrote a series of stories about Chinese cyber espionage, he took me out to
link |
01:41:34.000
lunch and he told me that when he was living in Moscow, he would drop his kids off at preschool
link |
01:41:39.880
when they were my son's age now.
link |
01:41:42.840
And the KGB would follow him and they would make a really like loud show of it.
link |
01:41:48.280
You know, they'd tail him, they'd, you know, honk, they'd just make a
link |
01:41:54.360
ruckus.
link |
01:41:55.360
And he said, you know what, they never actually did anything, but they wanted me to know that
link |
01:41:58.960
they were following me and I operated accordingly.
link |
01:42:03.320
And he says, that's how you should operate in, in the digital world.
link |
01:42:08.320
You know that there are probably people following you.
link |
01:42:12.160
Sometimes they'll make a little bit of noise.
link |
01:42:14.760
But one thing you need to know is that while you're at the New York Times, you have a little
link |
01:42:19.240
bit of an invisible shield on you, you know, if something were to happen to you, that would
link |
01:42:23.840
be a really big deal.
link |
01:42:24.840
That would be an international incident.
link |
01:42:27.080
So I kind of carried that invisible shield with me for years.
link |
01:42:31.680
And then Jamal Khashoggi happened and that destroyed my vision of my invisible shield.
link |
01:42:39.400
You know, sure, you know, he was a Saudi, but he was a Washington Post columnist.
link |
01:42:45.680
You know, for the most part, he was living in the United States, he was a journalist.
link |
01:42:50.440
And for them to do what they did to him pretty much in the open and get away with it.
link |
01:42:58.720
And for the United States to let them get away with it because we wanted to preserve
link |
01:43:03.280
diplomatic relations with the Saudis, that really threw my worldview upside down.
link |
01:43:11.120
And you know, I think that sent a message to a lot of countries that it was sort of
link |
01:43:17.120
open season on journalists.
link |
01:43:19.840
And to me, that was one of the most destructive things that happened under the previous administration.
link |
01:43:27.840
And you know, I don't really know what to think of my invisible shield anymore.
link |
01:43:32.120
Like you said, that really worries me on the journalism side that people would be afraid
link |
01:43:36.320
to dig deep on fascinating topics.
link |
01:43:41.320
And you know, I have my own, that's part of the reason I would love to have kids, I would
link |
01:43:50.320
love to have a family.
link |
01:43:52.960
Part of the reason I'm a little bit afraid is, there are many ways to phrase this, but the
link |
01:43:58.240
loss of freedom to do all the crazy shit that I naturally do, which I would
link |
01:44:05.560
say the ethic of journalism kind of is, doing crazy shit without really thinking
link |
01:44:10.640
about it.
link |
01:44:11.640
This is letting your curiosity really allow you to be free and explore.
link |
01:44:18.640
I mean, whether it's stupidity or fearlessness, whatever it is, that's what great journalism
link |
01:44:24.200
is.
link |
01:44:25.480
And all the concerns about security risks have made me like become a better person.
link |
01:44:32.840
The way I approach it is just make sure you don't have anything to hide.
link |
01:44:37.200
I know this is not a thing, this is not a, this is not an approach to security.
link |
01:44:41.880
I'm just, this is like a motivational speech or something.
link |
01:44:45.160
It's just like, if you can lose, you can be hacked at any moment.
link |
01:44:49.400
Just don't be a douchebag secretly, just be like a good person.
link |
01:44:54.480
Because then I see this actually with social media in general, just present yourself in
link |
01:45:02.240
the most authentic way possible, meaning be the same person online as you are privately,
link |
01:45:07.000
have nothing to hide.
link |
01:45:08.240
That's one, not the only, but one of the ways to achieve security.
link |
01:45:14.720
I'm totally wrong on this, but don't be secretly weird.
link |
01:45:19.560
If you're weird, be publicly weird.
link |
01:45:21.960
So it's impossible to blackmail you.
link |
01:45:24.360
That's my approach to it.
link |
01:45:25.360
Yeah.
link |
01:45:26.360
Well, they call it the New York Times front page phenomenon, you know, don't put anything
link |
01:45:30.680
in email or I guess social media these days that you wouldn't want to read on the front
link |
01:45:36.120
page of the New York Times.
link |
01:45:38.000
And that works, but you know, sometimes I even get carried away, I mean, I have not as many
link |
01:45:44.640
followers as you, but a lot of followers and sometimes even I get carried away.
link |
01:45:48.720
Just be emotional and stuff to say something.
link |
01:45:50.880
Yeah.
link |
01:45:51.880
Yeah.
link |
01:45:52.880
I mean, just the cortisol response on Twitter, you know, Twitter is basically like designed
link |
01:45:59.720
to elicit those responses.
link |
01:46:01.520
I mean, every day I turn on my computer, I look at my phone, I look at what's trending
link |
01:46:07.120
on Twitter and it's like, what are the topics that are going to make people the most angry
link |
01:46:12.760
today, you know, and, you know, it's easy to get carried away, but it's also just that
link |
01:46:21.120
sucks too that you have to be constantly censoring yourself and maybe it's for the better.
link |
01:46:26.840
Maybe you can't be a secret asshole and we can put that in the good bucket.
link |
01:46:31.640
But at the same time, you know, there is a danger to that other voice, to creativity,
link |
01:46:41.240
you know, to being weird.
link |
01:46:43.200
There's a danger to that little whispered voice that's like, well, how would people
link |
01:46:47.720
read that?
link |
01:46:48.720
You know, how could that be manipulated?
link |
01:46:51.280
How could that be used against you?
link |
01:46:53.840
And that stifles creativity and innovation and free thought and, you know, that is on
link |
01:47:03.680
a very micro level and that's something I think about a lot.
link |
01:47:09.120
And that's actually something that Tim Cook has talked about a lot.
link |
01:47:13.560
And why he has, you know, said he goes full force on privacy is it's just that little
link |
01:47:19.560
voice that is at some level censoring you.
link |
01:47:25.200
And what, what is sort of the longterm impact of that little voice over time?
link |
01:47:31.000
I think there are ways, I think that self censorship is an attack vector that there's
link |
01:47:36.840
solutions to.
link |
01:47:37.840
In a way, I'm really inspired by Elon Musk.
link |
01:47:40.240
The solution to that is just be privately and publicly the same person and be ridiculous.
link |
01:47:47.160
Embrace the full weirdness and show it more and more.
link |
01:47:49.880
So it, you know, that's, that's memes that has like ridiculous humor.
link |
01:47:54.200
And I think, and if there is something you really want to hide, deeply consider if
link |
01:48:01.320
you want to be that, like, why are you hiding it?
link |
01:48:05.520
What exactly are you afraid of?
link |
01:48:07.120
Because I think my hopeful vision for the internet is the internet loves authenticity.
link |
01:48:13.400
They want to see you weird.
link |
01:48:15.200
So be that and like live that fully because I think that gray area where you're kind of
link |
01:48:20.800
censoring yourself, that, that's where the destruction is.
link |
01:48:25.320
You have to go all the way, step over, be weird, be weird.
link |
01:48:28.880
And then it feels, it can be painful because people can attack you and so on, but just
link |
01:48:33.080
ride it.
link |
01:48:34.080
It's just like a skill on a social psychological level that ends up being a, an approach to
link |
01:48:41.360
security, which is like, remove the attack vector of having private information by being
link |
01:48:47.400
your full weird self publicly.
link |
01:48:51.800
What, what advice would you give to young folks today, you know, operating in, in this
link |
01:48:58.920
complicated space about how to have a successful life, a life they can be proud of, a career
link |
01:49:04.360
they can be proud of, maybe somebody in high school and college thinking about what they're
link |
01:49:10.120
going to do.
link |
01:49:11.120
Be a hacker, you know, if you have any interest, become a hacker and apply yourself to defense.
link |
01:49:18.920
You know, every time, like we do have these, these amazing scholarship programs, for instance,
link |
01:49:24.680
where, you know, they find you early, they'll pay your college as long as you commit to
link |
01:49:30.080
some kind of federal commitment to sort of help federal agencies with cybersecurity.
link |
01:49:35.440
And where does everyone want to go every year from the scholarship program?
link |
01:49:39.080
They want to go work at the NSA or cyber command, you know, they want to go work on offense.
link |
01:49:44.240
They want to go do the sexy stuff.
link |
01:49:46.360
It's really hard to get people to work on defense.
link |
01:49:50.000
It's just, it's always been more fun to be a pirate than be in the Coast Guard, you know,
link |
01:49:54.760
and so we have a huge deficit when it comes to filling those roles.
link |
01:50:01.440
There's 3.5 million unfilled cybersecurity positions around the world.
link |
01:50:07.560
I mean, talk about job security, like be a hacker and work on cybersecurity.
link |
01:50:12.800
You will always have a job.
link |
01:50:15.640
And we've actually had a huge deficit and disadvantage as a free market economy because
link |
01:50:23.120
we can't match cybersecurity salaries at Palantir or Facebook or Google or Microsoft.
link |
01:50:30.120
And so it's really hard for the United States to fill those roles.
link |
01:50:35.320
And you know, other countries have had this work around where they basically have forced
link |
01:50:39.400
conscription on some level, you know, China tells people, like, you do whatever you're
link |
01:50:45.080
going to do during the day, work at Alibaba, you know, if you need to do some ransomware,
link |
01:50:50.840
okay, but the minute we tap you on the shoulder and ask you to come do this sensitive operation
link |
01:50:56.320
for us, the answer is yes, you know, same with Russia, you know, a couple years ago
link |
01:51:01.760
when Yahoo was hacked, and they laid it all out in an indictment, it came down to two
link |
01:51:06.600
cyber criminals and two guys from the FSB, cyber criminals were allowed to have their
link |
01:51:11.080
fun, but the minute they came across the username and password for someone's personal Yahoo
link |
01:51:16.200
account that worked at the White House or the State Department or military, they were
link |
01:51:20.840
expected to pass that over to the FSB.
link |
01:51:23.720
So we don't do that here.
link |
01:51:25.080
And it's even worse on defense, we really can't fill these positions.
link |
01:51:30.040
So you know, if you are a hacker, if you're interested in code, if you're a tinkerer, you
link |
01:51:36.680
know, learn how to hack, there are all sorts of amazing hacking competitions you can do
link |
01:51:43.080
through the SANS org, for example, SANS.
link |
01:51:49.000
And then use those skills for good, you know, neuter the bugs in that code that get used
link |
01:51:54.280
by autocratic regimes to make people's life, you know, a living prison, you know, plug
link |
01:52:00.640
those holes, you know, defend industrial systems, defend our water treatment facilities from
link |
01:52:06.120
hacks where people are trying to come in and poison the water, you know, that I think is
link |
01:52:10.640
just an amazing, it's an amazing job on so many levels, it's intellectually stimulating,
link |
01:52:19.680
you can tell yourself you're serving your country, you can tell yourself you're saving
link |
01:52:24.120
lives and keeping people safe, and you'll always have amazing job security.
link |
01:52:28.480
And if you need to go get that job that pays you, you know, $2 million a year, you can
link |
01:52:32.520
do that too.
link |
01:52:33.520
And you can have a public profile, more so of a public profile, you can be a public rock
link |
01:52:37.960
star.
link |
01:52:38.960
I mean, it's the same thing as sort of the military.
link |
01:52:42.920
There's a lot of well known sort of people commenting on the fact that
link |
01:52:50.920
veterans are not treated as well as they should be, but it's still the fact that soldiers
link |
01:52:56.000
are deeply respected for defending the country, the freedoms, the ideals that we stand for.
link |
01:53:02.880
And in the same way, I mean, in some ways, the cyber security defense are the soldiers
link |
01:53:08.000
of the future.
link |
01:53:09.000
Yeah.
link |
01:53:10.000
And you know what's interesting?
link |
01:53:11.000
I mean, in cybersecurity, the difference is oftentimes you see the more interesting
link |
01:53:16.640
threats in the private sector, because that's where the attacks come, you know, when cyber
link |
01:53:21.560
criminals and nation state adversaries come for the United States, they don't go directly
link |
01:53:26.400
for cyber command or the NSA.
link |
01:53:28.600
No, they go for banks.
link |
01:53:31.000
They go for Google, they go for Microsoft, they go for critical infrastructure.
link |
01:53:36.800
And so those companies, those private sector companies get to see some of the most advanced
link |
01:53:41.720
sophisticated attacks out there.
link |
01:53:46.120
And you know, if you're working at FireEye and you're calling out the SolarWinds attack,
link |
01:53:50.760
for instance, I mean, you just saved God knows how many systems from, you know, that compromise
link |
01:53:58.040
turning into something that more closely resembles sabotage.
link |
01:54:03.800
So you know, go be a hacker or go be a journalist.
link |
01:54:11.080
So you wrote the book, this is how they tell me the world ends, as we've been talking about,
link |
01:54:17.680
of course, referring to cyber war, cyber security.
link |
01:54:21.800
What gives you hope about the future of our world?
link |
01:54:25.400
If it doesn't end, how will it not end?
link |
01:54:31.720
That's a good question.
link |
01:54:32.720
I mean, I have to have hope, right?
link |
01:54:34.920
Because I have a kid and I have another on the way.
link |
01:54:37.640
And if I didn't have hope, I wouldn't be having kids.
link |
01:54:41.040
But it's a scary time to be having kids.
link |
01:54:46.920
And it's like pandemic, climate change, disinformation, increasingly advanced, perhaps
link |
01:54:55.160
deadly cyber attacks.
link |
01:54:57.800
What gives me hope is that I share your worldview that I think people are fundamentally good.
link |
01:55:05.400
And sometimes, and this is why the metaverse scares me to death, but when I'm reminded
link |
01:55:10.200
of that, it's not online, like online, I get the opposite, you know, you start to lose hope
link |
01:55:16.480
in humanity when you're on Twitter half your day.
link |
01:55:20.440
It's like when I go to the grocery store or I go on a hike or like someone smiles at
link |
01:55:25.640
me or, you know, or someone just says something nice, you know, people are fundamentally good.
link |
01:55:33.320
We just don't hear from those people enough.
link |
01:55:37.600
And my hope is, you know, I just think our current political climate, like we've hit
link |
01:55:43.520
rock bottom.
link |
01:55:45.020
This is as bad as it gets.
link |
01:55:46.720
We can't do anything.
link |
01:55:47.720
Don't jinx it.
link |
01:55:48.720
Well, but I think it's a generational thing.
link |
01:55:52.040
You know, I think baby boomers, like it's time to move along.
link |
01:55:57.080
I think it's time for a new generation to come in.
link |
01:56:01.240
And I actually have a lot of hope when I look at, you know, I'm sort of like this, I guess
link |
01:56:08.080
they call me a geriatric millennial or a young Gen Xer, but like we have this unique responsibility
link |
01:56:14.320
because I grew up without the internet and without social media, but I'm native to it.
link |
01:56:21.120
So I know the good and I know the bad.
link |
01:56:25.600
And that's true on so many different things.
link |
01:56:28.320
You know, I grew up without climate change anxiety.
link |
01:56:32.200
And now I'm feeling it and I know it's not a given.
link |
01:56:34.920
We don't have to just resign ourselves to climate change, you know, same with disinformation.
link |
01:56:41.280
And I think a lot of the problems we face today have just exposed the sort of inertia
link |
01:56:47.600
that there has been on so many of these issues.
link |
01:56:50.000
And I really think it's a generational shift that has to happen.
link |
01:56:54.760
And I think this next generation is going to come in and say, like, we're not doing
link |
01:56:58.800
business like you guys did it anymore, you know, we're not just going to like rape and
link |
01:57:02.520
pillage the earth and try and turn everyone against each other and play dirty tricks and
link |
01:57:07.840
let lobbyists dictate, you know, what we do or don't do as a country anymore.
link |
01:57:14.480
And that's really where I see the hope.
link |
01:57:16.600
It feels like there's a lot of low hanging fruit for young minds to step up and create
link |
01:57:22.240
solutions and lead.
link |
01:57:23.840
So whenever like politicians or leaders that are older, like you said, are acting shitty,
link |
01:57:32.880
I see that as a positive.
link |
01:57:34.200
They're inspiring a large number of young people to replace them.
link |
01:57:39.120
Yeah.
link |
01:57:40.120
And so it's, I think you're right, there's going to be, it's almost like you need people
link |
01:57:44.200
to act shitty to remind them, oh, wow, we need good leaders, we need great creators
link |
01:57:49.200
and builders and entrepreneurs and scientists and engineers and journalists, you know, all
link |
01:57:54.800
the discussions about how the journalism is quote unquote broken and so on.
link |
01:57:58.800
That's just an inspiration for new institutions to rise up that do journalism better.
link |
01:58:03.880
We need journalists to step up and do journalism better.
link |
01:58:06.400
So I, and I've been constantly, when I talk to young people, I'm constantly impressed
link |
01:58:11.920
by the ones that dream to build solutions.
link |
01:58:16.520
And so that's, that's, that's ultimately why I put the hope, but the world is a messy
link |
01:58:22.280
place.
link |
01:58:23.280
Like we've been talking about the scary place.
link |
01:58:26.680
Yeah.
link |
01:58:27.680
And I think you hit something, hit on something earlier, which is authenticity.
link |
01:58:33.240
Like no one is going to rise above that is plastic anymore.
link |
01:58:40.120
You know, people are craving authenticity, you know, the benefit of the internet is it's
link |
01:58:45.720
really hard to hide who you are on every single platform, you know, and at some level it's going
link |
01:58:51.240
to come out who you really are.
link |
01:58:54.000
And so you hope that, you know, by the time my kids are grown, like no one's going to
link |
01:59:00.480
care if they made one mistake online so long as they're authentic, you know, and I used
link |
01:59:08.120
to worry about this.
link |
01:59:09.680
My nephew was born the day I graduated from college and I just always, you know, he's
link |
01:59:15.640
like born into Facebook and just think like, how is a kid like that ever going to be president
link |
01:59:22.280
of the United States of America?
link |
01:59:24.360
Because if Facebook had been around when I was in college, you know, like Jesus, you
link |
01:59:30.680
know, what, how is, how are those kids are going to ever be president?
link |
01:59:34.280
There's going to be some photo of them at some point making some mistake and that's
link |
01:59:40.160
going to be all over for them.
link |
01:59:41.840
And now I take that back.
link |
01:59:43.160
Now it's like, no, everyone's going to make mistakes.
link |
01:59:46.920
There's going to be a picture for everyone and we're all going to have to come and grow
link |
01:59:51.840
up to the view that as humans, we're going to make huge mistakes and hopefully they're
link |
01:59:57.160
not so big that they're going to ruin the rest of your life, but we're going to have
link |
02:00:01.560
to come around to this view that we're all human and we're going to have to be a little
link |
02:00:05.480
bit more forgiving and a little bit more tolerant when people mess up and we're going to have
link |
02:00:10.720
to be a little bit more humble when we do and like keep moving forward.
link |
02:00:15.560
Otherwise, you can't like cancel everyone, you know?
link |
02:00:18.000
Nicole, this was an incredible, hopeful conversation.
link |
02:00:21.960
Also one that reveals that in the shadows, there's a lot of challenges to be solved.
link |
02:00:30.320
So I really appreciate that you took on this really difficult subject with your book.
link |
02:00:34.480
That's journalism at its best.
link |
02:00:35.880
So I'm really grateful that you did the, that you took the risk that you took that on and
link |
02:00:40.600
that you plugged the cable box back in.
link |
02:00:42.640
That means you have hope.
link |
02:00:45.440
And thank you so much for spending your valuable time with me today.
link |
02:00:47.880
Thank you.
link |
02:00:48.880
Thanks for having me.
link |
02:00:50.880
Thanks for listening to this conversation with Nicole Perlroth.
link |
02:00:53.680
To support this podcast, please check out our sponsors in the description.
link |
02:00:57.760
And now let me leave you with some words from Nicole herself.
link |
02:01:02.040
Here we are, entrusting our entire digital lives, passwords, texts, love letters, banking
link |
02:01:08.160
records, health records, credit card sources, and deepest thoughts to this mystery box whose
link |
02:01:14.200
inner circuitry most of us would never vet.
link |
02:01:17.840
Run by code written in a language most of us will never fully understand.
link |
02:01:23.560
Thank you for listening and hope to see you next time.