Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266
If one site is hacked, you can just unleash all hell.
We have stumbled into this new era of mutually assured digital destruction.
How far are people willing to go?
And you can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it.
Basically, you can put an invisible ankle bracelet on someone without them knowing.
You could sell that to a zero day broker for two million dollars.
The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
This is the Lex Fridman Podcast.
To support it, please check out our sponsors in the description.
And now, dear friends, here's Nicole Perlroth.
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists, government officials, forensic investigators, and mercenaries.
So let's talk about cybersecurity and cyber war.
Start with the basics.
What is a zero day vulnerability, and then a zero day exploit or attack?
So, at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS software that no one else knows about, especially Apple.
That's called a zero day because the minute it's discovered, engineers have had zero days to fix it.
If I can study that zero day, I could potentially write a program to exploit it.
And that program would be called a zero day exploit.
And for iOS, the dream is that you craft a zero day exploit that can remotely exploit someone else's iPhone without them ever knowing about it.
And you can capture their location.
You can capture their contacts, record their telephone calls, record their camera without them knowing about it.
Basically, you can put an invisible ankle bracelet on someone with a phone without them knowing.
And you can see why that capability, that zero day exploit, would have immense value for a spy agency or a government that wants to monitor its critics or dissidents.
And so there's a very lucrative market now for zero day exploits.
So you said a few things there.
Which operating system?
Which one is the sexier thing to try to get to, or the most impactful thing?
And the other thing you mentioned is remote versus like having to actually come in physical
Is that the distinction?
So iPhone exploits have just been a government's number one priority.
Recently, actually, the price of an Android remote zero day exploit, something that can get you into Android phones, is actually higher.
The value of that is now higher on this underground market for zero day exploits than an iPhone iOS exploit.
So things are changing.
So there's probably more Android devices.
So that's why it's better.
But on the iPhone side, I'm an Android person because I'm a man of the people.
But it seems like all the elites use iPhone, all the people at nice dinner parties.
So is that the reason, that the more powerful people use iPhones?
I actually, so it was about two years ago that the price has flipped.
It used to be that if you could craft a remote zero click exploit for iOS, then that was about as good as it gets.
You could sell that to a zero day broker for $2 million.
The caveat is you can never tell anyone about it, because the minute you tell someone about it, Apple learns about it, they patch it, and that $2.5 million investment that that zero day broker just made goes to dust.
So a couple years ago, and don't quote me on the prices, but an Android zero click remote exploit for the first time topped the iOS.
And actually, a lot of people's read on that was that it might be a sign that Apple security was falling and that it might actually be easier to find an iOS zero day exploit than find an Android zero day exploit.
The other thing is market share.
There are just more people around the world that use Android.
And a lot of governments that are paying top dollar for zero day exploits these days are deep pocketed governments in the Gulf that want to use these exploits to monitor their own citizens, monitor their critics.
And so it's not necessarily that they're trying to find elites.
It's that they want to find out who these people are that are criticizing them or perhaps planning the next Arab Spring.
So in your experience, are most of these attacks targeted to cover a large population, or are there attacks that are targeted towards specific individuals?
So I think it's both.
Some of the zero day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted.
There was a potential terrorist attack.
They wanted to get into this person's phone.
It had to be done in the next 24 hours.
They approached hackers and said, we'll pay you X millions of dollars if you can do this.
But then you look at when we've discovered iOS zero day exploits in the wild, some of them have been targeting large populations like Uighurs.
So a couple of years ago, there was a watering hole attack.
Okay, what's a watering hole attack?
There's a website.
It actually had information aimed at Uighurs, and you could access it all over the world.
And if you visited this website, it would drop an iOS zero day exploit onto your phone.
And so anyone that visited this website that was about Uighurs anywhere, I mean Uighurs living abroad, basically the Uighur diaspora, would have gotten infected with this zero day exploit.
So in that case, they were targeting huge swaths of this one population, or people interested in this one population, basically in real time.
Who are these attackers, from the individual level to the group level?
Psychologically speaking, what's their motivation?
Is it purely money?
Is it the challenge?
Are they malevolent?
Or, these are big philosophical human questions, I guess.
So these are the questions I set out to answer for my book.
I wanted to know, are these people that are just after money?
If they're just after money, how do they sleep at night, not knowing whether that zero day exploit they just sold to a broker is being used to basically make someone's life a living hell?
And what I found was there's kind of this long, sordid history to this question.
It started out in the 80s and 90s when hackers were just finding holes and bugs in software for curiosity's sake, really as a hobby, and some of them would go to the tech companies like Microsoft or Sun Microsystems at the time or Oracle.
And they'd say, hey, I just found this zero day in your software and I can use it to break
And the general response at the time wasn't, thank you so much for pointing out this flaw in our software, we'll get it fixed as soon as possible.
It was, don't ever poke around our software ever again or we'll stick our general counsel on you.
And that was really sort of the common thread for years.
And so hackers who set out to do the right thing were basically told to shut up and stop doing what you're doing.
And what happened next was they basically started trading this information online.
Now, when you go back and interview people from those early days, they all tell a very similar story, which is they're curious, they're tinkerers.
They remind me of like the kid down the block that was constantly poking around the hood
They just couldn't help themselves.
They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose.
It doesn't have to be good or bad.
But they were basically kind of beat down for so long by these big tech companies that they started just silently trading them with other hackers.
And that's how you got these really heated debates in the 90s about disclosure.
Should you just dump these things online, because any script kiddie can pick them up and use it for all kinds of mischief?
But, you know, don't you want to just stick a middle finger to all these companies that are basically threatening you all the time?
So there was this really interesting dynamic at play, and what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment.
And they started quietly reaching out to hackers on these forums and they said, hey, you know that zero day you just dropped online?
Could you come up with something custom for me?
And I'll pay you six figures for it.
So long as you shut up and never tell anyone that I paid you for this, and that's
So throughout the 90s, there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, hey, I'll pay you six figures for that bug you were trying to get Microsoft to fix for free.
And sort of so began, or so catalyzed, this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free.
And in those early days, I think a lot of it was just for quiet counterintelligence, traditional espionage.
But as we started baking the software, Windows software, Schneider Electric, Siemens industrial software, into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero days came to be just as valuable for sabotage and war planning.
Does the fact that the market sprung up and you can now make a lot of money change the nature of the attackers that came to the table, or grow the number of attackers?
I mean, what is, I guess you told the psychology of the hackers in the 90s, what is the culture today and where is it heading?
So I think there are people who will tell you they would never sell a zero day to a zero day broker or a government.
One, because they don't know how it's going to get used when they throw it over the fence.
You know, most of these get rolled into classified programs and you don't know how they get used.
If you sell it to a zero day broker, you don't even know which nation state might use it, or potentially which criminal group might use it if you sell it on the dark web.
The other thing that they say is that they want to be able to sleep at night.
And they'd lose a lot of sleep if they found out their zero day was being used to, you know, make a dissident's life a living hell.
But there are a lot of people, good people, who also say, no, this is not my problem.
This is the technology company's problem.
If they weren't writing new bugs into their software every day, then there wouldn't be a market.
You know, then there wouldn't be a problem, but they continue to write bugs into their software all the time and they continue to profit off that software.
So why shouldn't I profit off my labor too?
And one of the things that has happened, which is I think a positive development over the last 10 years, are bug bounty programs.
You know, companies like Google and Facebook and then Microsoft and finally Apple, which resisted it for a really long time, have said, okay, we are going to shift our perspective about hackers.
We're no longer going to treat them as the enemy here.
We're going to start paying them for what is essentially free quality assurance.
And we're going to pay them good money, in some cases, you know, six figures.
We're never going to be able to bid against a zero day broker who sells to government agencies, but we can reward them and hopefully get to that bug earlier, where we can neutralize it so that they don't have to spend another year developing the zero day exploit.
And in that way, we can keep our software more secure.
But every week I get messages from some hacker that says, you know, I tried to see this zero day exploit that was just found in the wild, you know, being used by this nation state.
I tried to tell Microsoft about this two years ago and they were going to pay me peanuts.
So it never got fixed.
You know, there are all sorts of those stories that continue on.
And, you know, I think just generally hackers are not very good at diplomacy, you know, they tend to be a pretty snipey, technical crowd, and very philosophical in my experience.
But, you know, diplomacy is not their strong suit.
Well, there almost has to be a broker between companies and hackers who can translate effectively, just like you have a zero day broker between governments and hackers.
Because you have to speak their language.
And there have been some of those companies who've risen up to meet that demand.
And HackerOne is one of them.
Bugcrowd is another.
Synack has an interesting model.
So that's a company that you pay for a private bug bounty program, essentially.
So you pay this company, they tap hackers all over the world to come hack your software, hack your system, and then they'll quietly tell you what they found.
And I think that's a really positive development.
And actually, the Department of Defense hired all three of those companies I just mentioned to help secure their systems.
Now, I think they're still a little timid in terms of letting those hackers into the really sensitive, high side classified stuff, but, you know, baby steps.
Just to understand what you were saying, you think it's impossible for companies to financially compete with the zero day brokers, with governments, so like the defense can't outpay the hackers?
You know, they shouldn't outpay them, because what would happen if they started offering $2.5 million at Apple for any zero day exploit that governments would pay that much for is their own engineers would say, why the hell am I working for less than that and doing my nine to five every day?
So you would create a perverse incentive.
And I didn't think about that until I started this research, and I realized, okay, yeah, that makes sense.
You don't want to incentivize offense so much that it's to your own detriment.
And so I think what they have, though, what the companies have on government agencies, is if they pay you, you get to talk about it.
You know, you get the street cred.
You get to brag about the fact you just found that $2.5 million, you know, iOS zero day that no one else did.
And if you sell it to a broker, you never get to talk about it.
And I think that really does eat at people.
Can I ask you a big philosophical question about human nature here?
So if you have, in what you've seen, if a human being has a zero day, they found a zero day vulnerability that can hack into, I don't know, what's the worst thing you can hack into, something that could launch nuclear weapons.
Which percentage of the people in the world that have the skill would not share that with anyone, with any bad party?
I guess, how many people are completely devoid of ethical concerns, in your sense?
So my belief is all the ultra competent people, or a very, very high percentage of ultra competent people, are also ethical people.
That's been my experience.
But then again, my experience is narrow.
What's your experience been like?
So this was another question I wanted to answer.
Who are these people who would sell a zero day exploit that would neutralize a Schneider Electric safety lock at a petrochemical plant?
Basically the last thing you would need to neutralize before you trigger some kind of explosion.
Who would sell that?
And I got my answer.
Well, the answer was different.
A lot of people said, I would never even look there because I don't even want to know.
I don't even want to have that capability.
I don't even want to have to make that decision about whether I'm going to profit off of that knowledge.
I went down to Argentina, and this whole kind of moral calculus I had in my head was completely
So just to back up for a moment.
So Argentina actually is a real hacker's paradise.
People grew up in Argentina, and I went down there.
I guess I was there around 2015, 2016, but you still couldn't get an iPhone.
They didn't have Amazon Prime.
You couldn't get access to any of the apps we all take for granted.
To get those things in Argentina as a kid, you have to find a way to hack them.
And the whole culture is really like a hacker culture.
They say it's really like a MacGyver culture.
You have to figure out how to break into something with wire and tape.
And that means that there are a lot of really good hackers in Argentina who specialize in developing zero day exploits.
And I went down to this Argentina conference called Ekoparty.
And I asked the organizer, okay, can you introduce me to someone who's selling zero day exploits
And he was like, just throw a stone, throw a stone anywhere and you're going to hit someone.
And all over this conference, you saw these guys who were clearly from these Gulf States, who only spoke Arabic.
What are they doing at a young hacking conference in Buenos Aires?
And so I went out to lunch with kind of this godfather of the hacking scene
And I asked this really dumb question, and I'm still embarrassed about how I phrased it.
But I said, so, you know, well, these guys only sell these zero day exploits to good Western
And he said, Nicole, last time I checked, the United States wasn't a good Western government.
You know, the last country that bombed another country into oblivion wasn't China or Iran.
It was the United States.
So if we're going to go by your whole moral calculus, you know, just know that we have a very different calculus down here.
And we'd actually rather sell to Iran or Russia or China, maybe, than the United States.
And that just blew me away.
You know, he's like, we'll just sell to whoever brings us the biggest bag of cash.
Have you checked into our inflation situation recently?
So, you know, I had some of those like reality checks along the way.
You know, we tend to think of things as, is this moral, you know, is this ethical, especially as journalists, you know, we kind of sit on our high horse sometimes and write about a lot of things that seem to push the moral bounds.
But in this market, which is essentially an underground market that, you know, the one rule is like Fight Club, you know, no one's going to do that.
No one talks about Fight Club.
First rule of the zero day market, nobody talks about the zero day market, on both sides, because the hacker doesn't want to lose their $2.5 million bounty and governments roll these into classified programs and they don't want anyone to know what they have.
So no one talks about this thing.
And when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
Can I, as a small tangent, ask you by way of advice, you must have done some incredible interviews.
And you've also spoken about how seriously you take protecting your sources.
If you were to give me advice for interviewing when you're recording on mic with a video camera, how is it possible to get into this world?
Like, is it basically impossible?
So you've spoken with a few people.
What is it like, the godfather of cyber war, cyber security?
So people that are already out.
And they still have to be pretty brave to speak publicly.
But is it virtually impossible to really talk to anybody who's a current hacker?
You're always like 10, 20 years behind.
It's a good question.
And this is why I'm a print journalist.
But when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered.
When they've gotten someone on camera, that's usually how they do it.
Very, very few people talk in this space.
And there's actually a pretty well known case study in why you don't talk publicly in this space and you don't get photographed.
And that's the Grugq.
So, you know, the Grugq is or was this zero day broker, South African guy, lives in Thailand.
And right when I was starting on this subject at the New York Times, he'd given an interview to Forbes and he talked about being a zero day broker.
And he even posed next to this giant duffel bag filled with cash, ostensibly.
And later he would say he was speaking off the record.
He didn't understand the rules of the game.
But what I heard from people who did business with him was that the minute that that story came out, he became PNG'd.
No one did business with him.
His business plummeted by at least half.
No one wants to do business with anyone who's going to get on camera and talk about how they're selling zero days to governments.
It puts you in danger.
And I did hear that he got some visits from some security folks.
And, you know, that's another thing for these people to consider.
You know, if they have those zero day exploits at their disposal, they become a huge target for nation states all over the world.
You know, talk about having perfect opsec.
You know, you better have some perfect opsec if people know that you have access to those zero day exploits.
Which sucks, because, I mean, transparency here would be really powerful for educating the world and also inspiring other engineers to do good.
It just feels like when you operate in the shadows, it doesn't help us move in the positive direction in terms of like getting more people on the defense side versus on the attack side.
But of course, what can you do?
I mean, the best you can possibly do is have great journalists just like you did, interview and write books about it, and integrate the information you get while high.
And I think, you know, what HackerOne has told me was, okay, let's just put away the people that are finding and developing zero day exploits all day long.
Let's put that aside.
What about the, you know, however many millions of programmers all over the world who've never even heard of a zero day exploit?
Why not tap into them and say, hey, we'll start paying you if you can find a bug in United Airlines software or in Schneider Electric or in Ford or Tesla.
And I think that is a really smart approach.
Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them.
I have to ask you about this from a personal side. It's funny enough, after we agreed to talk, for the first time in my life I was a victim of a cyber attack.
So this is ransomware, it's called Deadbolt.
People can look it up.
I have a QNAP device for basically kind of cold-ish storage.
So it's about 60 terabytes with 50 terabytes of data on it in RAID 5, and apparently about 4,000 to 5,000 QNAP devices were hacked and taken over with this ransomware.
And what the ransomware does there is it goes file by file, almost all the files on the QNAP storage device, and encrypts them.
And then there's this very eloquently and politely written page that pops up.
It describes what happened.
All your files have been encrypted.
This includes, but is not limited to, photos, documents and spreadsheets.
A lot of people commented about how friendly and eloquent this is.
And I have to commend them, it is, and it's pretty user friendly.
This is not a personal attack.
You have been targeted because of the inadequate security provided by your vendor, QNAP.
You can make a payment of exactly 0.03 Bitcoin, which is about $1,000, to the following address.
Once the payment has been made, we'll follow up with a transaction to the same address, blah, blah, blah, they give you instructions of what happens next and they'll give you a decryption key that you can then use.
And then there's another message for QNAP that says all your affected customers have been targeted using a zero day vulnerability in your product.
We offer you two options to mitigate this and future damage.
One, make a Bitcoin payment of five Bitcoin to the following address, and that will reveal to QNAP the, I'm summarizing things here, what the actual vulnerability is, or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers.
50 Bitcoin is about $1.8 million.
So, first of all, on a personal level, this one hurt for me.
I mean, I learned a lot, because I wasn't, for the most part, backing up much of that data because I thought I can afford to lose that data.
It's not horrible.
I mean, I think you've spoken about the crown jewels, making sure there's things you really
I mean, I'm very conscious security wise on the crown jewels, but there's a bunch of stuff like, you know, personal videos, they're not like, I don't know, anything creepy, but just like fun things I did that, because they're very large or 4K or something like that, I kept them on there, thinking RAID 5 will protect it.
Just, I lost a bunch of stuff, including raw footage from interviews and all that kind
And I'm sure there's a lot of painful stuff like that for the 4,000 to 5,000 people that
And there's a lot of interesting ethical questions here.
Does QNAP pay them?
Do the individuals pay them?
Especially when you don't know if it's going to work or not.
So, QNAP said, please don't pay them.
We're working very hard day and night to solve this.
It's so philosophically interesting to me because I also project onto them, thinking, what is their motivation?
Because the way they phrase that, on purpose, perhaps, but I'm not sure if that actually reflects their real motivation, is maybe they're trying to help themselves sleep at night, basically saying this is not about you.
This is about the company with the vulnerabilities.
Just like you mentioned, this is the justification they have, but they're hurting real people.
They hurt me, but I'm sure there's a few others that are really hurt.
And the zero day factor is a big one.
QNAP right now is trying to figure out what the hell is wrong with their system that would let this in.
And even if they pay, if they still don't know where the zero day is, what's to say that they won't just hit them again and hit you again?
So that really complicates things, and that is a huge advancement for ransomware.
It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit zero days to pull these off.
Usually 80% of them, I think the data shows 80% of them come down to a lack of two factor
So when someone gets hit by a ransomware attack, they don't have two factor authentication on, their employees were using stupid passwords.
You can mitigate that in the future.
This one, they don't know.
They probably don't know.
And it was, I guess it's zero click, because I didn't have to do anything.
The only thing, well, here's the thing.
I did the basics of putting it behind a firewall, I followed instructions, but I didn't really
So maybe there's a misconfiguration of some sort that's easy to make.
We have a personal NAS, so I'm not willing to say that I did everything I possibly could, but I did a lot of reasonable stuff and they still hit it with zero clicks.
I didn't have to do anything.
Well, it's like a zero day and it's a supply chain attack.
You're getting hit from your supplier.
You're getting hit because of your vendor.
And it's also a new thing for ransomware groups to go to the individuals to pressure them
There was this really interesting case, I think it was in Norway, where there was a mental health clinic that got hit and the cyber criminals were going to the patients themselves to say, pay this or we're going to release your psychiatric records. I mean, talk about hell.
In terms of whether to pay, that is on the cheaper end of the spectrum.
From the individual or from the company?
We've seen, for instance, there was an Apple supplier in Taiwan, they got hit and the ransom demand was 50 million.
I'm surprised it's only 1.8 million.
I'm sure it's going to go up.
There's obviously governments, and maybe in this case the company, are going to tell you, we recommend you don't pay, or please don't pay.
But the reality on the ground is that some businesses can't operate, some countries
I mean, the under reported storyline of Colonial Pipeline was, after the company got hit and took the preemptive step of shutting down the pipeline because their billing systems were frozen, they couldn't charge customers downstream.
My colleague David Sanger and I got our hands on a classified assessment that said that as a country, we could have only afforded two to three more days of Colonial Pipeline
And it was really interesting.
I thought it was the gas and the jet fuel, but it wasn't.
We were sort of prepared for that.
It was the diesel.
Without the diesel, the refineries couldn't function and it would have totally screwed
And so there was almost this like national security, economic impetus for them to pay
And the other one I always think about is Baltimore.
You know, when the city of Baltimore got hit, I think the initial ransom demand was something around 76,000.
It may have even started smaller than that.
And Baltimore stood its ground and didn't pay, but ultimately the cost to remediate
It's a lot for the city of Baltimore.
That's money that could have gone to public school education and roads and public health.
And instead, it just went to rebuilding the systems from scratch.
And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000?
So it's not obvious.
It's easy to say, don't pay, because why, you're funding their R&D for the next go round.
But too often, it's too complicated.
So on the individual level, just like the way I feel personally from this attack, have you talked to people that were kind of victims in the same way I was, but maybe in more dramatic ways or so on, in the same way that violence hurts people?
How much has this hurt people, in your sense and the way you researched it?
The worst ransomware attack I've covered on a personal level was an attack on a hospital
And you think of this as like, okay, it's hitting their IT networks.
They should still be able to treat patients.
But it turns out that cancer patients couldn't get their chemo anymore, because the protocol of who gets what is very complicated and without it, nurses and doctors couldn't access it.
So they were turning chemo patients away, cancer patients away.
One nurse told us, I don't know why people aren't screaming about this, that the only thing I've seen that even compares to what we're seeing at this hospital right now was when I worked in the burn unit after the Boston Marathon bombing.
They really put it in these super dramatic terms.
And last year, there was a report in the Wall Street Journal where they attributed an infant death to a ransomware attack because a mom came in and whatever device they were using to monitor the fetus wasn't working because of the ransomware attack.
And so they attributed this infant death to the ransomware attack.
Now on a bigger scale, but less personal, there was the NotPetya attack.
So this was an attack by Russia on Ukraine that came at them through a supplier attack, a software company in that case, that didn't just hit any government agency or business in Ukraine that used this tax software, it actually hit any business all over the world that had even a single employee working remotely in Ukraine.
So it hit Maersk, the shipping company, it hit Pfizer, hit FedEx, but the one I will never forget is Merck.
It paralyzed Merck's factories.
I mean, it really created an existential crisis for the company.
Merck had to tap into the CDC's emergency supplies of the Gardasil vaccine that year because their whole vaccine production line had been paralyzed in that attack.
Imagine if that was going to happen right now to Pfizer or Moderna or Johnson and Johnson, you know, imagine, I mean, that would really create a global cyber terrorist attack essentially.
And that's almost unintentional.
I thought for a long time, I always labeled it as collateral damage, but actually just today, there was a really impressive threat researcher at Cisco, which has the threat intelligence division called Talos, who said, stop calling it collateral damage.
They could see who was going to get hit before they deployed that malware.
It wasn't collateral damage.
It was intentional.
They meant to hit any business that did business with Ukraine.
It was to send a message to them, too.
So I don't know if that's accurate.
I always thought of it as sort of the sloppy collateral damage, but it definitely made
So how much of this between states is going to be a part of war, these kinds of attacks on Ukraine, between Russia and US, Russia and China, China and US?
Let's look at China and US.
Do you think China and US are going to escalate something that would be called a war purely in the space of cyber?
I believe any geopolitical conflict from now on is guaranteed to have some cyber element
The Department of Justice recently declassified a report that said China's been hacking into our pipelines, and it's not for intellectual property theft.
It's to get a foothold so that if things escalate in Taiwan, for example, they are where they need to be to shut our pipelines down, and we just got a little glimpse of what that looked like with Colonial Pipeline and the panic buying and the jet fuel shortages and that assessment I just mentioned about the diesel.
They've gotten there.
Anytime I read a report about new aggression from Chinese fighter jets in Taiwan, or what's happening right now with Russia's buildup on the Ukraine border, or India, Pakistan, I'm always looking at it through a cyber lens, and it really bothers me that other people aren't, because there is no way that these governments and these nation states are not going to use their access to gain some advantage in those conflicts.
And I'm now in a position where I'm an advisor to the Cybersecurity and Infrastructure Security Agency at DHS, so I'm not saying anything classified here, but I just think that it's really important to understand just generally what the collateral damage could be for American businesses and critical infrastructure in any of these escalated conflicts around the world, because just generally, our adversaries have learned that they might never be able to match us in terms of our traditional military spending on traditional weapons and fighter
But we have a very soft underbelly when it comes to cyber.
80% or more of America's critical infrastructure, so pipelines, power grid, nuclear plants, water systems, is owned and operated by the private sector.
And for the most part, there is nothing out there legislating that those companies share the fact they've been breached, they don't even have to tell the government they've
There's nothing mandating that they even meet a bare minimum standard of cybersecurity.
So even when there are these attacks, most of the time, we don't even know about it.
So that is, if you were going to design a system to be as blind and vulnerable as possible, that is pretty good.
That's what it looks like, is what we have here in the United States.
And everyone here is just operating like, let's just keep hooking up everything for convenience, software eats the world.
Let's just keep going for cost, for convenience's sake, just because we can.
And when you study these issues and you study these attacks and you study the advancement and the uptick in frequency and the lower barrier to entry that we see every single year, you realize just how dumb software eats the world is.
And no one has ever stopped to pause and think, should we be hooking up these systems to the
They've just been saying, can we, let's do it.
And that's a real problem.
And this, and just in the last year, you know, we've seen a record number of zero day attacks.
I think there were 80 last year, which is probably more than double what it was in 2019.
A lot of those were nation states, you know, we live in a world with a lot of geopolitical hot points right now.
And where those geopolitical hot points are, are places where countries have been investing heavily in offensive cyber tools.
If you're a nation state, the goal would be to maximize the footprint of zero day, like super secret zero day that nobody's aware of, that whenever war is initiated, the huge negative effects of shutting down infrastructure or any kind of zero day is the chaos it creates.
So if you just, there's a certain threshold when you create the chaos, the markets plummet, just everything goes, goes to hell.
So it's not just zero days, you know, we make it so easy for threat actors.
I mean, we're not using two factor authentication, we're not patching.
There was the Shellshock vulnerability that was discovered a couple years ago.
It's still being exploited because so many people haven't fixed it.
So you know, the zero days are really the sexy stuff.
And what really drew me to the zero day market was the moral calculus we talked about.
Really from the US government's point of view, how do they justify leaving these systems so vulnerable when we use them here and we're baking more of our critical infrastructure with this vulnerable software?
It's not like we're using one set of technology and Russia is using another and China is using this, we're all using the same technology.
So when you find a zero day in Windows, you're not just leaving it open so you can spy on Russia or implant yourself in the Russian grid, you're leaving Americans vulnerable too.
But you know, but zero days are like, that is the secret sauce, you know, that's the
You know, and I always say, like every country now with the exception of Antarctica, someone added the Vatican to my list, is trying to find offensive hacking tools and zero days to make
And those that don't have the skills now have this market that they can tap into where, you know, $2.5 million, that's chump change for a lot of these nation states.
It's a hell of a lot less than trying to build the next fighter jet.
But yeah, the goal is chaos.
I mean, why did Russia turn off the lights twice in Ukraine?
You know, I think part of it is chaos, I think part of it is to sow the seeds of doubt in their current government, your government can't even keep your lights on.
Why are you sticking with them, you know, come over here and we'll keep your lights on at least, you know, there's like a little bit of that.
Nuclear weapons seem to have helped prevent nuclear war.
Is it possible that we have so many vulnerabilities and so many attack vectors on each other that it will kind of achieve the same kind of equilibrium, like mutually assured destruction?
Yeah, that's one hopeful solution to this.
Do you have any hope for this particular solution?
You know, nuclear analogies always tend to fall apart when it comes to cyber, mainly because you don't need fissile material, you know, you just need a laptop and the skills and you're in the game.
So it's a really low barrier to entry.
The other thing is attribution's harder and we've seen countries muck around with attribution.
We've seen, you know, nation states piggyback on other countries' spy operations and just sit there and siphon out whatever they're getting.
We learned some of that from the Snowden documents.
We've seen Russia hack into Iran's command and control attack servers.
We've seen them hit a Saudi petrochemical plant where they did neutralize the safety locks at the plant and everyone assumed that it was Iran, given Iran had been targeting Saudi oil companies forever, but nope, it turned out that it was a graduate research institute
So you see countries kind of playing around with attribution.
I think because they think, okay, if I do this, like how am I going to cover up that it came from me because I don't want to risk the response?
So people are sort of dancing around this.
It's just in a very different way.
And, you know, at the Times I'd covered the Chinese hacks of infrastructure companies
I'd covered the Russian probes of nuclear plants.
I'd covered the Russian attacks on the Ukraine grid.
And then in 2018, my colleague David Sanger and I covered the fact that U.S. Cyber Command had been hacking into the Russian grid and making a pretty loud show of it.
And when we went to the National Security Council, because that's what journalists do before they publish a story, they give the other side a chance to respond, I assumed we would be in for that really awkward, painful conversation where they would say, you will have blood on your hands if you publish this story.
And instead they gave us the opposite answer.
They said, we have no problem with you publishing this story.
Well, they didn't say it out loud, but it was pretty obvious they wanted Russia to know that we're hacking into their power grid too, and they better think twice before they do to us what they had done to Ukraine.
So yeah, you know, we have stumbled into this new era of mutually assured digital destruction.
I think another sort of quasi norm we've stumbled into is proportional responses.
You know, there's this idea that if you get hit, you're allowed to respond proportionally at a time and place of your choosing.
You know, that is how the language always goes.
That's what Obama said after North Korea hit Sony.
We will respond at a time and place of our choosing.
But no one really knows, like, what that response looks like.
And so what you see a lot of the time are just these, like, just short of war attacks.
You know, Russia turned off the power in Ukraine, but it wasn't like it stayed off for a week.
You know, it stayed off for a number of hours.
You know, NotPetya hit those companies pretty hard, but no one died.
You know, and the question is, what's going to happen when someone dies?
And can a nation state masquerade as a cyber criminal group, as a ransomware group?
And that's what really complicates coming to some sort of digital Geneva Convention.
Like, there's been, there's been a push from Brad Smith at Microsoft.
We need a digital Geneva Convention.
And on its face, it sounds like a no brainer.
Why wouldn't we all agree to stop hacking into each other's civilian hospital systems, power grid, pipelines, but when you talk to people in the West, officials in the West, they'll say, we would never, we'd love to agree to it, but we never do it when you're dealing with Xi or Putin or Kim Jong Un, because a lot of times they outsource these operations to cyber criminals.
In China, we see a lot of these attacks come from this loose satellite network of private citizens that work at the behest of the Ministry of State Security.
So how do you come to some sort of state to state agreement when you're dealing with transnational actors and cyber criminals, where it's really hard to pin down whether that person was acting alone or whether they were acting at the behest of the MSS or the
And a couple of years ago, I can't remember if it was before or after NotPetya, but Putin said, hackers are like artists who wake up in the morning in a good mood and start
In other words, I have no say over what they do or don't do.
So how do you come to some kind of norm when that's how he's talking about these issues and he's just decimated Merck and Pfizer and however many thousand companies?
That is the fundamental difference between nuclear weapons and cyber attacks, is the attribution, or one of the fundamental differences.
If you can fix one thing in the world in terms of cyber security that would make the world a better place, what would you fix?
So you're not allowed to fix authoritarian regimes and you have to keep that.
You have to keep human nature as it is.
In terms of on the security side, technologically speaking, you mentioned there's no regulation on companies in the United States.
What if you could just fix, with the snap of a finger, what would you fix?
Two factor authentication, multifactor authentication.
It's ridiculous how many of these attacks come in because someone didn't turn on multifactor
I mean, Colonial Pipeline, okay, they took down the biggest conduit for gas, jet fuel and diesel to the east coast of the United States of America, how?
Because they forgot to deactivate an old employee account whose password had been traded on the dark web and they'd never turned on two factor authentication.
This water treatment facility outside Florida was hacked last year.
How did it happen?
They were using Windows XP from like a decade ago that can't even get patches if you want it to, and they didn't have two factor authentication.
Time and time again, if they just switched on two factor authentication, some of these attacks wouldn't have been possible.
Now, if I could snap my fingers, that's a thing I would do right now.
But of course, this is a cat and mouse game and then the attackers are on to the next thing.
But I think right now, that is like bar none, that is the easiest, simplest way to deflect the most attacks, and the name of the game right now isn't perfect security.
Perfect security is impossible.
They will always find a way in.
The name of the game right now is make yourself a little bit harder to attack than your competitor or than anyone else out there so that they just give up and move along.
Maybe if you are a target for an advanced nation state or the SVR, you're going to get hacked no matter what, but you can make cyber criminal groups deadbolt, is it?
You can make their jobs a lot harder simply by doing the bare basics.
And the other thing is stop reusing your passwords, but if I only get one, then two factor authentication.
So what is two factor authentication?
Factor one is what, logging in with a password, and factor two is like, have another device or another channel through which you can confirm, yeah, that's me.
You know, usually this happens through some kind of text, you know, you get your one time code from Bank of America or from Google, and the better way to do it is spend $20 buying yourself a FIDO key on Amazon.
That's a hardware device.
And if you don't have that hardware device with you, then you're not going to get in.
And the whole goal is, I mean, basically, you know, my first half of my decade at the Times was spent covering like the copy.
It was like Home Depot got breached, News at 11, you know, Target, Neiman Marcus, like who wasn't hacked over the course of those five years.
And a lot of those companies that got hacked, what did hackers take?
They took the credentials.
They took the passwords.
They can make a pretty penny selling them on the dark web and people reuse their passwords.
So you get one from, you know, God knows who, I don't know, LastPass, the worst case example actually LastPass, but you get one and then you go test it on their email account and you go test it on their brokerage account and you test it on their cold storage account.
You know, that's how it works.
But if you have multi factor authentication, then they can't get in because they might have your password, but they don't have your phone.
They don't have your FIDO key, you know, and so you keep them out.
And you know, I get a lot of alerts that tell me someone is trying to get into your Instagram account or your Twitter account or your email account and I don't worry because I use multi factor authentication.
They can try all day.
I worry a little bit, but, you know, it's the simplest thing to do and we don't even
Well, there's an interface aspect to it because it's pretty annoying if it's implemented poorly.
So, so actually bad implementation of two factor authentication, not just bad, but just something that adds friction, is a security vulnerability, I guess, because it's really annoying.
Like, I think MIT for a while had two factor authentication, it was really annoying.
I just, like the, the time, the number of times it pings you, like, uh, it re, it asks to reauthenticate across multiple subdomains, like, it just feels like a pain.
I don't know what the right balance is there.
It feels like friction in our frictionless society, it feels like friction, it's annoying.
That's security's biggest problem.
You know, we need the Steve Jobs of security to come along and we need to make it painless.
And actually, you know, on that point, Apple has probably done more for security than anyone else simply by introducing biometric authentication first with the fingerprint and then with face
And it's not perfect, but, you know, if you think just eight years ago, everyone was running around with either no passcode, an optional passcode or a four digit passcode on their phone that anyone, you know, think of what you can get when you get someone's iPhone, if you steal someone's iPhone and, you know, props to them for introducing the fingerprint and
And again, it wasn't perfect, but it was a huge step forward.
Now it's time to make another huge step forward.
I want to see the password die.
I mean, it's gotten us as far as it was ever going to get us.
And I hope whatever we come up with next is not going to be annoying, is going to be seamless.
When I was at Google, that's what we worked on is, and there's a lot of ways to call it, active authentication, passive authentication.
So basically you use biometric data, not just like a fingerprint, but everything from your body to identify who you are.
Like movement patterns, so it basically creates a lot of layers of protection where it's very difficult to fake, including like face unlock, checking that it's your actual face, like the liveness tests.
So like from video, so unlocking it with video, voice, the way you move the phone, the way you take it out of the pocket, that kind of thing.
All of those factors, it's a really hard problem though.
And ultimately, it's very difficult to beat the password to have a security.
Well, there's a company that I actually will call out and that's Abnormal Security.
So they work on email attacks.
And it was started by a couple of guys who were doing, I think, ad tech at Twitter.
So you know, ad technology now, like it's a joke how much they know about us, you know, you always hear the conspiracy theories that, you know, you saw someone's shoes and next thing you know, it's on your phone, it's amazing what they know about you.
And they're basically taking that and they're applying it to attacks.
So they're saying, okay, you know, if you're, this is what your email patterns are, it might be different for you and me because we're emailing strangers all the time.
But for most people, their email patterns are pretty predictable.
And if something strays from that pattern, that's abnormal.
And they'll block it, they'll investigate it, you know, and that's great.
You know, let's start using that kind of targeted ad technology to protect people.
And yeah, I mean, it's not going to get us away from the password and using multi factor authentication, but you know, the technology is out there and we just have to figure out how to use it in a really seamless way because it doesn't matter if you have the perfect security solution if no one uses it.
I mean, when I started at the Times, when I was trying to be really good about protecting sources, I was trying to use PGP encryption and it's like, it didn't work, you know, the number of mistakes I would probably make just trying to email someone with PGP just wasn't
And then Signal came along and, and Signal, Wickr, you know, they made it a lot easier to send someone an encrypted text message.
So we, we have to start investing in creative minds in good security design, you know, I really think that's the hack that's going to get us out of where we are today.
What about social engineering?
Do you worry about this sort of hacking people?
Yes, I mean, this is the worst nightmare of every chief information security officer out
You know, social engineering, we work from home now.
I saw this, this woman posted online about how her husband, it went viral today, but it was her husband had this problem at work.
They hired a guy named John and now the guy that shows up for work every day doesn't act
I mean, think about that.
Like think about the potential for social engineering in that context.
You know, you apply for a job and you put on a pretty face, you hire an actor or something and then you just get inside the organization and get access to all that organization's
You know, a couple of years ago, Saudi Arabia planted spies inside Twitter, you know, why?
Probably because they were trying to figure out who these people were, who were criticizing the regime on Twitter, you know, they couldn't do it with a hack from the outside.
You know, why not plant people on the inside?
And that's like the worst nightmare.
And it also, unfortunately, creates all kinds of xenophobia at a lot of these organizations.
I mean, if you're going to have to take that into consideration, then organizations are going to start looking really skeptically and suspiciously at someone who applies for that job from China.
And we've seen that go really badly at places like the Department of Commerce where they basically accuse people of being spies that aren't spies.
So it is the hardest problem to solve.
And it's never been harder to solve than right at this very moment when there's so much pressure for companies to let people work remotely.
That's actually why I'm single, I'm suspicious that China and Russia, every time I meet somebody, are trying to plant and get insider information, so I'm very, very suspicious.
I keep putting the Turing test in front, no.
No, I have a friend who worked inside NSA and was one of their top hackers.
And he's like, every time I go to Russia, I get hit on by these 10s.
And I come home, my friends are like, I'm sorry, you're not a 10, like the common story.
I mean, it's difficult to trust humans in this day and age online, you know, because so we're working remotely, that's one thing, but just interacting with people on the internet.
It sounds ridiculous, but, you know, because of this podcast in part, I've gotten to meet some incredible people, but it, you know, it makes you nervous to trust folks.
And I don't know how to solve that problem.
So I'm talking with Mark Zuckerberg, who dreams about creating the metaverse.
What do you do about that world where more and more of our lives are in the digital sphere?
Like one way to phrase it is most of our meaningful experiences at some point will be online, like falling in love, getting a job, or experiencing a moment of happiness with a friend, with a new friend made online, all of those things, like more and more, the fun we do, the things that make us love life will happen online.
And if those things have an avatar that's digital, that's like a way to hack into people's minds, whether it's with AI or kind of troll farms or something like that, I don't know if there's a way to protect against that.
That might fundamentally rely on our faith in how good human nature is.
So if most people are good, we're going to be okay.
But if people will tend towards manipulation and a level of behavior in search of power, then we're screwed.
So I don't know if you can comment on how to keep the metaverse secure.
I mean, all I thought about when you were talking just now is my three year old son.
He asked me the other day, what's the internet, mom?
And I just almost wanted to cry.
I don't want that for him.
I don't want all of his most meaningful experiences to be online.
By the time that happens, how do you know that person's human, that avatar is human?
I believe in free speech.
I don't believe in free speech for robots and bots.
And look what just happened over the last six years.
We had bots pretending to be Black Lives Matter activists just to sow some division, or Texas secessionists, or organizing anti-Hillary protests, or just to sow more division, tie us up in our own politics so that we're so paralyzed, we can't get anything done.
We can't make any progress and we definitely can't handle our adversaries and their long
It really scares me and here's where I just come back to, just because we can create the metaverse, just because it sounds like the next logical step in our digital revolution.
Do I really want my child's most significant moments to be online?
They weren't for me.
So maybe I'm just stuck in that old school thinking or maybe I've seen too much.
And I'm really sick of being the guinea pig parent generation for these things.
I mean, it's hard enough with screen time, thinking about how to manage the metaverse as a parent to a young boy.
I can't even let my head go there.
That's so terrifying for me.
But we've never stopped any new technology just because it introduces risks.
We've always said, okay, the promise of this technology means we should keep going, keep
We just need to figure out new ways to manage that risk.
And that's the blockchain right now.
When I was covering all of these ransomware attacks, I thought, okay, this is going to be it for cryptocurrency.
Governments are going to put the kibosh down.
They're going to put the hammer down and say, enough is enough.
We have to put this genie back in the bottle because it's enabled ransomware.
I mean, five years ago, they would hijack your PC and they'd say, go to the local pharmacy, get an eGift card and tell us what the PIN is, and then we'll get your $200.
Now it's pay us, you know, five Bitcoin.
And so there's no doubt cryptocurrency's enabled ransomware attacks, but after the Colonial Pipeline ransom was seized, because if you remember, the FBI was actually able to go in and claw some of it back from DarkSide, which was the ransomware group that hit it.
And I spoke to these guys at TRM Labs.
So they're one of these blockchain intelligence companies.
And a lot of people that work there used to work at the Treasury.
And what they said to me was, yeah, cryptocurrency has enabled ransomware, but to track down that ransom payment would have taken, you know, if we were dealing with fiat currency, would have taken us years to get to that one bank account belonging to that one front company in the Seychelles.
And now, thanks to blockchain, we can track the movement of those funds in real time.
And you know what, you know, these payments are not as anonymous as people think.
Like we still can use our old hacking ways and zero days and, you know, old school intelligence methods to find out who owns that private wallet and how to get to it.
So it's a curse in some ways in that it's an enabler, but it's also a blessing.
And they said that same thing to me that I just said to you, they said, we've never shut down a promising new technology because it introduced risk.
We just figured out how to manage that risk.
And I think that's where the conversation unfortunately has to go, is how do we, in the metaverse, use technology to fix things.
So maybe we'll finally be able to, not finally, but figure out a way to solve the identity problem on the internet, meaning like a blue check mark for actual human and connect it to identity, like a fingerprint, so you can prove you're you and yet do it in a way that doesn't involve the company having all your data. So allowing you to maintain control over your data or if you don't, then there's a complete transparency of how that data is being used, all those kinds of things. And maybe as you educate more and more people, they would demand in a capitalist society that the companies that they give their data to will respect that data.
link |
I mean, there is this company and I hope they succeed. Their name's PIIano and they want to create a vault for your personal information inside every organization. And ultimately, if I'm going to call Delta Airlines to book a flight, they don't need to know my social security number, they don't need to know my birth date. They're just going to send me a one-time token to my phone. My phone's going to say, or my FIDO key is going to say, yep, it's her. And then we're going to talk about my identity like a token, some random token. They don't need to know exactly who I am. They just need to know the system trusts that I am who I say I am, but they don't get access
They don't get access to my social security number, my location, or the fact I'm a Times
I think that's the way the world's going to go. Enough is enough on sort of losing our personal information everywhere, letting data marketing companies track our every move. They don't need to know who I am, okay, I get it. We're stuck in this world where the internet runs on ads, so ads are not going to go away, but they don't need to know I'm Nicole Perlroth. They can know that I am token number X567.
link |
And they can let you know what they know and give you control about removing the things

Yeah, right to be forgotten.

To me, you should be able to walk away with a single press of a button. And I also believe that most people given the choice to walk away won't walk away. They'll just feel better about having the option to walk away when they understand the tradeoffs. If you walk away, you're not going to get some of the personalized experiences that you would otherwise get, like a personalized feed and all those kinds of things. But the freedom to walk away is, I think, really powerful. And obviously, what you're saying, there's all of these HTML forms. We have to enter your phone number and email and private information from Delta, every
Longer times, I have so many opinions on this, just the friction and the sign up and all of those kinds of things. I should be able to, this has to do with everything. This has to do with payment too. Payment should be trivial. It should be one click and one click to unsubscribe and subscribe and one click to provide all of your information that's necessary for the subscription service, for the transaction service, whatever, that is getting a ticket as opposed to, I have all these fake phone numbers and emails that I use in Delta sign up because you never know if one site is hacked, then it's just going to propagate to everything else.
link |
And there's low hanging fruit and I hope Congress does something and frankly, I think it's negligent they haven't on the fact that elderly people are getting spammed to death on their phones these days with fake car warranty scams. I mean, my dad was in the hospital last year and I was in the hospital room and his phone kept buzzing and I look at it and it's just spam attack after spam attack, people nonstop calling about his freaking car warranty, why they're trying to get his social security number, they're trying to get his PII, they're trying to get their information. We need to figure out how to put those people in jail for life and we need to figure out why in the hell we are being required or asked to hand over our social security number and our home address and our password, all of that information to every retailer who asks. I mean, that's insanity. And there's no question they're not protecting it because it keeps showing up in spam or identity theft or credit card theft or worse.
link |
Well, spam is getting better and maybe as a side note, make a public announcement, please clip this out, which is if you get an email or a message from Lex Fridman saying how much I, Lex, appreciate you and love you and so on and please connect with me on my WhatsApp number and I will give you Bitcoin or something like that, please do not click. And I'm aware that there's a lot of this going on, a very large amount, I can't do anything
This is on every single platform, it's happening more and more and more, which I've been recently informed that they're now emailing. So it's cross platform, they're taking people's, they're somehow, this is fascinating to me because they are taking people who comment on various social platforms and they somehow reverse engineer, they figure out what their email is and they send an email to that person saying from Lex Fridman and it's like a heartfelt email with links. It's fascinating because it's cross platform now, it's not just a spam bot that's messaging and a comment that's in reply, they are saying, okay, this person cares about this other person on social media, so I'm going to find another channel, which in their mind probably increases, and it does, the likelihood that they'll get the people to click and they do. I don't know what to do about that, it makes me really, really sad, especially with podcasting, there's an intimacy that people feel connected and they get really excited, okay, cool. I want to talk to Lex and they click and I get angry at the people that do this. I mean, it's like the John that gets hired, the fake employee, I mean, I don't know what
I suppose the solution is education, it's telling people to be skeptical on the stuff they click, that balance with the technology solution of creating a maybe like two-factor authentication and maybe helping identify things that are likely to be spam, I don't know, but then the machine learning there is tricky because you don't want to add a lot of extra friction that just annoys people because they'll turn it off because you have the accept cookies thing, right? That everybody has to click on and now they completely ignore the accept cookies. This is very difficult to find that frictionless security.
link |
You mentioned Snowden, you talked about looking through the NSA documents he leaked and doing the hard work of that. What do you make of Edward Snowden? What have you learned from those documents? What do you think of him? In the long arc of history, is Edward Snowden a hero or a villain?
link |
I think he's neither. I have really complicated feelings about Edward Snowden. On the one hand, I'm a journalist at heart and more transparency is good and I'm grateful for the conversations that we had in the post-Snowden era about the limits to surveillance and how critical privacy is. When you have no transparency and you don't really know in that case what our secret courts were doing, how can you truly believe that our country is taking our civil liberties
On the one hand, I'm grateful that he cracked open these debates. On the other hand, when I walked into the storage closet of classified NSA secrets, I had just spent two years covering Chinese cyber espionage almost every day and the sort of advancement of Russian attacks that were just getting worse and worse and more destructive. There were no limits to Chinese cyber espionage and Chinese surveillance of its own citizens. There seemed to be no limit to what Russia was willing to do in terms of cyber attacks and also in some cases assassinating journalists. When I walked into that room, there was a part of me quite honestly that was relieved to know that the NSA was as good as I hoped they were. We weren't using that knowledge to, as far as I know, assassinate journalists. We weren't using our access to take out pharmaceutical companies. For the most part, we were using it for traditional espionage.

That set of documents also set me on the journey of my book because to me, the American people's reaction to the Snowden documents was a little bit misplaced. They were upset about the phone call metadata collection program. Angela Merkel, I think, rightfully was upset that we were hacking her cell phone. But in the spy-eat-spy world, hacking world leaders' cell phones is pretty much what most
There wasn't a lot that I saw in those documents that was beyond what I thought a spy agency
I think if there was another 9/11 tomorrow, God forbid, we would all say, how did the NSA
Why weren't they spying on those terrorists? Why weren't they spying on those world leaders? There's some of that too. But I think that there was great damage done to the US's reputation. I think we really lost our halo in terms of a protector of civil liberties. And I think a lot of what was reported was unfortunately reported in a vacuum. That was my biggest gripe, that we were always reporting, the NSA has this program and here's what it does and the NSA is in Angela Merkel's cell phone and the NSA can do this and no one was saying, and by the way, China has been hacking into our pipelines and they've been making off with all of our intellectual property and Russia's been hacking into our energy infrastructure and they've been using the same methods to spy on, track and in many cases kill their own journalists and the Saudis have been doing this to their own critics
And so you can't talk about any of these countries in isolation. It is really like spy-eat-spy out there. And so I just have complicated feelings.

And the other thing is, and I'm sorry, this is a little bit of a tangent, but the amount of documents that we had, like thousands of documents, most of which were just crap, but had people's names on them, you know, part of me wishes that those documents had been released in a much more targeted, limited way. Just a lot of it just felt like a PowerPoint that was taken out of context. And you just sort of wish that there had been a little bit more thought into what was released because I think a lot of the impact from Snowden was just the volume of the reporting. But I think, you know, based on what I saw personally, there was a lot of stuff that I just, I don't know why that particular thing got released.
link |
As a whistleblower, what's the better way to do it? Because, I mean, there's fear, it takes a lot of effort to do a more targeted
You know, if there's proper channels, you're afraid that those channels will be manipulated, like who do you trust? What's a better way to do this, do you think as a journalist, this is almost like a journalistic question, reveal some fundamental flaw in the system without destroying the system. And I bring up, you know, again, Mark Zuckerberg and Meta, there was a whistleblower that came out about Instagram internal studies. And I'm also torn about how to feel about that whistleblower, because from a company perspective, that's an open culture. How can you operate successfully if you have an open culture where any one whistleblower can come out, out of context, take a study whether it represents a larger context or not. And the press eats it up. And then that creates a narrative that is just like with the NSA, you said it's out of context, very targeted to where, well, Facebook is evil, clearly, because of this one leak. It's really hard to know what to do there, because we're now in a society that deeply distrusts institutions. And so narratives by whistleblowers make that whistleblower and their forthcoming book very
And so there's a huge incentive to take stuff out of context and to tell stories that don't represent the full context, the full truth. It's hard to know what to do with that, because then that forces Facebook and Meta and governments to be much more conservative, much more secretive. It's like a race to the bottom, I don't know if you can comment on any of that, how to be a whistleblower ethically and properly.
link |
I mean, these are hard questions. And even for myself, in some ways, I think of my book as sort of blowing the whistle on the underground zero day market, but it's not like I was in the market myself. It's not like I had access to classified data when I was reporting out that book. As I say in the book, listen, I'm just trying to scrape the surface here so we can have these conversations before it's too late. And I'm sure there's plenty in there that someone who's US intelligence agencies' preeminent zero day broker probably has some voodoo doll of me out there. And you're never going to get it 100%. But I really applaud whistleblowers like the whistleblower who blew the whistle on the Trump call with Zelensky. People needed to know about that, that we were basically in some ways blackmailing an ally to try to influence an election. They went through the proper channels. They weren't trying to profit off of it, right? There was no book that came out afterwards from that whistleblower. That whistleblower's not like, they went through the channels. They're not living in Moscow. Let's put it that way.
link |
Can I ask you a question? You mentioned NSA, one of the things it showed is they're pretty good at what they do? Again, this is a touchy subject, I suppose, but there's a lot of conspiracy theories about intelligence agencies. From your understanding of intelligence agencies, CIA, NSA, and the equivalent in other countries, are they, one question, this could be a dangerous question, are they competent? Are they good at what they do? And two, are they malevolent in any way? A recent conversation about tobacco companies, they see their customers as dupes. They can just play games with people. Conspiracy theories tell that similar story about intelligence agencies, that they're interested in manipulating the populace for whatever ends the powerful in dark rooms, cigarette smoke, cigar smoke filled rooms. What's your sense? Do these conspiracy theories have any truth to them or are intelligence agencies for the most part good for society?
link |
Okay, well, that's an easy one. I think it depends which intelligence agency. Think about the Mossad. They're killing every Iranian nuclear scientist they can over the years, but have they delayed the time horizon before Iran gets the bomb? Have they probably staved off terror attacks on their own citizens? None of these, intelligence is intelligence. You can't just say they're malevolent or they're heroes. Everyone I have met in this space is not the pound-your-chest patriot that you see on the beach on the 4th of July. A lot of them have complicated feelings about their former employers, well, at least at the NSA, reminded me, to do what we were accused of doing after Snowden, to spy on Americans, you have no idea the amount of red tape and paperwork and bureaucracy it would have taken to do whatever one thinks that we were supposedly doing, but then we find out in the course of the Snowden reporting about a program called LOVEINT where a couple of the NSA analysts were using their access to spy on their ex-girlfriends. There's an exception to every case.

I will probably get accused of my Western bias here again, but I think you can almost barely compare some of these Western intelligence agencies to China, for instance. The surveillance that they're deploying on the Uyghurs to the level they're deploying it, and the surveillance they're starting to export abroad with some of the programs like the watering hole attack I mentioned earlier, where it's not just hitting the Uyghurs inside China, it's hitting anyone interested in the Uyghur plight outside China. It could be an American high school student writing a paper on the Uyghurs. They want to spy on that person too. There's no rules in China really limiting the extent of that surveillance. We all better pay attention to what's happening with the Uyghurs because just as Ukraine has been to Russia in terms of a test kitchen for cyber attacks, the Uyghurs are China's test kitchen for surveillance. There's no doubt in my mind that they're testing them on the Uyghurs. Uyghurs are their petri dish and eventually they will export that level of surveillance

I mean, in 2015, Obama and Xi Jinping reached a deal where basically the White House said you better cut it out on intellectual property theft. They made this agreement that they would not hack each other for commercial benefit. For a period of about 18 months, we saw this huge drop off in Chinese cyber attacks on American companies. Some of them continued. They continued on aviation companies, on hospitality companies like Marriott. Because that was still considered fair game to China. It wasn't IP theft. They were after it. They wanted to know who was staying in this city at this time when Chinese citizens were staying there so they could cross match for counterintelligence who might be a likely Chinese
I'm sure we're doing some of that too. Counterintelligence is counterintelligence. It's considered fair game.

Where I think it gets evil is when you use it for censorship to suppress any dissent, to do what I've seen the UAE do to its citizens, where people who've gone on Twitter just to advocate for better voting rights, more enfranchisement, only find their passports confiscated. I talked to one critic, Ahmed Mansoor, and he told me, you might find yourself a terrorist, labeled a terrorist one day, and you don't even know how to operate a gun. He'd been beaten up every time he tried to go somewhere. His passport had been confiscated. By that point, it turned out they'd already hacked into his phone, so they were listening
They'd hacked into his baby monitor, so they're spying on his child, and they stole his car. Then they created a new law that you couldn't criticize the ruling family or the ruling
He's been in solitary confinement every day since on hunger strike. We don't do that here. We have rules here. We don't cross that line. In some cases, I won't go to Dubai. I won't go to Abu Dhabi. If I ever want to go to the Maldives, too bad, most of the flights go through Dubai.
link |
There's some lines we're not willing to cross, but then again, just like you said, there's individuals within NSA, within CIA, and they may have power. To me, there's levels of evil. To me, personally, this is the stuff of conspiracy theories, is the things you've mentioned as evil are more direct attacks, but there's also psychological warfare, so blackmail. What does spying allow you to do? It allows you to collect information if you have something that's embarrassing, or if you have like Jeffrey Epstein conspiracy theories active, what is it, manufacture of embarrassing things, and then use blackmail to manipulate the population or all the powerful people
It troubles me deeply that MIT allowed somebody like Jeffrey Epstein in their midst, especially some of the scientists I admire that they would hang out with that person at all. I'll talk about it sometimes, and then a lot of people tell me, well, obviously, Jeffrey Epstein is the front for intelligence, and I struggle to see that level of competence and malevolence, but who the hell am I? I guess I was trying to get to that point. You said that there's bureaucracy and so on, which makes some of these things very difficult. I wonder how much malevolence, how much competence there is in these institutions. How far, it takes us back to the hacking question, how far are people willing to go if they have
This has to do with social engineering, this has to do with hacking, this has to do with manipulating people, attacking people, doing evil onto people, psychological warfare and
I don't know, I believe that most people are good, and I don't think that's possible in
There's something that happens when you have a centralized government where power corrupts over time and you start surveillance programs, it's like a slippery slope that over time starts to both use fear and direct manipulation to control the populace, but in a free society
I just, it's difficult for me to imagine that you can have like somebody like a Jeffrey Epstein, the front for intelligence. I don't know what I'm asking you, but I'm just, I have a hope that for the most part intelligence agencies are trying to do good and are actually doing good for the world when you view it in the full context of the complexities of the world. But then again, if they're not, would we know? That's why Edward Snowden might be a good thing.
link |
Let me ask you a personal question, you have investigated some of the most powerful organizations and people in the world of cyber warfare, cyber security. Are you ever afraid for your own life, your own well being, digital or physical?

I mean, I've had my moments. You know, I've had our security team at the Times call me at one point and said someone's on the dark web offering good money to anyone who can hack your phone or your laptop. I describe in my book how when I was at that hacking conference in Argentina, I came back and I brought a burner laptop with me, but I'd kept it in the safe anyway and it didn't have anything on it, but someone had broken in and it was moved. You know, I've had all sorts of sort of scary moments and then I've had moments where I think I went just way too far into the paranoid side. I mean, I remember writing about the Times hack by China and I'd just covered a number of Chinese cyber attacks where they'd gotten into the thermostat at someone's corporate apartment and, you know, they've gotten into all sorts of stuff and I was living by myself. I was single in San Francisco and my cable box on my television started making some weird noises in the middle of the night and I got up and I ripped it out of the wall and I think I said something embarrassing like, fuck you China, you know, and then I went back to bed and I woke up and like, it's like beautiful morning light, I mean, I'll never
Like this is like glimmering morning light shining on my cable box, which has now been ripped out and is sitting on my floor and like the morning light and I was just like, no, no, no, like I'm not going down that road. Like you basically, I came to a fork in the road where I could either go full tinfoil hat, go live off the grid, never have a car with navigation, never use Google Maps, never own an iPhone, never order diapers off Amazon, you know, create an alias, or I could just do the best I can and live in this new digital world we're living in.

And what does that look like for me? I mean, what are my crown jewels? This is what I tell people, what are your crown jewels, because just focus on that. You can't protect everything, but you can protect your crown jewels. For me, for the longest time, my crown jewels were my sources. I was nothing without my sources. So I had some sources, I would meet at the same dim sum place or maybe it was a different restaurant on the same date, you know, every quarter and we would never drive there. We would never Uber there. We wouldn't bring any devices. I could bring a pencil and a notepad. And if someone wasn't in town, like there were a couple of times where I'd show up and the source never came, but we never communicated digitally. And those were the lengths I was willing to go to protect that source, but you can't do
So for everyone else, you know, it was Signal, using two-factor authentication, you know, keeping my devices up to date, not clicking on phishing emails, using a password manager, all the things that, you know, we know we're supposed to do. And that's what I tell everyone, like don't go crazy because then that's like the ultimate
Then they've hacked your mind, whoever they is for you. But just do the best you can.

Now, my whole risk model changed when I had a kid, you know, now it's, oh God, you know, if anyone threatened my family, God help them, but it changes you and, you know, unfortunately, there are some things like I was really scared to go deep on, like Russian cybercrime, you know, like Putin himself, you know, and it's interesting, like I have a mentor who's an incredible person who was the Times Moscow bureau chief during the Cold War. And after I wrote a series of stories about Chinese cyber espionage, he took me out to lunch and he told me that when he was living in Moscow, he would drop his kids off at preschool when they were my son's age now. And the KGB would follow him and they would make a really like loud show of it. You know, they'd tail him, they'd, you know, honk, they'd just be a wreck, make a wreck
And he said, you know what, they never actually did anything, but they wanted me to know that they were following me and I operated accordingly. And he says, that's how you should operate in the digital world. You know that there are probably people following you. Sometimes they'll make a little bit of noise. But one thing you need to know is that while you're at the New York Times, you have a little bit of an invisible shield on you, you know, if something were to happen to you, that would be a really big deal. That would be an international incident. So I kind of carried that invisible shield with me for years. And then Jamal Khashoggi happened and that destroyed my vision of my invisible shield. You know, sure, you know, he was a Saudi, but he was a Washington Post columnist. You know, for the most part, he was living in the United States, he was a journalist. And for them to do what they did to him pretty much in the open and get away with it. And for the United States to let them get away with it because we wanted to preserve diplomatic relations with the Saudis, that really threw my worldview upside down. And you know, I think that sent a message to a lot of countries that it was sort of open season on journalists. And to me, that was one of the most destructive things that happened under the previous administration. And you know, I don't really know what to think of my invisible shield anymore.
link |
Like you said, that really worries me on the journalism side that people would be afraid to dig deep on fascinating topics. And you know, I have my own, that's part of the reason I would love to have kids, I would love to have a family. Part of the reason I'm a little bit afraid, there's many ways to phrase this, but the loss of freedom in the way of doing all the crazy shit that I naturally do, which I would say the ethic of journalism is kind of not is doing crazy shit without really thinking
This is letting your curiosity really allow you to be free and explore. I mean, whether it's stupidity or fearlessness, whatever it is, that's what great journalism
And all the concerns about security risks have made me like become a better person. The way I approach it is just make sure you don't have anything to hide. I know this is not a thing, this is not a, this is not an approach to security. I'm just, this is like a motivational speech or something. It's just like, if you can lose, you can be hacked at any moment. Just don't be a douchebag secretly, just be like a good person. Because then I see this actually with social media in general, just present yourself in the most authentic way possible, meaning be the same person online as you are privately, have nothing to hide. That's one, not the only, but one of the ways to achieve security. I'm totally wrong on this, but don't be secretly weird. If you're weird, be publicly weird. So it's impossible to blackmail you. That's my approach to it.
link |
Well, they call it the New York Times front page phenomenon, you know, don't put anything in email or I guess social media these days that you wouldn't want to read on the front page of the New York Times. And that works, but you know, sometimes I even get carried, I mean, I have not as many followers as you, but a lot of followers and sometimes even I get carried away. Just be emotional and stuff to say something. I mean, just the cortisol response on Twitter, you know, Twitter is basically like designed to elicit those responses. I mean, every day I turn on my computer, I look at my phone, I look at what's trending on Twitter and it's like, what are the topics that are going to make people the most angry today, you know, and, um, you know, it's easy to get carried away, but it's also just that sucks too that you have to be constantly censoring yourself and maybe it's for the better. Maybe you can't be a secret asshole and we can put that in the good bucket. But at the same time, you know, there is a danger to that other voice, to creativity, you know, to being weird. There's a danger to that little whispered voice that's like, well, how would people
You know, how could that be manipulated? How could that be used against you? And that stifles creativity and innovation and free thought and, you know, that is on a very micro level and that's something I think about a lot. And that's actually something that Tim Cook has talked about a lot. And why he has, you know, said he goes full force on privacy is it's just that little voice that is at some level censoring you. And what is sort of the long-term impact of that little voice over time?
link |
I think there's a ways, I think that self-censorship is an attack vector that there's
In a way, I'm really inspired by Elon Musk.
The solution to that is just be privately and publicly the same person and be ridiculous.
Embrace the full weirdness and show it more and more.
So it, you know, that's memes that has like ridiculous humor.
And I think, and if there is something you really want to hide, deeply consider if that you want to be that, like, why are you hiding it?
What exactly are you afraid of?
Because I think my hopeful vision for the internet is the internet loves authenticity.
They want to see you weird.
So be that and like live that fully because I think that gray area where you're kind of censoring yourself, that's where the destruction is.
You have to go all the way, step over, be weird, be weird.
And then it feels, it can be painful because people can attack you and so on, but just
It's just like a skill on a social psychological level that ends up being an approach to security, which is like, remove the attack vector of having private information by being your full weird self publicly.
What advice would you give to young folks today, you know, operating in this complicated space about how to have a successful life, a life they can be proud of, a career they can be proud of, maybe somebody in high school and college thinking about what they're
Be a hacker, you know, if you have any interest, become a hacker and apply yourself to defense.
You know, every time, like we do have these amazing scholarship programs, for instance, where, you know, they find you early, they'll pay your college as long as you commit to some kind of federal commitment to sort of help federal agencies with cybersecurity.
And where does everyone want to go every year from the scholarship program?
They want to go work at the NSA or Cyber Command, you know, they want to go work on offense.
They want to go do the sexy stuff.
It's really hard to get people to work on defense.
It's just, it's always been more fun to be a pirate than be in the Coast Guard, you know, and so we have a huge deficit when it comes to filling those roles.
There's 3.5 million unfilled cybersecurity positions around the world.
I mean, talk about job security, like be a hacker and work on cybersecurity.
You will always have a job.
And we've actually had a huge deficit and disadvantage as a free market economy because we can't match cybersecurity salaries at Palantir or Facebook or Google or Microsoft.
And so it's really hard for the United States to fill those roles.
And you know, other countries have had this workaround where they basically have forced conscription on some level, you know, China tells people, like, you do whatever you're going to do during the day, work at Alibaba, you know, if you need to do some ransomware, okay, but the minute we tap you on the shoulder and ask you to come do this sensitive operation for us, the answer is yes, you know, same with Russia, you know, a couple years ago when Yahoo was hacked, and they laid it all out in an indictment, it came down to two cyber criminals and two guys from the FSB, cyber criminals were allowed to have their fun, but the minute they came across the username and password for someone's personal Yahoo account that worked at the White House or the State Department or military, they were expected to pass that over to the FSB.
So we don't do that here.
And it's even worse on defense, we really can't fill these positions.
So you know, if you are a hacker, if you're interested in code, if you're a tinkerer, you know, learn how to hack, there are all sorts of amazing hacking competitions you can do through the SANS org, for example, SANS.
And then use those skills for good, you know, neuter the bugs in that code that get used by autocratic regimes to make people's life, you know, a living prison, you know, plug those holes, you know, defend industrial systems, defend our water treatment facilities from hacks where people are trying to come in and poison the water, you know, that I think is just an amazing, it's an amazing job on so many levels, it's intellectually stimulating, you can tell yourself you're serving your country, you can tell yourself you're saving lives and keeping people safe, and you'll always have amazing job security.
And if you need to go get that job that pays you, you know, $2 million a year, you can
And you can have a public profile, more so of a public profile, you can be a public rock
I mean, it's the same thing as sort of the military.
There's a lot of well-known sort of people commenting on the fact that veterans are not treated as well as they should be, but it's still the fact that soldiers are deeply respected for defending the country, the freedoms, the ideals that we stand for.
And in the same way, I mean, in some ways, the cyber security defense are the soldiers
And you know what's interesting?
I mean, in cybersecurity, the difference is oftentimes you see the more interesting threats in the private sector, because that's where the attacks come, you know, when cyber criminals and nation state adversaries come for the United States, they don't go directly for Cyber Command or the NSA.
No, they go for banks.
They go for Google, they go for Microsoft, they go for critical infrastructure.
And so those companies, those private sector companies get to see some of the most advanced sophisticated attacks out there.
And you know, if you're working at FireEye and you're calling out the SolarWinds attack, for instance, I mean, you just saved God knows how many systems from, you know, that compromise turning into something that more closely resembles sabotage.
So you know, go be a hacker or go be a journalist.
So you wrote the book, This Is How They Tell Me the World Ends, as we've been talking about, of course, referring to cyber war, cyber security.
What gives you hope about the future of our world?
If it doesn't end, how will it not end?
That's a good question.
I mean, I have to have hope, right?
Because I have a kid and I have another on the way.
And if I didn't have hope, I wouldn't be having kids.
But it's a scary time to be having kids.
And it's like pandemic, climate change, disinformation, increasingly advanced, perhaps deadly cyber attacks.
What gives me hope is that I share your worldview that I think people are fundamentally good.
And sometimes, and this is why the metaverse scares me to death, but when I'm reminded of that is not online, like online, I get the opposite, you know, you start to lose hope in humanity when you're on Twitter half your day.
It's like when I go to the grocery store or I go on a hike or like someone smiles at me or, you know, or someone just says something nice, you know, people are fundamentally good.
We just don't hear from those people enough.
And my hope is, you know, I just think our current political climate, like we've hit
This is as bad as it gets.
We can't do anything.
Well, but I think it's a generational thing.
You know, I think baby boomers, like it's time to move along.
I think it's time for a new generation to come in.
And I actually have a lot of hope when I look at, you know, I'm sort of like this, I guess they call me a geriatric millennial or a young Gen X, but like we have this unique responsibility because I grew up without the internet and without social media, but I'm native to it.
So I know the good and I know the bad.
And that's true on so many different things.
You know, I grew up without climate change anxiety.
And now I'm feeling it and I know it's not a given.
We don't have to just resign ourselves to climate change, you know, same with disinformation.
And I think a lot of the problems we face today have just exposed the sort of inertia that there has been on so many of these issues.
And I really think it's a generational shift that has to happen.
And I think this next generation is going to come in and say, like, we're not doing business like you guys did it anymore, you know, we're not just going to like rape and pillage the earth and try and turn everyone against each other and play dirty tricks and let lobbyists dictate, you know, what we do or don't do as a country anymore.
And that's really where I see the hope.
It feels like there's a lot of low hanging fruit for young minds to step up and create solutions and lead.
So whenever like politicians or leaders that are older, like you said, are acting shitty, I see that as a positive.
They're inspiring a large number of young people to replace them.
And so it's, I think you're right, there's going to be, it's almost like you need people to act shitty to remind them, oh, wow, we need good leaders, we need great creators and builders and entrepreneurs and scientists and engineers and journalists, you know, all the discussions about how the journalism is quote unquote broken and so on.
That's just an inspiration for new institutions to rise up that do journalism better.
We need journalists to step up and do journalism better.
So I, and I've been constantly, when I talk to young people, I'm constantly impressed by the ones that dream to build solutions.
And so that's ultimately why I put the hope, but the world is a messy
Like we've been talking about the scary place.
And I think you hit on something earlier, which is authenticity.
Like no one is going to rise above that is plastic anymore.
You know, people are craving authenticity, you know, the benefit of the internet is it's really hard to hide who you are on every single platform, you know, and some level it's going to come out who you really are.
And so you hope that, you know, by the time my kids are grown, like no one's going to care if they made one mistake online so long as they're authentic, you know, and I used to worry about this.
My nephew was born the day I graduated from college and I just always, you know, he's like born into Facebook and just think like, how is a kid like that ever going to be president of the United States of America?
Because if Facebook had been around when I was in college, you know, like Jesus, you know, what, how are those kids ever going to be president?
There's going to be some photo of them at some point making some mistake and that's going to be all over for them.
And now I take that back.
Now it's like, no, everyone's going to make mistakes.
There's going to be a picture for everyone and we're all going to have to come and grow up to the view that as humans, we're going to make huge mistakes and hopefully they're not so big that they're going to ruin the rest of your life, but we're going to have to come around to this view that we're all human and we're going to have to be a little bit more forgiving and a little bit more tolerant when people mess up and we're going to have to be a little bit more humble when we do and like keep moving forward.
Otherwise, you can't like cancel everyone, you know?
Nicole, this was an incredible, hopeful conversation.
Also one that reveals that in the shadows, there's a lot of challenges to be solved.
So I really appreciate that you took on this really difficult subject with your book.
That's journalism at its best.
So I'm really grateful that you took the risk, that you took that on and that you plugged the cable box back in.
That means you have hope.
And thank you so much for spending your valuable time with me today.
Thanks for having me.
Thanks for listening to this conversation with Nicole Perlroth.
To support this podcast, please check out our sponsors in the description.
And now let me leave you with some words from Nicole herself.
Here we are, entrusting our entire digital lives, passwords, texts, love letters, banking records, health records, credit card sources, and deepest thoughts to this mystery box whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.
Thank you for listening and hope to see you next time.