
October 19, 2021 • 39 mins

Nobody wants to be hacked through their toaster. Or even worse, their toaster joining an army of toasters that attack critical infrastructure and send me 50 spam emails a day. The Internet of Things is the idea that any device connected to electricity will eventually be connected to the internet. It's super cool and super frightening at the same time. When researchers report these vulnerabilities to companies they're often ignored and sometimes even retaliated against. Will our defenses catch up to our technology or are we all just f****d? This episode includes expert insight from Jack Rhysider, Craig Young and Beau Woods.


Episodes I mention of Jack's show Darknet Diaries:

Episode 21 - Black Duck Eggs

Episode 45 - XBox Underground

Episode 60 - dawgyg

Episode 99 - The Spy


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Imagine that you have the ability to see flaws in what someone else creates, flaws that could cause millions of dollars in damage. It could cause loss of life. They threatened to sue you to keep you quiet so that you couldn't reveal it. This is a situation that a lot of cybersecurity researchers have found themselves in over the

(00:26):
past thirty years, knowing about something that they believe could cause imminent harm and feeling threatened because they know it. My first car was a piece of crap. When I got somewhere, I'd lock the door and think, why am

(00:47):
I even locking this? There's nothing of value in here, and no one would steal this over literally any other car in this general area. And I think that's kind of the mentality that we often have with our personal information. Why would a hacker target me instead of somebody with a million dollars in their account? And that's completely logical. This isn't Trailer Park Boys. A criminal isn't trying to

(01:09):
rob every vending machine they see. If my main source of income depended on stealing, I'd probably try and reduce the amount of times I had to do it by getting a lot at once, and that definitely happens. Hackers attack large corporations with malicious software that locks down their computers and network. It's called ransomware because it treats the company infrastructure like a hostage. You know how they say we

(01:32):
don't negotiate with terrorists? Well, it turns out we actually do. Just this spring, one of the largest meat processing companies in the world was targeted by the Russian hacking group REvil and paid a ransom of eleven million dollars. In April, Colonial Pipeline was attacked and paid out four point four million dollars to hackers. It actually impacted our

(01:55):
critical infrastructure and led to widespread shortages because of idiots who went out and hoarded gas in plastic bags or whatever. If hackers can band together and force massive corporations to pay millions of dollars in order to access their own network, how devastating would a state sponsored attack be, and would we even be able to defend against it or counter

(02:16):
attack it once we've been hit? US military spending is about the size of the next seven largest military budgets combined, and five of them are our allies. In a very unintelligent and outdated manner, we spend the vast majority of it on things like jets, aircraft carriers, missiles, tanks, and ground troops. The present and future of warfare is

(02:38):
cyber. There's no need to blow something up when you can just turn it off. But back to the question of why hackers would target people like me instead of ones with millions of dollars: it's because they aren't targeting me. They're targeting my device, and the attacks won't just hit mine, they'll hit every single one. The obvious reason is to

(02:59):
steal our identities, social security numbers, and credit cards. Instead of using them one by one like your neighborhood weed dealer, they'll sell them in bulk on the dark web. The other main reason, which is far more terrifying, is to take control of those devices. It's like building an army of zombie computers. They're called botnets, which stands

(03:20):
for robot network. Individually, they're weak, but when you have millions of them under your control, you can attack the critical infrastructure that supports a nation of millions. And when the power gets shut off, companies no longer know where to ship the food. In the South, the bread aisle gets sold out when a couple inches of snow is forecasted, so you can imagine how quickly our lives will be

(03:41):
altered when we're attacked. I'm Lull Berlante. This is Prodigy.

(04:02):
We need to defend ourselves, so cybersecurity is really important. Last year we hit a zero percent unemployment rate, and the industry is growing quickly. It's a very high paying career and we need people. I don't know about you, but being actively recruited my whole career sounds pretty nice to me. For this episode, I talked to three cybersecurity experts,

(04:23):
Craig Young, Beau Woods, and Jack Rhysider. Craig Young is a principal cybersecurity researcher at a company called Tripwire that specializes in providing enterprise level cybersecurity solutions. Beau Woods is a senior advisor for the Cybersecurity and Infrastructure Security Agency, which operates under the Department of Homeland Security to help

(04:45):
keep America safe. Jack Rhysider was a network security engineer until he created a hit podcast, Darknet Diaries. He recently released his one hundredth episode, and I've listened to every single one. Let's start with Craig Young. An early interest was pay phones, so my friends and I would spend a lot of time at the mall. There were different access codes that

(05:07):
you could use to get information about the phone. You'd type that into the pay phone and it would start telling you about how much money was in the phone and stuff like that. And this was just really quite cool to me. My father had shown me how to use the FTP protocol, File Transfer Protocol, and I was able to connect to NASA and start downloading some pictures. Neighbors saw that and started telling all the kids at

(05:27):
school that Craig's a hacker, Craig's a hacker. And I guess this kind of set a bug under me that, wow, that's kind of something cool. People have respect towards this. This is Jack as a young kid. My grandma had an Apple IIe, which is just crazy to think about, right? You know, there's no Windows operating system at that time. Why was my grandma so, like, into computers and

(05:50):
into technology? So I was lucky enough to just have a computer at home, and just that exposure alone, I think, really put me on the trajectory. So you know, when it was time for computer class at school, I was, like, way ahead of everyone else. And when you have that feeling like, wow, you know, how come I'm so good at computers and everyone else isn't, it

(06:11):
gives you that kind of confidence. We had this kind of hybrid network in my middle school where one of the teachers, I remember, asked me to help with fixing her computer. And while I was looking at figuring out what's going on, I had access to a command prompt and I ran some commands which ultimately sent a message to all the computers in the school on the Novell network. Mrs. Stemple, the computer teacher, was not happy

(06:35):
about this. She was not impressed with my computer skills, but rather adamant that I needed to be kicked out of the school, because all of the kids in the computer lab at this time lost their work, had nothing to show except for a little message that said Hello World or something like that, something very benign. She set up a meeting with the principal and my parents

(06:56):
were called. And I guess Mrs. Stemple is telling Mr. Rump how I really need to be punished badly for this, that this was very unacceptable. Then I realized, oh, Rump, that's actually the name that's associated with the passwords that I found on every single computer, and so I said to him, um, Mr. Rump, your password is

(07:17):
X X diamond X, isn't it? And he just looked at me and asked how I had done this, and I explained, um, every single classroom has Trumpet Winsock on the Windows computers at least, and they all have your password in there, and it's very easy to open up Notepad and read it out of there. He thought about what was going on, and I'm very, very lucky that

(07:37):
he was an understanding soul, and through my parents' insistence and his understanding that I was not looking to do any harm, that I was just a curious young person, he was appropriate in giving me, I think, a day of detention and nothing more than that. Fast forward a few years. Craig is now in high school. I had taken an AP computer science class in high school. I

(08:00):
started poking around on the systems again and noticed that there was this Visual FoxPro database that I could access. It had some default passwords I could get into it with, and then I just had access to all of the HR stuff from the teachers, the grading records. I could view what the teachers were making in terms of salary, and separately, I could also modify what grades were being

(08:23):
given out or being reported by the teachers, and I very quickly brought this to the attention of the school administration. Obviously, I didn't want to have any false appearances that I was doing something mischievous with that. There's not much bigger that you can get, first, than a student being able to access and change grades. At this point, Craig has learned quite a bit about where the line is that you don't want to cross, but it wasn't the last

(08:46):
time he'd run into issues. Meanwhile, Jack is figuring out what he wants to do with his life. Because I felt like I was good at it and I enjoyed playing around on them and stuff, I thought, okay, why don't I go into a career for computers? So I went to university to get a degree in, um, computer engineering. So Jack goes to university and graduates with a degree

(09:08):
in computer engineering. He seems so driven to me that I'm sure he got an internship at a reputable company. I felt like hot stuff, so I just didn't choose to take an internship. I was like, what, no, man, I'm an engineer. I have an engineering degree. There should be, like, twenty companies looking for me. But that just wasn't the case. So I didn't find

(09:30):
a job. And yeah, for like ten years I didn't do anything technical. It was weird. I was just kind of bouncing around doing odds and ends jobs, not even computer related. Like one of the jobs I had was a dealer in a casino. I was like, okay, look, I've got a degree in this. I need to go back to computers. This is ridiculous. I love tech. I

(09:51):
need to be involved. So I was pretty rusty at that point, right, ten years of not being around them, and so I got a certificate as a Cisco Certified Network Associate, and that taught me networking, which is, you know, a nice fresh certificate that put me at the top of the list, you know, as a job candidate at a network operations center, so a company that monitors networks,

(10:13):
and so they hired me on from there. I just went crazy, got cert after cert after cert after cert. Eventually a security engineer position opened up, and I didn't really know what security was. I was just like, oh, it's a computer engineering position. I would love to be an engineer. So I applied for it and they took me on and I was like, okay, I

(10:33):
have no idea what to do here. But as I was learning, I was realizing, this is the perfect place for me, because you have to really know a little about everything when it comes to security. Jack found the perfect job where he was challenged enough that he could really satisfy his curiosity. Craig is doing very well at Georgia Tech, but learns another lesson about the egos associated

(10:54):
with responsible disclosure. I haven't told anybody else really this story since graduating, but I had a graduate level computer security class that I audited as an undergraduate. I'm not going to name the professor now, but I talked to him about doing a research project where I would see how much you could learn by using one of the techniques we had talked about in his class, deployed against

(11:15):
the residential networks. And he told me this would be fine, that I could go ahead and do this, but that I needed to document everything that I did, couldn't be harming anybody in the process, and I would simply need to give a report about this to the Office of Information Technology. I went along with that. I did this and I gave my report. But as soon as I got to the point of saying there was this number of Social

(11:37):
Security numbers disclosed, and, um, this number of credit card numbers disclosed, they cut off my presentation, went and talked to the professor for a little while and then came back and were demanding all of my hard drives, and the professor was effectively disavowing me, saying, oh, no, no, I didn't give Craig permission to do all of this. No, no, no way. And so that was another really, um, pivotal

(12:02):
moment, I guess, in my development as a security professional and understanding how people respond when confronted with security issues. They had wanted to drop me out of school. Um, that would have been a huge financial expense to me, because I wouldn't have gotten to finish the semester that I spent all this money on. And so I pleaded with them and arranged that instead of getting kicked out

(12:24):
and having that kind of disciplinary action, I would develop for them some scripts that would help their IT operations recognize if anybody was doing the kind of thing that I was doing. And I did do that for them. I made for them a system, I think I called it Perfume, um, had some clever acronym that went along with that, because it was against people sniffing on your network.

(12:44):
I sent that over to them. I got confirmation that I was out of hot water, so to speak, and limited my interactions with them from then on. I often say that my ability to understand when someone shows me I'm wrong is my greatest strength, because I feel like it's not that common, and people tend to get defensive, especially when it's something you should already know, by someone less

(13:05):
experienced, in front of your boss. So they take advantage of their power dynamic over Craig, and instead of praising his disclosure, they forced him to solve the problem. Craig had learned an important life lesson. Some people are kind of just assholes. There's the stories of people who are very honest and good and just trying to help,

(13:26):
reporting stuff to Google, right, and saying, look, there's a bug in your Android system, uh, and I just want to help you out. I haven't told anybody. I just hope you see this and fix it right away. And they retaliate by, you know, going back and telling that person's boss and trying to get that person fired or whatever, right, just like reporting them, and it's like, are you aware that your employee is hacking our Android operating system?

(13:49):
And you know, this is in the days before Google had a good bug bounty program to have an avenue to report this kind of stuff, and they just didn't find it useful or helpful that people were telling them about bugs. But Craig graduates from Georgia Tech and, if you can't tell, he's very good at what he does, so he gets a job at a top tech company. My first job out of Georgia Tech was working for

(14:10):
IBM Internet Security Systems. Craig's computer and security knowledge, combined with his electrical engineering degree, turned out to be a perfect fit. This also then got me a lot of exposure with the IBM X-Force team and the really amazing security research they were doing at this time. Craig spends five years at IBM and takes a job at a company called nCircle. I never heard of nCircle,

(14:33):
so I was like, why leave IBM for some small team? But nCircle was actually a big deal. They created and sold the best vulnerability scanner designed to help enterprises assess and remediate risk over time. My brain really started to put together patterns on these things and recognize, here are the things that are commonly going wrong in these different types of software. Then I started seeing those kinds

(14:55):
of flaws myself and working with vendors and reporting them. This job requires him to spend hundreds of hours studying vulnerabilities. His security knowledge grew quickly and did not go unnoticed. He started getting requests to present his research at conferences, which gave him motivation to work even harder. So while in school, his efforts were met with fear and retribution.

(15:15):
In the corporate world, those vulnerabilities he had been disclosing started becoming a real issue for major corporations. And once companies start losing clients and money, they start to pay attention. You know, at some point there was a lesson that Microsoft had to learn, that they weren't taking security seriously, uh, in their own products. There were hackers showing them like, hey, we can go in and out of your systems all

(15:37):
day long. What are you gonna do about it? And they just didn't really want to do anything. They're just like, you guys are bad. Stop doing that. And eventually the government or some major customers of Microsoft were like, look, we simply cannot use your product, period, because it's insecure, so goodbye. We don't want to do business with you. And that's when Microsoft really realized, like, if we're gonna

(15:59):
be securing governments and sensitive places like banks and stuff, this is a problem for us. So they completely changed their tune. And yeah, they were one of the early ones to adopt a bug bounty program and telling people like, look, if you see something, tell us, because we'd love to reward you for it. And I think in the early days it was just maybe a T-shirt or something, but still it was a nice thank you instead of

(16:21):
just telling hackers, yeah, don't call us, we don't care. So it was a nice change of pace there. And yeah, I think they've really benefited from the community helping them find exploits and reporting them ethically. Jack has an amazing episode about a kid who spends years in and out of prison for hacking. He eventually starts using his skills for bug bounties and makes a ton of money.

(16:43):
It's episode sixty, dawgyg. Okay, back to Craig. At this point, Craig has been in the industry for years and was making a name for himself. He attended DEF CON in two thousand fourteen. DEF CON is like Comic-Con, but for cybersecurity. It's a major event, and

(17:03):
each year they hold competitions. Winning a competition can easily get you recruited by organizations like Google or the NSA. DEF CON's competitions let researchers attempt to hack devices like the iPhone. So in two thousand fourteen, DEF CON held a competition challenging researchers to find vulnerabilities in popular routers.

(17:24):
Finding a flaw in a system or device that hasn't been reported is called a zero day because the company who made it has been aware of it for zero days. I was able to find like ten zero days and just take complete control over half the routers that they had there. Finding ten zero days at DEF CON is a big deal. Since then, Craig has responsibly disclosed a ton

(17:48):
more vulnerabilities to some of the world's largest tech companies, and even though companies have started adopting programs to reward people like Craig, the problem has not gone away. Just last week, a reporter discovered and reported a critical vulnerability with their state's Department of Education website. Just two days later, the governor, Mike Parson, called the reporter a hacker and

(18:10):
promised to criminally prosecute. What's tragically hilarious about this story is the state's press release, which stated that, quote, the hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators. Wow, decoded the HTML source

(18:31):
code, hacker mode. If you're not aware, decoding the HTML is a joke. Anybody who accidentally hits F12 or right clicks a web page and clicks view source code is doing the exact same thing. The crime is that they had this private information available to anyone, yet to cover up their incompetence, they're trying to blame the person who made them aware of it. This is

(18:54):
the issue we're facing. Disclosing a vulnerability can get you criminally charged by embarrassed idiots. But back to Craig. He now works for a company that understands and values his abilities, but his success at DEF CON discovering ten zero days in routers points out a pretty big problem with our devices. It's a perennial problem because with some of the vendors,

(19:16):
you would find that they have all of the different models they make being vulnerable to the same attack. But when you would report something to them, they would say, okay, we'll fix it in that specific model and firmware version that you've reported it in, but then leave a dozen other models that are very similar all vulnerable to the same attack. Things have gotten better over the last seven

(19:37):
years or so, but it's been a slow, uphill battle. I played chess a lot, and I'm always looking to see if somebody can checkmate me on the back rank, right? I've got to make sure my king has an escape route. The definition of security to me is really being able to do business in a hostile environment. And the Internet is hostile and it's unpredictable. How do you do business

(20:01):
out there? You really got to secure your thing, and how do you secure it? You've got to know what problems exist, and how do you know what problems exist? The bad guys will teach you. We're about to get into the Internet of Things. And instead of breaking for a bunch of ads that only poor souls who can't reach their phone will hear, I'm gonna just

(20:21):
talk about something I actually care about. So it's no secret that I'm on Reddit. I think I've mentioned it like every episode. As I got into the podcasting subreddit, I kept coming across a user giving really solid advice. So I clicked his user name and checked out his profile. Okay, yeah,

(20:42):
this guy's pretty good and he has a link to his blog. Let's see what that's about. I read a post. All right, this is really insightful. Right click and check the source code. Not WordPress, a different CMS called Ghost. ADHD my way over to Ghost, pretty cool. Back to the blog. The author's name was Jack, and that's when I realized that this person giving a bunch of

(21:03):
random newbies advice about podcasting was none other than Jack Rhysider. Here's why that's interesting. So I work for the biggest podcast network in the world, but I'm also really involved in the indie community, so I sort of see both sides. Starting a successful podcast independently is really fun, but kind of sorta really hard. Making one

(21:25):
that gets a lot of downloads is like making a successful app. You may have a good idea, but executing it is neither easy nor intuitive. Jack worked in cybersecurity and wanted to listen to a podcast telling NPR style stories about hackers. So he looked it up and realized it didn't exist. Damn. Hang on, I'm a pretty smart guy, he thought,

(21:48):
why don't I make it? Now, millions of people have thought the same thing, and they were probably smart too. They bought mics, picked a clever name, made a logo, recorded some episodes, and finally put it out there for the world to hear. Post a link to social media, and seven downloads. Wow, my mom didn't even listen. Crap, how do I do marketing? It's like a whole other job.

(22:11):
Jack didn't have a company to promote his show, like me. He built it with careful intention. His goal was creating a show that listeners would binge and share. That way, marketing paid dividends. It's called Darknet Diaries, and it tells true stories about the dark side of the Internet. I can't recommend it enough. Here's a few of my favorite episodes,

(22:32):
I'll link them in the show notes: Episode 21, Black Duck Eggs; Episode 45, Xbox Underground; Episode 99, The Spy. Those are three easy ones to get hooked, but seriously, every single one is great. All right, back to Prodigy. This is Beau. The Internet

(22:56):
of Things is the idea that if it connects to electricity, eventually it will have a computer and connectivity in it. It will be connected and attached to the Internet as we know it in order to serve its purpose better or to provide more information to the people using it and to the manufacturer or anybody else in

(23:17):
the chain of command. Most of us have a few devices we use to access the Internet. Our phones, tablets, computers, Alexas, doorbell cameras, and TVs are probably the main ones. I also have these WiFi connected smart bulbs so I can adjust the color, temperature, and brightness from my phone. Some people have smart thermostats and even refrigerators. When I first saw those, I remember thinking like, why the hell does

(23:40):
your refrigerator need WiFi? Are people watching The Office in their kitchen? And then I saw a demo where you could use your phone to see what was inside, or display your calendar and to-do lists, and control the temperature, and I thought, that's still, see, it's pretty unnecessary but kind of cool. But it's really not just about pointless features to make your home life easier or to show

(24:00):
off to your unimpressed friends. It does make things more efficient. When I try to think of all the Internet connected devices I know, I immediately think of the stuff I own. But it's not simply stuff in your house. It's everything: vending machines, buildings, and parking meters. We'd probably be okay with all that stuff, but there's also millions of devices in farming, healthcare, water, military, electrical, transportation, government, and more.

(24:25):
The list goes on and on, so our dependence on connected technology is growing much faster than our ability to secure it in areas impacting human life and public safety. The threat of the potential harm is that any capability that you can put in the hands of a trained expert to improve people's lives, um, or that can run autonomously

(24:45):
to automate some of the things we do all the time, can be harnessed for adversaries to do harm, either on purpose or accidentally as a byproduct of just gaining access to that device. They may not even realize that they're doing harm, but they can still hurt people. Smart devices are getting cheaper and more common by the day. My

(25:06):
smart light bulbs were like ten dollars each, and I wonder how secure they are and how fun it would be to get hacked through my light bulb. It's currently estimated that there are ten billion IoT devices in the world today. We have a lot of different devices out there now that are coming up very quickly, not having a lot of security analysis, and they're coming out of

(25:27):
vendors that don't necessarily have strong security expertise for securing their infrastructure. If one of these new vendors, or even an established vendor, has a very successful product out there, gets installed in a million places, and then their infrastructure gets compromised, an attacker can actually launch malware out into all of those different endpoints. When you have a situation

(25:47):
where you have just such a huge mass of distributed computing resources, distributed network resources that have been compromised, somebody can combine all of that into attacks against the critical infrastructure of the Internet. You can almost certainly take down very important functions of society just by harnessing that power against things like DNS servers. This is kind of something that keeps

(26:10):
me up a bit at night, the thought that we will at some point experience an Internet wide outage because of the abundance of IoT devices on the Internet, and that somebody is going to take advantage of this inherent trust that everybody has for the vendors of these IoT devices to keep them safe. It's not some paranoid delusion to imagine a virus that can infect millions or even

(26:32):
a billion of them. That sort of power could shut down countries in minutes. That's kind of what, um, the Mirai botnet took advantage of, is a lot of insecure devices out there that are just on the Internet. Right. Five years ago, almost to the day, a large part of the Internet was shut down on the East Coast of the United States. The origin was a worm that

(26:54):
infected insecure IoT devices. Once the device was infiltrated, it would help scan the Internet for other insecure devices. After an army of devices was amassed, the owner could attack. What's initially funny about it is that the Mirai botnet was originally created to attack Minecraft servers. Okay, so like a bunch of twelve year olds get kicked offline or

(27:15):
whatever for a while, right? No big deal. No, actually, there's real money in hosting Minecraft servers. Shutting down competing servers would lead to an influx of players to yours. This could mean thousands of dollars every single day. But then the hackers began targeting companies. Those hackers actually owned a company that protected against these types of attacks, so

(27:36):
they'd attack a company, then get them to hire them to stop it. It's like firefighters putting out a fire that they started. The way the attack worked was by having each device request information from a server, just like when you visit a website. When a server gets three hundred thousand requests all at once, over and over, it's unable to complete any of them. This is called a

(27:59):
distributed denial of service attack, or DDoS. Botnets are also used to send you all the, well, the freaking spam emails we all get every day, and the calls about extending your car's warranty. If a few hackers were able to infect three thousand devices five years ago, imagine what a sophisticated criminal organization or state sponsored group could do.

(28:22):
So why are these IoT devices so easily hacked? They don't take security as their primary thing, right? They just move quick, get something out there, um, hope for the best, and add features that nobody wants. Um, so I want the secure features, right? I wanted to disconnect it from the cloud and just use it internally or something like that, like I don't need it to

(28:43):
be online. I just want, when I'm home, to be able to access it from home. But you know, we kind of take that approach of, well, we just want it to work, and if we just want it to work, then it needs all these extra abilities connected to the Internet and all this kind of stuff. And that's the trade off there: ease of use versus secure it,

(29:05):
but make it harder to use. Also, these attacks can often have unintended consequences, ones that might just kill you. Beau. I was at a hospital. Their neonatal intensive care unit has something called fetal heart monitors. And if you don't know, the neonatal intensive care unit is where the most precious patients, the most vulnerable patients, tend to go.

(29:29):
It's premature babies most often, and those premature babies are hooked up to monitors so you can check their vital signs, like what's their temperature, what's their heart rate, what's their blood pressure. And it really gives doctors and nurses a competitive edge over any type of condition that would

(29:50):
cause those babies to go downhill quickly. So these heart monitors were getting infected with a piece of malicious software meant to steal banking passwords. The criminals just pointed it at the Internet, hit go, and they didn't know what systems it was going to infect. Inadvertently, they ended up

(30:12):
getting onto these fetal heart monitors and causing them to
shut down about every fifteen minutes. When that happened, they
gave me a call and they said, hey, can you
fix this. I know that you don't work on medical devices,
but this looks like a computer, and so you work
on computers. Can you help out. I ended up getting
in touch with the manufacturer, and because it was malicious software,

(30:35):
they weren't able to really support that or help that.
I had a couple of options at that point. I
could either accept that and we just go back to
manual care, or we could try and figure out a
different way to get these devices fixed back in operating condition.
Working with the hospital, I went to the CEO with a

(30:56):
draft memo that outlined the current state, the risks that
we had, what we planned to do, and put the
decision in their hands. They said, yep, go ahead and
take care of it. We need those devices online.
So with the stroke of a pen, they gave me the
ability to go in and effectively hack those medical devices

(31:20):
the same way that the malicious software got in. But
I was able to do it in order to stop
the malicious software, close the hole that was allowing it in,
and then allow the doctors and nurses to get back
to saving those patients' lives. Beau was able to use

(31:41):
his abilities to save lives. He didn't have to defeat
any ninjas or anything, but still pretty cool. The hospital
was lucky to have someone like Beau they could call on,
but that won't always be the case. Are these kind
of attacks just a part of our life now, or
is there a way to make these devices we depend
on more secure? I think that there probably need to
be government regulations. Ultimately, they are going to address some

(32:03):
of these things, so things to make companies a little
bit more responsible for their products moving forward, not just
responsible for them until they get sold. So this is
something that also comes up. I guess in conversations about
recycling that um a company making plastic bags and plastic
packaging products might need to take on the responsibility for

(32:24):
caring about what happens to those after a consumer throws
them out. In this case, however, it's vendors. Internet vendors
need to have some level of responsibility about the security
of their devices after they've been sold, making sure that
they're getting updates, that there's due diligence being done towards security,
both at the end points and also within the infrastructure

(32:46):
that is effectively gate keeping all of these devices. And
by that, I mean when you're looking at your Alexa
device or most of these other quote unquote smart devices,
they're not really that smart. They're really just connecting back
into a larger computing system to be able to exchange
data and get software updates. And that is a central
point of weakness for all of these devices. Right now,

(33:08):
if we go into a store, you and I would
walk into a Best Buy together, we can look at
an aisle of different smart home gadgets and other things,
and the only factors that we really have for deciding
what to buy are what features and what price we see.
We don't have a really meaningful way of being able
to evaluate the security of brand A versus Brand B.

(33:30):
But if we had something like a cyber Underwriters Laboratory,
cyber UL, an independent testing laboratory that can, you know,
run through various security metrics: does this thing have default passwords,
does it take automatic updates, are the updates cryptographically signed, etcetera, etcetera,
and compute a clear, straightforward score that gets labeled onto

(33:51):
the boxes. That now allows security and privacy to become
more of a differentiating factor when consumers are really voting
with their wallet. So aside from having an awesome career
and making a bunch of money, if you get into cybersecurity,
you'll be making us more safe against criminals and state actors.
We definitely need more people getting eyes on this, and
we need a more diverse set of people so that

(34:12):
we can get a richer set of ideas, because this
is really how defenders succeed against offense. You need to
have a rich set of ideas, and you need to
have a lot of people putting a lot of effort.
We're struggling when we try and hire people that have
security expertise. It's difficult to find good qualified people,
and that's a problem because we're really getting to a

(34:33):
point in a society where very few people understand the
ins and outs of the technology, and security can very
quickly get out of hand. In a society like this,
people not being able to get their government services, not
being able to access ATMs, being without power,
without communication, cell phone service. That's a really, really
scary thought. We've seen with COVID-19 how quickly some

(34:56):
aspects of society might start falling apart in these scenarios.
I strongly encourage anyone listening to consider the career
path for themselves or their lazy teenager who plays Skyrim
all day. Turns out those computer skills can be
put to good use and are quite valuable in general.
I'm very hopeful about a bright, connected future. I believe

(35:17):
that we're in an awkward teenage period between when we
have these capabilities and when we really know how to
harness them and use them for the best of humanity.
And what I want to do is to get to
that equilibrium faster, to understand better, and to build
in the types of protections that we have for everything
else so that we can trust these things more and

(35:39):
know that they are trustworthy. Jack has some advice on
how to keep your own information secure. I think that
there's three things that I recommend people do. Um, get
an antivirus, keep it up to date. Um, patch when
you can, right? So if your operating system says there's
an update, get that update, install it. Going on, any
apps that you have, install those updates as well,

(36:02):
updates are patching security fixes, right? So, um, people won't
be able to infiltrate you as easily if
everything's patched up. And then lastly, yeah,
use a password manager and have a different complex password
for every website you go to, something long and crazy
that you'll never remember. And that's the reason why you

(36:23):
have a password manager, because you use one password to
get into your password manager, and then it has all
your passwords. And of course you have to make sure
nobody gets into your password manager, because then they have
access to everything. But it's much safer, because what
we've seen is, you know, like there was a big
breach at LinkedIn in two thousand twelve, I believe,
and they leaked millions of passwords for everyone, for all

(36:47):
their users. So those passwords are now out there. And
how many people use the same password on LinkedIn as
they did on Twitter, as they did on Facebook, as
they did on PayPal, on their banking websites? And that's
just a known in today's world, right? You want to
use different passwords for every website, because your password
is out there, you know, available in so many different

(37:09):
database dumps at this point, I guarantee it. So
just, you know, make sure it just goes to that
one and no other, like, don't let the criminals have
an easy way to get in. By the way, Jack
has an amazing episode of Darknet Diaries about how Trump's
Twitter got hacked twice. It's episode seven, The Guild of
the Grumpy Old Hackers. If you're not using a password

(37:30):
manager and reusing passwords, you need to take this message seriously.
Go to Have I Been Pwned dot com to see
what breaches got your passwords. Pwned is spelled p-w-n-e-d:
Have I Been Pwned dot com. Jack
recommends 1Password to store all your passwords. That's a
company, and it's the number one, Password. Also, I'm

(37:52):
a big fan of privacy dot com, which lets you
create temporary credit cards with custom limits that you can
cancel whenever. There's links to these products at Darknet
Diaries dot com slash sponsors. The company that Craig worked
for after IBM, nCircle, was bought by Tripwire,
where he currently works. They're a very reputable organization that
makes enterprise security tools. It's time to stop taking the

(38:14):
fact that your company hasn't been hacked yet for granted
and check out Tripwire. In the media industry, we
say there's two types of people: those who haven't lost
a hard drive and those who back up. You don't
have to learn every lesson the hard way. Visit Tripwire
dot com and check out what they have to offer.

(38:36):
Prodigy was created and produced by me, lulber Lante. The
executive producer is Tyler Clang. Prodigy is a production of iHeartRadio.
For more podcasts from iHeartRadio, visit the
iHeartRadio app or wherever you listen to your favorite shows.