Darknet Diaries - 74: Mikko
Episode Date: September 15, 2020

Poker is a competitive game. Unlike other casino games, poker is player vs player. Criminal hackers have understood this for a while and sometimes hack the other players to get an edge. And that small edge can result in millions of dollars in winnings.

This episode contains a story from Mikko Hypponen of F-Secure. We also interview Mikko to know more about him and the history of malware.

Sponsors
This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.
This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Sources
https://www.cardplayer.com/poker-news/18318-wsop-bracelet-winner-jailed-for-web-poker-cheating
https://forumserver.twoplustwo.com/29/news-views-gossip/my-unbelievable-ept-barcelona-story-hotel-rooms-arts-barcelona-broken-into-plant-trojans-1369171/
Mikko's research on bypassing hotel room keys: https://archive.f-secure.com/weblog/archives/00002647.html
https://pokerfuse.com/news/live-and-online/more-stories-of-tampered-laptops-emerge-in-wake-of-ept-barcelona-scam-24-09/
https://forumserver.twoplustwo.com/showpost.php?p=40050535&postcount=410
https://forumserver.twoplustwo.com/showpost.php?p=40099537&postcount=794
https://igaming.org/poker/news/danish-former-high-stakes-pro-reported-to-police-for-massive-fraud-1602/
https://nyheder.tv2.dk/krimi/2019-12-02-dansk-pokerspiller-far-konfiskeret-26-millioner-kroner
https://www.flushdraw.net/news/peter-jepsen-verdict-a-mixed-victory-for-poker-justice/
https://www.bankrollmob.com/poker-news/2019123/danish-poker-pro-sentenced-jail-cheating-others-online-poker
Video: Peter Jepsen talks about an attempted hack on him: https://www.sijoitustieto.fi/comment/29593#comment-29593
https://forumserver.twoplustwo.com/29/news-views-gossip/sad-conclusion-my-barcelona-incident-1397551/
Video: Brain, searching for the first PC virus in Pakistan: https://archive.org/details/malwaremuseum
Transcript
Poker is such an interesting game.
Cards get dealt, money gets bet, and the winner is not the person with the best hand, but
it's the person who plays the best.
The game is to play the person, not the cards.
In fact, some of the top poker players don't even consider it gambling.
Here, take this clip from the movie Rounders, for example.
Why does this still seem like gambling to you?
I mean, why do you think the same five guys make it to the final table at the World Series of Poker every single year? What are they, the luckiest guys in Las Vegas? It's a skill game, Joe.
It's a good point, right? There is a lot of skill in poker. And with the right play style,
you could do pretty well. Because when you play poker, you're playing against another person,
not against a casino or some machine. There's another person sitting on the other end of the table,
and it's you versus them. Can you make them believe you have a good hand when you don't?
Or can you call them out when they're bluffing? Being able to read the person is critical.
But then there's online poker, places that let you gamble for real money against real players on a computer. But it's a lot harder to read the player when you can't see them.
And when there's a lot of money involved with something like this,
people will go to extraordinary lengths to try to get an edge.
Take the story of Darren Woods.
In 2011, he won a World Series of Poker bracelet,
and he enjoyed playing online poker a lot.
But his win rate on the online games were really high.
The online poker community watched him play and meticulously took notes. They determined Darren had to have been cheating
because he was winning some very strange hands. But how? Well, as it turned out, Darren had set
up 50 different accounts at this online poker site and was playing multiple accounts at once. So
basically he could in fact see some of the other cards dealt on the table since he controlled
multiple seats on the table. And how does this give you an advantage, you might ask? Well, we know there are four aces in a deck of cards, and if he had one ace in his hand and there were two aces on the board and that last ace was in one of his other players' hands, then he knew for a fact his real opponents did not have another ace. And this is a small edge that he had on his opponents, but it was enough for him to win pretty big. And with the help of players reporting this, the poker website figured out what he was doing, banned him, and called the cops. Darren pled guilty to some of his charges and ended up being sentenced to 15 months in prison over this.
I say all this because I want to tell you
about how someone tried to cheat at high-stakes online poker.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive, it's endless.
And it's not a fair fight.
But I realized I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service
that finds and removes personal information
from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name.
Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com/darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com/darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
There's this poker player who lives in Finland named Jens Kyllönen.
And for the last 15 years or so, he's been raking it in.
He started playing poker with his friends back when he was a kid.
Here's an old interview of him of how he got started.
I started with friends like 17 years old, I think.
And just read some books and slowly started.
And like in a year I already played pretty high, like 5-10, no limit hold and 10-20.
And just pretty quickly, it's always been a pretty quick move upwards.
And I won a free roll, or I think I cashed in a three-year-old, and from that I started just grinding, grinding my way up, and I never deposited anything more like that.
Grinding his way up he did. He was a really good poker player. He was getting better and better at poker and playing bigger and bigger pots and making pretty good money from it. In 2009, he played in the European
Poker Tournament and took first place in the No Limit Texas Hold'em event. The prize was 1.1
million US dollars. Around this time, Jens began playing a lot of high stakes online poker,
but still played in in-person tournaments too. Here's a clip of him getting into a tournament in 2012, which had a $1 million buy-in.
The youngest player in the field, 22-year-old Jens Kyllönen, decided to put up the entire million himself.
I mean, I view this more as, you know, kind of a gamble, you know.
It's not like how I normally would play, like with bankroll management anyway, you know.
It's sort of like, I could either buy something nice, you know, like a nice car or house, or play this tournament. I just feel like I'm gonna get more out of playing this tournament than doing one of those other stuff.
So wow, the fact that he could afford to put a million of his own dollars on the line for this tournament, he's obviously doing pretty good to afford that. And from what I could tell,
I think he lost it all in that tournament. But that didn't stop Jens from playing even higher
stakes. Jens was really good at online poker at this point and would play in major online
tournaments with millions of dollars as the grand prize. But then, in 2013, came the European Poker
Tournament in Barcelona, Spain.
The PokerStars.com European Poker Tour has hit its 10th season and is back where it all began.
Barcelona.
This tournament was held at the Arts Hotel in Barcelona.
It's a five-star luxury hotel, which is right on the edge of the sea, too.
The tournament was in one of the conference rooms, and there's a casino right next to it too. This was a good size event. I looked at some video of it. I counted 20
full poker tables in the room during the tournament. Jens and his buddy Henry flew from Finland to
Barcelona to participate in this tournament. They stayed in the same room together. And I should
quickly explain who Henry is. Henry lives in Finland, not far from where Jens lives, and they hang out at each other's house sometimes and go on trips together. At one point, Henry and Jens took a two-month table, looks around, and decides to go up to his
room and surf the internet on his laptop, which was in his room. So he goes up the elevator to
his floor. He gets his room key out. It's a little mag stripe hotel key card. He swipes it into the
lock, but the lock doesn't open. Red light flashes, indicating it's not the right key.
Huh.
He tries again, and again, and again.
He can't get the key to open the door.
He goes down to the front desk.
They re-sync his room key for him and tell him,
go on up, try again, it should work now.
He goes up to his room, tries the key, and it works.
The door opens, he goes in.
But as soon as he enters the room,
he immediately notices something isn't right. He knows exactly where he left his laptop that
morning. It was on the desk, but his laptop was not there on the desk. His laptop charger was
there sitting in the exact spot where his laptop should have been, but no laptop. He looked around the room a little bit,
but he couldn't find the laptop anywhere in his room. Huh. He thought maybe Henry borrowed it,
or it was stolen. He goes down to the casino and finds Henry playing poker and asks him,
and Henry says he hasn't touched Jens' laptop, but Henry says his room key wasn't working that day either.
Huh, that is pretty strange.
Jens goes back up to the room
to search for his laptop some more.
But when he gets in the room,
he sees the laptop is right there on the desk,
exactly where he left it earlier that day.
What?
His mind starts racing. He's questioning his
sanity at this point. Was it really gone a minute ago? But he remembers clearly seeing the charger
there on the table by itself without the laptop. And now the laptop is there where the charger was.
He remembers this clearly because it was just 10 minutes ago. Jens starts to get scared. Someone
had been in his room in the last 10 minutes and
they put his laptop in the exact place where he left it. He thinks the person might still be in
the room right now too, hiding in the bathroom or something. So he darts out of there, gets into the
elevator, goes down to reception and talks with the guest relations supervisor, Leia.
Leia listens to Jens'
story and does two things. First, she
recodes the lock on the door and recodes
both Henry and Jens' hotel
room keys. She says this way, if someone did
have a duplicate key, the duplicate key
would no longer be active because the code is
changed on the door. And second, she tells
them she'll work with security to look at the
hallway cameras for that time.
Jens goes back up to his room.
He opens the laptop and turns it on, but something's wrong.
It boots to a black screen, which says,
Windows failed to start.
A recent hardware or software change may be the cause.
Do you want to repair or start normally?
Huh? Jens' computer was working fine up until this point.
Now it's showing an error?
And when he gets past that screen, it gives another warning.
Do you want to restore your computer?
What?
This is super strange.
Something went on here, and it's freaking him out.
He goes down to meet with Leia again, the hotel supervisor.
She tells him the cameras in that specific hallway,
yeah, they haven't been working for the last week, so they have no CCTV footage of whoever entered his room
at that time. Leia doesn't seem to be taking this matter seriously and says they'll continue to
investigate, but she doesn't say how. Jens goes back up to his room. He swipes the room key card in the door and it's not working again.
No matter how many times he swipes or how he swipes, the door just doesn't open.
Huh?
Jens runs back to reception, tells Leia.
Leia resyncs his card and then walks with him personally to his room to check on this lock.
The card now opens the door just fine,
but as soon as they get in, Jens immediately sees that his laptop had gone missing again.
Jens is in complete shock. He doesn't even know how to explain what's happening.
Leia calls hotel security. They apologize and agree to upgrade his room to a suite which is two floors up.
Jens decides to go downstairs and look for some friends,
and he asks them if he can use their laptop.
He immediately goes to all his online poker accounts and shuts them all down,
thinking someone must be trying to hack his accounts.
After that, he goes to talk with Leia again.
She's on the phone, talking in Spanish.
She asks Jens, can you describe your laptop? Yens. of a panic attack. Who keeps stealing his laptop? Why does his key card keep getting deactivated?
Why did the laptop show up in the lobby? If a thief took it and panicked, why not throw it in
the sea? He opens it up. It boots up just fine, but something is different. Normally when it boots up,
it's password protected and he has to enter his password to get in, but it's no longer asking for the password and it's just
booting right up into Windows. Okay, so he definitely knows someone has hacked his computer.
He takes the laptop to the poker tournament and starts telling their IT and security teams about
this. Everyone there is pretty friendly and helpful. The poker tournament security team
takes down all his information and begins to investigate. Jens and Henry go up to their new, upgraded suite and head to bed for
the night, thinking there has to be some security camera footage somewhere of whoever did this.
And now that two different security teams are looking into it, surely they'll find out something
by morning, and they both rest their head down on their pillows for the night. But it's hard to sleep. I mean, the day started with losing the tournament and ended with them
getting their room broken into at least three times and his laptop hacked. When that happens
to you, you can't relax. The computer feels defiled and gross, and your sense of security
is eroded. And at this point in the story, I'm now wondering, how can someone even get in their room like that?
And I have a few theories.
First, you might be thinking that someone might have just brushed up against them in the lobby
and cloned his card.
Yeah, I don't think so.
That typically works for RFID type of cards.
This was a mag stripe card.
So in order to clone it, you would have to swipe the card through a machine.
I guess it's possible someone pickpocketed him, cloned the card, and then put it back in his pocket. But it just seems unlikely that that would happen twice in one day. But then you also have
the problem of making both guest room keys invalid. How's that happening? Well, because this is a
magstripe card, it's possible that a powerful magnet can be put next to or under the lock.
And so when a card gets near the lock,
the magnet screws up the data on the mag stripe and ruins it.
So there are two types of mag stripe, LoCo and HiCo.
That is low-coercivity and high-coercivity,
which pretty much means how well the mag stripe will retain data on the card.
Like your credit card isn't going to be reprogrammed anytime soon, so it needs to hold
the data on there for years. So it uses HiCo. But a hotel room key will have its data rewritten
many times, maybe once a day. So it uses LoCo. And because it uses LoCo, it's easy for a magnet
to screw up the card.
And so if someone wanted to go in that room,
but did not want anyone coming in while they were there,
they could put a magnet on the door,
which would ruin whatever card was swiped and stop them from entering.
This would alert whoever's in the room,
and also buy them a couple minutes to get out. And as they're leaving, they could remove the magnet from the lock and walk away.
Okay, so that's a good theory
on how the cards got ruined.
But still, how did someone get the key to get in?
Maybe it was plucked from a cleaning cart.
Or maybe someone went to the front lobby
and posed as Jens, saying,
my key doesn't work in my room.
Can you reset it for me?
And then they give Jens' room number.
Would the front desk check the ID before issuing a card to a guest like this?
Is it possible to social engineer the front desk person to do it without checking ID?
Yeah, that is possible.
But then the camera didn't work in that specific hallway.
Did someone know that?
And that's why this room was targeted?
Perhaps this was an inside job.
Someone who worked at the hotel knew those cameras didn't work
and had access to reprogrammed key cards.
They could certainly be in on this.
This is the type of stuff that raced through Jens' mind all night long as he tried to
sleep. 5:30 in the morning. Hello? Your taxi is ready. What taxi? The taxi to the airport.
With whose name? No name, just room number. Jens tells the person on the
phone they didn't order a taxi, and that person hung up. Was this a wrong number? A mind game of
some kind? How strange. Jens lays awake for an hour thinking about this, but eventually falls back asleep.
9:30 in the morning, Jens wakes up.
Hello? Do you want to make business?
What?
Do you want to make business?
Huh? About what?
About the woman.
No! And Jens hangs up the phone.
Two phone calls in one morning for the wrong number?
Or was it the wrong number? Were these calls just some strange attempt at checking to see if somebody was in the room? Or verifying where Jens was staying? Jens has a meeting with hotel
security at noon, so he gets ready and goes downstairs to meet with Leia.
She has an older guy with her, who is the head of hotel security.
He doesn't seem interested in helping, though.
He says, well, look, we already upgraded your room to a suite, and your laptop's not missing now,
and you said there's nothing else missing, so there's no problem, right?
Jens can't seem to explain to security the severity of this.
Jens asks, how many cameras are broken in the hotel? And the man says, only eight. Jens asks, can you check the elevator cameras?
And the security guard says, no, there's too many visitors and there's too much footage to look
through. Jens says, but we've narrowed it down to a 10 minute window. Security doesn't seem
interested in helping. They just want this problem to go away.
His suspicion is growing that this might be an inside job. But before he leaves, security hands
him a printout of the logs of what key cards opened his room for that previous day. It's kind
of hard to read. And at this point, Jens is tilted. He's crushed. And so he just puts the logs in his pocket and walks away. Jens felt like this meeting went terrible. And now there's like no chance of
figuring out who went into his room. He goes to meet with the poker tournament security. Maybe
they have found something. But the poker tournament security team were trying to say that Henry might
have done all this. But Jens wasn't buying it. If Henry wanted to do this, he would have done it at Jens' house if he wanted to.
Why do it here?
It made no sense, and there was no help from this security team either.
Jens was crushed.
He was so confused why nobody was taking him seriously and conducting a major investigation about this.
He was so worried that his hands and legs were shaking, and he felt like he was going to vomit at any moment.
He takes the room access logs out of his pocket
and starts to look through it.
It doesn't make sense at first,
but he studies it more.
He's able to connect some dots.
It shows the exact time when the cleaning service came in
and the exact time when someone came to restock the minibar.
And it also shows when each guest came in the room
with the code from
their key. So this actually makes a perfect timeline of events. It shows when Jens and
Henry visited the room and exactly when their card stopped working. But in the logs, it also
showed there was a third guest key card that had opened the door. Just when Jens went downstairs to reception that first time
to reprogram his card, someone with a third guest key card had entered the room exactly two minutes
and 41 seconds before Jens came in and found his laptop gone for the first time.
Jeez, maybe they were hiding in the bathroom when he was in there. Jens was getting even more scared after looking at this,
and even more angry that the hotel security didn't see the same log entry just as alarming as him.
Either security couldn't read their own logs, or they didn't care, or they were trying to cover something up.
Jens couldn't take this anymore.
He started packing his bags to get out of there.
He was going back home to Finland. This was no place for him now. And as he was going through the lobby, he ran into another player that knew him, and he told that player his laptop was just stolen. And that player said the same thing happened to him, but that player said the cameras were working on the floor where he was staying. So Jens took
this player to hotel security and tried to explain,
look, this same thief who stole my laptop probably stole his laptop.
And can you look at the cameras in that hallway?
But security said, oh, there's nothing we can do right now.
Not until 8 a.m. tomorrow.
So Jens, all fed up, just left the hotel and left Barcelona and flew back to Finland.
Where does Jens go when he gets back home? Straight to Mikko.
My name is Mikko Hypponen. I am the chief research officer for F-Secure Corporation,
which is a security company headquartered in Helsinki, Finland.
F-Secure is known for creating a pretty good antivirus tool. And since it was right there
in Finland, it made sense for Jens to bring his laptop to them for analysis.
Well, he contacted us. He was looking for somebody to go through his laptop because he was suspecting
that, you know, it wasn't just about stealing the laptop. Maybe somebody was trying to put
something on the laptop. So he brought it into our lab. He parked in our parking place with his Audi
R8 and brought the laptop into our lab.
Mikko and his team took a look at the laptop.
They scanned it and examined it for malware.
And yeah, it was infected.
So the reason why all of this happened was that somebody had manually installed a Java runtime
and a Java-based remote access toolkit, which would basically send a screenshot to a remote address every time the attacker requested.
And that basically means you see the poker cards another person is holding.
And if you know anything about poker, well, then you know that if I know your cards, I'm going to win.
Aha! This was targeting Jens specifically, or at least a high roller online poker player specifically. The malware would send screenshots of the laptop to someone who presumably would be at the same online poker table as Jens. How clever. Yeah, it's kind of
interesting when you think about the amount of money at stake here.
These high rollers who play poker online, who have been playing poker online for years,
the potential of money you can steal from a player like this is hundreds of thousands of dollars or even millions of dollars. And we've found several cases like this.
And it's not always about a physical break-in. We have one
high roller we were working with, a famous poker player, who actually had been infected for almost
a year. And the reason why he started suspecting that there's something weird was that he was
keeping very close statistics about his winnings. And historically, he was making roughly the same rate of winnings
in the real world, on real poker tables and in the online poker tables.
And then suddenly it started looking different.
And he was always losing.
In the long run, he was losing in the online games
and he couldn't figure it out.
So eventually he started suspecting that there's something wrong with the laptop.
He brought the laptop to us. We analyzed the laptop. And yes, there was this tool for calculating pot odds,
which contained, again, a remote access Trojan. And we discussed how did he get this tool on his
laptop. And he had installed it by himself. So why did you install this tool? Well, it was recommended to me by someone he plays
against regularly in online tables. And that someone had set everything up from the beginning,
had this trojanized pot odds calculator created, had it posted online on a download site,
then just waited until a high roller he knew would be downloading and installing
it and the attacker was
so clever because he wasn't just
immediately starting to
wait for big hands
and go all in
and steal the money. He was
carefully and slowly using
this in online games for 12
months without
I mean until it was, you know,
people started suspecting that something is wrong.
So he was able to make hundreds of thousands of dollars
with this ongoing scam.
And this is a great lesson also
for people who do important things
with their computers.
I mean, if you are a poker player and you use a laptop
where hundreds of thousands of dollars go through the laptop,
well, you should be keeping very safe, very close tabs on that laptop.
You don't install random junk on it.
You don't play Doom on it.
You don't watch porn on it. If you're not
with the laptop, you put the laptop in a safe. And these guys are millionaires. I mean, if you
want to do something else, buy another laptop. But this laptop is your tool. And, you know,
as a professional, you don't fuck around with your tools. You keep good care of your tools. That's what I told him. And I believe
he believed me. But I can't imagine a skilled high roller poker player being able to write
malware and then distribute that malware and get it going. So there had to be like another person
involved to do that. That's correct. That's correct. So these guys had outsourced the development of the malware to third parties.
Basically, they were going
to online programming sites
for freelancers
and had someone to write
these programs for them.
So Mikko and his team at F-Secure,
being the curious researchers they are,
they began trying to figure out
who was behind this.
Obviously, most malware writers
don't want to be caught,
so they don't leave clues about themselves within the virus code. But one of the most typical ways we have been
able to figure out who's involved with a piece of malware is Whois records.
A Whois record is a public record of who owns a domain name. Every domain name in the world
is registered by someone. And sometimes whoever registered it has their information printed right there on it.
Mikko checked the malware to see if any custom domains were used, and looked up the Whois
record for those domains. But typically, cybercriminals will register domains anonymously,
so you can't see who owns it. But there are more techniques you can use. Historical Whois records.
Maybe at first
they didn't register it anonymously and then switched to be anonymous at some point. Mikko and
the team at F-Secure kept looking at the malware for clues. When Jens was in Barcelona, he wanted
to call the police, but the poker tournament people didn't want him to because they said they'll
contact the police themselves. So Jens followed up with the PokerStars staff to see what the update
was, but they didn't contact the police right away.
In fact, it wasn't until weeks later that they finally reported this to authorities.
Jens was upset that the investigation was not acted on quicker.
F-Secure was able to get some details to Jens about who they think did this,
but it wasn't the whole picture.
F-Secure posted a blog post titling this type of attack an evil maid attack. And this
is where you trust the items that are in your hotel room are secure, but someone with access
to your room could hack into your stuff. On top of that, F-Secure classified this not as a phishing
attack or even a whaling attack, but a sharking attack because it targeted poker sharks. At this point, the investigation totally stalled out.
The PokerStars team wasn't doing much.
The hotel wasn't doing anything.
The authorities were quiet.
And F-Secure concluded their investigation.
So I know this story because Jens wrote it all out
the day after it happened on a poker forum.
And I tried many times to get Jens to come on this show and tell his story,
but he declined all my invitations and said it's too soon to tell the story,
even though it happened seven years ago.
And so that makes me think that either Jens felt threatened by whoever hacked him,
or he thinks it's just not safe to talk about this for
other reasons. Maybe he didn't want to talk bad about PokerStars, since he likes competing in
their tournaments. I don't know. But this forum post that Jens wrote blew up. It has over 1,300
replies at this point, which is a lot for this poker forum. So let's read what everyone says.
The first interesting post I see here is from Lee Jones,
the head of communications for the tournament ran by PokerStars.
Lee confirms Jens' story is accurate
and says they are doing what they can to investigate,
but they're limited in the authority that they have.
Like they can't pull surveillance video or door logs,
but he does say he was contacting the police about all this.
And then there was another post
further on down by a US poker player named Scott Seiver. He says the same thing happened to him in
Berlin and Jason Kuhn too, and PokerStars wouldn't help either of them. He doesn't go into detail
about what happened to him, but Scott Seiver has won three World Series of Poker Tournament
bracelets. I reached out to him, but no reply.
He mentions that this happened to Jason Kuhn, too, which is another U.S. high-stakes poker player.
But when I looked into Jason's story, it has a different attack method.
One where he was online playing against someone else, going head-to-head with another player,
and he thought he was going to win that hand, but then he got disconnected from the server, forcing him to fold.
Okay, back to this forum post.
Scrolling down, there's another story from another high roller named Ankush Mandavia.
He's also known as Pistons87.
He's a US high-stakes poker player, and he says he was staying at the same hotel as Jens at the same poker tournament.
And Ankush also said he received a few mysterious phone calls.
And multiple times he went up to his room, but his key card wouldn't work either. He says his computer
was crashing while in Barcelona, but he didn't think anything of it until he read Jens's post
and it all became clear. When Ankush got home, his computer was no longer password protected,
which was really weird because it always is password protected.
And every time you try to boot it up, it would just crash and show a blue screen. The story
does seem to match exactly. I reached out to Ankush, but no response. So that forum post alone
seems to outline five major poker players who were victims to this attack.
Jens, the guy Jens met at the hotel who said the same thing happened to him,
David, Jason, and Ankush.
On top of that, Mikko told me he helped remove malware on two more poker players' computers.
So that's seven victims that I count.
Whoever this hacker was, was pretty busy.
Then, a year later, in 2014, the Danish police issued a statement saying they are
investigating a high-stakes Danish poker player for allegedly planting Trojan viruses on other
high-stakes poker players. They say the software that was installed would allow the hacker to see
the other players' hole cards, or the ones that are face down that you aren't supposed to see.
This would allow the hacker to play on the same online table as his victims
and make millions of dollars off them by cheating.
The Danish police continued to say they interviewed a victim
who claimed someone disabled the video surveillance of his house,
then broke into the house, planted the malware on his laptop, and left.
Whoa, I thought breaking into a hotel room was crazy. Now this hacker is breaking into the homes
of high-stakes poker players? This is even crazier. But after that, silence. No more information from Danish police. For four more years. Then, in December 2019, the final card was dealt.
The Danish police raided the home of a hacker and seized four million US dollars worth of Danish
money. They had evidence that this was the hacker who had been planting Trojans on the poker players'
computers. The evidence they had was that one day he was walking with another friend and told the story to him, and that friend called the police. From there,
they were able to find other evidence on his computer which showed he had access to other
players' cards. The Danish police gave him a $3.9 million fine and sentenced him to two and a half
years in prison. However, the Danish police refused to say the name of this
person. So I went back to the poker forums to see what people were saying. Now, the Danish police
described this man they arrested. He was 32 years old in 2014. He's Danish, and he won a European
poker tournament once before. So if you look up all the Danish poker players who have won European poker tournaments,
it quickly boils down to one person, Peter Jepsen, sometimes known as Zupp. Now, I'm not saying Peter Jepsen is who did this. I want to be clear. This is speculation. And if I get anything to counter
this claim, I will update this audio here. But Peter Jepsen is no longer part of the poker team
he was once on. They dropped him years ago, and his blog has remained dormant for years,
and his social media accounts have been silent for a while too.
So he's gone completely quiet, and appears to have stopped playing poker.
I at least can't find him, and that might be because he might be in a Danish prison.
Now, the Danish police say this hacker was planting Trojans on players between
2008 and 2014.
So I tried to find what Peter
was up to before 2008.
And I found this
amazing interview.
So I'm sitting here with Peter "Zupp" Jepsen
from Denmark, who
actually had a pretty scary scam
coming to him through a mail the other day.
Can you tell us about it, Peter?
Yeah, what happened was that I was playing on full tilt,
and I've been doing really well for that night.
And just a couple of hours after my session ended,
I received an email in my inbox,
and they wanted to tell me about a cash game that they were doing,
that they wanted to film with Scandinavian players.
And I think we wrote like three or four emails back and forth.
I asked about the buy-in, all kinds of stuff.
And in the end, he sent me an email with a link.
In the link, there was a specific place at the homepage
where I could download information about blinds and everything. And right when I was supposed
to download it, I noticed that the file was supposed to be
a PDF, an Acrobat Reader file, but it was actually an EXE file.
So I was like, that's weird.
I downloaded it anyways, but I did it into a secure folder
that was monitored by my antivirus.
And right away when I started downloading, it said that, wait, this is a Trojan horse.
Oh, my God.
This is a pretty advanced scam, isn't it?
Yeah, I've never seen anything like it.
I've never heard.
I mean, in the poker business, I've never heard of anything like it.
I've never heard of anything like that.
I've never heard about anyone getting scammed that way.
It wouldn't be a surprise if we saw a couple of other guys in your league,
so to speak, that would get emails like this.
Yeah, exactly.
You want to warn them about this, right? Yeah, I just think that if just a few people can avoid being scammed by people like that,
that would be great.
So I think people should just generally be very careful when they download stuff online.
Yeah, so what do you think?
Is there any chance to get hold of guys like this?
I mean, could you hunt them down?
No, I mean, I wouldn't make this for myself.
I don't really know, but I'd say that professional guys like these, I mean, they're probably way over the mountains.
Yeah, of course.
It's impossible to catch guys like that.
They don't even leave any electronic
traces or anything. No, no, no.
A lot of hackers I talk
to say they got in hacking because
they got hacked, and it fascinated
them to want to know everything about how to
do it. Again, I don't know whether
Peter Jepsen is
the hacker behind all this or not. The Danish police refused to give the name, and I've only
come to his name from my own deductions, but it's possible that if he was hacked in 2008,
this might mean he was immediately fascinated with it to the point where he wanted to learn
how it was done. But if Peter was hacked himself, then this means there was more than one hacker doing stuff like this.
In fact, after news got out and it was suspected that Peter was behind this,
Jens made a follow-up forum post with his thoughts. Jens said this is the first time,
to his knowledge, that anyone has gone to prison for this type of hack, and that this problem has plagued Nordic poker players for
quite some time. He says the rumor is that there's a Swedish gang involved with this,
but they have strong connections to the underworld that nobody is brave enough to go up against
and seek justice. Jens writes that Peter may have joined this gang. Jens doesn't know if it was
Peter who hacked him or someone else.
So once I read that, I immediately started to Google "Swedish gang hacking high roller poker players" and found some interesting stuff. There's not a lot of evidence, but there is an accusation
that three men from a Swedish biker gang did try to hack high roller players. The
authorities are investigating this,
but that's all I got. And honestly, when I look into the other crimes that this motorcycle gang
was accused of, I kind of don't want to dig any further. Because some suspect this biker gang
murdered a Swedish guy who started an online poker news site. So it sounds like while one hacker was arrested and put in prison,
a few might still be on the loose. The mystery still remains as to who was behind this,
and how they did it all. Your hole cards still might not be safe. But I find this story
fascinating because of the extreme lengths that some hackers go to just to get an edge in online poker.
There's been an update to this story.
In December 2020, the Eastern High Court of Denmark announced that they did in fact arrest Peter Jepsen and put him on trial for hacking poker players.
And he was found guilty and was sentenced to three years in prison. The police also confiscated $3.6 million from him, and he also must pay $144,000 to one of his victims.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever.
I recently visited spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking,
and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at
spycloud.com/darknetdiaries. The website is spycloud.com/darknetdiaries.
Oh, so back to Mikko. One of the things I like doing on this show is introducing you to people
who are legends in the cybersecurity space.
And Mikko is a legend.
I mean, he's got 200,000 followers on Twitter at this point and is known worldwide as an information security expert.
So while we have him here, let's get to know him.
And you've almost, you're almost born like in connection with the internet, right?
Like you were born, what, on the day ARPANET was created or something?
Close.
I was born in late 1969.
And TCP/IP, well,
the TCP/IP protocol comes from the innovations
which were done in California in October 1969
or maybe November 1969. So basically I'm as old as the internet.
But of course, that doesn't mean anything. Most people had no idea about ARPANET or internet or
any of that until 1990s, when the web made the internet something people actually were aware of.
Yeah, yeah. And then you pretty much spent your whole life
focusing on the internet ever since you were able to. I started programming at the age of 14 in 1984.
That was because we got a Commodore 64 into our family. And that happened because my mother,
my late mother, Rauha, bought us a computer from her work, which was the State Computing Center. So I guess it runs in at an early age. By the time I was 16,
I had already sold my first programs. I was writing utilities. And of course,
I was writing games as well. So that's where I started with computers.
And let me do the math here. So you've been at the same company for almost 30 years now. That is correct. I joined
a company called Data Fellows in 1991 as employee number six. The company was established in 1988,
and I'm still there today. The company isn't called Data Fellows anymore because we renamed
the company to F-Secure in 1999 when the company went public.
But yeah, it is the same company. I've been working there all my life. And I guess if you
would be employee number six in a Silicon Valley company for 30 years and the company grows big
and goes public while you're there, you would end up being a very wealthy individual. It doesn't work exactly
like that over here in Finland, but I'm still at the same company. And I got to tell you,
it's been a wild ride. I've seen a company change from a small startup to a player which
works all over the world. We now have offices in 29 countries around the world.
In June 1991, Mikko started working at F-Secure, doing security type work.
And because of all this, he's a bit of a malware historian.
So I took this chance to talk with him about some of the early malware we ever saw, like Brain.
Brain was found in 1986, which means I wasn't in the industry yet.
But I did end up analyzing Brain by the time I started doing
malware analysis professionally, because I wanted to analyze every single virus there was. And
when I started doing virus analysis in the early days, there were very few viruses. We weren't
receiving, you know, thousands of new samples every day. We would get a new malware sample in the mail,
on a floppy, maybe once a week.
So I did go through the Brain.A code as well
when I started professionally doing malware analysis.
Brain is actually how I first learned who Mikko was,
because of a video he made about it.
And Brain.A is such an important piece of malware history
because it was the first PC virus ever. Now,
we had, I mean, there was some specific malware cases before Brain on other platforms, for example,
on Amiga and Apple too, but the first PC virus is important because we're still
fighting PC viruses today. That's basically where it started from.
And I revisited the Brain code in 2011,
on the 25th anniversary of Brain,
basically because our marketing people and salespeople asked me that,
you know, it's going to be the 25th anniversary of the first PC virus. Would you like to, you know, say something on this
or should we do something about this?
And we had a meeting about it
and they suggested we would build
some kind of an awareness campaign
on malware, whatever, something boring.
And I just told them that, you know,
that's a bad idea.
Why don't we instead put me in a plane
and I go and try to find the guys
who wrote the first PC virus 25 years ago
and that's what we did. And of course I said that because I knew there was a lead, because in the
code of the Brain.A virus there is a street address, an address which points to a street in the city
of Lahore, which is a city in Pakistan. So in 2011, I went to Lahore to look for
the guys who wrote the brain virus. And we did a video about this. You can watch the video on
YouTube. There's a link to that video in the show notes. You really should check it out. It's
awesome. But malware made in 1986 is very different than the malware today. Back then,
first of all, writing viruses was not illegal.
If you wrote a piece of malware
and you infected the whole world,
you didn't break a single law.
The laws in any of the countries at the time
didn't take crime like this into account at all.
Second of all,
the early malware writers didn't have,
they didn't have motives. They didn't really gain anything by
writing these early viruses, which were spreading on floppy disks or over early networks.
They basically got just chuckles out of the idea that their malware was spreading around the world.
And it is interesting because, during the early days,
I met some of the early virus writers.
In particular, I remember this one kid, 16-year-old kid,
who was from Finland.
And I found him.
He was spreading some of his malware in BBS systems of the time
where it was being spread over modems from one computer to
another. And I spoke with him on the phone and I spoke with his parents and it was fairly eye
opening because he told me that, you know, he's living in this small rural town in central Finland
in the middle of nowhere. I mean, there's nothing around. There's no neighbors. There's just snow, basically.
And he's bored out of his mind.
He can't escape.
He's with his mother and father
in the middle of nowhere.
But he does have a computer
and he does have a modem.
And he wrote this virus.
He called the virus Cinderella.
And then when he saw
that the virus was spreading
from one computer to another, and eventually he saw that the virus spread to California, he somehow felt that he couldn't escape, but his virus could.
And that was his motive for writing viruses back then, years and years ago. So the motives of the virus writers have completely changed. If you talk
to current online criminals, nobody's writing malware for fun. Nobody's doing it for anything
like that. It's all about money. It's all about organized crime, trying to make money with
ransomware and botnets, or it's governmental activity or spying. So the good old days of, you know, happy hackers is long gone.
Yeah, but I'm also thinking like when a virus hits today, it's got a plan.
Like it's going to take my contacts list or spread an email or try to find something internal or take control.
These viruses back in the 80s and 90s
weren't doing stuff that sinister, were they?
Most of the early viruses either did nothing
except spread further,
or they might be destructive.
We saw surprisingly many examples of malware
which would just overwrite hard drives
on certain dates or things like that.
Or they would do something visible. They would play music, they would show you animations,
they would play games with the users. And I've always found that part of malware or early
viruses very interesting. And many of them look actually pretty nice when you look at them with today's
eyes and you sort of respect the art in the early viruses when you look at it today.
I definitely wasn't respecting that back then when I was fighting these viruses,
but this is one of the reasons why I've been volunteering at the Internet Archive
and curating a collection of old viruses,
which you can now run safely in your browser by executing the original code of viruses from the 1980s and 1990s,
especially the kind of viruses which actually show you stuff, show you animations, or maybe play music on your computer.
And that's something you can all check out by visiting the Malware Museum at the Internet
Archive. If you ever get bored, this is an interesting site to explore. Some of this
malware just has like a message display, like this one. Just prints out a note on the screen,
which says, Terminator message, don't be afraid. I am a kind virus. Have a nice day. Goodbye.
Press any key to continue. And then it just quits. That's it. No damage. It just
infects your computer to say hi, and then it moves on. And then there's other ones that display
weird graphics, or they make the screen look glitchy. That's just it: graphics and sounds,
nothing more. That's the virus. And I guess what makes it a virus is that somehow these programs were installed and ran on your computer without your consent or your doing.
Mikko's favorite malware of all time is the whale virus.
Whale was found in 1990 and it's one of the big mysteries we still don't understand in the early days of malware.
Early viruses started to get more and more complicated.
They started to use encryption
because they were being fought by antivirus software,
such as the software we were writing back then.
Another early software which still exists today is McAfee.
McAfee is actually older by one year than F-Secure,
and obviously McAfee is still around.
Now, an easy way to evade detection was to use encryption.
So you would just encrypt the code of the malware,
and the antivirus guys like me,
we couldn't find a way to detect the malware because it's encrypted.
You could change the key for every sample and all that.
However, the weak point of that technique
is that we can pick up a detection signature from the decryption loop.
So this is when we started finding viruses which would use metamorphic or polymorphic algorithms, including Whale.
Every time the Whale malware would replicate to a new file, it would rewrite itself. So it would basically recompile
the binary. It would look different every time. And this was really groundbreaking at the time.
And there were plenty of mysterious messages left inside of the malware and plenty of early
researchers spent a lot of time trying to figure out what was the motive of whale, where did it come from, who wrote it?
We still don't know that. Polymorphism became accessible to anybody who was writing viruses around two years later, when a Bulgarian
virus writer called Dark Avenger released a toolkit called MtE, Mutation Engine. And this
was basically a toolkit you could use to wrap any program inside a layer of polymorphic encryption.
And this was really complicated. You would replicate sample twice
and there wouldn't be a single byte
which would be constant in these two samples.
So detection was a nightmare.
However, at that time,
we were working closely with a researcher
called Fridrik Skulason from Reykjavik.
And he came up with this clever idea
that instead of trying to detect malware with static signatures or looking for certain bytes in certain offsets, what we would start doing is that we would simply execute the malware in a virtual machine.
Basically, let the malware run safely as long as it needs to run so it decrypts the stuff that's hidden by the layer
of polymorphic encryption. So we would basically let the malware decrypt itself for us. And the
virus writers of the time couldn't figure this out for years. I mean, they just couldn't understand
that, you know, no matter how well they were trying to hide the payload,
no matter how many layers of encryption they would add,
we would still find it
because the encryption layers they were adding meant nothing.
They would, in the end,
end up decrypting the hidden stuff underneath for us
and we could detect it
just like there wouldn't be encryption at all.
Keep in mind, up until this point, this malware, which was targeting PCs, was just for DOS.
Windows wasn't even out yet. So at this time, in the 90s, when Mikko was researching this stuff,
people would send him this malware in the mail on floppy disks. It was a weird time for malware.
Viruses were really slow to make the jump from MS-DOS to MS-Windows.
MS-Windows started to get traction.
I mean, Windows 3.0 was the first success story,
and then 3.1 and 3.11, it became bigger and bigger.
But all the malware we were analyzing were still running on MS-DOS.
And of course, Windows systems at the time were running on top of MS-DOS.
So this malware was still partially functional
until we then found
the very first Windows virus. And I remember this very, very well because it really changed
our contacts within the industry. This was 1992. And we found a sample that we believed to be a
Windows virus from Sweden. And it was very hard to analyze because it was the first Windows virus.
And Windows at the time
wasn't as accessible
as you might think to, you know,
debug or reverse engineer.
But me and Ismo,
one of our coders at the time,
spent a couple of days
trying to figure out this sample.
And it turned out to be
the very first Windows virus in history.
So, well, we named it.
The finder names the virus, so we called it WinVir, like Windows virus.
And we wrote a description about it.
We added detection for it.
We were all done.
But then we realized that, holy hell, this is news.
Right, this has to be news.
I mean, the first Windows virus in history.
So what should we do?
Should we do a press release?
Well, the company had never done a press release, so we had no idea how to do a press release.
But we had seen press releases, so we just copied the formats, you know, date, location.
Data Fellows has today announced the discovery of the first Windows virus and then go
through the technical details.
Very important detail.
When we wrote this press release,
the first press release in the history of the company,
we wrote it in English,
not in Finnish. We were
headquartered in Helsinki. All of our clients
were in Finland, but we automatically
assumed that this is an international
news item. We have to tell the world. And then when we had the press release ready, we printed it out,
we had it in our hands. Then what do you do? Well, we had no idea. So we faxed it to Reuters in
London and Reuters picked it up. They wrote a wire article about it. They ran with the story.
It became news item all over the world. New York
Times ran the Reuters story. The next day, we start getting phone calls from research labs all
over the world. Especially, I remember picking up the phone and it's coming from New Jersey. It's
from the T.J. Watson Research Center of IBM. And they were very interested in our discovery, and they wanted to initiate an official malware sample exchange between IBM and us.
And we were like, OK, now we are in the big boys league.
Now we've really made it.
And that's how we started international contacts with other research labs.
And, of course, that was very important in the early days for the company.
Viruses continued to mutate all through the 90s. Mikko was developing new ways of detecting malware
and implementing that into the F-Secure antivirus software. He was also working with software
companies to get them to fix the bugs which allowed this virus to run in the first place.
But in the year 2000, email began picking up in popularity.
So when email became commonplace in offices, malware started spreading more and more over email attachments instead of floppies.
So that's when the era of email worms started.
And we saw so many so fast outbreaks, first with Happy99, then with Melissa, and then the biggest of them all at the time,
Love Letter in May 2000. Now, this Love Letter virus, or sometimes known as Love Bug, or I Love
You, would send an email to thousands of people with this message, kindly check the attached
Love Letter. And then there was an attachment named loveletter4u.txt.vbs.
It's kind of easy to see this is a phishing attempt now, but in 2000, we weren't getting
phishing emails very much, and we wanted to see who sent us this love letter. And while this file
looks like a text file, it's actually a Visual Basic script. Often, Windows will hide the
extensions, so for a lot of
people, it just looked okay, like a text file. But when you opened it, Windows knows how to execute
the commands in the script and runs them. So what's Love Letter do when you open the file?
Well, it first propagates itself and sends an email to everyone that's in your address book,
and then it proceeds to overwrite and corrupt random files on your computer. Office documents, images, and songs essentially get ruined,
which are the most valuable files on your computer.
Because it would send emails to everyone in the victim's address book,
this made the love letter virus a worm because it could self-propagate,
which made it one of the fastest growing viruses of all time.
Now, when something like this hits the world
and a major virus is spreading,
causing destruction, what's an antivirus company like F-Secure do? They get right to work.
And that was sort of really exciting back then because you would typically get woken up at 3
a.m. and there's a massive outbreak going on, and we get the sample, we decode it, we pick a search
string or build a detection, we test it, we name them while we write the description,
we test the detection, we ship the detection, and we just save the world.
So very, very exciting times, except then it happens again two days later,
and again a day later, and again.
Wow, that does sound exciting.
To save the world by writing antivirus updates.
But yeah, it must be exhausting too.
In fact, the most exhausting time for Mikko was the summer of 2003,
when his team went to do battle against the botnet called SoBig.
We saw a massively large run for the first version, that's Sobig.A. And this was such a huge
outbreak from the beginning because they were using an existing botnet to kickstart the email
sending. And the email Sobig was using to fool people into opening up the attachment were pretty clever. They looked like
emails coming in from Microsoft, and they were speaking about an update for security
vulnerabilities in your system. This is still the time before Windows Update even existed,
so people were still downloading updates manually from Microsoft.com. Well, in this case,
you get this prompt for updates for this month, and it would
actually automatically change the month. So if you would receive a Sobig mail today, it would speak
about year 2020 and the current month, which is a neat trick. It actually makes the malware live
much longer. And when we were fighting through Sobig.A, we then found Sobig.B and C and D and then F.
And F, the fifth version, was the largest of the outbreaks.
By the time the Sobig.F variant showed up, it had infected millions of computers worldwide.
But what did this malware do?
Well, it's a botnet.
So all these millions of computers were under the control
of someone. That person could instruct these computers to do something like send an email to
millions of people or attack a system. But in order to do that, each of the computers had to
reach out to a central command and control computer to get instructions on what it should do.
Some machines were seeing a proxy server getting installed,
which meant the hackers could funnel their traffic through these botnet computers in order to disguise
where they're coming from. Regardless of what it was doing, this was now a big problem for companies
all over the world. They would ultimately spend billions of dollars cleaning up Sobig from
infected computers. Now, when a computer gets infected, it has that code on the computer.
And somewhere in that code
is instructions of what the botnet should do.
And this is great for antivirus companies
to look at, to try to stop
or reverse engineer the virus.
But there was a problem with this code.
Sobig.F had this encrypted code in it, which was a mystery for us.
We couldn't crack the encryption and figure out exactly what it was supposed to do.
So the team at F-Secure began trying to crack the encryption of this code,
which is interesting to think about, right?
F-Secure is supposed to defend computers from viruses.
But here they are, trying to use offensive tools to break and hack and crack the code of this malware,
which was left on the computer.
And this was hard, because good encryption is hard to break.
But then one of our Hungarian coders
figured out how the runtime encryption works,
and we found this code,
which basically said that on Friday of that week,
every single infected computer would contact 10 different servers.
So these would be command and control servers controlled by the malware author.
So they cracked this code on Tuesday.
And the code said that on Friday,
it would reach out to command and control servers for instructions on what to do. This left us for four days to contact authorities or contact internet operators or contact certs
and work together to take down these servers before Friday.
There was actually a timestamp.
Friday evening, 10 p.m. is when the activity would start.
We got most of the servers down fairly quickly
by just calling up the operators
and telling them what was going on.
But some of these were taking none of us,
none of our words for granted.
I mean, this funny company from Finland
is calling them and asking them to shut down the server.
Why would they do that?
So then we were working together with the FBI
and then we were calling my contacts
at the Microsoft headquarters to get something happening.
And it was already Friday, early hours of Friday, when we had like four servers left.
And I remember at some stage we wanted to get the support of the global CERT community, and I tried emailing a list of the IP addresses we had decoded
from the body of the malware to CERT Finland. I mailed them, then I called them like two hours
later to ask what's happening, and they told me that they never got my mail. I was
surprised about that, and they told me that, well, actually,
they have massive problems with their email servers
because of Sobig.F.
The Sobig.F outbreak was still so massively spreading
that email wasn't functioning as well as you were hoping for.
So they asked me if I could fax them the list.
And of course, we didn't have a fax anymore
because we were considering ourselves to be modern companies.
So I printed the list on a piece of paper and I gave it to a friend of mine, Yusu, who worked in the lab.
And I told him to go and drive to the CERT headquarters and just deliver it by hand.
And he jumped into the car and started driving there and then got stuck in a traffic jam.
We never really have traffic jams in Helsinki.
It's not a big city, but there was an accident.
So he was stuck.
So he abandoned his car and ran all the way to the CERT headquarters to deliver the piece of paper by hand.
And I still remember how desperate we were.
But in the end, we were able to shut down all of the servers except the two last ones.
And when the threshold date and time came, there were so many thousands of infected machines
all over the world that they all tried connecting these two servers.
And there was just
so much traffic that both these servers just crashed under the load, which means nothing
happened, which means we were successful. Taking down a global threat like a botnet is a great
feeling. Mikko has gone to battle and brought down a few botnets. He has a few different methods for taking them down.
And if you are able to do this right, the whole botnet dies immediately. And that's the best
feeling in the world. I mean, we're trying to save the users. We're trying to defend people's
security. We're trying to defend their computers. And of course, we are doing this for our clients. But when you do something like
this, you're not only protecting your clients and customers, you're actually protecting the
whole world. The whole world is safer because of what you just did. And that feels great. That's
one of the things that keeps me running and keeps me in the industry year after year. The feeling
that you're actually able to make a difference,
the feeling that you're actually able to defend the users.
In fact, when they took down Sobig, they had a bit of a celebration after.
Yeah, when we felt that we've just saved the world, we did go and have a party.
I guess that just goes with the culture.
And since, well, since I was working in Finland, that always meant going to sauna. In Finland, every house has a sauna. Every office has a sauna. Every single F-Secure office. Well, the very first office did not have a sauna, but our headquarters today has a sauna floor. ... a beer, and we would be looking at the news and chuckling to ourselves about how they got the details wrong, because we knew exactly what the malware was doing because
we had decoded it a couple of hours earlier. Okay, so this one I have to ask about. There's a law
named after you. What is Hyppönen's law? Yeah, I didn't really coin it as a law in the beginning,
but someone picked it up and now there's a Wikipedia page for Hyppönen's law, which is Hyppönen's law on IoT security.
In a nutshell, it just says that if something is smart, what it really is, is vulnerable.
And this is a very pessimistic law, but it's also true.
The more functionality and connectivity we add to things,
the more vulnerable they become. My favorite example is a wristwatch. If you have a traditional
old school wristwatch that you have to wind, it's unhackable. How do you hack a windable wristwatch?
Well, you don't. And then if you take a modern smartwatch with
internet connectivity, it might be hard to hack, but of course it is hackable. So if it's smart,
it's hackable, including our smart cars, smart houses, smart cities, smart grids, it's all
hackable. What's kept you on the good side all this time, instead of taking your knowledge and
saying, you know what, I know exactly what these cyber criminals do.
And I see that they're making much more than I am.
And I know how to hide myself.
You ever think about that?
Well, Jack, if I had gone to the dark side, how would you know?
If you look at my Twitter bio, it says I'm a super villain.
Oh, yes.
A big thank you to Mikko Hyppönen for coming on the show, sharing your stories and teaching us more about malware.
You can follow Mikko on Twitter.
His name there is just Mikko, M-I-K-K-O.
He tells me he's writing a book about all this.
So hopefully that'll come out soon and I'm sure it'll be super fascinating.
If you like this show and it brings value to you, consider donating some money through Patreon.
By directly supporting the show, it helps keep ads at a minimum. It also allows me to get more people to help make the show. And it tells me
you want more of it. Please visit patreon.com slash darknetdiaries and consider supporting
the show. Thank you. The show is made by me, the never bluffing, Jack Rhysider. Sound design and
original music was created by Andrew Merriweather, who swears he dreams in color. Editing help this episode is by the heat-sinking Damien,
and our theme music is by the botnet blocker Breakmaster Cylinder. And even though some
people still insist on pushing code to production on a Friday afternoon,
and that's really a bad idea, this is Darknet Diaries.