Darknet Diaries - 88: Victor

Episode Date: March 30, 2021

Victor looks for vulnerabilities on the web and reports them responsibly. This is the story about disclosure number 5780. Listen to episodes 86 and 87 before this one to be caught up on the story leading up to this.

Sponsors
This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go. This podcast is sponsored by the JSCM Group. They have a service called ClosedPort: Scan, and it's a monthly penetration test performed by cyber security experts. Contact JSCM Group today at jscmgroup.com/darknet. Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Transcript
Starting point is 00:00:00 Real quick, before we get started, this is like part two, or actually it's part three of a series. We're talking with Victor in this episode, who's part of the Guild of the Grumpy Old Hackers. And to learn who they are, you need to check out the episode before this. In fact, I'm going to reference the last episode quite a bit in this episode. But to understand what happened in the last episode, you really should listen to the episode before that. So yeah, this is a three-parter, which is intended for you to listen to episode 86 first, called LinkedIn, then episode 87, and now this one, episode 88. All right, let's do this.
Starting point is 00:00:33 These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete.me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
Starting point is 00:01:18 And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Starting point is 00:01:48 Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code darknet. Support for this show comes from Black Hills Information Security. This is a company that they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn
Starting point is 00:02:50 things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. So we're picking back up with one of the members of the Guild of the Grumpy Old Hackers. We're talking with Victor, and I'm fascinated with his work. He's known on Twitter as 0xDUDE, and he's made a life out of filing coordinated vulnerability disclosures.
Starting point is 00:03:50 He's a self-proclaimed janitor of the internet. Victor is constantly scanning around, looking for vulnerabilities and reporting them. And I'm not talking about a few reports here and there. So your Twitter bio says 5,789 responsible disclosures. What? How? Well, that started like in 1998. That's a lot. So you're talking, you've been doing responsible disclosure for over 20 years? Yeah, it's 22 years now. Yeah. Yeah. All right. So let's actually go back to his first vulnerability disclosure. He used to go to a video store sometimes to rent movies when he was younger.
Starting point is 00:04:27 Before Netflix, there were like these stores that you could go in and browse for the movies and borrow one for the night or whatever. The store wasn't far from his house. He'd head down there every Friday to pick up some movies for the weekend. Problem was, everyone also had that same idea. Friday evening, that was always rush hour. People piled into the store and pestered whoever was behind the counter. Hey, is this movie in?
Starting point is 00:04:49 Or do you have this one yet? Or I want to watch this one. Is it available? And employees would have to stop whatever they were doing and try to answer all these questions. And they got fed up with that. So the store installed a computer that customers could use to look for the titles themselves. But to Victor, this open and unlocked computer, which was connected to the store's network and inventory, really caught his attention.
Starting point is 00:05:14 So he got on it, but the computer was locked down and only gave users access to search the store's inventory and what was in stock. You couldn't do anything else on this computer. But Victor took that as a challenge to see if there was something else he could do on it. That terminal, that was just a Unix terminal, and it didn't have any security,
Starting point is 00:05:36 but with Control-Shift-F1, I could break out of the shell and just get access to that system. Bam. By just hitting Control-Shift-F1, Victor could take over this computer. He could slyly pull up his account, reserve movies, and add credits to his account. He could see all the other people's accounts too, and take a look at what movies they'd checked out.
Starting point is 00:05:56 Victor told the store that this new computer is a liability. And they said there wasn't much they could do about it because the company that wrote the software is really out of business. But the store took this warning and tried to fix the problem themselves, which actually was kind of a joke to Victor. So the funny part was that a week later, the owner of that store said, well, we fixed the security because they put like a plastic layer cover on the keyboard. Basically, they just covered some of the keys with a shield to prevent people from typing certain keys like Shift-Control-F1. Victor told them that doesn't quite work. But the store disagreed. So Victor set out to prove them wrong.
Starting point is 00:06:37 I used a paperclip, two paperclips to get under the plastic and still pressing those buttons. But Edward Paperclip Hands here screwed it up, and he hit the wrong key. I did like Control F2, which was the option for reboot server. And the server did reboot, but it didn't start up anymore. So he was trying to prove to the store that the shield just didn't work, but now he made it worse and crashed the system on accident. He glanced over at the checkout counter.
Starting point is 00:07:03 The employees were trying to scan the barcodes on movies, but it wasn't working. It turned out this computer had more than one job and it wasn't just there to allow customers to search for movies. They had to write down everything by hand. So I created a little traffic jam. The store eventually got things up and running again. And what Victor learned from this whole thing was finding vulnerabilities on computers is fun. But if he was going to do this kind of work, he'd have to be more cautious. If I want to do a good thing, I have to be very careful.
Starting point is 00:07:34 I have to be very descriptive. And I have to stay in conversation with the people who are responsible for their systems and find a fine line between being helpful and being obnoxious. It was about the same time that Victor found himself at a crossroads in life. While he was working on these early vulnerability disclosures, this ethical hacking, he was also busy cracking software, which is illegal: circumventing the copy protections on software.
Starting point is 00:08:02 And he realized this ethical dilemma and he came to a realization. If I keep going in this direction, I will get nowhere. So I was like, okay, what can I do? What can I do to make it more useful, that I can help other people without getting in trouble and still doing cool things? Because I'm still accessing systems without permission. You know, that's still damn cool. It was at this
Starting point is 00:08:25 moment that Victor realized he needed to use his skills for good. This meant he was going to keep hacking and looking for vulnerabilities. He'd have to do it under a strict code of ethical conduct, though. He'd spent years practicing and honing his techniques to do this. And yes, it is damn cool to still get to hack into systems and not get in trouble for it. So after college, Victor began his career in IT. He worked his way up from system administrator to network administrator and got a job with the Dutch government. Over the years, he kept finding vulnerabilities
Starting point is 00:08:53 and issuing these disclosures to people, kind of like a hobby. But one day he realized he wanted to get even more serious about it. It was in 2016. He and a friend started a non-profit that was all about finding and reporting vulnerabilities. They called it the GDI Foundation. Their hope was that people in other countries would start GDI chapters
Starting point is 00:09:14 and build a global network of volunteers working to help secure the internet. Their mission is, quote, to protect the free and open internet by trying to make it safe and by thus guarding the well-being of humans online. To ensure respect for all human intellectual freedom and to prevent and mitigate digital abuse. End quote.
Starting point is 00:09:32 Victor didn't mess around. He asked for an entire year off from his day job. Not just any year either. It was 2016, a leap year. Let's do for one year, 366 days, nonstop finding vulnerabilities as much as humanly possible. Victor and his friends went all in that year. There's a lot of insecure stuff on the internet. Databases just left open with default credentials, servers wide open, and different services and ports that were not secured. It's pretty sad how easy it is to find
Starting point is 00:10:02 vulnerabilities out there. But the tricky part is telling someone about it, trying to find who owns that server and the contact details of who the stuff belongs to. After 15 minutes investigating a database, most of the time you know who the owner is. Once they know who's in charge of it, they send over a responsible disclosure email outlining the problem and how to fix it. After all that, GDI adds a database to a script that's constantly running. It checks up on the database every so often just to see if stuff gets patched. Or worse, if a hacker got in and stole some data or wiped the whole thing.
Starting point is 00:10:34 Because that's an option too. A hacker could just get in there and delete everything. By the summer of 2016, just a couple months into this new GDI adventure, Victor was the database watchdog. I think I've seen every open database at that moment that was connected to the internet. So here's the basic process. Databases run on a certain port.
Starting point is 00:10:54 So like MySQL, for example, runs on port 3306. And so he could just scan the internet or use a website like Shodan to first look for any IPs that have port 3306 open. And then once he finds that, he'll try default usernames and passwords, or maybe a handful of very weak passwords like the word password to see if that's it. And yeah, from this alone, he was tripping over tons of open databases. Some didn't even have passwords at all. Then they'd tell all the database owners that their stuff is insecure. As their efforts grew, so did the number of people pitching in to help GDI. In the beginning, it was just Victor and his friends, but almost 50 different volunteers
Starting point is 00:11:34 have joined on in the last five years. In that time, the foundation has filed coordinated vulnerability disclosures on over a million security issues out there on the internet. You can see us like the volunteer fire brigade or emergency help. We want to prevent that people become a victim. We are a group of volunteers that help prevent abuse by trying to report the systems that are already indexed by other sources as soon as possible. And we are just one of those many, many volunteering groups online that does these kind of things.
Starting point is 00:12:11 Victor could have called it good after starting up the GDI Foundation. But no, he's possessed. And he takes his self-proclaimed role of the internet janitor seriously. In 2019, he got involved with another non-profit. This one's called the Dutch Institute for Vulnerability Disclosure, or DIVD. And Victor's the chairman. DIVD is a lot like GDI, but it's run by Dutch researchers. And they often scan computers in the Netherlands for vulnerabilities.
Starting point is 00:12:37 If we cannot find the organization within a minute, then we immediately take the entire collection and send it off to the ISP, an internet service provider, who can, of course, then send it back to their customers. And they sometimes find problems on the Dutch government's network, which is interesting because Victor works for the Dutch government. By putting these communication frameworks in place and these agreements, we can prevent that vulnerability to stay longer online. Which is definitely a noble thing to do.
Starting point is 00:13:07 But let's pump the brakes here for a second, because there's a catch to doing all this do-gooding. So let's talk about the ethics here for a second. Yeah. You are actively looking for vulnerabilities in companies that aren't asking you to look for vulnerabilities. Exactly. Is there an ethics problem with that?
Starting point is 00:13:27 It depends who you ask. For me, no. Very simple. The work that we do is non-profit. It's voluntarily. And it's to prevent that the people that we, or organizations that we warn, that they become a victim. Victor says what it really comes down to is what your aim is. There is that fine line where you have to look, what is the intention? You know, am I going to access a system on our account and starting showing it off or use it for my own benefits
Starting point is 00:13:57 to show that I had access to it? Or am I going to be as discreet as possible and try to inform, you know, this is your issue. You need to fix this. And this is what you can do to protect yourself. So if your purpose is to surf around the internet poking and prodding, looking for weaknesses, but you're not planning to tell anyone about it, well, you look a lot like a hacker who's up to no good. But if you're going to coordinate with the person who you found the vulnerability with and tell them privately and they can fix it,
Starting point is 00:14:30 well, then you've crossed into the good side. But where is that line though? The GDI Foundation and DIVD mark that line with a strict code of conduct and mission statements, which is posted to their websites. Here's an outline. First, they don't do this for profit. They don't ask for any bounty reward or ransom for finding a vulnerability. They're non-profits and they're supported by donations and sponsors. They don't launch attacks against networks that would degrade the service in any way. They don't buy or sell stolen data. They look for well-known vulnerabilities, stuff that doesn't require advanced skills or tools to exploit. And they only use passive scans and only push deeper if they find something. We act on where there's smoke, there must be fire.
Starting point is 00:15:10 I'm not going to kick in my neighbor's door because I think there is a fire. Well, there's no smoke outside. If there are no signals that there's something wrong, then there should not be a reason for me to start digging into it. Finally, and this is important, they don't air people's dirty laundry. When they find a problem, it stays between them and the owner. And they don't ask them to admit anything to the public. They just ask that it gets fixed and then they move on.
Starting point is 00:15:37 It's great to have an ethical framework and a strict code of conduct. But there can still be gray areas. For example, this whole thing with Trump's Twitter in 2016. That did expose Trump's dirty laundry, so to speak. It hit the news and everything. But I think they preferred it if it was done quietly. And so when you've got the world's attention, you have to tread a little more carefully. Okay, so as promised, the story of Victor's coordinated disclosure number 5780. See, I first interviewed the grumpy hackers back in October 2020, and I was going to post this episode right around election time. But then something happened, which really put a twist in the story.
Starting point is 00:16:16 So it was just a couple of weeks before the U.S. presidential election. Victor's Twitter feed is crammed with election coverage and conspiracy theories. Some people are getting, you know, these elections are rigged. People are going to try to mess with it, probably for your social media. I was like, OK, it's interesting. Let's see which social media accounts are all, you know, involved with this election. The presidential election of 2020 was a pretty volatile time. Disinformation was spreading everywhere.
Starting point is 00:16:42 And yeah, if someone were to hack a political figure's Twitter account, it could have some serious consequences. So Victor was curious about the security of the Twitter accounts for the presidential candidates. He was looking at both their personal and official accounts. The personal ones are like at Joe Biden, at Mike Pence, at real Donald Trump, and have blue check marks, which means Twitter has verified these people. But then there's official accounts like at POTUS and at VP. And these have a little American flags followed by US government account. So how can you check the security of these accounts? Well, it turns out if you type in the username and just a bogus password,
Starting point is 00:17:21 it'll tell you two different messages, depending on if you have two-factor authentication turned on or not. Victor figured out these error codes, which meant he could see if somebody had two-factor authentication on or not. So he went through a bunch of the presidential candidate Twitter accounts to see if they had extra security features turned on, like two-factor authentication. Since he already knew everyone's username, he would just go to the Twitter login page,
Starting point is 00:17:52 type in their username, and then some bogus password. Let's try Biden. Okay, let's try Pence. Let's try the VP account. If it told him the error message, which indicated this had two-factor authentication turned on, he'd just move on to the next one. All those Twitter accounts are protected with extra security measures, except Donald Trump.
Starting point is 00:18:16 Wait, what? Donald Trump's personal Twitter account didn't have two-factor authentication turned on in 2020 as the sitting U.S. president? After everything that happened four years ago, you would think that he would have two-factor authentication turned on, right? Well, he didn't. The president of the U.S. did not have two-factor authentication enabled on his Twitter account. And when Victor typed in a bogus password, it just said, that's the wrong password, which meant he could try again and again and again. Now, I only half blame Trump here. With all the stink that the grumpy old hackers made about this in 2016, Twitter should have absolutely required two-factor authentication for all major accounts. At least the president of the U.S. should have this required and enforced
Starting point is 00:18:58 by Twitter, right? Maybe everyone with over a million followers should be required to have two-factor authentication enabled. Or heck, you could even enforce everyone with a blue checkmark to have it on, too. I'm just saying, any high-profile account is going to see attempts for people trying to log in as them, and this should warrant extra account security. Right? I asked the CEO of Twitter about this, but he didn't respond. But actually, Twitter published a blog post a month before this, which says, quote, We're taking the additional step of proactively implementing account security measures for a designated group of high-profile election-related Twitter accounts in the U.S.
Starting point is 00:19:35 Starting today, these accounts will be informed via an in-app notification from Twitter of some of the initial account security measures we will be requiring or strongly recommending going forward. End quote. They go on to say that these designated groups are people in the U.S. executive branch, which would be the president, as well as other members of government and political journalists. So it's clear that Twitter did take the steps to make this happen, but something clearly wasn't going as planned. Again, the CEO of Twitter never got back to me on why. This risk was there at that moment.
Starting point is 00:20:08 Why? I don't know. I would like to know. A couple weeks before all this, Trump had been in the hospital for COVID-19. Maybe while he was there, a staffer was in charge of his Twitter, and they just turned off two-factor authentication. Or maybe Trump turned it off because he was just tired of all these extra steps to get logged in. You know, this guy is over 70. He's like 74. My mother is the same age and has the same security sense. See, he also keeps switching off two-factor authentication because it's not convenient.
Starting point is 00:20:35 It's a hassle. It's annoying. Whatever the reason, two-factor authentication was definitely turned off on real Donald Trump's account. This was a problem for Victor, just like it was in 2016. This account was the mouthpiece of a powerful U.S. president and should be locked down. Victor was worried that a hacker could get in and do some kind of damage. He can make a remark about an organization or a company that can influence the stock market,
Starting point is 00:21:02 or he could do damage from that thing because he has a lot of followers that will blindly believe anything that he writes. And for Trump, his Twitter account is everything to him. You know, that's his way to communicate with people without being obstructed by mainstream media. It felt like a weird cycle, like 2016 repeating itself. At this point, Victor could walk away
Starting point is 00:21:26 from this whole thing because he'd submitted a responsible disclosure to Trump four years ago, explaining this exact problem. And so it was up to Trump's team to fix it and keep it fixed. But obviously that wasn't happening. And not only is it happening again, it's worse because this is now the sitting U.S. president and his account is vulnerable weeks before an election. This was ludicrous. Victor couldn't let it go. He smelled the smoke, but wanted to see if there was fire. Stay with us because after the break, he finds out.
Starting point is 00:22:04 This episode is sponsored by SpyCloud. With major breaches and cyberattacks making the news daily, taking action on your company's exposure is more important than ever. I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users
Starting point is 00:22:30 from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. Victor decided to try to log in as Donald Trump on Twitter.
Starting point is 00:23:15 His first thought was to see if Trump's password was the same from 2016. He sat down at his computer, closed his eyes, and typed in, You're fired. It didn't work. Wrong password. He took a break to think of another guess and glanced at his Twitter feed. I saw a tweet pass by with someone sharing the Wi-Fi password of one of the Trump rallies. The tweet was a picture of some Wi-Fi login credentials for a Trump rally. The event had happened on October 13th in Johnstown, Pennsylvania. Trump's team had set up a Wi-Fi network at the rally.
Starting point is 00:23:51 The photo in the tweet showed the network ID was Make America Great Again, and the password was MAGA2020, exclamation point. That's interesting. That is probably done by his, by Team Trump, you know, his support crew. Victor thought this might be a good next guess for Trump's Twitter account. If Trump's people had a bunch of passwords to keep track of, they might reuse some, or maybe they'd use slightly different versions of the same password. Victor gave this password a shot. No. He tried all lowercase, maga2020. Nope. He tried with an uppercase M. Nope. For his fifth guess, he typed in all lowercase
Starting point is 00:24:37 maga2020 with an exclamation point and pressed enter. Twitter kind of hung there for a few seconds. This took like four or five seconds. It was way longer. So I was like, okay, great. You know, I'm going to get the suspicious login error now because I'm locked out. But Victor wasn't locked out and no error message appeared.
Starting point is 00:24:57 Instead, Trump's Twitter account loaded up on Victor's screen. And it took me like a few seconds to realize, shit, it worked. Victor was logged into Twitter as the president of the United States with 66 million followers. Whoa, he felt a surge of adrenaline. He was totally shocked. Was this actually happening? My eyes go to the left corner where I see his username instead of my own.
Starting point is 00:25:33 Yes, this was happening again. This is the second time Victor got into Trump's account. It's like a bad dream. And it left him stunned. I think I sit still for at least 20 seconds. It was one of those go stare out the window and contemplate life kind of moments. While it might seem like this could have been a victorious moment, it was less than ideal for Victor. Because of all the people that I wanted this to work, it would be nice if it was someone else. I would have preferred if it was Biden. But no, it was him. Which frustrated Victor. There's a history. We had a history with this person where we reported something. We really saved his ass if it comes to reputation. And we never,
Starting point is 00:26:19 never got a thank you. Even from the most horrible organizations in the world, where we reported things, we got an okay or a thank you back. Not only was Victor salty about the way the 2016 disclosure went down, he was also in another ethical gray area now. Normally, when he submitted a vulnerability disclosure, he wouldn't go back and test that vulnerability again. But he'd cross that line, all to make sure that this powerful Twitter account was secure. Victor felt uneasy. He didn't want to mess anything up, as he set about filing the second coordinated vulnerability disclosure. That pressure alone, even when I'm doing this for years, it's like, oh, okay, I have to be very careful. Don't do anything stupid. Do the right thing,
Starting point is 00:27:00 you know, not only for myself, but also for everyone that does this kind of work or wants to do this or for the volunteers. If I do it wrong, that's it. There is no coming back. There were a lot of lines he wanted to make sure he didn't cross. For instance, sending any kind of tweet as Trump was definitely not going to happen. But also taking a peek at his messages was clearly unethical too.
Starting point is 00:27:23 Victor fell back on the muscle memory of all the other disclosures he's done before and executed his next steps with extreme precision. He took a screenshot that he was logged in and then went to change the Twitter bio just to show he had access to be able to change the account details. Then he checked the account's security settings to confirm two-factor authentication was off. Took a screenshot of that too. In total, he was in the account for about 10 minutes, then logged out.
Starting point is 00:27:47 Then he sent an email to Trump, outlining the problem, showing screenshots, listing his password, and what to do to fix it. He didn't hear anything back for a while, so he kept tabs on the account to see if someone updated the security. Every two hours, going back, checking, is it fixed? No, it's not fixed, okay.
Starting point is 00:28:05 Maybe I should start calling him, you know, because his mobile number is in his account. Maybe I should call that. Victor could see in the account settings a mobile number and called it. It went directly to voicemail. He tried calling it again. Same thing.
Starting point is 00:28:20 He was desperate to get in touch with someone and to get this account fixed. What was your opening remark to him if he was to answer, hey, this is the Donnie, what's up? Well, good evening, sir. I want to inform you that I tried to send you an email with this subject regarding your Twitter account. Can you please take a look at it, you know, and you or your staff, please respond to it and have a nice day. Victor saved the number to his phone under Donald Trump, and he tried calling it again and again and again. He called it five times,
Starting point is 00:28:50 but never got through. He also tried getting in touch with Trump through Twitter, Parler, LinkedIn, but no reply in any of these places. He wasn't sure what to do next. He thought about reaching out to a tech journalist and sharing the login credentials. But that didn't feel right either. Remember, he doesn't want to air dirty laundry on someone that has poor security. The ethical thing to do was to keep it quiet and to let Trump's people take care of this, not to get it published in any news outlet. Trump was busy recovering from COVID and strangely holding campaign rallies at the same time to try to get reelected. Victor watched online as Trump gave a
Starting point is 00:29:25 speech at one rally in Prescott, Arizona. Suddenly, Trump started talking about hacking. Scully got hacked, right? Scully. He was a never-Trumper. He got hacked. So just to give some quick background here, Steve Scully was scheduled to moderate the second presidential debate, which was just a few days away. And he's been with C-SPAN for like 30 years. But at some point, he said publicly that he'd never vote for Trump himself. Well, this resulted in Trump talking about this with Fox News that same day. The Commission on Presidential Debates announcing this morning that the second presidential debate will be virtual. Are you saying you're not going to participate? No, I'm not going to waste my time on a virtual debate.
Starting point is 00:30:08 I have a host who I always thought was a nice guy, but I see he's a never-Trumper. We do have some of them, Maria, believe it or not, because they don't like to win. Trump said some other negative things towards Scully, too. And the next day, Scully tweeted publicly at Anthony Scaramucci, and it said, Do you think I should respond to Trump? It was very out of norm for Scully. It wasn't anything a moderator should have probably tweeted. So he came under pressure for this tweet. And then Scully said his account was hacked and he didn't actually tweet that. And that's what Trump is talking about here. So let's listen again.
Starting point is 00:30:44 Scully got hacked, right? Scully. He was a never-Trumper. He got hacked. You know, I've never known a person that said he got hacked. They got hacked. Nobody gets hacked. To get hacked, you need somebody with 197 IQ, and he needs about 15% of your password, right? It doesn't happen. So Scully got hacked. What? Seriously? Nobody gets hacked?
Starting point is 00:31:06 This triggered Victor. That was my snap moment. That was my moment of, come on, you know, now's enough. I tried you. I tried your family, your staff, your government, you know, who have to ping across the ocean to get, you know, to get the message across. This is ridiculous. Victor decided to go semi-public. He tweeted at Trump with a vague message, which said something like, do me a favor, respond to the email, get that issue fixed. Journalists saw this tweet and remembered that Victor had hacked Trump back in 2016 and decided to look into this. Journalists were questioning Victor and investigating this to see what happened. Oh, and it's interesting. That second debate with Steve Scully was canceled
Starting point is 00:31:50 because, well, Trump had COVID and didn't want to do a virtual debate and probably didn't like Steve Scully at all. But it turned out that Scully lied and changed the story about his account being hacked. And he just tweeted that in frustration, but regretted it and tried to come up with a cover story. C-SPAN actually suspended Scully for lying about being hacked, which means Trump was right, kinda. I mean, the mental calculus you have to do to try to understand what Trump is saying is dizzying. But this is what he said. Scully got hacked, right? Scully. You know, I've never known a person that said he got hacked. They got hacked. Nobody gets hacked. I mean, he has to know that's not true.
Starting point is 00:32:30 His own account has been hacked two times before this. And the first one, he did admit it was hacked. So by his own logic, maybe he lied about his account being hacked when someone posted Lil Wayne lyrics on there. But I'll give him the benefit of the doubt and assume he knows that, but was trying to say something else. It just came out wrong. And so what I think he was trying to say was that Steve Scully is a liar, which was true at the time. Scully was still holding on to the story that his account was hacked. So if that's what Trump meant to say, then he was right. Scully did lie about it.
Starting point is 00:33:02 To get hacked, you need somebody with 197 IQ, and he needs about 15% of your password, right? But what the heck is all this crap about IQ and 15% of a password? This makes no sense to me. And this quote made quite the rounds in the Twitter security community. This was a ridiculous thing to say, and it really does highlight how little the president knew about computers and cybersecurity. But anyway, journalists made some noise about Victor's tweet, which really triggered a chain of events that ended with someone from the Secret Service reaching out to Victor. Looking back, that was not the correct thing to do, because normally we don't do that. I should have kept my mouth shut. But was it necessary?
Starting point is 00:33:48 Yeah, there was no other way. On the phone with the Secret Service, Victor was flabbergasted to find out they weren't aware of the 2016 Twitter hack he did on Trump. I guess in 2016, Trump wasn't president yet. So he must have had a different group of people taking care of him then. I don't know why they didn't know. So for me, that shows that even when you report things to a government, not everyone is always immediately aware of it. Which can lead to history repeating itself like it was right then. Victor forwarded his coordinated disclosure to the Secret Service. They said they'd investigate it and take care of things. And after he got off the phone, that was case closed for disclosure number 5,780.
Starting point is 00:34:25 Victor hacked Trump a second time. It felt good that he'd gotten through to someone in authority and that somebody was doing something about this. But then Twitter and the White House denied that all this happened. What Twitter says is we don't see evidence in our log files. That's not denying it didn't happen if you take it very literally. The White House was very clear from this absolutely true, this never happened. Twitter did say in a statement that was widely circulated by news outlets that they hadn't seen any evidence to corroborate the claim. They also added that they upped security
Starting point is 00:34:59 for high-profile election-related Twitter accounts in the U.S. A quote from the White House Deputy Press Secretary Judd Deere also spread around. He denied the claim, saying it was, quote, absolutely not true, end quote. But Victor had all this evidence. And so to see these denials was just flabbergasting to him. I guess with the election so near, the White House just didn't want the bad press that Trump's password was MAGA2020! But now Victor's name was all over this news story. The wider world became aware of what he did. And you might guess that not everyone thought he did the right thing. You see the DMs that I got. Wow.
Starting point is 00:35:39 What were they? Most of them were very supportive. But there were people that don't know me personally or know the work that I do. And they reacted like from, why you do this? You are a fraud. You do it for the money. That kind of remark is like, okay, apparently you don't know me at all. It's fine. You know, I respect your opinion. But looking back, if I could have done differently, if I could have done this quietly, yeah, that would have been better for all parties involved. Some people also called Victor out for doing unwanted pen tests against Trump, raising again the ethical question, is it OK to test someone's security if they didn't ask for it? To verify that someone's accounts or an election or a person itself is at risk, I don't see that as an unwanted pen test.
Starting point is 00:36:26 If you look technically at the law, then you are accessing a system without permission. True. So you're breaking a rule, but are you breaking a rule with the intention to do good? Victor believed what he was doing was for the greater good, to help secure the president's Twitter account. He also said his definition of a pen test is to use any tool to get in and just stop at nothing. He says he didn't do that. He saw the potential of a problem and took limited action to investigate. If the first try would immediately give that error message, then I would have moved on and, you know, I would be busy doing something else.
Starting point is 00:37:01 If Trump had two-factor authentication turned on, this would have never even been a story. And looking back, busy doing something else? Sure is a nice thought. Because Victor's saga with Trump was about to take a turn for the worse. It all started after U.S. authorities reached out to the Dutch government and asked someone to take a look into Victor's claims.
Starting point is 00:37:23 I was asked to testify, to show the evidence that I have, the way that the responsible disclosure was done, the investigation, the handling of it, the communication. This was heavy. This was a criminal investigation, which I don't think the Dutch government took upon themselves. It seems to me that the White House was pushing the Dutch government to conduct this investigation.
Starting point is 00:37:45 And for Victor, it wasn't a good look. It was really stressful too. Yeah, sure, he was getting weird DMs and getting called out online. But now he was under a criminal investigation in his own country. And there were major consequences for this. If the public prosecutor's office decided he was guilty, this could be big problems for him. Especially if he were to get extradited to the U.S. I could lose my job. Even if they say, you're guilty, but you will not be punished,
Starting point is 00:38:14 that would be enough for me to lose my job because a civil servant is not allowed to have a criminal record. And when I cannot work for the government anymore, that means I have to stop my volunteer work that I do in my own free time. So I will lose everything. Victor says his employer with the Dutch government was nervous too. They knew Victor was passionate about cleaning up the internet, securing all those thousands of open ports and databases. But all this bad press about Trump was putting pressure on his employer. And sometimes that alone is enough to get you fired. Simply that your employer doesn't want to go through the stress of handling this incident.
Starting point is 00:38:52 Because what Victor did was making some pretty big news. When you enter the Twitter account of the President of the United States, that is something else. This was all turning into a nightmare. The pileup of stress reminded Victor that, just like in 2016, the timing of all this, with the election just a few weeks away, added extra stress to the situation. It was the most horrible timing if it comes to a case like this. When the Dutch high-tech crimes unit came knocking,
Starting point is 00:39:16 Victor spent hours answering their questions over the course of a day. They want to make sure that I did everything according to the book, with the best intentions, as I say so. I have to be able to prove that, of course. Victor showed them everything. Screenshots, emails, phone logs. Everything that he showed was what he did, how he did it, and how he tried to get in touch with Trump. And he had to sign a witness statement. He felt solid about how he handled it, though. He had stuck to his strict code of conduct and hadn't done anything evil while in Trump's account. There were things he was careful not to do. Do not send DMs, do not put flags or, you know, tweets or anything else.
Starting point is 00:39:55 Don't do anything bad because that will be unexplainable. He also felt good about working with the high-tech crimes unit. These aren't technology amateurs. They're experts, too, and have a good understanding of cybersecurity. For me, it's nice to know that someone is handling and looking at the case, knowing exactly what's going on. Yeah, because if someone had investigated this case and didn't understand the depth or nuances of the situation, this could have made Victor look like a criminal. But Victor would have to put those good vibes aside because the ultimate decision about whether or not he committed a crime
Starting point is 00:40:28 was resting with the public prosecutor's office. His professional life and non-profit work were left hanging in the balance for weeks. There is no more ethical way to do this. If there is a better way to do it, sure, the next time we will take certain steps or we do it probably different or hopefully better. This was done in the best way possible at that moment. Still, if it's with the best intention, you're breaking the law because of a very good reason. This case was on the line of, okay, if you do this, then it's acceptable. If you do that, then it's not acceptable.
Starting point is 00:41:06 Where is the line? What Victor did have going for him was his 22-year history of ethical hacking and responsible disclosures. The moment someone starts investigating him, they're going to see his connection with the Dutch Institute for Vulnerability Disclosures and the GDI Foundation. Maybe an investigator will think, if we dig further,
Starting point is 00:41:25 something's got to come up. Yeah, that's just not the case with Victor. He walks proudly on the ethical side of the line. The good thing is that if you start looking for my name, this is how I always work. So for that part, I was not worried. After three weeks, the Dutch prosecutor made a decision. They said yes, gaining unauthorized access to someone else's account is illegal in the Netherlands. But there's a special circumstance that allows for it, which is responsible disclosure. And it's supported by case law. They confirmed that Victor had gotten into Trump's Twitter, but carefully considered his intentions. Their analysis revealed that Victor's intentions were good and that he was free to go as an ethical hacker. What a relief. It's been a long road for Victor
Starting point is 00:42:12 and the other grumps too from back in 2016. They'd been nervous about their 2016 hack, concerned that if they came to the US like for DEFCON or something that they might get detained or that Trump might be out to get them. But then that nightmare went on repeat in 2020 and hung like a dark cloud over Victor's head. But finally, it was all over. And he had an official ruling to back up that his actions were ethical. I'm happy that this case got solved, that it got fixed. I don't look at it as a successful responsible disclosure.
Starting point is 00:42:48 This doesn't count towards one of the 5,789 responsible disclosures you have? Yeah, it counts as one. It is a case number. It is case number 5780, but it was not successful because the person to whom it was addressed did not accept the message. And I hope
Starting point is 00:43:03 I will not find more Twitter accounts for U.S. elections open anymore. I don't think that... I think there's also a responsibility for platforms like Twitter, for everyone that has a verified account or a very important account should have two-factor authentication by default.
Starting point is 00:43:21 There are some worries about if they actually learned something about it. What I do hope is that other people read this story and are like, ooh, I don't have such a good password either, or I reuse this password also here. Maybe I should, you know, enable two-factor authentication. So if that happens based on this story, I'll be happy with the output of that. I hope for the best. It's hard to know what's changed for sure over at Twitter
Starting point is 00:43:45 since this incident. I guess Twitter banned Trump. So that kind of fixes the problem, right? Like you can't hack an account that doesn't exist. But it's not clear how much Twitter is enforcing this two-factor authentication requirement for political accounts or major influential accounts. However, Victor and I tried to do this again by looking for accounts that don't have two-factor authentication turned on, and we no longer see the message that used to be displayed. No matter if someone has two-factor authentication turned on or not, you get the same error message when putting in the wrong password. Which is good. It means if someone was going to be like Victor but had malicious intent, they'd have a harder time finding insecure
Starting point is 00:44:25 accounts. Victor hasn't slowed down since this incident. He's still finding vulnerabilities and reporting them in a proper way. In fact, he's launching the DIVD Academy soon, which aims to teach young adults IT security and research skills that he thinks schools aren't providing. He and the Guild of the Grumpy Old Hackers want to keep an eye on the younger generation to help guide them and coach them to be safe and responsible in this digital age. They believe the youth are the future and want to help make the future a better place.
Starting point is 00:45:03 A big thank you to Victor for sharing your adventures with us. You can follow Victor on Twitter. His name there is 0xDude. And you can find links to this story on darknetdiaries.com. The other day, someone told me they got into a ride share and the driver was listening to Darknet Diaries when they got in. And the show was so interesting that they just made the driver keep driving around town until the episode was over.
Starting point is 00:45:28 If you're that kind of listener that gets hooked on this show and love it when new episodes come out, please consider donating to it to show your support through Patreon. By giving, it sets a new standard of how you support content that you like and want to see more of. Visit patreon.com slash darknetdiaries to donate. Thank you. This show is made by me, the guy who's been wearing a mask all his life and doesn't even know how to take it off anymore, Jack Recider. This episode was produced by the font-conscious Charles Bolte. Original music and scoring for this episode was done by the melodic Garrett Tiedemann.
Starting point is 00:45:57 Editing helped this episode by the true type, Damien. And our theme music is done by the still-spinning Breakmaster Cylinder. And even though I've got nothing against bots, you know, some of my best friends are bots. This is Darknet Diaries.