Darknet Diaries - Ep 49: Elliot
Episode Date: October 15, 2019

In this episode we meet Elliot Alderson (@fs0c131y) from Twitter. Who is this strange masked person? What adventures have they gotten themselves into? Many stories will be told. The mask will... be lifted.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Go to https://nordvpn.com/darknet to get 70% off a 3 year plan and use code darknet for an extra month for free!
Transcript
There's a TV show called Mr. Robot.
Elliot Alderson, he's the main character, he's a hacker.
He says stuff that always gets me thinking about life, like this.
Every day we change the world, but to change the world in a way that means anything,
that takes more time than most people have.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by DeleteMe.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because DeleteMe makes sure your personal profile
is no longer theirs to sell. I tried it,
and they immediately got busy scouring the internet for my name and gave me reports on what they found,
and then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe,
now at a special discount for Darknet Diaries listeners. Today get 20% off your DeleteMe plan
when you go to joindeleteme.com/darknetdiaries and use promo code DARKNET at checkout. That's joindeleteme.com/darknetdiaries, code DARKNET.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing
is pay what you can. Black Hills
believes that great intro security classes do not need to be expensive, and they are trying to break
down barriers to get more people into the security field. And if you decide to pay over $195, you get
six months access to the MetaCTF cyber range, which is great for practicing your skills and
showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
Okay, so I like hanging out on Twitter.
It seems to be the hot spot for all the people in security.
And one guy keeps coming across on my Twitter feed.
His name is Elliot Alderson.
Hmm.
That's the same name as the main hacker guy on the TV show Mr. Robot, a fictional character.
He has the same Mr. Robot image in his avatar, too.
And his username is fs0c131y.
Is this some sort of gimmick account?
No, he's posting real and useful information about reverse engineering.
Hmm.
Whoa, Elliot Alderson on Twitter has 120,000 followers?
Jeez, who is this guy?
I had to find out, so I called him up.
Well, he's French, and he said his name is Robert Baptiste.
Or we can call him Elliot.
He's got a double identity.
And this double identity is really fascinating.
So I think it's time we get to know Robert Baptiste or Elliot Alderson on Twitter.
I try to be good at Android, and especially at reversing Android applications and finding vulnerabilities in Android applications.
Robert is from Paris and sometimes it's a little hard to understand,
so I might have to step in and sort of translate for him.
Basically, Robert's expertise is in Android applications, and he loves reverse engineering them.
When I see something cool, a new application, I'm trying to find some vulnerability or some issue with the app.
Robert likes to pick on Android, since that's what he's most familiar with.
I started my career as a...
He started his career as an Android developer and spent years creating Android applications.
Then he dug deeper and started working on the Android Open Source Project, AOSP.
And this allowed him to create custom variants of Android itself.
But as his career went on, he eventually switched to security,
specifically looking for vulnerabilities in apps.
In order to find vulnerabilities everywhere.
Then he actually started his own company. And he has clients who make apps,
and then he tries to reverse engineer them to make them do things that they shouldn't be doing.
All this is fine and good for Robert, not a big deal at all.
But sometimes he gets bored and becomes Elliot Alderson and decides he wants to hack into something.
So he starts grabbing anything that looks interesting from the Google Play Store and just starts testing the apps himself.
Now one of the Twitter accounts that Robert likes to follow is the Fox News account. Don't ask me why. And one day they tweeted something that caught his attention.
I saw a tweet from Fox.
It was three hours after the release of Donald Daters.
The tweet was talking about a new Android application called Donald Daters.
Basically, it's a dating app specifically for people who like Donald Trump.
So Robert turned into Elliot and downloaded this app to see if he could have some fun with it.
Android apps are bundled in what's called an APK file. It's sort of like a zip file.
In this, it contains the executables, the graphics, the sound, the whole app. It's all packaged in this file. Elliot moved the APK from his phone to the computer, then he extracted the files from
the APK and decompiled the app. This showed him a file called AndroidManifest.xml. In there,
he saw what database they were using.
Yeah, I just looked at the Android app, and in order to create a database, they use the Firebase Realtime Database, which is a service offered by Google.
Firebase is an online database.
For this app, all user data was stored in this online database.
Okay, good to know.
Next, Elliot looks at values/strings.xml.
This file might contain some extra information about this app.
Sure enough, it contained both the Firebase URL and the keys used to access it.
Now, Elliot knows Firebase really well.
He's created a few apps using this and is familiar with it.
And he knows that Firebase doesn't really require a key or a password to read or write to the database.
Instead, Firebase is configured with a set of permit and allow rules on the Google side. Only people matching these conditions can read or write into the database.
So right away, Elliot took this Firebase URL that he found in the app and tried to see if he could see what's in the Donald Daters database.
It took me like five minutes to get the whole database, because they kept the debug settings.
So they kept the debug settings, and so it was pretty easy to get everything.
Whoa, what? Within five minutes, Elliot has gained access to the entire Donald Daters database.
I had access to everything, all the messages, all the people details.
All usernames, all private messages between people, and all the user details.
This is crazy.
The database had no security on it at all to keep anyone from just reading through the
entire database.
So Elliot was seeing everything.
Now to you and I, this might have been a big moment for us. We got in. Whoa, this is a rush. But for Elliot?
This one, it's fine. I mean, I have better moments than this one.
And I think that might be because this app was so new.
It was only one day old at the time when he broke into it.
So it didn't really have that many users yet.
It just wasn't that big of a deal, you know?
And maybe this is typical because he's
seen a lot too. So since it wasn't that hard, the feeling wasn't that great. But Elliot was
curious anyway and looked through the database to see what's in there.
There were 1,607 users at the time, and out of them, there were only 128 matches that had taken place so far.
Okay. He looked at the messages between the matches that were sent between each other.
The longest message exchanged he found was 62 messages sent back and forth between two people
within the Donald Dater's app. But as he looked closer, he learned it was a conversation between
two developers of the app.
So Elliot started downloading some of the content from this database,
and he grabbed all of the profile pictures that users had for their dating accounts
and started posting them to Twitter.
His tweet said,
Hi Fox News and Donald Trump supporters, you should not use this app.
Within five minutes, I managed to get a list of all the people registered, all their names, all their photos, personal messages, and a token to steal their sessions.
He then went on to post a bunch of slightly blurred photos of the users of the site, proving he had access to it. Now, Elliot is known for stuff like this. This is why he has such a huge Twitter following.
And of course, tech journalists watch what he's tweeting too, and they saw this.
Within two hours of his tweet, Vice's Motherboard wrote a story about this
and how the Donald Daters app is exposing its users' data.
And shortly after that, TechCrunch wrote an article saying the database has been leaked.
For any respectable company, this would have been a huge problem.
This is what we call the B-word, a breach.
A hacker broke in and took the database.
But what's more is that anyone can get in and see the database with just a single URL.
Seriously, this entire hack is just visiting a single URL.
And here's the actual URL.
donalddaters2018.firebaseio.com/.json
If you went to that URL, you would see the entire database.
There was zip for permission and security there.
No key was needed.
You didn't have to bypass anything.
There was no authentication that was defeated. Just the URL extracted from the strings file in the APK.
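The single-URL check described above, as an added example that is not part of the episode transcript or the app's own code: it pulls a Realtime Database URL out of a decompiled APK's strings.xml, builds the `/.json` probe URL, classifies the response, and audits a rules document for unconditional read or write. The hostname `example-dating-2018.firebaseio.com`, the strings.xml body, the two rule sets and the canned responses are all constructed for the example.

```python
"""Added example (not code from the episode or the app): checking whether a
Firebase Realtime Database referenced inside an APK is world-readable, the way
the "single URL" finding works. Everything runs offline on constructed data;
the hostname, the strings.xml body and the rules documents are made up."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed res/values/strings.xml, shaped like the one a decompiled APK yields.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Dating</string>
    <string name="firebase_database_url">https://example-dating-2018.firebaseio.com</string>
</resources>
"""

# Wide-open "test mode" style rules versus rules that bind access to the signed-in owner.
DEBUG_RULES = {"rules": {".read": True, ".write": True}}
LOCKED_RULES = {"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}

FIREBASE_URL = re.compile(r"https://[a-z0-9-]+\.(?:firebaseio\.com|firebasedatabase\.app)")


def find_firebase_urls(strings_xml: str) -> list:
    """Every Realtime Database base URL referenced in a strings.xml body."""
    return sorted(set(FIREBASE_URL.findall(strings_xml)))


def probe_url(db_url: str, path: str = "/") -> str:
    """REST form of a node: appending '/.json' to a path returns that node as JSON."""
    parts = urlsplit(db_url)
    return urlunsplit((parts.scheme, parts.netloc, path.rstrip("/") + "/.json", "", ""))


def classify_probe(status: int, body: str) -> str:
    """Interpret an unauthenticated GET on a '/.json' URL.

    Firebase answers 401 with {"error": "Permission denied"} when the rules deny
    anonymous reads. A 200 whose body is JSON null means the node is readable
    but empty; any other 200 JSON body means the node is world-readable.
    """
    if status in (401, 403):
        return "locked"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    return "readable-but-empty" if data is None else "open"


def anonymous_access(rules_doc: dict) -> dict:
    """Paths whose .read/.write is the literal true (no auth condition at all).

    String rules such as "auth != null" are evaluated per request, so they are
    not reported; only unconditional grants are.
    """
    found = {"read": [], "write": []}

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    found[key[1:]].append(path or "/")
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return found


def live_probe(db_url: str, timeout: float = 10.0) -> str:
    """Actually send the GET. Only run against a database you are authorised to test."""
    req = urllib.request.Request(probe_url(db_url), headers={"User-Agent": "firebase-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for url in find_firebase_urls(SAMPLE_STRINGS_XML):
        print("would probe:", probe_url(url))
    # Constructed responses standing in for what the two rule sets would produce.
    print("debug rules :", anonymous_access(DEBUG_RULES), classify_probe(200, '{"users": {"u1": {}}}'))
    print("locked rules:", anonymous_access(LOCKED_RULES), classify_probe(401, '{"error": "Permission denied"}'))
```

Only `live_probe` sends a request; everything else runs offline. The two rule sets show the fix: the open one grants read and write to anyone who knows the hostname, the locked one makes every access depend on `auth.uid`, which is what a visit to the `/.json` URL would have run into.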
You know, the developer didn't ask you to find vulnerabilities in this,
but you went and you found a vulnerability. Did you feel like that was crossing a line?
No, in my opinion, no, because I'm not looking at this vulnerability with malicious intent.
My goal is never to use this kind of vulnerability as a malicious actor.
So what I'm doing, I'm trying to help them and I'm trying to help their users.
And in general, the contact is quite good with the companies, because they understand they have an issue and they want to fix this issue.
So everybody is happy to discuss, and it's fine.
And for me, you don't cross a line when you find a vulnerability like this, because you try to help the company. But if you use this vulnerability to earn money, if you use this vulnerability to, I don't know, because you want some fame or something like this, this is bad, and you are crossing the line.
Now, I'm confused, because when I saw this news, it looked to me like you were trying to embarrass this company, right? And now you just told me that you're here to help this company and to help these users. So did you like this company, or did you not like this company?
I don't have an opinion on the companies where I'm looking for vulnerabilities. I don't like Donald Daters, but I'm not...
You see what I mean, right? You're not quite helping users if you're really making fun of them.
Why? It's not a problem. I mean, you can do both. People need to understand that you can help a company, you can protect the user data, but at the same time, you can sort of publicly shame the company. And you can do both. And for me, it's not a problem.
You can publicly say, okay, this company has a big issue. This is a scandal because they kept the debug setting on Firebase. And this is stupid. But at the same time, you did the job. You protected the data of their users. And yeah, that's fine.
This is quite fascinating to me.
So let me pose some rhetorical questions for you, the listener.
He claims that it's okay for him to do this because he doesn't have malicious intent.
Is the intention enough to consider this to be okay?
Do you think he's embarrassing them or helping them?
Maybe a little bit of both?
After all this exploded in the media, the owner of the application decided to have a chat with Elliot.
I discussed with some members of the company, and they thanked me in private.
And they thanked me in public with their official handle on Twitter. They said, oh yes, we made a big mistake, and we are happy that it's happening right now and not when our database is bigger.
And that was that.
Everything got cleaned up and that story is over.
And after the break, we'll hear some other adventures
that Elliot got himself involved in.
Stay with us.
This episode is sponsored by Shopify. The new year is a great time to ask yourself,
what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name,
some cool stories, and working out the best way to record. But oh, so much more goes into making
a podcast than that. If you're
thinking, what if I start my own business? Don't be scared off because with Shopify,
you can make it a reality. Shopify makes it simple to create your brand, open for business
and get your first sale. Get your store online easily with thousands of customizable drag and
drop templates. And Shopify helps you manage your growing business. Shipping, taxes and payments are
all visible from one dashboard,
allowing you to focus on the important stuff.
So what happens if you don't act now and someone beats you to the idea?
The best time to start your new business is now with Shopify.
Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at shopify.com/darknet.
Go to shopify.com/darknet and start selling with Shopify today. shopify.com/darknet.
For this next part, we need to understand what Aadhaar is. And to do that, I'm going to call up a listener of mine in India.
Hello, can you hear me? Am I audible to you? Yeah, I can hear you.
What's up? How's it going? I'm doing a story about somebody finding security weaknesses in Aadhaar. So I want to understand more about Aadhaar.
Yeah, you're talking about that guy, Elliot Alderson on Twitter? Yes. Of course, why not? He's famous in India.
Jeez, of course. Elliot is famous worldwide. France, the US, now India. Okay, so Aadhaar. This is a card that everyone in India carries with them in their wallet or purse. It's sort of like a social security card in the US.
Kind of the same thing as Aadhaar. So Aadhaar is basically an identity which now our government is linking to each and every document that we have. Each and every, like, you know, if you're going to get a SIM card, you need to have your Aadhaar linked to it.
Wait, so if I want to get a bank account... oh my gosh. So you're saying if I want to get a cell phone or a bank account, I have to show them my Aadhaar card, which then links that to me.
Or maybe you have a gas connection. Even that counts in it. I mean, whatever things you're getting from the government or maybe semi-government bodies, you need to get your Aadhaar linked with it. So that's what they're doing. And since it is linked to sensitive information, that's why it's highly vulnerable.
Okay, I think we know enough about Aadhaar now. Let's go back to Elliot.
Yes.
So why, I mean, you're in France.
Yeah.
Aadhaar is in India.
Why do you care about this issue?
First, I didn't know about Aadhaar two years ago.
And one of my followers, multiple followers came to me and said,
oh, you should look at the Aadhaar Android application.
You will find some issue.
And I did.
I found like five or six different issues in their application.
And I started to learn more about the whole program.
I was like, this is not possible.
This is horrible in terms of security.
The biometric data of people are in danger and they don't care.
And also, it's not because I'm living in France
that I should not care about this
because we will have something like this pretty soon in France.
I was discussing with someone in the French government
and they want to implement something pretty similar in France.
So it will give some idea to European countries.
So this is why we need to stay vigilant and we need to advise government to tell them,
OK, if you want to have a number, be careful, because as you can see in India, they have a lot of issues.
They made these mistakes and don't do the same mistakes.
The more Elliot learned about Aadhaar, the less he liked it.
He started reading up on it more and more and learned everything he could about it.
One news article stood out for him.
That someone with a fake card and only with the correct photo and the Aadhaar number managed to open
some new phone line, managed to use some service for another person.
Someone created a fake photo and used another person's Aadhaar number and opened a credit card
for that other person. This story made it clear to Elliot that Aadhaar numbers should never be
posted publicly because someone can assume your identity and do things in your name.
But more so, your phone is tied to this number and your bank account and other things, maybe your house too.
And if the underlying system to Aadhaar is weak and exposes too much information about someone,
this can have horrible consequences.
They have to be very careful about this.
And this is like, you have this also in the US, the social security number.
You don't publish your social security number online.
In France, you cannot find your identity card.
It's super complicated in France to find another identity card.
In India, you can find thousands of Aadhaar cards.
And they have to consider this Aadhaar number, this Aadhaar card,
like an identity card, like a social security number.
And they don't, and this is personal data, and they shouldn't share it publicly.
So as Elliot is researching this, he decides to challenge himself.
He decided to see how many Aadhaar numbers he could find publicly in three hours.
These would be numbers that maybe someone tweeted about or posted or put on a website.
And he wasn't sure how he'd find them or where he'd find them,
but he wanted to know how many of these were exposed to anyone on the internet.
It was pretty easy to find Aadhaar cards online, because everybody was asking Indians for their Aadhaar cards, and nobody secured the data.
So what I did is, with some pretty Google search queries, I found a lot of Aadhaar cards. And after that, I created an automatic scraper in order to retrieve all the data automatically. And like this, I managed to find thousands and thousands of cards.
Keep in mind, not a single one of these Aadhaar card numbers should be publicly exposed. Yet he was finding a bunch. And he was live tweeting this entire challenge.
His first search, he found 25 cards.
Then he refined his search and was able to find a huge list of 18,000 Aadhaar numbers.
Then he tweeted that he found a few more here and a few more there, then another dump of 500 more cards. And then he found 700 more. Within three hours, Elliot found 20,000 Aadhaar numbers listed publicly online for anyone to see who would just do this simple Google search.
This was bad.
Yes, and if I remember correctly, there was another center of the government. So one of the instances I found was owned by the place where people go in order to create an Aadhaar card. And this is why there were so many cards in it.
Jeez, even the place that makes AdHard cards was leaking information.
After this challenge, Elliot put his Google searches and Python script onto his GitHub account and published it for everyone to see how they can find their own Aadhaar numbers online. And at this point, the Indian government started to take notice of Elliot's tweets.
Yes, they did. They removed everything at least, I think, two days or three days after that.
Crazy. Elliot is sort of like an internet vigilante, helping a little there, embarrassing a little here.
Wherever he goes, security does seem to get better.
Elliot kept poking around in India, checking out the scene, learning the culture.
The prime minister of India is Narendra Modi, and he has his own website, narendramodi.in. Elliot went to this
website and inspected it a little. He discovered a vulnerability on it, which allowed him to upload
whatever file he wanted to their site. This was definitely not good for the prime
minister's website to have a vulnerability. So what's Elliot do? He tweets it. His tweet said,
Hi, @narendramodi. A security issue has been detected on your website. An anonymous source uploaded a text file containing my name on the prime minister's website.
... contacted me. And these guys were pretty friendly, and the contact was good, and they tried to understand what was the issue.
understand what was the issue. You hear that? This absolutely boggles my mind. Elliot apparently
hacked into the prime minister's website and then tweeted about it. And he was called by their
office. And then Elliot describes the experience as they were friendly and it was cool. Other hackers might have had a really hard time doing this,
and I just wonder why Elliot is able to get away with this.
Is it because of so many Twitter followers he has,
or the intent that makes it okay?
His history of doing this?
It's just so strange to me.
Hacking into someone else's websites and apps should be illegal, right?
But he's perfectly fine doing it
and being open about it. I mean, yeah, he goes by Elliot online, but you heard him at the top of the
show say his real name, Robert Baptiste. He's not hiding from anyone while he does all this.
No wonder it's so exciting to watch his Twitter account. Now, as you might have guessed, there
are factions within India. Some people like the Aadhaar system and think it's great.
Others don't.
There's a government official named R.S. Sharma.
He's the chairman of India's Telecom Regulatory Authority.
And this isn't the agency that handles the Aadhaar numbers,
but instead it deals with telecom stuff.
Okay, fine.
But one day, R.S. Sharma, a government official, got tired of hearing people complain about Aadhaar, and he tweeted something.
R.S. Sharma wrote, quote,
My Aadhaar number is 7621-7768-2740.
Now I give this challenge to you.
Show me one concrete example where you can do any harm to me.
Oh my gosh.
RS Sharma, you are about to meet Elliot Alderson.
People help me. So a lot of people sent me information. But we did it, and we managed to find almost everything on him pretty easily.
Like what? Like his?
Everything.
Elliot started posting a flood of tweets.
First, this guy's phone number, then the phone number of his secretary,
then his email address, and then Elliot checked his email in haveibeenpwned.com,
and yep, the email was in a breach as well.
Then Elliot used the Aadhaar number to figure out his WhatsApp profile picture and posted that.
Then his date of birth, then his home address,
and Elliot somehow checked to see if there was a bank account tied to this Aadhaar number,
but there wasn't.
Doxing is very, very, very bad, and people shouldn't do it.
So I only published a redacted screenshot, and I tried to remove all his personal details.
I just wanted to show him that we had his info, that's all.
So the goal was really not to publish his details, and this is not doxing. The goal was not to dox him.
Just in case you didn't make that out,
Elliot was blacking out the actual details in these tweets,
and he was just showing enough information to prove that he had the info. Elliot and his followers were using a combination
of open source research like scouring Google, but also exploiting some of the weaknesses in
Aadhaar itself. At this point, R.S. Sharma saw Elliot's tweets.
I think this guy was surprised, because he was convinced that nobody would manage to find something.
So I think he was surprised.
And a few days after that, he tried to say, no, you shouldn't publish your Aadhaar number, but I didn't manage to find my personal data through my Aadhaar number, so it means they found my personal details because I am a public person, so it means Aadhaar is safe, which is partially false, because some of the information has been found with some other vulnerability.
From the looks of R.S. Sharma's tweets after this, it doesn't look like he learned his lesson.
Just to give you an example, his tweet where his Aadhaar number is posted publicly is still up for anyone to see right now.
I received a direct message on Twitter from a guy from India who told me,
I think I found something interesting, but you should look at this.
I don't have any details, but yeah, just look at this.
He sent me a URL. The URL was a website called Indane. It's a gas company in India,
and they serve 90 million families and have 9,000 distributors. When I looked at the URL, in the code
there was a number of Indane users.
And what I did is I managed to modify the URL in order to find all the distributors of Indane. And with that, I wrote an automatic scraper
in order to do my requests automatically.
And like this, I managed to get millions of Aadhaar numbers.
By just tweaking the URL in the website
to try different combinations,
he found that one of the URLs exposed millions of Aadhaar numbers,
all without authentication
or using an exploit to bypass.
Just if you know the right URL,
it'll give it all to you.
Elliot knew this was a big deal
and this company should not be leaking
possibly millions of AdHard numbers like this.
So he contacted a journalist
to work together on this one.
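The authorization gap behind the URL tweaking above, as an added example that is not Indane's code: a vulnerable handler that trusts the distributor number in the path, beside a hardened one that authenticates the caller, resolves an opaque id and requires ownership. The path `/distributors/<id>/customers`, the ids, the sessions and the records are all constructed for the example.

```python
"""Added example (none of this is Indane's code): a vulnerable request handler
beside a hardened one on a tiny in-memory API, showing the authorisation gap
behind "just change the number in the URL" findings. Endpoint path, record
layout, ids, sessions and data are constructed. Sensitive fields are stored
already masked to their last four digits, which is also how an API should
return them."""
import re
import secrets
from typing import Optional, Tuple

# Constructed data: distributor id -> customer records.
DISTRIBUTORS = {
    1001: [{"customer": "C-1", "id_last4": "4821"}, {"customer": "C-2", "id_last4": "0093"}],
    1002: [{"customer": "C-3", "id_last4": "7710"}],
}

# Constructed sessions: bearer token -> the distributor ids the caller may see.
SESSIONS = {
    "tok-for-1001": {"distributor_ids": {1001}},
    "tok-for-1002": {"distributor_ids": {1002}},
}

# Opaque public ids generated at startup, so the id space cannot be walked 1000, 1001, ...
OPAQUE_IDS = {did: secrets.token_urlsafe(16) for did in DISTRIBUTORS}
INTERNAL_ID = {opaque: did for did, opaque in OPAQUE_IDS.items()}


def vulnerable_customers(path: str, token: Optional[str] = None) -> Tuple[int, object]:
    """Before: the number in the URL is trusted as-is; no session, no ownership check."""
    m = re.fullmatch(r"/distributors/(\d+)/customers", path)
    if not m:
        return 404, {"error": "not found"}
    did = int(m.group(1))
    if did not in DISTRIBUTORS:
        return 404, {"error": "not found"}
    return 200, DISTRIBUTORS[did]


def hardened_customers(path: str, token: Optional[str] = None) -> Tuple[int, object]:
    """After: authenticate, resolve the opaque id, and require the caller to own it.

    Unknown ids and ids the caller does not own both get 404, so the response
    does not confirm which ids exist.
    """
    session = SESSIONS.get(token or "")
    if session is None:
        return 401, {"error": "authentication required"}
    m = re.fullmatch(r"/distributors/([A-Za-z0-9_-]+)/customers", path)
    if not m:
        return 404, {"error": "not found"}
    did = INTERNAL_ID.get(m.group(1))
    if did is None or did not in session["distributor_ids"]:
        return 404, {"error": "not found"}
    return 200, DISTRIBUTORS[did]


def walk_numeric_ids(handler, lo: int, hi: int, token: Optional[str] = None) -> int:
    """How many records an enumeration from lo to hi yields: the scraper's view of the API."""
    hits = 0
    for did in range(lo, hi + 1):
        status, body = handler(f"/distributors/{did}/customers", token)
        if status == 200:
            hits += len(body)
    return hits


if __name__ == "__main__":
    print("vulnerable, anonymous walk 1000..1010:", walk_numeric_ids(vulnerable_customers, 1000, 1010))
    print("hardened, anonymous walk 1000..1010:  ", walk_numeric_ids(hardened_customers, 1000, 1010))
    own = f"/distributors/{OPAQUE_IDS[1001]}/customers"
    print("hardened, owner with session:", hardened_customers(own, "tok-for-1001")[0])
    print("hardened, other tenant's session:", hardened_customers(own, "tok-for-1002")[0])
```

The enumeration helper is the scraper's view of the API: on the vulnerable handler a walk over a few consecutive ids returns every record; on the hardened one the same walk returns nothing, and even a valid session only sees its own distributor. Returning 404 for both unknown and not-owned ids keeps the response from confirming which ids exist, and opaque ids stop the walk altogether; production code would add rate limiting on top.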
My goal, I was working with a journalist ... how many Aadhaar numbers were leaked. And the goal was not to get the data.
I didn't retrieve the data. I just wanted to see how many Aadhaar numbers were available.
He created a scraper to go through the website to try to understand how many numbers were leaked.
And after this script ran, he had the total number of Aadhaar numbers exposed.
It was 6,700,000.
Which is a big number.
What did you do with this information?
I directly shared the information with a journalist, and together we tried to contact them in order to fix the issue.
But the problem with this kind of very, very big company is nobody is answering you. So we waited a little bit, and after that, Zack from TechCrunch published a story, and two hours later the problem was fixed.
Two hours later the problem was fixed? Whoa, this guy's crazy. I'm sure he's never going to go to India. He's ruined his reputation there.
It's not, no, it's not like that, actually. Honestly, he's kind of a hero. I find him like a heroic personality, because he just opened our eyes, like he made us aware of how vulnerable it is and how stupid this idea is of getting an Aadhaar.
I actually got a chance to meet Elliot in person this year, at DEF CON, of course,
which I just realized is in Paris, in Vegas.
Right at home for him, I suppose.
Together we sat and watched a conference talk and then chatted for a while.
He really does seem like a great guy with good intent,
willing to give free security assessments to anyone he finds interesting
and to help people understand the risks of poorly
built websites and applications. And after talking with him, I do get a better sense of what all this
is about. Elliot's a busy guy, always looking for the next thing to do, and he's endlessly curious.
He loves looking for problems, but then when he finds them, he just wants to forget about them
and move on. And the easiest way for him to forget about it is just to publish it and let someone else deal with it. It's like he's transferring consciousness. Oh man, I sound
hippy-dippy on that one. But yeah, he finds this problem, it's in his head, he tweets it,
and this lets him forget it, and now it's in someone else's head to deal with.
This lets him move on to the next thing more quickly. Earlier this year, Elliot was where
he naturally hangs out, on Twitter.
And he checked to see what Fox News was posting that day
and he saw another interesting app.
Like Donald Daters, I saw an ad, I think on the Fox News Twitter account. And I was like, okay, maybe I can try to find something on it. So I downloaded the application.
This was an Android app and it was called 63 Red.
It was an app that's exactly like Yelp, but for people who like Donald Trump.
I'm not exactly sure why they need their own apps like this.
What makes them so special?
But yeah, this is another one of those apps.
And of course, Elliot decides to take a look at it.
Very quickly, I managed to find a big vulnerability in their API.
So an Android app can be made two ways. You can write code for it and compile the program to run, or you can just make the app in HTML5 using JavaScript, and it will run just like a website would. It'll look like an app, but it's actually just like a website underneath.
And because the app was made like this,
Elliot was able to see all the JavaScript used
to create this website app.
And in there, he found the database URL
and API keys to access it.
This really is as safe as writing your password
on a postcard.
You just turn the card over to see the password.
Or in this case, right-click, view source,
and you see the password.
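A scan for what "view source" exposes, as an added example that is neither 63 Red's code nor the episode's: it runs a few credential-shaped patterns and an entropy score over a constructed JavaScript bundle. The bundle, the key-shaped strings in it and the pattern names are made up for the example; the same scan applies to the strings.xml from a decompiled APK.

```python
"""Added example (not 63 Red's code or the episode's): scan an HTML5/WebView app
bundle for hard-coded credentials. The bundle is constructed; the key-shaped
values are made-up strings of the right form, not real keys."""
import math
import re
from collections import Counter

SAMPLE_BUNDLE = r'''
var firebaseConfig = {
  apiKey: "AIzaSyExample0123456789abcdefghijklmnop",
  databaseURL: "https://example-reviews-app.firebaseio.com",
  projectId: "example-reviews-app"
};
const ADMIN_TOKEN = "tok_example_9f8e7d6c5b4a3210";
var BASIC = btoa("admin:Summer2019!");
function track(e){ console.log("event", e); }
'''

# Ordered: specific shapes first, so a value is reported under its most precise kind.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "credential_assignment": re.compile(
        r"(?i)\b[A-Za-z_]*(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "basic_auth_literal": re.compile(r"btoa\(\s*['\"]([^'\"]+:[^'\"]+)['\"]\s*\)"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and ids score lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(text: str) -> list:
    """Findings as dicts: line, kind, value, entropy. One finding per (line, value)."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                if (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({"line": lineno, "kind": kind, "value": value,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


def redact(value: str) -> str:
    """Show enough to locate the secret in the source without reprinting it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']:>3} {f['kind']:<22} {redact(f['value']):<12} entropy={f['entropy']}")
```

A Firebase apiKey found this way identifies the project rather than authenticating anyone, so its presence alone is not the bug; the finding that matters is the one a scanner cannot make, that the backend accepted writes with no user token. Treat the assignment and basic-auth hits as real secrets and rotate them; treat the Firebase hit as a pointer to go check the rules.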
There was no authentication process, so everybody has the ability to modify, to do whatever they want.
So you were able to ban an account, to create some friendship between accounts, to create as many accounts as you want. You were able to do whatever you want.
And also, there were hard-coded credentials multiple times in the source code.
Elliot found this URL and the API keys, which gave him full read-write access to this entire
database.
You want to give yourself 1,000 five-star reviews?
No problem.
Done.
You want the email addresses of all the users?
Okay, here.
What Elliot found gave him full control of the database.
When I found the vulnerability, I tried everything in order to see if I could confirm the vulnerability.
After that, I didn't contact the company. I directly published some screenshots of the vulnerability on Twitter, and I tried to redact as much as I could on the screenshots. After that, the guys from 63 Red were pretty angry, and they threatened to call the FBI. And so, yeah, it was not good.
Aha! See, I knew this was illegal.
I knew this was going to happen, right?
You break into someone else's stuff, you hack their database,
you post it on Twitter.
Yeah, sure, it's redacted, but it's also proof that you were there.
This is going too far. It's breaking the law.
And sure enough, the 63 Red team did see it that way.
They claimed to have called the FBI to report a, quote, politically motivated attack. And they said
they want, quote, this perpetrator will be brought to justice and we will pursue this matter and all
attacks failed or otherwise to the utmost extent of the law, end quote.
Elliot put his hand in the fire too many times. Now he's getting burned.
Security researchers, hackers are not bad guys. And we are here to help,
and the InfoSec community
in general is here to
help companies.
We are working in companies.
This is what we are doing as a job.
And we are not here to
destroy their business.
And
this is never good to react like this,
like 63 Red did,
because you are threatened.
A security researcher is very, very bad
and it's giving a very bad signal to the community.
And if someone is finding a vulnerability
in your system, in your company, you have to thank him
and say, okay, thank you for finding this, and you saved me some money, because maybe
someone with bad intentions already found it, or will find it, or will use it for another purpose.
so we are the bad guy
we are the good guy
in this story
that was a Freudian slip in there
because that's what
I think a lot of listeners are going to wonder
if you're a good guy or a bad guy
No, this is very important.
I'm really a good guy,
and I don't earn money with that.
This is important
because this work has to be done
by someone who needs to do this work.
Yeah.
It's still funny to me
that if you're not a Trump supporter,
you don't like Trump, and you're there to help people do security research for free.
Yes, I found a vulnerability
in a pro-Trump application, but
you just have to give me another
US-American
application
and I will be happy to find
another vulnerability.
It was just
an opportunity, but my work
is way bigger than this.
I'm not a political opponent of Trump.
I'm not doing politics, and I'm not even living in the U.S.,
so I don't care about Trump at all.
Yes, I found vulnerability in pro-Trump apps,
but yeah, give me application of Democrat, and I will be happy to find a vulnerability in it.
And this is what I did in India too. I managed to find vulnerability in application of both sides.
So I don't care about the political side of the owner.
And you don't care? I mean, you said
your name. I mean, you told me just at the beginning
of the show, Robert, and you don't
care that that's open
as well?
Yes. I mean,
I'm a public person.
For two years now,
I was on TV
in the US, and I was on
national TV in the US,
in Canada, in India, in France,
so I'm a public person,
so I'm not doing bad stuff,
and this is why I'm not a bad guy.
I'm really trying to do good things,
and I'm doing good things publicly,
and this is really my action.
I'm trying to spread the message. Security is
important. The InfoSec community is here to help. And we are not afraid. We are not hiding.
We are here to communicate about security, to find issues. And we have no reason to hide.
I did nothing wrong. So I don't have any reason to hide my identity.
Well, I mean, from where the law is,
you're not allowed to access equipment that's not yours.
This is not black and white.
In Europe, for example, if your intent is to find,
if you want to find vulnerabilities,
if your purpose is to find security issues,
there is some exception.
You have the right.
And what I'm doing is not, I'm not hacking stuff.
I'm finding vulnerability, but I'm
not exploiting this
vulnerability. There is a difference
between finding a vulnerability
and extracting data
with this
vulnerability. And my goal is
just to point out,
to point the finger on
this vulnerability, and
that's all. I'm not getting the user data.
I never do.
I don't care about user data.
Do you ever get
afraid like when
63 Red said we're going to contact the FBI?
Did that scare you or anything?
I was not afraid but
I was not happy because
this is not cool.
And the goal is, again, the goal is to have a conversation on security.
The goal is to help the company.
And when the guys are angry like this, it's a problem because we cannot discuss.
And I don't like that.
So did anything happen after that, after they threatened the FBI?
No, nothing happened. They removed the application from the store,
but they have like three or four different applications,
and people find those kinds of vulnerabilities in them.
They contact 63 Red, but they get nothing.
Do you get an adrenaline rush when you find these vulnerabilities?
I'm starting to get used to this kind of thing.
So I published a lot of things,
and I managed to find a lot of cool vulnerabilities like this. But you still
have a specific feeling. You know that you have something interesting. This is something cool,
this is something you shouldn't have in theory, and you are excited. But at the same time, you know that you cannot do,
you have to be careful with that,
and you need to be responsible.
Yeah, it sounds like you have a lot of responsibility
because of that, you know?
Like, you keep finding vulnerability after vulnerability
from companies that don't ask you to find these vulnerabilities.
So you're, in a sense, you're a little bit black hat.
No, no, I would not say that.
I'm more a gray hat in reality
because a black hat is a guy who has malicious intent.
And I want this to be clear.
I never earn money
with the vulnerability I found.
Never, ever.
And my
intents are never malicious.
So this is why I'm not a black
hat. But as you said,
I don't have the authorization
and explicit authorization
to find this kind of vulnerability.
So you can consider me between the white hat and the gray hat,
something like this.
Yeah.
It sounds to me like you're a vigilante.
I don't know.
At this point, I'm baffled on what to think.
I still believe if a company does not ask you to do this, and they don't have a bug bounty program,
and you actively go and search for vulnerabilities and then post what you found on Twitter, this is against the law.
But maybe things are different in Europe.
But even so, I've seen him personally in Las Vegas, where he's freely coming and going in and out of the U.S.
without being arrested or any
charges against him. Typically, people commit computer crimes because of economic benefits,
power, revenge, adventure, ideology, or lust. But none of these actually match what Elliot is doing.
He's saying he's helping people secure their apps better by hacking them and telling them he did it. He doesn't ask for a
reward of any kind or any special recognition. He just does it and tells the company how vulnerable
they are. It's rather odd to me, but in the end, I do believe what he's doing is good for everyone.
Somebody needs to be doing this, and it should be the companies who do this work,
but since they don't, he sometimes takes it
on himself. And I'm still not sure if Robert Baptiste, aka Elliot Alderson, is famous or infamous.
A big thank you to Robert Baptiste for sharing some of these crazy stories with us.
Of course, you can find him on Twitter as Elliot Alderson, and his name there is F Society.
Good luck out there, Elliot.
The devil is strongest when you're looking the other way, like a program running in the background silently.
Also, a big thanks to Terabyte for being boots on the ground for me in India and teaching us all about Aadhaar.
It was really cool.
This show is created by me, The Dark Rose,
Jack Rhysider, and editing
help this episode by our in-house rootkit
writer, Damien, and our theme
music is created by DJ Mobley's apprentice,
Breakmaster Cylinder.
And even though the Dark Army starts following
me for days, every time I say it,
this is Darknet Diaries.