Lex Fridman Podcast - #266 – Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar

Episode Date: February 21, 2022

Nicole Perlroth is a cybersecurity journalist and author.

Please support this podcast by checking out our sponsors:
- Linode: https://linode.com/lex to get $100 free credit
- InsideTracker: https://in...sidetracker.com/lex and use code Lex25 to get 25% off
- Onnit: https://lexfridman.com/onnit to get up to 10% off
- ROKA: https://roka.com/ and use code LEX to get 20% off your first order
- Indeed: https://indeed.com/lex to get $75 credit

EPISODE LINKS:
Nicole's Twitter: https://twitter.com/nicoleperlroth
Nicole's Website: https://nytimes.com/by/nicole-perlroth
Nicole's Book: https://amzn.to/3sOQjrs

PODCAST INFO:
Podcast website: https://lexfridman.com/podcast
Apple Podcasts: https://apple.co/2lwqZIr
Spotify: https://spoti.fi/2nEwCF8
RSS: https://lexfridman.com/feed/podcast/
YouTube Full Episodes: https://youtube.com/lexfridman
YouTube Clips: https://youtube.com/lexclips

SUPPORT & CONNECT:
- Check out the sponsors above, it's the best way to support this podcast
- Support on Patreon: https://www.patreon.com/lexfridman
- Twitter: https://twitter.com/lexfridman
- Instagram: https://www.instagram.com/lexfridman
- LinkedIn: https://www.linkedin.com/in/lexfridman
- Facebook: https://www.facebook.com/lexfridman
- Medium: https://medium.com/@lexfridman

OUTLINE:
Here are the timestamps for the episode. On some podcast players you should be able to click the timestamp to jump to that time.
(00:00) - Introduction
(06:54) - Zero-day vulnerability
(12:55) - History of hackers
(27:47) - Interviewing hackers
(31:49) - Ransomware attack
(44:33) - Cyberwar
(57:41) - Cybersecurity
(1:06:48) - Social engineering
(1:23:41) - Snowden and whistleblowers
(1:33:11) - NSA
(1:42:58) - Fear for cyberattacks
(1:50:29) - Self-censorship
(1:54:50) - Advice for young people
(2:00:07) - Hope for the future

Transcript
Starting point is 00:00:00 The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. And now a quick few-second mention of each sponsor. Check them out in the description. It's the best way to support this podcast. First is Linode, Linux virtual machines. Second is InsideTracker, a service I use to track my biological data. Third is Onnit, a nutrition supplement and fitness company. Fourth is ROKA, my favorite
Starting point is 00:00:31 sunglasses and prescription glasses. And fifth is Indeed, a hiring website. So the choice is computation, health, style, or building an amazing team. Choose wisely, my friends. And now onto the full ad reads. As always, there are no ads in the middle. I try to make this interesting, but if you skip them, please still check out the sponsors. I enjoy their stuff, maybe you will too. This episode is sponsored by Linode,
Starting point is 00:00:57 Linux virtual machines. It's an awesome compute infrastructure that lets you develop, deploy, and scale whatever applications you build faster and easier. This is both for small personal projects and huge systems. Lower cost than AWS, but more important to me is the simplicity and quality of their customer service with real humans, 24/7/365.
Starting point is 00:01:24 Their motto is, if it runs on Linux, it runs on Linode. I have not shut up in saying how much I love Linux, every single distribution: Gentoo, Arch Linux, everything based on Arch Linux, Ubuntu, everything based on Debian. I used to use, did I already mention Gentoo, there's Linux Mint, all the sexy new
Starting point is 00:01:45 flavors based on the old school. Of course, there's Red Hat and Fedora and all that. Anyway, I love Linux. I love compute infrastructure. What else can you say? Linux is awesome. Visit linode.com slash Lex and click on the Create Free Account button to get started with $100 in free credit. This show is also brought to you by InsideTracker, a service I use to track my biological data. They have a bunch of plans, most of which include a blood test that gives you a lot of information that you can then make decisions based on. They use machine learning algorithms to then analyze that data, and that comes from blood
Starting point is 00:02:23 data, DNA data, fitness tracker data, all that to provide you with a clear picture of what's going on inside your body and to offer you science-backed recommendations for positive diet and lifestyle changes. This to me feels like the future. It's obvious that medicine, lifestyle, all your decisions come from your own personal data. By the way, this is something that comes up more and more. The privacy of that data, the control over that data is really important.
Starting point is 00:02:50 Getting that right in the future will be a very difficult problem. But what isn't difficult is to understand that decisions should be made based on information coming from your own body. And that's what InsideTracker is about. For a limited time, you get 25% off the entire InsideTracker store. If you go to insidetracker.com slash Lex, that's insidetracker.com slash Lex. This episode is also brought to you by Onnit, a nutrition supplement and fitness company that makes Alpha Brain, which is a nootropic
Starting point is 00:03:21 that helps you support memory, mental speed and focus. I use it not every day, but when I want to boost my thinking, the clarity, the focus, the mental speed in a deep work session, a particularly difficult deep work session when I have to struggle through a hard problem. That's where I will take an Alpha Brain. It's a boost, a rocket launcher for my mind. One thing I should mention is the thing that makes a work session hard is when there's a lot of tangents, a lot of side roads that lead to a dead end
Starting point is 00:04:02 and force me to backtrack. That is the most exhausting thing. So yeah, in those cases I'll sometimes take an Alpha Brain and it really helps. Anyway, go to lexfridman.com slash onnit to get up to 10% off Alpha Brain, that's lexfridman.com slash onnit. This show is also brought to you by ROKA, the makers of glasses and sunglasses that I love wearing for their design, feel and innovation on material, optics and grip. ROKA was started by two All-American swimmers from Stanford and it was born out of an obsession with performance. I met one of said founders, they have a place here in Austin.
Starting point is 00:04:42 I love it when not only the product is great, but the people that make the product are great. And obviously the product I love, it's designed to be active in, extremely lightweight. The grip is comfortable but strong and the style is just like I like it, it's classy, it's minimalist, holds up in all conditions. I'll wear it while wearing a suit, I'll wear it while running, running gear, freezing weather, super hot, you know, I wore it through the Austin 100 degree summer. Check them out for both prescription glasses and sunglasses at
Starting point is 00:05:15 roka.com and enter code LEX to save 20% off on your first order. That's roka.com and enter code LEX. This show is also brought to you by Indeed, a hiring website. I've used them as part of many hiring efforts I've done for the teams I've led in the past. They have tools like Indeed Instant Match that gives you quality candidates whose resumes on Indeed fit your job description immediately. I am one of those people that believe that a great team is not just about productivity, a great team is a source of happiness. It's a source of meaning. It's a source of personal
Starting point is 00:05:52 growth. Hiring is the most important thing for those of us that spend a significant percentage of our life at work or working on something we love. It doesn't feel like work, and one of the reasons it might not feel like work is because you're working with people you love, you respect, that challenge you, that excite you, all those kinds of things. And that's all about hiring. So you should be using the best tools for the job. Anyway, right now you'll get a free $75 sponsored job credit to upgrade your job post at indeed.com slash Lex. Terms and conditions apply. Go to indeed.com slash Lex. This is the Lex Fridman Podcast, and here is my conversation with Nicole Perlroth.

You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists,
Starting point is 00:07:00 government officials, forensic investigators, and mercenaries. So let's talk about cybersecurity and cyberwar. Start with the basics. What is a zero-day vulnerability? And then a zero-day exploit or attack? So at the most basic level, let's say I'm a hacker, and I find a bug in your iPhone iOS software that no one else knows about, especially Apple.
Starting point is 00:07:30 It's called a zero-day because the minute it's discovered, engineers have had zero days to fix it. If I can study that zero-day, I could potentially write a program to exploit it. And that program would be called a zero-day exploit. And for iOS, the dream is that you craft a zero-day exploit that can remotely exploit someone else's iPhone without them ever knowing about it. And you can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on
Starting point is 00:08:12 someone without them knowing. And you can see why that capability, that zero-day exploit, would have immense value for a spy agency or a government that wants to monitor its critics or dissidents. And so there's a very lucrative market now for zero-day exploits. So you said a few things there. One is iOS. Why iOS, which operating system, which one is the sexier thing to try to get to or the most impactful thing? And the other thing you mentioned is remote versus, like, having to actually come in physical contact with it. Is that the distinction?
Starting point is 00:08:49 So, iPhone exploits have just been governments' number one priority. Recently, actually, the price of an Android remote zero-day exploit, something that can get you into Android phones, is actually higher. The value of that is now higher on this underground market for zero-day exploits than an iPhone iOS exploit. So things are changing. So there's probably more Android devices, so that's why it's better. But then the iPhone side, if I... I'm an Android person, because I'm a man of the people.
Starting point is 00:09:27 But it seems like all the elites use iPhone, all the people at nice dinner parties. So is that the reason that the more powerful people use iPhones, is that why? I don't think so. I actually, so it was about two years ago that the price has flipped. It used to be that if you could craft a remote zero click exploit for iOS, then that was
Starting point is 00:09:53 about as good as it gets. You could sell that to a zero-day broker for $2 million. The caveat is, you can never tell anyone about it because the minute you tell someone about it, Apple learns about it, they patch it in that $2.5 million investment that that zero-day broker just made goes to dust. So a couple of years ago, and don't quote me on the prices, but an Android zero click remote exploit for the first time topped the iOS. And actually a lot of people's read on that was that it might be a sign that Apple security was falling.
Starting point is 00:10:39 And that it might actually be easier to find an iOS zero toto-X-Po-T then find an Android 0-to-X-Po-T. The other thing is market share. There are just more people around the world that use Android. A lot of governments that are paying top dollar for 0-to-X-Po-T these days are deep-pocketed governments in the Gulf that want to use these exploits to monitor their own citizens, monitor their critics. And so it's not necessarily that they're trying to find elites. It's that they want to find out who these people are that are criticizing them or perhaps
Starting point is 00:11:18 planning the next Arab Spring. So in your experience, are most of these attack targeted to cover a large population or is there attacks that are targeted to a specific individuals? So I think it's both. Some of the zero day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted. You know, there was a potential terrorist attack. They wanted to get into this person's phone. It had to be done in the next 24 hours. They approached hackers and say,
Starting point is 00:11:48 we'll pay you, you know, X millions of dollars if you can do this. But then you look at, when we've discovered iOS zero to exploits in the wild, some of them have been targeting large populations like weekers. So a couple of years ago, there was a watering hole attack.
Starting point is 00:12:09 Okay, it's a watering hole attack. There's a website, it was actually, it had information aimed at weekers and you could access it all over the world. And if you visited this website, it would drop an iOS zero day exploit onto your phone. And so anyone that visited this website that was about Wiggers anywhere, I mean, Wiggers, Wiggers living abroad, basically the Wigger diaspora would have gotten infected with this zero day exploit.
Starting point is 00:12:42 So in that case, you know, they were targeting huge swaths of this one population or people interested in this one population, basically in real time. Who are these attackers from the individual level to the group level psychologically speaking? What's their motivation? Is it purely money? Is it the challenge?
Starting point is 00:13:08 Are they malevolent? Is it power? These are big philosophical human questions, I guess. So these are the questions I set out to answer for my book. I wanted to know, are these people that are just after money. If they're just after money, how do they sleep at night, not knowing whether that zero-to-x plate
Starting point is 00:13:30 they just sold to a broker is being used to basically make someone's life a living hell. And what I found was there's kind of this long-sorted history to this question. It started out in the 80s and 90s when hackers were just finding holes and bugs and software for curiosity's sake, really as a hobby, and some of them would go to the tech companies like Microsoft or Sun Microsystems at the time, or Oracle. And they'd say, hey, I just found this zero day in your software and I can use it to break
Starting point is 00:14:05 in an ASA. And the general response at the time wasn't, thank you so much for pointing out this flaw and our software. We'll get it fixed as soon as possible. It was, don't ever poke around our software ever again or we'll stick our general counsel on you. And that was really sort of the common thread for years. And so hackers who set out to do the right thing
Starting point is 00:14:33 were basically told to shut up and stop doing what you're doing. And what happened next was they basically started trading this information online. Now when you go back and interview people from those early days, they all tell a very similar story, which is, they're curious, they're tinkers. They remind me of the kid down the block that was constantly poking around the hood of his dad's car. They just couldn't help themselves.
Starting point is 00:15:05 They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose. It doesn't have to be good or bad. But they were basically kind of beat down for so long by these big tech companies that they started just silently trading them with other hackers and that's how you got these really heated debates in the 90s about disclosure.
Starting point is 00:15:35 Should you just dump these things online because any script kitty can pick them up and use it for all kinds of mischief. But don't you want to just stick a middle finger to all these companies that are basically threatening you all the time. So there is this really interesting dynamic at play. And what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment. And they started quietly reaching out to hackers on these forums. And they said, hey, you know that zero day you just dropped online. Could you could you come up with
Starting point is 00:16:15 something custom for me? And I'll pay you six figures for it so long as you shut up and never tell anyone that we that I paid you for this. And that's what happened. So throughout the 90s, there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, hey, I'll pay you six figures for that bug. You were trying to get Microsoft to fix for free and sort of so began or so catalyzed this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free.
Starting point is 00:16:51 And in those early days, I think a lot of it was just for quiet counterintelligence, traditional espionage. But as we started baking the software, Windows software, Schneider Electric, Siemens Industrial Software into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero days came to be just as valuable for sabotage and war planning.
Starting point is 00:17:23 Does the fact that the market sprung up and you can now make a lot of money change the nature of the attackers that came to the table, or grow the number of attackers? I mean, I guess you told the psychology of the hackers in the 90s. What is the culture today? And where is it heading? So I think there are people who will tell you they would never sell a zero-day to a zero-day broker or a government. One, because they don't know how it's going to get used when they throw it over the fence. Most of these get rolled into classified programs and you don't know how they get used. If you sell it to a zero-day broker, you don't even know which nation state might use it.
Starting point is 00:18:05 Or potentially which criminal group might use it if you sell it on the dark web. The other thing that they say is that they want to be able to sleep at night. And they lose a lot of sleep if they found out their zero-day was being used to make a dissident's life a living hell. But there are a lot of people, good people, who also say, no, this is not my problem.
Starting point is 00:18:31 This is the technology company's problem. If they weren't writing new bugs into their software every day, then there wouldn't be a market. Then there wouldn't be a problem. But they continue to write bugs into their software all the time, and they continue to profit off that software. So why shouldn't I profit off my labor, too? And one of the things that has happened, which is, I think, a positive development
Starting point is 00:18:56 over the last 10 years, are bug bounty programs. Companies like Google and Facebook, and then Microsoft and finally Apple, which resisted it for a really long time, have said, okay, we are going to shift our perspective about hackers. We're no longer going to treat them as the enemy here. We're going to start paying them for what it's essentially free quality assurance. And we're going to pay them good money in some cases, you know,
Starting point is 00:19:25 six figures in some cases. We're never going to be able to bid against a zero-day broker who sells to government agencies, but we can reward them and hopefully get that to that bug earlier where we can neutralize it so that they don't have to spend another year developing the zero-day exploit. And in that way, we can keep our software more secure. But every week, I get messages from some hacker that says, you know, I tried to see this zero-day exploit that was just found in the wild, you know, being used by this nation state. I tried to tell Microsoft about this two years ago,
Starting point is 00:20:03 and they were going to pay me peanuts so it never got fixed. They're all sorts of those stories that can continue on. And I think just generally hackers are not very good at diplomacy. They tend to be pretty snipy, technical, crowd, and very philosophical in my experience, but diplomacy is not their strong suit. There almost has to be a broker between companies and hackers. We can translate effectively just like you have a zero-day broker between governments
Starting point is 00:20:39 and hackers. You have to speak their language. There have been some of those companies who've risen up to meet that demand. And hacker one is one of them. Bug crowd is another. Synac has an interesting model. So that's a company that you pay for a private bug bounty program essentially. So you pay this company.
Starting point is 00:21:00 They tap hackers all over the world to come hack your software, hack your system, and then they'll quietly tell you what they found. I think that's a really positive development. Actually, the Department of Defense hired all three of those companies, I just mentioned, to help secure their systems. Now, I think they're still a little timid in terms of letting those hackers into the really sensitive, high-side classified stuff, but, you know, baby steps. Just to understand what you were saying, you think it's impossible for companies to financially compete with the zero-day brokers with governments. So, like, the defense can't all pay the hackers.
Starting point is 00:21:46 It's interesting, you know, they, they shouldn't outpay them because what would happen if they started offering $2.5 million at Apple for any, you know, zero-dexplate that governments would pay that much for is their own engineers would say, why the hell am I working for less than that and doing my 9-5 every day. So you would create a perverse incentive and I didn't think about that until I started this research and I realized, okay, yeah, that makes sense. You don't want to incentivize offense so much that it's to your own detriment. And so I think what they have though, what the companies have on government agencies is if they pay you, you get to talk about
Starting point is 00:22:34 it, you know, you get the street cred, you get to brag about the fact you just found that $2.5 million dollar, you know, iOS zero day that no one else did. And if you sell it to a broker, you never get to talk about it. And I think that really does eat at people. Can I say a big philosophical question about human nature here? So if you have, even what you've seen, if a human being has a zero day, they found a zero day vulnerability that can hack into, I
Starting point is 00:23:08 don't know, what's the worst thing you can hack into? Something that could launch nuclear weapons, which percentage of the people in the world that have the skill would not share that with anyone, with a bad party? I guess how many people are completely devoid of ethical concerns in your sense. So my belief is all the ultra-competent people or very, very high percentage of ultra-competent people are also ethical people. That's been my experience, but then again, my experience is narrow. That's been my experience, but then again, my experience is narrow. What's your experience been like? So this was another question I wanted to answer. Who are these people who would sell a zero-day exploit that would neutralize a Schneider
Starting point is 00:23:59 Electric Safety Lock at a petrochemical plant? Basically the last thing you would need to neutralize before you trigger some kind of explosion. Who would sell that? And I got my answer. Well the answer was different. A lot of people said I would never even look there because I don't even want to know. I don't even want to have that capability. I don't like I don't even want to have to make that decision, I don't even want to have that capability. I don't like, I don't even want to have to make that decision, but whether I'm going to profit off of that knowledge. I went down to Argentina and this whole kind of moral calculus I had in my head was completely flipped around.
Starting point is 00:24:38 So just a backup for a moment. So Argentina actually is a real hacker's paradise. People grew up in Argentina and you know, I went down there, I guess I was there around 2015, 2016, but you still couldn't get an iPhone, you know, they didn't have Amazon Prime, you couldn't get access to any of the apps we all take for granted. To get those things in Argentina as a kid, you have to find a way to hack them. And it's, the whole culture is really like a hacker culture. They say, it's really like a maghiver culture. You have to figure out how to break into something with wire and tape. And that means that there are a lot of really good hackers in Argentina who are, who specialize in developing
Starting point is 00:25:27 zero-dexplates. And I went down to this Argentina conference called Echo Party. And I asked the organizer, okay, can you introduce me to someone who's selling zero-dexplates to governments? And he was like, just throw a stone. Throw a stone anywhere and you're gonna hit someone. And all over this conference you saw these guys who were clearly from these Gulf states who only spoke Arabic. You know what are they doing at a young hacking conference in Buenos Aires? Oh boy. And so I went out to lunch with kind of this godfather of the hacking scene. There and I asked this really dumb question and I'm still embarrassed about how I phrased it. But I said, so, you know, well, these guys only sell these zero-day exploits to good western
Starting point is 00:26:17 governments. And he said, Nicole, last time I checked the United States wasn't a good Western government. The last country that bombed another country into oblivion wasn't China or Iran. It was the United States. If we're going to go by your whole moral calculus, just know that we have a very different calculus down here. We'd actually rather sell to Iran or Russia or China maybe than the United States. And that just blew me away. Like, wow, you know, he's like, we'll just sell to ever brings us the biggest bag of cash. Have you checked into our inflation situation recently? So, you know, I had some, some of those like reality checks along the way. You know, we tend to think of things as is this moral, is this ethical, especially
Starting point is 00:27:06 as journalists. We kind of sit on our high horse sometimes and write about a lot of things that seem to push the moral bounds. But in this market, which is essentially an underground market, the one rule is like Fight Club. No one talks about Fight Club. First rule of the zero-day market, nobody talks about the zero day market on both sides. Because the hacker doesn't want to lose their $2.5 million bounty and governments roll these into classified programs and they don't want anyone to know what they have.
Starting point is 00:27:38 So no one talks about this thing. And when you're operating in the dark like that, it's really easy to put aside your morals sometimes. Can I as a small tangent ask you by way of advice, you must have done some incredible interviews. And you've also spoken about how serious you take protecting your sources. If you were to give me advice for interviewing when you're recording on Mike with a video camera How is it possible to get into this world like is it basically impossible? So you've you've spoken with a few people
Starting point is 00:28:17 What is it like the godfather of cyber war cyber security some people that are already out and There still have to be pretty brave to speak publicly. But is it virtually impossible to really talk to anybody who is a current hacker? Are you always like 10, 20 years behind? It's a good question. And this is why I'm a print journalist. But you know, a lot, when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered, you know, when they've gotten someone on camera,
Starting point is 00:28:52 that's usually how they do it. You know, very, very few people talk in this space. And there's actually a pretty well-known case study in why you don't talk publicly in this space and you don't get photographed. And that's the gruck. So, you know, the gruck is, or was, this zero day broker, South African guy lives in Thailand. And right when I was starting on this subject at the New York Times, he'd given an interview to Forbes.
Starting point is 00:29:21 And he talked about being a zero day broker. And he even posed next to this giant, defl bag filled with cash ostensibly. And later he would say he was speaking off the record. He didn't understand the rules of the game. But what I heard from people who did business with him was that the minute that that story came out, he became PNGed. No one did business with him. His business plummeted by at least half. No one wants to do business with anyone who's gonna get on camera
Starting point is 00:29:52 and talk about how they're selling zero days to governments. It puts you at danger. And I did hear that he got some visits from some security folks. And that's another thing for these people to consider. If they have those zero-day exploits at their disposal, they become a huge target for nation-states all over the world.
Starting point is 00:30:17 Talk about having perfect op-sec. You better have some perfect op-sec. If people know that you have access to those zero-day exploits. Which sucks because I mean transparency here would be really powerful for educating the world and also inspiring other engineers to do good. It just feels like when you operate in the shadows it doesn't help us move in the positive direction in terms of like getting more people on the defense side versus on the attack side.
Starting point is 00:30:49 But of course, what can you do? I mean, the best you can possibly do is have great journalists, just like you did interview and write books about it, and integrate the information you get while hiding the sources. Yeah. And I think, you know, what hacker one has told me was, okay, let's just put away the people that are finding and developing zero-dexplates all day long. Let's put that aside.
Starting point is 00:31:14 What about the, you know, however many millions of programmers all over the world who've never even heard of a zero-dexplate? Why not tap into them and say, hey, we'll start paying you if you can find a bug in United Airlines software or in Schneider Electric or in Ford or Tesla. And I think that is a really smart approach. Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them. Okay, I have to ask you about this
Starting point is 00:31:51 From a personal side of it's funny enough after we agreed to talk I've gotten for the first time in my life was a victim of a cyber attack So this is ransomware. It's called deadbolt people can look it up was a victim of a cyber attack. So this is ransomware, it's called deadbolt. People can look it up. I have a QNAP device for basically kind of cold-ish storage. So it's about 60 terabytes with 50 terabytes of data on it in RAID 5.
Starting point is 00:32:20 And apparently about four to 5,000 QNAP devices were hacked and taken over with this ransomware. And what ransomware does there is it goes file by file, almost all the files on the QNAP storage device and encrypts them. And then there's this very eloquently and politely written page that pops up, it describes what happened. All your files have been encrypted. This includes, but is not limited to photos, documents, and spreadsheets. Why me? This is a lot of people commented about how friendly and eloquent this is. And I have to commend them.
Starting point is 00:33:00 It is, and it's pretty user friendly. Why me? This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor, QNAP. What now? You can make a payment of exactly 0.03 Bitcoin, which is about $1,000 to the following address. Once the payment has been made, we'll follow up with transaction to the same address, blah, blah, blah. They give you instructions of what happens next and they'll give you a decryption key that you can then use. And then there's another message for QNAP that says, all your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this and future damage.
Starting point is 00:33:47 One, make a Bitcoin payment of five Bitcoin to the following address, and that will reveal to QNAP the, I'm summarizing things here, what the actual vulnerability is, or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers. 50 Bitcoin is about $1.8 million. Okay. So, first of all, on a personal level, this one hurt for me. There's, I mean, I learned a lot because I wasn't, for the most part, backing up much of that data because I thought I can afford to lose that data. It's not like horrible. I mean, I think you've spoken about the crown
Starting point is 00:34:34 jewels, like making sure there's things you really protect. And I have thing, I have, you know, I'm very conscious security wise on the crown jewels. But there's a bunch of stuff like, you know, personal videos, they're not, like, I don't know anything creepy, but just like fun things I did that because they're very large or 4K or something like that, I kept them on there, thinking raid 5 will protect it. You know, just I lost a bunch of stuff, including raw footage from interviews and all that kind of stuff. So it's painful. And I'm sure there's a lot of painful stuff like that for the four to five thousand people that use QNAP. And there's a lot of interesting ethical
Starting point is 00:35:16 questions here. Do you pay them? Does QNAP pay them? Do the individuals pay them? Especially when you don't know if it's going to work or not. Do you wait? So, QNAP said that, please don't pay them. We're working very hard day and night to solve this. It's so philosophical and interesting to me because I also project onto them thinking, what is their motivation? Because the way they phrase that on purpose, perhaps, but I'm not sure if that actually reflects their real motivation is maybe they're trying to help themselves sleep at night,
Starting point is 00:35:58 basically saying, this is not about you. This is about the company, with the vulnerability. It's just like you mentioned, this is the justification they have, but they're hurting real people. They hurt me, but I'm sure there's a few others that are really hurt. And the zero day factor is a big one. That their QNAP right now is trying to figure out what the hell is wrong with their system that would let this in. And even if they pay, if they still don't know where the zero day is, what's to say that they won't just hit them again and hit you again.
Starting point is 00:36:33 So that really complicates things. And that is a huge advancement for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit zero days to pull these off. Usually 80% of them, I think the data shows 80% of them come down to a lack of two factor authentication. So when someone gets hit by a ransomware attack, they don't have two factor authentication on.
Starting point is 00:37:03 Their employees were using stupid passwords. Like, you can mitigate that in the future. This one, they don't know. They probably don't know. Yeah, and it was, I guess it's zero click, because I didn't have to do anything. The only thing, well, here's the thing. I did basics of, I put it behind a firewall.
Starting point is 00:37:25 I follow instructions, but like I wasn't, I didn't really pay attention. So maybe there's like, maybe there's a misconfiguration of some sort that's easy to make. It's difficult. We have a personal NAS. So I don't, I'm not willing to sort of say that I did everything I possibly could.
Starting point is 00:37:46 But I did a lot of reasonable stuff and they still hit it with zero clicks. I didn't have to do anything. Yeah, well, it's like a zero day and it's a supply chain attack. You're getting hit from your supplier. You're getting hit because of your vendor. It's also a new thing for ransomware groups to go to the individuals to pressure them to pay. There was this really interesting case. I think it was Norway where there was a mental health clinic that got hit. And the cybercriminals were going to the patients themselves to say,
Starting point is 00:38:19 pay this or we're going to release your psychiatric records. I mean, talk about hell. In terms of whether to pay, you know, that is on the cheaper end of the spectrum. From the individual, from the company. Both. You know, we've seen, for instance, there was an Apple supplier in Taiwan. They got hit and the ransom demand was 50 million. I'm surprised it's only 1.8 million, I'm sure it's going to go up. And it's hard.
Starting point is 00:38:52 There's obviously governments, and maybe in this case the company, are going to tell you, we recommend you don't pay or please don't pay. But the reality on the ground is that some businesses can't operate. Some countries can't function. I mean, the under-reported storyline of Colonial Pipeline was after the company got hit and took the preemptive step of shutting down the pipeline because their billing systems were frozen. They couldn't charge customers downstream.
Starting point is 00:39:26 My colleague David Sanger and I got our hands on a classified assessment that said that as a country, we could have only afforded two to three more days of Colonial Pipeline being down. And it was really interesting. I thought it was the gas and the jet fuel, but it wasn't. You know, we were sort of prepared for that. It was the diesel.
Starting point is 00:39:48 Without the diesel, the refineries couldn't function. It would have totally screwed up the economy. There was almost this national security, economic impetus for them to pay this ransom. The other one I always think about is Baltimore. You know, when the city of Baltimore got hit, I think the initial ransom demand was something around 76,000. It may have even started smaller than that. And Baltimore stood its ground and didn't pay, but ultimately the cost to remediate was $18 million.
Starting point is 00:40:23 It's a lot for the city of Baltimore. That's money that could have gone to public school education and roads and public health. And instead, it just went to rebuilding the systems from scratch. And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000? So it's not obvious. It's easy to say don't pay because why you're
Starting point is 00:40:47 funding their R&D for the next go round. But it's too often, it's too complicated. So on the individual level, just like, you know, the way I feel personally from this attack, have you talked to people that were kind of victims in the same way I was, but maybe more dramatic ways or so on? In the same way that violence hurts people. How much does this hurt people in your sense and the way you researched it? The worst ransomware attack I've covered on a personal level was an attack on a hospital in Vermont. And you know, you think of this
Starting point is 00:41:28 as like, okay, it's hitting their IT networks, they should still be able to treat patients. But it turns out that cancer patients couldn't get their chemo anymore because the protocol of who gets what is very complicated and without it, nurses and doctors can't access it. So they were turning chemo patients away, cancer patients away. One nurse told us, I don't know why people aren't screaming about this. The only thing I've seen that even compares to what we're seeing at this hospital right now was when I worked in the burn unit after the Boston Marathon bombing. You know, they really put it in these super dramatic terms. And last year, there was a report in the Wall Street Journal where they attributed an
Starting point is 00:42:16 infant death to a ransomware attack because a mom came in and whatever device they were using to monitor the fetus wasn't working because of the ransomware attack, and so they attributed this infant death to the ransomware attack. Now on a bigger scale but less personal, when there was the NotPetya attack. So this was an attack by Russia on Ukraine that came at them through a supplier, a tax software company in that case, that didn't just hit any government agency or business in Ukraine that used this tax software. It actually hit any business all over the world that had even a single employee working remotely in
Starting point is 00:43:05 Ukraine. So it merriscs the shipping company but it fyser hit FedEx but the one I will never forget is Merck. It paralyzed Merck's factories. I mean it really created an existential crisis for the company. Merck had to tap into the CDC's emergency supplies of the Gartisill vaccine that year because their whole vaccine production line had been paralyzed in that attack. Imagine if that was going to happen right now to Pfizer or Moderna or Johnson and Johnson, imagine. I mean, that would really create a global cyber terrorist attack, essentially.
Starting point is 00:43:46 And that's almost unintentional. I thought for a long time, I always labeled it as collateral damage. Oh, damage, yeah. But actually, just today, there was a really impressive threat researcher at Cisco, which has the threat intelligence division called TALOS, who said, stop calling it collateral damage. They could see who was going to get hit before they deployed that malware. It wasn't collateral damage. It was intentional.
Starting point is 00:44:18 They meant to hit any business that did business with Ukraine. It was to send a message to them too. So I don't know if that's accurate. I always thought of it as sort of the sloppy collateral damage, but it definitely made me think. So how much of this between states
Starting point is 00:44:36 is going to be a part of war? This kind of these kinds of attacks on Ukraine between Russia and US, Russia and China, China and US. Let's look at China and US. Do you think China and US are going to escalate something that would be called a war purely in the space of cyber. I believe any geopolitical conflict from now on is guaranteed to have some cyber element to it. The Department of Justice recently declassified a report that said China has been hacking into our pipelines, and it's not for intellectual property theft. It's to get a foothold so that
Starting point is 00:45:26 if things escalate in Taiwan, for example, they are where they need to be to shut our pipelines down and we just got a little glimpse of what that looked like with colonial pipeline and the panic buying and the jet fuel shortages and that assessment I just mentioned about the diesel. So they're there. You know, they've got in there. Um, anytime I read a report about new aggression from fighter jets, Chinese fighter jets in Taiwan, or what's happening right now with Russia's buildup on the Ukraine
Starting point is 00:46:00 border, or India, Pakistan, I'm always looking at it through cyber lens and it really bothers me that other people aren't because there is no way that these governments and these nation-states are not going to use their access to gain some advantage in those conflicts. in those conflicts. And I'm now in a position where I'm an advisor to the cybersecurity infrastructure security agency at the DHS. So I'm not saying anything classified here, but I just think that it's really important
Starting point is 00:46:40 to understand just generally what the collateral damage could be for American businesses and critical infrastructure in any of these escalated conflicts around the world. Because just generally, our adversaries have learned that they might never be able to match us in terms of our traditional military spending on traditional weapons and fighter jets. But we have a very soft underbelly when it comes to cyber. 80% or more of America's critical infrastructure. So pipelines, power grid, nuclear plants, water systems is owned and operated by the private sector. And for the most part, there is nothing out there legislating that those companies share the fact they've been breached.
Starting point is 00:47:34 They don't even have to tell the government they've been hit. There's nothing mandating that they even meet a bare minimum standard of cybersecurity. And that's it. So even when there are these attacks most of the time, we don't even know about it. So that is, you know, if you were gonna design a system to be as blind and vulnerable as possible, that's just pretty good.
Starting point is 00:47:59 That's what it looks like is what we have here in the United States. And everyone here is just operating like, let's just keep hooking up everything for convenience. Software eats the world. Let's just keep going for cost, for convenience sake, just because we can. And when you study these issues, and you study these attacks,
Starting point is 00:48:23 and you study the advancement and the uptick and frequency and the lower barrier to entry that we see every single year, you realize just how dumb software eats world is. And no one has ever stopped to pause and think, should we be hooking up these systems to the internet? They've just been saying, can we? Let's do it. And that's a real problem. And this, and just in the last year, you know, we've seen a record number of zero day attacks. I think there were 80 last year, which is probably more than double what it was in 2019. A lot of
Starting point is 00:49:02 those were nation states. You know, we live in a world with a lot of those were nation-states. You know, we live in a world with a lot of geopolitical hot points right now. And where those geopolitical hot points are, are places where countries have been investing, heavily, and offensive cyber tools. If you're a nation-state, the goal would be to maximize the footprint of zero day, like super secret zero day, that nobody is aware of. That whenever war is initiated, the huge negative effects of shutting down infrastructure or any kind of zero day is the chaos it creates.
Starting point is 00:49:41 So if you just, there's a certain threshold when you create the chaos, the markets plummet, everything goes to hell. So there- So it's not just zero days. We make it so easy for threat actors. I mean, we're not using two factor authentication. We're not patching. There was the Shellshock vulnerability that was discovered a couple years ago.
Starting point is 00:50:07 It's still being exploited because so many people haven't fixed it. So the zero days are really the sexy stuff, and what really drew me to the zero day market was the moral calculus we talked about. Particularly from the US government's point of view, how do they justify leaving these systems so vulnerable when we use them here, and we're baking more of our critical infrastructure with this vulnerable software? It's not like we're using one set of technology and Russia is using another and China is using this. We're all using the same technology.
Starting point is 00:50:44 So when you find a zero day in Windows, you're not just leaving it open so you can spy on Russia or plant yourself in the Russian grid, you're leaving Americans vulnerable too. But zero days are like, that is the secret sauce. That's the superpower. And I always say like every country now with the
Starting point is 00:51:07 exception of Antarctica, someone added the Vatican to my list, is trying to find offensive hacking tools and zero days to make them work. And those that don't have the skills now have this market that they can tap into, where $2.5 million, that's a chunk change for a lot of these nation states. It's a hell of a lot less than trying to build the next fighter jet. But yeah, the goal is chaos. I mean, why did Russia turn off the lights twice in Ukraine? You know, I think part of it is chaos. I think part of it is to sow the seeds of doubt in their current government. Your government can't even keep your lights on. Why are you sticking with them? Come over here and we'll keep your lights on at least. There's a little bit of that.
Starting point is 00:51:57 Nuclear weapons seems to have helped prevent nuclear war. Is it possible that we have so many vulnerabilities and so many attack vectors on each other that it will kind of achieve the same kind of equilibrium like mutually shared destruction? Yeah. That's one hopeful solution to this. Do you have any hope for this particular solution? You know, nuclear analogies always tend to fall apart when it comes to cyber, mainly because
Starting point is 00:52:28 you don't need fissile material. You know, you just need a laptop and the skills and you're in the game. So it's a really low barrier to entry. The other thing is attributions harder. And we've seen countries muck around with attribution. We've seen, you know, nation states piggyback on other countries spy operations and just sit there and siphon out whatever they're getting. We've learned some of that from the Snowden documents.
Starting point is 00:52:55 We've seen Russia hack into Iran's command and control attack servers. We've seen them hit a Saudi petrochemical plant where they did neutralize the safety locks at the plant, and everyone assumed that it was Iran given Iran had been targeting Saudi oil companies forever, but nope, turned out that it was a graduate research institute outside Moscow. So you see countries kind of playing around with attribution. Why? I think because they think, okay, if I do this, like, how am I gonna cover up that it came from me because I don't wanna risk the response? So people are sort of dancing around this. It's just in a very different way. And, you know, at the Times, I'd covered the Chinese hacks of infrastructure companies
Starting point is 00:53:40 like pipelines. I'd covered the Russian probes of nuclear plants. I'd covered the Russian attacks on the Ukraine grid. And then in 2018, my colleague David Sanger and I covered the fact that US cyber command had been hacking into the Russian grid and making a pretty loud show of it. And when we went to the National Security Council, because that's what journalists do before they publish a story, they give the other side a chance to respond, I assumed we would be in for that really awkward, painful conversation where they would say, you will
Starting point is 00:54:16 have blood on your hands if you publish the story. And instead, they gave us the opposite answer. They said, we have no problem with you publishing this story. Why? Well, they didn't say it out loud, but it was pretty obvious they wanted Russia to know that we're hacking into their power grid too, and they better think twice before they do to us what they had done to Ukraine. So yeah, you know, we have stumbled into this new era of mutually assured digital destruction. Um, I think another sort of quasi norm we've, uh, stumbled into is proportional responses. You know, there's this idea that if you get hit, you're allowed to respond proportionally at a time and place of your choosing, you know, that is how the language always goes.
Starting point is 00:55:07 That's what Obama said after North Korea hit Sony. We will respond at a time and place of our choosing. But no one really knows what that response looks like. And so what you see a lot of the time, it's just these like just short of war attacks. You know, Russia turned off the power in Ukraine, but it wasn't like it stayed off for a week. You know, it stayed off for a number of hours. You know, NotPetya hit those companies pretty hard, but no one died. You know, and the question is, what's going to happen when someone dies? And can a nation-state
Starting point is 00:55:46 masquerade as a cyber criminal group, as a ransomware group? And that's what really complicates coming to some sort of digital Geneva convention. Like, there's been a push from Brad Smith at Microsoft. We need a digital Geneva convention. And on its face, it sounds like a no-brainer. Yeah. Why wouldn't we all agree to stop hacking into each other's civilian hospital systems, elections, power grid, pipelines? But when you talk to people in the West, officials in the West, they'll say, we would never, we'd love to agree to it, but we'd never do it when you're dealing with
Starting point is 00:56:26 she or Putin or Kim Jong Un. Because a lot of times they outsource these operations to cyber criminals. In China, we see a lot of these attacks come from this loose satellite network of private citizens that work at the behest of the Ministry of State Security. So how do you come to some sort of state-to-state agreement when you're dealing with transnational actors and cyber criminals, where it's really hard to pin down whether that person was acting
Starting point is 00:56:59 alone or whether they were acting at the behest of the MSS or the FSB. And a couple of years ago, I can't remember if it was before after not pet ya, but Putin said, hackers are like artists who wake up in the morning in a good mood and start painting. In other words, I have no say over what they do or don't do. So how do you come to some kind of norm when that's how he's talking about these issues and he's just decimated Merck and Pfizer and another, however many thousand companies?
Starting point is 00:57:33 That is the fundamental difference between nuclear weapons and cyber attacks, is the attribution, or one of the fundamental differences. If you can fix one thing in the world, in terms of the cybersecurity, that would make the world a better place. What would you fix? So you're not allowed to fix like authoritarian regimes. Right. You have to keep that. You have to keep human nature as it is. In terms of on the security side, technologically speaking, you mentioned there's no regulation on companies in the States. What if you could just fix, well, the snap of a finger, what would you fix?
Starting point is 00:58:14 Two factor authentication, multifactor authentication. It's ridiculous how many of these attacks come in because someone didn't turn on multifactor authentication. I mean, Colonial Pipeline, okay. They took down the biggest conduit for gas, jet fuel, and diesel to the east coast of the United States of America, how? Because they forgot to deactivate an old employee account whose password had been traded on the dark web, and they'd never turned on two-factor authentication.
Starting point is 00:58:47 This water treatment facility outside Florida was hacked last year. How did it happen? They were using Windows XP from like a decade ago that can't even get patches if you want it to, and they didn't have two-factor authentication. Time and time again, if they had just switched on two-factor authentication, some of these attacks wouldn't have been possible. Now if I could snap my fingers, that's the thing I would do right now. But of course, you know, this is a cat and mouse game and then the attacker's on to the next thing. But I think right now that is like bar none. That is just that is the easiest
Starting point is 00:59:22 simplest way to deflect the most attacks. And you know, the name of the game right now isn't perfect security. Perfect security is impossible. They will always find a way in. The name of the game right now is make yourself a little bit harder to attack than your competitor than anyone else out there so that they just give up and move along. And maybe if you are a target for an advanced nation state, or the SVR, you're going to get hacked no matter what. But you can make cyber criminal groups, deadbolt, you can make their jobs a lot harder, simply
Starting point is 01:00:00 by doing the bare basics. And the other thing is stop reusing your passwords. But if I only get one, then two factor authentication. So what is two factor authentication? Factor one is what logging in with a password. Factor two is like having another device or another channel through which you can confirm, yeah, that's me.
Starting point is 01:00:18 Yes, you know, usually this happens through some kind of text. You know, you get your one time code from Bank of America or from Google. And the better way to do it is spend $20 buying yourself a FIDO key on Amazon. That's a hardware device. And if you don't have that hardware device with you, then you're not going to get in. And the whole goal is, I mean, basically, you know, my first half of my decade at the Times was spent covering like the copy. It's like, Home Depot got breached, news at 11, you know, Target, Neiman Marcus, like
Starting point is 01:00:53 who wasn't hacked over the course of those five years. And a lot of those companies that got hacked, what did hackers take? They took the credentials, they took the passwords. They can make a pretty penny selling them on the dark web and people reuse their passwords. So you get one from, you know, God knows who, I don't know, last pass, worst case example, actually last pass, but you get one, and then you go test it on their email account, and you go test it on their brokerage account, and you test it on their cold storage account.
Starting point is 01:01:27 That's how it works. But if you have multifactor authentication, then they can't get in because they might have your password, but they don't have your phone, they don't have your FIDO key. So you keep them out. I get a lot of alerts that tell me someone is trying to get into your Instagram account or your Twitter account or your email account. And I don't worry because I use multi-factor authentication. They can try all day. Okay, worry a little bit, but you know, it's the simplest thing to do and we don't even do it. Well, there's an interface aspect to it because it's pretty annoying if it's implemented poorly.
Starting point is 01:02:08 Yeah. So actually bad implementation of two-factor authentication, not just bad, but just something that adds friction, is a security vulnerability, I guess, because it's really annoying. I think MIT for a while had two-factor authentication. It was really annoying. The number of times it pings you, it asks to re-authenticate across multiple subdomains. It just feels like a pain. I don't know what the right balance there is. It feels like friction in our frictionless society. It feels like friction. It's annoying.
Starting point is 01:02:50 That's security's biggest problem. It's annoying. We need the Steve Jobs of security to come along and we need to make it painless. Actually, on that point, Apple has probably done more for security than anyone else, simply by introducing biometric authentication first with the fingerprint and then with Face ID. And it's not perfect, but, you know, if you think just eight years ago, everyone was running around with either no passcode and optional passcode or four digit passcode on their phone
Starting point is 01:03:22 that anyone, you know, think of what you can get when you get someone's iPhone if you steal someone's iPhone. And props to them for introducing the fingerprint and face ID and again, it wasn't perfect, but it was a huge step forward. Now it's time to make another huge step forward. I want to see the password die. I mean, it's gotten us as far as it was ever going to get us.
Starting point is 01:03:45 And I hope whatever we come up with next is not going to be annoying. It's going to be seamless. When I was at Google, that's what we worked on. There's a lot of ways to call this, active authentication, passive authentication. So basically, you use biometric data, not just like a fingerprint, but everything from your body to identify who you are, like movement patterns. So basically create a lot of layers of protection where it's very difficult to fake, including like face unlock, checking that it's your actual face, like the liveness tests. So like from video, so unlocking it with video, voice, the way
Starting point is 01:04:27 you move the phone, the way you take it out of the pocket, that kind of thing. All of those factors, it's a really hard problem though. And ultimately, it's very difficult to beat the password during the security. Well, there's a company that I actually will call out and that's abnormal security, so they work on email attacks. It was started by a couple guys who were doing, I think, AdTech at Twitter. So, you know, AdTech, now, it's a joke how much they know about us. You always hear the conspiracy theories that you saw someone choose, and next thing you know, it's a joke how much they know about us. You always hear the conspiracy theories that you saw someone choose and next thing you know,
Starting point is 01:05:08 it's on your phone. It's amazing what they know about you. And they're basically taking that and they're applying it to attacks. So they're saying, okay, you know, this is what your email patterns are. It might be different for you and me because we're emailing strangers all the time. But for most people, their email patterns are pretty predictable. And if something strays from that pattern, that's abnormal.
Starting point is 01:05:37 And they'll block it, they'll investigate it. You know, and that's great. You know, let's start using that kind of targeted ad technology to protect people. And yeah, I mean, it's not going to get us away from the password and using multi-factor authentication, but the technology is out there. We just have to figure out how to use it in a really seamless way because it doesn't matter if you have the perfect security solution if no one uses it.
Starting point is 01:06:07 I mean, when I started at the Times, when I was trying to be really good about protecting sources, I was trying to use PGP encryption and it's like, it didn't work. You know, the number of mistakes I would probably make just trying to email someone with PGP just wasn't worth it. And then Signal came along, and Signal, Wickr, they made it a lot easier to send someone an encrypted text message. So we have to start investing in creative minds, in good security design. I really think that's the hack
Starting point is 01:06:45 that's gonna get us out of where we are today. What about social engineering? Do you worry about this sort of hacking people? Yes, I mean, this is the worst nightmare of every chief information security officer out there. You know, social engineering, we work from home now. I saw this woman posted online about how her husband, it went viral today, but it was her husband had this problem at work.
Starting point is 01:07:19 They hired a guy named John and now the guy that shows up for work every day doesn't act like John. I mean, think about that. Like think about the potential for social engineering in that context. You apply for a job and you put on a pretty face, you hire an actor or something and then you just get inside the organization and get access to all that organization's data. A couple of years ago, Saudi Arabia planted spies inside Twitter. Why? Probably because they were trying to figure out who these people were, who were criticizing the regime on Twitter. They couldn't do it with a hack from the outside, so why not plant people on the inside?
Starting point is 01:08:01 And that's like the worst nightmare. And it also, unfortunately, creates all kinds of xenophobia and a lot of these organizations. I mean, if you're going to have to take that into consideration, then organizations are going to start looking really skeptically and suspiciously at someone who applies for that job from China. And we've seen that go really badly at places like the Department of Commerce, where they basically accuse people of being spies that aren't spies. So it is the hardest
Starting point is 01:08:32 problem to solve. And it's never been harder to solve than right at this very moment when there's so much pressure for companies to let people work remotely. That's actually why I'm single. I'm suspicious. China and Russia. Every time I meet somebody, are trying to plant, get inside their information. So I'm very, very suspicious. I keep putting the touring test in front. No.
Starting point is 01:08:57 No, I have a friend who worked inside NSA and was one of their top hackers. And he's like, every time I go to Russia, I get hit on by these tens. And I come home, my friends are like, I'm sorry, you're not a 10. Like, yeah, yeah, yeah. The common story.
Starting point is 01:09:16 I mean, it's difficult to trust humans in this day and age online, you know, because, so, we're working remotely. That's one thing. But just interacting with people on the internet, sounds ridiculous. But you know, I've, because of this podcast in part, it's gotten me some incredible people. But it, you know, it makes you nervous to trust folks. And I don't know how to solve that problem. So I'm talking with Mark Zuckerberg who dreams about creating the metaverse. What do you do about that world where more and more of our lives are in the digital sphere? Like one way to phrase it is most of our meaningful experiences at some point will be online.
Starting point is 01:10:10 Like falling in love, getting a job, or experiencing a moment of happiness with a friend, with a new friend made online, all of those things. Like more and more, the fun we do, the things that make us love life will happen online. And if those things have an avatar that's digital, that's like a way to hack into people's minds, whether it's with AI or kind of troll farms or something like that. I don't know if there's a way to protect against that. That might fundamentally rely on our faith in how good human nature is. So if most people are good, we're going to be okay. But if people will tend towards manipulation and on level of behavior in search of power,
Starting point is 01:11:02 then we're screwed. So I don't know if you can comment on how to keep the metaverse secure. Yeah, I mean, I, all I thought about when you were talking just now, it's my three-year-old son. Yeah. Yeah, he asked me the other day, what's the internet, mom? And I just almost wanted to cry. You know, I don't want that for him. I don't want all of his most meaningful experiences to be online. You know, by the time that happens, how do you know that person's human, that avatar's human? You know, I believe in free
Starting point is 01:11:42 speech. I don't believe in free speech for robots and bots. And like, look what just happened over the last six years. We had bots pretending to be Black Lives Matter activists just to sow some division, or Texas secessionists, or organizing anti-Hillary protests, or just to sow more division in our own politics so that we're so paralyzed, we can't get anything done, we can't make any progress, and we definitely can't handle our adversaries. And they're long-term thinking. It really scares me. And here's where I just come back to just because we can create the metaverse, you know, just because it sounds like the next logical step in our digital revolution. I don't really want my child's most significant moments to be online. They weren't for me. So maybe I'm just stuck in that old school thinking, or maybe I've seen too much.
Starting point is 01:12:53 And I'm really sick of being the guinea pig parent generation for these things. I mean, it's hard enough with screen time, like thinking about how to manage the metaverse as a parent to a young boy, like, I can't even let my head go there. That's so terrifying for me. But we've never stopped any new technology just because it introduces risks. We've always said, okay, the promise of this technology means we should keep going, keep pressing ahead. We just need to figure out new ways to manage that risk. And that's the blockchain right now. Like, when I was covering all of these ransomware attacks, I thought, okay, this is going to be it for cryptocurrency.
Starting point is 01:13:47 You know, governments are going to put the kibosh down. They're going to put the hammer down and say enough is enough. Like, we have to put this genie back in the bottle because it's enabled ransomware. I mean, five years ago, they would hijack your PC and they'd say, go to the local pharmacy, get an eGift card and tell us what the PIN is and then we'll get your $200. Now it's pay us, you know, five Bitcoin. And so there's no doubt cryptocurrency's enabled ransomware attacks, but after the Colonial Pipeline ransom was seized, because the FBI was actually able to go in and claw some of it back from DarkSide,
Starting point is 01:14:27 which was the ransomware group that hit it. And I spoke to these guys at TRM Labs. So they're one of these blockchain intelligence companies. And a lot of people that work there used to work at the Treasury. And what they said to me was, yeah, cryptocurrency has enabled ransomware. But to track down that ransom payment would have taken, you know, if we were dealing with
Starting point is 01:14:52 fiat currency, would have taken us years to get to that one bank account at the, or belonging to that one front company in the Seychelles. And now, thanks to the blockchain, we can track the movement of those funds in real time. And you know what? You know, these payments are not as anonymous as people think. Like we still can use our old hacking ways and zero-days and, you know, old school intelligence methods to find out who owns that private wallet and how to get to it. So it's a curse in some ways in that it's an
Starting point is 01:15:26 enabler, but it's also a blessing. And they said that same thing to me that I just said to you. They said, we've never shut down a promising new technology because it introduced risk. We just figured out how to manage that risk. And I think that's where the conversation unfortunately has to go is how do we in the metaverse use technology to fix things. So maybe we'll finally be able to, not finally, but figure out a way to solve the identity problem on the internet, meaning like a blue check mark for actual human and connected to identity like a fingerprint so you can prove you're you, and yet do it in a way that doesn't involve the company having all your data. So giving you, allowing you to maintain control over your data, or if
Starting point is 01:16:21 you don't, then there's a complete transparency of how that data is being used, all those kinds of things. And maybe as you educate more and more people, they would demand in a capitalist society that the companies that they give their data to will respect that data. Yeah. I mean, there is this company, and I hope they succeed. They're named Piiano. And they want to create a vault
Starting point is 01:16:49 for your personal information inside every organization. And ultimately, if I'm going to call Delta Airlines to book a flight, they don't need to know my social security number, they don't need to know my birth date. They're just going to send me a one-time token to my phone. My phone's going to say, or my, you know, FIDO key is going to say, yep, it's her. And then we're going to talk about my identity like a token, you know, some random token. They don't need to know exactly who I am. They just need to know,
Starting point is 01:17:19 I am, you know, the system trusts that I am who I say I am, but they don't get access to my PII data. They don't get access to my social security number, my location, or the fact I'm a Times journalist. I think that's the way the world's going to go. We've had enough, enough is enough on sort of losing our personal information everywhere, letting data marketing companies track our every move, they don't need to know who I am.
Starting point is 01:17:49 Okay, I get it. We're stuck in this world where the internet runs on ads. So ads are not going to go away, but they don't need to know I'm Nicole Perlroth. They can know that I'm token number, you know, X567. And they can let you know what they know and give you control about removing the things they know. Yeah, right, to be forgotten. To me, you should be able to walk away
Starting point is 01:18:16 with a single press of a button. And I also believe that most people, given the choice to walk away, won't walk away. They'll just feel better about having the option to walk away. When they understand the tradeoffs, if you walk away, you're not going to get some of the personalized experiences that you would otherwise get, like a personalized feed and all those kinds of things. But the freedom to walk away is, I think, really powerful. And obviously what you're saying, it's definitely, there's all
Starting point is 01:18:46 of these HTML forms. We have to enter our phone number and email and private information for Delta, every single airline, New York Times. I have so many opinions on this, just the friction and the sign up and all those kinds of things. I should be able to, this has to do with everything. This has to do with payment too, as the payment should be trivial. It should be one click, and one click to unsubscribe and subscribe. And one click to provide all of your information that's necessary for the subscription service, for the transaction service, whatever that is, getting a ticket, as opposed to I have all of these fake phone numbers and emails that I use and I'll just sign out because, you know, you never
Starting point is 01:19:29 know if one side is hacked, then it's just going to propagate to everything else. Yeah. And you know, there's low hanging fruit and I hope Congress does something and frankly, I think it's negligent they haven't on the fact that elderly people are getting spammed to death on their phones these days with fake car warranty scams. And I mean, my dad was in the hospital last year and I was in the hospital room and his phone kept buzzing. And I look at it and it's just spam attack after spam attack. People non-stop calling about its freaking car warranty. Why? They're trying to get a social security number. They're trying to get our PII. They're trying to get this information. We need to figure
Starting point is 01:20:20 out how to put those people in jail for life. And we need to figure out why in the hell we are being required or asked to hand over our social security number and our home address and our past more, you know, all of that information to every retailer who asks. I mean, that's insanity. And there's no question. They're not protecting it because it keeps showing up in, you know, spam or identity theft or credit card theft doors. Well, spam is getting better and maybe I need to, as a side note, make a public announcement. Please clip this out, which is if you get an email or a message from Lex Fridman saying how much I, Lex, you know, appreciate you and love you and so on and please connect with me on my WhatsApp number and I will give you Bitcoin or something like that.
Starting point is 01:21:22 Please do not click and I, I'm aware that there's a lot of this going on, a very large amount, I can't do anything about it. This is on every single platform, it's happening more and more and more, which I've been recently informed that they're now emailing. So it's cross platform. They're taking people's, there's somehow, this is fascinating to me,
Starting point is 01:21:46 because they are taking people who comment on various social platforms, and they somehow reverse engineer, they figure out what their email is, and they send an email to that person saying from Lex Fridman, and it's like a heartfelt email with links. It's fascinating because it's cross platform now. It's not just a spam
Starting point is 01:22:08 bot that's messaging us in a comment and in reply. They are saying, okay, this person cares about this other person on social media, so I'm going to find another channel, which in their mind probably increases, and it does, the likelihood that they'll get the people to click, and they do. I don't know what to do about that. It makes me really, really sad, especially with podcasting, there's an intimacy that people feel connected and they get really excited. Okay, cool. I want to talk to Lex and they click and like I get angry at the people that do this. I mean, you're, it's like the John who gets hired, the fake employee.
Starting point is 01:22:55 I mean, I don't know what to do about that. I mean, I suppose that's the, I suppose the solution is education. It's telling people to be skeptical on the stuff they click. That's the balance with the technology solution of creating maybe like two factor authentication and maybe helping identify things that are likely to be spam. I don't know. But then the machine learning there is tricky because you don't want to add a lot of extra friction that just annoys people because they'll turn it off, because you have the accept cookies thing, right? That everybody has to click on, so now they completely ignore the accept cookies. It's very difficult to find that frictionless security. You mentioned Snowden. You've talked about looking through the NSA documents he leaked
Starting point is 01:23:48 and doing the hard work of that. What do you make of Edward Snowden? What have you learned from those documents? What do you think of him? In the long arc of history, is Edward Snowden a hero or a villain? I think he's neither. I have really complicated feelings about Edward Snowden. On the one end, I'm a journalist at heart, and more transparency is good. And I'm grateful for the conversations that we had in the post-Snowden era about the limits to surveillance and how
Starting point is 01:24:30 critical privacy is. And when you have no transparency and you don't really know in that case what our secret courts were doing, how can you truly believe that our country is taking our civil liberties seriously? So, on the one hand I'm grateful that he cracked open these debates. On the other hand, when I walked into the storage closet of classified NSA secrets, I had just spent two years covering Chinese cyber espionage almost every day and this sort of advancement of Russian attacks that were just getting worse and worse and more destructive. And there were no limits to Chinese cyber espionage and Chinese surveillance of its own citizens. And there seemed to be no limit to what Russia was willing to do in terms of cyber attacks and also in some cases assassinating journalists.
Starting point is 01:25:40 So when I walked into that room, there was a part of me quite honestly that was relieved to know that the NSA was as good as I hoped they were. And we weren't using that knowledge to, as far as I know, assassinate journalists. We weren't using our access to, you know, take out pharmaceutical companies. For the most part, we were using it for traditional espionage. Now, that set of documents also set me on the journey of my book, because to me, the American people's reaction to the Snowden documents was a little bit misplaced. They were upset about the phone call metadata collection program.
Starting point is 01:26:33 Angela Merkel, I think rightfully, was upset that we were hacking her cell phone. But in sort of the spy-eat-spy world, hacking world leaders' cell phones is pretty much what most spy agencies do. And there wasn't a lot that I saw in those documents that was beyond what I thought a spy agency does. And I think if there was another 9/11 tomorrow, God forbid, we would all say, how did the NSA miss this? Why weren't they spying on those terrorists? Why weren't they spying on those world leaders? You know, there's some of that too.
Starting point is 01:27:12 But I think that there was great damage done to the US's reputation. I think we really lost our halo in terms of a protector of civil liberties. And I think a lot of what was reported was unfortunately reported in a vacuum. That was my biggest gripe, that we were always reporting the NSA has this program, and here's what it does, and the NSA is in Angela Merkel's cell phone and the NSA can do this, and no one was saying, and by the way, China has been hacking into our pipelines and they've been making off
Starting point is 01:28:00 with all of our intellectual property and Russia has been hacking into our energy infrastructure. And they've been using the same methods to spy on, track and in many cases kill their own journalists, and the Saudis have been doing this to their own critics and dissidents. And so you can't talk about any of these countries in isolation. It is really like spy-eat-spy out there. And so I just have complicated feelings. You know, and the other thing is, and I'm sorry, it's a little bit of a tangent, but the amount of documents that we had, like thousands of documents, most of which were just crap,
Starting point is 01:28:40 but had people's names on them. You know, part of me wishes that those documents had been released in a much more targeted, limited way. It's just a lot of it just felt like a PowerPoint that was taken out of context. And you just sort of wish that there had been a little bit more thought into what was released because I think a lot of the impact from Snowden was just the volume of the reporting. But I think, you know, based on what I saw personally, there was a lot of stuff that I just, I don't know why that particular thing got released. As a whistleblower, what's the better way to do it? Because I mean, there's fear, there's,
Starting point is 01:29:29 it takes a lot of effort to do a more targeted release. You know, if there's proper channels, you're afraid that those channels would be manipulated, like, who do you trust? Mm-hmm. What's the better way to do this, do you think? As a journalist, this is almost like a journalistic question. Reveal some fundamental flaw in the system without destroying the system. I bring up, you know, again, Mark Zuckerberg and Meta, there was a whistleblower
Starting point is 01:29:56 that came out about Instagram and internal studies. And I'm also torn about how to feel about that whistleblower. Because from a company perspective that's an open culture, how can you operate successfully if you have an open culture where any whistleblower can come out, out of context, take a study, whether it represents the larger context or not. And the press eats it up. And then that creates a narrative that is just like with the NSA, you said, it's out of context, very targeted to where, well, Facebook is evil clearly because of this one leak. It's really hard to know what to do there because we're now in a society that deeply distrusts institutions. And so narratives by whistleblowers make that whistleblower
Starting point is 01:30:48 and therefore the coming book very popular. And so there's a huge incentive to take stuff out of context and to tell stories that don't represent the full context, the full truth. It's hard to know what to do with that because then that forces Facebook, Meta, and governments to be much more conservative, much more secretive. It's like a race to the bottom. I don't know. I don't know if you can comment on any of that, how to be a whistleblower ethically and properly.
Starting point is 01:31:18 I don't know. I mean, these are hard questions. And even for myself, in some ways, I think of my book as sort of blowing the whistle on the underground zero-day market. But it's not like I was in the market myself. It's not like I had access to classified data when I was reporting out that book.
Starting point is 01:31:43 As I say in the book, like, listen, I'm just trying to scrape the surface here so we can have these conversations before it's too late. And, you know, I'm sure there's plenty in there that someone who's, you know, US intelligence agencies' preeminent zero-day broker probably has some voodoo doll of me out there. And you know, you're never going to get it 100%. But I really applaud whistleblowers like, you know, the whistleblower who blew the whistle on the Trump call with Zelensky. I mean, people needed to know about that, that we were basically in some ways blackmailing
Starting point is 01:32:28 an ally to try to influence an election. I mean, they went through the proper channels, they weren't trying to profit off of it, right? There was no book that came out afterwards from that whistleblower. That whistleblower's not like, they went through the channels, they're not living in Moscow. You know, let's put it that way. Can I ask you a question. You mentioned NSA.
Starting point is 01:32:51 One of the things that showed is they're pretty good at what they do. Again, this is a touchy subject, I suppose, but there's a lot of conspiracy theories about intelligence agencies. From your understanding of intelligence agencies, CIA, NSA, and the equivalent in other countries, are they, one question, competent? And two, are they malevolent in any way? Sort of a recent conversation about tobacco companies that kind of see their customers as dupes, like they can just play games with people. Conspiracy theories tell that similar story about intelligence agencies, that they're interested in manipulating the populace for whatever ends the powerful in dark
Starting point is 01:33:54 rooms, cigarette smoke, cigar smoke filled rooms. What's your sense? Do these conspiracy theories have kind of any truth to them or are intelligence agencies for the most part good for society? Okay, well that's an easy one. Is it? No, I think, you know, depends which intelligence agency. Think about the Mossad. They're killing every Iranian nuclear scientist they can over the years. But have they delayed the time horizon before Iran gets the bomb? Yeah. Have they probably staved off terror attacks on their own citizens?
Starting point is 01:34:45 Yeah. You know, none of these, intelligence is intelligence. You know, you can't just say like they're malevolent or they're heroes. You know, everyone I have met in this space is not like the pound your chest patriot that you see on the beach on the 4th of July. A lot of them have complicated feelings about their former employers. Well, at least at the NSA, they reminded me, to do what we were
Starting point is 01:35:22 accused of doing after Snowden, to spy on Americans, you have no idea the amount of red tape and paperwork and bureaucracy it would have taken to do whatever one thinks that we were supposedly doing. But then, you know, we find out in the course of this Snowden reporting about a program called LOVEINT, where a couple of the NSA analysts were using their access to spy on their ex-girlfriends. So, you know, there's an exception to every case. Generally, I will probably get, you know, accused of my Western bias here again, but I think you can almost barely compare some of these Western intelligence agencies to China, for instance.
Starting point is 01:36:19 And the surveillance that they're deploying on the Uyghurs, to the level they're deploying it. And the surveillance they're starting to export abroad with some of the programs like the watering hole attack I mentioned earlier, where it's not just hitting the Uyghurs inside China, it's hitting anyone interested in the Uyghur plight outside China. It could be an American high school student writing a paper on the Uyghurs. They want to spy on that person too. You know, there's no rules in China really limiting the extent of that surveillance. And we all better pay attention to what's happening with the Uyghurs because just as Ukraine has been to Russia in terms of a test kitchen for its cyber attacks, the Uyghurs are China's test kitchen for surveillance.
Starting point is 01:37:11 And there's no doubt in my mind that they're testing them on the Uyghurs. Uyghurs are their Petri dish and eventually they will export that level of surveillance overseas. I mean, in 2015, Obama and Xi Jinping reached a deal where basically the White House said, you better cut it out on intellectual property theft. And so they made this agreement that they would not hack each other for commercial benefit. And for a period of about 18 months, we saw this huge drop off in Chinese cyber attacks
Starting point is 01:37:48 on American companies, but some of them continued. Where do they continue? They continued on aviation companies, on hospitality companies like Marriott. Why? Because that was still considered fair game to China. It wasn't IP theft. They were after it. They wanted to know who was staying in this city at this time when Chinese citizens
Starting point is 01:38:13 were staying there so they could cross match for counterintelligence, who might be a likely Chinese spy. I'm sure we're doing some of that too. Counterintelligence is counterintelligence. It's considered fair game. But where I think it gets evil is when you use it for censorship, you know, to suppress any dissent, to do what I've seen the UAE do to its citizens, where people who've gone on Twitter just to advocate for better voting rights, enfranchisement, suddenly find their passport confiscated. I talked to one critic, Mansoor, and he told me, you might find yourself a terrorist, labeled a terrorist one day, you don't even know how to operate a gun. I mean, he'd been beaten up every time he tried to go somewhere.
Starting point is 01:39:06 His passport had been confiscated by that point. It turned out they'd already hacked into his phone. So they were listening to us talking. They'd hacked into his baby monitor. So they're spying on his child and they stole his car. And then they created a new law that you couldn't criticize the ruling family or the ruling party on Twitter.
Starting point is 01:39:28 And he's been in solitary confinement every day since on hunger strike. So that's evil, you know, that's evil. And we still, we don't do that here, you know, we have rules here. We don't cross that line. So yeah, in some cases, like I won't go to Dubai. You know, I won't go to Abu Dhabi. If I ever want to go to the Maldives, like too bad, like most of the flights go through Dubai. So there's some lines we're not willing to cross, but then again, just like you said, there's individuals within NSA, within CIA, and they may have
Starting point is 01:40:03 power. And to me, there's levels of evil. To me, personally, this is the stuff of conspiracy theories, is the things you've mentioned as evil are more direct attacks. But there's also psychological warfare. So blackmail. So what does spying allow you to do? Allow you to collect information if you have something that's embarrassing, or if you have, like, the Jeffrey Epstein conspiracy theories active, what is it? Manufacture of embarrassing things
Starting point is 01:40:37 and then use blackmail to manipulate the population or all the powerful people involved. It troubles me deeply that MIT allowed somebody like Jeffrey Epstein in their midst, especially some of the scientists I admire that they would hang out with that person at all. And so, you know, I'll talk about it sometimes. And then a lot of people tell me, well, obviously, Jeffrey Epstein is a front for intelligence. And I just, I struggled to see that level of competence and malevolence.
Starting point is 01:41:12 But, you know, who the hell am I? And I guess I was trying to get to that point. You said that there is bureaucracy and so on, which makes some of these things very difficult. I wonder how much malevolence, how much competence there is in these institutions. Like, this takes us back to the hacking question. How far are people willing to go if they have the power? This has to do with social engineering, this has to do with hacking, this has to do with manipulating people, attacking people, doing evil onto people,
Starting point is 01:41:46 psychological warfare and stuff like that. I don't know. I believe that most people are good. And I don't think that's possible. In a free society, there's something that happens when you have a centralized government where power corrupts over time and you start surveillance programs
Starting point is 01:42:07 kind of, it's like a slippery slope that over time starts to both use fear and direct manipulation to control the populace. But in a free society, I just, it's difficult for me to imagine that you can have like, something like a Jeffrey Epstein, you know, front for intelligence. I don't know what I'm asking you, but I'm just, um, I have a hope that for the most part intelligence agencies are trying to do good and are actually doing good for the world, when you view it in the full context of the complexities of the world.
Starting point is 01:42:50 But then again, if they're not, would we know? That's why I don't know it and it might be a good thing. Let me ask you a personal question. You have investigated some of the most powerful organizations and people in the world of cyber warfare, cyber security. Are you ever afraid for your own life, your own well-being, digital or physical? I mean, I've had my moments, you know, I've had our security team at the Times call me at one point and say someone's on the dark web offering money to anyone who can hack your phone or your laptop. I described in my book how when I was at that hacking conference in Argentina, I came back and I brought a burner laptop with me, but I'd kept it in the safe anyway and it didn't have anything on it, but someone had broken in and it was moved.
Starting point is 01:43:45 I've had all sorts of scary moments. Then I've had moments where I think I went just way too far into the paranoid side. I remember writing about the Times hack by China. I just covered a number of Chinese cyber attacks where they'd gotten into the thermostat at someone's corporate apartment, and they got it into all sorts of stuff. And I was living by myself.
Starting point is 01:44:16 I was single in San Francisco, and my cable box on my television started making some weird noises in the middle of the night. And I got up and I ripped it out of the wall and I think I said something embarrassing like, look, you, China, you know. And then I went back to bed and I woke up and like it's like beautiful morning light. I mean, I'll never forget it. Like this is like glimmering morning light is shining on my cable box, which has now been ripped out and is sitting on my floor in like the morning light. And I was just like, no, no, no, like I'm not going down that road. Like you basically, I came
Starting point is 01:44:58 to a road, you know, a fork in the road where I could either go full tin foil hat, go live off the grid, never have a car with navigation, never use Google Maps, never own an iPhone, never order diapers off Amazon, you know, create an alias, or I could just do the best I can and live in this new digital world we're living in. And what does that look like for me? I mean, what are my crown jewels? This is what I tell people. What are your crown jewels?
Starting point is 01:45:31 Because just focus on that. You can't protect everything, but you can protect your crown jewels. For me, for the longest time, my crown jewels were my sources. I was nothing without my sources. So I had some sources I would meet at the same dim sum place, or maybe it was a different restaurant, on the same date, you know, every quarter, and we would
Starting point is 01:45:56 never drive there. We would never Uber there. We wouldn't bring any devices. I could bring a pencil and a notepad. And if someone wasn't in town, like there are a couple times where I'd show up and the source never came. But we never communicated digitally. And those were the lengths I was willing to go to protect that source. But you can't do it for everyone.
Starting point is 01:46:18 So for everyone else, you know, it was Signal, using two-factor authentication, you know, keeping my devices up to date, not clicking on phishing emails, using a password manager, all the things that we know we're supposed to do. And that's what I tell everyone, like don't go crazy because then that's like the ultimate hack,
Starting point is 01:46:38 then they have hacked your mind, whoever they is for you. But just do the best you can. Now, my whole risk model changed when I had a kid. You know, now it's, oh God. You know, if anyone threatened my family, God help them. But it changes you. And, you know, unfortunately, there are some things like I was really scared to go deep on, like Russian cybercrime, you know, like Putin himself, you know.
Starting point is 01:47:19 And it's interesting, like I have a mentor who's an incredible person who was the Times Moscow Bureau Chief during the Cold War. And after I wrote a series of stories about Chinese cyber espionage, he took me out to lunch. And he told me that when he was living in Moscow, he would drop his kids off at preschool when they were my son's age now. And the KGB would follow him. And they would make a really like loud show
Starting point is 01:47:46 of it. You know, they'd tail him, they'd, you know, honk, they'd just be a wreck at, make a wreck us. And he said, you know what, they never actually did anything, but they wanted me to know that they were following me. And I operated accordingly. And he says, that's how you should operate in in in the digital world. Know that there are probably people following you. Sometimes they'll make a little bit of noise, but one thing you need to know is that while you're at the New York Times, you have a little bit of an invisible shield on you. You know, if something were to happen to you, that would be a really big deal. That would be an international incident.
Starting point is 01:48:25 So I kind of carried that invisible shield with me for years. And then Jamal Khashoggi happened. And that destroyed my vision of my invisible shield. You know, sure, you know, he was a Saudi, but he was a Washington Post columnist. You know, for the most part, he was living in the United States. He was a journalist. And for them to do what they did to him, pretty much in the open and get away with it. And for the United States to let them get away with it, because we wanted to preserve diplomatic relations with the Saudis, that really
Starting point is 01:49:06 threw my world view upside down. And I think that sent a message to a lot of countries that it was sort of open season on journalists. And to me, that was one of the most destructive things that happened under the previous administration. And, you know, I don't really know what to think of my invisible shield anymore. Take a said that really worries me on the journals and side that people will be afraid to dig deep on fascinating topics. And, you know, I have my own, that's part of the reason I, I, I, I would love to have kids. I would love to have a family part of the reason I'm a little bit afraid.
Starting point is 01:49:55 There's many ways to phrase this, but the loss of freedom in the way of doing all the crazy shit that I naturally do, which I would say the ethic of journalism is kind of not, is doing crazy shit without really thinking about it. This is letting your curiosity really allow you to be free and explore. It's, I mean, whether it's stupidity or fearlessness, whatever it is, that's what great journalism is. And all the concerns about security risks have made me become a better person. The way I approach it is just make sure you don't have anything to hide. I know this is not a thing, this is not a
Starting point is 01:50:39 approach to security. I'm just, this is like a motivational speech or something. It's just like if you can lose, you can be hacked at any moment. Just don't be a douchebag secretly. Just be like a good person. Because then I see this actually with social media in general. Just present yourself in the most authentic way possible, meaning be the same person online as you are privately, have nothing to hide. That's one, not the only, but one of the ways to achieve security. Maybe I'm totally wrong on this, but don't be secretly weird. If you're weird, be publicly weird, so it's impossible to blackmail you.
Starting point is 01:51:23 That's my approach to that. Yeah. Well, they call it the New York Times front page phenomenon. You know, don't put anything in email or I guess social media these days that you wouldn't want to read on the front page of the New York Times. And that works, but you know, sometimes I even get carried. I mean, I have, I don't know, not as many followers as you, but a lot of followers. And sometimes even I get carried away. It's been emotional stuff to say something.
Starting point is 01:51:50 Yeah, I mean, just the cortisol response on Twitter. And Twitter is basically designed to elicit those responses. I mean, every day I turn on my computer, I look at my phone, and look at what's trending on Twitter, and it's like, what are the topics that are going to make people the most angry today? You know? And, you know, it's easy to get carried away, but it's also just, that sucks too, that you have to be constantly censoring yourself.
Starting point is 01:52:24 And maybe it's for the better. Maybe you can't be a secret asshole. We can put that in the good bucket. But at the same time, there is a danger to that other voice, to creativity, to being weird. There is a danger to that little whispered voice that was that's like, well, how would people read that? You know, how could that be manipulated? How could that be used against you? And that stifles creativity and innovation and three thought. And you know, that's that that is on a very micro level. And that's something I think about a lot.
Starting point is 01:53:07 And that's actually something that Tim Cook has talked about a lot. And why he has said he goes full force on privacy is it's just that little voice that is at some level censoring you. And what is sort of the long-term impact of that little voice over time? I think there's a ways, I think that self-censorship is an attack vector that there's solutions to. The way, I'm really inspired by Elon Musk.
Starting point is 01:53:39 The solution to that is just be privately and publicly the same person and be ridiculous and brace the full weirdness and show it more and more. So, you know, that's, that's memes that has like ridiculous humor and I think, and if there is something you really want to hide deeply consider if that you want to be that. Like, why are you hiding it? What exactly are you afraid of? Because I think my hopeful vision for the internet is the internet loves authenticity. They want to see you weird.
Starting point is 01:54:14 So be that and like live that fully because I think that gray area where you're kind of censoring yourself, that's where the destruction is. You have to go all the way step over. Be weird. Be weird. And then it feels it can be painful because people
Starting point is 01:54:30 can attack you and so on, but just write it. I mean, that's just a skill on the social psychological level that ends up being an approach to security, which is like remove the attack vector of having private information by being your full, weird self publicly. What advice would you give to young folks today, operating in this complicated space, about how to have a successful life, a life that can be proud of, a career that can be proud of maybe somebody in high school and college thinking about what they're going to do. to have a successful life, a life that can be proud of a career that can be proud of
Starting point is 01:55:09 maybe somebody in high school and college thinking about what they're going to do. Be a hacker. If you have any interest, become a hacker and apply yourself to defense. Every time we do have these amazing scholarship programs, for instance, where they find you early, they'll pay your college as long as you commit to some kind of federal commitment to sort of help federal agencies with cybersecurity. And where does everyone want to go every year from the scholarship program? They want to go work at the NSA or cyber command. They want to go work on offense.
Starting point is 01:55:43 They want to go do this, Exy stuff. It's really hard to get people to work on defense. It's just, it's always been more fun to be a pirate than being the Coast Guard. You know, and so we have a huge deficit when it comes to filling those roles. There's 3.5 million unfilled cyber security positions around the world. I mean, talk about job security. Like, be a hacker and work on cybersecurity. You will always have a job. And we're actually at a huge deficit and disadvantage as a free market economy.
Starting point is 01:56:21 Because we can't match cybersecurity salaries at Palantir or Facebook or Google or Microsoft. And so it's really hard for the United States to fill those roles. And you know, other countries have had this workaround where they basically have forced conscription on some level. You know, China tells people like, you do whatever you're gonna do during the day, work at Alibaba, you know, if you need to do some rants somewhere, okay, but the minute we tap you on the shoulder and ask you to come do this sensitive operation for us, the answer is yes. Same with Russia, a couple of years ago when Yahoo was hacked, and they laid it all out in an indictment, it came down to two cyber criminals and two guys from the FSB.
Starting point is 01:57:08 Cyber criminals were allowed to have their fun, but the minute they came across the user name and password for someone's personal Yahoo account that worked at the White House or the State Department or military, they were expected to pass that over to the FSB. So we don't do that here and it's even worse on defense. We really can't fill these positions. So, you know, if you are a hacker, if you're interested in code, if you're a tinker, you know, learn how to hack, they're all sorts of amazing hacking competitions
Starting point is 01:57:41 you can do through the Sands org, for example, SANS. Then use those skills for good. Neuter the bugs in that code that get used by autocratic regimes to make people's life a living prison. Plug those holes, defend industrial systems, defend our water treatment facilities from hacks where people are trying to come in and poison the water. You know, that I think is just an amazing, it's an amazing job on so many levels. It's intellectually stimulating. You can tell yourself you're serving your country. You can tell yourself you're saving lives and keeping people safe. And you'll
Starting point is 01:58:25 always have amazing job security. And if you need to go get that job that pays you, you know, $2 million a year, you can do that too. And you can have a public profile more so of a public profile. You can be a public rock star. I mean, it's of well-known sort of people commenting on the fact that veterans are not treated as well as they should be, but it's still the fact that soldiers are deeply respected for defending the country, the freedoms, the ideals that we stand for. And in the same way, I mean, in some ways, the cyber security defense are the soldiers of the future. Yeah. And you know, it's interesting.
Starting point is 01:59:09 I mean, in cyber security, the difference is, oftentimes, you see the more interesting threats in the private sector, because that's where the attacks come. When cyber criminals and nation state adversaries come for the United States, they don't go directly for cyber command or the NSA. Now, they go for banks, they go for Google, they go for Microsoft, they go for critical infrastructure. And so those companies, those private sector companies, get to see some of the most advanced sophisticated attacks out there. And, you know, if you're working at Fire Eye and you're
Starting point is 01:59:47 calling out the Solar Winds attack, for instance, I mean, you just saved God knows how many systems from, you know, that compromise turning into something that more closely resembles sabotage. resemble sabotage. So, you know, go go be a hacker and or go be a journalist. So, you wrote the book. This is how they tell me the world ends as we've been talking about, of course, referring to cyber war, cyber security. What gives you hope about the future of our world if it doesn't end? How will it not end? That's a good question. I mean, I have to have hope, right? Because I have a kid and I have another on the way. And if I didn't have hope, I wouldn't be having kids. But it's a scary time to be But it's a scary time to be having kids. And now it's like pandemic, climate change, disinformation, increasingly advanced,
Starting point is 02:00:53 perhaps deadly cyber attacks. What gives me hope is that I share your world view that I think people are fundamentally good. And sometimes, and this is why the metaverse scares me to death, but when I'm reminded of that is not online. Like online, I get the opposite. You know, you start to lose hope and humanity when you're on Twitter half your day. It's like when I go to the grocery store or I go on a hike or like someone smiles at me, go to the grocery store or I go on a hike or like someone smiles at me or you know or someone just says something nice. You know people are fundamentally good. We just don't
Starting point is 02:01:32 hear from those people enough. And my hope is you know I just think our our current political climate like we've hit rock bottom. You And this is as bad as it gets. We can't do anything. Don't jinx it. Well, but I think it's a generational thing. You know, I think baby boomers, like it's time to move along. I think it's time for a new generation to come in. And I actually have a lot of hope when I look at you.
Starting point is 02:02:04 I'm sort of like this, I guess they call it me a And I actually have a lot of hope when I look at you. I'm sort of like this, I guess they call it me a geriatric millennial or a young Gen X. But we have this unique responsibility because I grew up without the internet and without social media, but I'm native to it. So I know the good and I know the bad. And that's true on so many different things.
Starting point is 02:02:27 I grew up without climate change anxiety. And now I'm feeling it and I know it's not a given. We don't have to just resign ourselves to climate change. Same with disinformation. And I think a lot of the problems we face today have just exposed the sort of inertia that there's been on so many of these issues. And I really think it's a generational shift that has to happen.
Starting point is 02:02:53 And I think this next generation is going to come in and say, like, we're not doing business like you guys did it anymore, you know? We're not just going to like rape and pillage the earth and try and turn everyone against each other and play dirty tricks and let lobbyists dictate, you know, what we do or don't do as a country anymore. And that's really where I see the hope. It feels like there's a lot of low hanging fruit for young minds to step up and create solutions and lead. So whenever like politicians or leaders that are older,
Starting point is 02:03:29 like you said, are acting shitty, I see that as a positive. They're inspiring a large number of young people to replace them. And so it's, I think you're right, there's going to be it's almost like, you need people to act shitty to remind them, oh, wow, we need good leaders, we need great creators and builders and entrepreneurs and scientists and engineers and journalists. Yeah. Yeah. All the discussions about how the journalism is quote unquote broken and so on, that's just an inspiration for new institutions to rise up, that do journalism better, new journalists to step up and do journalism better. So I, and I've been constantly, when I talk to young people, I'm constantly impressed by the ones that dream to build solutions. And so that's, that's ultimately why I put the hope, but the world is a messy place, like we've been talking about, the scary place.
Starting point is 02:04:24 whole, but the world is a messy place like we've been talking about the scary place. Yeah, and I think you hit something, hit on something earlier, which is authenticity. Like, no one is going to rise above that is plastic anymore. You know, people are craving authenticity. You know, the benefit of the internet is it's really hard to hide who you are on every single platform, you know, on some level it's going to come out who you really are. And so you hope that, you know, by the time my kids are grown, like no one's going to care if they made one mistake online. So long as they're authentic. And I used to worry about this. My nephew was born the day I graduated from college.
Starting point is 02:05:12 And I just always, he's born into Facebook. And I just think how is a kid like that ever gonna be president of the United States of America? Because if Facebook had been around when I was in college, you know, like Jesus. You know, how are those kids gonna ever be president? There's gonna be some photo of them at some point making some mistake and that's gonna be all over for them.
Starting point is 02:05:40 And now I take that back, now it's like, no, everyone's gonna make mistakes. There's gonna be a picture for them. And now I take that back. Now it's like, no, everyone's going to make mistakes. There's going to be a picture for everyone. And we're all going to have to come and grow up to the view that as humans, we're going to make huge mistakes. And hopefully they're not so big that they're going to ruin the rest of your life. But we're going to have to come around to this view that we're all human. And we're going to have to be a little bit more forgiving and a little bit more tolerant when people mess up. And we're going to have to come around to this view that we're all human and we're going to have to be a little bit more forgiving and a little bit more tolerant when people mess up and we're going to have to be a little bit more humble when we do
Starting point is 02:06:12 and like keep moving forward. Otherwise, you can't like cancel everyone. Nicole, this is an incredible, hopeful conversation. Also, and also one that reveals that in the shadows, there's a lot of challenges to be solved. So I really appreciate that you took on this really difficult subject with your book. That's journalism is best. So I'm really grateful that you took the risk that you took that on.
Starting point is 02:06:39 And that you plugged the cable box back in, that means you have hope. And thank you so much for spending your valuable time with me today. Thank you, thanks for having me. Thanks for listening to this conversation with Nicole Perlroth. To support this podcast, please check out our sponsors in the description. And now, let me leave you with some words from Nicole herself. Here we are, entrusting our entire digital lives,
Starting point is 02:07:04 passwords, texts, love letters, banking records, health records, credit card sources, and deepest thoughts to this mystery box, whose inner circuitry most of us would never vet. Run by code written in a language most of us will never fully understand. Thank you for listening, and hope to see you next time. you