Sean Carroll's Mindscape: Science, Society, Philosophy, Culture, Arts, and Ideas - 238 | Scott Shapiro on the Technology and Philosophy of Hacking

Episode Date: May 29, 2023

Modern computers are somewhat more secure against being hacked - either by an inanimate virus or a human interloper - than they used to be. But as our lives are increasingly intertwined with computers..., the dangers that hacking poses are enormously greater. Why don't we just build unhackable computers? Scott Shapiro, who is a law professor and philosopher, explains why that's essentially impossible. On a philosophical level, computers rely on an essential equivalence between "data" and "code," which is vulnerable to exploitation. And on a psychological level, human beings will always be the weakest link in the chain of security. Web page with transcript: https://www.preposterousuniverse.com/podcast/2023/05/29/238-scott-shapiro-on-the-technology-and-philosophy-of-hacking/ Scott Shapiro received a J.D. from Yale Law School and a Ph.D. in philosophy from Columbia. He is currently the Charles F Southmayd Prof of Law and Philosophy at Yale University. He is the Director of the Yale Center for Law and Philosophy and also Director of the Yale Cybersecurity Lab. He is the Co-Editor of Legal Theory, and Co-Editor for philosophy of Law at the Stanford Encyclopedia of Philosophy. His new book is Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks.

Transcript
Starting point is 00:00:25 Hello, everyone.
Starting point is 00:01:01 Welcome to the Mindscape Podcast. I'm your host, Sean Carroll. It's kind of a cliche to say that even though in some sense our lives change quite rapidly because of the advance of technology, often it doesn't seem like it's changing that rapidly. Like we anticipate certain things, like where's my jetpack and rocket car and whatever? And we're not seeing those things. So we miss the changes that are actually happening. The most obvious example here is the computer, right?
Starting point is 00:01:28 When I was growing up, we did not have computers in my house. When I was in high school, there was a computer lab you could go to. When I was in college, you could go to the department and work on the computers there, but I didn't have my own. It wasn't until grad school, really late in grad school, that I bought my first personal computer. And the very idea of a computer and what it is should not be taken for granted, even though that's what we do. A computer is not just a calculator. Computers do lots of things. The miracle of the computers we use now is that they are general purpose machines. You can use a computer to watch movies, listen to podcasts, read your email, play games,
Starting point is 00:02:13 calculate important integrals, if that's the kind of thing you'd like to do. And it kind of goes back to Alan Turing, the one who really first argued for the generalness of computers. It turns out that this feature of computers, their generalness, their flexibility, is closely related to their vulnerability. We all know that there are worries that we have about computer hacking, bringing down the internet, stealing our emails, things like that. Today's guest is Scott Shapiro, and he's going to tell us a little bit about the philosophy and technology of computer hacking. It's somewhat reminiscent of our recent conversation with Nita Farahany, who is a law professor and philosophy professor, who talked about the privacy issues that come up when you have the possibility of reading your mind with technology, neuroscanning. And part of the lesson there, the worry, was that human beings, when faced with a
Starting point is 00:03:07 trade-off between privacy and convenience, are almost always going to choose convenience. We really like convenience. We will give away our privacy. Today with Scott, we're going to talk about computer hacking and the danger that that has for us. And part of the lesson is that when faced with security versus convenience, human beings often choose convenience. But it actually is going to go deeper than that. Even people who are pretty well-meaning and try their best to choose security, human beings, they're always the problem. They get in the way. That's where it becomes a philosophical issue, as well as a tech issue and a legal issue. How do we think about the way to shape human beings and their relationships with the machines they use in such a way to make us a little bit more
Starting point is 00:03:55 secure? Scott Shapiro has a new book out called Fancy Bear Goes Phishing. That's phishing with a P-H. And the subtitle is The Dark History of the Information Age, in Five Extraordinary Hacks. It's a detailed book, very readable and fun to read, but there's a lot of stuff in there. But the five hacks that he chooses, historically, you know, these five examples of when people hacked into the computers in one way or the other, they're very fun. You learn a lot about who becomes a hacker, why they do it, and what the rest of us, who are hopefully not hackers, can and should do to stop it from happening to us. So that's useful advice, I think, for all of us. Let's go. Scott Shapiro, welcome to the Mindscape Podcast. Thank you so much, Sean, for having me.
Starting point is 00:04:57 I think this is one of those episodes where a little bit of history is going to help us, a little bit of path dependence as to how we got here, because you're a philosophy professor. I know also in the law school, so that's kind of a natural intersection. But now we're talking about hacking and cyber security, which is maybe not so natural. How did we get here? And what did these things have to do with each other? Yeah, sure. So I got, so two things. So first of all, I have a computer science background like so many young boys, people, my age, I grew up in the 1970s and 80s when the personal computer revolution came along. And my classroom in ninth grade had a TRS-80 from Radio Shack and my parents bought me an Apple II.
Starting point is 00:05:48 And, you know, for the first time in the history of the world, you could go into a store and buy a general all-purpose computer. And, you know, I mean, for so many people, I was intoxicated by it and, you know, coding all the time. And then I studied computer science at Columbia, and I had a computer company before the World Wide Web came on. And so I was just, I was a computer person until I switched to be a law and philosophy person. So that's the first thing.
Starting point is 00:06:29 But really, the way I got into this was that my previous work had been on the history of war. That is, in a book I had published before Fancy Bear, called The Internationalists. It was a story about how war had gone from being a perfectly legitimate way in which states enforced their rights to illegal, that war is illegal except in cases of self-defense. And then people, so it was like from 1600 to 2015, that was like the history. And then, of course, people said, well, what about 2016? What about 2017? What about cyber war? And I was like, oh, what about cyber war? That's super interesting. And that sucked me into this space. And it was, it was an incredibly interesting journey. I mean, it's an incredibly interesting
Starting point is 00:07:24 field of cybersecurity. Are you teaching philosophy courses that relate to this topic? So it's funny because when I first started teaching, I taught this course with two other colleagues, one, a law professor, Oona Hathaway, and another one, a mathematical cryptographer, Joan Feigenbaum. And we taught a class called The Law and Technology of Cyber Conflict, where half the students were computer scientists, half the students were law students. And so we'd explain the law to the technology people and the technology to the law people. And it was just terrible. Just like the absolute worst course I ever taught in my life. And that is because, you know, both law and computer science, they're technical subjects.
Starting point is 00:08:16 And so at any given time, half the class was bored and the other half was confused. And we just switched back and forth throughout the semester. And then I realized that, you know, you can't, well, at least I hadn't figured out how to teach all of it together. So I've taught just a pure hacking class, just pure technology, then a pure law class and then just a pure philosophy class to try to figure out how to get into the subject. And the book in some sense is a combination of all those. What is the name of the philosophy class? Oh, it was called the philosophy of internet hacking.
Starting point is 00:08:53 Okay. We'll find out what that is. I mean, one of the main ideas of the book is that hackers don't just exploit computer code, but also the philosophical principles of computation. And it's something I hope we'll talk about. But to me, the technical, philosophical, and legal are really tightly connected. Yeah. Okay.
Starting point is 00:09:19 And not to be too professorial here, but let us define the term hacking. What do we mean exactly? Because this might not even mean the thing that people think it means. Yeah. So when I use the term hacking, I use it as an activity that attempts to defeat a security control. So there are all these controls that are put on our computers, like having to enter credentials, username and passwords. That's a security control.
Starting point is 00:09:51 And if you can defeat that security control, you have hacked that system. And so, like, if you just leave your computer open and somebody comes over and reads your email, they have not hacked your computer because they have not defeated anything that was designed for you not to do it unless they picked your lock into your room or something like that. But if they trick you into sending them your email address or your password, I should say. Right. So that's exactly right. So if they somehow use fraud, deception in order to work around something that was designed for you not to gain access to the account, that is hacking. But I think a lot of people probably have in mind the idea of viruses or some kind of tools that let you get around a firewall. So is that still a lot? I mean, getting people to send you their passwords is great, but is there still a lot of tricks
Starting point is 00:10:57 with viruses and worms and so forth? And do we need to know the difference between a virus and a worm? Yeah, right. Exactly. So, you know, I'm a philosopher. So whereas, you know, other people may not be that obsessed with what is the difference between a virus and a worm, I was particularly obsessed with like trying to come up with, you know, why they're different. And I can talk about it. But one of the things I try to show is that viruses and worms, which very basically one might consider to be self-replicating computer programs, they all use forms of trickery, but they use trickery in different ways. Viruses use trickery to get users to execute them, to click on links, to download them. Worms trick, not users, but their operating systems or their other types
Starting point is 00:11:55 of network protocols or the like. So there's always trickery going on. The question is who's being tricked? I guess I'm not sure how that relates to what I had in mind. I'm taking the biological metaphor too seriously. But I think of viruses as things that live within another program and worms as things that are living organisms by themselves. Yeah, no. So in some sense, that was the historical origin of the terms virus and worm. So for example, worms from tapeworms, and tapeworms are hermaphroditic organisms that can reproduce by themselves. And so that was the idea of a worm. The biological metaphor helps, but as I try to show in the book, it doesn't actually really work. There are fully self-contained viruses. There are worms that are
Starting point is 00:12:49 part of other computer programs. So the difference between viruses and worms is not whether they're stand-alone or part of something else. There are really two main differences. One is who executes them? Is it the user? Does the user need to click on the thing? Whereas a worm is autonomous, can operate by itself. And the second is like, how does it spread? Does it spread through networks? Worms spread through networks. And that's why worms are so dangerous on the internet, because the internet is a network of networks. And viruses are local. That is, they infect your computer, but they don't move from one computer to another via networks. Okay. How do they move from one computer? Well, you know, they used to, the main way in which
Starting point is 00:13:43 viruses used to travel was what was called sneakernet, which is like you just get a, get a, you'd have a flop, you'd have a game that had a virus in it. You'd put your floppy in there and you'd give it to your friend and they would put the floppy into their hard drive, into their floppy drive, and then they would get the virus. That's the way it normally happened. In the early 1990s, it was estimated that it took two weeks for a virus to get from Europe to the United States. I'm glad we went over that because you and I are indeed part of that generation that used floppy drives during our formative years. But I bet a lot of people listening have no idea what we're talking about here. Floppy disks are known only as a joke, right?
Starting point is 00:14:35 Like they knew that that's an ancient technology. No, absolutely. And so, I mean, so there's the floppy disk. So there's the eight and a half floppy. They were really floppy. If you held them by the corner, they really did flop over. Then you had the five and a quarter, which was less floppy, but still pretty floppy. And then you had the hard floppy disks, the three and a half inch ones.
Starting point is 00:14:57 And that's what, you know, yeah, I try to tell my students this because they're also upsettingly young. But like when you save your word document, you're clicking on a floppy drive icon that maybe they haven't seen or haven't remembered. The iconography will live forever. Yeah.
Starting point is 00:15:46 And then before getting into the, sorry, let's back up. You've written a book, Fancy Bear Goes Phishing. And you will talk about, you talk in the book about these, you've picked out five paradigmatic, I suppose, hacks that we'll get through because they're all really great stories and they illustrate some of the points. But before we go into the details, I do want to get some of the philosophical background on the table. You talk about how the idea of just stopping hacking is a little bit utopian.
Starting point is 00:17:27 It's not going to happen. It's sort of in the notion of a computer that it can be hacked. Is that an accurate paraphrase? Yes, exactly. It's not like people are silly or they make mistakes. It is part of the ultimate fabric of the universe that you cannot make computers that are unhackable. And this goes back to Alan Turing, who gets name checked a lot. Yes, it does go back to Alan Turing.
Starting point is 00:17:54 What I think is so fascinating about Turing, I mean, Turing is one of the most fascinating figures in the history of science, certainly of the 20th century. And, you know, when, you know, some of the listeners might have heard of things like Turing machines that are named after Alan Turing, Alan Turing in 1936, he's 20, he wrote it when he was 23, published in 24, comes up with this theory of how general computing devices are possible. Like, you can make a mechanical general computing device. And this is just, this is, of course, a massive intellectual breakthrough, and the principles that he lays out for how general computing devices are possible, which we can go into, turn out to be exactly the principles that hackers exploit when they hack a computer. So, and I'm happy to talk about this because I think this is one of the main messages of the book, is that the very things that make computers possible, make hacking possible
Starting point is 00:19:08 and you can't get rid of one without the other and that's like such a deep part of the world of the metaphysics so to speak of the world that no amount of money, time, or effort is ever going to change that. On occasional rare moments I begin to think that I'm a little bit smart
Starting point is 00:19:26 and then I remember people like Alan Turing who when they're 23 years old invent the general theory of a computing machine. Oh, it's just crazy. And not only did he come up with this idea that general computing devices are possible, he does that to show that computers can't solve every problem. Right.
Starting point is 00:19:46 Which, you know, talk about, you know, like that is galaxy brain stuff. Like you can like, okay, computers are possible. Actually, general computing, you can solve any solvable problem, but you know what? There are problems that no finite device is ever going to solve. Like, in one article. I still struggle with that fact that he got 100 years ago, yeah. Yeah, it's just astonishing to talk about, you know, going from first principles and just driving just through pure reason to figure out something unbelievably deep about the universe
Starting point is 00:20:23 is just, it's mind-boggling. And like you, makes me feel bad about myself. Yeah, I think so. I think it's okay. But if I'm going to package the connection there, and you can fill in the details, it's because Turing appreciated that there's not quite as sharp a distinction between data and code as you might have expected. Yeah. So, I mean, this turns out to be, I think of this as like, you know, one of the two or three greatest philosophical discoveries of the 20th century that no one knows about. I mean, I shouldn't say no one knows about, I mean, lots of people know about it, of course, but they don't appreciate it as just a massive intellectual breakthrough.
Starting point is 00:21:09 So the idea is that, you know, we have these two categories of things, code and data. So code, instructions, active, does things, data, information, passive, has things done to it. And so, you know, so shut the door, print your résumé, add two numbers. That's code. That's data. It's 80 degrees outside. And so you might think, like, these things are so different from one another. One does something. The other thing, the other thing has something done to it. One's active, one's passive. So you might think, like, they're so different. They can't possibly be represented by the same symbols. I mean, we normally think of code as represented by, you know, at least for programmers,
Starting point is 00:21:58 we think of it as like English or English-like words, natural language, and data we think is normally represented by numbers, although it doesn't have to be. So these seem to be so, like numbers and words seem to be so different. And what Turing did, building on the insight of Kurt Gödel, the great logician, which is that you can always take code and turn it into a number and a unique number. And so you could have code and data represented by numbers, by the same symbols. And since all numbers can be represented by binary symbols, ones and zeros, you could have code and data, these very different things,
Starting point is 00:22:41 represented by the same strings of ones and zeros, which means that your computer need only understand one language, the language of ones and zeros. And it means that you don't have to rebuild your computer every time you want to run a different program, which is what, you know, a team of women programmers had to do in the 1940s with the ENIAC. They didn't have software. Everything was hardware, so you had to change everything. If you use the Turing process of converting code into numbers, what you could do is have a computer that accepts numbers and then
Starting point is 00:23:18 runs it as code, accepts numbers treated as data, and then runs the code on the data, which makes, that's why I only have one laptop as opposed to 87 for every application that I use, because I can just always download or load code into my computer. Part of me, this is very unfair, but part of me thinking like a physicist wants to say, of course code and data are the same because they're all atoms. And thinking about them as either code or data is a human choice that we make for our convenience. And Turing is really just reminding us that there's a commonality there, that this human invention is not absolute. Yeah. But, but, you know, right now you're, I mean,
Starting point is 00:24:04 that's absolutely true. But, you know, I just want to notice that, point out that you're, I mean, quite naturally, because in some sense, this was another great advance of Turing's, which is that you're trying to assimilate a computing device to a physical system. And that was another great discovery, actually, of Turing, that computation is a physical process and that you could build a contraption, a mechanical contraption that just manipulates symbols according to the laws of physics. And somehow through some very basic manipulation actions like, you know, writing the number one, erasing the number one, moving along a tape, that was sufficient for solving every solvable problem. So when you say, yes, of course, you know, words are atoms or, you know, actually the string is made up of atoms, well, that is to use the other insight of Turing, which is that computing devices are physical devices.
Starting point is 00:25:20 And these insights together are what underlie the claim that hacking is always going to be with us. Yeah, so let me just take the second thing that I just mentioned about, you know, computing devices are physical devices for manipulating symbols. You know, that is one of the main ways in which hacking occurs, which is that hackers exploit the physical limitations of physical systems. You know, think of it, think of polygraphs. So a polygraph is a way of trying to, let's assume that they're good, you know, that they work, okay, for the moment, okay? The idea of a polygraph is to try to peer into your mind not by asking,
Starting point is 00:26:11 not by actually reading the neural patterns in your head, but to try to see that your brain is connected to your body and that we might be able to discover through increased heart rate or sweating that you think something. And that's a way of hacking the physical body, human body, to figure out what's going on. In cybersecurity, this is called a
Starting point is 00:26:41 side channel attack. It's to try to read off information from the changes in the physical system that's being studied. So, you know, there are all these cool things where, you know, hackers can discover your passcode because you have an accelerometer in your smartphone, which can tell which numbers you've pressed because the phone shifts a little bit. And so there are very sophisticated exploits that use this. The second one, in the book I call this duality, which is the first principle we had been talking about, that code and data can be represented by the same symbols.
Starting point is 00:27:26 Well, if they can be represented by the same symbols, when the computer or the user is expecting data, the hacker can send code. And that is the other major way in which hacking occurs. So one thing I think you can see is that the very things that make computers possible, that is that they're physical devices and that they can manipulate both code and data through binary symbols, are the very things that get exploited by hackers. And when I mean, thinking about it this way, I think kind of takes things that seem very disconnected from one another
Starting point is 00:28:08 and they show the common things, commonality. So phishing attempts are attempts to exploit imperfect human psychology. That's, we have imperfect human psychology because we need shortcuts. The same thing with side channel attacks on computers, they're also exploiting the physical nature of the system. So that's a way of seeing how to group hacks together. And there's one other distinction that you raised that I really liked between upcode and downcode while we're talking about code. So what is that? Yeah, sure.
Starting point is 00:28:53 So, you know, think when you're typing on your computer. Downcode is all the code below your fingertips. So your operating system, your application, network protocol. how your router works, firmware, all that kind of stuff. Upcode is all the norms and rules and code above your fingertips. So your psychology, social norms, legal norms, professional ethics, terms of service, employment contracts, all the norms that go above. And I call that upcode.
Starting point is 00:29:25 And the standard way that people think about cybersecurity and hacking is almost purely through a downcode lens. And so they think, okay, we got some technical vulnerability. We got some bug. Let's fix it. And the argument that I make in the book is that this is a bad way to address cybersecurity, that we ought to be looking at the upcode, the norms, which provide incentives for coders and for users to use their computers in a certain way, to develop code in a certain way.
Starting point is 00:30:01 And so what we ought to be looking for is not so much the technical vulnerability in the downcode, but the human and political and social vulnerabilities in the upcode. And let's look at exactly those. So you have these wonderful examples. And I like the very first one, Robert Morris in 1988, because I remember I was a first year grad student at that time at Harvard. And the first, this is big news. The internet went down. The internet was a very tiny thing at the time, but it shows one of these human psychological aspects, because I was at Harvard. The first guess was that this is somehow affiliated with MIT. But then at some point, there was an idea that, in fact, the person who did it was affiliated
Starting point is 00:30:46 with Harvard, and they were very proud. They were happy. Like, we beat MIT somehow. It turned out not to exactly be the full story in either way. But tell us what the story was. Yeah, sure. Did you know Cliff Stoll? I've seen him give talks and I read his Cuckoo's Egg.
Starting point is 00:31:02 Okay, because he was a, he's an astronomer and a computer security expert who was at Harvard at the time and who also played a central role in trying to remediate and explain what had happened. So here's what happened. Right, it's 1988, November 2nd, 1988. Robert Morris Jr., who's a first-year graduate student in computer science at Cornell University, had been a Harvard undergraduate, logs in to Richard Stallman's email, a computer account at MIT, because Richard Stallman, who is often known as the father of free and open source software, he didn't have a password on his account. And, you know, so Robert Morris did not hack the MIT computer.
Starting point is 00:32:04 But what he did was he released three binary files, which he released as an experiment. The basic idea of the worm that he created was it exploited multiple vulnerabilities in the Unix operating systems, particularly Unix 4.2, the Berkeley Software Distribution 4.2, which was the first Unix distribution, or I should say first major Unix distribution, that was hooked up to the internet. And so what Robert Morris did was he exploited those vulnerabilities because he was kind of a, he was, he was extraordinarily knowledgeable. And he was really just interested in figuring out, like how big the internet was.
Starting point is 00:32:58 You know, it was a science experiment for him. And for reasons which I can go into, the worm was so effective at infecting computers that it reinfected those computers over and over again. And so these computers crashed, not because he was trying to crash them, but because they were so busy copying worms and distributing them. The, it's a, you know, one of the things that, so I'm the same age as Robert Morris Jr., he is right now a tenured professor at MIT, his best, his friend that I talk about in the book, Paul Graham. Paul Graham is one of the founders of Y Combinator, the giant tech venture capital firm that, you know, is responsible for funding Dropbox and Airbnb and stuff like that. But this is a story of like when they're grad students. And, you know, when the whole, when the internet goes down, it's on the cover of the New York Times on the, you know,
Starting point is 00:34:01 on the national, on national news. Robert Morris Jr. has to call Robert Morris Sr. Bob Morris, who's his dad, who's the head of cybersecurity for the NSA. Just imagine, you know, crashing the internet. And you have to tell your dad who's responsible for, um, uh, cybersecurity for the National Security Agency. I mean, just an incredible, like just makes, it just makes me cringe every time I think about it. And then he gets prosecuted and convicted for the first one to be convicted of violating the Computer Fraud and Abuse Act. And he does not go to jail. But it's a very, it's a harrowing story of what he went through.
Starting point is 00:35:44 Listen to EIRSA, the Audible and IHeart Audio Book Club on the IHart Radio app or wherever you get your podcasts. And just so people are correctly normalized in their expectations here, the internet existed in 1988, but it was a different thing. What we call the World Wide Web did not exist. That's right. So one of the things I try to explain in the book, right, is that, you know, the web and the Internet are often conflated for, you know, for good reasons, in part because the web is a protocol for that that works on top of the internet. And so just like email uses the internet, browsers uses the internet. And it turned, the, the worldwide web is created, I think a year later in 1989.
Starting point is 00:36:44 And then it comes online with the first browser in the 1993. with Mosaic, which becomes Netscape. So we're talking like right before everyone starts thinking about the web and the internet. And one of the things is fascinating. And I didn't realize this from my research, first time Americans or anybody had ever heard the word internet before. I was kind of shocked about this.
Starting point is 00:37:10 And they don't even know how to, like when newspapers are writing this up, they don't even know how to refer to it as it. The internet? Is it internet? Is it the internet network? Is it the internet with the N? Second N capitalized? A lot of experimenting. But the first time people know that the internet exists, it basically is when it crashes. And it was essentially, it wasn't malicious, right? It was like you said, it was kind of a science experiment. It was not an attempt to bring down the internet. It was kind of like, yeah, we're young and it's a brave new world. Let's see what we can do. Yeah, I mean, so much, you know, the thing is that I think it was so shocking to people precisely because it wasn't malicious.
Starting point is 00:37:56 It was like, you know, Robert Morris Jr. had found security vulnerabilities in internet protocols before. He was like basically the network administrator for Harvard before he went to Cornell. I mean, he was, you know, he was, you know, a white hat. You know, he's one of the good guys. And one of our people crashed the internet. What would a black hat do? And that, that, I think that just freaked everyone out, scared everyone. Of course, everyone was worried about connect.
Starting point is 00:38:38 It was the internet connected to the, uh, the, uh, nuclear arsenal, the movie War Games, which maybe, you know, some of your listeners remember, I bet you remember it, Matthew Broderick film, which tells a story of how this teenager kind of what's now we call it war dialing after war games is you randomly dialing numbers through his modem and then connects to a NORAD computer, which he thinks is, a video game repository and he almost starts World War III. And this, I mean, it's amazing that Ronald Reagan sees this movie at the White House and then freaks out and then gets everyone to like, get like, can this really happen? And we get the next year, the computer fraud, the first
Starting point is 00:39:32 iteration of the Computer Fraud and Abuse Act, the first federal law against hacking. You know, it's too perfect. You know, movie star president sees this movie, we get this law, and then a couple years later, the whole internet goes down and people, you know, see these things connected and they get very, very, very anxious. And that anxiety, in many ways, has not gone away. I'm always fascinated by the similarities, but also differences between a complex system like the internet or even a single computer and complex systems like a living organism or an ecosystem, which the biggest single difference is that one was designed, at least partly, and the other one kind of evolved.
Starting point is 00:40:17 Does that difference make the Internet more or less vulnerable? You know, it sort of hasn't grown up through being buffeted by a whole bunch of different evolutionary challenges. But on the other hand, there's people trying to keep it safe. Is that an easy question to answer? No. It's really, I mean, you know, like any question involving complex systems is not easy to answer. And so, and it's not even, I would be honest, it's not even my area.
Starting point is 00:40:48 I will say that two things of real importance comparing computers to biological systems. So the first one is that the person who was most moved by the analogy was, you know, another genius of the 20th century John von Neumann. And John von Neumann was, he was involved in the ENIAC, which is the first electronic computer, and then he's very central to building the first digital computer, the EDVAC, which uses a system that we talked about earlier of loading code to your computer and then loading data so you don't have to rebuild it every time. And so one of the things that von Neumann discovered when he was trying to build this computer was how ridiculously
Starting point is 00:41:50 vulnerable they are. Like one little, one little vacuum tube and it's gone. And he's like, but human beings or like, you know, moths or fruit flies, it's not like that at all. You know, things get messed up all the time, and yet, and yet biological systems are so resilient. So he set out to figure out how could it be that biological systems are so resilient, but computers that he had seen were so fragile. And he came up with the idea that what we need to understand that what biological systems do is that they're so resilient because they're self-replicating, that their parts, they can rebuild their parts. And this idea of like, von Neumann has,
Starting point is 00:42:41 how is self-replication possible becomes the basis for how computer viruses and computer worms are possible. So the very things that make life possible also are the things that make computer viruses possible. And that's a really fascinating, this is again another one of these ideas, which is that you can't have the good without the bad. You can't have computers without hacking. You can't have life without the possibility of cancer or malware of sorts. So the connection between biological systems and computer systems has been an incredibly important historical and intellectual analogy. Has any progress been made at getting computer systems either hardware or software to be more self-repairing than they would be?
Starting point is 00:43:39 It doesn't seem that way from my novice point of view. Yeah, no. So there are lots and lots of mathematical models out there for self-repairing automata, and people have tried to, there's now efforts to create, especially using AI Engine, self-repairing code. Right. And so there have been all these attempts. It will be fascinating to see when automata are sufficient enough to take human form and they can regenerate their own parts.
Starting point is 00:44:34 That will be unbelievable. Good. All right. We don't want to get too hung up. Robert Morris was a pioneer, absolutely. But then we take a turn for the slightly darker with literally Dark Avenger. These people are not the most creative at coming up with names for themselves, but Dark Avenger captures something. Right. Yeah. No. So the second story is like the Bulgarian virus factories in the early 1990s. So for people who remember this stuff, Bulgarian viruses were like the big thing in the early 1990s. And I was fascinated by like why. Like why Bulgaria?
Starting point is 00:45:16 Of all places, why were the Bulgarians so into virus writing and why were they so good at it? And besides, what are viruses? And so it turns out the story, so what I did talk about is like what computer viruses are, the self-replicating programs which are user executed and don't use networks to travel, which makes a lot of sense at the time because in the early 1990s you don't really have personal computers hooked up to networks. It really, viruses really do work, travel via sneakernet. And the,
Starting point is 00:46:00 so I was really interested in like what are viruses and how do they work. But there was this one person named Dark Avenger who was a cut above everyone else in writing viruses. And they traveled around the world and it caused a lot of problems for people. And this person was named Dark Avenger because he was really into heavy metal and in particular, I believe it was Metallica. And no, I'm sorry, Iron Maiden. Excuse me, not Metallica, Iron Maiden. And he names his viruses after them. He's got strings of the songs in his viruses.
Starting point is 00:46:50 and people don't know who he is. Now, that by itself is kind of interesting, but Dark Avenger does something which threatens to destroy the personal computer industry, which is that he figures out how to create a polymorphic virus engine, meaning taking a virus, which is downcode, which is computer code and introducing mutations so that every new virus that gets spread has a new genetic signature. So it's like CRISPR, but for computer code. And the way in which most antiviral software had worked at the time was it was called signature-based.
Starting point is 00:47:42 It scanned programs to see, does it have the kind of signature that we can identify with known viral samples. And what the mutation engine did, which was written by Dark Avenger, is scrambled it every single time it was copied, which defeated the antiviral software. And everyone was really, really freaked out because how are they going to solve this problem? I will also say it gave me the opportunity to talk about upcode, like why Bulgaria, because at the time in the 1970s and particularly in 1980s, Bulgaria was the Silicon Valley of the Eastern Bloc. And what you did was you had all these basically young men who were under-employed.
Starting point is 00:48:40 They had excellent engineering educations. They, you know, they were very good coders, but they had no outlet. They had no job to go to. And so they sat around doing fun stuff, making viruses. So this becomes a kind of a main theme in the book, which is that so much of cyber crime is a response to underemployment in less developed tech economies. Do we know today who Dark Avenger is slash was? So we, I do not.
Starting point is 00:49:19 I do not. I do not. The person who did the most work understanding the mind of virus writers and try to, and got very close to Dark Avenger, she knows, she will not tell me because she believes she owes this person anonymity as a research subject. I will, after the podcast is over, I will tell you some communications I've gotten, but I don't know who it is. But I do speculate. There's a bunch of speculation in the book about who he or they are.
Starting point is 00:50:07 And this is Sarah Gordon, the researcher who. Yes, exactly. We know who she is. Right. Yeah. So Sarah Gordon is she gets a virus. She buys a used computer and she gets this ping pong virus and she's like, what's a virus? And she goes on the internet and there's no like web yet.
Starting point is 00:50:26 So she goes to this thing called FidoNet, which is all these viral bulletin boards hooked up together. And she starts talking to people. And she was a, I mean, she's a fascinating person. She did crisis counseling for young men and she kind of got them. They were like immature, slightly stunted young men who hadn't aged out yet of the process of virus writing, but they probably would. And she got into, she was a pioneer. She is a pioneer. And she got a lot of blowback from saying that virus writers are not evil maniacs. And I'm really happy because she
Starting point is 00:51:11 She was very courageous, went out there, made these claims, and got pilloried by the antivirus community. And I'm really happy that maybe like 30 years later, I've been able to kind of at least tell her side of the story. How much is this related to ongoing concerns just about young men being alienated and online extremism, incel communities? I mean, as a world, at least in the Western world, are we just failing boys between 15 and 25 and some of them become hackers? Yes, I do think, I do think that that's right. So before, there were hackers before incels, there were hackers before people who posted Pepe or Elon Musk tweets. You, you know, young boys, and let me just say something about the gender issue, they are almost all boys and young men. It is a well-known phenomenon that in the virus, in the hacking community, there are, of course, women hackers.
Starting point is 00:52:25 There are, of course, excellent, excellent women hackers. Women have achieved very important leadership positions in the cybersecurity community. But it is still, the gender imbalance is quite bad. I always joke about like the only time I ever have to wait to get into the men's room is at a hacking conference. You know, women, there's no line outside the women's bathroom. So these boys are just bored. They have these skills. And I understand it.
Starting point is 00:53:04 I learned and I know how to hack. Sometimes I want to do it and break the law because it's, I mean, breaking the law is not fun. But hacking is really fun. And, you know, of course, they wanted to do it. And one of the suggestions that I make is, and this has been implemented by the UK, The Netherlands, the United States is catching up to this, which is to try to create legitimate hacking venues and to try to divert young offenders into the legitimate cybersecurity industry as opposed to the black hat activities.
Starting point is 00:53:44 And you emphasize in the book that despite what you might think, hacking has an absolutely crucial social aspect, even if people are anonymous or pseudonymous on the internet, they want credit for the cool things they've done. Yes. I mean, this is the, I mean, I would say this was the most shocking social insight for my research, which was that hackers are not loners. The picture that they have is that they are freaks. You know, they suffer from any sort of neurodivergent syndrome.
Starting point is 00:54:18 They have multiple personalities, disorders, you know, whatever. But that's just kind of not true. You know, they're like, they're like you and me. Maybe they're a little kind of stunted. Maybe they're little, you know, they have social anxieties about face-to-face activities. But really, they want clout. They want their peers online to think that they are excellent hackers. One of the things that shocked me, I've been fortunate to be able to talk to some of the hackers that I write about when the hacking groups for the Mirai Botnet came to my class, my cybersecurity class and spoke to my class along with the FBI agent that caught them. And one of the things I was really fascinated by, the just, well, maybe we'll talk about it later, but the Mirai botnet, three teenagers who created this botnet, which took down the internet, they get caught in part because they release the code onto the internet.
Starting point is 00:55:37 Coders really want to know what other coders think of their code. And that is really amazing. And, you know, people are really social. You know, human beings are social. And even hackers are social. And if you really want to divert them away from kind of the dark side, you should give them social incentives to participate. Like, you know, capture the flag competitions, mentoring, things like that, which is programs which have been created, which I think are really, really promising
Starting point is 00:56:19 ways of addressing this problem.
Starting point is 00:57:47 Well, let's talk about the Mirai Botnet. We don't need to go in the same order that you went in your book, but it naturally leads in because this question of motivations is just a crucial one. And as I understand it, Paras Jha was just upset. He couldn't get into a certain class at Rutgers and that set him down a path. Yeah. I mean, you know, it's just like, I mean, He doesn't want to take his calculus exam. And so, well, you know, the first thing he does is he wants to get into an elective class. So he gets in, he's a first year student at Rutgers.
Starting point is 00:58:33 And he wants to get into a higher, you know, upper level elective. In advance, an upper level computer course. I'm a professor. I can't even remember the terms for academic courses, right. So once again, to an upper, upper level course. And as, as we know, you know, normally first year students are not given priority in registration. More advanced students are. So what he did was, is he DDoSed the registration website. So no one was able to do it. And then when, when, when the thing comes back on, he then signs up for it. And then he uses, he DDoSes the
Starting point is 00:59:18 main Rutgers system because he doesn't want to take his calculus exam. And then he keeps on doing this. He really does not like the fact that Rutgers in order to mitigate the, I should just define DDoS as a distributed denial of service attack. It's an attempt to take a computer website network offline by overloading it and consuming its resources. He, he's really upset that the firm that Rutgers hires, Incapsula, to mitigate these DDoS attacks doesn't use his firm because Paras had this firm called ProTraf where he did DDoS mitigation. So it's like a classic offer you can't refuse. He says, you know, basically said to Rutgers, you know, use my mitigation company because
Starting point is 01:00:13 your mitigation company is terrible because I can break it. And which he did. He just kept on bringing it cost that Rutgers had to increase their tuition by several percent in order to pay for all the cybersecurity stuff. So it was fun and games, but actually it spread costs to the entire student body. And even though it was fun and games legally, it's just good old-fashioned racketeering. He was a shakedown. Yeah, it's a classic offer you can't refuse. It's racketeering. It's racketeering. And it is a very standard story in the history of cybersecurity that the ones who purvey the cures are often the ones who are also purveying the diseases. It's really amazing. So you offer protection services for problems that you yourself create. There's a very kind of standard mob technique.
Starting point is 01:01:14 And that's what happens a lot when it comes to DDoS protection. And the interesting wrinkle technologically downstream from this was the actual Mirai Botnet took advantage of the Internet of Things, right? It sort of spread itself to devices other than computers and so forth. And that's a scary new thing we're going to have to confront. Right, yeah. So one argument that I make in the book about why upcode, we should be thinking about upcode, rather than downcode is that upcode shapes downcode, gives people incentives to produce code of certain type. Another reason why upcode is the thing we should be focusing on rather than downcode, and this story exemplifies this reason, is that the downcode uses data produced by the upcode.
Starting point is 01:02:04 So just think about it like this, you know, so it doesn't matter how good your operating system is. It doesn't matter how good your cryptography is. None of that matters is if you go to human resources and you at or IT of your of your company or a different company and you ask them for credentials to somebody else and they is somebody else's account and they give it to you. So the the upcode here would be the corporate policies or the academic policies about who's entitled to what data. So it doesn't actually.
Starting point is 01:02:40 matter how good your operating system is if like the upcode is just undermining it. So this is exactly what happens in the Mirai Botnet. The Mirai Botnet takes advantage of what you said, the Internet of Things, the Internet of Things like smart toasters and camcorders and things like that, which are devices which are hooked up to the Internet and which communicate with each other rather than communicating primarily with human beings. And when these Internet of Things came online in 2014, 2015, 2015, 2016, you know, they don't really come with any security controls. You know, the passwords are default passwords like 1, 2, 3, or password, or admin, or whatever,
Starting point is 01:03:30 because who's going to worry about the security of their toaster? And, you know, these Mirai guys, they realize, wait a second, if there are all these default passwords, default passwords, which they just found through Google because they're in the manuals. So they download the PDFs in the manuals. They look at the passwords. They build a worm-like, not a worm, but a worm-like botnet that exploits these default passwords and then are able to create and just such an enormous digital cannon that I remember on October 21st, 2016, right before the election, I remember my internet goes out for most of the day. And of course, everyone thinks it's Russia. And it turns out to be these kids who just exploit this very simple upcode vulnerability,
Starting point is 01:04:25 you know, using default passwords. And so they just entered into these toasters and then generate this enormous botnet, which can take down the internet. And it's a, again, it's another example of, you know, it doesn't matter how good your tech is if your policies surrounding it are bad. And this is the case where they uploaded their code to the internet so anyone can do it. My impression is that these sets of worms are still going around. Yes, exactly. There are many, many, many different variants of the Mirai botnet still around. The, it's
Starting point is 01:05:06 one's called Satori. I mean, one of the things also that you learn, um, from doing this stuff is like, you know, hackers lie. Um, I hate to break it to you, but, um, so what, what they'll often do is they'll often take the same malware and they'll rename it with a different anime name and then say it's the new improved malware or somebody will take it and they will package it as their own and they'll rebrand it as the Matsusuko variant or something like that. But this is still causing significant problems around the world through their quite irresponsible action of, you know, just releasing this very powerful malware onto the internet. You know, boys, young men make terrible mistakes.
Starting point is 01:06:09 These three boys, young men have, they plead. They are, they're facing many years in jail. But the FBI and the FBI agent who catches them, special agent, Elliot Peterson has this idea that what if we can use these skilled professionals for law enforcement. And so instead of putting them in jail, the court orders them for 2,500 hours of community service where they are helping the FBI catch a lot of these malware purveyors. So you have this kind of catch me if you can, patch me if you can type situation. So I think this is a really excellent model for how to deal with some of these offenders.
Starting point is 01:07:02 And they're almost finished with their community service. In October, they'll be finished. And they're fascinating people. Well, speaking of young men and exploiting the upcode, we can't get away without talking about Paris Hilton's cell phone. Yeah, right. Yeah. So I, you know, so Paris Hilton, what thing's so upsetting is that like some of my students don't know who Paris Hilton is, which really, I mean, doing this, doing this book really made me feel old. So Paris Hilton, of course, it girl in 2005, big news that her cell phone was hacked and nude photos were posted on the internet and you can't get them down, and the big question is how in the world does this happen?
Starting point is 01:07:51 So Paris Hilton, she comes on the scene around 2001. She's like everywhere, like every form of media is Paris Hilton, Paris Hilton. And then we want to, and then her phone, her cell phone gets hacked. And people are like, how could you hack her phone? She's constantly surrounded by bodyguards. Who's going to like, you know, snatch her phone and like do something? People don't realize that in 2004, 2005, we have this new invention called the cloud. And that her cell phone is not hacked.
Starting point is 01:08:28 It is the cloud that is hacked. And it is hacked by a 16-year-old boy known as Cameron LaCroix who figures out how to exploit web interfaces in order to gain access to data on cell phones. And he manages to get Paris Hilton's phone number. He knows that she has a T-Mobile account because he sees a commercial, which she's in with Snoop Dogg, and then calls up a T-Mobile office in California and says that he's from corporate headquarters and he wants the username and password to their system to check if everything is okay and the manager gives it to him. And so he goes and he looks up Paris Hilton's number, he gets it. And then he realizes that if he wants to register a T-Mobile account, all he has to do is use a
Starting point is 01:09:36 Sidekick because Sidekick at the time had a deal with T-Mobile that they would use, that that would be the carrier. And so if you tried to register your phone from the Sidekick, T-Mobile assumed that you were a T-Mobile customer. Once he realized that, he went to his browser, told his browser to pretend to be the Sidekick's browser, and then entered Paris Hilton's number and got all her data. I mean, so it's just, you know, it's a store,
Starting point is 01:10:12 and then when you, why did he do it? Why did he do it? Because he wanted to be famous. So there's just like the upcode, you know, so you have Paris Hilton, who's, of course, famous for being famous. You have this, you know, 16-year-old boy who, you know, his mother dies when he's two years old from a fentanyl overdose. He has depression.
Starting point is 01:10:31 He's suffering through various types of, you know, mental health concerns. And he wants to be famous. and he exploits these terrible corporate policies of T-Mobile, like give your password over to somebody who claims they're from corporate. Or let's build terrible, terrible authentication systems that don't work. Why are they doing it? Because they're trying to gain as much market share as they possibly can. So, you know, the hackers out there are going to be disappointed because it turns out that the hack was so simple. By the way, nobody knows this story.
Starting point is 01:11:12 Now people will know the story. I was able to track Cameron LaCroix down after four years because he was in jail and in jail during COVID. And it took me a very long time to catch, to track him down. It took me about three years. And then two weeks before the book had to literally go to press, I found out the story, the true story of how he hacked her. Oh, okay. Wow. Yeah.
Starting point is 01:11:39 Yeah. Yeah. Well, and it's, it's, there are themes emerging here, right? I mean, things are, there's an intrinsic worry with computers because code and data are not two separate things. Things become more difficult to control when everything is connected to everything else, where there's a cloud, whether there's these devices. And the human beings are the weakest link in almost all these stories. Yes, absolutely. I mean, when it, when it all bottoms out, it's like, you know, human beings behind the keyboard. Yeah. And one of the things, so, you know, people might say, what is a law professor doing, writing about cybersecurity? And I want to say, you know, one of the things that law professors do is that we're coders,
Starting point is 01:12:25 we're up coders. We think about and we help teach students how to design and how to implement upcode. And I teach students how to hack because I want them to understand the downcode, the technology, but really what I want them to understand is how might we change the rules to give people the proper incentives either to produce really good downcode or to ensure that they don't get fooled by bad downcode. And so that's the mission. I think it's a much more efficient, cost-effective way of trying to solve these problems
Starting point is 01:13:12 and telling these stories are ways of getting people to see. So I explain all the technical stuff, what a buffer overflow is, how SQL injections work, yada, yada, yada. But I also want them to appreciate that there's this other story going on. Actually, there are two other stories. There's a philosophical story, which we talked about earlier. And then there's this social upcode story, which is in many ways doing so much of the work. And it gets hidden because people get understandably freaked out by a technical subject like cybersecurity.
Starting point is 01:13:51 And they shut off and they think, what can I contribute? Actually, a tremendous amount, because you understand how human beings work. And I think it kind of all comes together, but in a slightly darker way, in the Fancy Bear story, which gives your book its title. And I know that it was the fourth of the five that you talk about, but to me it's the culmination of the whole thing because it was malicious from the start. It was not a 16-year-old just messing around. So I don't know. There's a lot of threads that come into it. Where do you like to start telling that story? Yeah.
Starting point is 01:14:24 So so many of the people in my book that initially, I mean, there's a standard trope which runs through so much of cybersecurity history, but certainly this book, there's a hack. It's spectacular. Some nation state, probably Russia did it. And it kind of often turns out that it's like teenagers. Okay. But sometimes it turns out to be Russia. And one of the things I wanted to show was, it's, if you just look at the technical indicators, yes, of course, attribution is always hard and you can trick people and, you know, bubble at false flags and all that stuff, disinformation. But, you know, it's unbelievably hard to say that Russia did not hack the DNC when you actually just kind of lay out what we know from publicly available sources. That's the first thing.
Starting point is 01:15:20 The second thing is, I really was so fascinated by just like with the Bulgaria case, why are all viruses coming from Bulgaria? I was like, why did this happen? One of the central mysteries of the DNC case is the fact that the FBI, it took the FBI a year from learning that Russia was in the DNC networks to actually getting them to focus on and meeting up with them to take care of it. And the question is, why did the FBI take so long to contact the Democratic National Committee that Russians were in their network. The second question is it takes about six months for the DNC to get back to the FBI. Why don't they take it seriously?
Starting point is 01:16:09 So it feels like everyone's messing up. Everyone's acting irresponsibly. But if actually you understand the upcode, you'll see that everyone's acting perfectly rationally because there's this one thing that is so central to the way the world works that most people don't know, which is that when hacking is done for the purposes of collecting national security information, it is known as espionage, spying. And spying is legal under international law. That is why every state hacks every other state. So the fact that the FBI knows that Russia has hacked or has gained a foothold in the Democratic National Committee network, I think
Starting point is 01:16:53 the response is, you know, tell me something I don't know. You know, the Russians had tried to get into the White House, the Pentagon, Joint Chiefs earlier, they get thrown out. And so what do you do if you're an intelligence agency? You start looking wider. You start looking for, you know, softer targets. The Russians aren't just in the DNC. They're in Brookings. They're in, you know, political science departments around the country. They're just looking everywhere. So it's like dog bites man, news at 11. It's like not news for people. So they don't take that seriously. And then the DNC, on the other hand, why doesn't the DNC respond? Well, one of the things you also have to understand about the FBI is that it's a very unusual institution because it's a hybrid: one half intelligence agency.
Starting point is 01:17:49 They catch spies in the United States, but another half, they're the main federal law enforcement agency. And so at the time that the DNC is being hacked, Hillary Clinton is being investigated for her private email server. And so it's highly likely, bordering on certainty, that the DNC is worried that the FBI is contacting them because they want information about Hillary's emails. Here's another upcode piece that most people don't know. FBI prosecutors may not lie. FBI agents are. They are allowed to lie.
Starting point is 01:18:31 The person who contacted the DNC was from the law enforcement side and it was an agent. He wasn't lying, but he was allowed to lie. So on the one hand, you have the FBI, you know, basically calling around to everyone saying, you know, you probably have Russians in your system. The DNC is like, you're not going to fool me. And so everyone's kind of acting rationally given the circumstance of the way intelligence and the FBI works and the cultural, social, political setting at the time. And it all comes together because there's one other change in upcode that nobody predicts. That is, the basic principle is that, of course, other states are allowed to invade the digital systems of another to collect at least national security information.
Starting point is 01:19:31 But you're supposed to keep it quiet. You're not supposed to dump it. And Cozy Bear, which is in the network for a year, they just keep the information because they're trying to, you know, produce analysis for, for the Kremlin, whereas Fancy Bear takes this information and does something which had not been done before, which is this massive dump of information, which takes something from espionage and turns it more into something that some people have been tempted to say is cyber war. So everyone's following the upcode at the time and the big disaster happens because there's a change.
Starting point is 01:20:12 And I think when you think about it that way, things become much more explicable. It seems to make sense. It's not a mystery. And then we should start thinking, how do we deal with these situations? And I always like to imagine that, you know, someone 50 years from now is listening to these podcasts. So just to be perfectly clear, this was a hack that we're pretty sure is done by the Russian government of the Democratic National Committee, the political party. And they released a lot of emails right before a presidential election. And it might have had a kind of big impact on that presidential election. Yes, I'm sorry. You're absolutely right. I was assuming that everyone knows about the DNC hacks
Starting point is 01:20:53 by Russia in 2016. But, you know, now we think about it's just seven years ago. It's so real to me. It's so live. But you're right. That's exactly what happened. And I should have explained that. And you do a pretty good job to the extent that it's even possible, which is very hard of like painting the reality of this Russian agency. Like we know a little bit about it, right? Yeah, actually, we know a lot about it because as it turns out, you know, I was speaking to somebody very high up in the CIA who once told me the biggest problem that the CIA faces that no one can be a spy anymore. Why? Because unless you are raised in a hermetically sealed box, you know, you have social media accounts.
Starting point is 01:21:45 You have tons of things that we say on the internet, especially like if you're 13, 14, 15, 16 years old. And then maybe you get recruited by the Russian government at some point. And you go into the intelligence agency. And then you have all these people like Bellingcat and these open source intelligence firms going around, looking at Russian Facebook and trying to see do these people have a Facebook account, and yes, they do. And you know the amazing things that you can find. Like, Fancy Bear, when they, when they, when they registered their cars, they used Fancy Bear's address. They don't have very good operational security, as it turns out. But one of the, I mean, I think the big
Starting point is 01:22:37 lesson here is that in a world where everyone is connected, in a world of social media, it's unbelievably difficult to be anonymous. And so now if you look up, you can learn a lot about the various bears. I talk about some of these people in the book, but you can learn a lot about them if you Google because there are researchers out there that are mining the internet for all this. And yet, according with the themes that we've been talking about, despite the massive resources of this state-sponsored agency technologically and so forth, the crucial step, as I understand it, was John Podesta giving up his password to the Russians.
Starting point is 01:23:25 Yeah, you know, this makes me cringe so bad because so the, so I mean, it's, let me begin by saying that securing a political campaign is incredibly difficult. It's incredibly difficult because lots of times people come in from outside as to be part of the campaign and they have a zillion social media accounts. They have different phones. They have different, you know, and so there are just so many ways to kind of get into a political campaign. So let me just begin by saying that. It's a very, very difficult problem to secure a political campaign. So the IT person, they don't actually have a dedicated IT person. It's a
Starting point is 01:24:19 consultant. And he, I'm sorry, I'm going to back up because, let me back. Okay, John Podesta. One of the ironies of "but her emails," the Hillary Clinton email scandal, is that her campaign had excellent cybersecurity. They used two-factor authentication. Robbie Mook, the campaign manager, had signs on the bathroom mirror saying, you don't share your toothbrush, don't share your password. The Russians initially were not able to get into Hillary for America. So what did they do? They started looking around and they started going after the personal accounts, in this case the Gmail accounts of people high up in the campaign. And they targeted John Podesta. John Podesta got a phishing email which had said that
Starting point is 01:25:20 Google, it was ostensibly from Google. It was not. It was from Fancy Bear. It was sent out, you know, during Russian, during Moscow working hours. And it said that somebody has your password, you should change it. And John Podesta sends his email to IT saying, hey, is this legitimate? And the guy writes back, this is a legitimate email. And he claims he meant to say this is not a legitimate email. I love that story. It's just, it's even plausible. It just makes you just want to die.
Starting point is 01:26:08 Now, I would say, you know, it sounds like a lie, but I believe it. And the reason why I believe it is because, like, IT had been seeing these phishing emails come across their network for several weeks before they caught Podesta. So it's highly unlikely that, oh, I should say, you know, from the outside it seems unlikely that, that they were fooled. I think he meant to say this is not a legitimate email. And he just, you know, sometimes we mistype and, oh, my lord, you know, he changes his password, which is handing his password to credentials to Russian military intelligence. They immediately go in, change the password, get all of his files. And it becomes a scandal when they release Podesta's shrimp risotto recipe.
Starting point is 01:27:18 It just shows how it was the appearance of something. The doxing, well, it was exactly doxing, the exfiltration and dumping of the information. There wasn't that much in the information that was so important or politically damaging. There were some things. But it was more the appearance of people dumping all this information and saying, oh my God, look at this. This is a corrupt organization. And people like, oh, yeah, I guess you're right. And so that just, you know, again, a serious human vulnerability which led to very damaging political consequences. And presumably it's not the last that we're seeing of this. I know that it's hard to predict the future, but I mean,
Starting point is 01:28:09 maybe say for our final wrap-up thought here a little bit about how you tried to write a book that straddled the line between crazy alarmist and, oh, don't worry, well, here's how to fix it. Yeah, no, that's right. So, like, so I think cybersecurity books have this, on the one hand, "we're all going to die" part to it. I mean, and then we're seeing this with AI. We're all going to die. And then the other side is like, eat your vegetables, make sure your password is 20 characters long. You know, it's just like this, just bummer.
Starting point is 01:28:48 And so what I try to do is I try to kind of steer between alarmism and complacency. So here's a kind of bottom line, I would say to people, most people, you know, hackers don't care about you. They don't even care about your data so much, by which I mean like your, you know, the pictures of your kids or the kind of, you know, arch thing you said about your friend over email. What they want is to make money, and and it's a high volume business. You know, they're scanning the internet, they're sending out these phishing emails, and basically they do not want to get into your computer because they want to spy on you, see you make dinner. What they want is to either, you know, pull your, your laptop into a botnet or they want to use it.
Starting point is 01:29:46 They want to exfiltrate your banking information, credit card information. Maybe they want to encrypt your hard drive. They don't want to spend that much time on you. And so they want to catch the people who are kind of reckless, who don't really take any precautions, who essentially leave the keys in their car with the door unlocked running. Don't click on links from people you don't know. You know, don't wait 20 months before you update your computer. It doesn't mean you've got to do it, you know, this second. Just don't be reckless.
Starting point is 01:30:28 If you are not reckless, for most of us, we will be fine. Because we just have to be faster than the next guy. We just have to make sure that we are not an easy target. That is not true for so-called high-value targets. High-value targets, which I'm including journalists, politicians, people in the C-suite, you know, CEOs, CFOs, COOs, you know, human rights activists, people like that, government, government official, they are high-value targets. They must assume that they are being targeted. They should have professional help unless they're
Starting point is 01:31:10 sophisticated. And I'm not being alarmist to say, if you're human rights activist or a journalist or CEO, you really need to be really battened down because people will try to get you. Another thing I want to say is that there's no way we will ever stop the hacking of nation states against nation states for the purposes of getting national security information because that's what states do. Their job is to protect their state, maybe their power, and it is legal. It's probably beneficial for states to know secrets of other states. So, you know, the person who reads this book, who's not a high-value target, I think it's, you know, some very basic things that you can do not to get yourself in harm's way, but if you are a high-value target, I will describe the various
Starting point is 01:32:15 ways in which you could get caught and you really ought to seek expert help. Well, I think that almost by definition, every listener of the Mindscape podcast is a high value target. So I think that they should all buy your book and that will be very helpful to them. Yeah, no, that's absolutely right. I mean, it's reckless not to buy my book. It's reckless. We wouldn't want that. So Scott Shapiro, thanks so much for being on the Mindscape podcast. Oh, thank you so much. This was really fun. I really appreciate it. Thank you.