The Jordan Harbinger Show - 647: Karim Hijazi | When Cyber War Goes Kinetic

Episode Date: April 5, 2022

Karim Hijazi (@karimhijazi) is the founder, chairman, and CEO of cyber intelligence company Prevailion, and creator and host of The Introverted Iconoclast podcast. What We Discuss with Karim Hijazi: How vulnerable is the Internet and how much of our current infrastructure would suffer if it were to go down tomorrow? What are the biggest threats to the security of your privacy, your bank account, your company, and your country? How cyber warfare can lead to kinetic (i.e., real) warfare with physical consequences. Why the current efforts of companies and governments to mitigate digital security risks are woefully insufficient. What are our best practices for staying as safe from cyber attacks as possible? And much more... Full show notes and resources: jordanharbinger.com/647

Transcript
Starting point is 00:00:00 Coming up next on the Jordan Harbinger Show. Let's face the music now, guys. We're really in a position that's really, really precarious because there is a great end of the bed, and there's a string going out the window, and it's just a matter of pulling it. Imagine if we're really up for the end of the movie Fight Club, if we've ever seen the end of that, where literally the entire system goes down. That's not too far off from a cyber perspective, sadly. Welcome to the show. I'm Jordan Harbinger.
Starting point is 00:00:26 On the Jordan Harbinger Show, we decode the stories, secrets, and skills of the world's most fascinating people. We have in-depth conversations with scientists and entrepreneurs, spies and psychologists, even the occasional Emmy-nominated comedian, mafia enforcer, former jihadi, or gold smuggler. And each episode turns our guest's wisdom into practical advice you can use to build a deeper understanding of how the world works and become a better critical thinker. If you're new to the show or you want to tell your friends about it, and thank you very much for doing that, I suggest our episode starter packs. These are collections of our favorite episodes organized by topic to help new listeners get
Starting point is 00:01:01 a taste of everything that we do here on this show. Topics like persuasion and influence, disinformation and cyber warfare, China and North Korea, crime and cults, and more. Just visit jordanharbinger.com slash start or take a look in your Spotify app to get started. Today, a good friend of mine and a dangerous man, Karim Hijazi. He won't say this, but I will. He is one of the most skilled cybersecurity professionals in the game. In fact, he's so skilled that criminals and even nation states want him dead or at least
Starting point is 00:01:29 out of commission. Today on the show, we'll explore some of the biggest threats to the security of your privacy, your bank, your company, and even the country you live in, and we'll uncover what companies and governments are doing to combat this. And spoiler alert, not nearly enough. Also, how cyber warfare can lead to kinetic warfare. In other words, how what starts off as a hack can end up killing people and destroying huge expensive things that we kind of need, like seaports, electrical grids, and water systems. Last but not least, should we be hacking back at Russia and other countries intent on doing us harm? Why or why not? A scary but fascinating episode here with Karim Hijazi. Here we go. Interesting place to start because sort of just bantering pre-show, but you were saying, yeah, what if the internet goes down, it's going to change this business. But that's kind of like saying, wouldn't a missile strike on the United States change this business? Yeah, it would change everything. Because even people, I was talking to a buddy of mine who does like construction of things and he's like, well, I don't need the internet. And I go, well, how do people
Starting point is 00:02:29 pay you? Oh, they wire me the money or I have like a Stripe account. I'm like, hello, all of this banking payment systems, everything is reliant upon the internet. And yeah, look, I could record phone interviews or something like that, which wouldn't be ideal. But that's the least of our concerns if the internet goes down. Well, phone systems go through the internet now. Of course, yeah. They've done away with it. Everything is reliant on it. It's the most cost effective. So they've sort of gone the most cost effective route. And now here we are potentially hobbled by that entirely. So that whole idea of that cloud infrastructure we were talking about before the show, if they all go down in unison and in symphony, we've got a massive problem on our hands, not just
Starting point is 00:03:11 because databases aren't accessible. That's not a geeky problem. This is an issue of medical records, water treatment facilities, critical infrastructure rely on cloud infrastructure at this point. So, yeah, I mean, I know I'm sounding a little silly here, you know, podcasting dies. Oh, God, you know, we're all going to freak out. That's like the least of our worries. You're right. The screenshot I was going to send you last night prior to this because I was like, look at this, Jordan. I didn't. I figured we'd talk about it because who knows, we might be days away from something that feels more kinetic in terms of the attacks and everything that we've been sort of talking about for a few weeks now. And what everyone's been waiting and pending
Starting point is 00:03:47 situation is going to be with Ukraine and Russia. So pretty terrifying. Yeah, we'll get to that in a bit. I want to back up a little because as I'm doing prep for our interview, there's a few here on MSNBC and Fox and CNN all the time because of your work at Prevailion and your previous company. And I think it was you or a newscaster that said something like there's nation states that want you gone because of what you're doing. So why are you so dangerous to nation states and hacker groups? Yeah, it's an interesting reason. My career has taken a lot of twists and turns, but it ultimately landed with my last company
Starting point is 00:04:24 where I figured out a way, with the team, to be clear, so I'm not taking credit alone here, they're wanted dead as well, that we could take over part of the infrastructure that the adversary set up. And in doing so, we can see what they see, which is in turn the victims, right? And now we can deliver that intelligence
Starting point is 00:04:42 to the victims directly and we can help remediate the problem. So we essentially thwart the efforts of the adversary rather than try to be defensive. Most cybersecurity, for all these years, has been essentially build some bigger, thicker, taller wall, build a castle moat strategy to the problem. My strategy was more on the offensive side of the equation, which is, how about we go and insert ourselves into the communication channels of these
Starting point is 00:05:05 bad guys and collect exactly what they're doing, what they're planning on doing, and by definition, I'm messing with their money, right? So it always comes down to that. I think every interview I ever do with anyone in these lines of work, if you're messing with someone's money, they want you dead typically. And now we're at a level with cyber where the money is so huge and impact on it can be pretty dramatic to the outcome of what these guys are expecting. And these are big syndicates now. We've certainly ruffled some feathers. And now I've started a second company that does that in a more extended capacity where I can actually deliver intelligence on the supply chain risk. So I can help an organization preemptively not even get compromised if they'll take the intelligence
Starting point is 00:05:47 that I have around their partner ecosystems. So I'm kind of one step ahead of these bad guys, which really irritates them because they're so used to being ahead. I mean, Jordan, the asymmetric nature of bad guys is that they can always try, fail, try again, and, you know, fail again, and then finally get it right. Security, we essentially can never mess up. If you mess up once, it's all over. So. Right. They have to get lucky one time and you almost have to be consistently lucky. It's like the reverse of a police officer. My cop friends used to say, "Criminals have to be lucky every day, but I only have to get lucky once." Yeah.
Starting point is 00:06:21 And that's how people get caught. It's kind of the opposite with security. Like, you have to consistently keep people out of the castle. I love these explainer videos. This almost sounds like a corporate interview the way I'm about to do it, but I swear it's not. So Prevailion, the software and the company that you run now, the demo of it was really cool. And the explainer videos that I saw in some of the screenshots and stuff that I've seen, hopefully I'm allowed to talk about that.
Starting point is 00:06:43 Oh, yeah, absolutely. Were really interesting, where like, you know, normally it's funny, there's this newscaster on, I forget which channel it was, MSNBC or something, he's like, well, aren't the companies in a better position to see what's on their network? And it's like, no, what I'm doing is, and I'm going to defer to you to explain this in a second here, but what you're looking for is not something installed on the computer like an antivirus software would. You're actually looking on the web for the pings that malware sends to control servers. So you're looking for the smoke from the fire. You're not,
Starting point is 00:07:15 looking for the fire. So if they hide the fire and they hide the heat, right, they're hiding the virus and the malware inside the system, they can do a literally perfect job of that. The problem is that software has to go, "By the way, I'm still over here in case you want to send me any instructions." And it has to do that at some point. And you're looking for those signals. That's right. And when you get those signals, now you go, oh, okay, this is not only infected with malware, we get that, but it's also reaching out to this server. And so let's go into that server and see what's going on. And then that server has logs of everything it's received from all its bots, right, from botnets. And you can see everyone who's infected on the whole freaking internet,
Starting point is 00:07:53 which is insane. That's right. And, you know, I liken this, I'm a big Cold War 80s buff. And what I find really interesting is when you start to parallelize old school espionage tactics. So let's use something appropriate for today's world. Russian spy, physical human spy, makes his way into the U.S. through a false identity, gets a job at the White House through a variety of social engineering tactics and falsified information, and is actually allowed into the offices. They're now able to steal things, but what they have to be able to do is call back to their handler to use kind of an espionage term. That spy is malware today. That handler is the command and control environment, literally, and that's another word they took from the military for cybersecurity.
Starting point is 00:08:35 What we're doing at Prevailion is we're taking over the phone at the Kremlin that he's going to be calling from the White House. And so when we pick up that phone call from that spy in the White House, we're like, so where are you? You're in the Oval Office? Got it. Okay. Call me back. Give me a call in a few minutes. And we get them to call back over and over and over to where we can then indicate to the White House that there's a spy over the Oval Office, go get it. So that's the equivalency on a human level that we're doing now. And now this happens at machine speed, right? So the problem is everything's gotten super time compressed for speed and the ability for a cybersecurity professional to really zero in on that very quickly on the inside. Basically, someone has to stumble across the fact that someone falsified documents or the malware
Starting point is 00:09:18 was clicked in a phishing email as equivalency. Now that takes a long time, if ever, to ever happen. The only way to catch it, to your point, is that Achilles heel of it communicating out. That communication need by that spy is how we catch them. And they really can't do without it. So it's not like these guys are like, oh, darn it, Karim and Prevailion figured out a way to get us. Yeah. They're always going to have to use that.
Starting point is 00:09:39 They're always going to have to have some means of communication with the outside world to complete their objective. Yeah, that was my next question is, what if they just stop the pings? But not quite that simple. It's kind of like saying, what, what, smart guy? Yeah, exactly. Okay, gotcha. You know, you're observing it on exactly the issue here that, you know, everyone asks the same question, which is, why aren't they going to figure this out and work around it?
Starting point is 00:09:59 And there's conceivably some workarounds. But here's the reason they have to communicate with the outside world. When you break into a household, you need to get out of the house with your stolen goods to make it a fruitful effort, right? So there's that obvious situation, which is if they're stealing material or intellectual property or they're encrypting something on the network, like in the ransomware situations, they've got to be able to either steal that information for extortion reasons or whatever the case may be. But the second reason why is that unlike the human spy analogy, think like the Mission Impossible movies where Tom Cruise could constantly put that mask on and change his face to any kind of spy he wanted to be. That's what malware is able to do electronically. It can change its shape.
Starting point is 00:10:39 It's called polymorphism. And it literally can download a new version of itself and completely avoid detection. Because I think everyone knows what an antivirus is by now, what, 30, 40 years later. Sure. Antivirus relies on signature. It's the equivalency of a bouncer at a club looking at you and looking at your ID saying, okay, that's who you are, you're allowed in. If I can change my identification or ID, off I go, I'm able to just,
Starting point is 00:11:03 persist in these environments without ever getting caught, which is really fascinating. You don't want to put too many bells and whistles and backup plans on to these things, right? Because then it becomes easier to detect. You don't want to have it, oh, what also pings using the cellular network? Okay, so now if I find a cell signal, I find this otherwise invisible thing. That's not going to work in every situation. You're right. Yeah, too many modes of communication or an overabundance of communication if the cadence is really high, the frequency is really high. These are all like triggers that we'll look for to identify it, right? And that's typically what someone would do on the inside of a network. For us, though,
Starting point is 00:11:38 I don't care if it calls out once a month or every six months. Frankly, as long as it calls back to its home base, if you will, which is what I've infiltrated, I'm able to see it. And that's what gives us the advantage over others. At one point, you discovered the largest botnet in history. And I thought it was interesting that it had a Slovenian name. By the way, Slovenia is such a lovely place. I don't know if you've ever been there. Former Yugoslavia, it's absolutely gorgeous. Kind of relatively untouched by the war. You don't think of that as, oh, this is where a bunch of criminal masterminds live, right? Like Yugoslavia, maybe, yeah, but you normally when you think criminal masterminds of former Yugoslavia, I like to give the credit to the Serbs, the Bosnians,
Starting point is 00:12:16 you know, like these are like some crafty sort of guys that have also been through a lot of stuff and countries that are torn by war often have like higher levels of organized crime. Slovenia, it's almost like they dodged most of the bullets, literally. I guess the thing is they have tons of talent in that area of the world. And so you're going to have a criminal element that says, why am I earning money, you know, and then getting screwed over by trying to buy imports and euros when I can just steal tons of money and live well? That's exactly the reason.
Starting point is 00:12:43 They're really talented, I have to say. I mean, it was interesting because it was called Metulji, which was this word, which is Slovenian for butterfly. And it was a take on the formerly largest botnet ever called Mariposa, which was Spanish for butterfly. And so we sort of said, all right, well, we'll just, you know, kind of put a spin on it and call it that. But yeah, it was fascinating. It was absolutely everywhere. That was way back when. I mean, I think this is 2011 or so. And this gives you a sense that this has been going on a very long time, this whole idea of proliferating out and infecting machines that are not yours to become zombies to
Starting point is 00:13:17 work at your disposal. This has been going on forever. Even before it was a mainstream issue with commercial entities that were worried about it, the government had concerns. They were worried about things like StormBot. StormBot was this big horrifying concept of a denial of service attack thing that could take down the Pentagon or take down, you know, satellite systems. And that's, here we are. We're literally in the throes of it today. Everything they worried about 20 years ago has manifested. So a botnet, you sort of explained it, is when other computers are taken over by essentially like a virus or malware and then they reach out at the same time. So you're talking about maybe millions or at least hundreds of thousands of different machines. They might all reach out to. let's say one server at one time, and they're just hammering it with 100,000 connections a minute or whatever, and that will slow down a major website. Like, we're using Zoom. Let's say they're all trying to connect to every single port on Zoom all at the same time. Now, us legitimate Zoom users can never get on because there's way too much traffic and the traffic
Starting point is 00:14:15 is bad and it's confusing the Zoom server and causing it to work extra hard and it just can't scale up to service that many zombie computers at once. And you could do that against Pentagon or some other super important thing, like banks. This can happen to banks and then you can't use the banking computers anymore. I think Facebook went through one of these a couple years ago, where they were down for a while because of this or something similar to this? Yeah, they go through this every few months. Oh, okay.
Starting point is 00:14:43 You know, yeah, like, I mean, DDoS attacks are sort of a perpetual, persistent thing across everything. It's whenever they get lucky and they are able to achieve it. Because what you can do to essentially stifle these things is to limit communications from a set of IP addresses that things are coming from, right? But they're getting clever, right? The bad guys are always, it's a chess game. It's a perpetual one-upmanship of what I can do next. And they're going to say, oh, you're going to block a set of IPs I'm coming from? Fair enough. I'm going to start flexing those. I'm going to start attacking you from within your own environment.
Starting point is 00:15:13 I'm going to send, I'm going to get legitimate Facebook users, machines infected, and someone that would normally come to Facebook normally, I'm going to have that be the source of the attack. And now Facebook has a very, Facebook's an example, of course, this could be anyone. They have a very challenging situation of, oh, God, am I blocking a legitimate request or am I stopping a bad guy that's actually taken over a legitimate environment? The bad guys have a very, again, to use a term, again, asymmetric advantage to the good guys because they can lurk within good infrastructure and do some serious damage. And then services that rely on their constituents and people that will actually log in and
Starting point is 00:15:48 see things and you want users on, they can't differentiate what's malicious and what's benign. So that gets to be really hard. You mentioned that there's a lot of money in this. Do you have any concept of how much some of these criminal groups are making with cyber attacks? To give you a scale, it used to be in the hundreds of thousands of dollars a year in maybe the early 2000s, I would say. Okay. Botnets amp that up to millions. And I'm being very broad. I mean, there's all kinds of ways they're making money. They're either stealing information and brokering it on the dark web. They're stealing credit card information and doing fraud.
Starting point is 00:16:24 They're using cycles of the machine to mine crypto. I mean, there's any number of things that these botnets could be used for. Today, with the ransomware scourge, we're talking billions. So we're really at a threshold of it eclipsing just about every other type of crime out there because it's so easy.
Starting point is 00:16:41 And the thing is that technology like ransomware and other types of technology are force multipliers. You build it once, use it many times. Think about like an old bank robber, like the risk you take robbing a bank, physically with a gun and a mask, and maybe you get one vault when you can literally go in with the same malware, and it's incredible. So the ransomware groups are oligarchs now, man, literally. Oh, so those people have done so well that they've become oligarchs, where it's like,
Starting point is 00:17:07 okay, now I have a billion dollars, it's all stolen, it's in cryptocurrency, so now I'm laundering it through 50 countries. Remember during 2017 when all these shady crypto exchanges popped up, and they were in, like, Ukraine and Moldova and stuff? Now, some of that was literally legitimate entrepreneurship where these people are like, hey, I understand this and I can make tons of money in Bitcoin and then I don't have to worry about my totally unreliable local corrupt banks. Right. But some of that, I couldn't help but think, if these guys are stealing millions and tens of
Starting point is 00:17:37 millions in Bitcoin, the best way to launder it would be to have a crypto business that you could just keep your Bitcoin in there, mix it with a bunch of legitimate people, and then connect it with foreign banks, and then have people withdraw it as cash anywhere in the world. And so it has just made money laundering so easy in huge amounts. Right. And I know that people are worried about Bitcoin getting around the sanctions and Russia and things like that. I don't think the volume is there to run a whole country.
Starting point is 00:18:05 But certainly these big criminals could become multi, multi-millionaires, if not billionaires, at that point with the amount of cryptocurrency that they're able to steal and regular currency for that matter, that they're able to steal and ransom from small businesses. And we'll talk about some of these ransomware attacks in a second. I want to go back to the nation states that want you dead because it's a cheerful topic. Now, there's nation states and there's cyber militias, right? So like hacktivists or just criminal groups that are maybe sanctioned by nation states. Can you tell us about the difference between these groups?
Starting point is 00:18:37 Because we have the NSA here in the United States. They're constrained by laws and things like that. But then we have groups like Anonymous that are not. They have nothing to do with the government. But it seems like in foreign countries, especially like Russia, you have these groups, but they're also sort of maybe kind of FSB related to Putin or at least given his godfather-like blessing to operate. Absolutely correct.
Starting point is 00:18:59 So that's what's fascinating. There's a lot of gray areas and there's a lot of cross-pollination between these groups, especially over there. So I'll start in reverse to your question. Without question, Russia, we're almost certain that operatives that work within the intelligence services like GRU or FSB or SVR, one's military intelligence, the other one's the espionage division, it's almost clear now that their tactics and methods are identical to what we're seeing with some of these cyber crime groups that are really prolific. So they're probably moonlighting.
Starting point is 00:19:30 They're probably doing their day job in the government. They do what they need to do for Putin, and then they go do what they need to do from a cyber, you know, theft perspective or cyber crime perspective. Not all of them. I don't want to suggest that this is like universal because, you know, you can go on to Instagram and Twitter and find these guys in there like, you know, mink coats on a yacht in Saint-Tropez and Cap d'Antibes and you name it. It's funny because you're not kidding about this, right? Like, so another guest on the show, he exposes British real estate. He wrote a book about this.
Starting point is 00:20:02 His name's Oliver Bullough. He wrote a book about how basically a lot of these properties in London are owned by oligarchs and African strongmen and dictators and things like that. But he talked about how he did an exposé with Vice where he found a bunch of oligarchs' kids on Instagram and he said, look, man, it's really not hard to do because this is a small enough group of people. You know their names. All you had to do is search. And they did this whole exposé. And Vice couldn't air the documentary because I can't remember who it was. Abramovich or one of the oligarchs was like, I will sue everyone that works there.
Starting point is 00:20:35 Even if I lose, I'm just going to file a thousand lawsuits. Right. If you do this and I'm going to ruin your lives, all of you. So just don't do it. And Vice, which normally doesn't shy away from stuff like that was like, we literally can't afford to fight this rich, crooked mafioso. So we're just not going to air this. And yes, the photos that I saw were like a weird guy sitting on a really ugly, gaudy colored Lamborghini that's on a dock next to a yacht. And he's wearing a mink coat and like a crown.
Starting point is 00:21:05 And you're just thinking, this is a guy who, the more money he has, the bigger of a dipshit he becomes, which, you know, to be fair, a lot of people are like that, but just ridiculous. Yeah, absolutely. And I'm not suggesting that those individuals weren't formally Russian trained operatives in some capacity. Perhaps they're former, perhaps they're not former, right? You know, anyone's guess there. But yes, to answer your question, the nation state actors that we're referring to are typically people that are commissioned, trained, and bankrolled by a nation state,
Starting point is 00:21:37 a country with an objective that is generally not financially driven, right? They're usually trying to gather intelligence or they're doing influence campaigns like we've seen plenty as of late. There's, we watched the whole 2016 situation with, you know, GRU and the Russians. And then more recently, we watched interference with the German elections, same group, by the way. And now we're seeing the same group actively create disinformation campaigns with this mess going on with Ukraine and Russia. So that's part of the objectives. Now, the financially motivated side of it, I think we all feel like this is wink, wink, nod, by Putin that, yeah, go do that. It creates more havoc. No problem. Is he setting government initiatives out for things like harvesting cash?
Starting point is 00:22:21 Probably not. I don't doubt that he's probably benefiting from it in some capacity, again, outside of just the disruption piece of it. Now, the hacktivist stuff, just to kind of pivot to that, that's an entirely different sort of segment of the problem. And I say that because I know a lot of people are very, they're lauding the efforts of Anonymous recently with some of what they put out on Twitter. Who's Anonymous for people who aren't really in this sector?
Starting point is 00:22:43 So Anonymous is a hacktivist collective or hacker collective that seems to be leaderless. It seems to be this sort of general, nebulous group of people. They're most notably identified by this Guy Fawkes mask they have on when they broadcast their wins. They've been around for a long time. Rose to fame right around the Anonymous WikiLeaks mask with Julian Assange back in 2010. They sort of came to his defense in the name of free speech and whatnot. But they've kind of splintered off into various groups.
Starting point is 00:23:11 As you know, Jordan, I had my tussle with a subset of those guys, which we can talk about. Yeah. Which was fascinating and irritating at the same time. But they're back. Here they are. And the problem with that, that's probably the most dangerous contingent because they're not really armed with the right intelligence to really know the ramifications of their attacks. And in many cases, like, this is nothing to do with what's going on with Ukraine and Russia.
Starting point is 00:23:36 Was it 2012? I may be getting the date wrong, give or take a year. But Anonymous went after a Border Patrol group out of Arizona, I believe. and they exposed long-term coverts in the cartels to the cartels. And all those people got killed. Like they were absolutely summarily dispatched after that was disclosed. And it's like, what are you doing? You know, like what was the point of that?
Starting point is 00:23:59 That was a flagrant murder for all intents and purposes done by way of cyber means. And it kind of came and it went from the headlines because it was sort of this obscure thing. But those are the kinds of things that can ramificate into horrible, right? Kind of like what we talked about with the Russia stuff, which we'll get into. Yeah, this whole thing is quite fascinating because there's a lot of folks. It's hard to, I have to phrase this the right way, but like there are these hacktivist groups and hacker groups in Ukraine, and I'm helping them find defensive, people who are capable of running defensive operations, like looking in Ukrainian computers for malware, things that you might know a lot about
Starting point is 00:24:33 over at Prevailion. Right. And some folks are like, yeah, I want to take down a Russian satellite. And it's like, whoa, there's a lot of concerns that go with this that are not good. And in fact, we can talk about that right now. You know, it's all fun and games until I think one of the recent concerns is what happens if someone shuts down a Russian satellite network. Well, if the satellites are designed to see incoming nuclear missiles and those are shut down, does that look like, oh, those hackers are at it again? Darn you, Western hackers? Or does it look like the NSA shut down the nuclear detection system so that we can send nukes over to Russia? And then if that's what that looks like, what is Russia's
Starting point is 00:25:14 response? Launching nukes in return. Right. So that could be really, really, really bad if this ill-conceived plan to, you know, give Putin a black eye or a blind eye for even an hour looks instead like a nuclear attack from the United States. I mean, this could trigger, I hate to be hyperbolic on the show, but it could trigger at least World War III, but also just a massive amount of millions of dead people slash Armageddon, right? I totally agree. And we've been talking about people that may be physically hands-on keyboard trying to break into places unknowingly, maybe best intentioned, but then they do something like you just mentioned. There's something else that's even more sinister and a little bit ominous,
Starting point is 00:25:53 which is, and again, I'm doing my best to not be hyperbolic here as well, but this is real. 2015, for those folks that don't know, the Russia-Ukrainian cyber debacle has been brewing forever. I mean, this is why for us, this is not new. We've just been kind of holding our breath. In fact, right now we're still just waiting for the other shoe to drop. We're sort of saying, okay, we saw the test run, what's going to really happen now? And that test run back in 2015 was these exact groups that you were asking me about, these Russian nation state groups like GRU and SVR, the guys that love me, that were doing a test on the Ukrainian infrastructure back then. And what they were able to do was they deployed a piece of malware that was
Starting point is 00:26:35 literally very similar to what we're hearing today. It was wiper malware. It was called KillDisk, and then it subsequently took down the power stations in Ukraine. The problem with it was they didn't design it to stay there. They designed it to proliferate and laterally move through the network. And the problem is you can't, it's not like a missile. A missile has a target, it blows up, it's done. It doesn't get up and go to the next target. Malware does, right?
Starting point is 00:27:00 What I really, really worried about among my peers is a wormable threat. And a worm for those that are somewhat familiar and it sounds like what it is, it worms its way through networks. It goes from Jordan's computer to my computer to my wife's computer to my kids, and then all my kids' friends and then their parents, and it just finds its way through the network by default. And that's exactly what happened in 2015. That was Sandworm, right, where Russia turned off the power and dramatic.
Starting point is 00:27:25 And they show, we'll put a video in the show notes. There's a cool animation where essentially the workers at this power plant were watching somebody controlling their screen and just flipping all the breakers. And these breakers weren't like lights in living room. The breakers were like lights in Kiev, lights in Chernobyl, lights in Odessa. And it was just cut and cut, cut, cut, cut, cut, cut. And they just cut off all the power to regions at a time. And then they said, oh, that worked.
Starting point is 00:27:51 And then they improved on that software. And unfortunately, the United States didn't do anything because we were distracted by other hacking against DNC computers and other like leaks that were being done by. I think the same group or very similar groups were doing the same thing. We just sort of missed the opportunity, the Obama administration, I would say, missed the opportunity to say, hey, this is not good. I mean, I don't know exactly what they did diplomatically, but it obviously wasn't enough. Right. Because it led to the other thing that you're mentioning, which was, I believe, called NotPetya.
Starting point is 00:28:20 Right. That shut down airports, banks, railways, government installations, hospitals. And then, like you said, it wormed over to FedEx, Merck and Maersk, which are like these massive, massive organizations that had a lot to do with shipping. and 20% of the entire global shipping operation, just 20% of global shipping, froze on the spot and took weeks to recover and caused over $10 billion in damage. And that was the accidental part, causing $10 billion. Imagine if they actually got 80% of global shipping to freeze on the spot. That might take months to recover.
Starting point is 00:28:55 Exactly. No reason to think that this is over, especially now with the Russian military doing so poorly in Ukraine, cyber's kind of, they're good at that. They're obviously not good at invasion convoy and things like that, not to make light of it, but cyber is something that they don't get holed up in the woods and get their tanks stuck with no gas in the mud and then leave, right? Exactly. They don't need to deploy the proverbial cyber threat.
Starting point is 00:29:20 It's been deployed. Back to square one in our conversation. I see that deployment. I see that pre-established plumbing by these adversaries in the environments that we have in country and our allies. And I'm watching it communicate out like that spy calling back to headquarters to its handler saying, hey, I'm here whenever you need me. And I've actually watched a shift in the communication. I've seen it decline and spread the pattern out to be wider because they know that security professionals are getting more vigilant. So they're saying, let's programmatic control over this
Starting point is 00:29:53 to where it goes a little bit dark and it goes to ground until we need it. So that's what's menacing here is that we're sort of, to your point about the NotPetya, the switch is being flipped. We're literally waiting for that. We're waiting for them to flip a switch and say, okay, let's turn that access on that we have. Now, don't get me wrong, we as a country have those implants there as well. And this is exactly where there's this sort of stalemate, high noon kind of situation of who's going to pull the switch first. You're listening to the Jordan Harbinger show with our guest, Karim Hijazi. We'll be right back. If you're wondering how I'm to book all these great authors, thinkers, and creators every single week. It's because of my network.
Starting point is 00:30:35 I'm teaching you how to build your network for free over at jordanharbinger.com/course. Now, the course is about improving your networking and connection skills, but also about inspiring others to develop a personal and professional relationship with you. It'll make you a better networker, a better connector, and most importantly of all, a better thinker. That's all at jordanharbinger.com/course. And by the way, most of the guests you hear on the show, they already subscribe and contribute to the course. So come join us. You'll be in smart company where you belong. Now, back to my conversation with Karim Hijazi. Let me put it this way. I don't want Moscow's water system to get polluted and
Starting point is 00:31:11 dirty and poison and kill people. Right. But I also really don't want that to happen to the Los Angeles or the New York City water system getting poison and killing people. It doesn't make me feel better that we can also kill innocent people in Russia if they kill innocent people in the United States. Like, that doesn't make me feel better at all. Right. And the fact that the switches are already implanted in these systems, that should scare everyone. Because I think a lot of people, and I think you might have said this during an interview, people think we're vulnerable, but what they don't realize is we're already compromised. We're not just vulnerable. This is already installed. The grenade is already under your bed. It's not that someone could theoretically put one
Starting point is 00:31:48 there. It's already there. The string is already going from the pin out the window. You're just waiting for somebody to yank on it, but nobody's listening to the call. Very few people are heeding the call. That's it. That's it. Because it's a mashup of snake oil by other security organizations that say, no, no, we got it covered. We've defended you adequately. And I'm not picking on those companies. I'm just saying that let's face the music now, guys. We're really in a position that's really, really precarious. Because to your point, that analogy is fantastic. There is a grenade under the bed and there's a string going out the window and it's just a matter of pulling it. Now, whether that string pull opens up another door or whether that string pull does something like wiper malware, where it gets rid of the entirety of our records for something. Imagine if we're really up for the end of the movie Fight Club, if we've ever seen the end of that where literally the entire system goes down. That's not too far off from a cyber perspective, sadly. I know I've spent the last 15 minutes being foreboding and ominous and terrifying, but that's, you know, I've been very measured on this until now, because I think we're really at a, we're at an inflection point with this situation with Ukraine that
Starting point is 00:32:51 it'll escalate. And it has almost nothing to do with them. We're going to either see coattailers like other nation-state actors, like the Iranians, you know, nation-state groups or the Chinese groups or the North Koreans. What better time, Jordan, than now to go act on something and just point the Russians? Sure. It's like cyber looting. It's literally what the equivalency is. Oh, that's interesting. Yeah, I've got friends in big tech companies. I was going to name it. I almost did. I've got friends who are the head of security for, let's say it's a phone operating system that everyone uses, who uses a certain brand of phone. A friend of mine is in their security department and I said, oh, so what's going on? And he's like, I'm slammed because
Starting point is 00:33:27 countries that I can't name that you maybe just did name are always trying to break into these phones because imagine if you get a foothold inside a new operating system that's going to be installed on hundreds of millions of people's phones at all levels. And then you can control them and you can use them at any time. And that stuff is terrifying. And I kind of want to talk about the capabilities of those in a bit. But Nicole Perlroth, who you probably know, on this show episode 542, she talked about the cyber pandemic just waiting to be activated. Like what you were saying, I think something like 80 to 90% of companies are compromised by malware at some point, not the whole company maybe, but that's a lot.
Starting point is 00:34:09 Eight to nine out of ten companies have malware that is possibly wormable to the rest of the company. And that is extremely bad news if we're talking about systems getting infected. because of course, even if 80% of those companies were sort of not banking and not hospitals and not really important records, what if 80 to 90% of the businesses suddenly started having cyber issues all at once? It would take years to recover that because all the professionals who do that are going to be, I'm going to have an 18-month waiting list just to take a look at the problem that you have if this gets activated all at once. Absolutely. And I know Nicole touched
Starting point is 00:34:44 on this in the past, too, whether it was in her writings or the interview with you, perhaps. There's even greater problems around critical infrastructure. Who was I talking to? It might have been someone in CISA within our government that actually, you know, they're in charge of that critical infrastructure security. It's a 50-year project, Jordan, to get us back into a position where that infrastructure has been retooled and rehabilitated to not being hackable. I'll tell you, you know, I've lived all over the world.
Starting point is 00:35:09 I've been able to see a lot of infrastructure. I've seen refineries. I've seen operational control panels of different things at places like that. Today, like, no kidding, today we're talking, we're still seeing machines in there running control panel systems that are running on like Windows XP or Windows ME. It's like 20 years ago. They're not even supported by Microsoft anymore. And so like there's not even an update going to them to protect them anymore.
Starting point is 00:35:35 They're literally just jettisoned infrastructure, old sunset software that frankly they can't swap away from because the control panel systems and the operational technology and SCADA systems is what they're called in, you know, big factory environments run on that operating system and they can't be upgraded. Literally, the amount of times we like catch that exact sigh with my team and I and the hands up in the air like, I guess we'll just hope because it's gotten to that point. And here we are again at that precipice of something to where they could flip a switch on something like that. And it's a cascading effect, whether by design or by accident, a wormable event or a malicious activist group that thinks they're doing something right.
Starting point is 00:36:15 and they actually mis-target something, and it bounces right back, and it comes at us in the States. I mean, dude, it's an endless amount of scenarios that kind of keep us up at night. I would imagine. Yeah, I remember Richard Clarke on this show a long time ago talking about,
Starting point is 00:36:30 he was talking about going and touring this amazing sort of like underground bunker-type place. This is episode 240 of the show, where, like, you have to go in this area that's almost always flooded and then open up this hatch and then you go down underneath the ground on a ladder or stairway, and you walk into this computer control room, and he's like, the guy's showing
Starting point is 00:36:50 Richard Clarke, and he's saying, yeah, this is so secure, nobody can get in here. And he goes, well, how do you get in here? I notice this is flooded, and you know, you're always pumping the water out. And what happens if you need to get in? And the guy goes, don't worry. We actually hooked it up to the phone line. So we can just dial in from home. And Richard's like, so you've got an underground bunker. Imagine what kind of critical infrastructure is in an underground bunker. And then imagine that somebody just plugged that into the open internet using a computer system that was never designed to be connected to the internet, so has absolutely no security other than like type in your password and a lock over the keyboard or something, thinking like that's going to be enough to
Starting point is 00:37:27 keep out people. This is like drilling a hole in the hull of a ship so that you can pull your luggage directly into your state room instead of going up and down the stairs, right? Like, that's perfect. You're just making this thing that was relatively secure because you'd have to break in there with military weaponry at which point someone's hitting an off switch. Yeah. Then they're like, no, don't worry, I can log in from my palm pilot because I just plugged a phone line into this thing using some Radio Shack shit. It's mind-blowing.
Starting point is 00:37:54 I mean, in this day and age, right, where we're still under this assumption that things have been secured and there's this overarching faith. And I'm not trying to pick on our government in any way. This is an insurmountable problem for even just the government to handle. The only way to manage this is a public-private cooperation of some kind over a very long period of time. It's not like, oh, if we decide to cooperate, it's going to be fixed. It's a huge amounts of effort. The continuation of the issue is that that story is fantastic from Richard Clarke because, let me put it this way,
Starting point is 00:38:24 even if they didn't have that bloody phone line set up, I guarantee you there's probably some system in there running some update to a server that is not protected. So they'll use a supply chain attack to get in through there. So even if there wasn't the phone line, there's probably some kind of, like, have you ever looked at your Mac or any kind of laptop or your phone? Do you know how many times that thing calls out to the internet without you doing a thing? Like it just sits there? I'm sure all the time. Yeah.
Starting point is 00:38:50 In your business, you know, not necessarily podcasting, but if you have an ad on your website, that ad server that serves that ad to that website is a completely different server than your server. And if that gets compromised, that's a doorway right into your environment. So the interconnectivity of the world today is absolutely impossible to navigate. And if you're a determined adversary, you'll find a way in. Yeah. That's the part that makes us impossible. Every week or so I get this update, like your site has been updated to the newest version of WordPress or whatever, right?
Starting point is 00:39:19 Right. And what happens if somebody just compromises the WordPress update server, then 10 bazillion websites all update their newest version of WordPress that is a backdoor for the FSB or for Iranian secret services to go and totally. turn the site off or scramble all the data and get rid of it and stop the backups, things like that. And you mentioned before that attribution is tough. Yeah. Right.
Starting point is 00:39:42 So Russia might get access to something, get the information it needs, and then hand it off to China or to Iran to do something. And that makes finding out who's doing this stuff really, really hard. And you're right. I think a lot of groups would be super active right now. You and I were talking about a social engineering attack that was happening on me as a result of me talking about this Ukrainian cyber defense. issue. And I said, why do they always pick an Asian female as the icon? And my wife said, oh, probably because they know you're married to an Asian. So they think you're like, all one of those like white dudes who only likes Asian women, which, by the way, I am not for the record.
Starting point is 00:40:17 And I thought that was an interesting thing. And you said, hey, man, they might just be doing that because then you'll say, oh, Chinese intelligence is attacking me again. Because they've done that before because I talk negatively about the Chinese Communist Party on this podcast a lot of the time. And so then I'll just say, ah, the Chinese are at it again, the Chinese intelligence service from the CCP. Meanwhile, yeah, it could be the Russians just going, hey, we don't really need a lot of cover. It could be anybody posing as Russia now and then just saying, hey, look, now that these guys are in the crosshairs, Iran could be posing as Russia. China could be posing as Russia to infiltrate these systems. And then you're right, the U.S. or the West isn't going to do anything because we are already on tilt trying not to start World War III with tactical nukes.
Starting point is 00:41:01 So it's a really good umbrella to get under if you're a cyber criminal. Just pretend you're the Russian GRU or SVR and you're virtually consequence free. Absolutely. Even if you get caught. Let's not forget there's cooperation between nation state actors that have a concerted or unified effort against the West. So for example, SolarWinds. Everyone remembers that recently, not recently, but what, now a year and a half ago. This is a big hack, yeah?
Starting point is 00:41:27 Yeah, big hack. most notably a supply chain hack is what, again, I used that term earlier. And what that is, is by definition, you get into a single organization that has massive amounts of links and connectivity to many, many other organizations, preferably your actual targets, right? So you just get into this other organization with arguably weaker operational security or controls or teams to protect it. And then you can just ride on in to that trusted channel of connectivity into these other targets. And that's exactly what happened at SolarWinds. SolarWinds is a company out of Texas that provides management software for thousands of companies. You know, when you start thinking about
Starting point is 00:42:09 this from an adversary perspective, that's the perfect target, right? But what's fascinating and what probably wasn't really hitting the headlines as much was that when we were all looking at it and the term we use in the industry is TTP, which is tactics, techniques, and procedures. So it's literally these are the methods that we look at to define who it might be, to your point about attribution. It doesn't always work because a lot of actors have the very same tactics and methods. But in this particular case, there were two distinct things that were really, really interesting. One was exquisitely written, call it malware, because they actually signed the malware with a legitimate certificate. So it looked like it was part of the software.
Starting point is 00:42:48 It was really, really intense. And it was Mandiant that actually found it. And they got actually compromised in the process, too. So this is a very, very well-known cybersecurity firm. just got bought by Google like a week ago. That was compromised. They were very clear about their disclosure on it. They did the right thing. But they were like, look, we got attacked and we got compromised. This is the information we know about this.
Starting point is 00:43:11 And by the way, this cleanup on this is still going on. We're far from like contending with this thing being done with. But I want to share the last little bit here, which makes it interesting and it ties to your point here. So this was probably a all signs lead to a Russian written piece of software. But then the access and then the loitering and bull in a china shop activities within some of these environments looks like another nation state, less capable. So it almost looks like there was initial access facilitated by one and then a subsequent actor given, who knows, maybe they paid
Starting point is 00:43:45 for the access or they were just given it so they could rifle through it and ransack the place and sort of hide the efforts of the much more sophisticated cat burglar. This is interesting, right? So let's use an actual burglary kind of scenario. This is kind of like I break into your house and I steal a bunch of stuff and then I go, you know, there's probably fingerprints somewhere in there. I was in there for like three hours cleaning the place out. I'm just going to burn your house down. But I don't have any gasoline. So here's what I'm going to do. I'm going to pay a bunch of kids that are playing down the street a hundred bucks and I'm going to say you should have a party in here. And break as much shit as you can because, you know, this person is, they're awful and I'm giving you guys a thousand bucks. Just break everything in here and throw it all over the place and film it and put it on TikTok. Yep. So now everyone goes, oh, these kids broke into this house and they just smash everything and they probably stole some stuff.
Starting point is 00:44:36 And look, there's fingerprints. Yeah, but it's all on broken stuff and it's from these kids. Meanwhile, I've got all of your valuables. No one's looking for me. That's it. Right? Because I've covered my tracks. Yeah, that's sort of what that sounds like.
Starting point is 00:44:48 Yeah, exactly. So the kids got to steal other stuff in there, right? And literally in this particular scenario, what seems like lesser capable nation state stole the red teaming tools out of Mandiant. And what those tools are are tools that companies use to try to emulate the way a hacker would attack your company so they can prep you for how it would happen if it really happened to you. So we were certain that it wasn't something like the Russians that would have stolen that,
Starting point is 00:45:17 they already know all that. Like they're literally, they're being copied to build these red teaming tools. The last thing they're going to go get is that. But for lesser capable ones, that's a dream. Now they've got all the tools that let them know exactly what they need to not do going forward. They could just completely shift their tactics and be more effective going forward. Oh, man. So yeah, really, really something.
Starting point is 00:45:36 And we're not talking that long ago. I mean, a year and a half ago to where we are today, are those tools now being employed, meaning reverse engineered essentially by these adversaries so that now we have to redefine our playbook for identifying attacks and how they're going to come about because essentially, yeah, I mean, the word playbook is really, really appropriate. If you get the other team's playbook, you're going to win the game. You know, every move they're going to make and you've got a whole means to win. Now, these cyber attacks can become kinetic.
Starting point is 00:46:05 Escalation can be pretty quick. Like, imagine if hackers get an oil refinery in Louisiana to explode. That's the same as flying over it with an airplane and dropping a bomb on it, right? It may sound or feel less aggressive, but it's really not. If your whole point is to release a bunch of toxic gas and kill people in the small town or to cause something to overheat and then cause a massive fire, that ends up killing 64 people, you may as well have walked up to it and lobbed a grenade in the tank yourself. And that kind of thing can go wrong.
Starting point is 00:46:34 You mentioned it's like a baby with a gun. A lot of times these hacking groups, they might even be teenagers or like, oh, man, we got into British Petroleum and now we can control the boats. Going back to the OG hackers movie from the 90s, right, his whole thing was he was going to tip over an oil tanker or something like that, right? By flooding it, you could end up doing something like that by accident. That's absolutely correct. And I think what's fascinating about this is that that goes back to what we're talking about with this Russian situation. You brought up the whole concept of taking down a satellite. Those systems that run those environments are not uniquely built for those systems.
Starting point is 00:47:13 Like in other words, the satellite control systems aren't just like satellite control systems. You could build a malware that will infect something that was intended to stop a railway that will find its way, unfortunately, into a satellite environment. So there's that kind of concern too, which is that you might build something thinking that you've got something that's only purpose built for your target, but it just proliferates to all these other things. So to your point about shifting something cyber into kinetic, you brought it up a little earlier and I want to kind of go back to it. Water treatment is the one that really freaks me out because all you need to do is change levels. You don't need to break anything. You just change the pH levels or the potability of some sort of gray water. and you got mass dysentery, and now you got people flooding into the hospitals.
Starting point is 00:47:56 And if you really want to be a prick, now you turn off the power grids or you start attacking power grids. And now you've got mass chaos. And that's actually what I think everyone was worried might happen in the Ukraine that they were going to make life so miserable that people would just sort of be like, okay, we give up. Now that didn't happen. Not really sure why. It's because Ukrainians can survive on a diet of cigarettes and bathtub vodka. And I say that as a compliment. I spent a summer in Ukraine and it's like, talk about a group of people that you don't want to try and wear down through hardship. They've already been through the hardship Olympics by being part of the Soviet Union and on the edge of that and then having 2014 happen.
Starting point is 00:48:35 And now this, this is like, I won't say it's just another day in Ukraine. It certainly isn't, but these are some of the toughest people on Earth. I think we're seeing that firsthand now. So they definitely expected them to cave, but I'm not entirely sure why. That was a losing bet. Yeah, absolutely. I won't beat this to death because I've shared it in a number of other places with conversations. But I do want to just at least highlight this that everyone that kind of thought we were going to see the die hard movie, you know, that whole like fire sale thing. Oh, everything goes down at once. Well, you know, let's not forget that this is all visualized in retrospect with cyber because people usually think there's some sort of malfunction and it's user error. And that usually happens for days before they assume it's malware or some sort of hacker. So we may find the stories manifest here in the next few months. about what really happened and what really was the Russians in there or some sort of hacktivist or loyalist group to Russia affecting things. But it's going to be a little while. I don't think we're going to see it in real time. It seems like a lot of the work from home environment is going to increase vulnerability inside, especially Western companies, U.S. companies, right? Because
Starting point is 00:49:37 people will say things, who told me this the other day? I was talking to a friend. I was like, oh, yeah, aren't you worried about your systems? And they said, well, you know, we have to use this VPN. And I'm like, so you're using a piece of software that cuts through all the other security software on your network. You know, it would be one thing if you had to be in the office to use the network. But now, no, you get to be from home. And so the company says, well, we can install this and we're kind of fine. Meanwhile, they can't deploy new security stuff and then train the entire 5,000 person company on how to use it. So most people are just making their system available from the outside and using a VPN and kind of calling it a day.
Starting point is 00:50:14 And that just means that anybody can access that whole network. And they don't have to steal a laptop to do it. They just have to get some credentials and use a VPN. You want to laugh what I call a VPN. And it's not to criticize it as a technology because it has a purpose, right? It certainly has its utility. But there's this sort of catch-all idea that it's securing you like your friend said with all due respect to him. But what I call a VPN, it's a cyber hypodermic needle to the organization.
Starting point is 00:50:40 It literally, to your point, exactly right, cuts through all of the security of the organization. because it's a trusted channel in. So to use the hypodermic needle analogy, which is pretty visceral, and if you have a syringe with tainted payload in it, and you literally shovel that through, so like my kid's home network is not my own home network. I literally have it segregated. So all the Xbox garbage and all the other computers that they're using
Starting point is 00:51:04 are cesspools of malware, I can't afford a risk to have that bounce into my laptop and then use that as the VPN access to my corporate environment. Now, most average into people aren't going to necessarily split their networks up. And even if you do, there's no guarantee, especially with Apple and other solutions. You know, I'm not picking on Apple, but this whole like universal connectivity that my iPad talks to my laptop that talks to my phone, with that convenience comes access to the adversary. And I think that that's what people forget about a lot. Yeah, isn't that called bonjour, bonjour, right?
Starting point is 00:51:35 They have like, it creates like an ad hoc network. And I've heard that you just see it pop up sometimes if you're a Mac user. And I'm like, what is that? I know it's some sort of networking protocol. And then a couple of hacker friends of mine were talking about Bonjour payloads. And I'm like, oh, yeah, that thing that's always running in the background that that's my phone, talk to that. I'm like, all you have to do is find me when I'm out, dump something onto my phone. I just bring that home.
Starting point is 00:51:58 It's like a bad STD. It's just bring it home to my whole family. Yeah. I'm sorry, I'm laughing because the STD analogy comes up fortnightly at the company because it's so parallelized, man. I mean, my God, you know, the promiscuous nature of your devices, literally, it's what that is. Man, I worry about, you mentioned supply chain attacks. That's a totally different kind of supply chain. But now that we're actually talking about the real supply chain because of the shortages we have in the shipping debacle and the, what was that ship that got caught in the Suez Canal, all that stuff, right?
Starting point is 00:52:30 Oh, yeah. You could shut down the shipping. We mentioned that attack before, not just critical infrastructure, but what if we know that ports are the bottleneck and shipping and that they're way behind? That was the thing with the shortage a few weeks ago or a few months ago, maybe still is going on. Right. You could just target something like that, some sort of bottleneck in the supply chain, and then it's like, well, I guess technically that might be considered critical infrastructure, but all you have to do is go after a few different small systems. You don't really have to shut off the water and the power and the shipping and the blah-bo. You really just have to make it really hard for a country, especially one that's maybe in a conflict, to get goods and services into the ports.
Starting point is 00:53:09 and then they are super, super screwed. Everything has to be done manually. Yeah. I read an article about those hackers in Belarus shutting down the automatic train switches to stop Russian troops from deploying quickly. And this is a country that's probably very used to manually switching trains.
Starting point is 00:53:26 I mean, it's Belarus. They probably just got automatic switching sometime shortly after in the 90s, right? I mean, the guys that are working on these trains probably really know what they're doing and they're nowhere near as fast as the computers at switching the trains. And so you really just have to attack a
Starting point is 00:53:39 few sort of bottlenecks in the whole supply chain or something very, very critical can go down in the middle of a war like they're in now. Right. Yeah. No, you're right. It's a cascading effect. And then let's not forget the rules of war, conventional ones, meaning the ones that go back to Sun Tzu level stuff, right? Those principles are still very viable today for cyber. So, for example, if you're going to go and impact, like you said, we keep talking about critical infrastructure, but this could be logistics as well, like you said, why not wait until there's a really serious deep freeze about to happen in the winter. Or let's wait till the hottest day in the summer that's projected to actually impact something that's got already immense amounts
Starting point is 00:54:17 of pressure on it from environmental reasons or natural reasons. So those are things that are being looked at by these groups. They're not one dimensional in their approach. They're not like, oh, we're going to go hack it. It's literally, what confluence of events can I kick off and instigate to really facilitate a nightmare scenario? And that's exactly what you're talking about. If you get the right shipment to be stifled, that'll create a massive cascading effect. Like, for example, now neon is being, there's a shortage of neon because that was a huge product of Ukraine. And that's a key component of microchip and semiconductor development.
Starting point is 00:54:50 The actual gas of neon? Yeah. Oh, okay. Did not know that. So not only do we have a semiconductor problem before this, now we got another ingredient that's actually going to be a shortage around. So maybe we can expect our Teslas to be delayed longer and more laptops to be delayed and everything else that uses a chip.
Starting point is 00:55:05 Jeez. I've been waiting forever for this new car. They said March, now it says July. There you go. But you know what? A high quality problem. This is The Jordan Harbinger Show with our guest, Karim Hijazi. We'll be right back. I just want to say thank you so much for listening to and, of course, for supporting this show. Your support of the sponsors and the advertisers is what keeps us going. All those deals and discount codes and clunky URLs, they're all in one place. We put them all on one page. jordanharbinger.com/deals is where you can find them. Please consider supporting those who make this show possible. Now for the rest of my conversation
Starting point is 00:55:42 with Karim Hijazi. It's so hard to complain about anything now because I'm like, well, our country is safe and secure. I don't have to worry about my kids drinking clean water or getting bombed, you know, or anything like that. And I talk to people in Ukraine on WhatsApp, and it's like, it's just hell on earth in so many places. So I feel like such an a-hole being like, my Tesla is going to be three months late. Like, shut up, Jordan, you prick, you know. Speaking of critical infrastructure, ransomware, we kind of touched on that before, hospitals, fuel infrastructure, that Colonial Pipeline hack that happened where they wanted
Starting point is 00:56:19 to ransom the data, that type of thing seems like we're in the early days, right? They can get in there, encrypt computers. They can sell the data if they get good corporate data. They don't just have to ransom it. They could sell it on the dark web. They could go into social security systems or medical records and things like that. That stuff freaks me out. And I talk with executive friends and they go, well, we have a lot of backups. I'm like, well, what happens if they frigging encrypt the backups or turn them off? Are you
Starting point is 00:56:46 going to notice? You're not going to notice. How often you check your backups? Or if they get them both on the same day, what are you going to do? You back up a bunch of encrypted stuff. Like, I assume you're looking at this and not super satisfied with the solutions that these companies are coming up with. No, because I'm hearing exactly what you just said. I'm hearing that, well, we have remediation and business continuity plans in place. And I'm like, that's the first thing the adversary is going to go after is your business continuity plan. They're going to deploy something to do reconnaissance in your environment. They're going to find the backups and they're going to encrypt the backups before they encrypt anything else. That's the whole point. They don't want you to have a remediation plan.
Starting point is 00:57:19 They want you to be able to bow down to their ask of money so they can give you a decryption key that won't work probably. But let me tell you what's even more like ridiculous about that Colonial Pipeline situation. This one statement will kind of really lay the foundation that this is never going to go away. Colonial was not actually literally hacked. Like no hacker pounded on the door somewhere until they finally got their way in. They found stolen VPN credentials to get into the organization on the dark web. So they started on the dark web and they probably ended on the dark web. They stole information to get in that allowed them to steal information and then extort them for money to then sell back out on that dark web again.
Starting point is 00:58:00 So it's endless. You know, human behavior is the one piece of the equation that you know very well, we both do that is eternally hackable. Machines, I mean, you know, inevitably, there'll come a time where we get a pretty good handle on how to make them pretty hard to get into. Like, we can make the machine pretty binary about what it arrives at. But the minute a user gives authorization to something to run, you know, all bets are off. Like at that point, that malware is functioning like a legitimate piece of software in the
Starting point is 00:58:28 So this is what I think people misrepresent a lot that they think hackers have this like malicious virus that's a scourge and it's going to be identified within the network because we're still living in the antivirus days and those days are gone. Now this stuff runs like it's meant to run in the organization because the users allow it to and give it authorization. That's interesting, the social engineering angle. You and I've spoken about this. In fact, now's probably a good time to discuss this.
Starting point is 00:58:51 We don't have to do a whole show on it here because, you know, for time. But when I was young, I was also like hacktivist, right? I was like, I'm going to help these groups. I wasn't a capable hacker or anything, but I was in the IRC channel. We call it pound phreak. So hashtag, really, phreak, PHR, A. I remember that. Right, so I lived in that channel, man, all day and all night.
Starting point is 00:59:10 I was in there. And one of the things that they were talking about was there's an old phone company that probably doesn't exist anymore called MCI. And they probably became AT&T or something like that later on, you know, merged or whatever. WorldCom. Yeah. Well, the WorldCom got bought by AT&T, I think. But yeah, MCI, WorldCom.
Starting point is 00:59:25 I'll never forget that. I think it was the same channel with you. Yeah, we probably were the same channel. It's funny. So MCI was running phone exchanges, so phone systems in Iraq. And the guys were like, hey, we should shut this thing down. Because, of course, the United States is going to take out actual, like, microwave command and control.
Starting point is 00:59:47 That was part of the thing, because I think Saddam had used microwaves above ground to signal to radar stations and missile defense and stuff like that. And somehow these guys knew that. And so what they did was they said, well, they're going to default to landline phones. A lot of those are buried. A lot of times military doesn't take out phone lines because civilian infrastructure, et cetera. And also it's a big, big, big network.
Starting point is 01:00:09 You'd have to take out a lot of phone lines. So we were like, we can totally just take down the phone exchange. Because if phreakers, which are like phone hackers, for those who don't know, if we know anything, it's how phone systems work and how to screw them up, especially old ones that are in a foreign country that are not maintained well and have old software and old systems. So we decided to take down the MCI phone system in Iraq. And you'd said, wow, I bet that was a rush. Yeah, it was. It definitely was. And you'd think that that kind of thing would be harder to do today, but I think more vectors than ever are out there. You know, like, back then, we had hackers that were getting access points and
Starting point is 01:00:47 dialing into Iraqi phones from their modems and things like that. We tricked people. I literally, I remember, I called repeatedly on a line. I used my modem to make the phone call sound really distorted. You know how you could talk through your modem and it would sound like crap, right? It would be like a PC speaker. I'd create a bunch of static so they didn't know that I was a kid. And may or may not have pretended to be a woman because I was like 14 years old. By the way, it's easier to make your voice higher when you're 14 and then to make it lower just in case anyone's wondering.
Starting point is 01:01:18 And, you know, I get a hold of these like telco guys in Iraq, okay, that are just beyond stoked that an American woman from New Jersey or whatever is calling. And, you know, so Janice from New Jersey, I want to make sure your MCI service isn't interrupted if we can during the conflict, you know, blah, blah, blah, we just need X, Y, and Z. I may or may not have been like, you know, Janice from Jersey Shore, chewing some gum, right? You could literally say something like, I'm returning a call from Colonel Hamza's office, right? because Hamza happened to be, one, a super common name, but also my buddy was Lebanese,
Starting point is 01:01:54 and that was like his uncle's name. And I grew up in Detroit. So I knew tons of Arabic dudes from Lebanon, and half of them were named Hamza or something along those lines. And I was like, all right, this is Arabic sounding. That was the logic. And you could get them to be like, oh, yeah, when you go to this, you have to type in this MCI-1234, and the password is also MCI-1234, and then you put Hamza at the end or something
Starting point is 01:02:16 like that. You know, you put Muhammad at the end. And they would just tell us, like, how to log in. You have to telnet, which I don't know if that still exists. You have to telnet to this area and you can log in and that's the administrative thing. If you need to look at our configurations. And I'd be in there and I'm like, okay, so here's how they shut things down. Here's how they reroute things.
Starting point is 01:02:36 And we just caused absolute hell in those phone systems. And we would get control of like all of Baghdad's phone systems. That's amazing. And we would route them so they couldn't call, you know, domestically, they could only call outside or they could only call MCI numbers. We would change things during the conflict. So if they had it figured out, we would just change it an hour and a half later. Like, social engineering is the most dangerous because you don't need special software. You just don't. Hacking still relies heavily on that piece.
Starting point is 01:03:06 So really, frankly, an influence operation that we were talking about earlier, that's nothing more than a social engineering effort, but by way of like a phishing email or something else. It's really still getting the user to do something that you need them to do by convincing them in some fashion, right? It's not always so slick. It's not always so covert. Certainly once you have that initial vector of access, off you go. Yeah, now you can deploy anything you want. Now that's when the malware really comes in. But the first stages of this are very much still old school, getting a user to actually click on something. And now phishing, you know, is the big vector of attack these days, right? And when Microsoft's Exchange servers got hacked by the Chinese group, that Nobelium group, which was in the news a while ago, I really was like, oh, crap, this is going to get really hairy quick because if you can get people's email servers, now I can send an email as Jordan Harbinger from jordanharbinger.com without it being misspelled or some sort of spoofed version of it. It's literally coming from your server. And if I'm really good, I'm going to read everything you've ever written for the last six months. So I can get it. I can
Starting point is 01:04:11 get your tone and your cadence on how you write and maybe even some of the nicknames you have with friends of yours. And they're going to open. They're going to read that email and they're going to do whatever you sort of ask them to do because it's coming from you. No software in the world is going to be able to identify it as fraudulent because it passes all the sniff tests that's coming from Jordan. And that's absolutely possible today. So if you lay all the groundwork for the parameters to be that it is legitimate and then you're really skilled at creating the content like what you were doing, that's really formidable. And that's what these guys are being trained to do. And so, yeah, there is no technical solution to this.
Starting point is 01:04:46 You know, I'm the guy that tries to build the technical solutions. I'm the guy that does the intel to identify where these things are. And I can be the first person to say that there's probably never going to be a fix that just works. Yeah. It's going to be a training issue. The joke is always there's no patch for stupidity, but here's the thing. Right. These people aren't stupid. You know, maybe if they're getting tricked by a 14-year-old who's pretending to be a woman calling from New Jersey, they're a little bit naive, but this is like early 90s, so forgivable. But people get conned all the time. Right. I mean, if you don't believe it, look at Bernie Madoff, who conned like billions of dollars out of people. You see Inventing Anna on
Starting point is 01:05:21 Netflix and you think, how can these people be so dumb? And the truth is, if you work hard enough on somebody and you build rapport and you build trust and you're a skilled con artist, you can get people to do things, especially if they kind of don't really care and they kind of don't think that what they're giving you is that important and they're relatively convinced and they want something from you that they think you can give them. I mean, all these switches are hardwired into us as humans, and it's very rare that someone's going to be able to turn all of them off. Training or not, you know, there's a reason that people break training protocol and get busted sleeping with spies because those spies are pushing all the right levers and buttons,
Starting point is 01:05:56 and those people will do something they know was wrong. That's why background checks see if you have drug addiction or gambling debt or other sort of issues like that, because those are all, those are vectors that work like every damn time, right? Yep. And they will never stop working. So the best thing to do is make sure that that person is not in a position to divulge or screw anything up. What do you think of Russia being removed from Swift, you know, the banking system?
Starting point is 01:06:21 Yeah. Can you tell us what Swift is? I think a lot of people don't even know. No, absolutely. So Swift is literally the banking communication network. It was built a very long time ago with no security in mind to begin with, I might add, and it was intended for various banks all over the world to communicate with each other and all of the transactions that you do, whether it's a deposit or withdrawal or wire, all of those go through that network. So it's sort of this private bit of a silly analogy, but it's sort of a private internet within the internet for the banks, right? And what they're threatening to do, they being us, is take Russia off of it. Now Iran's been off of it for a while. I think they've been off of it for eight to ten years now as part of the sanctions against Iran. Now, here's where I really hope that the decision to do this has been really, really thought through by
Starting point is 01:07:10 a variety of professionals, including cybersecurity and intelligence and geopolitical analysts, because Jordan, I don't believe that there are that many folks that have that set of talent all in one. And you're getting a lot of contradiction and a lot of contrary ideas around things. It's kind of like the movies where you get that like four star general that wants to hit the nuke button quick. Like, let's take them out, you know? And it's like, and then you got this very reserved hero of the movie that's like, wait, but you know, that'll cause this. And that's exactly what's happening here. So to answer your question, if you take Russia off something like Swift, which you can do,
Starting point is 01:07:44 you can pull them off and essentially de-peer them from it, what I think might happen. And again, this is a conjecture, but it is a very likely scenario. They're not going to have any reservations about attacking it because they were benefiting from it before. And everyone's kind of betting that they don't have an alternative. Well, we all know now, the intelligence community is well aware of it, that they have an alternative with China. China has built a very similar system privately that Russia can absolutely link into. And yeah, is it perfect? No, is it eating hot dogs for the year to survive? Maybe.
Starting point is 01:08:16 But it's survival. And it's probably more than survival. China's a massive economy. You know, we can't forget who we're dealing with here. This is, again, highly and hotly debated that all these sanctions are going to destroy the Russian economy. I'm not as sold on that. I need more convincing because I think there's a lot of alternatives they have there that they've already sort of figured out well in advance of the situation. But yeah, the fear very plainly
Starting point is 01:08:41 and I'll let you kind of drill it down into this, they will have no compunction to take it down and working in symphony with someone like Iran to go after it. Because if they're not benefiting from it, why let us have it to function freely? And if they do that, well, you know, you go to the bank and things aren't going to work. What are you going to do?
Starting point is 01:08:58 Yeah, yeah, they're going to have to secure Swift. And it's going to be a major target, right? I mean, it's just so important. And now there's no collateral damage that they care about. Right. Maybe it would have been tougher for them to attack because, well, then we can't use it and we rely on this. But, yeah, if you're forcing them to go and create a way around it and bypass it, even if that bypass is less efficient, it's kind of like, well, if we can't use it, then we're just going to make it impossible for you to use too. Why not?
Starting point is 01:09:24 Yeah. That's no good. And now's not the time to go fix it. Not when we've made the threat that we're going to take them off of and be like, all right, let's get to work to make sure this doesn't get hacked. It's like, no, that should have started about 10 years ago. Oh, man. So the same as a critical infrastructure problem. We can't start retooling when we're under attack.
Starting point is 01:09:39 It's not going to work. Yeah, that's a good point. I mean, all those vulnerabilities were probably in there forever anyways. I want to be conscious of your time here, but I do have to hear about how this offshoot of Anonymous went after you and why. Because you're making friends out there, man. You know, you got nation states and cyber militias that don't like you. I think that's a good place to close is why you're such a thorn in their side. What's going on?
Starting point is 01:10:00 Yeah, you know, and I definitely am not stopping. I guess I'm just a glutton for punishment with this kind of thing. But LulzSec was an interesting group. Now, I'm certainly not the only one that they went after. They went after Sony. They went after the CIA. I think PBS is another target of theirs at one point. This is in the 2011 or so timeframe. And they also went after Stratfor, if you remember that. That was a really interesting situation. Stratfor was a strategic intelligence company that got attacked by them. Whole other ball of wax I'll have to share with you at some point, Jordan. It's pretty interesting. But ultimately, in 2011, I was doing what I do best, which is take down or infiltrate infrastructure that adversaries set up. And I did it fairly indiscriminately. So, like, I wasn't as targeted
Starting point is 01:10:43 as I am now where it's like I'm going after a very specific, you know, nation state actor. Back then, if I found a piece of malware that had a command and control capability, it was fair game for me to go after. So we ended up inadvertently taking down the denial of service attack botnet on Sony that this group set up. So they were probably sitting back in their chairs probably watching Sony flounder with this denial of service attack and then all of a sudden it went off. And they're like, what? Who turned it off? You know, who unplugged this thing? And they went and they found that we had actually taken over the single command and control domain that was associated with that threat that they were using or that denial of service attack. I basically drew their
Starting point is 01:11:27 fire. And there's a very involved story in how they got my credentials to come at me. But what's most disturbing about it was they actually got them from something called InfraGard in Atlanta. And InfraGard is the FBI. So it's an FBI private sector cooperation environment. And LulzSec literally went into that database. They hacked into that to get my credentials from there that allowed them to get to me. This didn't really hit the news quite as loudly as the other stuff did, but which was really disconcerting because I was like, these are credentials I used specifically for that. That means they got them from there,
Starting point is 01:12:02 which is concerning. I didn't know who I was dealing with in the beginning. And the way they made themselves known to me was a very cryptic email that I got from them at like two in the morning, mid-May of 2011. And the mail literally had one of my passwords in the subject line and this one-line email of, we should talk, period.
Starting point is 01:12:22 And I was like, oh, man, this is either a bunch of kids or it's a buddy that's gone too far with a joke or it's something real. You know, something like your password, it's never cool. I mean, even, you know, we could prank each other all day long, Jordan, but the last thing I'm going to do is put one of your passwords in an email, man. That's not cool. Yeah. Yeah. So it was one of those things where I was like, this is going a little too far. So I replied with, what do you want to talk about? And they came back around and indicated that they had already infiltrated our systems and they had gotten a hold of certain information that they were going to disclose to the media and share like they hacked us and this and that.
Starting point is 01:12:57 And they would only withhold that doxing effort. And doxing is that whole sharing of your information publicly to kind of disgrace you or humiliate you in some way. If I shared the, well, one gave them back the access to that DDoS threat. But then more importantly, they realized what we were doing. And they're like, wow, if we actually get this company to give us access to all the other botnets that they've actually got control of, we can really, really be powerful. So they tried to extort me for that and then threatened that if I called law enforcement or the
Starting point is 01:13:26 intelligence community, they would, you know, release the information. So I did. I called everyone I knew. Yeah, because I was going to say, if you get hacked, what do you do? You have to call the FBI or something. Exactly. And it's really interesting because there is no phone number to call. It's interesting. You know, you think about this. And I had to face that, which is crap, people call me for this. Who am I going to call? Right? Like, wait a second. Yeah. Why does this work? And I did. I called law enforcement. And, you know, it took me forever to get to the right layers within the FBI. The intelligence community was tracking these guys for reasons that had to do more with the WikiLeaks mess and whatnot. And ultimately, I was instructed to keep the communication flowing with the individual that
Starting point is 01:14:05 was at the helm of this, who turned out to be the head of LulzSec, and our information eventually got translated back through the right channels to the IC. And they found him and got him, and he was arrested. I think he served time and a variety of other things. But there's a deeper, darker part of this that had to do with them using information to your point about taking something that should have been just a cyber attack to something more kinetic. I had worked with a company called Palantir and MIT on this think tank project well in
Starting point is 01:14:34 advance of this attack by these guys. And they used that report to wordsmith and construct this narrative that I was some sort of deep, dark secret government guy doing offensive operations against the Middle East. And this is right when the Arab Spring was going on. So there was a lot of tension. and, you know, people were ready to fly off the handle. And I don't think my name falls flat on anyone. It's pretty bloody Arabic to begin with, right?
Starting point is 01:15:00 So it was like great. And so I had all of these Libyan separatist types that were threatening me, that were going to come out and kill me and my family. And so I did. I'm one of the few people that's probably been victimized from a cyber perspective that moves squarely into something that could have been physical. I have thankfully lived through it, helped get these guys nabbed. And the good news is that my firm was ultimately acquired.
Starting point is 01:15:22 shortly thereafter by a company called Mandiant, which has been in the news recently. One hell of a story, Jordan. Yeah, that's really scary. Are you worried about anything like that happening now? Because like I said, you know, these nation states are, they don't like you. And they're far more capable than some punk-ass kids who got into your email and maybe your company. I mean, these are, you've seen what happened to like Sergei Skripal in the UK where they
Starting point is 01:15:44 were like, oh, let's just poison this guy and do it on video and get away with it. Right. You know, are you worried about something like that? Yeah. I mean, I definitely think that the job comes with these inherent risks. It's sort of one of these unfortunate situations where I have to sort of temper my risk averseness to what I'm actually doing. And I think as I get older, I sort of rethink how I would actually do things better because you can only obfuscate yourself so much. You know, when you're running a company that's privately funded
Starting point is 01:16:08 and, you know, needs to be out in the public. You need to share what you're able to know. I mean, there's so many other stories that I could share with you. I mean, I literally shared with the media information about actual organizations in the U.S. that were compromised, and even the media shied away from sharing that information because they were scared of the repercussions from those organizations, that blowback, not just the adversaries being mad at you, but the companies that don't want to be disgraced or see their stock dip, because the information we share could impact people's reputation, people meaning companies, you know, large public sector firms that ride the market heavily.
Starting point is 01:16:44 And if there's anything that could sort of impact their shareholder or stakeholder confidence, that's disruptive. So, yeah, speaking of making friends everywhere, it's not just those guys. It's even some of the companies I'm trying to help that actually get very upset with me. Right. So your customers are also, that's such a complicated relationship. Like, your customers are like, thanks for this. By the way, don't tell anyone, or we're going to sue you into oblivion?
Starting point is 01:17:08 Yeah. Right. Yeah, exactly. Exactly. So, you know, I think this may be the last time I do this type of stuff, but who knows what's next. It'll be interesting to see what happens. Well, I'd ask you what keeps you up at night, but I think we covered it. You know, critical infrastructure being totally unprotected.
Starting point is 01:17:22 I mean, we talked about a lot of things that are certainly going to keep me up at night for at least a week. So maybe we have that covered already. What do you think? Fairly certain. Yeah, there's probably a slew of other things, but frankly, they all dovetail into the fact that I'm either pissing someone off or a country off or an intelligence agency off or a large multinational organization with likely their own henchmen. So it's, you know, take your pick. Well, it's good to be your friend. And I say that now, you know, not having to dodge bullets,
Starting point is 01:17:48 cyber or otherwise while sitting next to you. But, you know, I'm glad to know you because I feel like I'm slightly less safe for that. But on the other hand, you're an interesting guy. And that's the spice of life. Appreciate it, Jordan. Same here, man. You're about to hear a preview of The Jordan Harbinger Show about how you can be affected by ransomware and cyber attacks on the rise now all over the world. still don't know just how deep the Russians are into our government systems. So it's going to be at least a year or more before we can stand up and confidently say we've eradicated Russian hackers from nuclear labs, the Department of Homeland Security, the Treasury, the Justice Department. How do you
Starting point is 01:18:31 trust that any of the software you're using is secure and not a Russian Trojan horse? We live in the glassiest of glass houses. makes escalation, you know, that much more of a risk. We're getting close enough that I think we're going to see a cyber attack within the next four years even that causes substantial loss of life. For more with Nicole Perlroth on what the U.S. should do to push back against cyber warfare, check out episode 542 on The Jordan Harbinger Show. Man, we could have gone on for a long time. Pegasus, the spyware that's in your phone that can take over your camera and take over the microphone and hear and see what you're doing. I mean, all of this stuff is terrifying,
Starting point is 01:19:15 but there are other things that are even worse and more terrifying and even more invasive, which is absolutely incredible. Basically, people in Russia and Iran are watching you in the shower. If you take your phone in the shower like everyone else to listen to this podcast, maybe, if you are soaping up right now, somebody could be watching you. Just saying that. It's not me. Don't worry. I won't subject myself to that, but no promises. Could be one of Putin's cronies. So hopefully you've been working out. Also, of course, I asked Karim about encryption. And he told me, encryption really, for the most part, it's only good for data at rest or in transit. The minute we need to read it or hear it or play it, it is of course decrypted, and then
Starting point is 01:19:52 it's available to prying eyes and ears, likely some form of malware. So all those encrypted messaging apps and all that stuff, great unless something is monitoring what goes onto your screen or looking at your screen or listening to the things that you play. So all these encryption plays are great, but really they don't necessarily stop a dedicated actor from trying to see what you are doing or typing or listening to. It's great if you want to stop data in transit from being intercepted by somebody like Facebook or whatever, but it's not going to help if you are really up to something and the state doesn't want you to do that. Back in the 90s, the government and military, they had a program called Tempest. And I can't remember exactly how this worked, but it was
Starting point is 01:20:29 able to grab the thermal emanations off of a screen. Remember those green monitors that everybody had back in the day, it could see your screen through walls. And if something like that exists for modern screens, and let's be honest, of course it does, then all those encryption apps and those encrypted chats and all that stuff just is useless if somebody outside is grabbing what you are literally seeing on the screen. Remember, it doesn't have to be a camera. It can go through walls and go through you. It can just be a sensor that can read things that are on a screen. Absolutely incredible. By the way, a bit of a special announcement here. If you know anyone who is an experienced cybersecurity professional and/or a very capable computer or IT professional. Not the kid who set up your
Starting point is 01:21:07 AOL email account, but a legit expert, and they'd like to help Ukraine remotely. There are some groups out there who may be interesting to you. I'd encourage you to take a look. I may be able to help guide you here a bit as well. The best groups are going to be helping in the cyber defense arena. This is nonviolent stuff. You're not going to be blowing up a chemical plant or a reactor. You're not going to be poisoning a water system or something horrible that harms civilians. You're going to be, let's say, making invasion logistics that much slower and more difficult. I am not affiliated with any particular group. I'm simply offering some advice here for those who keep asking. Now, in a group such as this, you'd be reverse engineering new malware and threats, working
Starting point is 01:21:46 on identification of unpatched and vulnerable systems, and identification of supply chain, organization, that kind of thing. So again, I'm happy to help guide you if you're rooting for the underdog. A lot of these groups are trying to make the world a safer place by buying some time for Ukraine and for the military there. This is a humanitarian effort. Again, I have nothing to do with these groups other than helping to spread the word like any other journalist and trying to save the lives of people on the ground. And of course, I wouldn't want you to do anything illegal. I've got a reputation to uphold here. If there's anything you know about me, it's that I am on the right side of the law at all times, am I right? If that interests you, go ahead and reach out to
Starting point is 01:22:22 me and maybe I can point you to the right place. Thanks to Karim for doing the show today. Everything Karim Hijazi will be linked up at jordanharbinger.com. Please use our website links if you buy the book. It does help support the show. Transcripts are in the show notes as well. Videos are on YouTube. Advertisers, deals, and discount codes are all at jordanharbinger.com/deals. Please consider supporting those who support this show. I'm at Jordan Harbinger on both Twitter and Instagram, or you can connect with me there on LinkedIn. I'm teaching you how to connect with amazing people and manage your relationships for professional reasons, of course, using software systems and tiny habits. That's our six-minute networking course. That course is free. It always will be
Starting point is 01:23:00 free. It's over at jordanharbinger.com/course. Dig the well before you get thirsty. Build those relationships before you need them. Most of the guests on the show subscribe to the course. Come join us. You'll be in smart company where you belong. This show is created in association with PodcastOne. My team is Jen Harbinger, Jase Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, Josh Ballard, and Gabriel Mizrahi. Remember, we rise by lifting others. The fee for this show is that you share it with friends when you find something useful or interesting. If you know somebody who's into the cybersecurity thing or just interested in hacks and what might come of a cyber war, share this episode with them. The greatest compliment you can give us is to share the show with those you care about.
Starting point is 01:23:39 In the meantime, do your best to apply what you hear on the show so you can live what you listen, and we'll see you next time. This episode is sponsored in part by What Was That Like podcast? If you're looking for a new show to add to your rotation, something that'll make you stop mid-dishwashing and go, wait, what that actually happened? You got to subscribe to What Was That Like? It's real people telling the most surreal moments of their lives, and they're not just giving any of the highlights. They're walking you through it from the inside as a person who actually lived it, which means you're basically getting a front row seat to the chaos. One episode is about Scott getting locked up in a foreign jail for a crime he didn't commit. Sure, Scott. Another is
Starting point is 01:24:16 Sue's parachute failing. Wow, I'm surprised she was around to tell that story. And then there's Michael who was stabbed on a bus, which makes your commute instantly feel a little bit more relaxing. Do what you think? So if you want to hear some wild and inspiring firsthand stories, I invite you to check out what was that like. Every story is verified. Their site even has photos, so you know even the most bizarre stuff you're hearing is somebody's real life. Listen to what was that like on Apple Podcasts, Spotify, or whatever app you're using right now. This episode is sponsored in part by Something You Should Know podcast. Finding a new great podcast shouldn't be this hard, so let me save you some time.
Starting point is 01:24:49 If you like the Jordan Harbinger show, you'll probably like Something You Should Know with Mike Carruthers. It's one of those shows that makes you smarter in a practical, useful way. Same curiosity vibe we go for here, just in a fast-focused format. Mike brings on top experts and asks the exact questions that you'd want to ask, and the topics are all over the place in the best way. Recently, they've covered things like why we care so much what other people think, the benefits of laughter, why sports fans get so invested, and what makes people like you or not. The through line is always the same. Smart ideas you can actually use in real life. Something You Should Know has been featured in Apple's shows
Starting point is 01:25:22 we love, and it's got thousands of five-star reviews because it's consistently interesting. So if you want another show that scratches that I want to understand how people in the world really work itch search for something you should know wherever you get your podcasts look for the bright yellow light bulb and start listening you can thank me later
