238 | Scott Shapiro on the Technology and Philosophy of Hacking

Modern computers are somewhat more secure against being hacked - either by an inanimate virus or a human interloper - than they used to be. But as our lives are increasingly intertwined with computers, the dangers that hacking poses are enormously greater. Why don't we just build unhackable computers? Scott Shapiro, who is a law professor and philosopher, explains why that's essentially impossible. On a philosophical level, computers rely on an essential equivalence between "data" and "code," which is vulnerable to exploitation. And on a psychological level, human beings will always be the weakest link in the chain of security.


Scott Shapiro received a J.D. from Yale Law School and a Ph.D. in philosophy from Columbia. He is currently the Charles F. Southmayd Professor of Law and Philosophy at Yale University. He is the Director of the Yale Center for Law and Philosophy and also Director of the Yale Cybersecurity Lab. He is the Co-Editor of Legal Theory, and Co-Editor for Philosophy of Law at the Stanford Encyclopedia of Philosophy. His new book is Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks.

0:00:00.0 Sean Carroll: Hello everyone, welcome to The Mindscape Podcast. I'm your host, Sean Carroll. It's kind of a cliche to say that even though in some sense, our lives change quite rapidly because of the advance of technology, often it doesn't seem like it's changing that rapidly, like we anticipate certain things like, where is my jet pack and rocket car and whatever, and we're not seeing those things. So we miss the changes that are actually happening. The most obvious example here is the computer. When I was growing up, we did not have computers in my house; when I was in high school, there was a computer lab you could go to.

0:00:36.1 SC: When I was in college, you could go to the department and work on the computers there, but I didn't have my own, that wasn't until grad school that I really... Late in grad school that I really started... That I bought my first personal computer. And the very idea of a computer and what it is, should not be taken for granted, even though that's what we do on. A computer is not just a calculator. Computers do lots of things. The miracle of the computers we use now is that they are general purpose machines. You can use a computer to watch movies, listen to podcasts, read your email, play games, calculate important integrals, if that's the kind of thing you'd like to do.

0:01:16.5 SC: And it kind of goes back to Alan Turing, the one who really first argued for the generalness of computers. It turns out that this feature of computers, their generalness, their flexibility is closely related to their vulnerabilities. We all know that there are worries that we have about computer hacking bringing down the internet, stealing our emails, things like that. Today's guest is Scott Shapiro, and he's gonna tell us a little bit about the philosophy and technology of computer hacking. It's somewhat reminiscent of our recent conversation with Nita Farahany, who is a law professor and philosophy professor who talked about the privacy issues that come up when you have the possibility of reading your mind with technology, neuro-scanning.

0:02:02.9 SC: And part of the lesson there, the worry was that human beings when faced with the trade-off between privacy and convenience are almost always gonna choose convenience, we really like convenience, we will give away our privacy. Today with Scott, we're gonna talk about computer hacking and the danger that that has for us. And part of the lesson is that when faced with security versus convenience, human beings often choose convenience, but it actually is gonna go deeper than that.

0:02:32.6 SC: Even people who are pretty well-meaning and try their best to choose security, human beings, they're always the problem, they get in the way. That's where it becomes a philosophical issue as well as a tech issue and a legal issue. How do we think about the way to shape human beings and their relationships with the machines they use in such a way to make us a little bit more secure? Scott Shapiro has a new book out called Fancy Bear Goes Phishing, that's phishing with a P-H-I-S-H, and the subtitle is, The Dark History of the Information Age, in Five Extraordinary Hacks. It's a detailed book, very readable and fun to read. But there's a lot of stuff in there. But the five hacks that he chooses historically, these five examples of when people hacked into the computers in one way or the other, they're very fun. You learn a lot about who becomes a hacker, why they do it, and what the rest of us who are hopefully not hackers can and should do to stop it from happening to us. So, that's useful advice, I think, for all of us. Let's go.

[music]

0:03:53.9 SC: Scott Shapiro, welcome to the Mindscape Podcast.

0:03:56.2 Scott Shapiro: Yeah, thank you so much Sean for having me.

0:03:57.4 SC: I think this is one of those episodes where a little bit of history is going to help us, a little bit of path dependence as to how we got here, because you're a philosophy professor, I know also in the law school. So that's kind of a natural intersection. But now we're talking about hacking and cybersecurity, which is maybe not so natural. How did we get here and what do these things have to do with each other?

0:04:21.7 SS: Yeah, sure. So I got... So two things. So first of all, I have a computer science background, like so many young boys, people my age, I grew up in the 1970s and '80s when the personal computer revolution came along. And my classroom in 9th grade had a TRS-80 from Radio Shack and my parents bought me an Apple II. And for the first time in the history of the world, you could go into a store and buy a general all-purpose computer. And for so many people, I was intoxicated by it and coding all the time.

0:05:04.1 SS: And then I studied Computer Science at Columbia, and I had a computer company and before the World Wide Web came on. And so I was just, I was a computer person until I switched to be a law and philosophy person. So that's the first thing. But really, the way I got into this was that my previous work had been on the history of war, that is the... In a book I had published before the Fancy Bear, called The Internationalists, it was a story about how war had gone from being a perfectly legitimate way in which states enforce the rights to illegal. That war is illegal excepting cases of self-defense. And then people... So it was like from 1600 to 2015, that was like the history. And then of course, people said, "Well, what about 2016? What about 2017? What about cyber war?" And I was like, "Oh, what about cyber war? That's super interesting." And that sucked me into this space and it was an incredibly interesting journey, it's an incredibly interesting field of cybersecurity.

0:06:26.5 SC: Are you teaching philosophy courses that relate to this topic?

0:06:29.4 SS: So it's funny because when I first started teaching, I taught this course with two other colleagues, one, a law professor Ann Hathaway, and another one, a mathematical cryptographer, Joan Feigenbaum. And we taught a class called the law and technology of cyber conflict, where half the students were computer scientists, half the students were law students. And so we'd explain the law to the technology people and the technology to the law people, and it was just terrible. And just like the absolute worst course I ever taught in my life. And that is because both law and computer science, they are technical subjects.

0:07:15.6 SS: And so at any given time, half the class was bored and the other half was confused, and we just switched back and forth throughout the semester. And then I realized that you can't... Well at least I hadn't figured out how to teach all of it together. So I've taught just a pure hacking class, just pure technology, then a pure law class, and then just a pure philosophy class to try to figure out how to get into the subject. And the book in some sense is a combination of all those.

0:07:47.9 SC: What is the name of the philosophy class?

0:07:51.0 SS: Oh, it's... It was called The Philosophy of Internet Hacking.

0:07:52.8 SC: Okay we'll find out what that is.

0:07:56.2 SS: Because as you... One of the main ideas of the book is that hackers don't just exploit computer code, but also the philosophical principles of computation. And that's something I hope we'll talk about. But to me, the technical, philosophical and legal are really tightly connected.

0:08:18.9 SC: Yeah. Okay. And not to be too professorial here, but let us define the term hacking. What do we mean exactly? 'Cause this might not even mean the thing that people think it means.

0:08:29.5 SS: Yeah. So when I use the term hacking, I use it as an activity that attempts to defeat a security control. So there are all these controls that are put on our computers, like have to enter credentials, username and passwords. That's a security control. And if you can defeat that security control, you have hacked that system. And so if you just leave your computer open and somebody comes over and reads your email, they have not hacked your computer because they have not defeated anything that was designed for you not to do it. Unless they picked your lock into your room or something like that.

0:09:17.9 SC: But if they trick you into sending them your email address or your password, I should say.

0:09:24.8 SS: Right, so that... That's exactly right. So if they somehow use fraud, deception in order to work around something that was designed for you not to gain access to the account, that is hacking.

0:09:41.2 SC: But I think a lot of people probably have in mind the idea of viruses or some kind of tools that let you get around a firewall. So is that still a lot... I mean getting people to send you their passwords is great, but is there still a lot of trickiness with viruses and worms and so forth, and do we need to know the difference between a virus and a worm?

0:10:02.5 SS: Yeah. You're right, exactly. So I'm a philosopher, so whereas other people may not be that obsessed with what is the difference between a virus and a worm, I was particularly obsessed with trying to come up with a... Why they're different. And I can talk about it, but one of the things I try to show is that viruses and worms, which very basically one might consider to be self-replicating computer programs, they all use forms of trickery, but they use trickery in different ways. Viruses use trickery to get users to execute them, to click on links to download them. Worms trick, not users, but their operating systems, or their other types of network protocols or lex... So there's always trickery going on. The question is, who's being tricked?

0:11:02.8 SC: I guess, I'm not sure how that relates to what I had in mind. Maybe I'm taking the biological metaphor too seriously, but I think of viruses as things that live within another program and worms as things that are living organisms by themselves.

0:11:15.9 SS: Yeah, no that... So in some sense that was the historical origin of the terms virus and worms. For example, worms from tapeworms and tapeworms are hermaphroditic organisms that can reproduce by themselves. And so that was the idea of a worm. The biological metaphor helps, but as I try to show in the book, it doesn't actually really work. There are fully self-contained viruses, there are worms that are part of other computer programs. So the difference between virus and worms is not whether they're stand alone or part of something else. They're really... Two main differences. One is who executes them, is it the user... Does the user need to click on the thing? And whereas a worm can... Is autonomous can operate by itself. And the second is, how does it spread? Does it spread through networks, worms spread through networks, and that's why worms are so dangerous on the internet, 'cause the internet means a network of networks. And viruses are local, that is they infect your computer, but they don't move from one computer to another via networks.

0:12:37.7 SC: Okay, how do they move from one computer to another?

0:12:40.7 SS: Well they used to... The main way in which viruses used to travel, what was called Sneakernet, which is like you just get a... You'd have a flop... You'd have a game that had a virus in it, you'd put your floppy in there and you'd give it to your friend. And they would put the floppy into their hard drive... Into their floppy drive, and then they would get the virus. That's the way it normally happened. In the early 1990s, it was estimated that it took two weeks for a virus to get from Europe to the United States.

0:13:20.1 SC: That's... I'm glad we went over that because you and I are indeed part of that generation that used floppy drives during our formative years, but I bet a lot of people listening have no idea what we're talking about here. The floppy disks are known only as a joke, right? They knew that that's an ancient technology.

0:13:38.5 SS: No, absolutely. And so there's the floppy disk, so there's the 8 1/2 floppy. They were really floppy. If you held them by the corner they really did flop over, then you had the 5 1/4, which was less floppy, but still pretty floppy, and then you had the hard floppy disks, the 3 1/2 inch ones. And that's right. I try to tell my students this, 'cause they're also upsettingly young. But when you save your Word document, you're clicking on a floppy drive icon that maybe they haven't seen or haven't remembered.

0:14:15.6 SC: The iconography will live forever.

0:14:17.8 SS: Yeah.

0:14:18.1 SC: And then before getting into the... So let... Sorry, let's back up, you've written a book, Fancy Bear Goes Phishing, and you will talk about... You talk in the book about these... You've picked out five paradigmatic I suppose hacks that we'll get through 'cause they're all really great stories and illustrate some of the points. But before we go into the details about that, I do wanna get some of the philosophical background on the table. You talk about how the idea of just stopping hacking is a little bit utopian, it's not gonna happen, it's sort of in the notion of a computer that it can be hacked. Could you... Is that an accurate paraphrase?

0:15:00.0 SS: Yes, exactly. It's not like people are silly or they make mistakes, it is part of the ultimate fabric of the universe. You cannot make computers that are unhackable.

0:15:12.0 SC: And this goes back to Alan Turing, who gets name checked a lot.

0:15:16.5 SS: Yes, it does go back to Alan Turing. What I think is so fascinating about Turing of... I mean Turing is one of the most fascinating figures in the history of science, certainly of the 20th century. And when... Some of the listeners might have heard of things like Turing machines that are named after Alan Turing. Alan Turing in 1936, he's 20... He wrote it when he was 23, published it when he's 24, comes up with this theory of how general computing devices are possible. Like you can make a mechanical general computing device, and this is just... This is of course, a massive intellectual breakthrough.

0:16:00.7 SS: And the principles that he lays out for how general computing devices are possible, which we can go into, it turns out to be exactly the principles that hackers exploit when they hack a computer. And I'm happy to talk about this 'cause I think this is one of the message... Main messages of the book, is that the very things that make computers possible, make hacking possible. And you can't get rid of one without the other, and that's like a... Such a deep part of the world of the metaphysics, so to speak, of the world that no amount of money, time or effort is ever gonna change that.

0:16:46.2 SC: On occasional rare moments, I begin to think that I'm a little bit smart, and then I remember people like Alan Turing who when they're 23 years old, invent the general theory of the computing machine.

0:16:57.1 SS: Oh it's... He's just crazy. And not only is he... Not only has he come up with this idea that general computers are... General computing devices are possible. He does that to show that computers can't solve every problem, which talk... That is Galaxy brain stuff. You can like, Okay. Computers are possible. Actually, general computing, you can solve any solvable problem but you know what, there are problems that not... No finite device is ever gonna solve. Like in one article.

0:17:30.3 SC: I still struggle with that fact that he got 100 years ago. Yeah.

0:17:34.1 SS: Yeah, it's just astonishing to talk about going from first principles and just driving just through pure reason to figure out something unbelievably deep about the universe is just... That's mind boggling. And like you, makes me feel bad about myself.

0:17:52.0 SC: Yeah I think so. I think it's okay. But if I'm gonna package the connection there and you can fill in the details, it's because Turing appreciated that there's not quite as sharp a distinction between data and code as you might have expected.

0:18:09.6 SS: Yeah, so this turns out to be... I think of this as like one of the two or three greatest philosophical discoveries of the 20th century that no one knows about. Or I shouldn't say no one knows about, lots of people know about it, of course, but they don't appreciate it as just a massive intellectual breakthrough. So the idea is that we have these two categories of things, code and data. So code, instructions, active, does things. Data, information, passive, has things done to it. And so, shut the door. Print your resume, add two numbers, that's code. 2, that's data, it's 80 degrees outside. And so you might think these things are so different from one another. One does something other thing, the other thing has something done to it. One's active, one's passive. So you might think they're so different, they can't possibly be represented by the same symbols.

0:19:17.6 SS: I mean, we normally think of code as represented by, at least for programmers, we think of it as like English, or English-like words, natural language. Co... Data we think is normally represented by numbers, although it doesn't have to be. So these seem to be so... Like numbers and words seem to be so different. And what Turing did building on the insight of Kurt Gödel the great logician. Which is that you can always take code and turn it into a number, and a unique number.

0:19:49.6 SS: And so you could have code and data represented by numbers, by the same symbols. And since all numbers can be represented by binary symbols, ones and zeros, you could have code and data, these very different things represented by the same strings of ones and zeros, which means that your computer need only understand one language, the language of ones and zeros.

0:20:14.3 SS: And, it means that you don't have to rebuild your computer every time you wanna run a different program, which is what a team of women programmers had to do in the 1940s with the ENIAC. They didn't have software. Everything was hardware. So you had to change everything. If you use the Turing process of converting code into numbers, what you could do is have a computer that accepts numbers and then runs it as code. Accept numbers treated as data, and then run the code on the data, which makes... That's why I only have one laptop as opposed to 87 for every application that I use, because I can just always download or load code into my computer.

0:21:03.8 SC: Part of me... This is very unfair, but part of me thinking like a physicist wants to say, "Of course, code and data are the same 'cause they're all atoms." And thinking about them as either code or data is a human choice that we make for our convenience. And Turing is really just reminding us that there's a commonality there, that this human invention is not absolute.

0:21:25.8 SS: Yeah. So but right now you're... I mean, that's absolutely true. But I just wanna notice that... Point out that you're quite naturally, because in some sense this was another great advance of Turing's. Which is that you're trying to assimilate a computer, a computing device to a physical system. And that was another great discovery actually of Turing that computation is a physical process and that you could build a contraption, a mechanical contraption that just manipulates symbols according to the laws of physics. And somehow through [laughter] some very basic manipulation actions like, writing the number 1, erasing the number 1, moving along a tape, that was sufficient for solving every solvable problem. So when you say yes, of course, words are atoms or actually the string is made up of atoms. Well, that is to use the other insight of Turing, which is that computing devices are physical devices.

0:22:44.4 SC: And these insights together are what underlie the claim that hacking is always gonna be with us.

0:22:52.4 SS: Yeah. Yeah. So let me just take the first... The second thing that I just mentioned about, computing devices are physical devices for manipulating symbols. You know, that is one of the main ways in which hacking occurs, which is that hackers exploit the physical limitations of physical systems. Think of polygraphs. So a polygraph is a way of trying to... Let's assume that they're good, that they work for the moment. The idea of a polygraph is to try to peer into your mind, not by asking and not by actually reading the neural patterns in your head. But to try to see that your brain is connected to your body. And that we might be able to discover through increased heart rate or sweating, that you think something. And that's a way of hacking the physical body, human body to figure out what's going on. In cybersecurity, this is called a side-channel attack, is to try to read off information from the changes in the physical system that's being studied.

0:24:16.8 SS: So there are all these cool things where hackers can discover your passcode because you have an accelerometer in your smartphone, which can tell which numbers you've [laughter] pressed...

0:24:30.7 SC: Oh my goodness.

0:24:32.8 SS: Because the phone shifts a little bit. And so there are very sophisticated exploits that use this. The second one is, in the book I call this Duality, which is the first principle we had been talking about. That code and data are... Can be represented by the same symbols. Well, if they can be represented by the same symbols, when the computer or the user is expecting data, the hacker can send code. And that is the other major way in which hacking occurs. So one thing I think you can see is that the very thing that makes computers possible, that is that they're physical devices and that they can manipulate both code and data through binary symbols, are the very things that get exploited by hackers. And when I... Thinking about it this way I think kind of takes things that seem very disconnected from one another and they show the common things, commonalities. So phishing attempts are attempts to exploit imperfect human psychology. That's, we have imperfect human psychology because we need shortcuts. The same thing with side-channel attacks on computers, they're also exploiting the physical nature of the system. So that's a way of seeing how to group hacks together.

0:26:06.3 SC: And there's one other distinction that you raised that I really liked between upcode and downcode while we're talking about code. So what is that?

0:26:16.1 SS: Yeah, sure. So think of when you're typing on your computer. Downcode is all the code below your fingertips. So your operating system, your application, network protocols, how your router works, firmware, all that kind of stuff. Upcode is all the norms and rules and code above your fingertips. So your psychology, social norms, legal norms, professional ethics, terms of service, employment contracts, all the norms that go above. And I call that upcode. And the standard way that people think about cybersecurity and hacking is almost purely through a downcode lens. So they think, "Oh, okay, we got some technical vulnerability, we got some bug, let's fix it." And the argument that I make in the book is that this is a bad way to address cybersecurity. That we ought to be looking at the upcode, the norms which provide incentives for coders and for users to use their computers in a certain way to develop code in a certain way. And so what we ought to be looking for is not so much the technical vulnerabilities and the downcode, but the human and political and social vulnerabilities and the upcode.

0:27:34.5 SC: And let's look at exactly those. So you have these wonderful examples and I like the very first one, Robert Morris in 1988, because I remember I was a first year grad student at that time at Harvard. And the first... This is big news, the internet went down. The internet was a very tiny thing at the time. But there... [chuckle] it shows one of these human psychological aspects because I was at Harvard. The first guess was that this is somehow affiliated with MIT. But then at some point there was an idea that in fact the person who did it was affiliated with Harvard. And they were very proud. They were happy. Like we beat MIT somehow [laughter], it turned out not to exactly be the full story in either way, but tell us what the story was.

0:28:19.4 SS: Yeah, Sure. Did you know Cliff Stoll?

0:28:22.9 SC: I've seen him give talks and I've read his Cuckoo's Egg.

0:28:26.0 SS: Okay. Because he's an astronomer and a computer security expert who was at Harvard at the time and who also played an essential role in trying to remediate and explain what had happened. So here's what happened. It's 1988, November 2nd 1988. Robert Morris Jr., who's a first year graduate student in computer science at Cornell University, had been a Harvard undergraduate, [laughter] logs into Richard Stallman's email... Computer account in... At MIT because Richard Stallman, who is the, often known as the Father of free and open source software, he didn't have a password on his account. And, so Robert Morris did not hack the MIT computer, but what he did was he released three binary files, which he released as an experiment.

0:29:35.9 SS: The basic idea of this worm that he created was it exploited some multiple vulnerabilities in the Unix operating systems, particularly Unix 4.2, the Berkeley software distribution 4.2, which was the first opera... first Unix distribution or I should say first major Unix distribution that was hooked up to the internet. And so what Robert Morris did was he exploited those vulnerabilities because he was extraordinarily knowledgeable and he was really just interested in figuring out how big the internet was. It was a science experiment for him and for reasons which I can go into, the worm was so effective at infecting computers that it reinfected those computers over and over again. And so these computers crashed not because he was trying to crash them, but because they were so busy copying worms and distributing them.

0:30:47.8 SS: One of the things that... So I'm the same age as Robert Morris Jr. He is right now a tenured professor at MIT. His friend that I talk about in the book, Paul Graham. Paul Graham is the... One of the founders of Y Combinator, giant tech venture capital firm that is responsible for funding Dropbox and Airbnb and stuff like that. But this is a story of like, when they're grad students, and when the internet goes down, it's on the cover of the New York Times, on national news. Robert Morris Jr. has to call Robert Morris Sr., Bob Morris, who's his dad, who's the head of cybersecurity for the NSA. [laughter] Just imagine crashing the internet and like you have to tell your dad who's responsible for cybersecurity for the National Security Agency. Just an incredible... Like it just makes me cringe every time I think about it. And then he gets prosecuted and convicted for... The first one to be convicted of violating the Computer Fraud and Abuse Act. And he does not go to jail. But it's a very... It's a harrowing story of what he went through.

0:32:11.0 SC: And just so people are correctly normalized in their expectations here, the internet existed in 1988, but it was a different thing. What we call the World Wide Web did not exist.

0:32:23.9 SS: That's right. So one of the things I try to explain in the book, right? Is that the web and the internet are often conflated for good reasons, in part because the web is a protocol for... That works on top of the internet. And so just like email uses the internet, browsers use the internet. And the World Wide Web is created I think a year later in 1989. And then it comes online with the first browser in 1993 with Mosaic, which becomes Netscape. So we're talking like right before everyone starts thinking about the web and the internet. And one of the things that's fascinating, and I didn't realise this from my research, the first time Americans or anybody had ever heard the word internet before. I was...

0:33:27.8 SC: Was when it went down.

0:33:27.9 SS: Kinda shocked about this. And they don't even know how to... Like when newspapers are writing this up, they don't even know how to refer to it. Is it the internet? Is it internet? Is it the internet network? Is it the internet with the N, second N capitalized. [laughter] There's a lot of experimenting. But the first time people know that the internet exists, basically is when it crashes.

0:33:51.8 SC: And it was essentially... It wasn't malicious. It was, like you said, it was kind of a science experiment. It was not an attempt to bring down the internet. It was kind of like, yeah, we're young and it's a brave new world. Let's see what we can do.

0:34:05.5 SS: Yeah. I mean, so much... The thing is that I think it was so shocking to people precisely because it wasn't malicious. It was like, Robert Morris Jr. had found security vulnerabilities in internet protocols before. He was basically the network administrator for Harvard before he went to Cornell. He was a white hat. He's one of the good guys. And one of our people crashed the internet. What would a black hat do? [laughter] And I think that just freaked everyone out, scared everyone. Of course, everyone was worried about connect... Was the internet connected to the nuclear arsenal? The movie War Games which maybe, some of your listeners remember [laughter], I bet you remember it.

0:35:11.0 SC: I do.

0:35:11.8 SS: Matthew Broderick film, which tells a story of how this teenager kind of... What's now we call it wardialing after War Games, is dude randomly dialing numbers through his modem and then connects to a NORAD computer, which he thinks is a video game repository. And he almost starts World War III. [laughter] And this, it's amazing that Ronald Reagan sees this movie at the White House and then freaks out and then gets everyone to like... Get, like, "Can this really happen?" And we get the next year, the first iteration of the Computer Fraud and Abuse Act, the first federal law against hacking. It's too perfect. [laughter] You know, movie star president sees this movie, we get this law. And then a couple years later, the whole internet goes down and then people see these things connected and they get very, very, very anxious. And that anxiety in many ways has not gone away.

0:36:16.6 SC: I'm always fascinated by the similarities, but also differences between a complex system like the internet or even a single computer and complex systems like a living organism or an ecosystem, which the biggest single difference is that one was designed at least partly, and the other one kind of evolved. Does that difference make the internet more or less vulnerable? You know, sort of hasn't grown up through being buffeted by a whole bunch of different evolutionary challenges. But on the other hand, there's people trying to keep it safe. Is that an easy question to answer?

0:36:52.7 SS: No, it's really, I mean, you know, like any question involving complex systems is not easy to answer. And so... And it's not even... I would be honest, it's not even my area. I will say that two things of real importance comparing computers to biological systems. So the first one is that the person who was most moved by the analogy was another genius of the 20th century, John von Neumann. And John von Neumann, he was involved in the ENIAC, which is first electronic computer. And then he's very central to building the first digital computer, the EDVAC. Which uses a system that we talked about earlier of loading code into your computer and then loading data so you don't have to rebuild it every time.

0:37:58.0 SS: And so one of the things that von Neumann discovered when he was trying to build this computer was how ridiculously vulnerable they are. [laughter] Like one little vacuum tube, and it's gone. And he's like, "But human beings, or like moths or fruit flies, it's not like that at all."

0:38:21.2 SC: Yeah.

0:38:22.0 SS: Things get messed up all the time. And yet biological systems are so resilient. So he set out to figure out how could it be that biological systems are so resilient, but the computers that he had seen were so fragile. And he came up with the idea that what we need to understand that what biological systems do is that they're so resilient because they're self-replicating, that their parts, they can rebuild their parts. And this idea of, like... Von Neumann has, how can... How is self replication possible? Becomes the basis for how computer viruses and computer worms are possible.

0:39:09.6 SS: So the very things that make life possible also are the things that make computer viruses possible and that's a really fascinating... This is again, another one of these ideas, which is that you can't have the good without the bad. You can't have computers without hacking. You can't have life without the possibility of cancer or malware of sorts. So the connection between biological systems and computer systems, has been an incredibly important historical and intellectual analogy.

0:39:50.1 SC: Has any progress been made at getting computer systems, either hardware or software to be more self-repairing than they would be? It doesn't seem that way from my novice point of view.

0:40:00.6 SS: Yeah, no. So there are lots and lots of mathematical models out there for self-repairing automata. And, people have tried to... There's now efforts to create, especially using AI engines, self-repairing code.

0:40:29.1 SC: Right. Yeah.

0:40:31.4 SS: And so there have been all these, attempts. It will be fascinating to see when automata are sophisticated enough to take human form and they can regenerate their own parts, that will be...

0:40:53.5 SC: That'll be a thing.

0:40:53.9 SS: Unbelievable.

0:40:55.4 SC: Good. [laughter] All right. We don't wanna get too hung up. Robert Morris was a pioneer. Absolutely. But then we take a turn for the slightly darker, with literally Dark Avenger. These people are not the most creative at coming up with names for themselves, but Dark Avenger captures something.

0:41:06.9 SS: Right. Yeah, no. So, the second story is like the Bulgarian virus factories in the early 1990s. So for people who remember this stuff, Bulgarian viruses were like the big thing in the early 1990s. And I was fascinated by like, why? Like, why Bulgaria?

0:41:35.4 SC: Why that country, right?

0:41:36.0 SS: Of all places. Why were the Bulgarians so into virus writing? And why were they so good at it? And besides what are viruses? And so it turns out the story... So what I did talk about is like what computer viruses are, the self-replicating programs, which are user executed and don't use networks to travel. Which makes a lot of sense at the time. 'Cause in the early 1990s you don't really have personal computers hooked up to networks. It really... Viruses really do work... Travel via Sneakernet and the... So I was really interested in like what are viruses and how do they work? But there was this one person named Dark Avenger who was a cut above everyone else in writing viruses. And they traveled around the world and it caused a lot of problems for people.

0:42:43.1 SS: And this person was named Dark Avenger because he was really into heavy metal and in particular I believe it was Metallica and... No, I'm sorry, Iron Maiden, excuse me. Not Metallica, Iron Maiden. [laughter] And, he names his viruses after them. He's got strings of the songs in his viruses and people don't know who he is. Now that by itself is kind of interesting. But Dark Avenger does something which threatens to destroy the personal computer industry, which is that he figures out how to create a polymorphic virus engine. Meaning taking a virus, which is downcode, which is computer code, and introducing mutations so that every new virus that gets spread has a new genetic signature. [laughter] So it's like CRISPR but for computer code.

0:43:51.0 SS: And the way in which most antiviral software had worked at the time was called signature based. It scanned computer... Scanned programs to see does it have the kind of signature that we can identify with known viral samples. And what the mutation engine did was... Which was written by Dark Avenger is scrambled it every single time it was copied, which defeated the antiviral software. And everyone was really, really freaked out [laughter] 'cause how were they going to solve this problem?

0:44:35.8 SS: I will also say it gave me the opportunity to talk about upcode, like why Bulgaria? Bulgaria because at the time in the 1970s, and particularly in 1980s, Bulgaria was the Silicon Valley of the Eastern Bloc. And what you did was you had all these basically young men who were underemployed. They had excellent engineering educations. They were very good coders, but they had no outlet, they had no job to go to. And so they sat around doing fun stuff, making viruses that... So this becomes a kind of a main theme in the book, which is that so much of cyber crime is a response to underemployment in less developed tech economies.

0:45:27.7 SC: Do we know today who Dark Avenger is/was?

0:45:35.0 SS: So we... I do not. [laughter] so I...

0:45:36.7 SC: I don't.

0:45:38.6 SS: I do not. The person who did the most work understanding the mind of virus writers and, tried to and got very close to Dark Avenger, she knows. She will not tell me, because she believes she owes this person anonymity as a research subject. I will... I... After the podcast is over, I will tell you some communications I've gotten but, I don't know who it is. But I do speculate. There's a bunch of speculation in the book about who he or they are.

0:46:27.6 SC: And this is Sarah Gordon, the researcher who you're talking about?

0:46:28.5 SS: Yes. Exactly.

0:46:28.7 SC: We know who she is. Yeah.

0:46:30.7 SS: Sarah... Right. Yes. So Sarah Gordon is... She gets a virus. She buys a used computer, and she gets this ping pong virus. And she's like, "What's a virus?" And she get... She goes on the internet and there's no like web yet. So she goes to this thing called FidoNet, which is the, all these viral bulletin boards hooked up together. And she starts talking to people. And she was a... I mean, she's a fascinating person. She's... She did crisis counseling for young men, and she kind of got them. They were immature slightly stunted young men who hadn't aged out yet of the process of virus writing, but they probably would. And she got into... She was a pioneer... She is a pioneer. And she got a lot of blowback from saying that virus writers are not evil maniacs. [laughter] And I'm really happy because she was very courageous, went out there, made these claims and got pilloried by the antivirus community. And I'm really happy that like, maybe like 30 years later I've been able to kind of at least tell her side of the story.

0:47:48.0 SC: How much is this related to ongoing concerns just about young men being alienated and online extremism incel communities? I mean, as a world, at least in the Western world, are we just failing boys between 15 and 25 and some of them become hackers?

0:48:07.3 SS: Yes, I do think... I do think that that's right. So before there were in... There were hackers before incels. There were hackers before people who posted Pepe or Elon Musk tweets. Young boys... And let me just say something about the gender issue. They are almost all boys or young men. It is a well known phenomenon that in the virus... In the hacking community. There are of course women hackers. There are of course excellent, excellent women hackers. Women have achieved in very important leadership positions, in the cybersecurity community. But it is still, the gender imbalance is quite, bad. I always joke about like, the only time I ever have to wait to get into the men's room is at a hacking conference.

0:49:15.1 SS: Women... There's no line outside the women's bathroom. So these boys are just bored. They have these skills... And I understand it. I learnt and I know how to hack. Sometimes I wanna do it and break the law because it's... I mean, breaking law is not fun, but, hacking is really fun. And, of course they wanted to do it. And one of the suggestions that I make is... And this has been implemented by the UK, the Netherlands, United States is catching up to this, which is to try to create legitimate hacking venues. And to try to divert young offenders into the legitimate cybersecurity industry, as opposed to the, the black hat activities.

0:50:02.9 SC: And you emphasize in the book that despite what you might think, hacking has an absolutely crucial social aspect. Even if people are anonymous or pseudonymous on the internet, they want credit for the cool things they've done.

0:50:18.1 SS: Yes. I mean, this is the... I mean, I would say this was the most shocking social insight from my research, which was that hackers are not loners. The picture that they have is that they are freaks, they suffer from any sort of neurodivergent syndrome. They have multiple personalities disorders, they... Whatever. But that's just kind of not true. They're like... They're like you and me. Maybe they're a little kind of stunted, maybe they're little, they have social anxieties about face-to-face activities. But really they want clout. They want their peers online to think that they are excellent hackers. One of the things that, shocked me... I've been, fortunate to be able to talk to some of the hackers that I write about.

0:51:19.1 SS: One of the hacker... One of the hacking groups for the Mirai Botnet came to my class, my cybersecurity class and spoke to my class along with the FBI agent that caught them. And one of the things I was really fascinated by the just... Maybe we'll talk about it later, but the Mirai Botnet, three teenagers who created this botnet which took down the internet, they get caught in part because they released the code, onto the internet. Coders really wanna know what other coders think of their code and that is really amazing. [laughter] And people are really social. Human beings are social, and even hackers are social. And if you really want to divert them away from kind of the dark side, you should give them social incentives to participate, like capture the flag competitions, mentoring, things like that. Which is, programs which have been created, which I think are really, really promising ways of addressing this problem.

0:52:40.0 SC: Well, let's talk about the Mirai Botnet. We don't need to go in the same order that you went in your book, but it naturally leads in because this question of motivations is just a crucial one. And as I understand it, Paras Jha was just upset he couldn't get into a certain class at Rutgers, and that set him down a path. [laughter]

0:53:00.8 SS: Yeah, I mean, it's just... I mean, he doesn't wanna take his calculus exam and so... Well, the first thing he does is he wants to get into, an elective class. So he gets in... He's a first year student at Rutgers, and he wants to get into a... In a higher...

0:53:22.0 SC: Yeah. An upper level elective.

0:53:25.2 SS: An advanced, an upper level computer course. I'm a professor and I can't even remember the terms for academic courses. Right. So he wants to get into an upper level course. And as we know, normally, first year students are not given priority in registration. More advanced students are. So what he did was, is he DDoSed the registration website, so no one was able to do it. And then when the thing comes back on, he then signs up for it and then he uses, he DDoSes the... Basically the main Rutgers system, 'cause he doesn't want to take his calculus exam. And then he keeps on doing this. He really does not like the fact that Rutgers, in order to mitigate the... I should just define, DDoS a Distributed Denial of Service attack.

0:54:20.6 SS: It's an attempt to take, computer website network offline by overloading it and consuming its resources. He's really upset that the firm that Rutgers hires Incapsula, to mitigate these DDoS attacks, doesn't use his firm. 'Cause Paras had this, firm called ProTraf where he did DDoS mitigation. So it's like a classic offer you can't refuse.

0:54:47.9 SC: Yeah.

0:54:49.1 SS: He says to... Basically he's saying to Rutgers, use my mitigation company because your mitigation company is terrible because I can break it. [laughter] And which he did, he just kept on breaking it. And cost the... Rutgers had to increase their tuition by several percent in order to pay for all the cybersecurity stuff. So it was fun and games, but actually it spread costs to the entire student body.

0:55:22.9 SC: And even though it was fun and games, that legally, it's just good old fashioned racketeering. He was a shakedown.

0:55:28.1 SS: Yeah. It's a classic offer you can't refuse. It's racketeering. And it is a very standard story in the history of cybersecurity. That the ones who purvey the cures are often the ones who are also purveying the diseases. It's really amazing. So you offer protection services for problems that you yourself create. [laughter] That's a very kind of standard mob technique. And that's what... That's what happens a lot when it comes to DDoS protection.

0:56:04.0 SC: And the interesting wrinkle, technologically, downstream from this was the actual Mirai Botnet took advantage of the internet of things, right? It sort of spread itself to devices other than computers and so forth. Right. And that's a scary new thing we're gonna have to confront.

0:56:22.9 SS: Right. Yeah. So one of the... So one argument that I make in the book about why upcode... We should be thinking about upcode rather than downcode is that upcode shapes downcode gives people incentives to produce code of certain type. Another reason why upcode is the thing we should be focusing on rather than downcode. And this story exemplifies this reason, is that the downcode uses data produced by the upcode. So just think about it like this, so it doesn't matter how good your operating system is. It doesn't matter how good your cryptography is. None of that matters, is if you go to human resources or IT of your company or a different company and you ask them for credentials to somebody else's account and they give it to you.

0:57:15.4 SS: So the upcode here would be the corporate policies or the academic policies about who's entitled to what data. So it doesn't actually matter how good your operating system is, if like the upcode is just undermining it. So this is exactly what happens in the Mirai Botnet. The Mirai Botnet takes advantages of what you said, the internet of things. The internet of things is like smart toasters and camcorders and things like that, which are devices which are hooked up to the internet and which communicate with each other rather than communicating primarily with human beings.

0:57:52.3 SS: And what... When these internet of things came online in 2014, 2015, 2016, they don't really come with any security controls. The passwords are default passwords, like 123 or password or admin or whatever, because who's gonna worry about the security of their toaster? And these Mirai guys, they realized, wait a second if there are these... All these default passwords, default passwords which they just found through Google, 'cause they're in the manuals. So they download the PDFs and the manual, they look at the passwords, they build a worm-like, not a worm, but a worm-like botnet that exploits these default passwords and then are able to create in just such an enormous digital cannon.

0:58:51.2 SC: That I remember in October 21st, 2016, right before the election, I remember my internet goes out for most of the day. And of course, everyone thinks it's Russia, and it turns out to be these kids who just exploit this very simple upcode vulnerability using default passwords. And so they just entered into these toasters and then generate this enormous botnet which can take down the internet. And again, it's another example of, it doesn't matter how good your tech is if your policy surrounding it are bad.

0:59:34.5 SC: And this is the case where they uploaded their code to the internet, so anyone can do it. My impression is that these sets of worms are still going around.

0:59:43.9 SS: Yes, exactly. There are many, many, many different variants of the Mirai Botnet still around. One's called Satori. One of the things also that you learn from doing this stuff is like hackers lie. I hate to break it to you, but... So what they'll often do is they'll often take the same malware and they'll rename it with a different anime name. And then say it's the new improved malware. Or somebody will take it and they will package it as their own and they'll re-brand it as the Matsasuko variant or something like that.

1:00:26.8 SS: But this is still causing significant problems around the world through their quite irresponsible action of just releasing this very powerful malware onto the internet. Boys, young men make terrible mistakes. These three boys, young men have... They plead. They're facing many years in jail, but the FBI and the FBI agent who catches them a Special Agent, Elliott Peterson has this idea that what if we can use these skilled professionals for law enforcement. And so instead of putting them in jail, the court orders them for 2500 hours of community service, where they are helping the FBI catch a lot of these malware purveyors. So you have this kind of catch me if you can patch me if you can type situation. So I think this is a really excellent model for how to deal with some of these offenders. And they're almost finished with their community service, in October they'll be finished. And they're fascinating people.

1:01:58.1 SC: Well, speaking of young men and exploiting the upcode there is... We can't get away without talking about Paris Hilton's cell phone.

1:02:06.7 SS: Right, yeah. So Paris Hilton... One thing so upsetting is that some of my students don't know who Paris Hilton is, which really... Doing this book really made me feel old. So Paris Hilton, of course it girl in 2005. Big news that her cell phone was hacked and nude photos were posted on the internet, and you can't get them down. And the big question is how the hell... How in the world does this happen? So Paris Hilton, she comes on the scene around 2001, she's like everywhere, every form of media is Paris Hilton, Paris Hilton, Paris Hilton and then we wanna...

1:02:50.3 SS: And then her phone, her cell phone gets hacked. And people are like, "How could you hack her phone? She's constantly surrounded by bodyguards." Who's gonna snatch her phone and do something. People don't realize that in 2004, 2005, we have this new invention called the cloud. And that is not... Her cell phone is not hacked, it is the cloud that is hacked and it is hacked by a 16-year-old boy known as Cameron LaCroix who figures out how to exploit web interfaces in order to gain access to data on cell phones. And he manages to get Paris Hilton's phone number, he knows that she has a T-Mobile account because he sees it... Commercials which she's in with Snoop Dogg. And then calls up a T-Mobile... Calls up a T-Mobile office in California and says that he's from corporate headquarters and he wants the username and password to their system to check if everything is okay, and the manager gives it to him.

1:04:05.3 SC: That's the problem right there.

1:04:05.4 SS: And so he goes and looks at Paris Hilton's number, and he gets it. And then he realizes that if he wants to register a T-Mobile account, all he has to do is use a Sidekick. Sidekick at the time had a deal with T-Mobile that they would use... That that would be the carrier. And so if you try to register your phone from the Sidekick, T-Mobile assumed that you were T-Mobile customer. Once he realized that he went to his browser, told his browser to pretend to be the Sidekick's browser, and then entered Paris Hilton's number and got all of her data.

1:04:53.1 SS: I mean, so it's just... It's a store... And then when you, "Why did he do it? Why did he do it?" 'Cause he wanted to be famous. So there's just like the upcode... So you have Paris Hilton, who's of course famous for being famous. You have this 16-year-old boy who... His mother dies when he was two years old from a fentanyl overdose, he has depression, he's suffering through various types of mental health concerns, and he wants to be famous. And he exploits these terrible corporate policies of T-Mobile, like give your password over to somebody who claims they're from corporate. Or let's build terrible, terrible authentication systems that don't work. Why are they doing it? Because they're trying to gain as much market share as they possibly can. So the hackers out there can be disappointed because it turns out that the hack was so simple.

1:05:55.2 SS: By the way, nobody knows the story. Now, people will know the story. I was able to track Cameron LaCroix and after four years because he was in jail and jail during COVID, and it took me a very long time to catch... To track him down. It took me about three years, and then two weeks before the book had to literally go to press, I found out the story, the true story of how he hacked her, so...

1:06:21.6 SC: Oh, okay. Wow.

1:06:22.3 SS: Let's move it along.

1:06:23.8 SC: Yeah. Yeah, well, and there are themes emerging here, right? There's an intrinsic worry with computers because code and data are not two separate things. Things become more difficult to control when everything is connected to everything else. Where there's a cloud, where there's these devices, and the human beings are the weakest link in almost all of these stories.

1:06:47.7 SS: Yes, absolutely. When all bottoms out, it's like human beings behind the keyboard. And one of the things... So people might say, "What is a law professor doing writing about cybersecurity?" And I wanna say, one of the things that law professors do is that we're coders, we're up coders. We think about and we help teach students how to design and how to implement upcode. And I teach students how to hack 'cause I want them to understand the downcode, the technology, but really what I want them to understand is how might we change the rules to give people the proper incentives, either to produce really good downcode or to ensure that they don't get fooled by bad downcode.

1:07:44.7 SS: And so that's the mission. I think it's a much more efficient, cost-effective way of trying to solve these problems and telling these stories are ways of getting people to see. So I explain all the technical stuff, what a buffer overflow is. What... How SQL injections work, yada, yada yada. But I also want them to appreciate that there's this other story going on... Actually, there're two other stories, there's a philosophical story, which we talked about earlier, and then there's the social upcode story, which is in many ways doing so much of the work, and it gets hidden because people get understandably freaked out by a technical subject like cybersecurity. And they shut off and they think, what can I contribute? Actually a tremendous amount because you understand how human beings work.

1:08:45.6 SC: And I think it kind of all comes together, but in a slightly darker way in the Fancy Bear story, which gives your book its title, and I know that it was the fourth of the five that you talk about. But to me, it's the culmination of the whole thing, 'cause it was malicious from the start, it was not a 16-year-old just messing around, so I don't know, there's a lot of threads that come into it, where do you like to start telling that story?

1:09:09.7 SS: Yeah. So many of the people in my book that initially... There's a standard trope which runs through so much of cybersecurity history, but certainly this book, there's a hack, it's spectacular. Some nation state, probably Russia did it, and it kinda often turns out that it's like teenagers. Okay. But sometimes it turns out to be Russia. And one of the things I wanted to show was like if you just look at the technical indicators.

1:09:43.8 SS: Yes, of course, attribution is always hard, and you can trick people and babble at false flags and all that stuff, disinformation and all that. But it's unbelievably hard to say that Russia did not hack the DNC. When you actually just kinda lay out what we know from publicly available sources. That's the first thing. The second thing is, so I really was so fascinated by just like with the Bulgaria case, why are all viruses coming from Bulgaria? I was like, Why did this happen? One of the central mysteries of the DNC case is the fact that the FBI... It took the FBI a year from learning that Russia was in the DNC networks, to actually getting them to focus on and meeting up with them to take care of it.

1:10:34.0 SS: And the question is, why did the FBI take so long to contact the Democratic National Committee that Russians were in their network. The second question is, it takes about six months for the DNC to get back to the FBI. Why don't they take it seriously? So it feels like everyone's messing up, everyone's acting irresponsibly. But if actually you understand the upcode, you'll see that everyone's acting perfectly rationally because there's this one thing that is so central to the way the world works that most people don't know. Which is that when hacking is done for the purposes of collecting national security information, it is known as espionage, spying.

1:11:21.0 SS: And the spying is legal under international law, that is why every state hacks every other state. So the fact that the FBI knows that the Russia has hacked or has gained a foothold in the Democratic National Committee Network, I think the response is, tell me something, I don't know. The Russians had tried to get into the White House, the Pentagon, the Joint Chiefs earlier, they get thrown out. And so what do you do if you're an intelligence agency, you start looking wider, you start looking for softer targets. The Russians aren't just in the DNC, they're in Brookings, they're in political science departments around the country, they're just looking everywhere.

1:12:10.7 SS: So it's like, dog bites man, news at 11. It's like not news for people, so they don't take that seriously. And then the DNC on the other hand, why doesn't the DNC respond? Well, one of the things you also have to understand about the FBI is that it's a very unusual institution because it's a hybrid one, half intelligence agency, they catch spies in the United States. But another half, they're the main federal law enforcement agency. And so at the time that the DNC is being hacked, Hillary Clinton is being investigated for her private email server. And so it's highly likely bordering on certainty that the DNC is worried that the FBI is contacting them 'cause they want information about Hillary's emails.

1:13:05.9 SS: Here's another upcode piece that most people don't know. FBI prosecutors may not lie, FBI agents are. They are allowed to lie. The person who contacted the DNC was from the law enforcement side, and he was an agent, he wasn't lying, but he was allowed to lie. So on the one hand, you have the FBI basically calling around to everyone saying, "You probably have Russians in your system." The DNC is like, "Ugh, you're not gonna fool me." and so everyone's kind of acting rationally, given the circumstance of the way intelligence and the FBI works and the cultural, social, political setting at the time.

1:13:57.2 SS: And it all comes together because there's one other change in upcode that nobody predicts, that is the basic principle, is that of course, other states are allowed to invade the digital systems of another to collect at least national security information. But you're supposed to keep it quiet, you're not supposed to dump it. And Cozy Bear, which is in the network for a year, they just keep the information because they're trying to produce analysis for the Kremlin. Whereas, Fancy Bear takes this information and does something which had not been done before, which is this massive dump of information, which takes something from espionage and turns it more into something that some people have been tempted to say, is cyber war.

1:14:51.2 SS: So everyone's following the upcode at the time. And the big disaster happens because there's a change. And I think when you think about it that way, things become much more explicable. It seems to make sense. It's not a mystery. And then we should start thinking, How do we deal with these situations?

1:15:10.7 SC: And I always like to imagine that someone 50 years from now is listening to these podcasts. So just to be perfectly clear, this was a hack that we're pretty sure is done by the Russian government of the Democratic National Committee, the political party. And they released a lot of emails right before a Presidential election and it might have had a kind of big impact on that Presidential election.

1:15:33.2 SS: Yes, I'm sorry, you're absolutely right. I was assuming that everyone knows about the DNC hacks by Russia in 2016, but now we think that... So seven years ago.

1:15:46.4 SC: I know.

1:15:48.7 SS: It's so real to me. It's so live. But you're right, that's exactly what happened, and I should have explained that.

1:15:54.2 SC: And you do a pretty good job to the extent that it's even possible, which is very hard of painting the reality of this Russian agency. We know a little bit about it, right?

1:16:05.7 SS: Yeah, actually, we know a lot about it because as it turns out, I was speaking to somebody very high up in the CIA who once told me the biggest problem the CIA faces is that no one can be a spy anymore. Why? Because unless you are raised in a hermetically sealed box, you have social media accounts, so you have tons of things that we say on the internet, especially like if you're 13, 14, 15, 16 years old. And then maybe you get recruited by the Russian government at some point and you go into the intelligence agency, and then you have all these people like Bellingcat and these the open source intelligence firms going around looking at Russian Facebook and trying to see, do these people have a Facebook account? And yes, they do. And you know the amazing things that you can find like Fancy Bear when they registered their cars, they used Fancy Bear's address.

1:17:16.1 SS: They don't have very good operational security as it turns out. But one of the... I mean, I think the big lesson here is that in a world where everyone is connected in a world of social media it's unbelievably difficult to be anonymous. And so now if you look up, you can learn a lot about the various Bears. [laughter] I talk about some of these people in the book but you can learn a lot about them if you Google, because there are researchers out there that are mining the internet for all this.

1:17:51.0 SC: And yet despite the... According with the themes that we've been talking about, despite the massive resources of this state-sponsored agency technologically and so forth, the crucial step as I understand it, was John Podesta giving up his password to the Russians. [laughter]

1:18:10.9 SS: Yeah. This makes me cringe so, so bad because... Let me begin by saying that securing a political campaign is incredibly difficult. It's incredibly difficult. 'Cause lots of times people come in from outside as to be part of the campaign, and they have a zillion social media accounts. They have different phones, they have different... And so there are just so many ways to get into a political campaign. So let me just begin by saying that it's a very, very difficult problem to secure a political campaign. So the IT person, they don't actually have a dedicated IT person. It's a consultant. And I'm gonna back up because... Let me back. Okay. John Podesta. One of the ironies of... "But her emails," the Hillary Clinton email scandal, is that her campaign had excellent cybersecurity. [laughter]

1:19:30.5 SS: They used two-factor authentication. Robby Mook the campaign manager had signs on the bathroom mirror saying, "You don't share your toothbrush, don't share your password." The Russians initially were not able to get into Hillary for America. So what did they do? They started looking around and they started going after the personal accounts. In this case, the Gmail accounts of people high up in the campaign. And they targeted John Podesta. John Podesta got a phishing email, which had said that Google... It was ostensibly from Google. It was not, it was from Fancy Bear. It was sent out during Moscow working hours. And it said that somebody has your password, you should change it. And John Podesta sends his email to IT saying, "Hey is this legitimate?" And the guy writes back, "This is a legitimate email." And he claims he meant to say, "This is not a legitimate email."

1:20:47.8 SC: I love that story. [laughter] And it's even plausible.

1:20:50.9 SS: It just makes you...

1:20:51.8 SC: It could be true.

1:20:52.6 SS: Just want to die. Now I would say, it sounds like a lie, but I believe it. And the reason why I believe it is because, like, IT had been seeing these phishing emails come across the network for several weeks before they caught Podesta. So it's highly unlikely that... Oh, I should say from the outside, it seems unlikely that they were fooled. I think he meant to say, "This is not a legitimate email." And he just... Sometimes we mistype and oh my lord you know...

1:21:38.4 SC: Butterfly effect.

1:21:38.9 SS: He changes his password which is handing his password to... Credentials to Russian military intelligence. They immediately go in, change the password, get all of his files, and it becomes a scandal when they release Podesta's shrimp risotto recipe. [laughter] It just shows how it was the appearance of something... The doxing. Well, it wasn't exactly doxing, the exfiltration and dumping of the information. There wasn't that much in the information that was so important or politically damaging. There was some things that were, but it was more the appearance of people dumping all this information and saying, "Oh my God, look at this. This is a corrupt organisation." And people are like, "Oh, yeah, I guess you're right." And so that just you know... Again a serious human vulnerability, which led to very damaging political consequences.

1:22:49.8 SC: And presumably, it's not the last that we're seeing of this. And I know that it is hard to predict the future, but I mean, maybe say for our final wrap up thought here a little bit about how you tried to write a book that straddles the line between crazy alarmist and, oh, don't worry. Well, here's how to fix it.

1:23:10.7 SS: Yeah, no, that's right. So I think cybersecurity books have this, on the one hand, we're all gonna die part to it. I mean, and then we're seeing this with AI we're all gonna die. And then the other side is like, eat your vegetables. Make sure your password is 20 characters long. It's just like this. Just bummer. And so what I try to do is I try to kind of steer between alarmism and complacency. So here's kind of bottom line I would say to people, most people... Hackers don't care about you. They don't even care about your data so much. By which I mean like the pictures of your kids or the kind of you know arch thing you said about your friend over email. What they want is to make money.

1:24:08.6 SS: And it's a high volume business. They're scanning the internet. They're sending out these phishing emails. And basically they do not want to get into your computer because they wanna spy on you, see you make dinner. What they want is to either, pull your laptop into a botnet, or they want to use it... They want to exfiltrate your banking information, credit card information. Maybe they wanna encrypt your hard drive. They don't wanna spend that much time on you. And so they wanna catch the people who are kind of reckless. Who don't really take any precautions, who essentially leave the keys in their car with the door unlocked running. Don't click on links from people you don't know. [laughter] Don't wait 20 months before you update your computer. It doesn't mean you ain't gotta do it this second, just don't be reckless.

1:25:13.8 SS: If you are not reckless, for most of us, we will be fine because we just have to be faster than the next guy. We just have to make sure that we are not an easy target. That is not true for so-called high value targets. High value targets, which I'm including journalists, politicians, people in the C-suite, you know, CEO, CFOs, COOs, human rights activists, people like that, government officials. They are high value targets. They must assume that they are being targeted. They should have professional help, unless they're sophisticated. And I'm not being an alarmist to say if you're a human rights activist or a journalist or CEO, you really need to be really battened down because people will try to get you. Another thing I wanna say is that there's no way we will ever stop the hacking of nation states, against nation states for the purposes of getting national security information, because that's what states do.

1:26:27.0 SS: Their job is to protect their state, maybe their power. And it is legal. It's probably beneficial for states to know secrets of other states. So the person who reads this book, who's not a high value target, I think it's some very basic things that you can do not to get yourself in harm's way. But if you are a high value target, I will describe the various ways in which you could get caught and you really ought to seek expert help.

1:27:08.8 SC: Well, I think that almost by definition, every listener of the Mindscape Podcast is a high value target. [laughter] So I think that they should all buy your book and that will be very helpful to them. [laughter]

1:27:17.9 SS: Yeah, no, that's absolutely right. I mean, it's reckless not to buy my book.

1:27:22.6 SC: It's reckless. We wouldn't want that. So, Scott Shapiro, thanks so much for being on the Mindscape Podcast.

1:27:27.8 SS: Oh, thank you so much. This was really fun. I really appreciate it. Thank you.

[music]
