WEBVTT

00:00:00.240 --> 00:00:02.530
JACK: Hey, it’s Jack, host of the show.

00:00:02.530 --> 00:00:04.720
When I was a kid, I got an ant farm for my birthday.

00:00:04.720 --> 00:00:09.270
It’s like, two panes of glass with some sand in between and you can watch the ants

00:00:09.270 --> 00:00:10.670
dig tunnels and go about their day.

00:00:10.670 --> 00:00:13.200
It was really cool.

00:00:13.200 --> 00:00:17.610
But when you get the ant farm, it doesn’t contain any ants.

00:00:17.610 --> 00:00:20.970
You have to order the ants and they’re mailed to you.

00:00:20.970 --> 00:00:26.020
The first thing I thought about when I was a kid and I heard about this was wait a minute,

00:00:26.020 --> 00:00:29.380
I can mail ants to anyone I want?

00:00:29.380 --> 00:00:34.010
I think that is basically the hacker mindset; to completely ignore something’s intended

00:00:34.010 --> 00:00:36.910
use and find new ways to employ it.

00:00:36.910 --> 00:00:41.011
Today we’re gonna talk with a hacker who sees the world this way, and we’ll hear

00:00:41.011 --> 00:00:45.300
all the joy and trouble it’s brought him over the years.

00:00:45.300 --> 00:00:53.680
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:53.680 --> 00:00:58.900
I’m Jack Rhysider.

00:00:58.900 --> 00:01:02.150
This is Darknet Diaries.

00:01:02.150 --> 00:01:07.640
[INTRO MUSIC ENDS]

00:01:07.640 --> 00:01:19.890
JACK: Okay, today we’re gonna have a chat with someone so infamous he has his own worm

00:01:19.890 --> 00:01:22.180
named after him; the Samy worm.

00:01:22.180 --> 00:01:25.939
That’s right; today we’re talking with Samy Kamkar.

00:01:25.939 --> 00:01:28.570
Samy is a hacker in almost every way.

00:01:28.570 --> 00:01:29.900
He does things he’s not supposed to do.

00:01:29.900 --> 00:01:34.600
He’s the kind of guy that thinks buttons are toys and you push them for fun just to

00:01:34.600 --> 00:01:38.049
see what they do which often ends up breaking something.

00:01:38.049 --> 00:01:40.369
SAMY: I was never a malicious person at all.

00:01:40.369 --> 00:01:44.130
All this hacking, all of this exploitation, it’s really about a puzzle.

00:01:44.130 --> 00:01:46.720
To me, this was all a puzzle, a really fun puzzle.

00:01:46.720 --> 00:01:51.490
JACK: There’s a lot of reasons to call Samy infamous but to tell his story, we need to

00:01:51.490 --> 00:01:54.149
go back to his childhood.

00:01:54.149 --> 00:02:00.500
SAMY: [MUSIC] When I was nine years old, my mom bought me my first computer.

00:02:00.500 --> 00:02:04.049
She sort of spent everything she had so I’d have something to do during the summer.

00:02:04.049 --> 00:02:08.459
She knew I loved computers; I’d always go to the library with her or to her university

00:02:08.459 --> 00:02:13.790
and go and just spend all day at the library on the computers that they had.

00:02:13.790 --> 00:02:18.780
Immediately, I went online and I started searching for the X-Files, which is obviously the best

00:02:18.780 --> 00:02:20.330
TV show of the time.

00:02:20.330 --> 00:02:25.670
I found some message boards and that quickly became really frustrating to have to refresh

00:02:25.670 --> 00:02:27.910
and refresh and wait for people to update that message board.

00:02:27.910 --> 00:02:32.700
Then, I found something called IRC, Internet Relay Chat.

00:02:32.700 --> 00:02:37.010
I jumped on, I went into a channel and said hey, who wants to chat about the X-Files?

00:02:37.010 --> 00:02:40.310
Immediately someone told me get out.

00:02:40.310 --> 00:02:44.769
I’m thinking that’s weird; this is a random person I don’t know on the internet and

00:02:44.769 --> 00:02:46.110
they’re telling me to do something?

00:02:46.110 --> 00:02:47.110
No.

00:02:47.110 --> 00:02:48.870
So, I told the guy no.

00:02:48.870 --> 00:02:52.300
Then he said you have ten seconds to get out of this chat room.

00:02:52.300 --> 00:02:54.150
I said no.

00:02:54.150 --> 00:02:59.510
Ten seconds later, the brand-new computer that my mom spent everything on crashes.

00:02:59.510 --> 00:03:02.540
I had a blue screen and I freaked out.

00:03:02.540 --> 00:03:03.930
I had no idea what to do.

00:03:03.930 --> 00:03:07.680
I pulled the power from the back of the computer.

00:03:07.680 --> 00:03:12.040
I waited about half an hour for all the bad stuff to get out of the computer; I think

00:03:12.040 --> 00:03:15.750
that’s what you’re supposed to do, and then I plugged it back in.

00:03:15.750 --> 00:03:18.290
Fortunately, it came back up.

00:03:18.290 --> 00:03:24.209
Everything was fine but really, with the adrenaline still rushing through my veins, I was thinking

00:03:24.209 --> 00:03:26.220
that is the coolest thing ever.

00:03:26.220 --> 00:03:27.330
How do I do that?

00:03:27.330 --> 00:03:32.989
JACK: [MUSIC] From that point forward, Samy was addicted to computers.

00:03:32.989 --> 00:03:34.520
This was so fascinating to him.

00:03:34.520 --> 00:03:38.830
He wanted to understand how this had been possible so he began studying computers and

00:03:38.830 --> 00:03:40.770
practicing programming.

00:03:40.770 --> 00:03:44.659
Since he now had a computer at home, he got into video games, too.

00:03:44.659 --> 00:03:48.080
Counter-Strike was his favorite game; you know, the first-person shooter?

00:03:48.080 --> 00:03:49.390
He played it a lot.

00:03:49.390 --> 00:03:51.001
[00:05:00] He was addicted to it.

00:03:51.001 --> 00:03:53.940
SAMY: It was fun, I mean, it was a ton of fun.

00:03:53.940 --> 00:03:58.370
I had a clan and was playing with a bunch of friends in high school.

00:03:58.370 --> 00:04:02.099
I remember just one day I was playing and I heard some footsteps.

00:04:02.099 --> 00:04:07.730
My computer has two speakers, one on the left side and one on the right side, so some stereo

00:04:07.730 --> 00:04:08.730
sound.

00:04:08.730 --> 00:04:11.470
[FOOTSTEPS] I hear some footsteps coming from the right speaker.

00:04:11.470 --> 00:04:15.150
Then I hear them panning to the left speaker, so that immediately tells me oh, there’s

00:04:15.150 --> 00:04:19.190
someone behind me, ‘cause I can’t see them in my visual field of view in the game.

00:04:19.190 --> 00:04:23.760
Immediately, I’m like wait, that means someone is behind me in the game.

00:04:23.760 --> 00:04:27.600
This is a live person, someone else on the internet playing Counter-Strike with me, but

00:04:27.600 --> 00:04:30.970
I can’t see them in my radar which means they’re on the opposing team.

00:04:30.970 --> 00:04:36.120
I wondered right then, couldn’t I really use that information, that sound information

00:04:36.120 --> 00:04:37.580
on the computer itself?

00:04:37.580 --> 00:04:43.410
I’m sure that person killed me pretty quickly, but afterwards I exited Counter-Strike and

00:04:43.410 --> 00:04:45.759
I started looking into how can I pull that information?

00:04:45.759 --> 00:04:49.890
What’s telling the computer to play footsteps on the right speaker rather than the left

00:04:49.890 --> 00:04:50.890
speaker?

00:04:50.890 --> 00:04:53.860
Because that means there’s positional information there, that someone is on the right side versus

00:04:53.860 --> 00:04:54.860
the left side.

00:04:54.860 --> 00:05:00.620
Sure enough, I started learning about packet sniffing, and then memory injection, and intercepting

00:05:00.620 --> 00:05:05.870
function calls within the DLLs of Counter-Strike itself, and intercepting basically everything

00:05:05.870 --> 00:05:11.130
between the binary, the Counter-Strike executable, and the DLLs that it used so that I could

00:05:11.130 --> 00:05:12.389
intercept things like footsteps.

00:05:12.389 --> 00:05:17.810
Once I would hook that function, I was then able to get exact coordinates of everyone,

00:05:17.810 --> 00:05:21.400
because everyone’s footsteps are actually being sent to you, at least within some range.

00:05:21.400 --> 00:05:25.060
You will then get that and that’s just telling your computer where to play that sound, but

00:05:25.060 --> 00:05:28.040
that location is exactly where that person is located.

00:05:28.040 --> 00:05:32.370
At that point, I started using OpenGL at the time and just drawing where the user is on

00:05:32.370 --> 00:05:35.820
the map in a little heads-up display, in a little radar.

00:05:35.820 --> 00:05:39.060
Then I started sort of jumping into writing Counter-Strike cheat software.

00:05:39.060 --> 00:05:40.080
That was a lot of fun.

00:05:40.080 --> 00:05:42.180
JACK: What were some of the cheats you could do?

00:05:42.180 --> 00:05:48.440
SAMY: Just writing aim bots, so being automatically aiming at people, being able to make any smoke

00:05:48.440 --> 00:05:52.290
bomb or smoke grenade, or flash bang, just make those transparent to me.

00:05:52.290 --> 00:05:57.680
I could go into a room that I knew was full of opposing team members and throw in a flash

00:05:57.680 --> 00:05:58.680
bang.

00:05:58.680 --> 00:06:01.320
They’re all gonna see white for three seconds and I’m gonna run in there and see absolutely

00:06:01.320 --> 00:06:05.380
nothing because I’ve hooked that function and said do nothing; just return out, do a

00:06:05.380 --> 00:06:10.030
return before you actually do any of the visualization to wipe my screen.

00:06:10.030 --> 00:06:12.240
Little things like that became really fun.

00:06:12.240 --> 00:06:13.690
I couldn’t actually modify my health.

00:06:13.690 --> 00:06:16.790
That was controlled by the server so I couldn’t actually make myself invincible.

00:06:16.790 --> 00:06:20.970
Adding zoom to every weapon, so weapons that didn’t normally have zoom or might have

00:06:20.970 --> 00:06:24.790
a scope on them so you’d lose a lot of the screen because it’s now blacked out.

00:06:24.790 --> 00:06:27.100
I would just remove those – there’s no reason that a screen needs to be blacked out.

00:06:27.100 --> 00:06:28.320
I would remove that.

00:06:28.320 --> 00:06:31.650
There’s no reason that zoom should be better in one weapon and not the other, so I added

00:06:31.650 --> 00:06:33.790
zoom to all weapons.

00:06:33.790 --> 00:06:40.750
This is all totally unfair, and pretty quickly it actually became not fun at all.

00:06:40.750 --> 00:06:44.690
All the fun of the game went away entirely because all of a sudden it was practically

00:06:44.690 --> 00:06:45.690
god-mode.

00:06:45.690 --> 00:06:49.160
JACK: Samy released the Counter-Strike cheats as open-source software.

00:06:49.160 --> 00:06:51.970
He was beginning to get bored playing the game.

00:06:51.970 --> 00:06:54.410
Then PunkBuster came out.

00:06:54.410 --> 00:06:58.500
PunkBuster is a program that’s designed to scan the memory to see if anyone is cheating

00:06:58.500 --> 00:06:59.750
in the game.

00:06:59.750 --> 00:07:06.680
PunkBuster stopped Samy from using his cheats, but now the new game was for Samy to try to

00:07:06.680 --> 00:07:10.230
circumvent whatever PunkBuster was using to detect him.

00:07:10.230 --> 00:07:14.699
SAMY: All of a sudden, this game was fun again because I was no longer playing the game.

00:07:14.699 --> 00:07:17.789
I was now playing against these engineers on PunkBuster.

00:07:17.789 --> 00:07:20.699
They were doing their own memory inspection; they were looking for my process.

00:07:20.699 --> 00:07:24.849
They were doing all sorts of things to stop my cheats and other people’s cheats as well.

00:07:24.849 --> 00:07:26.490
That became fun.

00:07:26.490 --> 00:07:28.230
At that point, I was probably fifteen years old.

00:07:28.230 --> 00:07:33.569
I was so attached to this that I stopped going to high school and I started updating my cheats

00:07:33.569 --> 00:07:36.349
because this was just so fun, and it would be cat and mouse.

00:07:36.349 --> 00:07:40.930
I would release a new version that defeated their software and two days later, they would

00:07:40.930 --> 00:07:43.630
release a new version and then I would have to figure out what did they do?

00:07:43.630 --> 00:07:45.099
How did they figure it out?

00:07:45.099 --> 00:07:46.410
That was like, training.

00:07:46.410 --> 00:07:51.620
It was sort of very rapid training in how does, at the very least, software networking

00:07:51.620 --> 00:07:52.620
work?

00:07:52.620 --> 00:07:56.100
I think I probably learned a ton just during that short stint when I was writing this cheat

00:07:56.100 --> 00:07:57.100
software.

00:07:57.100 --> 00:07:58.510
JACK: At sixteen, you dropped out of high school.

00:07:58.510 --> 00:07:59.510
SAMY: Yeah.

00:07:59.510 --> 00:08:00.780
JACK: What did you do after that?

00:08:00.780 --> 00:08:02.310
SAMY: I wasn’t good at school.

00:08:02.310 --> 00:08:04.720
I didn’t care about most classes so I did not do well.

00:08:04.720 --> 00:08:06.440
I was not a good learner.

00:08:06.440 --> 00:08:08.530
No one ever taught me how to learn something.

00:08:08.530 --> 00:08:10.919
I think that was something that I learned later in life.

00:08:10.919 --> 00:08:15.130
I just wish there were tools that were taught at school for me.

00:08:15.130 --> 00:08:17.180
I think I would have been a much better student.

00:08:17.180 --> 00:08:21.620
However, if I’m enjoying something, then I’ll absolutely learn it, right, I’ll

00:08:21.620 --> 00:08:22.620
spend all my time on it.

00:08:22.620 --> 00:08:27.240
I’m still not necessarily a fast learner; I’ve always known that people can pick up

00:08:27.240 --> 00:08:30.569
stuff much faster than me but if there’s something I enjoy, then I’m just gonna spend

00:08:30.569 --> 00:08:31.569
all my time on it.

00:08:31.569 --> 00:08:32.720
I’m very persistent.

00:08:32.720 --> 00:08:36.620
JACK: Samy was living at home with his mom in Los Angeles at the time.

00:08:36.620 --> 00:08:41.969
She had recently lost her job and now that she was home more often, she noticed Samy

00:08:41.969 --> 00:08:45.910
wasn’t going to school and told him if he’s not gonna go to school, he needs to get a

00:08:45.910 --> 00:08:47.400
job to help pay the rent.

00:08:47.400 --> 00:08:50.779
So, Samy started applying for [00:10:00] any job he thought he could get.

00:08:50.779 --> 00:08:54.779
SAMY: I got an e-mail out of the blue from a company in San Diego and said hey, we saw

00:08:54.779 --> 00:08:57.500
your cheat software, your Counter-Strike stuff.

00:08:57.500 --> 00:09:02.690
[MUSIC] Will you be willing to contract and just write code for us remotely?

00:09:02.690 --> 00:09:03.690
I was blown away.

00:09:03.690 --> 00:09:06.640
I was like wait; someone will pay me to write code?

00:09:06.640 --> 00:09:10.660
I thought this was just useful for basically writing cheat software.

00:09:10.660 --> 00:09:12.920
I had no idea that you could use it for other things.

00:09:12.920 --> 00:09:16.290
It was obvious that you could program things but I just didn’t know someone would pay

00:09:16.290 --> 00:09:17.640
me money to do that.

00:09:17.640 --> 00:09:21.500
I was really, really fortunate in getting that e-mail.

00:09:21.500 --> 00:09:24.510
I started working with them and remotely writing code for them.

00:09:24.510 --> 00:09:26.550
They never met me; we never even talked on the phone.

00:09:26.550 --> 00:09:27.709
It was just all over e-mail.

00:09:27.709 --> 00:09:31.649
They said hey, do you want to move to San Diego and work full-time with us?

00:09:31.649 --> 00:09:33.329
I said absolutely.

00:09:33.329 --> 00:09:38.830
So, I took my mom’s car and then I just drove down and I met them.

00:09:38.830 --> 00:09:42.459
I think they were kind of weirded out because they didn’t expect a fifteen-year-old to

00:09:42.459 --> 00:09:43.459
show up.

00:09:43.459 --> 00:09:45.079
They weren’t even sure if that was legal.

00:09:45.079 --> 00:09:47.390
I was like oh no, don’t worry, I looked into it.

00:09:47.390 --> 00:09:48.390
It’s totally legal.

00:09:48.390 --> 00:09:51.750
Here’s a work permit that I got from my school, which was really just a work permit

00:09:51.750 --> 00:09:54.190
I had forged and printed out.

00:09:54.190 --> 00:09:56.769
I just started working with this company down in San Diego.

00:09:56.769 --> 00:09:58.190
That was really cool.

00:09:58.190 --> 00:10:02.570
That allowed me to support myself and my mom, and she continued to live in LA but I got

00:10:02.570 --> 00:10:05.519
to start my own life down there which was really great.

00:10:05.519 --> 00:10:08.260
JACK: That is incredible.

00:10:08.260 --> 00:10:13.709
In San Diego as a teenager, Samy was working as a programmer but eventually took on the

00:10:13.709 --> 00:10:16.670
responsibilities of a systems administrator.

00:10:16.670 --> 00:10:19.529
He was making pretty good money for his age.

00:10:19.529 --> 00:10:24.269
Then someone in LA tried to recruit him to work at a startup.

00:10:24.269 --> 00:10:26.820
This was the deal; quit your job and come work for us.

00:10:26.820 --> 00:10:31.279
Initially we can’t pay you but you can have some equity in the company and sleep on the

00:10:31.279 --> 00:10:33.790
founder’s couch while the startup gets off the ground.

00:10:33.790 --> 00:10:37.790
SAMY: I said uh, well, thanks for that offer; no, no thank you.

00:10:37.790 --> 00:10:39.990
He said well, what do you want to do with your life?

00:10:39.990 --> 00:10:42.900
What do you want to do in the next few years?

00:10:42.900 --> 00:10:44.180
I thought that was a really good question.

00:10:44.180 --> 00:10:45.630
I honestly had not thought about it.

00:10:45.630 --> 00:10:47.590
It’s not something I’d normally think about.

00:10:47.590 --> 00:10:50.640
I thought about it for a while and I was like well, I want to learn how to start a company.

00:10:50.640 --> 00:10:55.130
I want to learn how to start a successful company that employs people and works on cool

00:10:55.130 --> 00:10:56.130
projects.

00:10:56.130 --> 00:11:00.610
He said okay, well, I just sold my last company for thirty million dollars cash.

00:11:00.610 --> 00:11:02.130
I’ve started multiple companies.

00:11:02.130 --> 00:11:06.870
I’ve done this before, so why don’t you meet my co-founder and learn with me and you

00:11:06.870 --> 00:11:08.800
can handle the technical side?

00:11:08.800 --> 00:11:12.220
I thought about that for a second and was like well, I probably won’t get that opportunity

00:11:12.220 --> 00:11:14.110
ever again, so I jumped in.

00:11:14.110 --> 00:11:15.620
I said okay, let’s do that.

00:11:15.620 --> 00:11:21.200
[MUSIC] I quit my job in San Diego, came back up to LA, slept on his couch, and that’s

00:11:21.200 --> 00:11:23.460
when we started a company called Fonality.

00:11:23.460 --> 00:11:26.460
JACK: Fonality was creating voice-over-IP solutions for companies.

00:11:26.460 --> 00:11:27.700
Samy wasn’t getting paid at first.

00:11:27.700 --> 00:11:32.490
He had some savings but was blowing through it pretty quick and living as cheap as possible,

00:11:32.490 --> 00:11:34.269
sleeping on a couch.

00:11:34.269 --> 00:11:38.320
But eventually the company started making money which meant Samy started getting paid.

00:11:38.320 --> 00:11:41.720
SAMY: Then, I think after we were actually making money, ‘cause we had become profitable

00:11:41.720 --> 00:11:44.170
at some point, and then I had a salary.

00:11:44.170 --> 00:11:46.930
Then that salary grew as we became more profitable.

00:11:46.930 --> 00:11:53.740
At some point I was really fortunate to be able to still support my mom and also have

00:11:53.740 --> 00:11:55.100
some nice toys.

00:11:55.100 --> 00:11:57.770
JACK: Things were really looking good for Samy at this point.

00:11:57.770 --> 00:12:02.670
He was nineteen years old, making great money at a company that he helped create.

00:12:02.670 --> 00:12:07.660
Samy was a smart young lad, but eventually he got bored.

00:12:07.660 --> 00:12:11.470
What do you get when you have a bored hacker?

00:12:11.470 --> 00:12:14.390
Yeah, you guessed it; trouble.

00:12:14.390 --> 00:12:20.019
SAMY: [MUSIC] That’s when I started playing with MySpace.

00:12:20.019 --> 00:12:24.839
MySpace was the number one site on the internet and all my friends had it.

00:12:24.839 --> 00:12:29.610
I held off for a while and then one day I said okay, pretty much all my friends have

00:12:29.610 --> 00:12:33.760
it so I should just go on there, make an account, see what this is about.

00:12:33.760 --> 00:12:34.760
I made an account; I was like oh, this is pretty cool.

00:12:34.760 --> 00:12:35.760
It’s a social network.

00:12:35.760 --> 00:12:39.790
You can post pictures and you can post on people’s – I guess you called them profiles

00:12:39.790 --> 00:12:40.790
back then.

00:12:40.790 --> 00:12:41.930
We didn’t call them walls.

00:12:41.930 --> 00:12:45.139
You’d have music that auto-played which is terrible.

00:12:45.139 --> 00:12:49.241
You could do really awful CSS things to your page, but you could also do cool things and

00:12:49.241 --> 00:12:50.241
I really liked that.

00:12:50.241 --> 00:12:54.690
I actually really appreciated the fact that you could style the page in any way you wanted.

00:12:54.690 --> 00:12:58.230
You really could theme it and show a little personality.

00:12:58.230 --> 00:13:02.220
I thought that was really cool and not something you get to do everyday anymore.

00:13:02.220 --> 00:13:07.700
I made a profile and at this point, pretty technically competent, or I felt that way.

00:13:07.700 --> 00:13:11.440
I thought well, maybe I can make my profile cooler than some of my friends’, just more

00:13:11.440 --> 00:13:12.440
interesting or unique.

00:13:12.440 --> 00:13:16.980
I started saying alright, well, I can do all the CSS stuff but how can I really do something

00:13:16.980 --> 00:13:17.980
interesting?

00:13:17.980 --> 00:13:22.240
I started looking and I think I had gotten a digital camera and I found that the limitation

00:13:22.240 --> 00:13:26.060
on the profile pictures was – you could only have twelve photos.

00:13:26.060 --> 00:13:28.070
I thought it would be funny just to have a thirteenth photo.

00:13:28.070 --> 00:13:29.779
It’s just a limitation that they had.

00:13:29.779 --> 00:13:31.330
No one would really notice.

00:13:31.330 --> 00:13:35.430
You’d really have to think about it or know this limitation even to realize, but I thought

00:13:35.430 --> 00:13:36.950
that would be subtle and funny.

00:13:36.950 --> 00:13:40.730
JACK: Samy figured out that the limitation on the number of photos that MySpace users

00:13:40.730 --> 00:13:44.480
were allowed to post was set by client-side validation.

00:13:44.480 --> 00:13:49.130
He realized he could bypass this validation and talk directly to the API server, [00:15:00]

00:13:49.130 --> 00:13:52.910
and he could submit as many photos as he wanted to MySpace.

00:13:52.910 --> 00:13:55.529
It worked. Unbelievable.

00:13:55.529 --> 00:13:56.959
So cool.

00:13:56.959 --> 00:14:04.560
But now that he had bypassed one validation check, he wondered what else could he do?

00:14:04.560 --> 00:14:08.920
When you look at a MySpace user’s profile, you can see what birthday they have displayed,

00:14:08.920 --> 00:14:13.600
what their favorite foods are, their music, and movies, but there’s also a place to

00:14:13.600 --> 00:14:15.800
describe your relationship status.

00:14:15.800 --> 00:14:18.589
It was a little drop-down box.

00:14:18.589 --> 00:14:25.010
You could pick Single, Married, Engaged, or In a Relationship, but you were bound to only

00:14:25.010 --> 00:14:27.420
be able to pick one of these that were in the drop-down box.

00:14:27.420 --> 00:14:30.300
There was no way to enter your own relationship status.

00:14:30.300 --> 00:14:33.040
SAMY: I wanted mine to say In a Hot Relationship.

00:14:33.040 --> 00:14:34.970
That would be funny.

00:14:34.970 --> 00:14:37.190
Again, a subtle change.

00:14:37.190 --> 00:14:41.680
You couldn’t really do that, at least back then with that version of CSS, but I started

00:14:41.680 --> 00:14:44.540
playing around and said well, maybe I can execute JavaScript because JavaScript should

00:14:44.540 --> 00:14:47.900
be able to modify the DOM, modify the page in any way I want.

00:14:47.900 --> 00:14:51.930
I started playing around and found that they pretty much blocked JavaScript in any possible

00:14:51.930 --> 00:14:52.930
way.

00:14:52.930 --> 00:14:55.509
Then I started saying okay, well, maybe I can mess with the browser.

00:14:55.509 --> 00:15:01.759
I started looking to exploit the browser’s interpretation of tags and found that yes,

00:15:01.759 --> 00:15:06.120
there’s actually a way that I could execute JavaScript that technically isn’t compliant

00:15:06.120 --> 00:15:09.779
with say, the W3C spec of how HTML should be interpreted.

00:15:09.779 --> 00:15:14.620
But browsers happen to be pretty lenient and they want web pages to work, even if the developer

00:15:14.620 --> 00:15:16.139
made an error.

00:15:16.139 --> 00:15:21.570
I found a way to execute JavaScript within a CSS tag and then access some data somewhere

00:15:21.570 --> 00:15:25.190
else on the page and execute JavaScript code.

00:15:25.190 --> 00:15:30.690
This was really cool, so this allowed me to now change my In a Relationship to In a Hot

00:15:30.690 --> 00:15:31.690
Relationship.

00:15:31.690 --> 00:15:34.089
JACK: Wow, another fun and awesome win for Samy.

00:15:34.089 --> 00:15:38.130
At this point, he’s conducted two hacks against MySpace and is looking to see what

00:15:38.130 --> 00:15:39.130
else he can do.

00:15:39.130 --> 00:15:43.889
He realized that when he changed the relationship status, he could get the browser to execute

00:15:43.889 --> 00:15:46.089
whatever JavaScript he wanted.

00:15:46.089 --> 00:15:51.690
But it’s not just that; he could get whoever visited his profile to execute the JavaScript

00:15:51.690 --> 00:15:55.060
code that he wrote.

00:15:55.060 --> 00:15:58.829
To be able to control the browser of whoever visits his page?

00:15:58.829 --> 00:16:01.120
This was a seriously big deal.

00:16:01.120 --> 00:16:03.550
SAMY: At that point, it’s like what else could I do that could be fun?

00:16:03.550 --> 00:16:04.550
I started playing around.

00:16:04.550 --> 00:16:06.130
I was just doing silly things.

00:16:06.130 --> 00:16:09.279
I wanted to see okay, if someone visits my profile and we’re not already friends, can

00:16:09.279 --> 00:16:11.250
I make them add me as a friend?

00:16:11.250 --> 00:16:12.460
I could.

00:16:12.460 --> 00:16:15.690
Then I found well, if I can control their browser, couldn’t I just update their own

00:16:15.690 --> 00:16:16.690
profile?

00:16:16.690 --> 00:16:20.290
I found yeah, whenever they visit my profile, I can make them update anything on their profile.

00:16:20.290 --> 00:16:24.449
I didn’t want to be malicious; I just wanted to do something that I thought was funny.

00:16:24.449 --> 00:16:28.269
I made it so that if you visit my profile, not only would you add me as a friend, but

00:16:28.269 --> 00:16:32.149
then you would add ‘but most of all, Samy is my hero’ to the bottom of your profile.

00:16:32.149 --> 00:16:34.660
I thought that would be kind of funny.

00:16:34.660 --> 00:16:37.600
After a few days, maybe a few of my friends would have it on their profiles and I could

00:16:37.600 --> 00:16:40.769
just be like hey, cool, point that out to them.

00:16:40.769 --> 00:16:44.139
I release this and a few days go by, and nothing really happens.

00:16:44.139 --> 00:16:48.680
Virtually none of my friends have hit it because a lot of people aren’t going to my profile.

00:16:48.680 --> 00:16:52.680
I think okay, well, how do I make this spread a little faster?

00:16:52.680 --> 00:16:57.760
I’m thinking alright, if I can make you add me as a friend and add me as a hero to

00:16:57.760 --> 00:17:01.449
your profile, couldn’t I just copy the code to your profile as well?

00:17:01.449 --> 00:17:05.949
That way, if someone visits that profile, they’ll also add me as a friend, add me

00:17:05.949 --> 00:17:09.410
as a hero, and then the code will copy to their profile.

00:17:09.410 --> 00:17:13.000
Within my friend group, it should probably hit them all within a week or so and that’ll

00:17:13.000 --> 00:17:14.000
be pretty funny.

00:17:14.000 --> 00:17:17.540
Someone will complain and it’ll get taken down and no big deal.

00:17:17.540 --> 00:17:22.569
I launch it one night and I go to sleep.

00:17:22.569 --> 00:17:28.309
I wake up hoping to get at least a couple of hits and unfortunately, I wake up to 10,000

00:17:28.309 --> 00:17:30.299
new friends.

00:17:30.299 --> 00:17:36.530
JACK: 10,000 new friends?

00:17:36.530 --> 00:17:38.840
Samy was just trying to have some fun.

00:17:38.840 --> 00:17:44.770
He didn’t intend to be malicious, but then it dawned on him; he’s actually created

00:17:44.770 --> 00:17:47.679
a virus on MySpace.

00:17:47.679 --> 00:17:52.190
Anyone who visited his profile would immediately add him as a friend, but then the code to

00:17:52.190 --> 00:17:57.590
add Samy as a friend was copied to that person’s profile, so anyone who visited that person’s

00:17:57.590 --> 00:18:00.120
profile now had the code to add Samy as a friend.

00:18:00.120 --> 00:18:01.820
It just kept spreading.

00:18:01.820 --> 00:18:07.490
A virus that spreads itself like this is not just a virus; it’s a worm.

00:18:07.490 --> 00:18:13.640
Samy has just created a MySpace worm and it’s spreading way beyond what he thought it would

00:18:13.640 --> 00:18:19.590
become; perhaps he could get a few dozen friends or even a hundred new friends, but now he’s

00:18:19.590 --> 00:18:24.049
got 10,000 new friends and it’s just constantly going up.

00:18:24.049 --> 00:18:25.920
SAMY: At that point I just freak out.

00:18:25.920 --> 00:18:27.070
I have no idea what to do.

00:18:27.070 --> 00:18:31.210
I’m sitting in my apartment and I’m kind of baffled.

00:18:31.210 --> 00:18:34.559
I realize oops, I just wrote a virus.

00:18:34.559 --> 00:18:35.559
What should I do?

00:18:35.559 --> 00:18:37.070
The problem with a virus is you can’t just remove it.

00:18:37.070 --> 00:18:40.500
I could remove it from my own profile but that doesn’t mean it’s gonna stop spreading

00:18:40.500 --> 00:18:42.270
because it’s already spread to thousands of profiles.

00:18:42.270 --> 00:18:44.650
JACK: Were you getting flooded with messages as well?

00:18:44.650 --> 00:18:47.860
Like, you know, you’re just really popular at the same time as having friends?

00:18:47.860 --> 00:18:51.780
SAMY: People were messaging me; they were like [00:20:00] hey, why are you on my profile?

00:18:51.780 --> 00:18:53.630
Hey, every time I try to delete you, you come back.

00:18:53.630 --> 00:18:56.980
That’s because every time they would delete me from their profile, it would return them

00:18:56.980 --> 00:19:00.440
to their own profile which re-executed the code, which re-added me as a friend.

00:19:00.440 --> 00:19:03.580
They couldn’t actually delete the virus either, themselves.

00:19:03.580 --> 00:19:05.480
They really needed MySpace to do that.

00:19:05.480 --> 00:19:09.050
At that point, I’m like okay, it’s time for damage control, as much as I can do.

00:19:09.050 --> 00:19:10.690
I e-mail MySpace anonymously.

00:19:10.690 --> 00:19:13.590
BOT: Hi, I’m a random user of MySpace.

00:19:13.590 --> 00:19:15.340
I have no idea what’s going on.

00:19:15.340 --> 00:19:17.940
There’s some weird stuff on my profile.

00:19:17.940 --> 00:19:21.840
It looks like a bunch of obfuscated code and I’m not really sure what it does.

00:19:21.840 --> 00:19:27.500
SAMY: But I think it does – detailed explanation of exactly what was going on.

00:19:27.500 --> 00:19:32.080
I think you could fix it by; here’s a detailed explanation of exactly how to fix this problem.

00:19:32.080 --> 00:19:33.600
I just prayed that they got it.

00:19:33.600 --> 00:19:34.951
I just continued my day.

00:19:34.951 --> 00:19:36.980
At that point, I really couldn’t think.

00:19:36.980 --> 00:19:38.570
I drove to the office.

00:19:38.570 --> 00:19:42.780
JACK: The whole time he was at work, he’s looking at his MySpace profile and just watching

00:19:42.780 --> 00:19:46.740
the number of friends he has rising higher and higher and higher.

00:19:46.740 --> 00:19:49.790
SAMY: It went 50,000, 100,000.

00:19:49.790 --> 00:19:51.690
I could not think about anything.

00:19:51.690 --> 00:19:53.940
It was just refreshing.

00:19:53.940 --> 00:19:56.190
Went home; 500,000, 600,000.

00:19:56.190 --> 00:19:59.009
JACK: 600,000 new MySpace friends?

00:19:59.009 --> 00:20:01.340
This is going way out of control.

00:20:01.340 --> 00:20:02.450
This has to be stopped.

00:20:02.450 --> 00:20:05.840
Samy tried to stop the worm by removing the code on his profile.

00:20:05.840 --> 00:20:08.850
SAMY: I removed the code from my own profile but that doesn’t do anything, right?

00:20:08.850 --> 00:20:13.280
It only removes it so that anyone who visits my profile doesn’t get it, but it’s already

00:20:13.280 --> 00:20:14.590
spreading from anyone else.

00:20:14.590 --> 00:20:17.150
Once someone else has it, it would just continue to spread.

00:20:17.150 --> 00:20:19.520
There was no other way to really control it.

00:20:19.520 --> 00:20:21.680
MySpace would have to remove it themselves.

00:20:21.680 --> 00:20:25.240
JACK: Samy goes off to work, does his shift, comes back home.

00:20:25.240 --> 00:20:27.490
SAMY: 600,000, 700,000.

00:20:27.490 --> 00:20:28.490
It hits a million.

00:20:28.490 --> 00:20:31.980
I just take a screenshot because now I’m just like, that’s a lot of people.

00:20:31.980 --> 00:20:33.900
I had no idea that many people were even on MySpace.

00:20:33.900 --> 00:20:36.500
I just had no idea how big it was.

00:20:36.500 --> 00:20:42.370
I was hoping it would hit a hundred max over the course of a week or a month or something.

00:20:42.370 --> 00:20:44.721
Once it hit 10,000, I knew I had done something wrong.

00:20:44.721 --> 00:20:48.490
I was like oh, I did not think this through.

00:20:48.490 --> 00:20:50.559
I was just freaked out the entire time.

00:20:50.559 --> 00:20:56.590
I was super concerned because if it hit 10,000 overnight, then at that point it was obvious;

00:20:56.590 --> 00:20:59.299
oh yeah, it’s just gonna grow ridiculously out of proportion.

00:20:59.299 --> 00:21:02.202
Now I’m refreshing purely because I’m curious how fast it’s spreading.

00:21:02.202 --> 00:21:04.690
I refresh, I refresh, I refresh.

00:21:04.690 --> 00:21:08.480
At this point it’s spreading at about 3,000 people per second.

00:21:08.480 --> 00:21:14.640
As I’m doing this little test of how fast it’s moving, I refresh once again and finally,

00:21:14.640 --> 00:21:16.900
my profile’s been taken down.

00:21:16.900 --> 00:21:18.179
I’m pretty happy about this.

00:21:18.179 --> 00:21:23.450
Then I was wondering okay, the virus was probably out for about twenty hours and I’m thinking

00:21:23.450 --> 00:21:26.200
alright, does it still say ‘Samy is my hero’ on other people’s profiles?

00:21:26.200 --> 00:21:27.299
How did they take this down?

00:21:27.299 --> 00:21:31.909
[MUSIC] I go to someone else’s profile and then I see that that profile is also down.

00:21:31.909 --> 00:21:32.909
I’m like, oh no.

00:21:32.909 --> 00:21:38.640
So, I go to myspace.com, just to the website, and it says the whole site is down; the whole

00:21:38.640 --> 00:21:42.010
team is here working on it.

00:21:42.010 --> 00:21:44.380
I felt absolutely awful.

00:21:44.380 --> 00:21:47.440
I know what it’s like to have servers that are down and I would never want to do that

00:21:47.440 --> 00:21:52.160
to somebody and I’m thinking okay, the number one site on the internet is down, and I also

00:21:52.160 --> 00:21:56.419
recall that MySpace had just been purchased by Fox for half a billion dollars.

00:21:56.419 --> 00:22:01.279
I didn’t really want Fox to come after me so I was like oh no, what do I do?

00:22:01.279 --> 00:22:05.510
I thought about it and MySpace is in LA so maybe I should just drive over there with

00:22:05.510 --> 00:22:09.080
some coffee and donuts and be like hey guys, I’m Samy.

00:22:09.080 --> 00:22:10.150
I’m so sorry.

00:22:10.150 --> 00:22:11.150
Can I help do anything?

00:22:11.150 --> 00:22:12.740
Can I write some SQL queries?

00:22:12.740 --> 00:22:14.670
What can I do?

00:22:14.670 --> 00:22:18.160
But I thought that would be a bad idea in case they were just really upset, which I

00:22:18.160 --> 00:22:19.409
would totally understand.

00:22:19.409 --> 00:22:21.690
I was worried I’d go to jail.

00:22:21.690 --> 00:22:24.500
I had no idea what the ramifications of something like this were.

00:22:24.500 --> 00:22:25.610
I really had no idea.

00:22:25.610 --> 00:22:27.440
JACK: Did you tell anyone then?

00:22:27.440 --> 00:22:29.260
What did your friends think of this at this point?

00:22:29.260 --> 00:22:32.760
‘Cause I mean, the people you work with and stuff, did they know that day, like hey…

00:22:32.760 --> 00:22:33.760
SAMY: No.

00:22:33.760 --> 00:22:34.760
JACK: …it’s going crazy.

00:22:34.760 --> 00:22:35.799
Your friends, did they know?

00:22:35.799 --> 00:22:39.909
And you’re like hey, and call one of them and say I think I just took MySpace down?

00:22:39.909 --> 00:22:43.130
SAMY: I messaged like, one or two friends about it.

00:22:43.130 --> 00:22:47.900
I actually remember explicitly one friend I messaged just before doing it and he’s

00:22:47.900 --> 00:22:51.140
like hey, don’t do that.

00:22:51.140 --> 00:22:52.810
He was much smarter than I was.

00:22:52.810 --> 00:22:55.580
I think during the thing, I don’t think I talked to anyone about it.

00:22:55.580 --> 00:22:59.080
Maybe my girlfriend; I told her and she thought the whole thing was funny.

00:22:59.080 --> 00:23:01.090
Really, back then, it was just a social network.

00:23:01.090 --> 00:23:04.480
It was a small social network, right, nothing compared to the networks we have today like

00:23:04.480 --> 00:23:05.500
Facebook and Twitter.

00:23:05.500 --> 00:23:09.799
Granted, it was the largest at the time but it was 2005; smart phones had not come out.

00:23:09.799 --> 00:23:14.840
It was a much smaller – people on the internet just didn’t seem as serious.

00:23:14.840 --> 00:23:17.240
JACK: At this point, MySpace is down.

00:23:17.240 --> 00:23:19.080
Like, the whole website.

00:23:19.080 --> 00:23:20.530
Samy is worried and scared.

00:23:20.530 --> 00:23:23.840
The team at MySpace is probably totally freaking out.

00:23:23.840 --> 00:23:27.799
This was the largest social networking site in the world at the time, and it’s down

00:23:27.799 --> 00:23:30.230
because Samy decided to have a laugh?

00:23:30.230 --> 00:23:31.679
This is not good.

00:23:31.679 --> 00:23:35.470
Samy’s anxiety is growing every minute that the site is down.

00:23:35.470 --> 00:23:37.700
He can’t focus on real life right now.

00:23:37.700 --> 00:23:40.170
Forget about work, forget about going out with friends.

00:23:40.170 --> 00:23:43.080
What the heck happened to MySpace?

00:23:43.080 --> 00:23:44.970
Was it his worm that took down MySpace?

00:23:44.970 --> 00:23:48.370
How much trouble will he be in if it was?

00:23:48.370 --> 00:23:50.610
Hours went by and the site was still down.

00:23:50.610 --> 00:23:54.760
He was getting more and more anxious as he kept refreshing the page, waiting for it to

00:23:54.760 --> 00:23:56.080
come back up.

00:23:56.080 --> 00:24:00.660
Then, hours after the site went down, MySpace came back online.

00:24:00.660 --> 00:24:05.140
SAMY: Actually, I feel very good that the site is up a few hours later.

00:24:05.140 --> 00:24:07.950
At this point I don’t really know what to do.

00:24:07.950 --> 00:24:10.110
I sit around, I just start working on other things.

00:24:10.110 --> 00:24:13.880
I’m kind of just waiting for the police to come knock on my door.

00:24:13.880 --> 00:24:16.240
A day goes by and a week goes by.

00:24:16.240 --> 00:24:20.990
I start getting e-mails from random people on the internet; blog writers and magazines

00:24:20.990 --> 00:24:23.179
that are like hey, we heard about this worm you wrote.

00:24:23.179 --> 00:24:25.000
I’m like, I don’t know what you’re talking about.

00:24:25.000 --> 00:24:26.220
They said, is your name Samy?

00:24:26.220 --> 00:24:29.190
I was like yeah, my name’s Samy but I’m not sure what you’re talking about.

00:24:29.190 --> 00:24:31.440
Then they sent me a picture and they’re like, is this you?

00:24:31.440 --> 00:24:33.900
It was my profile picture so of course it’s me.

00:24:33.900 --> 00:24:35.080
I’m like, okay, fine.

00:24:35.080 --> 00:24:36.080
That was me.

00:24:36.080 --> 00:24:38.110
They start asking me what was this about?

00:24:38.110 --> 00:24:39.830
What was your intention?

00:24:39.830 --> 00:24:42.664
I was like, this is just a prank gone terribly wrong.

00:24:42.664 --> 00:24:43.664
They ask has MySpace contacted you?

00:24:43.664 --> 00:24:44.664
I said no.

00:24:44.664 --> 00:24:45.664
Have the police contacted you?

00:24:45.664 --> 00:24:46.664
I said no.

00:24:46.664 --> 00:24:48.390
A week goes by, two weeks, three months.

00:24:48.390 --> 00:24:51.980
Finally, after three months, I’m like okay, I’m super fortunate.

00:24:51.980 --> 00:24:56.020
No one from MySpace or the police or anything ever contacted me so I’m really, really

00:24:56.020 --> 00:24:57.020
lucky.

00:24:57.020 --> 00:25:00.340
I did something pretty dumb and I’m never doing that again.

00:25:00.340 --> 00:25:03.630
I got away scot-free.

00:25:03.630 --> 00:25:05.940
JACK: What a lesson learned, huh?

00:25:05.940 --> 00:25:11.850
To accidentally take down the largest social network in the world and not hear from MySpace

00:25:11.850 --> 00:25:12.850
or the police?

00:25:12.850 --> 00:25:15.039
Lucky guy, because you know what?

00:25:15.039 --> 00:25:16.820
Samy’s fingerprints are all over this worm.

00:25:16.820 --> 00:25:22.299
I mean, the worm follows Samy and then the worm actually says above all, Samy is my hero,

00:25:22.299 --> 00:25:27.240
so it would be really easy for MySpace to track this back to Samy, but nothing.

00:25:27.240 --> 00:25:33.429
So, Samy just goes back to his regular life, back to his job at Fonality which is starting

00:25:33.429 --> 00:25:34.720
to pay him even more now.

00:25:34.720 --> 00:25:38.169
In fact, he was making enough to buy his dream car.

00:25:38.169 --> 00:25:40.640
SAMY: I got a Porsche Boxster.

00:25:40.640 --> 00:25:43.380
JACK: At the age of nineteen.

00:25:43.380 --> 00:25:47.370
Anyway, he got a brand-new car and one day, he’s leaving his apartment.

00:25:47.370 --> 00:25:49.840
He goes down the elevator to the parking garage.

00:25:49.840 --> 00:25:50.880
SAMY: I’m walking down to it.

00:25:50.880 --> 00:25:56.080
[MUSIC] It was a brand-new car, and I see two guys basically standing next to it, or

00:25:56.080 --> 00:25:57.080
sitting on it.

00:25:57.080 --> 00:25:58.909
I’m like oh no, I’m getting carjacked.

00:25:58.909 --> 00:26:03.014
Two more guys walk up behind me and then they say Samy?

00:26:03.014 --> 00:26:06.250
I was like, oh no.

00:26:06.250 --> 00:26:08.460
I realized that carjackers, they don’t know your name.

00:26:08.460 --> 00:26:09.700
They said Samy?

00:26:09.700 --> 00:26:11.160
We have a search warrant for you.

00:26:11.160 --> 00:26:13.500
JACK: This was a surprise.

00:26:13.500 --> 00:26:19.279
Six months ago is when he launched the MySpace worm and now they’re coming for him?

00:26:19.279 --> 00:26:20.279
Ugh.

00:26:20.279 --> 00:26:24.830
These were representatives from the Secret Service’s Electronic Crimes Task Force,

00:26:24.830 --> 00:26:29.460
the LA District Attorney’s office, and the California Highway Patrol.

00:26:29.460 --> 00:26:32.980
The Highway Patrol was there because they had suspicion that Samy’s fancy new car

00:26:32.980 --> 00:26:34.260
might have been stolen.

00:26:34.260 --> 00:26:38.340
[MUSIC] The agents took Samy into custody and headed back up to his apartment.

00:26:38.340 --> 00:26:42.700
SAMY: We all walk up and as we go into my place, there’s a dozen agents already there,

00:26:42.700 --> 00:26:43.760
going through everything.

00:26:43.760 --> 00:26:48.210
What they’re doing is they’re taking everything, so anything that has data; CD, DVD, my laptop,

00:26:48.210 --> 00:26:52.150
my computer, my Xbox, even my iPod.

00:26:52.150 --> 00:26:53.789
That was probably the worst; they took my iPod.

00:26:53.789 --> 00:26:55.060
All my music was gone.

00:26:55.060 --> 00:27:00.149
I love music so that was actually somewhat challenging because all my MP3s and any legitimate

00:27:00.149 --> 00:27:03.110
or illegitimate music I had was gone.

00:27:03.110 --> 00:27:07.150
I was kind of terrified but also somewhat go with the flow.

00:27:07.150 --> 00:27:08.850
Things happen in life and you deal with them.

00:27:08.850 --> 00:27:12.480
I’m just waiting for all this to be over and now I’m reading the search warrant because

00:27:12.480 --> 00:27:14.550
I really want to find out is this about MySpace?

00:27:14.550 --> 00:27:15.980
Is this about something else?

00:27:15.980 --> 00:27:17.330
Is this about some computers I hacked into?

00:27:17.330 --> 00:27:18.330
I had no idea.

00:27:18.330 --> 00:27:22.429
I’m reading through, reading through, and then finally I see the words myspace.com.

00:27:22.429 --> 00:27:23.429
Okay, good.

00:27:23.429 --> 00:27:24.429
So, it’s about that.

00:27:24.429 --> 00:27:27.679
At least that one was a prank.

00:27:27.679 --> 00:27:30.140
Then I’m reading, reading, reading, and then I see another address that they’re

00:27:30.140 --> 00:27:31.690
allowed to search, and it’s my office.

00:27:31.690 --> 00:27:34.220
So, I ask them are you guys gonna search my office?

00:27:34.220 --> 00:27:36.460
They’re like oh, we’re already there.

00:27:36.460 --> 00:27:39.000
One of the agents asked me what’s that on your counter?

00:27:39.000 --> 00:27:44.720
So, in my living room there was a table and it had some equipment on it, some smart card

00:27:44.720 --> 00:27:46.940
reader/writer stuff, and some smart cards and stuff.

00:27:46.940 --> 00:27:48.590
He’s like, what are you doing with that?

00:27:48.590 --> 00:27:53.380
At this point, I’m thinking okay; the Secret Service agent just asked me what these smart

00:27:53.380 --> 00:27:54.380
cards are.

00:27:54.380 --> 00:27:59.549
In my head I’m like, should I tell them or should I lie about what this is?

00:27:59.549 --> 00:28:03.250
My friend was staying at my apartment to work at my company.

00:28:03.250 --> 00:28:07.679
I was showing him that I had hacked the laundry machines in our apartment building so that

00:28:07.679 --> 00:28:08.679
I could get free laundry.

00:28:08.679 --> 00:28:13.990
I was basically cloning smart cards or replaying the information from a smart card to make

00:28:13.990 --> 00:28:16.570
it appear that it had more money than it did.

00:28:16.570 --> 00:28:20.750
I decided I should not lie to these people so I just told them that and fortunately,

00:28:20.750 --> 00:28:22.370
they all just laughed.

00:28:22.370 --> 00:28:24.500
Nothing else came of that.

00:28:24.500 --> 00:28:28.120
Afterwards, they collected everything and then they walked out.

00:28:28.120 --> 00:28:31.530
I’m like hey guys, are you taking me with you?

00:28:31.530 --> 00:28:35.130
They said no, no, you’re not under arrest, at least for now.

00:28:35.130 --> 00:28:36.330
I said oh, okay.

00:28:36.330 --> 00:28:37.330
Then they walked away.

00:28:37.330 --> 00:28:39.559
All of a sudden, I just had no computers.

00:28:39.559 --> 00:28:43.330
I went to the office and fortunately, somehow the CEO was able to convince them that I was

00:28:43.330 --> 00:28:47.200
an intern and that I had no access to anything because when they came in, they said hey,

00:28:47.200 --> 00:28:48.870
what does Samy Kamkar have access to?

00:28:48.870 --> 00:28:50.490
The CEO was like well, everything.

00:28:50.490 --> 00:28:52.700
They’re like alright guys, take everything.

00:28:52.700 --> 00:28:55.490
This is a cloud-based company, so you take everything.

00:28:55.490 --> 00:28:59.000
Back then we ran all the servers, so they were about to take all of our servers which

00:28:59.000 --> 00:29:00.809
would just bankrupt us instantly.

00:29:00.809 --> 00:29:05.330
Fortunately, he convinced them something else, that I was an intern or something weird, and

00:29:05.330 --> 00:29:08.409
they only took my stuff; just my computer and my phone.

00:29:08.409 --> 00:29:12.950
At that point I got an attorney and we ended up basically fighting with the LA DA for about

00:29:12.950 --> 00:29:13.950
six months.

00:29:13.950 --> 00:29:18.559
JACK: The Los Angeles DA charged Samy with modifying data on a remote machine.

00:29:18.559 --> 00:29:23.100
In settlement talks, prosecutors proposed that Samy serve some time in prison and not

00:29:23.100 --> 00:29:27.070
be able to use his computer for the rest of his life.

00:29:27.070 --> 00:29:31.450
Keep in mind that Samy was supporting his mother and as a high school dropout, his only

00:29:31.450 --> 00:29:36.950
skill set and his livelihood were entirely dependent on using a computer.

00:29:36.950 --> 00:29:41.740
Samy was so bright and gifted and passionate about computers and technology and the internet

00:29:41.740 --> 00:29:42.920
and hacking.

00:29:42.920 --> 00:29:48.010
You can imagine how scary it was for him to face the prospect of having to live the rest

00:29:48.010 --> 00:29:52.279
of his life without ever being able to use a computer again.

00:29:52.279 --> 00:29:56.850
SAMY: [MUSIC] Probably the hardest part, really, the hardest part of anything, I think at least

00:29:56.850 --> 00:30:00.159
for me, is not knowing what an outcome will be.

00:30:00.159 --> 00:30:05.149
I think it’s much easier to deal with maybe even the most challenging outcome if I know

00:30:05.149 --> 00:30:06.159
that’s going to happen.

00:30:06.159 --> 00:30:08.990
You just tell me okay, I’m gonna go to the prison for the rest of my life, then I can

00:30:08.990 --> 00:30:13.010
at least mentally try to prepare for that but not knowing was just really difficult

00:30:13.010 --> 00:30:14.010
to deal with.

00:30:14.010 --> 00:30:18.409
But ultimately, I took a plea agreement with them and the plea agreement was no prison

00:30:18.409 --> 00:30:19.970
time, so that was nice.

00:30:19.970 --> 00:30:23.020
However, I would not be able to touch a computer for the rest of my life.

00:30:23.020 --> 00:30:25.760
That was still in there, and probation indefinitely.

00:30:25.760 --> 00:30:29.600
I would have to pay some restitution, I’d have to do a ton of community service, like

00:30:29.600 --> 00:30:31.490
picking up so much trash.

00:30:31.490 --> 00:30:34.340
Glad I could really help make those streets cleaner.

00:30:34.340 --> 00:30:39.399
But the silver lining was that if I was on good behavior, if my probation officer said

00:30:39.399 --> 00:30:43.200
I was a good person, after some number of years I could get everything removed.

00:30:43.200 --> 00:30:47.029
As long as I completed my community service, I would be able to get rid of the probation

00:30:47.029 --> 00:30:51.419
and be a normal citizen again and be able to touch a computer and the internet.

00:30:51.419 --> 00:30:54.049
I said okay, well, that at least is a known quantity.

00:30:54.049 --> 00:30:56.340
I don’t think I’m going to be writing anymore viruses.

00:30:56.340 --> 00:30:59.220
I can do a couple years of no computers, no internet.

00:30:59.220 --> 00:31:00.980
So, I agree to that.

00:31:00.980 --> 00:31:05.880
I was probably twenty at this point because this process was just such a long process.

00:31:05.880 --> 00:31:10.040
One day, I went to court and all of a sudden, I can no longer touch a computer or touch

00:31:10.040 --> 00:31:11.040
the internet.

00:31:11.040 --> 00:31:17.910
In fact, it also explicitly stated I could not access myspace.com, in case I was somehow

00:31:17.910 --> 00:31:21.269
able to access it without the internet or a computer.

00:31:21.269 --> 00:31:24.100
JACK: That was it.

00:31:24.100 --> 00:31:25.630
Samy had lost everything.

00:31:25.630 --> 00:31:29.640
I mean, forget about the Porsche at this point because on top of all this, they gave him

00:31:29.640 --> 00:31:32.690
a $20,000 fine.

00:31:32.690 --> 00:31:36.870
Between having to pay all the lawyers and the fine and still having to support his mom,

00:31:36.870 --> 00:31:43.950
yeah, he was almost completely wiped out, almost back to zero, living as cheap as possible.

00:31:43.950 --> 00:31:45.440
But still, forget all that.

00:31:45.440 --> 00:31:47.669
I don’t think Samy cared about the money at this point.

00:31:47.669 --> 00:31:52.340
He was back to trying to figure out what he should do with his entire life.

00:31:52.340 --> 00:31:55.019
No internet for life?

00:31:55.019 --> 00:31:59.299
Everything he’s been working towards, all his skills and knowledge, are useless now.

00:31:59.299 --> 00:32:04.809
Samy had 720 hours of community service he had to complete, so every Saturday morning

00:32:04.809 --> 00:32:10.130
he’d get up at 5:00 a.m. and go clean trash on the side of the highway for years.

00:32:10.130 --> 00:32:16.159
Even if he did six hours every Saturday, that’s still just 300 hours a year.

00:32:16.159 --> 00:32:21.010
Everything about Samy’s life was changed and he had to find new things to do that didn’t

00:32:21.010 --> 00:32:23.240
involve a computer to keep himself busy.

00:32:23.240 --> 00:32:25.889
SAMY: But I was really fortunate; I met new people.

00:32:25.889 --> 00:32:30.649
I spent all that time just doing other things that I had never really spent time doing.

00:32:30.649 --> 00:32:31.890
I went outside, I saw the sun.

00:32:31.890 --> 00:32:34.610
I was like ah, it’s so bright, but I got used to it.

00:32:34.610 --> 00:32:35.610
I made friends.

00:32:35.610 --> 00:32:38.740
I turned twenty-one so I could start going out meeting people.

00:32:38.740 --> 00:32:43.110
I started learning to socialize a lot more so it was really, really beneficial to me

00:32:43.110 --> 00:32:45.000
and something I wouldn’t really change today.

00:32:45.000 --> 00:32:49.380
I learned so much from that experience and I think it was good for someone so introverted

00:32:49.380 --> 00:32:53.840
and so stuck to a computer to be able to go out and experience other things.

00:32:53.840 --> 00:33:01.769
JACK: So, Samy spent years of his life offline doing his community service and trying to

00:33:01.769 --> 00:33:04.120
socialize with his friends.

00:33:04.120 --> 00:33:06.389
But the story doesn’t end here.

00:33:06.389 --> 00:33:09.820
After the break, Samy gets to use computers again.

00:33:09.820 --> 00:33:15.409
After two years of probation, Samy has served all 720 hours of his community

00:33:15.409 --> 00:33:16.409
service.

00:33:16.409 --> 00:33:17.570
He had great behavior.

00:33:17.570 --> 00:33:21.950
The probation officer didn’t find anything wrong that Samy did and since he had such

00:33:21.950 --> 00:33:26.140
great behavior, they went back to court to see if he could get the probation lifted.

00:33:26.140 --> 00:33:30.830
SAMY: After a few years, I went back to the court and said hey, my probation officer loves

00:33:30.830 --> 00:33:31.830
me.

00:33:31.830 --> 00:33:33.770
It says I’m her favorite client.

00:33:33.770 --> 00:33:37.350
They said okay, you are allowed to touch computers again.

00:33:37.350 --> 00:33:41.230
[MUSIC] That was a very interesting experience.

00:33:41.230 --> 00:33:43.870
I felt really weird touching a computer afterwards.

00:33:43.870 --> 00:33:49.019
You kind of just get used to the rules that you’re abiding by and it’s definitely

00:33:49.019 --> 00:33:51.190
an awkward feeling, jumping back in.

00:33:51.190 --> 00:33:54.290
JACK: What happened on that day that you got it back?

00:33:54.290 --> 00:34:00.519
SAMY: I definitely remember that day because I drove to the LA courthouse and after I left

00:34:00.519 --> 00:34:05.499
the courthouse, I drove to the Apple store and found whatever the latest top-of-the-line

00:34:05.499 --> 00:34:07.021
– I don’t even think it was a MacBook.

00:34:07.021 --> 00:34:08.310
It might have been a PowerBook at that time.

00:34:08.310 --> 00:34:13.099
I bought the top-of-the-line PowerBook and I went to a coffeeshop.

00:34:13.099 --> 00:34:18.169
I pulled it open, I connected to the WiFi, and I visited a couple websites.

00:34:18.169 --> 00:34:21.409
I think I visited Slashdot just to see what’s going on.

00:34:21.409 --> 00:34:25.919
I just felt really weird and I just shut the laptop and I went to go hang out with friends.

00:34:25.919 --> 00:34:29.470
JACK: This started the next chapter in Samy’s life.

00:34:29.470 --> 00:34:35.349
Now that he was free to use the computer again, he eventually got back into it, way into it.

00:34:35.349 --> 00:34:39.030
Even though he hadn’t been allowed to use a computer for the last two years, he had

00:34:39.030 --> 00:34:42.250
spent that time thinking of all sorts of things he can do with them.

00:34:42.250 --> 00:34:46.440
SAMY: During that time that I had no internet, I had no computers, I started thinking about

00:34:46.440 --> 00:34:51.140
new exploits, new ways to really manipulate more systems and exploit routers and exploit

00:34:51.140 --> 00:34:56.450
firewalls, and just had some concepts literally just in my head and I couldn’t confirm whether

00:34:56.450 --> 00:35:00.030
they were accurate or not, whether they would work after I came back online.

00:35:00.030 --> 00:35:03.570
I started thinking well, this stuff is fun.

00:35:03.570 --> 00:35:08.110
Maybe I can do this stuff but not impact websites, not impact people negatively.

00:35:08.110 --> 00:35:12.349
How can I investigate the technology around us, look for the vulnerabilities around us

00:35:12.349 --> 00:35:16.020
and then share that information publicly in an entirely legal way?

00:35:16.020 --> 00:35:19.120
People actually understand the problems and can use solutions.

00:35:19.120 --> 00:35:25.510
JACK: So, just six months after Samy had completed his probation for hacking MySpace, it was

00:35:25.510 --> 00:35:26.510
2018.

00:35:26.510 --> 00:35:31.930
Samy was around twenty-one years old and he starts looking into hacking credit cards,

00:35:31.930 --> 00:35:35.390
specifically the NFC and RFID chips on them.

00:35:35.390 --> 00:35:39.990
SAMY: Yeah, some other researchers and myself, we were looking at these NFC credit cards

00:35:39.990 --> 00:35:44.690
which are becoming a lot more ubiquitous today, but back then – it was kind of funny, they

00:35:44.690 --> 00:35:49.590
actually came out with these credit cards with NFC and pretty quickly – they were

00:35:49.590 --> 00:35:51.050
encrypted, some were encrypted.

00:35:51.050 --> 00:35:55.210
However; you could actually just buy a chip with the decryption key.

00:35:55.210 --> 00:36:00.030
You would just buy a chip from a company and you could then decrypt anyone’s credit card,

00:36:00.030 --> 00:36:03.170
access their credit card info, and then literally steal stuff with it.

00:36:03.170 --> 00:36:06.589
That was not my intention but I wanted to show that this stuff is not secure.

00:36:06.589 --> 00:36:11.200
I just created a proof-of-concept that opened up this to some additional credit cards.

00:36:11.200 --> 00:36:14.950
There were some other tools that did similar things for other types of credit cards.

00:36:14.950 --> 00:36:18.100
I know mine was a VISA Chase card that no one had done this for yet.

00:36:18.100 --> 00:36:21.990
JACK: How close to someone do you have to be to get their credit card details?

00:36:21.990 --> 00:36:22.990
Does it work from far away?

00:36:22.990 --> 00:36:26.079
SAMY: I haven’t really experimented with how far you can do it.

00:36:26.079 --> 00:36:27.300
I’m not sure.

00:36:27.300 --> 00:36:31.430
You do need to be close to them; it’s very easy to be within proximity of many, many

00:36:31.430 --> 00:36:32.430
people.

00:36:32.430 --> 00:36:35.190
You just go to a crowded place and now you can steal many, many credit cards and then

00:36:35.190 --> 00:36:38.620
you can go home and buy a ton of stuff online or you can sell those credit cards online

00:36:38.620 --> 00:36:40.150
and steal money.

00:36:40.150 --> 00:36:45.849
JACK: Even just bumping up against someone in a line, if they have an NFC or RFID vulnerable

00:36:45.849 --> 00:36:50.020
credit card in their pocket, that would be good enough to steal their credit card, right?

00:36:50.020 --> 00:36:51.020
SAMY: That’s correct.

00:36:51.020 --> 00:36:52.270
JACK: That’s such a trip.

00:36:52.270 --> 00:36:56.700
SAMY: You know what’s funny is after releasing that and demonstrating that, NFC then disappeared

00:36:56.700 --> 00:36:58.010
from our credit cards.

00:36:58.010 --> 00:37:03.390
It only recently re-emerged in the past few years and now with much stronger cryptography

00:37:03.390 --> 00:37:06.670
and additional safeguards from these sorts of attacks.

00:37:06.670 --> 00:37:08.069
However, there are other attacks.

00:37:08.069 --> 00:37:10.180
It will always be cat and mouse.

00:37:10.180 --> 00:37:13.760
Nothing is ever perfectly secure and to be fair, it’s much easier to be the attacker.

00:37:13.760 --> 00:37:17.760
JACK: While Samy studied how to hack the chips within credit cards, he never did anything

00:37:17.760 --> 00:37:18.869
malicious with this.

00:37:18.869 --> 00:37:21.960
He never actually stole anyone’s credit cards that he didn’t have permission to

00:37:21.960 --> 00:37:22.960
steal.

00:37:22.960 --> 00:37:26.210
[MUSIC] Instead, he started blogging about this and teaching others about the safety

00:37:26.210 --> 00:37:30.310
involved with these products in an attempt to make them more secure.

00:37:30.310 --> 00:37:35.450
From then on, Samy would continue to research the security of so many more things, but always

00:37:35.450 --> 00:37:37.400
in an ethical and safe way.

00:37:37.400 --> 00:37:40.710
He would do this on his own equipment and disclose what he found to vendors.

00:37:40.710 --> 00:37:46.040
For instance, Samy recently released a proof-of-concept to show how you can steal passwords and encryption

00:37:46.040 --> 00:37:47.880
keys by just listening.

00:37:47.880 --> 00:37:51.420
SAMY: This sort of stuff has been done for years by other people, by researchers,

00:37:51.420 --> 00:37:54.900
and I’m just trying to see can I do this on a two-dollar chip or an Arduino that many

00:37:54.900 --> 00:37:59.310
people know how to use and many makers can just buy off the shelf, and then can they

00:37:59.310 --> 00:38:00.930
perform these types of attacks?

00:38:00.930 --> 00:38:05.310
There’s attacks out there where researchers have demonstrated just taking a phone, a regular

00:38:05.310 --> 00:38:09.960
phone, putting it near a computer and when a computer is doing some sort of cryptographic

00:38:09.960 --> 00:38:13.349
operation and maybe it’s encrypting an e-mail, maybe it’s trying to send some Bitcoin,

00:38:13.349 --> 00:38:17.260
maybe it’s doing a financial transaction, maybe it’s logging into a bank.

00:38:17.260 --> 00:38:21.700
When any of these things are being done and the processor is processing those instructions

00:38:21.700 --> 00:38:26.910
in a certain order, well, that processor requires power and different instructions require different

00:38:26.910 --> 00:38:28.530
amounts of power.

00:38:28.530 --> 00:38:34.020
Addition will be less power than a multiplication which is really just a bunch of additions.

00:38:34.020 --> 00:38:38.400
You can then measure that power but if you have a phone, you can use the microphone.

00:38:38.400 --> 00:38:41.990
Let’s say I put a phone next to someone’s laptop and they’re encrypting an e-mail

00:38:41.990 --> 00:38:43.580
with a secret key.

00:38:43.580 --> 00:38:47.839
Well, when that CPU is pulling power from all these capacitors, those capacitors are

00:38:47.839 --> 00:38:52.650
going through this thing called electrostrictive effect and they’re physically moving inside

00:38:52.650 --> 00:38:53.650
your computer.

00:38:53.650 --> 00:38:57.230
They’re moving at a speed, a rate, against the circuit board inside that produces ultrasound.

00:38:57.230 --> 00:39:01.650
[MUSIC] You and I can’t hear ultrasound but the phones that we have, the mobile devices

00:39:01.650 --> 00:39:05.390
we have, those microphones actually can listen all the way into the ultrasound range.

00:39:05.390 --> 00:39:09.690
If you have, say, an Android device with the microphone enabled and it listens to that

00:39:09.690 --> 00:39:14.140
ultrasound, you can then look at that sound, that amperage or the volume of the sound,

00:39:14.140 --> 00:39:17.840
and then correlate it and say well, the higher the sound, the more power those capacitors

00:39:17.840 --> 00:39:19.080
are using and feeding to the CPU.

00:39:19.080 --> 00:39:24.760
If I know it’s this much power for this long, well, I can do timing and power analysis

00:39:24.760 --> 00:39:27.329
and say well, that means you’re doing an addition here or you’re probably doing a

00:39:27.329 --> 00:39:30.900
jump or a branch here, or a comparison here.

00:39:30.900 --> 00:39:35.010
This looks like you’re doing an AES encryption, a 128-bit key.

00:39:35.010 --> 00:39:39.130
If you’re encrypting with a 0-bit versus a 1-bit, that’s gonna take different instructions

00:39:39.130 --> 00:39:42.190
with a different amount of power and then I can fully recover that key.

00:39:42.190 --> 00:39:46.740
It’s pretty impressive, and these are the types of attacks that are really exploiting

00:39:46.740 --> 00:39:51.240
physical phenomena, things that a software developer might implement something perfectly,

00:39:51.240 --> 00:39:53.720
but there’s still these other attacks.

00:39:53.720 --> 00:39:58.390
JACK: Samy continued finding new areas to do security research in and at some point,

00:39:58.390 --> 00:39:59.610
he got interested in cookies.

00:39:59.610 --> 00:40:04.890
[MUSIC] Cookies are what web browsers use to remember who you are so when you return

00:40:04.890 --> 00:40:09.200
to a website, they can log you in or show you content that’s just for you.

00:40:09.200 --> 00:40:13.849
Cookies are a tracking mechanism and browsers store these cookies on the user’s computer

00:40:13.849 --> 00:40:16.010
in a very specific location.

00:40:16.010 --> 00:40:20.810
But as Samy looked into it, he was noticing some websites figured out a way to track users

00:40:20.810 --> 00:40:24.110
without storing the cookie in that traditional location.

00:40:24.110 --> 00:40:28.290
For instance, some sites ran Flash to display fancy graphics.

00:40:28.290 --> 00:40:32.910
Well, when you get to that website, the Flash video is downloaded and stored on your computer

00:40:32.910 --> 00:40:36.640
and the next time you go to that website, your browser checks to see if you already

00:40:36.640 --> 00:40:39.250
have that video or if you need to download it.

00:40:39.250 --> 00:40:43.030
SAMY: But people were really concerned because some researchers found that some companies

00:40:43.030 --> 00:40:45.871
were using Flash to store cookies on people’s computers.

00:40:45.871 --> 00:40:51.640
The benefit of this was that if a user deletes their normal cookies, their normal web browser

00:40:51.640 --> 00:40:55.500
cookies, which is what advertisers use to track you, well, then the Flash cookie was

00:40:55.500 --> 00:40:59.560
essentially acting as a backup and really surreptitiously because they obviously did

00:40:59.560 --> 00:41:02.720
that intentionally because they knew users might delete their normal cookies.

00:41:02.720 --> 00:41:05.470
I was thinking well, your processor’s a pretty powerful piece of software.

00:41:05.470 --> 00:41:06.800
It does a lot of things.

00:41:06.800 --> 00:41:11.540
I wondered what other mechanisms where I could actually store information locally, and again,

00:41:11.540 --> 00:41:16.290
this is sort of a proof-of-concept to demonstrate what are all the ways that we can store information

00:41:16.290 --> 00:41:19.380
on a person’s computer whether they know it or not?

00:41:19.380 --> 00:41:23.630
I created this open-source JavaScript library called Evercookie.

00:41:23.630 --> 00:41:27.099
It used normal cookies so it would essentially generate a random ID to track somebody, and

00:41:27.099 --> 00:41:30.500
then you’d store it in their normal cookies, you’d store it in Flash cookies.

00:41:30.500 --> 00:41:34.930
But then I tried to find every possible other mechanism that you could use locally, so there

00:41:34.930 --> 00:41:39.760
was Silverlight, the new Silverlight storage, and then Java, and HTML 5 came out so then

00:41:39.760 --> 00:41:44.570
there was local storage and session storage, global storage, SQLite, local cache, your

00:41:44.570 --> 00:41:46.079
web history.

00:41:46.079 --> 00:41:50.160
My friend Matt came up with a really cool idea of destroying the data in an image that

00:41:50.160 --> 00:41:53.050
would get cached and then you could actually read out the pixels in the image and then

00:41:53.050 --> 00:41:54.810
convert it back to an ID.

00:41:54.810 --> 00:41:55.810
All sorts of stuff.

00:41:55.810 --> 00:41:59.560
That was people like Matt and other people also started contributing to this project

00:41:59.560 --> 00:42:02.890
as it’s not entirely an open-source project on GitHub that anyone can actually contribute

00:42:02.890 --> 00:42:03.890
to.

00:42:03.890 --> 00:42:09.040
JACK: This Evercookie project that Samy made really demonstrated how easy it is for websites

00:42:09.040 --> 00:42:13.270
to track their users even if they delete their cookies.

00:42:13.270 --> 00:42:17.280
This was a really effective technique, so effective that when Snowden released a bunch

00:42:17.280 --> 00:42:22.730
of classified documents about what the NSA is doing, in there it even said that the NSA

00:42:22.730 --> 00:42:26.710
sometimes uses Evercookie to track its users through Tor.

00:42:26.710 --> 00:42:29.980
SAMY: A couple people pointed out to me over the years that different governments have

00:42:29.980 --> 00:42:32.450
been using Evercookie to try to track people.

00:42:32.450 --> 00:42:37.170
It definitely feels good that federal governments are using my software; granted, they’re

00:42:37.170 --> 00:42:39.900
doing it for a reason that I’m not into.

00:42:39.900 --> 00:42:45.140
But I actually think the net gain of the entire project is extremely positive because what

00:42:45.140 --> 00:42:49.650
Evercookie really provided and still provides today, is an acid test.

00:42:49.650 --> 00:42:54.200
Now, browsers essentially [00:45:00] can use Evercookie to see okay, does my private mode,

00:42:54.200 --> 00:42:58.550
does my incognito mode, does that provide the necessary protection to make it challenging

00:42:58.550 --> 00:43:03.010
to track this user at least using local storage mechanisms?

00:43:03.010 --> 00:43:07.170
Before Evercookie, there was nothing like that so no one knew about many of these techniques.

00:43:07.170 --> 00:43:11.550
It’s very trivial for any company or government to then generate their own techniques.

00:43:11.550 --> 00:43:15.850
But by consolidating it into a very simple to use library and always trying to keep it

00:43:15.850 --> 00:43:19.750
up to date – people today are still updating Evercookie with new techniques.

00:43:19.750 --> 00:43:24.260
Modern browsers that want to provide consumers and users and businesses privacy, it gives

00:43:24.260 --> 00:43:28.420
them that capability because they know okay, I’ve tested it at least against Evercookie

00:43:28.420 --> 00:43:33.069
which is sort of state-of-the-art and local storage mechanisms.

00:43:33.069 --> 00:43:36.770
Evercookie can’t track it, so at least it makes it very difficult.

00:43:36.770 --> 00:43:40.400
Governments who are using it, they’re really only able to track all browser users who don’t

00:43:40.400 --> 00:43:44.290
upgrade their browsers or operating systems, where people who actually do care about their

00:43:44.290 --> 00:43:48.070
privacy, those people typically know to use modern, up-to-date software.

00:43:48.070 --> 00:43:50.890
I think the overall net gain is extremely beneficial.

00:43:50.890 --> 00:43:54.859
JACK: Let’s talk about Skyjack then, ‘cause I think this is a really cool project.

00:43:54.859 --> 00:43:56.560
What is Skyjack?

00:43:56.560 --> 00:44:02.069
SAMY: Skyjack started when I started hearing that Amazon was potentially going to use drones

00:44:02.069 --> 00:44:04.550
to deliver packages.

00:44:04.550 --> 00:44:06.070
I thought that was really cool.

00:44:06.070 --> 00:44:07.890
I think it’s really awesome that we have drones.

00:44:07.890 --> 00:44:09.589
I think drones are super interesting.

00:44:09.589 --> 00:44:14.500
They’re low-cost and they’ll probably enable a lot of really useful things for humans.

00:44:14.500 --> 00:44:18.290
[MUSIC] However, I was somewhat concerned that that was the idea, I was like, delivering

00:44:18.290 --> 00:44:21.869
just packages because I don’t really know if there was any security on drones.

00:44:21.869 --> 00:44:22.869
I wasn’t sure.

00:44:22.869 --> 00:44:27.119
I really didn’t know anything about drones so I went out and I bought the most ubiquitous

00:44:27.119 --> 00:44:28.520
consumer drone.

00:44:28.520 --> 00:44:32.609
Then soon after, I also bought industrial drones, the type of drones that police use.

00:44:32.609 --> 00:44:35.890
Immediately I started looking to see what are the protection mechanisms, at least in

00:44:35.890 --> 00:44:36.970
the consumer drone.

00:44:36.970 --> 00:44:40.849
Immediately I found absolutely zero; literally none.

00:44:40.849 --> 00:44:46.690
One drone was using essentially WiFi to be controlled and you could hijack that connection.

00:44:46.690 --> 00:44:51.790
You could only have one person controlling the drone at a time so if – I would just

00:44:51.790 --> 00:44:55.210
essentially kick that person off and then I would take over.

00:44:55.210 --> 00:44:59.360
Then I would modify the drone’s software so that the person could never log back in

00:44:59.360 --> 00:45:02.109
and then I would have full control.

00:45:02.109 --> 00:45:05.250
I found that I could do that, and then I started looking at more industrial drones and found

00:45:05.250 --> 00:45:06.420
that they did have encryption.

00:45:06.420 --> 00:45:08.740
However, that encryption was not good at all.

00:45:08.740 --> 00:45:13.349
Basically, if you sat on a radio frequency channel, essentially, it’s doing frequency-hopping.

00:45:13.349 --> 00:45:17.440
The transmitter is jumping around to different frequencies for various reasons; partially

00:45:17.440 --> 00:45:22.540
security, partially to prevent jamming or if there’s a lot of interference, that interference

00:45:22.540 --> 00:45:24.750
will disappear after it hops to the next frequency.

00:45:24.750 --> 00:45:26.950
But that was also based off the encryption key.

00:45:26.950 --> 00:45:31.369
I found if I could sit on a single frequency and I see two packets come in from that drone,

00:45:31.369 --> 00:45:34.970
essentially it would have hopped hundreds of times, and then I jump onto another frequency

00:45:34.970 --> 00:45:38.320
and I see it hop on that frequency two times.

00:45:38.320 --> 00:45:40.970
All of that would typically take a couple seconds, tops.

00:45:40.970 --> 00:45:43.700
I would then be able to reverse the key within a second.

00:45:43.700 --> 00:45:47.410
I would be able to understand what the encryption key is, and then I would be able to hop along

00:45:47.410 --> 00:45:49.420
and take over that drone as well.

00:45:49.420 --> 00:45:53.100
At that point, I put all of this into an open-source project called Skyjack.

00:45:53.100 --> 00:45:57.849
I put it on GitHub and I took a Raspberry Pi Linux computer, I put my software on it,

00:45:57.849 --> 00:46:02.900
I added some WiFi transceivers and some Sub-Gigahertz transceivers for the industrial drones.

00:46:02.900 --> 00:46:07.000
You would then attach this Raspberry Pi to your own drone and you’d fly your own drone

00:46:07.000 --> 00:46:08.000
around.

00:46:08.000 --> 00:46:12.180
While you’re flying your drone around, if Skyjack ever saw another drone on any of these

00:46:12.180 --> 00:46:17.270
wireless frequencies or within wireless range, it would then hijack and take over that drone.

00:46:17.270 --> 00:46:19.500
You would now be in control of both drones.

00:46:19.500 --> 00:46:22.951
In fact, any wireless drones that you found in the vicinity, you would take over all of

00:46:22.951 --> 00:46:27.550
them and you’d be controlling a swarm of zombie drones, entirely under your control

00:46:27.550 --> 00:46:28.680
from one transmitter.

00:46:28.680 --> 00:46:30.600
That was the proof-of-concept there.

00:46:30.600 --> 00:46:34.070
It was a really fun project, especially fun to be testing it.

00:46:34.070 --> 00:46:38.130
Of course, I was testing only on my own drones that I owned, but it of course affected pretty

00:46:38.130 --> 00:46:40.850
much all models of all major drones at the time.

00:46:40.850 --> 00:46:44.500
JACK: Now, I’ve flown a drone and one of the scariest feelings I’ve ever had is when

00:46:44.500 --> 00:46:48.470
you lose control of the thing and it just starts doing its own thing for whatever reason,

00:46:48.470 --> 00:46:49.470
right.

00:46:49.470 --> 00:46:51.450
I mean, that’s a little bit evil what you’re doing here.

00:46:51.450 --> 00:46:57.030
SAMY: I’m not taking over anyone else’s drone; I’ve only taken over my own.

00:46:57.030 --> 00:46:59.980
JACK: Okay, but giving the world the ability to do it?

00:46:59.980 --> 00:47:01.180
I don’t know.

00:47:01.180 --> 00:47:04.920
SAMY: I would disagree with that statement because the world has always had that capability

00:47:04.920 --> 00:47:05.920
of doing it, right?

00:47:05.920 --> 00:47:08.110
How do you know other people aren’t doing it already?

00:47:08.110 --> 00:47:11.329
I would actually suspect that there are plenty of organizations who are doing it.

00:47:11.329 --> 00:47:13.040
They’re just not gonna tell you about it.

00:47:13.040 --> 00:47:14.359
They’re not gonna put it on the internet.

00:47:14.359 --> 00:47:17.660
They’re not gonna put it on GitHub and let you know that they’re taking over people’s

00:47:17.660 --> 00:47:20.900
drones or that they’ve developed the software and hardware necessary to do it.

00:47:20.900 --> 00:47:24.200
They’re just going to create that and they’re going to stockpile it so that they can use

00:47:24.200 --> 00:47:27.210
it against people or companies or governments at their will.

00:47:27.210 --> 00:47:31.740
That’s what we found when the NSA leaks came out; we found out that they were stockpiling

00:47:31.740 --> 00:47:35.960
all of these vulnerabilities including major, major vulnerabilities that affected many – and

00:47:35.960 --> 00:47:40.460
even the NSA that wants to protect America knows that everyone’s running, say, Windows

00:47:40.460 --> 00:47:42.640
computer – or many people are running Windows computers.

00:47:42.640 --> 00:47:45.829
They stockpiled Windows vulnerabilities, zero-days that nobody knew about.

00:47:45.829 --> 00:47:50.700
It was only when one of these databases from the NSA was leaked that [00:50:00] criminals

00:47:50.700 --> 00:47:55.660
were then able to use those exploits and actually attack many, many millions of computers around

00:47:55.660 --> 00:47:58.200
the internet, Americans and non-Americans.

00:47:58.200 --> 00:48:00.530
I don’t think it matters where you’re from.

00:48:00.530 --> 00:48:04.559
What I’m doing by releasing this stuff is demonstrating that yes, this is the issue

00:48:04.559 --> 00:48:06.030
and you can patch it.

00:48:06.030 --> 00:48:08.900
If I don’t release it, then the issue will continue to exist.

00:48:08.900 --> 00:48:12.070
You might ask well, why don’t I just directly communicate with the companies?

00:48:12.070 --> 00:48:16.030
Often, I do and I found over time that when you communicate directly with companies, they

00:48:16.030 --> 00:48:20.961
typically don’t resolve these sorts of things unless you’re talking maybe existing, specific

00:48:20.961 --> 00:48:23.490
software vulnerabilities in their architecture.

00:48:23.490 --> 00:48:26.890
But if you’re saying hey, you’re not using encryption or you’re using it really wrong

00:48:26.890 --> 00:48:30.931
or it’s really the underlying protocol that is the issue, I found that that’s when people

00:48:30.931 --> 00:48:32.450
don’t actually resolve anything.

00:48:32.450 --> 00:48:37.790
That’s when I started releasing stuff publicly and finding oh, if you release a cool proof-of-concept

00:48:37.790 --> 00:48:42.579
that demonstrates the real problem, the underlying, core problem, even if it’s not necessarily

00:48:42.579 --> 00:48:47.010
an issue with maybe the manufacturer but rather a problem with the underlying protocol and

00:48:47.010 --> 00:48:51.780
just assumptions that were made, there is enough public pressure that causes that company

00:48:51.780 --> 00:48:55.900
to then resolve that issue due to the public pressure, not due to the vulnerability itself

00:48:55.900 --> 00:48:59.400
because that’s often what companies are trying to do and no fault to them; they’re

00:48:59.400 --> 00:49:01.010
trying to do what their customers want.

00:49:01.010 --> 00:49:05.290
They’re trying to do what might move the needle for them and I found that this is an

00:49:05.290 --> 00:49:08.849
effective and appropriate way, I believe, to move the needle in a direction that I believe

00:49:08.849 --> 00:49:13.960
will help many people overall rather than just the manufacturer or company or specific

00:49:13.960 --> 00:49:14.960
organization.

00:49:14.960 --> 00:49:19.109
JACK: Has any company gotten upset with you and tried to come after you for some reason

00:49:19.109 --> 00:49:22.390
of disclosing vulnerabilities in their system publicly?

00:49:22.390 --> 00:49:27.119
SAMY: I’ve gotten cease-and-desists many times and that makes it extremely fortunate

00:49:27.119 --> 00:49:31.740
that the EFF, the Electronic Frontier Foundation, they have actually been very helpful to me.

00:49:31.740 --> 00:49:36.660
They’re a non-profit of attorneys who are really just looking out for consumers and

00:49:36.660 --> 00:49:38.230
digital rights.

00:49:38.230 --> 00:49:43.619
Your ability to have free speech online, your ability to inspect the software and hardware

00:49:43.619 --> 00:49:45.840
you use, the ability to own the things that you purchase.

00:49:45.840 --> 00:49:49.700
There are companies who are trying to take this away from us but the EFF, I’ve been

00:49:49.700 --> 00:49:52.680
really fortunate where they’ve defended me in some of these regards.

00:49:52.680 --> 00:49:57.850
I’ve never had to succumb to and actually agree to a cease-and-desist to this day.

00:49:57.850 --> 00:50:03.569
JACK: [MUSIC] For the last decade, Samy has continued to take on very interesting projects;

00:50:03.569 --> 00:50:06.109
hacking into stuff and exposing vulnerabilities.

00:50:06.109 --> 00:50:11.190
Like, another thing he found was that smart phones were tracking their users without their

00:50:11.190 --> 00:50:15.920
knowledge which was a revelation that led to a class action lawsuit.

00:50:15.920 --> 00:50:20.660
SAMY: This all started because I was looking at, I think a beta version of Firefox at the

00:50:20.660 --> 00:50:21.880
time.

00:50:21.880 --> 00:50:25.920
I was looking at the release notes and it talked about geo-location.

00:50:25.920 --> 00:50:27.089
I said well, that’s interesting.

00:50:27.089 --> 00:50:30.670
I’ve always been interested in location, like being able to locate where someone is

00:50:30.670 --> 00:50:34.579
whether it’s on their cell phone or their computer or their laptop or whatever.

00:50:34.579 --> 00:50:39.470
There’s always been these geo-IP databases that sort of give you a geography but really,

00:50:39.470 --> 00:50:43.060
they’re maybe accurate to the city but often not.

00:50:43.060 --> 00:50:45.160
Even city accuracy is not that great.

00:50:45.160 --> 00:50:49.180
I saw this thing about HTML 5 geo-location in a Firefox beta and I started investigating.

00:50:49.180 --> 00:50:50.910
I wrote some code according to their API of how it worked.

00:50:50.910 --> 00:50:56.750
I ran it and all of a sudden, my browser showed me exactly where I was.

00:50:56.750 --> 00:51:00.800
Like, literally, it showed me the physical address of my home.

00:51:00.800 --> 00:51:02.569
I was like, that’s absolutely crazy.

00:51:02.569 --> 00:51:04.809
I’m on the laptop and my laptop does not have GPS.

00:51:04.809 --> 00:51:06.210
I know that for a fact.

00:51:06.210 --> 00:51:08.780
So, how does it know where I am?

00:51:08.780 --> 00:51:12.520
I started sniffing the packets to see where it was going and granted, you could just look

00:51:12.520 --> 00:51:13.520
at the source code.

00:51:13.520 --> 00:51:15.510
It’s Firefox, so it’s open-source.

00:51:15.510 --> 00:51:19.950
After sniffing and I think maybe intercepting the TLS, I saw that it’s taking all of the

00:51:19.950 --> 00:51:24.650
wireless MAC addresses, all of the unique MAC addresses of all the routers around you,

00:51:24.650 --> 00:51:26.890
NAPs, and sending that to Google.

00:51:26.890 --> 00:51:30.590
Even if your wireless routers are encrypted, and even if you don’t have one and there

00:51:30.590 --> 00:51:34.680
are other people who have them, even if they’re encrypted, the MAC address is a unique identifier

00:51:34.680 --> 00:51:37.190
that is unencrypted.

00:51:37.190 --> 00:51:42.430
Your computer sends all of those to Google, and Google returns the exact location that

00:51:42.430 --> 00:51:43.430
you’re located.

00:51:43.430 --> 00:51:46.670
You’re also sending not only the wireless routers but the signal strength of each of

00:51:46.670 --> 00:51:49.200
them, so then they can actually perform what’s called trilateration.

00:51:49.200 --> 00:51:53.390
[MUSIC] It’s like triangulation but essentially, they use that signal strength to then really

00:51:53.390 --> 00:51:54.859
accurately determine where you are.

00:51:54.859 --> 00:51:56.829
I’m like, this is absolutely crazy.

00:51:56.829 --> 00:51:58.599
How are they figuring all this out?

00:51:58.599 --> 00:52:02.960
I found that you’re basically sending all of these unique MAC addresses of all these

00:52:02.960 --> 00:52:06.950
routers around you and Google would send back your exact location.

00:52:06.950 --> 00:52:11.980
Then, I’m wondering well, how does Google know where all these routers are?

00:52:11.980 --> 00:52:15.099
I thought about it some and I thought about it some more, and I realized oh, there’s

00:52:15.099 --> 00:52:19.369
these Google street-view cars and these Google street-view cars are driving around and they

00:52:19.369 --> 00:52:20.490
have cameras on them.

00:52:20.490 --> 00:52:24.720
That’s where you get street-view from, that really helpful feature of Google Maps where

00:52:24.720 --> 00:52:27.109
you can see a street-view.

00:52:27.109 --> 00:52:32.190
I realized that they must have computers and WiFi systems on there that are also monitoring

00:52:32.190 --> 00:52:36.819
for these WiFi MAC addresses and then correlating it with the GPS of the street-view car, and

00:52:36.819 --> 00:52:37.880
then uploading it all to Google.

00:52:37.880 --> 00:52:39.810
That’s how they’re getting this information.

00:52:39.810 --> 00:52:41.750
I was like, that’s really clever.

00:52:41.750 --> 00:52:45.680
I started doing talks about this because I then found a way that I could essentially

00:52:45.680 --> 00:52:49.630
abuse that API and use it for myself whenever someone visits my website and I could see

00:52:49.630 --> 00:52:50.640
exactly where they were.

00:52:50.640 --> 00:52:52.950
[00:55:00] I could even show them; you’d come to my website.

00:52:52.950 --> 00:52:56.730
Without your authorization, I could then send your MAC address and find where you are.

00:52:56.730 --> 00:53:00.940
I was talking about this in Bratislava in Slovakia, and afterwards someone said hey

00:53:00.940 --> 00:53:04.970
Samy, it’s interesting but fortunately this does not apply to us because Google street-view

00:53:04.970 --> 00:53:07.970
cars are not allowed here.

00:53:07.970 --> 00:53:12.619
[MUSIC] Interesting, so I’ll just give it a shot and try running it just to confirm.

00:53:12.619 --> 00:53:14.369
Oddly enough, it still worked.

00:53:14.369 --> 00:53:15.670
It actually worked very accurately.

00:53:15.670 --> 00:53:16.750
I was like, wait a second.

00:53:16.750 --> 00:53:20.210
I don’t think Google’s lying; I don’t believe that they’re doing something illegal.

00:53:20.210 --> 00:53:23.900
I don’t think they have street-view cars when they say they’re not doing that, and

00:53:23.900 --> 00:53:24.900
you would notice.

00:53:24.900 --> 00:53:28.240
Those cars would stick out with these massive sensors on top of them.

00:53:28.240 --> 00:53:33.350
So, what else might Google have access to, especially in somewhere random like Bratislava?

00:53:33.350 --> 00:53:37.790
I thought a little bit more and then realized oh wait, Android phones.

00:53:37.790 --> 00:53:42.020
There are Android phones everywhere and I wonder if these Android phones are actually

00:53:42.020 --> 00:53:43.680
wardriving machines.

00:53:43.680 --> 00:53:48.280
After reverse-engineering some binary blobs on Android devices, this was not actually

00:53:48.280 --> 00:53:50.080
in the source code that I could find.

00:53:50.080 --> 00:53:54.609
I found these binaries that were essentially grabbing all WiFi MAC addresses and sending

00:53:54.609 --> 00:53:59.410
the signal strength of all these wireless routers up to Google, along with GPS coordinates.

00:53:59.410 --> 00:54:04.520
Essentially, every Android phone in existence is a wardriving machine for Google that’s

00:54:04.520 --> 00:54:07.360
grabbing all this information, grabbing all this location data.

00:54:07.360 --> 00:54:12.020
So, even if you don’t use an Android phone, other Android phones near you are then taking

00:54:12.020 --> 00:54:14.960
your router’s information and sending it up with their location.

00:54:14.960 --> 00:54:19.250
JACK: Samy also figured out that iPhones were doing the same thing but sending the data

00:54:19.250 --> 00:54:20.880
to Apple instead of Google.

00:54:20.880 --> 00:54:24.970
What’s worse is that in some cases, this was happening even after users turned off

00:54:24.970 --> 00:54:26.869
the location services or GPS.

00:54:26.869 --> 00:54:29.950
SAMY: Well, this was encrypted so it took a little time to really understand what was

00:54:29.950 --> 00:54:32.480
going on and reverse-engineer some of that stuff.

00:54:32.480 --> 00:54:37.380
To really just demonstrate this as a fun proof-of-concept, I created a tool; really just a simple mobile

00:54:37.380 --> 00:54:40.440
app that behaved just like Google Maps.

00:54:40.440 --> 00:54:43.869
I found that Google was actually doing something really clever with their information.

00:54:43.869 --> 00:54:47.340
Not only were they collecting where everyone was at all times via Android devices, but

00:54:47.340 --> 00:54:49.390
that’s also how they collect traffic.

00:54:49.390 --> 00:54:53.760
That’s how you know whether a street is green, yellow, or red and whether there’s

00:54:53.760 --> 00:54:57.160
traffic or not in Google Maps, is because all of the phones are constantly delivering

00:54:57.160 --> 00:54:58.880
their GPS location.

00:54:58.880 --> 00:55:02.590
If you time that, if you say alright, I’m here now and in ten seconds I’m here, well,

00:55:02.590 --> 00:55:05.890
you can calculate the distance they traveled over that time and know how fast they’re

00:55:05.890 --> 00:55:06.890
moving.

00:55:06.890 --> 00:55:08.070
That’s how they get Google Maps traffic.

00:55:08.070 --> 00:55:12.160
JACK: Samy thought about this for a minute and realized if the Android phones are the

00:55:12.160 --> 00:55:17.500
ones that are delivering data to Google and giving the traffic updates for the Google

00:55:17.500 --> 00:55:21.809
Maps, could he somehow exploit that?

00:55:21.809 --> 00:55:25.619
Could he somehow trick Google’s servers into thinking there’s a traffic jam when

00:55:25.619 --> 00:55:26.619
there’s really not?

00:55:26.619 --> 00:55:28.770
SAMY: I created an app that was just like Google Maps.

00:55:28.770 --> 00:55:33.250
You’d start from point A and say I’m at this location and I want to drive to wherever,

00:55:33.250 --> 00:55:34.250
to West Hollywood.

00:55:34.250 --> 00:55:37.960
It would give you turn-by-turn directions but on those turn-by-turn directions of my

00:55:37.960 --> 00:55:43.020
route, it would simultaneously pretend to be thousands and thousands of other Android

00:55:43.020 --> 00:55:44.590
devices.

00:55:44.590 --> 00:55:48.190
All those devices, all those fake devices, would send up information to Google saying

00:55:48.190 --> 00:55:51.710
hey, I’m one of these Android devices and I’m moving zero miles per hour.

00:55:51.710 --> 00:55:56.319
All of a sudden, my route, the route that my app gave me, would turn red and black for

00:55:56.319 --> 00:56:00.789
everyone else and they would get diverted to different routes on Google Maps.

00:56:00.789 --> 00:56:05.040
Hopefully, my route would be a little bit faster as there would be less cars on the

00:56:05.040 --> 00:56:06.040
road.

00:56:06.040 --> 00:56:08.119
That was sort of my proof-of-concept of demonstrating this issue.

00:56:08.119 --> 00:56:11.839
[MUSIC] Some of it is good to even continue even when you’ve turned off these features,

00:56:11.839 --> 00:56:12.839
like location.

00:56:12.839 --> 00:56:14.020
JACK: I love this hack.

00:56:14.020 --> 00:56:19.840
To make it so wherever you drive, Google Traffic is diverting drivers to go away from you because

00:56:19.840 --> 00:56:24.260
it’s congested wherever you are, even though it’s not congested where you are.

00:56:24.260 --> 00:56:26.059
You’re just sending fake data to Google.

00:56:26.059 --> 00:56:27.470
It’s just brilliant.

00:56:27.470 --> 00:56:33.690
SAMY: Yeah, it’s a proof-of-concept just to poke fun at the information and just demonstrate

00:56:33.690 --> 00:56:35.380
what this information is capable of doing.

00:56:35.380 --> 00:56:40.619
JACK: While this is cool, the underlying issue here is that users were unknowingly sending

00:56:40.619 --> 00:56:43.050
their exact location to Google.

00:56:43.050 --> 00:56:47.770
I don’t know about you, but I don’t personally like that Google knows exactly where my phone

00:56:47.770 --> 00:56:49.280
is at all times.

00:56:49.280 --> 00:56:52.380
I just think it’s a violation of privacy of some sort.

00:56:52.380 --> 00:56:53.380
You know what?

00:56:53.380 --> 00:56:54.480
I’m not the only one who thinks that.

00:56:54.480 --> 00:56:59.310
SAMY: Yeah, so ultimately the biggest issue was that people weren’t accepting that A,

00:56:59.310 --> 00:57:04.630
they were sending all this data up, so ultimately both Google and Apple had to appear on Capitol

00:57:04.630 --> 00:57:07.920
Hill because they previously said no, we’re not tracking you.

00:57:07.920 --> 00:57:11.910
This research demonstrated that yes, in fact, they were tracking exactly where you are virtually

00:57:11.910 --> 00:57:12.910
at all times.

00:57:12.910 --> 00:57:17.050
In some cases, against your consent when you’ve turned off location services on Apple.

00:57:17.050 --> 00:57:21.420
Again, those devices were still sending information that allowed full location of where you were

00:57:21.420 --> 00:57:24.790
because it was sending MAC addresses which they already knew where those were.

00:57:24.790 --> 00:57:28.150
It’s simply one-step correlation in a database they already have.

00:57:28.150 --> 00:57:31.570
It’s not really fair to say that they’re not grabbing at information.

00:57:31.570 --> 00:57:33.599
Ultimately, they did resolve these things.

00:57:33.599 --> 00:57:36.150
It’s funny; the same thing is still happening, right?

00:57:36.150 --> 00:57:37.930
All these phones are still doing the same things.

00:57:37.930 --> 00:57:41.990
The only difference is now you click OK when they say they do it.

00:57:41.990 --> 00:57:45.539
But the benefit here is that for people who don’t want this sort of technology to run,

00:57:45.539 --> 00:57:47.400
they can say no on their phone.

00:57:47.400 --> 00:57:50.990
The scarier thing though is that even if you don’t even have one of these phones,

00:57:50.990 --> 00:57:55.119
it’s all the phones around that are still collecting that information of your router,

00:57:55.119 --> 00:57:58.520
of the devices on your network even though it’s somebody else’s device.

00:57:58.520 --> 00:58:05.119
JACK: I saw a video the other day about a guy who put like, a hundred Android cell phones

00:58:05.119 --> 00:58:07.930
all in a wagon and slowly walked down the road.

00:58:07.930 --> 00:58:14.670
This triggered the Google location API thing to make it show that the road was really congested

00:58:14.670 --> 00:58:16.390
and made it turn red, as well.

00:58:16.390 --> 00:58:21.720
It looks like this API is still under attack just by researchers and people doing weird

00:58:21.720 --> 00:58:23.480
stunts and stuff.

00:58:23.480 --> 00:58:26.619
So, yeah, Samy has a pretty cool YouTube channel.

00:58:26.619 --> 00:58:27.780
You should check that out.

00:58:27.780 --> 00:58:33.599
He’s also given a lot of talks at various conferences like jeez, all over the world.

00:58:33.599 --> 00:58:35.869
How many talks have you given at this point, Samy?

00:58:35.869 --> 00:58:37.740
SAMY: I don’t know; maybe fifty or so.

00:58:37.740 --> 00:58:39.660
JACK: Where are you working now after all this?

00:58:39.660 --> 00:58:42.579
I mean, this is just such a whirlwind life you’ve had so far.

00:58:42.579 --> 00:58:46.549
SAMY: I’ve started a company called Openpath with some friends and we’ve been growing

00:58:46.549 --> 00:58:47.549
quite a bit.

00:58:47.549 --> 00:58:51.710
I’ve done some research in RFID and cloning badges and being able to demonstrate how to

00:58:51.710 --> 00:58:53.349
break into buildings many years ago.

00:58:53.349 --> 00:58:58.109
We found that technology has not changed in the ten years since I’ve looked, wrote software

00:58:58.109 --> 00:59:02.580
that was able to clone badges and break into various levels of security for physical access

00:59:02.580 --> 00:59:03.580
for buildings.

00:59:03.580 --> 00:59:07.839
We were sitting around and thinking well, why is it still a problem and it’s still

00:59:07.839 --> 00:59:08.839
inconvenient?

00:59:08.839 --> 00:59:10.770
Why do I have to carry around this thick card in my wallet?

00:59:10.770 --> 00:59:12.549
I’m trying to get rid of my wallet.

00:59:12.549 --> 00:59:16.500
We ended up building this business called Openpath where you can essentially have physical

00:59:16.500 --> 00:59:20.569
access control for businesses and buildings where A, you don’t need a card.

00:59:20.569 --> 00:59:22.829
You could use a card if you wanted but you could just use your phone.

00:59:22.829 --> 00:59:25.069
Your phone actually has really strong encryption.

00:59:25.069 --> 00:59:29.589
We have things like TLS, we have AES, we have open encryption standards that people have

00:59:29.589 --> 00:59:33.549
been trying to break for many, many years and haven’t, that are entirely open and

00:59:33.549 --> 00:59:35.140
can be inspected by anyone.

00:59:35.140 --> 00:59:39.609
We’re using those technologies to essentially unlock doors and you don’t even need to

00:59:39.609 --> 00:59:40.609
pull your phone out.

00:59:40.609 --> 00:59:45.039
You literally just get within Bluetooth range of one of these devices and you can walk right

00:59:45.039 --> 00:59:46.349
in as long as you have authorization.

00:59:46.349 --> 00:59:51.490
We’re trying to really make a modern and Cloud-based and secure way of getting into

00:59:51.490 --> 00:59:55.119
buildings that is just really convenient ‘cause I’m just trying to get rid of the things

00:59:55.119 --> 00:59:57.760
in my wallet and this kind of technology, it’s just really interesting.

00:59:57.760 --> 01:00:02.600
JACK: Yes, that technology is interesting but so much technology is interesting and

01:00:02.600 --> 01:00:06.610
we live in a time where technology is in abundance, all around us.

01:00:06.610 --> 01:00:10.850
If you think about technology as much as Samy does, it’s like a playground for him; to

01:00:10.850 --> 01:00:14.310
be able to tinker with it all and take it apart, and put it back together in ways it

01:00:14.310 --> 01:00:15.670
was never intended.

01:00:15.670 --> 01:00:20.350
Samy’s hacker mindset is still going strong today and it will probably be strong for decades

01:00:20.350 --> 01:00:25.569
more to come, provided he doesn’t accidentally launch another worm and take down the largest

01:00:25.569 --> 01:00:28.750
social networking website once again.

01:00:28.750 --> 01:00:38.150
JACK (OUTRO): [OUTRO MUSIC] A big thank you to Samy Kamkar for coming on and telling us

01:00:38.150 --> 01:00:39.150
all this.

01:00:39.150 --> 01:00:42.450
To learn more about what Samy’s up to, check out his website.

01:00:42.450 --> 01:00:43.710
It’s samy.pl.

01:00:43.710 --> 01:00:47.890
This show is created by me, a replicant, Jack Rhysider.

01:00:47.890 --> 01:00:49.920
Production assistance from John Kalish.

01:00:49.920 --> 01:00:51.650
Sound design by Andrew Meriwether.

01:00:51.650 --> 01:00:55.610
The theme music was created by the mysterious Breakmaster Cylinder.

01:00:55.610 --> 01:01:00.290
Even though some bro is gonna ask me how to make money on the darknet every time I say

01:01:00.290 --> 01:01:10.830
it, this is Darknet Diaries.
