WEBVTT

00:00:00.000 --> 00:00:04.560
JACK: Hey, it’s Jack, host of the show. I’ve been making this show about cyber-crime for a few years

00:00:04.560 --> 00:00:09.760
now. I’ve interviewed attackers, defenders, black hats, white hats, law enforcement,

00:00:09.760 --> 00:00:14.320
even nation state actors. But there’s one type of person who always refuses

00:00:14.320 --> 00:00:18.840
to be interviewed for the show, and that’s people who find vulnerabilities and sell

00:00:18.840 --> 00:00:23.840
those exploits to governments or companies that will use it to attack people with.

00:00:23.840 --> 00:00:28.320
This is the grey market for exploits. It’s completely legal since it’s often governments

00:00:28.320 --> 00:00:34.040
who buy the exploit, but it’s just very secretive. Maybe there’s NDAs behind each deal

00:00:34.040 --> 00:00:39.560
where the people who bought it want the exploit to remain as unknown as possible. On top of that,

00:00:39.560 --> 00:00:44.440
they don’t want anyone to know they just acquired it, because if someone buys an exploit for say,

00:00:44.440 --> 00:00:50.560
$100,000, it’s like buying a weapon. Someone can use that to access a victim’s device without

00:00:50.560 --> 00:00:56.760
them knowing. But that expensive weapon can instantly become worthless if it becomes known

00:00:56.760 --> 00:01:02.040
to the vendor and they create a patch for it. In fact, that’s where the name zero-day comes from,

00:01:02.040 --> 00:01:06.800
that vendors have known about the exploit for zero days. In this episode, we get

00:01:06.800 --> 00:01:16.977
a peek into the secret world of zero-day brokers. So come on, let’s check it out.

00:01:16.977 --> 00:01:19.320
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:01:19.320 --> 00:01:36.640
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:36.640 --> 00:01:46.260
JACK: So, first of all, who are you and what do you do?

00:01:46.260 --> 00:01:50.720
NICOLE: I am Nicole Perlroth and I am a cyber-security and

00:01:50.720 --> 00:01:53.980
digital espionage reporter at The New York Times.

00:01:53.980 --> 00:02:02.080
JACK: Wow, that sounds exciting. So, as you are a cyber-security reporter and digital espionage

00:02:02.080 --> 00:02:11.540
reporter, have you ever been a – or target of an attack because you were investigating something?

00:02:11.540 --> 00:02:18.840
NICOLE: Yes. So, I have been a target and a victim, although I don’t know to what extent. So,

00:02:18.840 --> 00:02:26.520
I talk about how my first real experience with journalists being a legitimate target for nation

00:02:26.520 --> 00:02:34.560
state spies was within a year of joining the Times, the Chinese military – we actually still

00:02:34.560 --> 00:02:41.080
don’t know if it was the military or a contractor – hacked The New York Times. I was tipped off to

00:02:41.080 --> 00:02:49.600
it, [MUSIC] and to the Times’ eternal credit, they let me in bed with our security team and Mandiant,

00:02:49.600 --> 00:02:56.080
which wasn’t owned by FireEye yet, and the FBI, and for several months we watched the

00:02:56.080 --> 00:03:01.200
guy we called the Beijing Summer Intern roll into our systems at 10:30 in the

00:03:01.200 --> 00:03:09.280
morning Beijing time and roll out at 4:30 or 5:00 PM Beijing time in search of our sources.

00:03:09.280 --> 00:03:14.840
They weren’t after me; they were actually after the sources for a colleague of mine, David

00:03:14.840 --> 00:03:22.680
Barboza’s stories about some of the corruption going on in China’s ruling families. Funny enough,

00:03:22.680 --> 00:03:27.880
his sources for those stories were just public documents. There was no real anonymous source,

00:03:27.880 --> 00:03:33.640
but nevertheless, they were crawling around our systems. One of the fears we had was that it

00:03:33.640 --> 00:03:39.920
might be a kind of destructive attack; they might try to shut down our printing. I had a big event

00:03:39.920 --> 00:03:43.800
like the election that year, so we really didn’t know what they were doing at first,

00:03:43.800 --> 00:03:48.840
and then slowly it became clear they were after our sources. So, that was my first front row

00:03:48.840 --> 00:03:56.860
seat to the lengths that nation states would go to try to get access to journalist sources.

00:03:56.860 --> 00:04:03.840
JACK: Whoever got into The New York Times was in the network during the 2012 US presidential

00:04:03.840 --> 00:04:09.400
election, which you can probably imagine how much of a huge embarrassment it would be if

00:04:09.400 --> 00:04:15.520
the news room got taken down on the night of the election results. But whoever got in wasn’t there

00:04:15.520 --> 00:04:21.040
to sabotage the Times. This was an espionage attack. Malware was installed on a computer

00:04:21.040 --> 00:04:26.200
in The New York Times network which gave an attacker access to the network. From there,

00:04:26.200 --> 00:04:32.200
the attackers gained access to fifty-three computers belonging to New York Times employees.

00:04:32.200 --> 00:04:37.840
But the focus seemed to be looking through the reporters’ computers who covered China.

00:04:37.840 --> 00:04:43.840
This attack originated from a university in China, and the malware used seemed to be something that

00:04:43.840 --> 00:04:49.040
Chinese hackers use frequently. Once the Times found that this attacker was in the network,

00:04:49.040 --> 00:04:52.340
they were able to lock them out and clean the systems that were infected.

00:04:52.340 --> 00:04:57.720
NICOLE: It was funny, actually; it was only later after we published that one of my colleagues said

00:04:57.720 --> 00:05:02.240
oh, by the way, I want – I meant to tell you that I showed up at work one day

00:05:02.240 --> 00:05:08.240
and my entire computer was gone and all these wires were just sitting on my desk and there was

00:05:08.240 --> 00:05:16.680
just a note that said ‘Took your computer. It’s not going to return.’ It turned out,

00:05:16.680 --> 00:05:24.480
his computer had been used for – to stage some of the attacks on other accounts in the Times.

00:05:24.480 --> 00:05:29.760
JACK: So, what’s a big news agency do when they discover that some unauthorized person

00:05:29.760 --> 00:05:35.280
is in their network connecting from China for at least four months? Because sometimes when a

00:05:35.280 --> 00:05:40.520
company admits that they were hacked, there’s some big public shaming that follows. It’s embarrassing

00:05:40.520 --> 00:05:45.500
to admit such things. Their stock could take a big tumble and executives could lose their jobs.

00:05:45.500 --> 00:05:50.680
NICOLE: Well, it was so interesting because they didn’t want me talking about it, so I couldn’t

00:05:50.680 --> 00:06:00.200
actually talk about what I was doing beyond my immediate editor and his editor. There were only

00:06:00.200 --> 00:06:06.560
maybe three or four people in the news room who knew what I was working on for several months.

00:06:06.560 --> 00:06:10.400
But I never mentioned it in story meetings and that kinda thing because we were really keeping

00:06:10.400 --> 00:06:17.000
it quiet until we felt confident that we had eradicated them from our systems. [MUSIC] We

00:06:17.000 --> 00:06:23.720
had these last minute discussions at The New York Times and I remember some of the editors

00:06:23.720 --> 00:06:31.240
gut-checking and just asking wait, should we publish this story? What will The Wall Street

00:06:31.240 --> 00:06:36.520
Journal and The Washington Post say? I said, they’re not gonna say anything because there’s a

00:06:36.520 --> 00:06:43.480
very good chance that they were hacked, too. So, we came out. We decided to publish this story,

00:06:43.480 --> 00:06:50.200
and it changed everything. It was a time when so many companies had been infiltrated by Chinese

00:06:50.200 --> 00:06:55.760
hackers and their intellectual property had been stolen, and no one wanted to talk about it.

00:06:55.760 --> 00:07:00.680
Everyone feared that it would put a scarlet letter on their brand or lower their stock price or lead

00:07:00.680 --> 00:07:08.440
to class action lawsuits. So, we were one of the first companies after Google’s hack in 2009,

00:07:08.440 --> 00:07:14.240
2010 that came out and announced that we had been hacked by China and talked about what the hack

00:07:14.240 --> 00:07:22.240
looked like and who was behind it and what they were after. I remember within twenty-four hours,

00:07:22.240 --> 00:07:27.840
The Wall Street Journal and The Washington Post and a lot of journalists raised their hands on

00:07:27.840 --> 00:07:31.640
Twitter and said we were also hacked, we were also hacked. It was almost like you weren’t

00:07:31.640 --> 00:07:38.080
cool unless you had been hacked by China. It really helped shift the conversation I think

00:07:38.080 --> 00:07:45.800
away from victim-blaming to this is a gigantic problem. News rooms are facing it and American

00:07:45.800 --> 00:07:50.240
companies and Western companies all over the world are facing this, and it’s been going on

00:07:50.240 --> 00:07:57.320
for a really long time. We need to start talking about deterrents and penalties and defense.

00:07:57.320 --> 00:08:02.360
JACK: The Times published an article titled Hackers in China Attacked the Times for the

00:08:02.360 --> 00:08:06.960
Last Four Months. Other news agencies started speaking up and admitted they were hacked by

00:08:06.960 --> 00:08:12.525
China, too. China saw people were blaming them and gave a public response to all these accusations.

00:08:12.525 --> 00:08:14.720
HOST: [BACKGROUND TALK IN CHINESE] According to some investigative results which

00:08:14.720 --> 00:08:20.320
showed no proof and had groundless evidence and baseless conclusion,

00:08:20.320 --> 00:08:29.240
China had participated in online attacks. That is a totally irresponsible conclusion.

00:08:29.240 --> 00:08:35.580
China’s also a victim of online attacks. China’s laws clearly ban online attacks.

00:08:35.580 --> 00:08:40.000
JACK: Well, it’s true that in 2012 when this happened, there was an agreement between

00:08:40.000 --> 00:08:45.640
the US and China that neither country would hack into companies in the other nation. So,

00:08:45.640 --> 00:08:50.160
this was against the rules laid down in the agreement, but it was clear from all these

00:08:50.160 --> 00:08:54.080
companies that were coming forward that China wasn’t respecting that agreement.

00:08:54.080 --> 00:08:58.280
NICOLE: Since that happened, I’ve been a complete paranoid tinfoil

00:08:58.280 --> 00:09:01.240
hat person when it comes to protecting my sources.

00:09:01.240 --> 00:09:05.600
JACK: This was a good lesson for her to learn because a few years later,

00:09:05.600 --> 00:09:09.424
Nicole became the target of online attacks.

00:09:09.424 --> 00:09:13.760
NICOLE: [MUSIC] It was other stuff, then it was getting a security alert from our

00:09:13.760 --> 00:09:22.400
internal security team saying hey, someone on the dark web is advertising good money to anyone who

00:09:22.400 --> 00:09:29.880
can get them access to your phone and your e-mail account. This was a few years ago, but most people

00:09:29.880 --> 00:09:37.800
knew I was working on this book in this trade, and I don’t know whether it was related to the book or

00:09:37.800 --> 00:09:43.760
it was related to one particular story, or maybe I just pissed someone off on Twitter, but it’s never

00:09:43.760 --> 00:09:49.320
a good feeling to know that someone on the dark web is offering money to people to hack your phone

00:09:49.320 --> 00:09:55.580
or your computer. I would say that was probably one of the scariest things I went through.

00:09:55.580 --> 00:09:59.760
JACK: Yikes, that is scary. But let’s talk about her book. Earlier this year,

00:09:59.760 --> 00:10:03.640
Nicole published a book called This Is How They Tell Me the World Ends. I read it

00:10:03.640 --> 00:10:08.600
cover to cover and I thought I was tuned into this world, but even I was picking up my jaw

00:10:08.600 --> 00:10:14.840
off the floor sometimes. Nicole really did some top-notch investigations into the zero-day market.

00:10:14.840 --> 00:10:20.120
She wanted to find out who’s out there developing exploits and who they’re selling them to. So,

00:10:20.120 --> 00:10:23.440
we’re gonna use the term zero-day a lot in this episode, and I want you to understand what it

00:10:23.440 --> 00:10:27.760
is so you’re not lost. A zero-day exploit is basically a vulnerability in software

00:10:27.760 --> 00:10:32.080
that the makers of that software don’t know exists yet. It’s called zero-day because the

00:10:32.080 --> 00:10:36.280
vendor has been aware of it for zero days, which means the vendor is completely unaware of it,

00:10:36.280 --> 00:10:42.120
so it goes unfixed for some time. A zero-day is a working exploit that nobody knows about except

00:10:42.120 --> 00:10:47.200
the person who found it and whoever they give it to. Now, for Nicole to research this story,

00:10:47.200 --> 00:10:51.000
she traveled all over the world meeting with zero-day developers and brokers.

00:10:51.000 --> 00:10:56.360
NICOLE: Okay, so, I went down to Argentina because I kept hearing over and over again

00:10:56.360 --> 00:11:00.760
that some of the best zero-day exploit developers were in the Southern Hemisphere,

00:11:00.760 --> 00:11:09.200
that they were in Argentina. So, I had met an Argentine hacker by the name of Cesar Cerrudo.

00:11:09.200 --> 00:11:15.480
He had approached me because he was really focused on smart cities and the vulnerabilities of smart

00:11:15.480 --> 00:11:22.640
cities. He had done this proof-of-concept hack of traffic lights where he had actually been able to

00:11:22.640 --> 00:11:30.560
hack into the traffic light system in DC and I believe Manhattan, too. So, I had worked with

00:11:30.560 --> 00:11:36.280
him on putting a story together, and I had the opportunity to talk to him a little bit about

00:11:36.280 --> 00:11:41.040
this Argentine exploit development scene that I kept hearing about. He said you should really come

00:11:41.040 --> 00:11:49.720
down and come to Ekoparty [MUSIC] which is a big hacking conference every year in Buenos Aires. So,

00:11:49.720 --> 00:11:56.520
that year I pitched my editors on doing a story about the conference and I went down. I stayed in

00:11:56.520 --> 00:12:04.480
Palermo which is a really nice, hip neighborhood in Buenos Aires. I stayed in this boutique hotel.

00:12:04.480 --> 00:12:09.960
I was hanging out with these hackers and noticing that there were clearly people from front

00:12:09.960 --> 00:12:17.440
companies there who were interested in buying their zero-day exploits. I had talked to some

00:12:17.440 --> 00:12:25.320
of the godfathers of the Argentine hacking scene who really made clear that Argentina had become

00:12:25.320 --> 00:12:32.120
what they called the India of exploit development. That is, people outsource a lot of their software

00:12:32.120 --> 00:12:38.160
engineering to India and in their minds, Argentina had become this big outsourcing hub for exploit

00:12:38.160 --> 00:12:45.040
development. This is where governments and front companies and brokers came to purchase

00:12:45.040 --> 00:12:53.240
zero-day exploits that they could use for their stockpiles of offensive cyber-espionage tools. So,

00:12:53.240 --> 00:13:00.160
one night I went out, and I had always been really careful to bring basically pen and paper

00:13:00.160 --> 00:13:06.920
to these conferences. Ever since that Chinese hack, I realized that the biggest thing that

00:13:06.920 --> 00:13:12.200
I needed to protect was my sources and my conversations with sources, so I have been

00:13:12.200 --> 00:13:19.480
very old school about using pen and paper, about bringing [MUSIC] burner laptops and devices to

00:13:19.480 --> 00:13:26.560
these conferences. If I have to, I’ll use Signal, the encrypted messaging app, but usually with my

00:13:26.560 --> 00:13:32.760
most sensitive conversations – like, I have one source that we just meet up once a month on the

00:13:32.760 --> 00:13:39.160
same day at the same place and we don’t bring our devices and we don’t ever – about those meetings;

00:13:39.160 --> 00:13:46.280
we just show up with pen and paper and I take notes. That is how I protect those conversations.

00:13:46.280 --> 00:13:50.560
But in this case I had brought a burner laptop down with me. I never opened it because it was

00:13:50.560 --> 00:13:56.960
so clunky and useless, and I just write quicker sometimes with pen and paper. I put it in the safe

00:13:56.960 --> 00:14:05.200
in my hotel room, and that night I had gone out by myself. I came home and the door to my hotel

00:14:05.200 --> 00:14:12.200
room was open, the safe was open, there was still the cash I had taken out from the Cueva sitting

00:14:12.200 --> 00:14:18.160
on a table, so no one had stolen anything. When I first saw the door open I thought oh, maybe

00:14:18.160 --> 00:14:23.560
they’re doing late turndown service or something, but the door to the safe was open with my laptop

00:14:23.560 --> 00:14:29.880
in it and my laptop was in a different position. I don’t know what happened, you know? Someone

00:14:29.880 --> 00:14:35.200
clearly opened the safe, they moved it around, they didn’t take any money, but they also left my

00:14:35.200 --> 00:14:41.400
door open. So, I never knew whether they actually did something or put something on the laptop

00:14:41.400 --> 00:14:46.960
or looked at the laptop and saw that there was nothing there, or whether they just left it open

00:14:46.960 --> 00:14:52.960
to scare me or send a message. But regardless, I just took it, put it in the plastic garbage bag

00:14:52.960 --> 00:14:58.670
that was sitting in the bathroom, brought it back down to the lobby, and threw it in the trash can.

00:14:58.670 --> 00:15:01.101
JACK: You just threw the whole thing away.

00:15:01.101 --> 00:15:04.720
NICOLE: Yeah, I just threw the whole thing away. I mean, I never used it. It was this

00:15:04.720 --> 00:15:12.400
old PC and I had covered enough attacks to know that when someone goes to the extra trouble of

00:15:12.400 --> 00:15:19.400
planting something in your laptop, often they do it in places that can be very hard to wipe.

00:15:19.400 --> 00:15:24.260
I was down there by myself and I just was like you know what? I’m just gonna throw it away.

00:15:24.260 --> 00:15:29.400
JACK: Okay, so as I was saying earlier, I cannot seem to find exploit developers to agree to an

00:15:29.400 --> 00:15:33.880
interview. Neither buyers or sellers are willing to talk. Now, I’m not talking about bug hunters

00:15:33.880 --> 00:15:38.480
who are looking for bugs to submit to companies for a bug bounty reward. I’ve interviewed them.

00:15:38.480 --> 00:15:42.440
Nor am I talking about the ethical hackers who just want to help make the world more secure by

00:15:42.440 --> 00:15:47.360
telling companies they’re vulnerable for free, and I have no problem finding people who find bugs to

00:15:47.360 --> 00:15:53.120
compete in a contest to win cash prizes for their bugs. The most elusive people who I can’t get on

00:15:53.120 --> 00:15:58.800
the show are people who look for vulnerabilities and then sell them to the highest bidder. Nicole

00:15:58.800 --> 00:16:03.640
has had that same experience many times, but she’s more determined to get responses and is

00:16:03.640 --> 00:16:08.160
willing to travel the world to talk to some of these people. Guess what? For this book,

00:16:08.160 --> 00:16:13.680
she did interview quite a few of these kind of people. But they’re really hard to find. Even

00:16:13.680 --> 00:16:18.420
though she was in Argentina at Ekoparty, she still had a hard time finding them.

00:16:18.420 --> 00:16:24.480
NICOLE: One thing I did notice was there were a lot of young hackers there. I’m talking

00:16:24.480 --> 00:16:33.800
young like fifteen, fifteen-year-olds. When I would approach them and I would say I’m here,

00:16:33.800 --> 00:16:43.000
I’m trying to learn more about the exploit market, and they would just kind of scatter.

00:16:43.000 --> 00:16:50.360
I remember asking Federico Kirschbaum who is a friend and runs the conference and I

00:16:50.360 --> 00:16:53.440
got to know him very well when I was there, I said I really want to talk to someone who’s

00:16:53.440 --> 00:16:59.040
selling exploits to governments or brokers. We were standing in the middle of this square at

00:16:59.040 --> 00:17:03.440
the conference and he said just throw a stone; you’ll hit all – throw a stone in

00:17:03.440 --> 00:17:09.680
any direction and you’ll hit one. [MUSIC] But they didn’t want to talk to me. It was just a

00:17:09.680 --> 00:17:21.960
weird scene. It was just people with the skills demoing how they could hack cars or the latest app

00:17:21.960 --> 00:17:33.040
or enterprise applications on stage. Then after these people would demo what they did on stage,

00:17:33.040 --> 00:17:42.000
I would see them kind of swarmed by these people who clearly were representatives from governments.

00:17:42.000 --> 00:17:45.440
I’ve been called out on this for saying some of them were Middle Eastern but I mean,

00:17:45.440 --> 00:17:52.080
some of them spoke Arabic. I kept running into them at the conference and I didn’t know where

00:17:52.080 --> 00:17:58.120
they had come from. They studiously avoided me but sometimes we’d end up in the same conversation,

00:17:58.120 --> 00:18:04.080
that kind of thing. I asked Fede, like why are they – if they’re interested in buying exploits,

00:18:04.080 --> 00:18:09.400
why are they going up to the people who just demoed their best exploit on stage? He said oh,

00:18:09.400 --> 00:18:12.960
they’re not interested in that; they want to know what they’re working on next or what

00:18:12.960 --> 00:18:18.680
their side hustle is, or what’s the thing they’re not going to demo on stage? Because

00:18:18.680 --> 00:18:25.240
they know it would make so much more money on the underground grey market for zero-day exploits. So,

00:18:25.240 --> 00:18:33.360
that made sense. I ultimately ended up sitting down with Ivan Arce who is one of the older

00:18:33.360 --> 00:18:42.120
godfathers of the scene. One thing that Ivan told me was the next generation has these other

00:18:42.120 --> 00:18:46.480
opportunities. [MUSIC] They don’t need to just work in the penetration testing business when they

00:18:46.480 --> 00:18:55.360
can make so much money selling a single zero-day exploit to a government or to a government broker.

00:18:55.360 --> 00:19:01.040
They can do it tax-free, they don’t have to worry about Argentina’s inflation problems,

00:19:01.040 --> 00:19:09.600
they don’t have to – this isn’t taxable income, and it has this fun James Bond element to it. So,

00:19:09.600 --> 00:19:15.320
there is this entirely new generation of Argentina exploit developers who are not using this for

00:19:15.320 --> 00:19:21.520
penetration testing. But I found that they can make a lot of money and live pretty large in

00:19:21.520 --> 00:19:27.680
Buenos Aires by selling these capabilities under the table to governments or front companies or

00:19:27.680 --> 00:19:35.840
brokers. So, that is sort of how I told the story of the Argentina hacking scene,

00:19:35.840 --> 00:19:42.000
but none of those young Argentine exploit developers who sell them would talk to me.

00:19:42.000 --> 00:19:47.160
They really did studiously avoid me until maybe the very last day of the conference.

00:19:47.160 --> 00:19:51.040
Then later when the book came out, it was funny because some of them said oh,

00:19:51.040 --> 00:19:58.680
I thought – I would have told you more but I could have sworn you were a CIA agent or a fed.

00:19:58.680 --> 00:20:05.840
JACK: So, let’s back up for a second; how did we get here where

00:20:05.840 --> 00:20:09.600
our current world consists of people making exploits in secret and selling

00:20:09.600 --> 00:20:14.760
them to secret entities all under the table? Well, it wasn’t always like that. I think to

00:20:14.760 --> 00:20:19.584
understand how we got here, we should rewind to when Microsoft was still a young company.

00:20:19.584 --> 00:20:24.360
NICOLE: [MUSIC] Microsoft was really, in particular, trying to play catch-up with Netscape

00:20:24.360 --> 00:20:30.240
on the internet. They really missed the boat on the internet. They dominated the PC market but

00:20:30.240 --> 00:20:37.000
they just didn’t see the internet coming. So, they were racing to catch up and they were just putting

00:20:37.000 --> 00:20:43.720
out this crap, these web servers and software that was just riddled with holes because they were more

00:20:43.720 --> 00:20:50.480
focused on speed and getting this stuff to market and catching up to Netscape than they were with

00:20:50.480 --> 00:20:57.440
security. So, hackers would find these holes and they told me in those days, there was no 1-800

00:20:57.440 --> 00:21:04.760
number to call up Microsoft and say hey, I just used your web server to break into NASA. Those

00:21:04.760 --> 00:21:10.600
channels didn’t exist yet. Often when they would flag these problems for the companies, they would

00:21:10.600 --> 00:21:16.600
get ignored or they would get a sternly-worded letter back from the general counsel. So, they

00:21:16.600 --> 00:21:22.680
started just dumping these things on forums like Bugtraq which was sort of like an early version

00:21:22.680 --> 00:21:31.880
of Reddit. You would just dump what you found on Bugtraq and it was in part for the street cred

00:21:31.880 --> 00:21:40.360
and part to shame these vendors like Microsoft and Sun Microsystems into fixing these holes.

00:21:40.360 --> 00:21:44.200
It also gave – a lot of people on those forums were IT administrators,

00:21:44.200 --> 00:21:50.360
so it kind of gave them a heads-up to these flaws and they could help develop workarounds for their

00:21:50.360 --> 00:21:57.840
employers and customers. So, there was just – the relationship was very broken. It was only

00:21:57.840 --> 00:22:06.520
when Microsoft had these very public failures, when these giant worms like Nimda exploited

00:22:06.520 --> 00:22:14.320
Microsoft problems to essentially impact some of Microsoft’s biggest customers in government

00:22:14.320 --> 00:22:22.440
and Ford and others that Bill Gates really started to take security seriously. Since then,

00:22:22.440 --> 00:22:27.200
he wrote this famous memo. I think it was in 2002 called The Open Trustworthy Computing

00:22:27.200 --> 00:22:34.160
Memo where he said security will be critical to the internet and to software going forward,

00:22:34.160 --> 00:22:41.320
and we’re going to re-prioritize our organizational structure to make security

00:22:41.320 --> 00:22:48.080
a real priority. People laughed it off as a joke or a PR stunt, but slowly it became

00:22:48.080 --> 00:22:55.320
true. Microsoft really started putting channels in place to allow hackers to contact them with flaws.

00:22:55.320 --> 00:23:00.920
I heard that they actually had a pretty interesting database where they would track

00:23:00.920 --> 00:23:07.600
these hackers’ personality quirks and flaws so they knew who to handle with kid gloves, who,

00:23:07.600 --> 00:23:13.000
if they brought you anything, you needed to stop what you were doing and take it very seriously,

00:23:13.000 --> 00:23:21.920
and who was just sort of trolling them. Then later, after Google was hacked by China and

00:23:21.920 --> 00:23:28.600
saw that security was going to be a huge challenge for these companies because now they didn’t have

00:23:28.600 --> 00:23:33.320
to just worry about fraud; they had to worry about military level criminals and hackers,

00:23:33.320 --> 00:23:37.800
they had to worry about nation states breaking into their systems. They started improving

00:23:37.800 --> 00:23:44.000
their security and offering bug bounties to [MUSIC] hackers who brought this code to them.

00:23:44.000 --> 00:23:48.880
JACK: Okay, so, at that point we started to see that vulnerabilities were worth

00:23:48.880 --> 00:23:54.040
money. Microsoft was paying for bugs to get vulnerabilities fixed, but at the same time,

00:23:54.040 --> 00:23:59.440
nation states around the world were also trying to develop their own bugs and software to collect

00:23:59.440 --> 00:24:06.000
intelligence from foreign adversaries. So, it became a sort of arms race between governments

00:24:06.000 --> 00:24:10.240
and Microsoft. No matter what Microsoft offered for bug bounties, the governments

00:24:10.240 --> 00:24:15.480
were willing to pay a little bit more to get access to zero-day exploits within Microsoft

00:24:15.480 --> 00:24:21.760
tools. This creates a problem for software companies who want to make secure software.

00:24:21.760 --> 00:24:26.920
NICOLE: They were never going to pay the rates that governments and brokers were going to be

00:24:26.920 --> 00:24:34.000
offering for these tools, right? Like, the going rate for a zero-day exploit that gets you into an

00:24:34.000 --> 00:24:41.680
iPhone’s iOS software remotely is $2.5 million, although I found one broker in researching the

00:24:41.680 --> 00:24:46.480
book called Crowdfense that now offers even more than that; they offered $3 million for that same

00:24:46.480 --> 00:24:53.680
capability, so we’re getting out-priced these days by other countries. But Apple was never

00:24:53.680 --> 00:24:58.600
going to be able to match that, and Apple was one of the last companies, major companies,

00:24:58.600 --> 00:25:04.600
in Silicon Valley to start offering a bug bounty for these tools. They offer a pretty

00:25:04.600 --> 00:25:10.160
good price, but they’re never going to match government prices, nor would they really

00:25:10.160 --> 00:25:15.840
want to because they don’t want to incentivize their own security engineers from essentially

00:25:15.840 --> 00:25:22.960
leaving the company and making more money on the outside. There’s a very careful calculus at play.

00:25:22.960 --> 00:25:27.160
JACK: Those are the options here; either you can be ethical and sell your bugs to

00:25:27.160 --> 00:25:31.640
software makers or you can shop around on the grey market where they’ll potentially

00:25:31.640 --> 00:25:36.040
buy vulnerabilities for much more. But still, you might be wondering

00:25:36.040 --> 00:25:41.320
what governments would even be interested in buying exploits? Well, I think to answer that,

00:25:41.320 --> 00:25:45.760
we should go back even further in time, before the internet was even here, back to the Ronald

00:25:45.760 --> 00:25:51.240
Reagan era. It was there where Nicole found an interesting story where all this started.

00:25:51.240 --> 00:25:55.520
NICOLE: I was really worried. I had a lot of anxiety about doing this book because I wanted

00:25:55.520 --> 00:26:01.360
to have a character represent one slice of the industry, but the slice of the industry I really

00:26:01.360 --> 00:26:08.720
worried about was the US government because all of these programs are classified. Who

00:26:08.720 --> 00:26:17.720
was going to talk to me about the development of America’s offensive cyber-exploitation programs?

00:26:17.720 --> 00:26:24.120
I was really worried about this. One day I was at work and I was sitting at my cubicle desk and

00:26:24.120 --> 00:26:30.800
I was sort of ruing about this out loud, like god, who am I gonna get from the NSA to talk

00:26:30.800 --> 00:26:36.240
about this? John Markoff, who’s my predecessor at The New York Times, covered cyber-security for

00:26:36.240 --> 00:26:42.386
twenty-something years, said oh, you should just talk to the godfather of cyber-war.

00:26:42.386 --> 00:26:46.440
[MUSIC] I was like, what? He’s like oh yeah, Jim Gosler. I think that’s his name. He was like, I’ll

00:26:46.440 --> 00:26:50.600
send you an e-mail with his name. So, he sends me this e-mail with this guy’s name. I’d never

00:26:50.600 --> 00:26:57.920
heard of him. I start asking around; no one in the InfoSec Twitter world had ever heard of him. But

00:26:57.920 --> 00:27:06.520
I start asking every time I had the opportunity to interview a US leader of one of these intelligence

00:27:06.520 --> 00:27:12.360
agencies over the last seven years. I would make a point to ask them who do you think –

00:27:12.360 --> 00:27:17.720
if you had to name one person who’s the godfather of American cyber-war, who would you say? They all

00:27:17.720 --> 00:27:26.000
without fail said oh, James Gosler. So, one day I called James Gosler and he had spent the bulk

00:27:26.000 --> 00:27:34.200
of his career at Sandia National Labs which is one of the nuclear labs that develops the

00:27:34.200 --> 00:27:39.200
components and evaluates the components that make its – make their way into our nuclear arsenal.

00:27:39.200 --> 00:27:47.240
But he had also spent a large chunk of his career at the NSA and the CIA. So,

00:27:47.240 --> 00:27:52.360
he’s a terrific guy. I say this in the book; he looks like Santa Claus. When I told him that,

00:27:52.360 --> 00:27:57.200
he laughed and said some people would probably describe me more as Satan,

00:27:57.200 --> 00:28:05.040
but okay. He lives in Nevada out in the desert these days, outside Las Vegas,

00:28:05.040 --> 00:28:09.880
and he was retired by the time I got in touch with him. He was really careful to not tell

00:28:09.880 --> 00:28:18.260
me anything classified. But one thing he could point to was this operation called Project Gunman.

00:28:18.260 --> 00:28:21.640
JACK: The French intelligence service told the US

00:28:21.640 --> 00:28:26.920
government that they found Russian bugs listening to their communications. They

00:28:26.920 --> 00:28:31.500
warned the US that we should assume the Russians are spying on us, too.

00:28:31.500 --> 00:28:36.280
NICOLE: We started to suspect that someone had planted a bug inside the

00:28:36.280 --> 00:28:40.880
US embassy in Moscow or something worse than a bug. We started to suspect that

00:28:40.880 --> 00:28:44.600
the Soviets were essentially capturing all of our communications and even our

00:28:44.600 --> 00:28:50.906
unspoken communications. We were worried that there might be a mole at the embassy.

00:28:50.906 --> 00:28:55.440
JACK: [MUSIC] This investigation was kicked off by the NSA and was code-named the Gunman

00:28:55.440 --> 00:29:01.880
Project. It started in 1983 but was signed and approved by President Ronald Reagan in 1984.

00:29:01.880 --> 00:29:08.920
NICOLE: We looked around at our inventory and at that point, we were actually building a new

00:29:08.920 --> 00:29:14.840
embassy in Moscow which had become a total disaster because they were finding bugs in

00:29:14.840 --> 00:29:23.240
the concrete of the construction and it was clear that basically the entire new embassy was becoming

00:29:23.240 --> 00:29:28.920
a Soviet listening device and it was gonna be years before we were going to be confident that

00:29:28.920 --> 00:29:36.680
we could move in without just being surveilled 24/7. So, we knew we had to find the bug in

00:29:36.680 --> 00:29:43.080
the machinery inside the existing embassy. So, Reagan essentially approved this project. You

00:29:43.080 --> 00:29:50.320
get all of the embassy’s equipment, everything with a plug, back to Fort Meade from Moscow,

00:29:50.320 --> 00:29:56.360
to do it in a way that the Soviets would not have the ability to intercept the machinery en route

00:29:56.360 --> 00:30:03.080
back to Fort Meade and remove their bugs, and that we would x-ray and evaluate every last piece of

00:30:03.080 --> 00:30:08.960
equipment at the embassy at Fort Meade in search of the bug. They gave it six months,

00:30:08.960 --> 00:30:14.000
and I think it took a hundred days just to get all that machinery back to Fort Meade

00:30:14.000 --> 00:30:21.120
without giving the Soviets any opportunity to intercept it as it was making its way back.

00:30:21.120 --> 00:30:27.640
Then they tapped I think something like two dozen of the NSA’s best analysts to work out

00:30:27.640 --> 00:30:34.880
in this trailer in the parking lot at Fort Meade and basically search this gear for any evidence

00:30:34.880 --> 00:30:39.720
of a bug, and they were sure that it was going to be in the crypto-gear. But they went through all

00:30:39.720 --> 00:30:45.520
the crypto-gear and they put it through x-rays and they couldn’t find a bug. They went through

00:30:45.520 --> 00:30:49.720
the teleprinters and everything that had been bugged at the French embassy and they couldn’t

00:30:49.720 --> 00:30:57.840
find the bug. Then finally, they did an x-ray of a typewriter that – they had discovered sort of

00:30:57.840 --> 00:31:02.560
an extra coil sitting on the back and they ran it through the x-ray machine. Lo and behold,

00:31:02.560 --> 00:31:08.440
what they found in that coil was the most sophisticated exploit that we had ever

00:31:08.440 --> 00:31:16.800
seen. [MUSIC] It was a tiny magnetometer that recorded the slightest disturbance in

00:31:16.800 --> 00:31:24.240
the Earth’s magnetic field. Then next to it was a device that would catalogue and record

00:31:24.240 --> 00:31:32.400
each disturbance from each typewritten stroke, and then send it to a radio – via radio to a

00:31:32.400 --> 00:31:39.440
listening unit that was buried in the embassy’s chimney and relay it to the Soviets. The Soviets

00:31:39.440 --> 00:31:44.960
could turn it off when they’re – when they knew there were inspectors in the area.

00:31:44.960 --> 00:31:51.800
By the time we found that bug and did a full inventory of all the typewriters at the embassy,

00:31:51.800 --> 00:31:59.840
we learned that the Soviets had been in Americans’ typewriters at embassies and consulates all over

00:31:59.840 --> 00:32:05.200
Russia for something like seven or eight years and had been capturing all of our communications in

00:32:05.200 --> 00:32:11.280
unencrypted form that way. So, what Jim Gosler told me was you need to go back and learn as

00:32:11.280 --> 00:32:16.960
much as you can about Project Gunman, because that was really our a-ha moment. Before that,

00:32:16.960 --> 00:32:25.600
we were just living in La-La Land. After that, we realized that if we did not catch up to the

00:32:25.600 --> 00:32:32.040
Soviets in terms of our own exploitation, if we weren’t trying to find a way to capture every

00:32:32.040 --> 00:32:37.400
last communication from every new technology that hit the market, we would probably lose the Cold

00:32:37.400 --> 00:32:44.120
War and worse, we would never catch up to the Soviets in terms of espionage capabilities. So,

00:32:44.120 --> 00:32:52.040
that is what kickstarted this off. What I learned from more general conversations with Jim Gosler

00:32:52.040 --> 00:32:58.800
and then others and then the Snowden documents, it was very clear that any time any new technology

00:32:58.800 --> 00:33:05.000
came on the market, the NSA was finding ways inside, ways to implant itself inside.

00:33:05.000 --> 00:33:10.440
JACK: So, yeah, that was it. After the Gunman Project in 1984, it was clear to

00:33:10.440 --> 00:33:16.240
the US that the Soviets would go to great lengths to embed themselves in communication devices. So,

00:33:16.240 --> 00:33:20.840
the US government had to figure out ways to embed themselves in devices, too. At first,

00:33:20.840 --> 00:33:25.720
the US government wanted to figure out a way just to make a backdoor into US-made devices, but the

00:33:25.720 --> 00:33:30.960
tech community would always quickly point out how backdoors are vulnerable. So, the US government

00:33:30.960 --> 00:33:35.480
had to figure out how to find exploits in software and communication channels to break into them to

00:33:35.480 --> 00:33:40.320
collect their intelligence. Of course, it’s not just the US and Russia who go to great lengths

00:33:40.320 --> 00:33:45.080
to spy on other countries. There are many other countries in the world who either have or want

00:33:45.080 --> 00:33:49.960
this capability. But you might think doesn’t the NSA have their own research and development

00:33:49.960 --> 00:33:55.420
lab to create their own exploits? Well, yeah, they do. But things are changing over time.

00:33:55.420 --> 00:33:59.680
NICOLE: Well, I think for a long time, the NSA didn’t play in the zero-day market. They

00:33:59.680 --> 00:34:07.160
had the best cryptographers and hackers and operations people in-house, so they

00:34:07.160 --> 00:34:12.280
didn’t have to play in this market. So, when I talked to one of the original zero-day brokers,

00:34:12.280 --> 00:34:16.640
what he said was the NSA didn’t really play in this market for a long time. The biggest

00:34:16.640 --> 00:34:24.920
business that these private exploit developers and brokers had was with other agencies who were

00:34:24.920 --> 00:34:31.080
trying to play the NSA’s game but didn’t have the same talent pool in-house. So,

00:34:31.080 --> 00:34:37.360
agencies like the CIA and some I had never heard of – like, the Missile Defense Agency

00:34:37.360 --> 00:34:43.320
I learned played in this market. I had never heard of the Missile Defense Agency until

00:34:43.320 --> 00:34:48.360
someone who sells zero-day exploits told me that they sold to the Missile Defense Agency.

00:34:48.360 --> 00:34:56.400
I guess it makes sense because if you want to somehow perhaps interfere with

00:34:56.400 --> 00:35:02.680
North Korea’s missile launching tests, then you want to get into the missile systems. Or

00:35:02.680 --> 00:35:07.560
if you want to find out what the schedule is for North Korea’s missile launches,

00:35:07.560 --> 00:35:11.760
you’d want to hack into the systems that contain details about the dates they plan

00:35:11.760 --> 00:35:18.320
these tests. So, it makes sense that they would be participating in this market. But for a long time,

00:35:18.320 --> 00:35:25.240
the NSA did not because they had a lot of these capabilities in-house. But then later,

00:35:25.240 --> 00:35:31.840
thanks to Snowden, we know that there was a line item added to their black budget,

00:35:31.840 --> 00:35:39.360
and it wasn’t very big; it was something like $25.1 million to buy these capabilities in

00:35:39.360 --> 00:35:48.280
2013. We know that they have purchased these vulnerabilities from the outside.

00:35:48.280 --> 00:35:52.160
JACK: We know the NSA was buying exploits from outside contractors,

00:35:52.160 --> 00:35:55.880
and they would do this very covertly, so there’s not much information about who

00:35:55.880 --> 00:36:00.360
they’re buying from or what they’re buying. After all, if we knew what they were buying,

00:36:00.360 --> 00:36:04.800
the software company would just patch it and would instantly make that million-dollar vulnerability

00:36:04.800 --> 00:36:10.304
worthless. But Nicole was able to talk with some former NSA employees to learn more.

00:36:10.304 --> 00:36:16.600
NICOLE: [MUSIC] Yeah, so, some of the people I talked to were basically among the top hackers

00:36:16.600 --> 00:36:24.040
within Tailored Access Operations, the NSA’s hacking unit. Some of them, when I talked to

00:36:24.040 --> 00:36:29.160
their former colleagues, were described as the guy you’d go to for the impossible. When

00:36:29.160 --> 00:36:36.320
you cannot get into that terrorist’s cell phone, what do you do? You would go to one

00:36:36.320 --> 00:36:44.240
of these guys and they would find a way around it whether it was hacking their cleaning lady or

00:36:44.240 --> 00:36:51.060
their spouse or finding something in their house to plant a bug in, that kinda thing.

00:36:51.060 --> 00:36:55.120
JACK: Okay, so there’s this group of people who were at the NSA who were one of the best that the

00:36:55.120 --> 00:37:01.120
NSA had for hacking into target computers. They saw this shift in the wind that the NSA was paying

00:37:01.120 --> 00:37:07.920
huge amounts for exploits while their pay was just government office salaries. On top of that,

00:37:07.920 --> 00:37:13.280
there was a lot of bureaucracy. They loved the mission but got frustrated with all the

00:37:13.280 --> 00:37:18.320
red tape that they constantly had to go through. It was slowing them down and frustrating them.

00:37:18.320 --> 00:37:26.160
NICOLE: They left together and they started Vulnerability Research Labs. The goal was to

00:37:26.160 --> 00:37:35.160
develop really reliable click-and-shoot espionage tools for their former employer and for these

00:37:35.160 --> 00:37:41.400
other agencies, and then eventually Five Eyes. What they could do on the outside that they

00:37:41.400 --> 00:37:49.760
couldn’t do on the inside was really interesting. They were all American but being on the outside,

00:37:49.760 --> 00:37:56.160
they could buy zero-days from hackers in other countries. Then they would

00:37:56.160 --> 00:38:02.360
use their fuzz farms and their skills to essentially turn these into very slick,

00:38:02.360 --> 00:38:07.200
seamless click-and-shoot tools for their former employer and these other agencies.

00:38:07.200 --> 00:38:13.720
One of the things they said was when they were in the agency, one of the biggest problems

00:38:13.720 --> 00:38:18.080
was when it came time to deploy a zero-day exploit that was sitting in their stockpile,

00:38:18.080 --> 00:38:23.360
oftentimes it didn’t work. It just didn’t work with that particular system or it crashed systems

00:38:23.360 --> 00:38:27.520
on the other end which is a big problem when you’re running these operations, because you don’t

00:38:27.520 --> 00:38:32.880
want to tip off the target. Obviously if your computer suddenly crashes for no reason, then you

00:38:32.880 --> 00:38:41.640
become suspicious if you’re a high-value, paranoid target. So, they really worked on the reliability

00:38:41.640 --> 00:38:48.280
and click-and-shoot elements of these tools and would turn over – develop this reputation

00:38:48.280 --> 00:38:53.760
for developing some of the easiest to use, most reliable tools that some of these agencies use.

00:38:53.760 --> 00:38:59.440
JACK: Interesting stuff. Some of the best hackers within the NSA turned into independent

00:38:59.440 --> 00:39:05.480
contractors so they could work faster and make more money, but were on the outside? This is one

00:39:05.480 --> 00:39:09.920
of those things that someone like Microsoft is afraid of, too. If they pay too much for bugs,

00:39:09.920 --> 00:39:14.440
then some of their internal bug hunters might decide to quit but keep doing the same thing;

00:39:14.440 --> 00:39:19.000
just make more money on the outside. But I wonder what does it look like in the NSA

00:39:19.000 --> 00:39:22.840
when you’re trying to break into a foreign adversary? How do you know what top-secret

00:39:22.840 --> 00:39:28.640
tools you can use? Is there a list of what exploits the NSA has in their arsenal? Or

00:39:28.640 --> 00:39:33.040
is there a book of something to flip through to find what’s the right exploit for the job?

00:39:33.040 --> 00:39:37.640
NICOLE: I have a hard time visualizing it, too. The only thing that I was really told

00:39:37.640 --> 00:39:44.240
was that basically they have a catalogue that – when they want to get into a certain system,

00:39:44.240 --> 00:39:48.440
they can check in and see what they have in their catalogue. But I don’t know if that

00:39:48.440 --> 00:39:54.640
catalogue is on a hard disk, I don’t know if it’s run by a certain secret

00:39:54.640 --> 00:39:59.594
software that no one else uses. I don’t know what it actually looks like exactly.

00:39:59.594 --> 00:40:04.080
JACK: Yeah, and then the team at VRL, do they have to demonstrate it? Do they come in for

00:40:04.080 --> 00:40:08.740
training and say alright, here’s how to use these things? There’s a whole…

00:40:08.740 --> 00:40:14.560
NICOLE: Those are all great questions. I know they did do trainings, but one of the things

00:40:14.560 --> 00:40:20.640
that he told me was once they sold it, what they didn’t get to do is what they got to do

00:40:20.640 --> 00:40:25.400
at the agency which was they got to actually push the button and use it and see what it

00:40:25.400 --> 00:40:32.560
turned over on the other side. That is what you don’t get to do once you leave these agencies,

00:40:32.560 --> 00:40:38.520
is you don’t get to be involved in the actual mission. What they said was we just got these

00:40:38.520 --> 00:40:42.000
things working and then we threw it over the fence, and we didn’t really know how

00:40:42.000 --> 00:40:49.240
they got used. We used to work at that agency, so we had a good idea of how these were used,

00:40:49.240 --> 00:40:55.120
but as someone put it to me under Trump, they didn’t know if the use cases were changing or

00:40:55.120 --> 00:41:01.200
there was more leeway being given in terms of how these capabilities would get used or

00:41:01.200 --> 00:41:07.700
who they would get used against. It started to change their own moral calculus a little bit.

00:41:07.700 --> 00:41:13.040
JACK: Yeah. Yeah, and that is an interesting question. I don’t know

00:41:13.040 --> 00:41:16.400
if we can – I don’t know where else to go with this interview because it’s just so

00:41:16.400 --> 00:41:21.680
great so far and wherever you go, it’s – I do love exploring all these ideas that come up.

00:41:21.680 --> 00:41:25.760
NICOLE: Mm-hm. Don’t you feel weird even talking about it in the open on

00:41:25.760 --> 00:41:33.546
a microphone? This is – for whatever reason, this is Fight Club. No one talks about this.

00:41:33.546 --> 00:41:37.440
JACK: [MUSIC] It does feel weird because it’s a really weird situation. Software

00:41:37.440 --> 00:41:42.280
companies like Microsoft take their security very seriously, but their own government is trying to

00:41:42.280 --> 00:41:47.240
find flaws in Microsoft products in order to collect intelligence from foreign adversaries,

00:41:47.240 --> 00:41:51.600
so it’s almost like the US government is enemies with Microsoft, especially

00:41:51.600 --> 00:41:56.320
since Microsoft has to do damage control of stuff that the NSA has known about for years.

00:41:56.320 --> 00:42:02.160
NICOLE: We discovered Flame, which we believe was maybe the precursor to Stuxnet,

00:42:02.160 --> 00:42:09.320
that was either US-Israeli or just US or just Israeli that was being used to spy on Iranian

00:42:09.320 --> 00:42:17.080
systems. That utilized – that exploited the Microsoft software update mechanism which is

00:42:17.080 --> 00:42:24.280
the – such a point of trust between Microsoft and its customers. If you can’t trust that the

00:42:24.280 --> 00:42:29.000
prompt you’re getting that you need to update your software is coming from Microsoft and not

00:42:29.000 --> 00:42:39.080
the NSA or Unit 8200 in Israel or whoever, then that is a real problem for the company. When

00:42:39.080 --> 00:42:44.120
Flame was discovered and when it was discovered that it was exploiting the Microsoft software

00:42:44.120 --> 00:42:51.400
update mechanism, people inside Microsoft lost their heads. They could not believe that

00:42:51.400 --> 00:42:58.280
their own government potentially was exploiting their software and this communication channel,

00:42:58.280 --> 00:43:04.440
this trusted communication channel with customers to hack Iranian systems, that they would basically

00:43:04.440 --> 00:43:10.280
throw Microsoft under the bus in the name of espionage and battlefield preparations.

00:43:10.280 --> 00:43:18.920
They were already reeling from that, and then the Snowden leaks didn’t improve the situation. At

00:43:18.920 --> 00:43:27.800
first, when The Guardian and others dropped those documents, the Prism slides, it looked like the

00:43:27.800 --> 00:43:35.400
NSA had some secret backdoor in Microsoft systems. Later we would learn that was not the case. But in

00:43:35.400 --> 00:43:41.600
terms of perception, it was a huge PR nightmare for the company and hugely destructive for the

00:43:41.600 --> 00:43:46.360
relationship between Microsoft and government and the fact that Microsoft couldn’t even come

00:43:46.360 --> 00:43:52.400
out and say wait a minute, no, we do not give the government real-time access to our servers, but

00:43:52.400 --> 00:43:58.720
we do comply with lawful requests. But we can’t tell you how many we get a year. They started

00:43:58.720 --> 00:44:07.480
fighting those battles in court. But over and over again when the NSA was hacked by Shadowbrokers;

00:44:07.480 --> 00:44:13.320
we don’t know who Shadowbrokers are, but we know that they dumped an exploit online that

00:44:13.320 --> 00:44:21.480
contained a zero-day in Microsoft’s code that the NSA had held onto for more than five years.

00:44:21.480 --> 00:44:29.440
When I dug into that exploit and I interviewed people at the agency, they knew that that code

00:44:29.440 --> 00:44:35.800
– they likened it to fishing with dynamite. They knew that that code that they were using,

00:44:35.800 --> 00:44:40.800
which by the way was netting some of the best counterintelligence they got, they told me,

00:44:40.800 --> 00:44:46.600
would have been extremely dangerous in the hands of anyone else. Lo and behold,

00:44:46.600 --> 00:44:52.000
after it was hacked and dumped online by the Shadowbrokers, it was picked up by North Korea

00:44:52.000 --> 00:44:59.560
and it was picked up by Russia. It was used in a NotPetya attack which cost FedEx $400 million

00:44:59.560 --> 00:45:07.040
and decimated vaccine production lines at Merck and set a – turned off the radiation

00:45:07.040 --> 00:45:12.880
monitoring systems at the Chernobyl nuclear site and took out the production lines in Tasmania,

00:45:12.880 --> 00:45:23.720
the Cadbury Egg chocolate factory. It was clear that by holding onto that code for that long,

00:45:23.720 --> 00:45:27.620
we were leaving Americans at risk if that ever got out, and it got out.

00:45:27.620 --> 00:45:32.360
JACK: The other thing the US government is known to do sometimes is to go to software

00:45:32.360 --> 00:45:37.380
companies and try to get these companies to just give them secret access to their products.

00:45:37.380 --> 00:45:43.040
NICOLE: What happened was I was part of a team at The New York Times with ProPublica and The

00:45:43.040 --> 00:45:51.800
Guardian that got access to the Snowden documents. It was clear that the NSA knew that there

00:45:51.800 --> 00:45:58.400
was a – that the NSA could break through this essentially weak random number generator and were

00:45:58.400 --> 00:46:05.520
pushing the international standard bodies that set encryption standards to use this weak random

00:46:05.520 --> 00:46:11.720
number generator that the agency could break. [MUSIC] So, I wrote about that, and then Joe

00:46:11.720 --> 00:46:18.960
Menn at Reuters did a subsequent story where he found out that actually, it appeared that the NSA

00:46:18.960 --> 00:46:25.520
might have actually been paying RSA to bake these weak number generators into some of their security

00:46:25.520 --> 00:46:34.280
products. So, still unclear what exactly happened there. But it looked like once again the US

00:46:34.280 --> 00:46:42.800
government was pushing this vulnerable system into commercial products because it enabled

00:46:42.800 --> 00:46:50.680
them to conduct espionage. Once again, it’s just another example of the trade-off that the US was

00:46:50.680 --> 00:47:00.840
willing to make in the name of national security but would have left Americans more vulnerable.

00:47:00.840 --> 00:47:04.560
JACK: Like I was saying, it’s not just the US government that’s doing this. There’s

00:47:04.560 --> 00:47:09.960
governments all over the world now using computers and exploits to break into communication channels

00:47:09.960 --> 00:47:15.760
to collect intelligence. Some countries like China use these exploits to spy on their own

00:47:15.760 --> 00:47:21.640
people. North Korea uses these cyber-capabilities to make money by robbing banks and launching

00:47:21.640 --> 00:47:26.680
ransomware on the world. It seems like the cards are stacked against us when it comes to securing

00:47:26.680 --> 00:47:32.680
our lives. It’s very asymmetrical because if you become the target of a government cyber-attack,

00:47:32.680 --> 00:47:37.520
they pretty much have endless resources to get what they want, and you simply won’t be able to

00:47:37.520 --> 00:47:42.040
defend yourself effectively. Of course, when a government becomes so secretive,

00:47:42.040 --> 00:47:48.320
it becomes much less transparent. We know less and less about what they’re doing in cyber-space which

00:47:48.320 --> 00:47:53.600
means we have to trust them more and more. But look at some of our political leaders;

00:47:53.600 --> 00:47:58.160
they didn’t grow up with computers and they don’t understand the nuances of what goes on in the

00:47:58.160 --> 00:48:05.440
wires. So, I’m not confident that tech-illiterate leaders can lead effectively in the digital age.

00:48:05.440 --> 00:48:10.080
We need people who understand this even at a basic level so they can make good decisions

00:48:10.080 --> 00:48:14.960
for our future. For the last few decades, countries around the world have been watching

00:48:14.960 --> 00:48:20.320
the US to see how they should act when conducting digital espionage. When you have the US doing

00:48:20.320 --> 00:48:25.800
things like developing exploits and sabotaging nuclear enrichment facilities only to deny that

00:48:25.800 --> 00:48:30.960
they had any involvement with it, that’s what other countries will see and follow and do,

00:48:30.960 --> 00:48:36.320
too. Nations around the world now are acting like there’s no consequence for hacking into

00:48:36.320 --> 00:48:42.480
foreign nations or companies or people. They’ll develop or buy exploits to use and keep them

00:48:42.480 --> 00:48:48.080
extremely secret. I don’t know, when the world is connected in the way it is now,

00:48:48.080 --> 00:48:53.760
it just seems like we’re all headed towards a major catastrophic digital disaster. That

00:48:53.760 --> 00:48:58.880
kind of thing freaks me out sometimes. So, I think I’ll sign off here and go make another

00:48:58.880 --> 00:49:16.297
backup of my digital life and store it in a Faraday cage and bury it underground somewhere.

00:49:16.297 --> 00:49:19.440
(OUTRO): [OUTRO MUSIC] A big thank you to Nicole Perlroth for coming on the show and telling

00:49:19.440 --> 00:49:23.480
us about this. Look, her book is top-notch and amazing, and when you’re done with it,

00:49:23.480 --> 00:49:27.480
you’ll find yourself staring out the window contemplating the meaning of life. It’s

00:49:27.480 --> 00:49:32.600
thought-provoking and gives you an incredible peek into the esoteric world of zero-day brokers

00:49:32.600 --> 00:49:37.240
that no one has exposed before like the way she has. The book is called This Is How They Tell Me

00:49:37.240 --> 00:49:41.680
the World Ends. I’ll have an affiliate link to both Amazon and Audible in the show notes. If

00:49:41.680 --> 00:49:46.040
you’re new to Audible, you can get the book for free through my link. This show is made by me,

00:49:46.040 --> 00:49:50.120
the lone survivor, Jack Rhysider. Sound design was done by the synth known as

00:49:50.120 --> 00:49:54.520
Andrew Meriwether. Editing help this episode by the railroad veteran Damienne and our theme

00:49:54.520 --> 00:50:00.120
music is by the brotherhood of steel recruit, Breakmaster Cylinder. Even though – alright,

00:50:00.120 --> 00:50:05.381
I can’t think of a joke, so let’s try this; okay Google, [BEEP] tell me a joke.

00:50:05.381 --> 00:50:06.500
GOOGLE: Your privacy…

00:50:06.500 --> 00:50:13.800
JACK: What? This is Darknet Diaries.
