WEBVTT

00:00:00.210 --> 00:00:04.080
JACK: Real quick before we get started, this is like Part 2 or actually it’s Part 3 of

00:00:04.080 --> 00:00:05.080
a series.

00:00:05.080 --> 00:00:08.270
We’re talking with Victor in this episode who’s part of the Guild of the Grumpy Old

00:00:08.270 --> 00:00:09.270
Hackers.

00:00:09.270 --> 00:00:11.770
To learn who they are, you need to check out the episode before this.

00:00:11.770 --> 00:00:16.010
In fact, I’m gonna reference the last episode quite a bit in this episode but to understand

00:00:16.010 --> 00:00:19.320
what happened in the last episode, you really should listen to the episode before that.

00:00:19.320 --> 00:00:24.130
So yeah, this is a three-parter which is intended for you to listen to Episode 86 first, called

00:00:24.130 --> 00:00:28.150
LinkedIn, then Episode 87, and now this one, Episode 88.

00:00:28.150 --> 00:00:30.410
Alright, let’s do this.

00:00:30.410 --> 00:00:38.170
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:38.170 --> 00:00:42.750
I’m Jack Rhysider.

00:00:42.750 --> 00:00:46.910
This is Darknet Diaries.

00:00:46.910 --> 00:00:53.500
[INTRO MUSIC ENDS]

00:00:53.500 --> 00:01:02.920
JACK: So, we’re picking back up with one of the members of the Guild of the Grumpy

00:01:02.920 --> 00:01:03.920
Old Hackers.

00:01:03.920 --> 00:01:06.580
We’re talking with Victor and I’m fascinated with his work.

00:01:06.580 --> 00:01:11.549
He’s known on Twitter as @0xDUDE and he’s made a life out of filing coordinated vulnerability

00:01:11.549 --> 00:01:12.549
disclosures.

00:01:12.549 --> 00:01:15.070
He’s a self-proclaimed janitor of the internet.

00:01:15.070 --> 00:01:18.860
Victor is constantly scanning around, looking for vulnerabilities and reporting them.

00:01:18.860 --> 00:01:21.250
I’m not talking about a few reports here and there.

00:01:21.250 --> 00:01:28.150
[MUSIC] So, your Twitter bio says 5,789 responsible disclosures.

00:01:28.150 --> 00:01:30.150
What? How?

00:01:30.150 --> 00:01:32.660
VICTOR: Well, that started in 1998.

00:01:32.660 --> 00:01:34.280
JACK: That’s a lot.

00:01:34.280 --> 00:01:38.600
So, you’re talking – you’ve been doing responsible disclosure for over twenty years?

00:01:38.600 --> 00:01:40.369
VICTOR: Yeah, it’s twenty-two years now.

00:01:40.369 --> 00:01:41.369
Yeah, yeah.

00:01:41.369 --> 00:01:44.990
JACK: Alright, so let’s actually go back to his first vulnerability disclosure.

00:01:44.990 --> 00:01:49.240
He used to go to a video store sometimes to rent movies when he was younger.

00:01:49.240 --> 00:01:52.540
Before Netflix there were these stores that you could go in and browse for the movies

00:01:52.540 --> 00:01:54.469
and borrow one for the night or whatever.

00:01:54.469 --> 00:01:56.210
This store wasn’t far from his house.

00:01:56.210 --> 00:02:00.270
He’d head down there every Friday to pick up some movies for the weekend.

00:02:00.270 --> 00:02:02.640
Problem was, everyone also had that same idea.

00:02:02.640 --> 00:02:05.380
VICTOR: Friday evening, that was always rush hour.

00:02:05.380 --> 00:02:09.890
JACK: [MUSIC] People piled into the store and pestered whoever was behind the counter.

00:02:09.890 --> 00:02:13.080
Hey, is this movie in or hey, do you have this one yet?

00:02:13.080 --> 00:02:15.830
Or, I want to watch this one; is it available?

00:02:15.830 --> 00:02:19.150
Employees would have to stop whatever they were doing and try to answer all these questions.

00:02:19.150 --> 00:02:23.680
They got fed up with that, so the store installed a computer that customers could use to look

00:02:23.680 --> 00:02:25.080
for the titles themselves.

00:02:25.080 --> 00:02:32.040
But to Victor, this opened and unlocked computer which was connected to the store’s network

00:02:32.040 --> 00:02:36.050
and inventory really caught his attention.

00:02:36.050 --> 00:02:41.810
So, he got on it, but the computer was locked down and only gave users access to search

00:02:41.810 --> 00:02:44.739
the store’s inventory on what was in stock.

00:02:44.739 --> 00:02:48.989
You couldn’t do anything else on this computer but Victor took that as a challenge to see

00:02:48.989 --> 00:02:51.260
if there was something else he could do on it.

00:02:51.260 --> 00:02:56.630
VICTOR: That terminal, that was just a UNIX terminal and it was – didn’t have any

00:02:56.630 --> 00:02:57.630
security.

00:02:57.630 --> 00:03:03.370
With Ctrl + Shift + F1, I could break out of a shell and just get access to that system.

00:03:03.370 --> 00:03:08.989
JACK: Bam, by just hitting Ctrl + Shift + F1, Victor could take over this computer.

00:03:08.989 --> 00:03:13.840
He could slyly pull up his account, reserve movies, and add credits to his account.

00:03:13.840 --> 00:03:17.790
He could see all the other people’s accounts too and take a look at what movies they’d

00:03:17.790 --> 00:03:18.840
checked out.

00:03:18.840 --> 00:03:23.250
Victor told the store that this new computer is a liability and they said there wasn’t

00:03:23.250 --> 00:03:28.549
much they could do about it because the company that wrote the software is really out of business.

00:03:28.549 --> 00:03:33.010
But the store took this warning and tried to fix the problem themselves which actually

00:03:33.010 --> 00:03:34.700
was kind of a joke to Victor.

00:03:34.700 --> 00:03:39.620
VICTOR: The funny part was that a week later, the owner of that store says well, we fixed

00:03:39.620 --> 00:03:45.379
the security because they put a plastic layer – cover on the keyboard.

00:03:45.379 --> 00:03:48.819
JACK: Basically, they just covered some of the keys with a shield to prevent people from

00:03:48.819 --> 00:03:52.820
typing certain keys like Shift, Ctrl, F1.

00:03:52.820 --> 00:03:56.799
Victor told him that doesn’t quite work, but the store disagreed.

00:03:56.799 --> 00:03:58.970
So, Victor set out to prove them wrong.

00:03:58.970 --> 00:04:03.470
VICTOR: [MUSIC] I used a paperclip – two paperclips to get under the plastic and still

00:04:03.470 --> 00:04:04.470
pressing those buttons.

00:04:04.470 --> 00:04:09.220
JACK: But Edward Papercliphands here screwed it up and he hit the wrong key.

00:04:09.220 --> 00:04:14.209
VICTOR: I did like, Ctrl + F2 which was the option for reboot server, and the server did

00:04:14.209 --> 00:04:16.310
reboot but didn’t start up anymore.

00:04:16.310 --> 00:04:20.570
JACK: So, he was trying to prove to the store that the shield just didn’t work but now

00:04:20.570 --> 00:04:23.850
he made it worse and crashed the system on accident.

00:04:23.850 --> 00:04:25.610
He glanced over at the checkout counter.

00:04:25.610 --> 00:04:30.380
The employees were trying to scan the barcodes on movies but it wasn’t working.

00:04:30.380 --> 00:04:34.930
It turned out this computer had more than one job and it wasn’t just there to allow

00:04:34.930 --> 00:04:36.460
customers to search for movies.

00:04:36.460 --> 00:04:41.130
VICTOR: They had to write down everything by hand, so I created a little traffic jam.

00:04:41.130 --> 00:04:45.220
JACK: The store eventually got things up and running again and what Victor learned from

00:04:45.220 --> 00:04:50.789
this whole thing was finding vulnerabilities on computers is fun but if he was gonna do

00:04:50.789 --> 00:04:53.590
this kind of work, he’d have to be more cautious.

00:04:53.590 --> 00:04:56.930
VICTOR: If I want to do the good thing, I have to be very careful.

00:04:56.930 --> 00:05:02.430
I have to be very descriptive and I have to stay in conversation with the people who are

00:05:02.430 --> 00:05:08.970
responsible for the systems and find a fine line between being helpful and being obnoxious.

00:05:08.970 --> 00:05:14.190
JACK: [MUSIC] It was about the same time that Victor found himself at a crossroads in life.

00:05:14.190 --> 00:05:18.069
While he was working on these early vulnerability disclosures, this ethical hacking, he was

00:05:18.069 --> 00:05:23.280
also busy cracking software, which is illegal to circumvent the copyrighted protections

00:05:23.280 --> 00:05:24.330
on software.

00:05:24.330 --> 00:05:27.970
He realized this ethical dilemma and he came to a realization.

00:05:27.970 --> 00:05:31.520
VICTOR: If I keep going in this direction, I will get nowhere.

00:05:31.520 --> 00:05:38.220
So it was like okay, what can I do to make it more useful, that I can help other people

00:05:38.220 --> 00:05:41.660
without getting in trouble and still doing cool things?

00:05:41.660 --> 00:05:45.039
Because I’m still accessing systems without permission, you know?

00:05:45.039 --> 00:05:46.039
That’s still damn cool.

00:05:46.039 --> 00:05:50.729
JACK: It was at this moment that Victor realized he needed to use his skills for good.

00:05:50.729 --> 00:05:53.120
This meant he was gonna keep hacking and looking for vulnerabilities.

00:05:53.120 --> 00:05:56.770
He’d have to do it under a strict code of ethical conduct, though.

00:05:56.770 --> 00:06:01.311
He’d spent years practicing and honing his techniques to do this and yes, it is damn

00:06:01.311 --> 00:06:04.750
cool to still get to hack into systems and not get in trouble for it.

00:06:04.750 --> 00:06:07.880
So, after college Victor began his career in IT.

00:06:07.880 --> 00:06:12.580
He worked his way up from system administrator to network administrator and got a job with

00:06:12.580 --> 00:06:13.580
the Dutch government.

00:06:13.580 --> 00:06:18.500
[MUSIC] Over the years he kept finding vulnerabilities and issuing these disclosures to people, kind

00:06:18.500 --> 00:06:19.900
of like a hobby.

00:06:19.900 --> 00:06:23.710
But one day he realized he wanted to get even more serious about it.

00:06:23.710 --> 00:06:29.240
It was in 2016; him and a friend started a non-profit that was all about finding and

00:06:29.240 --> 00:06:30.479
reporting vulnerabilities.

00:06:30.479 --> 00:06:32.780
They called it the GDI Foundation.

00:06:32.780 --> 00:06:36.820
Their hope was that people in other countries would start GDI chapters and build a global

00:06:36.820 --> 00:06:39.960
network of volunteers working to help secure the internet.

00:06:39.960 --> 00:06:44.620
Their mission is quote, “To protect the free and open internet by trying to make it

00:06:44.620 --> 00:06:49.880
safe and by thus guarding the wellbeing of humans online, to ensure respect for all human

00:06:49.880 --> 00:06:53.580
intellectual freedom and to prevent and mitigate digital abuse.”

00:06:53.580 --> 00:06:54.780
End quote.

00:06:54.780 --> 00:06:56.270
Victor didn’t mess around.

00:06:56.270 --> 00:07:02.460
He asked for an entire year off from his day job and not just any year, either; it was

00:07:02.460 --> 00:07:03.759
2016, a leap year.

00:07:03.759 --> 00:07:10.180
VICTOR: Let’s do for one year, 366 days, nonstop finding vulnerabilities, as much as

00:07:10.180 --> 00:07:11.470
humanly possible.

00:07:11.470 --> 00:07:13.990
JACK: Victor and his friends went all-in that year.

00:07:13.990 --> 00:07:18.840
There’s a lot of insecure stuff on the internet; databases just left open with default credentials,

00:07:18.840 --> 00:07:22.330
servers wide open, and different services and ports that were not secured.

00:07:22.330 --> 00:07:25.780
It’s pretty sad how easy it is to find vulnerabilities out there.

00:07:25.780 --> 00:07:29.990
But the tricky part is telling someone about it, trying to find who owns that server and

00:07:29.990 --> 00:07:33.080
the contact details of who this stuff belongs to.

00:07:33.080 --> 00:07:38.380
VICTOR: After fifteen minutes investigating a database, most of the time you know of who

00:07:38.380 --> 00:07:39.380
the owner is.

00:07:39.380 --> 00:07:42.651
JACK: [MUSIC] Once they know who’s in charge of it, they send over a responsible disclosure

00:07:42.651 --> 00:07:45.419
e-mail outlining the problem and how to fix it.

00:07:45.419 --> 00:07:48.800
After all that, GDI adds the database to a script that’s constantly running.

00:07:48.800 --> 00:07:53.250
It checks up on the database every so often just to see if stuff gets patched, or worse;

00:07:53.250 --> 00:07:57.720
if a hacker got in and stole some data or wiped the whole thing, because that’s an

00:07:57.720 --> 00:07:58.720
option, too.

00:07:58.720 --> 00:08:00.830
A hacker could just get in there and delete everything.

00:08:00.830 --> 00:08:06.409
By the summer of 2016, just a couple months into this new GDI adventure, Victor was the

00:08:06.409 --> 00:08:07.600
database watchdog.

00:08:07.600 --> 00:08:13.280
VICTOR: I think I’ve seen every open database at that moment that was connected to the internet.

00:08:13.280 --> 00:08:18.169
JACK: Here’s the basic process; databases run on a certain port, so MySQL, for example,

00:08:18.169 --> 00:08:23.270
runs on port 3306, and so he could just scan the internet or use a website like Shodan

00:08:23.270 --> 00:08:27.740
to first look for any IPs that have port 3306 open.

00:08:27.740 --> 00:08:31.860
Then once he finds that, he’ll try default usernames and passwords or maybe a handful

00:08:31.860 --> 00:08:36.470
of very weak passwords like the word ‘password’ to see if that’s it.

00:08:36.470 --> 00:08:40.800
Yeah, from this alone, he was tripping over tons of open databases.

00:08:40.800 --> 00:08:43.870
Some didn’t even have passwords at all.

00:08:43.870 --> 00:08:48.130
Then they’d tell all the database owners that their stuff is insecure.

00:08:48.130 --> 00:08:51.870
As their efforts grew, so did the number of people pitching in to help GDI.

00:08:51.870 --> 00:08:55.860
[MUSIC] In the beginning, it was just Victor and his friends but almost fifty different

00:08:55.860 --> 00:08:58.840
volunteers have joined on in the last five years.

00:08:58.840 --> 00:09:04.440
In that time, the foundation has filed coordinated vulnerability disclosures on over a million

00:09:04.440 --> 00:09:07.500
security issues out there on the internet.

00:09:07.500 --> 00:09:12.270
VICTOR: You can see us like the volunteer fire brigade or emergency help.

00:09:12.270 --> 00:09:15.640
We want to prevent that people become a victim.

00:09:15.640 --> 00:09:21.829
We’re a group of volunteers that help prevent abuse by trying to report these systems that

00:09:21.829 --> 00:09:25.790
are already indexed by other sources as soon as possible.

00:09:25.790 --> 00:09:32.490
We’re just one of those many, many volunteering groups online that does these kind of things.

00:09:32.490 --> 00:09:38.020
JACK: Victor could have called it good after starting up the GDI Foundation but no, he’s

00:09:38.020 --> 00:09:42.519
possessed and he takes his self-proclaimed role of the internet janitor seriously.

00:09:42.519 --> 00:09:46.510
In 2019 he got involved with another non-profit.

00:09:46.510 --> 00:09:52.709
This one’s called the Dutch Institute for Vulnerability Disclosure, or DIVD, and Victor’s

00:09:52.709 --> 00:09:53.709
the chairman.

00:09:53.709 --> 00:09:57.870
DIVD is a lot like GDI but it’s ran by Dutch researchers and they often scan computers

00:09:57.870 --> 00:09:59.590
in the Netherlands for vulnerabilities.

00:09:59.590 --> 00:10:03.130
VICTOR: If we cannot find an organization within minutes, then we immediately take the

00:10:03.130 --> 00:10:07.750
entire collection and send it off to the ISP, the internet service provider, who gonna of

00:10:07.750 --> 00:10:11.260
course then send it back to their customers.

00:10:11.260 --> 00:10:15.600
JACK: They sometimes find problems on the Dutch government’s network which is interesting

00:10:15.600 --> 00:10:17.750
because Victor works for the Dutch government.

00:10:17.750 --> 00:10:24.690
VICTOR: By putting these communication frameworks in place and these agreements, we can prevent

00:10:24.690 --> 00:10:26.880
that vulnerabilities stay longer online.

00:10:26.880 --> 00:10:30.540
JACK: Which is definitely a noble thing to do but let’s pump the brakes here for a

00:10:30.540 --> 00:10:33.250
second because there’s a catch to doing all this do-gooding.

00:10:33.250 --> 00:10:36.640
So, let’s talk about the ethics here for a second.

00:10:36.640 --> 00:10:37.640
VICTOR: Yeah.

00:10:37.640 --> 00:10:43.459
JACK: [MUSIC] You are actively looking for vulnerabilities in companies that aren’t

00:10:43.459 --> 00:10:45.150
asking you to look for vulnerabilities.

00:10:45.150 --> 00:10:46.150
VICTOR: Exactly.

00:10:46.150 --> 00:10:48.510
JACK: Is there an ethics problem with that?

00:10:48.510 --> 00:10:50.259
VICTOR: It depends who you ask.

00:10:50.259 --> 00:10:51.750
For me, no.

00:10:51.750 --> 00:10:56.040
For example, the work that we do is non-profit.

00:10:56.040 --> 00:11:01.540
It’s voluntarily and it’s to prevent that the people that we – or organization that

00:11:01.540 --> 00:11:03.459
we warn that they’ve become a victim.

00:11:03.459 --> 00:11:07.230
JACK: Victor says what it really comes down to is what your aim is.

00:11:07.230 --> 00:11:12.339
VICTOR: There is that fine line where you have to look what is the intention?

00:11:12.339 --> 00:11:18.399
Am I going to access the system or account and starting showing it off or use it for

00:11:18.399 --> 00:11:21.320
my own benefit to show that I had access to it?

00:11:21.320 --> 00:11:26.070
Or I’m going to be as discreet as possible and try to inform you that this your issue;

00:11:26.070 --> 00:11:29.010
you need to fix this and this is what you can do to protect yourself?

00:11:29.010 --> 00:11:32.861
JACK: So, if your purpose is to surf around the internet poking and prodding, looking

00:11:32.861 --> 00:11:37.230
for weaknesses but you’re not planning to tell anyone about it, well, you look a lot

00:11:37.230 --> 00:11:39.610
like a hacker who’s up to no good.

00:11:39.610 --> 00:11:44.139
But if you were going to coordinate with the person who you found the vulnerability with

00:11:44.139 --> 00:11:49.190
and tell them privately and they can fix it, well, then you’ve crossed into the good

00:11:49.190 --> 00:11:50.190
side.

00:11:50.190 --> 00:11:51.690
But where is that line, though?

00:11:51.690 --> 00:11:56.840
The GDI Foundation and DIVD mark that line with a strict code of conduct and mission

00:11:56.840 --> 00:11:59.200
statements which is posted to their websites.

00:11:59.200 --> 00:12:03.290
Here’s an outline; first, they don’t do this for profit.

00:12:03.290 --> 00:12:07.910
They don’t ask for any bounty reward or ransom for finding a vulnerability.

00:12:07.910 --> 00:12:11.730
They’re non-profits and they’re supported by donations and sponsors.

00:12:11.730 --> 00:12:16.510
They don’t launch attacks against networks that would degrade the service in any way.

00:12:16.510 --> 00:12:19.339
They don’t buy or sell stolen data.

00:12:19.339 --> 00:12:23.510
They look for well-known vulnerabilities, stuff that doesn’t require advanced skills

00:12:23.510 --> 00:12:29.170
or tools to exploit, and they only use passive scans and only push deeper if they find something.

00:12:29.170 --> 00:12:31.959
VICTOR: We act on where there is smoke, there must be fire.

00:12:31.959 --> 00:12:36.980
I’m not going to kick in my neighbor’s door because I think there is a fire while

00:12:36.980 --> 00:12:37.980
there’s no smoke outside.

00:12:37.980 --> 00:12:43.120
If there are no signals that there’s something wrong, then there should not be a reason for

00:12:43.120 --> 00:12:46.060
me to start digging into it.

00:12:46.060 --> 00:12:49.850
JACK: Finally – and this is important – they don’t air people’s dirty laundry.

00:12:49.850 --> 00:12:54.350
When they find a problem, it stays between them and the owner and they don’t ask them

00:12:54.350 --> 00:12:56.060
to admit anything to the public.

00:12:56.060 --> 00:12:58.810
They just ask that it gets fixed and then they move on.

00:12:58.810 --> 00:13:03.310
It’s great to have an ethical framework and a strict code of conduct but there can

00:13:03.310 --> 00:13:04.700
still be grey areas.

00:13:04.700 --> 00:13:09.930
For example, this whole thing with Trump’s Twitter in 2016; that did expose Trump’s

00:13:09.930 --> 00:13:11.709
dirty laundry, so to speak.

00:13:11.709 --> 00:13:16.019
It hit the news and everything but I think they preferred it if it was done quietly.

00:13:16.019 --> 00:13:20.870
So, when you’ve got the world’s attention, you have to tread a little more carefully.

00:13:20.870 --> 00:13:26.949
[MUSIC] Okay, so as promised, the story of Victor’s coordinated disclosure number 5,780.

00:13:26.949 --> 00:13:32.079
See, I first interviewed the Grumpy Hackers back in October 2020, and I was gonna post

00:13:32.079 --> 00:13:34.269
this episode right around election time.

00:13:34.269 --> 00:13:37.810
But then something happened which really put a twist in the story.

00:13:37.810 --> 00:13:42.050
So, it was just a couple of weeks before the US presidential election.

00:13:42.050 --> 00:13:46.750
Victor’s Twitter feed is crammed with election coverage and conspiracy theories.

00:13:46.750 --> 00:13:50.480
VICTOR: Some people were getting, you know, these elections are rigged, people are going

00:13:50.480 --> 00:13:53.769
to try to mess with it, probably through the social media.

00:13:53.769 --> 00:13:54.970
I was like okay, interesting.

00:13:54.970 --> 00:13:59.110
Let’s see which social media accounts are all involved with this election.

00:13:59.110 --> 00:14:02.590
JACK: The presidential election of 2020 was a pretty volatile time.

00:14:02.590 --> 00:14:06.230
Disinformation was spreading everywhere and yeah, if someone were to hack a political

00:14:06.230 --> 00:14:09.660
figure’s Twitter account, it could have some serious consequences.

00:14:09.660 --> 00:14:13.930
So, Victor was curious about the security of the Twitter accounts for the presidential

00:14:13.930 --> 00:14:15.050
candidates.

00:14:15.050 --> 00:14:17.680
He was looking at both their personal and official accounts.

00:14:17.680 --> 00:14:23.630
The personal ones are like, @JoeBiden, @Mike_Pence, @realDonaldTrump, and have blue check marks

00:14:23.630 --> 00:14:25.970
which means Twitter has verified these people.

00:14:25.970 --> 00:14:32.089
But then there’s official accounts like @POTUS and @VP, and these have a little American

00:14:32.089 --> 00:14:35.690
flag followed by US Government Account.

00:14:35.690 --> 00:14:39.149
So, how can you check the security of these accounts?

00:14:39.149 --> 00:14:44.089
Well, it turns out if you type in the username and just a bogus password, it’ll tell you

00:14:44.089 --> 00:14:48.910
two different messages depending on if you have two-factor authentication turned on or

00:14:48.910 --> 00:14:50.180
not.

00:14:50.180 --> 00:14:55.529
Victor figured out these error codes which meant he could see if somebody had two-factor

00:14:55.529 --> 00:14:57.160
authentication on or not.

00:14:57.160 --> 00:15:02.051
So, he went through a bunch of the presidential candidate Twitter accounts to see if they

00:15:02.051 --> 00:15:07.230
had extra security features turned on, like two-factor authentication.

00:15:07.230 --> 00:15:11.350
Since he already knew everyone’s username, he would just go to the Twitter login page,

00:15:11.350 --> 00:15:14.339
type in their username, and then some bogus password.

00:15:14.339 --> 00:15:15.870
VICTOR: Let’s try Biden.

00:15:15.870 --> 00:15:16.870
Well, okay.

00:15:16.870 --> 00:15:17.870
Let’s try Pence.

00:15:17.870 --> 00:15:18.870
Let’s try the VP account.

00:15:18.870 --> 00:15:22.690
JACK: If it told him the error message which indicated this had two-factor authentication

00:15:22.690 --> 00:15:25.130
turned on, he’d just move onto the next one.

00:15:25.130 --> 00:15:30.850
VICTOR: All those Twitter accounts are protected with extra security measures except Donald

00:15:30.850 --> 00:15:34.230
Trump.
JACK: Wait, what?

00:15:34.230 --> 00:15:38.779
Donald Trump’s personal Twitter account didn’t have two-factor authentication turned

00:15:38.779 --> 00:15:43.490
on in 2020, as the sitting US president?

00:15:43.490 --> 00:15:47.699
After everything that happened four years ago, you would think that he would have two-factor

00:15:47.699 --> 00:15:49.420
authentication turned on, right?

00:15:49.420 --> 00:15:50.990
Well, he didn’t.

00:15:50.990 --> 00:15:55.201
The president of the US did not have two-factor authentication enabled on his Twitter account

00:15:55.201 --> 00:16:00.320
and when Victor typed in a bogus password, it just said that’s the wrong password which

00:16:00.320 --> 00:16:03.300
meant he could try again, and again, and again.

00:16:03.300 --> 00:16:06.370
Now, I only half-blame Trump here.

00:16:06.370 --> 00:16:11.930
With all the stink that the Grumpy Old Hackers made about this in 2016, Twitter should have

00:16:11.930 --> 00:16:16.780
absolutely required two-factor authentication for all major accounts.

00:16:16.780 --> 00:16:22.060
At least, the president of the US should have this required and enforced by Twitter, right?

00:16:22.060 --> 00:16:25.860
Maybe everyone with over a million followers should be required to have two-factor authentication

00:16:25.860 --> 00:16:30.269
enabled, or heck, you could even enforce everyone with a blue check mark to have it on, too.

00:16:30.269 --> 00:16:34.270
I’m just saying, any high-profile account is going to see attempts for people trying

00:16:34.270 --> 00:16:39.540
to login as them and this should warrant extra account security, right?

00:16:39.540 --> 00:16:43.540
I asked the CEO of Twitter about this but he didn’t respond.

00:16:43.540 --> 00:16:48.709
But actually, Twitter published a blog post a month before this which says quote, “We’re

00:16:48.709 --> 00:16:52.390
taking the additional step of proactively implementing account security measures for

00:16:52.390 --> 00:16:57.320
a designated group of high-profile election-related Twitter accounts in the US.

00:16:57.320 --> 00:17:01.339
Starting today, these accounts will be informed via an in-app notification from Twitter of

00:17:01.339 --> 00:17:05.660
some of the initial account security measures we will be requiring or strongly recommending

00:17:05.660 --> 00:17:06.730
going forward.”

00:17:06.730 --> 00:17:07.730
End quote.

00:17:07.730 --> 00:17:12.660
They go on to say that these designated groups are people in the US Executive Branch which

00:17:12.660 --> 00:17:17.559
would be the president as well as other members of government and political journalists, so

00:17:17.559 --> 00:17:22.490
it’s clear that Twitter did take the steps to make this happen, but something clearly

00:17:22.490 --> 00:17:23.970
wasn’t going as planned.

00:17:23.970 --> 00:17:27.650
Again, the CEO of Twitter never got back to me on why.

00:17:27.650 --> 00:17:30.180
VICTOR: This risk was there at that moment.

00:17:30.180 --> 00:17:32.180
Why? I don’t know.

00:17:32.180 --> 00:17:33.180
I would like to know.

00:17:33.180 --> 00:17:37.050
JACK: A couple weeks before all this, Trump had been in the hospital for COVID-19.

00:17:37.050 --> 00:17:40.179
Maybe while he was there, a staffer was in charge of his Twitter and they just turned

00:17:40.179 --> 00:17:42.010
off two-factor authentication.

00:17:42.010 --> 00:17:45.280
Or maybe Trump turned it off because he was just tired of all these extra steps to get

00:17:45.280 --> 00:17:46.280
logged in.

00:17:46.280 --> 00:17:48.100
VICTOR: This guy is over seventy.

00:17:48.100 --> 00:17:49.460
He’s like, seventy-four.

00:17:49.460 --> 00:17:53.130
My mother is the same age and has the same security sense.

00:17:53.130 --> 00:17:57.450
She also keeps switching off two-factor authentication because it’s not convenient.

00:17:57.450 --> 00:17:59.190
It’s a hassle, it’s annoying.

00:17:59.190 --> 00:18:04.070
JACK: [MUSIC] Whatever the reason, two-factor authentication was definitely turned off on

00:18:04.070 --> 00:18:06.059
@realDonaldTrump’s account.

00:18:06.059 --> 00:18:10.220
This was a problem for Victor just like it was in 2016.

00:18:10.220 --> 00:18:16.460
This account was the mouthpiece of a powerful US president and should be locked down.

00:18:16.460 --> 00:18:19.429
Victor was worried that a hacker could get in and do some kind of damage.

00:18:19.429 --> 00:18:24.179
VICTOR: He can make a remark about an organization or a company that can influence the stock

00:18:24.179 --> 00:18:30.330
market or he could do damage from that because he has a lot of followers that will blindly

00:18:30.330 --> 00:18:32.659
believe anything that he writes.

00:18:32.659 --> 00:18:35.160
For Trump, his Twitter account is everything to him.

00:18:35.160 --> 00:18:41.309
That’s his way to communicate with people without being obstructed by mainstream media.

00:18:41.309 --> 00:18:46.380
JACK: It felt like a weird cycle, like 2016 repeating itself.

00:18:46.380 --> 00:18:50.409
At this point Victor could walk away from this whole thing because he’d submitted

00:18:50.409 --> 00:18:55.200
a responsible disclosure to Trump four years ago explaining this exact problem, and so

00:18:55.200 --> 00:18:57.870
it was up to Trump’s team to fix it and keep it fixed.

00:18:57.870 --> 00:19:02.670
But obviously that wasn’t happening, and not only is it happening again; it’s

00:19:02.670 --> 00:19:07.690
worse because this is now the sitting US president and his account is vulnerable weeks before

00:19:07.690 --> 00:19:08.929
an election.

00:19:08.929 --> 00:19:10.970
This was ludicrous.

00:19:10.970 --> 00:19:12.740
Victor couldn’t let it go.

00:19:12.740 --> 00:19:16.980
He smelled the smoke but wanted to see if there was fire.

00:19:16.980 --> 00:19:30.100
Stay with us because after the break, he finds out.

00:19:30.100 --> 00:19:34.100
Victor decided to try to login as Donald Trump on Twitter.

00:19:34.100 --> 00:19:38.520
His first thought was to see if Trump’s password was the same from 2016.

00:19:38.520 --> 00:19:44.860
He sat down at his computer, closed his eyes, and typed in ‘yourefired’.

00:19:44.860 --> 00:19:46.299
It didn’t work.

00:19:46.299 --> 00:19:47.570
Wrong password.

00:19:47.570 --> 00:19:51.020
He took a break to think of another guess and glanced at his Twitter feed.

00:19:51.020 --> 00:19:53.040
VICTOR: I saw a tweet pass by.

00:19:53.040 --> 00:19:56.860
It was someone sharing the WiFi password of one of the Trump rallies.

00:19:56.860 --> 00:20:02.350
JACK: [MUSIC] The tweet was a picture of some WiFi login credentials for a Trump rally.

00:20:02.350 --> 00:20:07.240
The event had happened on October 13 in Johnstown, Pennsylvania.

00:20:07.240 --> 00:20:11.260
Trump’s team had set up a WiFi network at the rally.

00:20:11.260 --> 00:20:16.409
The photo in the tweet showed the network ID was Make America Great Again and the password

00:20:16.409 --> 00:20:17.520
was ‘maga2020!!’.

00:20:17.520 --> 00:20:20.250
VICTOR: That’s interesting.

00:20:20.250 --> 00:20:26.700
That was probably done by his – by Team Trump, you know, his support group.

00:20:26.700 --> 00:20:32.210
JACK: Victor thought this might be a good next guess for Trump’s Twitter account.

00:20:32.210 --> 00:20:37.559
If Trump’s people had a bunch of passwords to keep track of, they might reuse some or

00:20:37.559 --> 00:20:41.440
maybe they’d use slightly different versions of the same password.

00:20:41.440 --> 00:20:44.250
Victor gave this password a shot.

00:20:44.250 --> 00:20:45.250
No.

00:20:45.250 --> 00:20:48.090
He tried all lowercase; ‘maga2020’.

00:20:48.090 --> 00:20:49.299
No.

00:20:49.299 --> 00:20:53.100
He tried with an uppercase M. No.

00:20:53.100 --> 00:21:01.179
For his fifth guess he typed in all lowercase ‘maga2020!’ and pressed Enter.

00:21:01.179 --> 00:21:03.169
Twitter kind of hung there for a few seconds.

00:21:03.169 --> 00:21:05.980
VICTOR: This took like, four or five seconds.

00:21:05.980 --> 00:21:08.330
It was way longer – so I was like okay, great.

00:21:08.330 --> 00:21:12.850
I’m going to get the suspicious login error now because I’m locked out.

00:21:12.850 --> 00:21:16.460
JACK: Victor wasn’t locked out and no error message appeared.

00:21:16.460 --> 00:21:21.070
Instead, Trump’s Twitter account loaded up on Victor’s screen.

00:21:21.070 --> 00:21:28.960
VICTOR: It took me like, a few seconds to realize shit, it worked.

00:21:28.960 --> 00:21:35.880
JACK: [MUSIC] Victor was logged into Twitter as the president of the United States, with

00:21:35.880 --> 00:21:38.179
66 million followers.

00:21:38.179 --> 00:21:39.570
Whoa.

00:21:39.570 --> 00:21:41.620
He felt a surge of adrenaline.

00:21:41.620 --> 00:21:42.880
He was totally shocked.

00:21:42.880 --> 00:21:44.830
Was this actually happening?

00:21:44.830 --> 00:21:51.919
VICTOR: My eyes go to the left corner where I see his username instead of my own.

00:21:51.919 --> 00:21:55.520
JACK: Yes, this was happening again.

00:21:55.520 --> 00:21:58.380
This is the second time Victor got into Trump’s account.

00:21:58.380 --> 00:22:02.010
It’s like a bad dream, and it left him stunned.

00:22:02.010 --> 00:22:05.400
VICTOR: I think I sit still for at least twenty seconds.

00:22:05.400 --> 00:22:10.549
JACK: It was one of those ‘go stare out the window and contemplate life’ kinda moments.

00:22:10.549 --> 00:22:16.049
While it might seem like this could have been a victorious moment, it was less than ideal

00:22:16.049 --> 00:22:17.049
for Victor.

00:22:17.049 --> 00:22:20.970
VICTOR: Because of all the people that I wanted this to work, it would have been nice if it

00:22:20.970 --> 00:22:21.970
was someone else.

00:22:21.970 --> 00:22:27.890
I would have preferred if it was Biden but no, it was him.

00:22:27.890 --> 00:22:29.860
JACK: Which frustrated Victor.

00:22:29.860 --> 00:22:34.789
VICTOR: There’s a history; we had a history with this person where we reported something,

00:22:34.789 --> 00:22:40.419
we really saved his ass when it comes to reputation and we never, never got a thank you.

00:22:40.419 --> 00:22:45.130
Even from the most horrible organizations in the world where we reported things, we

00:22:45.130 --> 00:22:47.140
got an okay or a thank-you back.

00:22:47.140 --> 00:22:51.970
JACK: Not only was Victor salty about the way the 2016 disclosure went down, he was

00:22:51.970 --> 00:22:54.760
also in another ethical grey area now.

00:22:54.760 --> 00:22:57.909
Normally when he submitted a vulnerability disclosure, he wouldn’t go back

00:22:57.909 --> 00:23:00.460
and test that vulnerability again.

00:23:00.460 --> 00:23:05.320
But he’d crossed that line all to make sure that this powerful Twitter account was secure.

00:23:05.320 --> 00:23:06.380
Victor felt uneasy.

00:23:06.380 --> 00:23:11.730
He didn’t want to mess anything up as he set about filing the second coordinated vulnerability

00:23:11.730 --> 00:23:12.730
disclosure.

00:23:12.730 --> 00:23:16.450
VICTOR: That pressure alone, even when I’m doing this for years is like oh, okay, I have

00:23:16.450 --> 00:23:17.610
to be very careful.

00:23:17.610 --> 00:23:18.610
Don’t do anything stupid.

00:23:18.610 --> 00:23:20.370
Do the right thing, you know?

00:23:20.370 --> 00:23:25.010
Not only for myself but also for everyone that does this kind of work or wants to do

00:23:25.010 --> 00:23:28.820
this or for the volunteers; if I do it wrong, that’s it.

00:23:28.820 --> 00:23:30.230
There’s no coming back.

00:23:30.230 --> 00:23:33.270
JACK: There were a lot of lines he wanted to make sure he didn’t cross.

00:23:33.270 --> 00:23:37.840
[MUSIC] For instance, sending any kind of tweet as Trump was definitely not going to

00:23:37.840 --> 00:23:38.840
happen.

00:23:38.840 --> 00:23:42.419
But also taking a peek at his messages was clearly unethical, too.

00:23:42.419 --> 00:23:46.370
Victor fell back on the muscle memory of all the other disclosures he’s done before and

00:23:46.370 --> 00:23:49.880
executed his next steps with extreme precision.

00:23:49.880 --> 00:23:53.690
He took a screenshot that he was logged in and then went to change the Twitter bio just

00:23:53.690 --> 00:23:57.679
to show he had access to be able to change the account details, then he checked the account’s

00:23:57.679 --> 00:24:02.630
security settings to confirm two-factor authentication was off and took a screenshot of that, too.

00:24:02.630 --> 00:24:06.790
In total, he was in the account for about ten minutes, then logged out.

00:24:06.790 --> 00:24:11.440
Then he sent an e-mail to Trump outlining the problem, showing screenshots, listing

00:24:11.440 --> 00:24:14.340
his password, and what to do to fix it.

00:24:14.340 --> 00:24:18.870
He didn’t hear anything back for a while, so he kept tabs on the account to see if someone

00:24:18.870 --> 00:24:20.049
updated the security.

00:24:20.049 --> 00:24:23.490
VICTOR: Every two hours going back, checking is it fixed?

00:24:23.490 --> 00:24:25.640
No, it’s not fixed. Okay.

00:24:25.640 --> 00:24:28.890
Maybe I should start calling him because his mobile number is in his account.

00:24:28.890 --> 00:24:29.970
Maybe I should call that.

00:24:29.970 --> 00:24:34.429
JACK: Victor could see in the account settings a mobile number and called it.

00:24:34.429 --> 00:24:36.669
It went directly to voicemail.

00:24:36.669 --> 00:24:39.880
He tried calling it again; same thing.

00:24:39.880 --> 00:24:43.850
He was desperate to get in touch with someone and to get this account fixed.

00:24:43.850 --> 00:24:47.640
What was your opening remark to him if he was to answer hey, this is Donny.

00:24:47.640 --> 00:24:48.929
What’s up?

00:24:48.929 --> 00:24:51.220
VICTOR: Oh, good evening, sir.

00:24:51.220 --> 00:24:54.640
I want to inform you that I tried to send you an e-mail with the subject regarding your

00:24:54.640 --> 00:24:58.429
Twitter account; can you please take a look at it?

00:24:58.429 --> 00:25:02.070
You or your staff please respond to it and have a nice day.

00:25:02.070 --> 00:25:06.630
JACK: Victor saved the number to his phone under Donald Trump and he tried calling it

00:25:06.630 --> 00:25:08.130
again, and again, and again.

00:25:08.130 --> 00:25:11.080
He called it five times but never got through.

00:25:11.080 --> 00:25:15.590
He also tried getting in touch with Trump through Twitter, Parler, LinkedIn, but no

00:25:15.590 --> 00:25:17.669
reply in any of these places.

00:25:17.669 --> 00:25:19.270
He wasn’t sure what to do next.

00:25:19.270 --> 00:25:23.070
He thought about reaching out to a tech journalist and sharing the login credentials.

00:25:23.070 --> 00:25:25.140
VICTOR: But that didn’t feel right, either.

00:25:25.140 --> 00:25:29.470
JACK: Remember, he doesn’t want to air dirty laundry on someone that has poor security.

00:25:29.470 --> 00:25:33.929
The ethical thing to do was to keep it quiet and to let Trump’s people take care of this,

00:25:33.929 --> 00:25:36.610
not to get it published in any news outlet.

00:25:36.610 --> 00:25:40.970
Trump was busy recovering from covid and strangely holding campaign rallies at the same time

00:25:40.970 --> 00:25:42.740
to try to get reelected.

00:25:42.740 --> 00:25:48.600
Victor watched online as Trump gave a speech at one rally in Prescott, Arizona.

00:25:48.600 --> 00:25:51.140
Suddenly, Trump started talking about hacking.

00:25:51.140 --> 00:25:53.120
TRUMP: Scully got hacked, right?

00:25:53.120 --> 00:25:54.179
Scully; he was a never-Trumper.

00:25:54.179 --> 00:25:55.460
He got hacked.

00:25:55.460 --> 00:25:59.480
JACK: Just to give some quick background here; Steve Scully was scheduled to moderate the

00:25:59.480 --> 00:26:03.480
second presidential debate which was just a few days away and he’s been with C-SPAN

00:26:03.480 --> 00:26:08.020
for like, thirty years but at some point he said publicly that he’d never vote for Trump

00:26:08.020 --> 00:26:09.020
himself.

00:26:09.020 --> 00:26:13.260
Well, this resulted in Trump talking about this with Fox News that same day.

00:26:13.260 --> 00:26:17.890
MARIA: The Commission on Presidential Debates announcing this morning that the second presidential

00:26:17.890 --> 00:26:18.929
debate will be virtual.

00:26:18.929 --> 00:26:20.870
Are you saying you are not gonna participate?

00:26:20.870 --> 00:26:23.690
TRUMP: No, I’m not gonna waste my time on a virtual debate.

00:26:23.690 --> 00:26:28.060
I have a host who I always felt was a nice guy but I see he’s a never-Trumper.

00:26:28.060 --> 00:26:32.100
We do have some of them Maria, believe it or not, because they don’t like to win.

00:26:32.100 --> 00:26:36.500
JACK: Trump said some other negative things towards Scully too, [MUSIC] and the next day

00:26:36.500 --> 00:26:43.080
Scully tweeted publicly at Anthony Scaramucci and it said ‘do you think I should respond

00:26:43.080 --> 00:26:44.080
to Trump?’

00:26:44.080 --> 00:26:47.450
It was very out of norm for Scully.

00:26:47.450 --> 00:26:52.320
It wasn’t anything a moderator should have probably tweeted, so he came under pressure

00:26:52.320 --> 00:26:53.820
for this tweet.

00:26:53.820 --> 00:26:59.600
Then Scully said his account was hacked and he didn’t actually tweet that.

00:26:59.600 --> 00:27:01.820
That’s what Trump is talking about here.

00:27:01.820 --> 00:27:02.900
So, let’s listen again.

00:27:02.900 --> 00:27:05.270
TRUMP: Scully got hacked, right; Scully.

00:27:05.270 --> 00:27:06.270
He was a never-Trumper.

00:27:06.270 --> 00:27:07.270
He got hacked.

00:27:07.270 --> 00:27:12.059
You know, I’ve never known a person that said he got hacked that got hacked.

00:27:12.059 --> 00:27:13.480
Nobody gets hacked.

00:27:13.480 --> 00:27:21.960
To get hacked you need somebody with 197 IQ and he needs about 15% of your password, right?

00:27:21.960 --> 00:27:22.960
Doesn’t happen.

00:27:22.960 --> 00:27:23.960
So, Scully got hacked.

00:27:23.960 --> 00:27:24.960
JACK: What, seriously?

00:27:24.960 --> 00:27:26.090
Nobody gets hacked?

00:27:26.090 --> 00:27:27.429
This triggered Victor.

00:27:27.429 --> 00:27:28.850
VICTOR: That was my snap moment.

00:27:28.850 --> 00:27:30.770
That was my moment of come on, you know?

00:27:30.770 --> 00:27:31.770
Enough is enough.

00:27:31.770 --> 00:27:35.930
I tried you, I tried your family, your staff, your government.

00:27:35.930 --> 00:27:41.130
Who do I have to ping across the ocean to get the message across?

00:27:41.130 --> 00:27:42.130
This is ridiculous.

00:27:42.130 --> 00:27:45.649
JACK: [MUSIC] Victor decided to go semi-public.

00:27:45.649 --> 00:27:49.340
He tweeted at Trump with a vague message which said something like…

00:27:49.340 --> 00:27:51.980
VICTOR: Do me a favor; respond to the e-mail.

00:27:51.980 --> 00:27:53.659
Get that issue fixed.

00:27:53.659 --> 00:27:59.111
JACK: A journalist saw this Tweet, and remembered that Victor had hacked Trump’s account back

00:27:59.111 --> 00:28:02.280
in 2016, and decided to look into this.

00:28:02.280 --> 00:28:04.630
So journalists started questioning Victor and investigating.

00:28:04.630 --> 00:28:10.460
Oh and it’s interesting that second debate with Steve Scully was cancelled because Trump

00:28:10.460 --> 00:28:14.940
had covid and didn’t want to do a virtual debate.

00:28:14.940 --> 00:28:20.020
But it turned out Scully lied and changed his story saying his account wasn’t hacked

00:28:20.020 --> 00:28:25.070
and he just tweeted that in frustration but regretted it and tried to come up with a cover

00:28:25.070 --> 00:28:26.120
story.

00:28:26.120 --> 00:28:30.190
C-SPAN actually suspended Scully for lying about that.

00:28:30.190 --> 00:28:33.400
Which means Trump was right.

00:28:33.400 --> 00:28:34.669
Kinda.

00:28:34.669 --> 00:28:38.970
The mental calculus you have to do to understand what Trump is saying is dizzying.

00:28:38.970 --> 00:28:39.980
But remember, he said:

00:28:39.980 --> 00:28:41.440
TRUMP: Scully got hacked, right; Scully.

00:28:41.440 --> 00:28:46.320
You know, I’ve never known a person that said he got hacked that got hacked.

00:28:46.320 --> 00:28:47.320
Nobody gets hacked.

00:28:47.320 --> 00:28:49.880
JACK: And I mean, he has to know that’s not true.

00:28:49.880 --> 00:28:52.940
His own Twitter account was hacked 2 times before this.

00:28:52.940 --> 00:28:55.390
And the first one he did admit it was hacked.

00:28:55.390 --> 00:28:59.880
So by his own logic, maybe he lied about his account being hacked when someone posted Lil

00:28:59.880 --> 00:29:01.679
Wayne lyrics on it.

00:29:01.679 --> 00:29:05.720
But I’ll give him the benefit of the doubt and assume he knows that, but was trying to

00:29:05.720 --> 00:29:08.520
say something else, and it just came out wrong.

00:29:08.520 --> 00:29:12.990
And so what I think he might be trying to say is that Steve Scully is a liar.

00:29:12.990 --> 00:29:16.289
Which was true, and at the time Scully was still holding on to the story that his account

00:29:16.289 --> 00:29:17.350
was hacked.

00:29:17.350 --> 00:29:20.740
So if that’s what Trump meant to say then he was right.

00:29:20.740 --> 00:29:21.780
Scully did lie about it.

00:29:21.780 --> 00:29:27.510
TRUMP: To get hacked you need somebody with 197 IQ and he needs about 15% of your password,

00:29:27.510 --> 00:29:29.510
right? Doesn’t happen.

00:29:29.510 --> 00:29:30.510
So, Scully got hacked.

00:29:30.510 --> 00:29:33.659
JACK: But what the heck is all this crap about IQ and 15% of a password?

00:29:33.659 --> 00:29:38.510
This makes no sense to me and this quote made quite the rounds in the Twitter security community

00:29:38.510 --> 00:29:39.510
too.

00:29:39.510 --> 00:29:43.440
This is a ridiculous thing to say, and really does highlight how little the president knew

00:29:43.440 --> 00:29:46.180
about computers and cyber security.

00:29:46.180 --> 00:29:51.350
JACK: So anyway, journalists made some noise about Victor’s Tweet, which triggered a

00:29:51.350 --> 00:29:56.830
chain of events that ended with someone from the Secret Service reaching out to Victor.

00:29:56.830 --> 00:30:00.929
VICTOR: Looking back, that was not the correct thing to do because normally we don’t do

00:30:00.929 --> 00:30:01.929
that.

00:30:01.929 --> 00:30:04.019
I should have kept my mouth shut but was it necessary?

00:30:04.019 --> 00:30:06.130
Yeah, there was no other way.

00:30:06.130 --> 00:30:10.940
JACK: On the phone with the Secret Service, Victor was flabbergasted to find out they

00:30:10.940 --> 00:30:14.549
weren’t aware of the 2016 Twitter hack he did on Trump.

00:30:14.549 --> 00:30:19.570
I guess in 2016 Trump wasn’t president yet, so he must have had a different group of people

00:30:19.570 --> 00:30:20.679
taking care of him then.

00:30:20.679 --> 00:30:22.150
I don’t know why they didn’t know.

00:30:22.150 --> 00:30:27.120
VICTOR: For me, that shows that even when you report things to our government, not everyone

00:30:27.120 --> 00:30:29.440
are always immediately aware of it.

00:30:29.440 --> 00:30:33.179
JACK: Which can lead to history repeating itself like it was right then.

00:30:33.179 --> 00:30:36.510
Victor forwarded his coordinated disclosure to the Secret Service.

00:30:36.510 --> 00:30:40.630
They said they’d investigate it and take care of things, and after he got off the phone,

00:30:40.630 --> 00:30:44.750
that was case closed for disclosure number 5,780.

00:30:44.750 --> 00:30:46.820
Victor hacked Trump a second time.

00:30:46.820 --> 00:30:50.730
He’d felt good that he’d gotten through to someone in authority and that somebody

00:30:50.730 --> 00:30:52.630
was doing something about this.

00:30:52.630 --> 00:30:57.519
But then, Twitter and the White House denied that all this happened.

00:30:57.519 --> 00:31:01.190
VICTOR: What Twitter says is we don’t see evidence in our log files.

00:31:01.190 --> 00:31:05.149
That’s not denying it didn’t happen if you take it very literally.

00:31:05.149 --> 00:31:09.279
The White House was very clear from – this absolutely isn’t true this never happened.

00:31:09.279 --> 00:31:12.970
JACK: Twitter did say in a statement that was widely circulated by news outlets that

00:31:12.970 --> 00:31:16.360
they hadn’t seen any evidence to corroborate the claim.

00:31:16.360 --> 00:31:20.870
They also added that they upped security for high-profile election-related Twitter accounts

00:31:20.870 --> 00:31:21.909
in the US.

00:31:21.909 --> 00:31:27.149
A quote from the White House Deputy Press Secretary Judd Deere also spread around.

00:31:27.149 --> 00:31:31.250
He denied the claim, saying it was quote, “absolutely not true.”

00:31:31.250 --> 00:31:32.250
End quote.

00:31:32.250 --> 00:31:37.440
But Victor had all this evidence and so, to see these denies was just flabbergasting to

00:31:37.440 --> 00:31:38.440
him.

00:31:38.440 --> 00:31:41.820
I guess with the election so near, the White House just didn’t want the bad press that

00:31:41.820 --> 00:31:45.360
Trump’s password was ‘maga2020!’

00:31:45.360 --> 00:31:48.730
But now Victor’s name was all over this news story.

00:31:48.730 --> 00:31:54.429
The wider world became aware of what he did and you might guess that not everyone thought

00:31:54.429 --> 00:31:55.429
he did the right thing.

00:31:55.429 --> 00:31:57.190
VICTOR: You should have seen the DMs that I got.

00:31:57.190 --> 00:31:58.190
Wow.

00:31:58.190 --> 00:31:59.539
JACK: [MUSIC] What were they?

00:31:59.539 --> 00:32:03.660
VICTOR: Most of them were very supportive but there were people that don’t know me

00:32:03.660 --> 00:32:09.010
personally or know the work that I do and they reacted like, from why you do this, you

00:32:09.010 --> 00:32:12.450
are a fraud, you do it for the money, that kind of remarks.

00:32:12.450 --> 00:32:15.950
Like okay, apparently you don’t know me at all.

00:32:15.950 --> 00:32:17.649
Fine; I respect your opinion.

00:32:17.649 --> 00:32:23.580
But looking back, if I could have done differently – if I could have done this quietly, yeah,

00:32:23.580 --> 00:32:27.330
that would have been better for all parties involved.

00:32:27.330 --> 00:32:32.769
JACK: Some people also called Victor out for doing unwanted pen tests against Trump, raising

00:32:32.769 --> 00:32:36.741
again the ethical question is it okay to test someone’s security if they didn’t ask

00:32:36.741 --> 00:32:37.741
for it?

00:32:37.741 --> 00:32:43.090
VICTOR: To verify that someone’s account or an election or a person itself is at risk,

00:32:43.090 --> 00:32:46.070
I don’t see how that’s an unwanted pen test.

00:32:46.070 --> 00:32:50.510
If you look technically too long, then you are accessing a system without permission,

00:32:50.510 --> 00:32:51.510
true.

00:32:51.510 --> 00:32:55.889
So, you’re breaking a rule but are you breaking a rule with the intention to do good?

00:32:55.889 --> 00:33:00.639
JACK: Victor believed what he was doing was for the greater good, to help secure the president’s

00:33:00.639 --> 00:33:02.000
Twitter account.

00:33:02.000 --> 00:33:07.360
He also said his definition of a pen test is to use any tool to get in and just stop

00:33:07.360 --> 00:33:08.429
at nothing.

00:33:08.429 --> 00:33:10.150
He says he didn’t do that.

00:33:10.150 --> 00:33:13.940
He saw the potential of a problem and took limited action to investigate.

00:33:13.940 --> 00:33:17.490
VICTOR: If the first try it would immediately give that error message, then I would have

00:33:17.490 --> 00:33:20.760
moved on and I would be busy doing something else.

00:33:20.760 --> 00:33:24.520
JACK: If Trump had two-factor authentication turned on, this would have never even been

00:33:24.520 --> 00:33:30.389
a story and looking back at busy doing something else sure is a nice thought, because Victor’s

00:33:30.389 --> 00:33:34.260
saga with Trump was about to take a turn for the worse.

00:33:34.260 --> 00:33:39.570
[MUSIC] It all started after US authorities reached out to the Dutch government and asked

00:33:39.570 --> 00:33:41.059
someone to take a look into Victor’s claims.

00:33:41.059 --> 00:33:48.190
VICTOR: I was asked to testify, to show the evidence that I have, the way that the responsible

00:33:48.190 --> 00:33:52.790
disclosure was done, the investigation, the handling of it, the communication.

00:33:52.790 --> 00:33:54.320
JACK: This was heavy.

00:33:54.320 --> 00:33:58.389
This was a criminal investigation which I don’t think the Dutch government took it

00:33:58.389 --> 00:33:59.389
upon themselves.

00:33:59.389 --> 00:34:04.980
It seems to me that the White House was pushing the Dutch government to conduct this investigation.

00:34:04.980 --> 00:34:07.399
For Victor, it wasn’t a good look.

00:34:07.399 --> 00:34:09.190
It was really stressful, too.

00:34:09.190 --> 00:34:15.520
Yeah, sure, he was getting weird DMs and getting called out online but now he was under a criminal

00:34:15.520 --> 00:34:18.090
investigation in his own country.

00:34:18.090 --> 00:34:20.099
There were major consequences for this.

00:34:20.099 --> 00:34:24.150
If the public prosecutor’s office decided he was guilty, this could be big

00:34:24.150 --> 00:34:28.040
problems for him, especially if he were to get extradited to the US.

00:34:28.040 --> 00:34:30.200
VICTOR: I could lose my job.

00:34:30.200 --> 00:34:34.730
Even – they say if you’re guilty but you will not be punished, that will be enough

00:34:34.730 --> 00:34:40.252
for me to lose my job because a civil servant is not allowed to have a criminal record.

00:34:40.252 --> 00:34:43.940
When I cannot work for the government anymore, that means I have to stop my volunteer work

00:34:43.940 --> 00:34:46.829
that I do in my own free time, so I will lose everything.

00:34:46.829 --> 00:34:50.520
JACK: [MUSIC] Victor says his employer with the Dutch government was nervous, too.

00:34:50.520 --> 00:34:54.560
They knew Victor was passionate about cleaning up the internet, securing all those thousands

00:34:54.560 --> 00:35:00.020
of open ports and databases, but all this bad press about Trump was putting pressure

00:35:00.020 --> 00:35:05.089
on his employer, and sometimes that alone is enough to get you fired; simply that your

00:35:05.089 --> 00:35:08.461
employer doesn’t want to go through the stress of handling this incident, because

00:35:08.461 --> 00:35:11.220
what Victor did was making some pretty big news.

00:35:11.220 --> 00:35:14.910
VICTOR: When you enter the Twitter account of the president of the United States, that

00:35:14.910 --> 00:35:15.910
is something else.

00:35:15.910 --> 00:35:18.660
JACK: This was all turning into a nightmare.

00:35:18.660 --> 00:35:24.119
The pile-up of stress reminded Victor that just like in 2016, the timing of all this

00:35:24.119 --> 00:35:28.460
with the election just a few weeks away added extra stress to the situation.

00:35:28.460 --> 00:35:31.940
VICTOR: It was the most horrible timing if it comes to a case like this.

00:35:31.940 --> 00:35:37.310
JACK: When the Dutch High-Tech Crimes Unit came knocking, Victor spent hours answering

00:35:37.310 --> 00:35:39.760
their questions over the course of a day.

00:35:39.760 --> 00:35:43.643
VICTOR: They want to make sure that I did everything according to the book, with the

00:35:43.643 --> 00:35:45.430
best intentions, as I say so.

00:35:45.430 --> 00:35:48.420
I have to be able to prove that, of course.

00:35:48.420 --> 00:35:53.099
JACK: Victor showed them everything; screenshots, e-mails, phone logs.

00:35:53.099 --> 00:35:56.570
Everything that he showed was what he did, how he did it, and how he tried to get in

00:35:56.570 --> 00:35:59.670
touch with Trump, and he had to sign a witness statement.

00:35:59.670 --> 00:36:01.950
He felt solid about how he handled it, though.

00:36:01.950 --> 00:36:07.110
He had stuck to his strict code of conduct and hadn’t done anything evil while in Trump’s

00:36:07.110 --> 00:36:08.110
account.

00:36:08.110 --> 00:36:09.551
There were things he was careful not to do.

00:36:09.551 --> 00:36:14.400
VICTOR: Do not send DMs, do not put flags or tweet or anything else.

00:36:14.400 --> 00:36:17.830
Don’t do anything bad because that will be unexplainable.

00:36:17.830 --> 00:36:21.310
JACK: He also felt good about working with the High-Tech Crimes Unit.

00:36:21.310 --> 00:36:25.500
These aren’t technology amateurs; they’re experts too and have a good understanding

00:36:25.500 --> 00:36:26.500
of cyber-security.

00:36:26.500 --> 00:36:31.650
VICTOR: For me, it’s nice to know that someone is handling – looking at the case, knowing

00:36:31.650 --> 00:36:33.160
exactly what’s going on.

00:36:33.160 --> 00:36:37.240
JACK: Yeah, because if someone had investigated this case and didn’t understand the depth

00:36:37.240 --> 00:36:42.369
or nuances of the situation, this could have made Victor look like a criminal.

00:36:42.369 --> 00:36:46.560
But Victor would have to put those good vibes aside because the ultimate decision about

00:36:46.560 --> 00:36:51.360
whether or not he committed a crime was resting with the public prosecutor’s office.

00:36:51.360 --> 00:36:56.510
His professional life and non-profit work were left hanging in the balance for weeks.

00:36:56.510 --> 00:37:00.370
VICTOR: [MUSIC] There is no more ethical way to do this.

00:37:00.370 --> 00:37:04.750
If there’s a better way to do it, sure, the next time we’ll take certain steps,

00:37:04.750 --> 00:37:07.910
we’ll do it probably different or hopefully better.

00:37:07.910 --> 00:37:11.210
This was done in the best way possible at that moment.

00:37:11.210 --> 00:37:16.000
Still, if it was with the best intention, you’re breaking the law because of a very

00:37:16.000 --> 00:37:17.000
good reason.

00:37:17.000 --> 00:37:23.810
This case was on the line of okay, if you do this, then it’s acceptable; if you do

00:37:23.810 --> 00:37:25.500
that, then it’s not acceptable.

00:37:25.500 --> 00:37:26.869
Where is the line?

00:37:26.869 --> 00:37:31.829
JACK: What Victor did have going for him was his twenty-two-year history of ethical hacking

00:37:31.829 --> 00:37:33.950
and responsible disclosures.

00:37:33.950 --> 00:37:37.599
The moment someone starts investigating him, they’re gonna see his connection with the

00:37:37.599 --> 00:37:41.830
Dutch Institute for Vulnerability Disclosures and the GDI Foundation.

00:37:41.830 --> 00:37:45.650
Maybe an investigator will think if we dig further, something’s gotta come up.

00:37:45.650 --> 00:37:48.400
Yeah, that’s just not the case with Victor.

00:37:48.400 --> 00:37:51.320
He walks proudly on the ethical side of the line.

00:37:51.320 --> 00:37:56.930
VICTOR: The good thing is that if you start looking for my name, this is how I always

00:37:56.930 --> 00:37:59.560
work, so for that part I was not worried.

00:37:59.560 --> 00:38:03.099
JACK: After three weeks, the Dutch prosecutor made a decision.

00:38:03.099 --> 00:38:07.589
They said yes, gaining unauthorized access to someone else’s account is illegal in

00:38:07.589 --> 00:38:13.640
the Netherlands, but there’s a special circumstance that allows for it which is responsible disclosure,

00:38:13.640 --> 00:38:15.480
and it’s supported by case law.

00:38:15.480 --> 00:38:19.700
They confirmed that Victor had gotten into Trump’s Twitter but carefully considered

00:38:19.700 --> 00:38:20.869
his intentions.

00:38:20.869 --> 00:38:26.170
Their analysis revealed that Victor’s intentions were good and that he was free to go as an

00:38:26.170 --> 00:38:29.369
ethical hacker.

00:38:29.369 --> 00:38:30.369
What a relief.

00:38:30.369 --> 00:38:34.599
It’s been a long road for Victor and the other Grumps too, from back in 2016.

00:38:34.599 --> 00:38:38.691
They’ve been nervous about their 2016 hack, concerned that if they came to the US like

00:38:38.691 --> 00:38:43.260
for Defcon or something that they might get detained or that Trump might be out to get

00:38:43.260 --> 00:38:44.370
them.

00:38:44.370 --> 00:38:51.310
But then that nightmare went on repeat in 2020 and hung like a dark cloud over Victor’s

00:38:51.310 --> 00:38:52.310
head.

00:38:52.310 --> 00:38:56.780
But finally it was all over and he had an official ruling to back up that his actions

00:38:56.780 --> 00:38:57.780
were ethical.

00:38:57.780 --> 00:39:01.480
VICTOR: I am happy that this case got solved, that it got fixed.

00:39:01.480 --> 00:39:04.930
I don’t look at it as a successful, responsible disclosure.

00:39:04.930 --> 00:39:10.099
JACK: This doesn’t count towards one of the 5,789 responsible disclosures you have?

00:39:10.099 --> 00:39:11.630
VICTOR: Yeah, it counts as one.

00:39:11.630 --> 00:39:12.650
It is a case number.

00:39:12.650 --> 00:39:20.430
It is case number 5,780 but it was not successful because the person to which address did not

00:39:20.430 --> 00:39:21.430
accept the message.

00:39:21.430 --> 00:39:27.020
I hope I will not find more Twitter accounts for US elections open anymore.

00:39:27.020 --> 00:39:33.339
I don’t think that – I think there is also a responsibility for platforms like Twitter,

00:39:33.339 --> 00:39:38.580
for everyone that has a verified account or a very important account should have two-factor

00:39:38.580 --> 00:39:41.020
authentication by default.

00:39:41.020 --> 00:39:45.100
There are some worries about if they actually learned something about it.

00:39:45.100 --> 00:39:50.210
What I do hope is that other peoples – read this story are like oh, I don’t have such

00:39:50.210 --> 00:39:53.180
a good password either or I reuse this password also.

00:39:53.180 --> 00:39:55.190
Maybe I should enable two-factor authentication.

00:39:55.190 --> 00:40:00.220
So, if that happens based on this story, then I will be happy with the output of that.

00:40:00.220 --> 00:40:01.349
I hope for the best.

00:40:01.349 --> 00:40:05.920
JACK: It’s hard to know what’s changed for sure over at Twitter since this incident.

00:40:05.920 --> 00:40:09.860
I guess Twitter banned Trump so that kinda fixes the problem, right?

00:40:09.860 --> 00:40:12.829
You can’t hack an account that doesn’t exist.

00:40:12.829 --> 00:40:17.470
But it’s not clear how much Twitter is enforcing this two-factor authentication requirement

00:40:17.470 --> 00:40:20.740
for political accounts or major influential accounts.

00:40:20.740 --> 00:40:25.609
However, Victor and I tried to do this again by looking for accounts that don’t have

00:40:25.609 --> 00:40:29.900
two-factor authentication turned on and we no longer see the message that used to be

00:40:29.900 --> 00:40:30.980
displayed.

00:40:30.980 --> 00:40:35.490
No matter if someone has two-factor authentication turned on or not, you get the same error message

00:40:35.490 --> 00:40:38.170
when putting in the wrong password which is good.

00:40:38.170 --> 00:40:42.920
It means if someone was going to be like Victor but had malicious intent, they’d have a

00:40:42.920 --> 00:40:46.070
harder time finding insecure accounts.

00:40:46.070 --> 00:40:48.600
Victor hasn’t slowed down since this incident.

00:40:48.600 --> 00:40:52.000
He’s still finding vulnerabilities and reporting them in a proper way.

00:40:52.000 --> 00:40:57.369
In fact, he’s launching the DIVD Academy soon which aims to teach young adults IT security

00:40:57.369 --> 00:41:00.660
and research skills that he thinks schools aren’t providing.

00:41:00.660 --> 00:41:05.109
Him and the Guild of the Grumpy Old Hackers want to keep an eye on the younger generation

00:41:05.109 --> 00:41:09.700
to help guide them and coach them to be safe and responsible in this digital age.

00:41:09.700 --> 00:41:15.800
They believe the youth are the future and want to help make the future a better place.

00:41:15.800 --> 00:41:25.930
(OUTRO): [OUTRO MUSIC] A big thank you to Victor for sharing your adventures with us.

00:41:25.930 --> 00:41:27.520
You can follow Victor on Twitter.

00:41:27.520 --> 00:41:33.020
His name there is @0xDUDE and you can find links to this story on darknetdiaries.com.

00:41:33.020 --> 00:41:37.020
The other day, someone told me they got into a rideshare and the driver was listening to

00:41:37.020 --> 00:41:40.980
Darknet Diaries when they got in, and the show was so interesting that they just made

00:41:40.980 --> 00:41:44.590
the driver keep driving around town until the episode was over.

00:41:44.590 --> 00:41:48.140
If you’re that kind of listener that gets hooked on this show and love it when new episodes

00:41:48.140 --> 00:41:52.000
come out, please consider donating to it to show your support through Patreon.

00:41:52.000 --> 00:41:56.640
By giving, it sets a new standard of how you support content that you like and want to

00:41:56.640 --> 00:41:57.640
see more of.

00:41:57.640 --> 00:42:01.380
Visit patreon.com/darknetdiaries to donate.

00:42:01.380 --> 00:42:02.380
Thank you.

00:42:02.380 --> 00:42:05.829
This show is made by me, the guy who’s been wearing a mask all his life and doesn’t

00:42:05.829 --> 00:42:08.720
even know how to take it off anymore, Jack Rhysider.

00:42:08.720 --> 00:42:11.740
This episode was produced by the font-conscious Charles Bolte.

00:42:11.740 --> 00:42:16.079
Original music and scoring for this episode was done by the melodic Garrett Tiedemann,

00:42:16.079 --> 00:42:19.971
editing help this episode by the true-type Damienne, and our theme music is done by the

00:42:19.971 --> 00:42:22.770
still-spinning Breakmaster Cylinder.

00:42:22.770 --> 00:42:27.850
Even though I’ve got nothing against bots (some of my best friends are bots), this is

00:42:27.850 --> 00:42:28.740
Darknet Diaries.
