WEBVTT

00:00:00.690 --> 00:00:03.860
JACK: Poker is such an interesting game.

00:00:03.860 --> 00:00:08.470
Cards get dealt, money gets bet, and the winner is not the person with the best hand; it’s

00:00:08.470 --> 00:00:10.570
the person who plays the best.

00:00:10.570 --> 00:00:12.790
The game is to play the person, not the cards.

00:00:12.790 --> 00:00:15.900
In fact, some of the top poker players don’t even consider it gambling.

00:00:15.900 --> 00:00:18.520
Here, take this clip from the movie Rounders, for example.

00:00:18.520 --> 00:00:21.630
MIKE: Why does this still seem like gambling to you?

00:00:21.630 --> 00:00:24.779
I mean, why do you think the same five guys make it to the final table at the World Series

00:00:24.779 --> 00:00:26.450
of Poker every single year?

00:00:26.450 --> 00:00:28.539
What are they, the luckiest guys in Las Vegas?

00:00:28.539 --> 00:00:29.890
It’s a skill game, Joe.

00:00:29.890 --> 00:00:31.510
JACK: It’s a good point, right?

00:00:31.510 --> 00:00:36.420
There is a lot of skill in poker and with the right playstyle, you could do pretty well

00:00:36.420 --> 00:00:40.969
because when you play poker, you’re playing against another person, not against a casino

00:00:40.969 --> 00:00:41.969
or some machine.

00:00:41.969 --> 00:00:47.750
There’s another person sitting on the other end of the table and it’s you versus them.

00:00:47.750 --> 00:00:51.090
Can you make them believe you have a good hand when you don’t?

00:00:51.090 --> 00:00:53.910
Or can you call them out when they’re bluffing?

00:00:53.910 --> 00:00:56.399
Being able to read the person is critical.

00:00:56.399 --> 00:01:01.340
[MUSIC] But then there’s online poker, places that let you gamble for real money against

00:01:01.340 --> 00:01:03.010
real players on a computer.

00:01:03.010 --> 00:01:06.430
But it’s a lot harder to read the player when you can’t see them.

00:01:06.430 --> 00:01:10.950
When there’s a lot of money involved with something like this, people will go to extraordinary

00:01:10.950 --> 00:01:12.900
lengths to try to get an edge.

00:01:12.900 --> 00:01:15.189
Take the story of Darren Woods.

00:01:15.189 --> 00:01:20.990
In 2011, he won a World Series of Poker bracelet and he enjoyed playing online poker a lot,

00:01:20.990 --> 00:01:25.060
but his win rate on the online games was really high.

00:01:25.060 --> 00:01:29.290
The online poker community watched him play and meticulously took notes.

00:01:29.290 --> 00:01:35.390
They determined Darren had to have been cheating because he was winning some very strange hands.

00:01:35.390 --> 00:01:36.830
But how?

00:01:36.830 --> 00:01:42.860
Well, as it turned out, Darren had set up fifty different accounts at this online poker

00:01:42.860 --> 00:01:46.439
site and was playing multiple accounts at once.

00:01:46.439 --> 00:01:51.780
Basically, he could in fact see some of the other cards dealt on the table, since he controlled

00:01:51.780 --> 00:01:53.600
multiple seats on the table.

00:01:53.600 --> 00:01:56.270
How does this give you an advantage, you might ask?

00:01:56.270 --> 00:02:00.890
Well, we know there are four Aces in a deck of cards and if he had one Ace in his hand

00:02:00.890 --> 00:02:06.439
and there were two Aces on the board, and that last Ace was in one of his other player’s

00:02:06.439 --> 00:02:12.200
hands, then he knew for a fact his real opponents did not have another Ace.

00:02:12.200 --> 00:02:18.190
This is a small edge that he had on his opponents but it was enough for him to win pretty big.

00:02:18.190 --> 00:02:21.990
With the help of players reporting this, the poker website figured out what he was doing,

00:02:21.990 --> 00:02:24.410
banned him, and called the cops.

00:02:24.410 --> 00:02:29.170
Darren pled guilty to some of his charges and ended up being sentenced to fifteen months

00:02:29.170 --> 00:02:30.459
in prison over this.

00:02:30.459 --> 00:02:36.560
I say all this because I want to tell you about how someone tried to cheat at high stakes

00:02:36.560 --> 00:02:38.350
online poker.

00:02:38.350 --> 00:02:46.349
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:02:46.349 --> 00:02:51.519
I’m Jack Rhysider.

00:02:51.519 --> 00:02:55.220
This is Darknet Diaries.

00:02:55.220 --> 00:03:02.650
[INTRO MUSIC ENDS]

00:03:02.650 --> 00:03:12.830
JACK: There’s this poker player who lives in Finland named Jens Kyllönen, and for the

00:03:12.830 --> 00:03:15.830
last fifteen years or so, he’s been raking it in.

00:03:15.830 --> 00:03:18.880
He started playing poker with his friends back when he was a kid.

00:03:18.880 --> 00:03:20.940
Here’s an old interview of him of how he got started.

00:03:20.940 --> 00:03:24.280
JENS: I started with friends like, seventeen years old, I think.

00:03:24.280 --> 00:03:25.280
Just read some books and slowly started.

00:03:25.280 --> 00:03:39.540
In a year, I already played pretty high, like 5/10 No-Limit Hold’em, 10/20, and just pretty

00:03:39.540 --> 00:03:41.750
quickly – it’s always been a pretty quick move upwards.

00:03:41.750 --> 00:03:44.099
I played a free roll.

00:03:44.099 --> 00:03:55.954
I think I cashed in a free roll and from that I started just grinding, grinding my way up.

00:03:55.954 --> 00:03:57.390
JACK: [MUSIC] Grinding his way up he did.

00:03:57.390 --> 00:03:59.629
He was a really good poker player.

00:03:59.629 --> 00:04:03.439
He was getting better and better at poker and playing bigger and bigger pots,

00:04:03.439 --> 00:04:05.379
and making pretty good money from it.

00:04:05.379 --> 00:04:11.129
In 2009, he played in the European poker tournament and took first place in the No-Limit Texas

00:04:11.129 --> 00:04:12.140
Hold’em event.

00:04:12.140 --> 00:04:16.160
The prize was 1.1 million US dollars.

00:04:16.160 --> 00:04:22.040
Around this time, Jens began playing a lot of high stakes online poker but still played

00:04:22.040 --> 00:04:24.130
in in-person tournaments, too.

00:04:24.130 --> 00:04:29.890
Here’s a clip of him getting into a tournament in 2012 which had a one million dollar buy-in.

00:04:29.890 --> 00:04:34.440
HOST1: The youngest player in the field, twenty-two-year-old Jens Kyllönen, decided to put up the entire

00:04:34.440 --> 00:04:35.440
million himself.

00:04:35.440 --> 00:04:40.080
JENS: I mean, I argued it’s more as kind of a gamble.

00:04:40.080 --> 00:04:44.389
It’s not how I normally would play, like with micromanagement anyway.

00:04:44.389 --> 00:04:50.770
It’s sort of like, I could either buy something nice like a nice car or a house or play this

00:04:50.770 --> 00:04:51.770
tournament.

00:04:51.770 --> 00:04:56.270
I just feel like I’m gonna get more out of playing this tournament than doing one

00:04:56.270 --> 00:04:57.270
of those other things.

00:04:57.270 --> 00:05:01.730
JACK: Wow, the fact that he could afford to put a million of his own dollars on the line

00:05:01.730 --> 00:05:06.979
for this tournament; he’s obviously doing pretty good to afford that.

00:05:06.979 --> 00:05:10.080
From what I could tell, I think he lost it all in that tournament.

00:05:10.080 --> 00:05:13.259
But that didn’t stop Jens from playing even higher stakes.

00:05:13.259 --> 00:05:17.550
Jens was really good at online poker at this point and would play in major online tournaments

00:05:17.550 --> 00:05:20.540
with millions of dollars as the grand prize.

00:05:20.540 --> 00:05:27.110
But then in 2013 came the European Poker Tournament in Barcelona, Spain.

00:05:27.110 --> 00:05:32.449
HOST2: [MUSIC] The PokerStars.Com European Poker Tour has hit its tenth season and it’s

00:05:32.449 --> 00:05:36.430
back where it all began; Barcelona.

00:05:36.430 --> 00:05:39.550
JACK: This tournament was held at the Arts Hotel in Barcelona.

00:05:39.550 --> 00:05:43.860
It’s a five-star luxury hotel which is right on the edge of the sea, too.

00:05:43.860 --> 00:05:47.490
The tournament was in one of the conference rooms and there’s a casino right next to

00:05:47.490 --> 00:05:48.490
it, too.

00:05:48.490 --> 00:05:49.490
This was a good-sized event.

00:05:49.490 --> 00:05:53.300
I looked at some video of it and I counted twenty full poker tables in the room during

00:05:53.300 --> 00:05:54.330
the tournament.

00:05:54.330 --> 00:06:00.120
Jens and his buddy Henri flew from Finland to Barcelona to participate in this tournament.

00:06:00.120 --> 00:06:04.380
They stayed in the same room together and I should quickly explain who Henri is.

00:06:04.380 --> 00:06:08.530
Henri lives in Finland, not far from where Jens lives, and they hang out at each other’s

00:06:08.530 --> 00:06:10.360
house sometimes and go on trips together.

00:06:10.360 --> 00:06:14.099
At one point, Henri and Jens took a two-month trip to South America.

00:06:14.099 --> 00:06:17.470
So, there’s a trusting bond between them.

00:06:17.470 --> 00:06:20.690
On day two of the tournament, Jens busts.

00:06:20.690 --> 00:06:21.920
He loses all his chips.

00:06:21.920 --> 00:06:22.920
He’s out of the running.

00:06:22.920 --> 00:06:28.470
Jens walks away from the poker table, looks around, and decides to go up to his room and

00:06:28.470 --> 00:06:31.729
surf the internet on his laptop which was in his room.

00:06:31.729 --> 00:06:35.160
[MUSIC] He goes up the elevator to his floor.

00:06:35.160 --> 00:06:36.729
He gets his room key out.

00:06:36.729 --> 00:06:39.960
It’s a little magstripe hotel key card.

00:06:39.960 --> 00:06:44.690
He swipes it into the lock [SWIPE, NEGATIVE BEEP] but the lock doesn’t open.

00:06:44.690 --> 00:06:48.550
A red light flashes, indicating it’s not the right key.

00:06:48.550 --> 00:06:49.550
Huh.

00:06:49.550 --> 00:06:52.449
He tries again, and again, and again.

00:06:52.449 --> 00:06:55.320
He can’t get the key to open the door.

00:06:55.320 --> 00:06:56.639
He goes down to the front desk.

00:06:56.639 --> 00:06:59.879
They re-sync his room key for him and tell him go on up, try again.

00:06:59.879 --> 00:07:00.879
It should work now.

00:07:00.879 --> 00:07:03.910
He goes up to his room, tries the key, and it works.

00:07:03.910 --> 00:07:06.330
[SWIPE, DOOR UNLOCKS] The door opens; he goes in.

00:07:06.330 --> 00:07:12.169
But as soon as he enters the room, he immediately notices something isn’t right.

00:07:12.169 --> 00:07:14.729
He knows exactly where he left his laptop that morning.

00:07:14.729 --> 00:07:16.500
It was on the desk.

00:07:16.500 --> 00:07:19.430
But his laptop was not there on the desk.

00:07:19.430 --> 00:07:24.599
His laptop charger was there, sitting in the exact spot where his laptop should have been,

00:07:24.599 --> 00:07:25.699
but no laptop.

00:07:25.699 --> 00:07:30.540
He looked around the room a little bit, but he couldn’t find the laptop anywhere in

00:07:30.540 --> 00:07:32.540
his room. Huh.

00:07:32.540 --> 00:07:37.030
He thought maybe Henri borrowed it or it was stolen.

00:07:37.030 --> 00:07:41.449
He goes down to the casino and finds Henri playing poker, and asks him.

00:07:41.449 --> 00:07:44.490
Henri says he hasn’t touched Jens’ laptop.

00:07:44.490 --> 00:07:49.010
But Henri says his room key wasn’t working that day, either.

00:07:49.010 --> 00:07:51.759
Huh, that is pretty strange.

00:07:51.759 --> 00:07:57.440
[MUSIC] Jens goes back up to the room to search for his laptop some more but when he gets

00:07:57.440 --> 00:08:03.659
in the room, he sees the laptop is right there on the desk, exactly where he left it earlier

00:08:03.659 --> 00:08:06.099
that day. What?

00:08:06.099 --> 00:08:07.650
His mind starts racing.

00:08:07.650 --> 00:08:09.849
He’s questioning his sanity at this point.

00:08:09.849 --> 00:08:11.699
Was it really gone a minute ago?

00:08:11.699 --> 00:08:17.069
But he remembers clearly seeing the charger there on the table by itself without the laptop.

00:08:17.069 --> 00:08:19.729
Now, the laptop is there where the charger was.

00:08:19.729 --> 00:08:23.509
He remembers this clearly because it was just ten minutes ago.

00:08:23.509 --> 00:08:26.129
Jens starts to get scared.

00:08:26.129 --> 00:08:30.020
Someone had been in his room in the last ten minutes and they put his laptop in the exact

00:08:30.020 --> 00:08:31.670
place where he left it.

00:08:31.670 --> 00:08:36.410
He thinks the person might still be in the room right now, too, hiding in the bathroom

00:08:36.410 --> 00:08:37.410
or something.

00:08:37.410 --> 00:08:41.580
He darts out of there, gets into the elevator, goes down to reception, and talks with the

00:08:41.580 --> 00:08:46.820
guest relations supervisor, Leia.

00:08:46.820 --> 00:08:50.950
Leia listens to Jens’ story and does two things; first, she re-codes the lock on the

00:08:50.950 --> 00:08:54.510
door and re-codes both Henri and Jens’ hotel room keys.

00:08:54.510 --> 00:08:58.600
She says this way, if someone did have a duplicate key, the duplicate key would no longer be

00:08:58.600 --> 00:09:01.080
active because the code is changed on the door.

00:09:01.080 --> 00:09:04.780
Second, she tells them she’ll work with security to look at the hallway cameras for

00:09:04.780 --> 00:09:06.010
that time.

00:09:06.010 --> 00:09:08.190
[MUSIC] Jens goes back up to his room.

00:09:08.190 --> 00:09:12.240
He opens the laptop and turns it on, but something’s wrong.

00:09:12.240 --> 00:09:16.981
It boots to a black screen which says ‘Windows failed to start.

00:09:16.981 --> 00:09:19.800
A recent hardware or software change may be the cause.

00:09:19.800 --> 00:09:22.350
Do you want to repair or start normally?’

00:09:22.350 --> 00:09:23.350
Huh?

00:09:23.350 --> 00:09:26.580
Jens’ computer was working fine up until this point.

00:09:26.580 --> 00:09:28.450
Now it’s showing an error?

00:09:28.450 --> 00:09:31.190
When he gets past that screen, it gives another warning.

00:09:31.190 --> 00:09:33.900
‘Do you want to restore your computer?’

00:09:33.900 --> 00:09:35.040
What?

00:09:35.040 --> 00:09:37.000
This is super strange.

00:09:37.000 --> 00:09:40.520
Something went on here and it’s freaking him out.

00:09:40.520 --> 00:09:44.060
He goes down to meet with Leia again, the hotel supervisor.

00:09:44.060 --> 00:09:48.470
She tells him the cameras in that specific hallway, yeah, they haven’t been working

00:09:48.470 --> 00:09:54.829
for the last week, so they have no CCTV footage of whoever entered his room at that time.

00:09:54.829 --> 00:09:59.990
Leia doesn’t seem to be taking this matter seriously and says they’ll continue to investigate,

00:09:59.990 --> 00:10:02.080
but she doesn’t say how.

00:10:02.080 --> 00:10:04.360
Jens goes back up to his room.

00:10:04.360 --> 00:10:10.420
He swipes the room key card in the door, [SWIPE, NEGATIVE BEEP] and it’s not working again.

00:10:10.420 --> 00:10:15.540
No matter how many times he swipes or how he swipes, the door just doesn’t open.

00:10:15.540 --> 00:10:16.540
Huh?

00:10:16.540 --> 00:10:19.440
Jens runs back to reception, tells Leia.

00:10:19.440 --> 00:10:24.300
Leia re-syncs his card and then walks with him personally to his room to check on this

00:10:24.300 --> 00:10:25.300
lock.

00:10:25.300 --> 00:10:31.610
The card now opens the door just fine but as soon as they get in, Jens immediately sees

00:10:31.610 --> 00:10:35.700
that his laptop had gone missing again.

00:10:35.700 --> 00:10:38.890
[MUSIC] Jens is in complete shock.

00:10:38.890 --> 00:10:42.620
He doesn’t even know how to explain what’s happening.

00:10:42.620 --> 00:10:44.360
Leia calls hotel security.

00:10:44.360 --> 00:10:49.240
They apologize and agree to upgrade his room to a suite which is two floors up.

00:10:49.240 --> 00:10:53.620
Jens decides to go downstairs and look for some friends, and he asks them if he can use

00:10:53.620 --> 00:10:55.100
their laptop.

00:10:55.100 --> 00:11:00.000
He immediately goes to all his online poker accounts and shuts them all down, thinking

00:11:00.000 --> 00:11:03.300
someone must be trying to hack his accounts.

00:11:03.300 --> 00:11:05.310
After that, he goes to talk with Leia again.

00:11:05.310 --> 00:11:07.330
She’s on the phone talking in Spanish.

00:11:07.330 --> 00:11:09.730
She asked Jens, can you describe your laptop?

00:11:09.730 --> 00:11:13.290
He says it’s a heavy Fujitsu Celsius laptop.

00:11:13.290 --> 00:11:14.490
She says it’s been found.

00:11:14.490 --> 00:11:15.660
It’s in the lobby.

00:11:15.660 --> 00:11:16.660
Security has it.

00:11:16.660 --> 00:11:17.820
She tells him to wait a minute.

00:11:17.820 --> 00:11:19.930
She goes and gets it, brings it back to him.

00:11:19.930 --> 00:11:23.600
At this point Jens is on the verge of a panic attack.

00:11:23.600 --> 00:11:25.089
Who keeps stealing his laptop?

00:11:25.089 --> 00:11:28.649
Why does his key card keep getting deactivated?

00:11:28.649 --> 00:11:30.600
Why did the laptop show up in the lobby?

00:11:30.600 --> 00:11:34.399
If a thief took it and panicked, why not throw it in the sea?

00:11:34.399 --> 00:11:35.399
He opens it up.

00:11:35.399 --> 00:11:38.380
It boots up just fine, but something is different.

00:11:38.380 --> 00:11:43.790
Normally when it boots up, it’s password-protected and he has to enter his password to get in.

00:11:43.790 --> 00:11:49.709
But it’s no longer asking for the password and it’s just booting right up into Windows.

00:11:49.709 --> 00:11:53.980
Okay, so he definitely knows someone has hacked his computer.

00:11:53.980 --> 00:11:59.700
He takes the laptop to the poker tournament and starts telling their IT and security teams

00:11:59.700 --> 00:12:01.170
about this.

00:12:01.170 --> 00:12:02.850
Everyone there is pretty friendly and helpful.

00:12:02.850 --> 00:12:07.820
The poker tournament security team takes down all his information and begins to investigate.

00:12:07.820 --> 00:12:13.519
Jens and Henri go up to their new, upgraded suite and head to bed for the night, thinking

00:12:13.519 --> 00:12:17.959
there has to be some security camera footage somewhere of whoever did this.

00:12:17.959 --> 00:12:21.820
Now that two different security teams were looking into it, surely they’ll find out

00:12:21.820 --> 00:12:23.000
something by morning.

00:12:23.000 --> 00:12:27.250
They both rest their head down on their pillows for the night.

00:12:27.250 --> 00:12:28.529
But it’s hard to sleep.

00:12:28.529 --> 00:12:33.160
I mean, the day started with losing the tournament and ended with them getting their room broken

00:12:33.160 --> 00:12:36.620
into at least three times and his laptop hacked.

00:12:36.620 --> 00:12:39.470
When that happens to you, you can’t relax.

00:12:39.470 --> 00:12:44.769
The computer feels defiled and gross, and your sense of security is eroded.

00:12:44.769 --> 00:12:48.470
At this point of the story, I’m now wondering how can someone even get in their room like

00:12:48.470 --> 00:12:49.470
that?

00:12:49.470 --> 00:12:50.820
I have a few theories.

00:12:50.820 --> 00:12:54.470
[MUSIC] First, you might be thinking that someone might’ve just brushed up against

00:12:54.470 --> 00:12:56.339
them in the lobby and cloned his card.

00:12:56.339 --> 00:12:58.150
Yeah, I don’t think so.

00:12:58.150 --> 00:13:01.310
That typically works for RFID-type of cards.

00:13:01.310 --> 00:13:05.959
This was a magstripe card so in order to clone it, you would have to swipe the card through

00:13:05.959 --> 00:13:07.079
a machine.

00:13:07.079 --> 00:13:11.529
I guess it’s possible someone pickpocketed him, cloned the card, and then put it back

00:13:11.529 --> 00:13:17.699
in his pocket, but it just seems unlikely that that would happen twice in one day.

00:13:17.699 --> 00:13:21.949
But then you also have the problem of making both guest room keys invalid.

00:13:21.949 --> 00:13:23.560
How’s that happening?

00:13:23.560 --> 00:13:28.370
Well, because this is a magstripe card, it’s possible that a powerful magnet can be put

00:13:28.370 --> 00:13:33.589
next to or under the lock, and so when a card gets near the lock, the magnet screws up the

00:13:33.589 --> 00:13:35.870
data on the magstripe and ruins it.

00:13:35.870 --> 00:13:39.940
There are two types of magstripe: LoCo and HiCo.

00:13:39.940 --> 00:13:45.760
This is low-coercivity and high-coercivity which pretty much means how well the magstripe

00:13:45.760 --> 00:13:47.720
will retain data on the card.

00:13:47.720 --> 00:13:51.370
Like, your credit card isn’t going to be reprogrammed anytime soon, so it needs to

00:13:51.370 --> 00:13:53.420
hold the data on there for years.

00:13:53.420 --> 00:13:54.949
So, it uses HiCo.

00:13:54.949 --> 00:14:00.500
But a hotel room key will have its data rewritten many times, maybe once a day, so

00:14:00.500 --> 00:14:02.870
it uses LoCo.

00:14:02.870 --> 00:14:07.230
Because it uses LoCo, it’s easy for a magnet to screw up the card.

00:14:07.230 --> 00:14:11.839
If someone wanted to go in that room but did not want anyone coming in while they were

00:14:11.839 --> 00:14:17.410
there, they could put a magnet on the door which would ruin whatever card was swiped

00:14:17.410 --> 00:14:19.090
and stop them from entering.

00:14:19.090 --> 00:14:23.480
This would alert whoever’s in the room and also buy them a couple minutes to get out.

00:14:23.480 --> 00:14:27.970
As they’re leaving, they could remove the magnet from the lock and walk away.

00:14:27.970 --> 00:14:31.690
Okay, so that’s a good theory on how the cards got ruined.

00:14:31.690 --> 00:14:36.029
But still, how did someone get the key to get in?

00:14:36.029 --> 00:14:42.170
Maybe it was plucked from a cleaning cart or maybe someone went to the front lobby and

00:14:42.170 --> 00:14:46.480
posed as Jens, saying my key doesn’t work in my room.

00:14:46.480 --> 00:14:47.820
Can you reset it for me?

00:14:47.820 --> 00:14:49.810
Then they give Jens’ room number.

00:14:49.810 --> 00:14:55.889
Would the front desk check the ID before issuing a card to a guest like this?

00:14:55.889 --> 00:15:01.230
Is it possible to social engineer the front desk person to do it without checking ID?

00:15:01.230 --> 00:15:04.320
Yeah, that is possible.

00:15:04.320 --> 00:15:07.839
But then, the camera didn’t work in that specific hallway.

00:15:07.839 --> 00:15:11.760
Did someone know that and that’s why this room was targeted?

00:15:11.760 --> 00:15:13.740
Perhaps this was an inside job.

00:15:13.740 --> 00:15:19.329
Someone who worked at the hotel, who knew those cameras didn’t work and had access to reprogram

00:15:19.329 --> 00:15:23.129
key cards, could certainly be in on this.

00:15:23.129 --> 00:15:28.170
This is the type of stuff that raced through Jens’ mind all night long as he tried to

00:15:28.170 --> 00:15:29.600
sleep.

00:15:29.600 --> 00:15:36.450
[MUSIC] [PHONE RINGS] 5:30 in the morning.

00:15:36.450 --> 00:15:37.450
Hello?

00:15:37.450 --> 00:15:40.519
Your taxi is ready.

00:15:40.519 --> 00:15:41.519
What taxi?

00:15:41.519 --> 00:15:44.130
The taxi to the airport.

00:15:44.130 --> 00:15:45.470
With whose name?

00:15:45.470 --> 00:15:48.839
No name; just the room number.

00:15:48.839 --> 00:15:54.029
Jens tells the person on the phone they didn’t order a taxi, and that person hung up.

00:15:54.029 --> 00:15:56.210
Was this a wrong number?

00:15:56.210 --> 00:15:58.089
A mind game of some kind?

00:15:58.089 --> 00:15:59.980
How strange.

00:15:59.980 --> 00:16:06.610
Jens lays awake for an hour thinking about this, but eventually falls back asleep.

00:16:06.610 --> 00:16:11.280
[PHONE RINGS] 9:30 in the morning.

00:16:11.280 --> 00:16:14.389
Jens wakes up. Hello?

00:16:14.389 --> 00:16:18.480
Do you want to make business?

00:16:18.480 --> 00:16:19.480
What?

00:16:19.480 --> 00:16:21.430
Do you want to make business?

00:16:21.430 --> 00:16:23.430
Huh? About what?

00:16:23.430 --> 00:16:25.430
About the woman. No.

00:16:25.430 --> 00:16:27.459
Jens hangs up the phone.

00:16:27.459 --> 00:16:30.570
Two phone calls in one morning for the wrong number?

00:16:30.570 --> 00:16:32.320
Or was it the wrong number?

00:16:32.320 --> 00:16:37.440
Were these calls just some strange attempt at checking to see if somebody was in the

00:16:37.440 --> 00:16:42.050
room or verifying where Jens was staying?

00:16:42.050 --> 00:16:46.550
Jens has a meeting with hotel security at noon, so he gets ready and goes downstairs

00:16:46.550 --> 00:16:48.339
to meet with Leia.

00:16:48.339 --> 00:16:51.990
She has an older guy with her who is the head of hotel security.

00:16:51.990 --> 00:16:54.740
He doesn’t seem interested in helping, though.

00:16:54.740 --> 00:16:58.940
He says well, look, we already upgraded your room to a suite and your laptop’s not missing

00:16:58.940 --> 00:17:03.160
now, and you said there’s nothing else missing, so there’s no problem, right?

00:17:03.160 --> 00:17:07.380
Jens can’t seem to explain to security the severity of this.

00:17:07.380 --> 00:17:10.270
Jens asked, how many cameras are broken in the hotel?

00:17:10.270 --> 00:17:12.290
The man says oh, only eight.

00:17:12.290 --> 00:17:14.880
Jens asked can you check the elevator cameras?

00:17:14.880 --> 00:17:18.410
The security guard says nah, there’s too many visitors and there’s too much footage

00:17:18.410 --> 00:17:19.600
to look through.

00:17:19.600 --> 00:17:23.780
Jens says, but we’ve narrowed it down to a ten-minute window.

00:17:23.780 --> 00:17:26.600
Security doesn’t seem interested in helping.

00:17:26.600 --> 00:17:28.890
They just want this problem to go away.

00:17:28.890 --> 00:17:32.740
His suspicion is growing that this might be an inside job.

00:17:32.740 --> 00:17:38.309
But before he leaves, security hands him a printout of the logs of what keycards opened

00:17:38.309 --> 00:17:40.980
his room for that previous day.

00:17:40.980 --> 00:17:44.270
It’s kind of hard to read and at this point, Jens is tilted.

00:17:44.270 --> 00:17:45.270
He’s crushed.

00:17:45.270 --> 00:17:48.049
So, he just puts the logs in his pocket and walks away.

00:17:48.049 --> 00:17:52.610
Jens felt like this meeting went terribly and now there’s no chance of figuring out

00:17:52.610 --> 00:17:54.309
who went into his room.

00:17:54.309 --> 00:17:56.920
He goes to meet with the poker tournament security.

00:17:56.920 --> 00:17:58.679
Maybe they have found something.

00:17:58.679 --> 00:18:03.409
But the poker tournament security team were trying to say that Henri might have done all

00:18:03.409 --> 00:18:04.409
this.

00:18:04.409 --> 00:18:05.750
But Jens wasn’t buying it.

00:18:05.750 --> 00:18:09.470
If Henri wanted to do this, he would have done it at Jens’ house.

00:18:09.470 --> 00:18:10.470
Why do it here?

00:18:10.470 --> 00:18:14.270
It made no sense and there was no help from this security team, either.

00:18:14.270 --> 00:18:15.510
Jens was crushed.

00:18:15.510 --> 00:18:19.880
He was so confused why nobody was taking him seriously and conducting a major investigation

00:18:19.880 --> 00:18:21.040
about this.

00:18:21.040 --> 00:18:25.840
He was so worried that his hands and legs were shaking, and he felt like he was gonna

00:18:25.840 --> 00:18:27.520
vomit at any moment.

00:18:27.520 --> 00:18:31.721
[MUSIC] He takes the room access logs out of his pocket and starts to look through it.

00:18:31.721 --> 00:18:35.169
It doesn’t make sense at first, but he studies it more.

00:18:35.169 --> 00:18:37.549
He’s able to connect some dots.

00:18:37.549 --> 00:18:41.670
It shows the exact time when the cleaning service came in, and the exact time when someone

00:18:41.670 --> 00:18:47.290
came to restock the mini-bar, and it also shows when each guest came in the room with

00:18:47.290 --> 00:18:49.660
the code from their key.

00:18:49.660 --> 00:18:53.179
This actually makes a perfect timeline of events.

00:18:53.179 --> 00:18:59.179
It shows when Jens and Henri visited the room and exactly when their cards stopped working.

00:18:59.179 --> 00:19:04.110
But in the logs, it also showed there was a third guest key card that had

00:19:04.110 --> 00:19:06.000
opened the door.

00:19:06.000 --> 00:19:11.250
Just when Jens went downstairs to reception that first time to reprogram his card, someone

00:19:11.250 --> 00:19:16.909
with a third guest key card had entered the room exactly two minutes and forty-one seconds

00:19:16.909 --> 00:19:21.620
before Jens came in and found his laptop gone for the first time.

00:19:21.620 --> 00:19:25.460
Jeez, maybe they were hiding in the bathroom when he was in there.

00:19:25.460 --> 00:19:29.980
Jens was getting even more scared after looking at this, and even more angry that the hotel

00:19:29.980 --> 00:19:34.530
security didn’t find the same log entry as alarming as he did.

00:19:34.530 --> 00:19:38.929
Either security couldn’t read their own logs or they didn’t care or they were trying

00:19:38.929 --> 00:19:40.250
to cover something up.

00:19:40.250 --> 00:19:42.200
Jens couldn’t take this anymore.

00:19:42.200 --> 00:19:45.049
He started packing his bags to get out of there.

00:19:45.049 --> 00:19:47.309
He was going back home to Finland.

00:19:47.309 --> 00:19:51.960
This was no place for him now, and as he was going through the lobby, he ran into another

00:19:51.960 --> 00:19:53.760
player that knew him.

00:19:53.760 --> 00:19:59.070
He told that player his laptop was just stolen, and that player said the same thing happened

00:19:59.070 --> 00:20:00.330
to him.

00:20:00.330 --> 00:20:05.039
That player said the cameras were working on the floor where he was staying, so Jens

00:20:05.039 --> 00:20:08.770
took this player to hotel security and tried to explain look, the same thief who stole

00:20:08.770 --> 00:20:13.460
my laptop probably stole his laptop, and can you look at the cameras in that hallway?

00:20:13.460 --> 00:20:18.169
But security said oh, there’s nothing we can do right now, not until 8:00 a.m. tomorrow.

00:20:18.169 --> 00:20:25.010
Jens, all fed up, just left the hotel and left Barcelona, and flew back to Finland.

00:20:25.010 --> 00:20:27.530
Where does Jens go when he gets back home?

00:20:27.530 --> 00:20:29.830
Straight to Mikko.

00:20:29.830 --> 00:20:32.610
MIKKO: My name is Mikko Hyppönen.

00:20:32.610 --> 00:20:37.169
I am the chief research officer for F-Secure Corporation which is a security company headquartered

00:20:37.169 --> 00:20:38.430
in Helsinki, Finland.

00:20:38.430 --> 00:20:42.720
JACK: F-Secure is known for creating a pretty good antivirus tool and since it was right

00:20:42.720 --> 00:20:47.600
there in Finland, it made sense for Jens to bring his laptop to them for analysis.

00:20:47.600 --> 00:20:49.530
MIKKO: Well, he contacted us.

00:20:49.530 --> 00:20:53.250
He was looking for somebody to go through his laptop because he was suspecting that

00:20:53.250 --> 00:20:55.870
it wasn’t just about stealing the laptop.

00:20:55.870 --> 00:21:00.880
Maybe somebody was trying to put something on the laptop, so he brought it into our labs.

00:21:00.880 --> 00:21:06.820
He parked in our parking place with his Audi R8 and brought the laptop into our lab.

00:21:06.820 --> 00:21:09.800
JACK: [MUSIC] Mikko and his team took a look at the laptop.

00:21:09.800 --> 00:21:12.789
They scanned it and examined it for malware.

00:21:12.789 --> 00:21:16.549
MIKKO: Yeah, it was infected.

00:21:16.549 --> 00:21:23.630
The reason why all of this happened was that somebody had manually installed a Java Runtime

00:21:23.630 --> 00:21:29.760
and a Java-based remote access toolkit which would basically send a screenshot to a remote

00:21:29.760 --> 00:21:35.890
address every time the attacker requested, and that basically means you see the poker

00:21:35.890 --> 00:21:38.539
cards another person is holding.

00:21:38.539 --> 00:21:42.970
If you know anything about poker, well, then you know that if I know your cards, I’m

00:21:42.970 --> 00:21:45.170
going to win.
JACK: A-ha.

00:21:45.170 --> 00:21:51.570
This was targeting Jens specifically, or at least a high-roller online poker player specifically.

00:21:51.570 --> 00:21:56.210
The malware would send screenshots of the laptop to someone who presumably would be

00:21:56.210 --> 00:21:59.510
at the same online poker table as Jens.

00:21:59.510 --> 00:22:00.510
How clever.

00:22:00.510 --> 00:22:05.440
MIKKO: Yeah, it’s kind of interesting when you think about the amount of money at stake

00:22:05.440 --> 00:22:07.650
here.

00:22:07.650 --> 00:22:12.830
These high-rollers who play poker online who are – who have been playing poker online

00:22:12.830 --> 00:22:18.320
for years, the potential of money you can steal from a player like this is hundreds

00:22:18.320 --> 00:22:21.530
of thousands of dollars or even millions of dollars.

00:22:21.530 --> 00:22:24.880
We’ve found several cases like this.

00:22:24.880 --> 00:22:28.330
It’s not always about a physical break-in.

00:22:28.330 --> 00:22:34.590
We had one high-roller we were working with, a famous poker player, who actually had been

00:22:34.590 --> 00:22:37.160
infected for almost a year.

00:22:37.160 --> 00:22:42.539
The reason why he started suspecting that there’s something weird was that he was

00:22:42.539 --> 00:22:46.870
keeping very close statistics about his winnings.

00:22:46.870 --> 00:22:51.830
Historically, he was making roughly the same rate of winnings in the real world, on real

00:22:51.830 --> 00:22:55.100
poker tables, and in the online poker tables.

00:22:55.100 --> 00:22:59.170
Then suddenly it started looking different and he was always losing in the long run.

00:22:59.170 --> 00:23:03.350
He was losing in the online games and he couldn’t figure it out.

00:23:03.350 --> 00:23:06.570
Eventually, he started suspecting that there’s something wrong with the laptop.

00:23:06.570 --> 00:23:08.070
He brought the laptop to us.

00:23:08.070 --> 00:23:15.550
We analyzed the laptop and yes, there was this tool for calculating pot odds which contained,

00:23:15.550 --> 00:23:18.190
again, a remote access Trojan.

00:23:18.190 --> 00:23:21.130
We discussed how did he get this tool on his laptop?

00:23:21.130 --> 00:23:22.760
He had installed it by himself.

00:23:22.760 --> 00:23:25.110
Why did you install this tool?

00:23:25.110 --> 00:23:31.940
Well, it was recommended to me by someone he plays against regularly in online tables.

00:23:31.940 --> 00:23:38.640
That someone had set everything up from the beginning; had this Trojanized pot odds calculator

00:23:38.640 --> 00:23:44.080
created, had it posted online on a download site, then just waited until a high-roller

00:23:44.080 --> 00:23:49.070
he would know would be downloading and installing it.

00:23:49.070 --> 00:23:55.240
The attacker was so clever because he wasn’t just immediately starting to wait for big

00:23:55.240 --> 00:23:59.279
hands and go all-in and steal the money.

00:23:59.279 --> 00:24:05.730
He was carefully and slowly using this in online games for twelve months without

00:24:05.730 --> 00:24:11.370
– until it was – people started suspecting that something is wrong.

00:24:11.370 --> 00:24:18.630
He was able to make hundreds of thousands of dollars with this ongoing scam.

00:24:18.630 --> 00:24:25.660
This is a great lesson also for people who do important things with their computers.

00:24:25.660 --> 00:24:32.700
If you are a poker player and you use a laptop where hundreds of thousands of dollars go

00:24:32.700 --> 00:24:40.600
through the laptop, well, you should be keeping very safe – very close tabs on that laptop.

00:24:40.600 --> 00:24:43.190
You don’t install random junk on it.

00:24:43.190 --> 00:24:46.300
You don’t play Doom on it.

00:24:46.300 --> 00:24:48.370
You don’t watch porn on it.

00:24:48.370 --> 00:24:52.450
If you’re not with the laptop, you put the laptop in a safe.

00:24:52.450 --> 00:24:53.920
These guys are millionaires.

00:24:53.920 --> 00:24:56.789
If you want to do something else, buy another laptop.

00:24:56.789 --> 00:25:03.159
But this laptop is your tool and as a professional, you don’t fuck around with your tools.

00:25:03.159 --> 00:25:05.240
You keep good care of your tools.

00:25:05.240 --> 00:25:08.750
That’s what I told him, and I believe he believed me.

00:25:08.750 --> 00:25:17.120
JACK: But I can’t imagine a skilled high-roller poker player being able to write malware and

00:25:17.120 --> 00:25:19.940
then distribute that malware and get it going.

00:25:19.940 --> 00:25:23.450
There had to be another person involved to do that.

00:25:23.450 --> 00:25:24.909
MIKKO: That’s correct, that’s correct.

00:25:24.909 --> 00:25:28.870
These guys had outsourced the development of the malware to third parties.

00:25:28.870 --> 00:25:33.510
Basically, they were going to online programming sites for freelancers and had someone to write

00:25:33.510 --> 00:25:35.360
these programs for them.

00:25:35.360 --> 00:25:40.370
JACK: Mikko and his team at F-Secure, being the curious researchers they are, they began

00:25:40.370 --> 00:25:43.250
trying to figure out who was behind this.

00:25:43.250 --> 00:25:48.059
MIKKO: [MUSIC] Obviously, most malware writers don’t want to be caught, so they don’t

00:25:48.059 --> 00:25:52.260
leave clues about themselves within the virus code.

00:25:52.260 --> 00:25:57.450
But one of the most typical ways we have been able to figure out who’s involved with a

00:25:57.450 --> 00:26:00.710
piece of malware is WHOIS records.

00:26:00.710 --> 00:26:04.020
JACK: A WHOIS record is a public record of who owns a domain name.

00:26:04.020 --> 00:26:08.010
Every domain name in the world is registered by someone, and sometimes whoever registered

00:26:08.010 --> 00:26:11.360
it has their information printed right there on it.

00:26:11.360 --> 00:26:15.029
Mikko checked the malware to see if any custom domains were used, and looked up the WHOIS

00:26:15.029 --> 00:26:17.000
record for those domains.

00:26:17.000 --> 00:26:22.250
But typically, cyber-criminals will register domains anonymously so you can’t see who

00:26:22.250 --> 00:26:23.250
owns it.

00:26:23.250 --> 00:26:26.900
But there are more techniques you can use; historical WHOIS records.

00:26:26.900 --> 00:26:30.710
Maybe at first, they didn’t register it anonymously and then switched to be anonymous

00:26:30.710 --> 00:26:31.950
at some point.

00:26:31.950 --> 00:26:35.760
Mikko and the team at F-Secure kept looking at the malware for clues.

00:26:35.760 --> 00:26:40.010
When Jens was in Barcelona, he wanted to call the police but the poker tournament people

00:26:40.010 --> 00:26:43.990
didn’t want him to because they said they’ll contact the police themselves.

00:26:43.990 --> 00:26:48.590
Jens followed up with the PokerStars staff to see what the update was, but they didn’t

00:26:48.590 --> 00:26:49.590
contact the police right away.

00:26:49.590 --> 00:26:53.750
In fact, it wasn’t until weeks later that they finally reported this to authorities.

00:26:53.750 --> 00:26:57.490
Jens was upset that the investigation was not acted on quicker.

00:26:57.490 --> 00:27:01.840
F-Secure was able to get some details to Jens about who they think did this, but it wasn’t

00:27:01.840 --> 00:27:03.200
the whole picture.

00:27:03.200 --> 00:27:07.590
F-Secure posted a blog post titling this type of attack an ‘evil maid attack’.

00:27:07.590 --> 00:27:11.899
This is where you trust the items that are in your hotel room are secure, but someone

00:27:11.899 --> 00:27:15.270
with access to your room could hack into your stuff.

00:27:15.270 --> 00:27:20.720
On top of that, F-Secure classified this not as a phishing attack or even a whaling attack,

00:27:20.720 --> 00:27:25.520
but a sharking attack because it targeted poker sharks.

00:27:25.520 --> 00:27:30.720
[MUSIC] At this point, the investigation totally stalled out.

00:27:30.720 --> 00:27:35.650
The PokerStars team wasn’t doing much, the hotel wasn’t doing anything, the authorities

00:27:35.650 --> 00:27:40.410
were quiet, and F-Secure concluded their investigation.

00:27:40.410 --> 00:27:47.270
So, I know this story because Jens wrote it all out the day after it happened on a poker

00:27:47.270 --> 00:27:48.350
forum.

00:27:48.350 --> 00:27:53.220
I tried many times to get Jens to come on this show and tell his story, but he declined

00:27:53.220 --> 00:27:58.260
all my invitations and said it’s too soon to tell the story, even though it happened

00:27:58.260 --> 00:27:59.779
seven years ago.

00:27:59.779 --> 00:28:05.220
So, that makes me think that either Jens felt threatened by whoever hacked him or he thinks

00:28:05.220 --> 00:28:08.510
it’s just not safe to talk about this for other reasons.

00:28:08.510 --> 00:28:13.280
Maybe he didn’t want to talk bad about PokerStars since he likes competing in their tournaments.

00:28:13.280 --> 00:28:18.400
I don’t know, but this forum post that Jens wrote blew up.

00:28:18.400 --> 00:28:23.890
It has over 1,300 replies at this point which is a lot for this poker forum.

00:28:23.890 --> 00:28:26.519
So, let’s read what everyone says.

00:28:26.519 --> 00:28:30.409
The first interesting post I see here is from Lee Jones, the head of communications for

00:28:30.409 --> 00:28:35.640
the tournament run by PokerStars. Lee confirms Jens’ story is accurate and says they are

00:28:35.640 --> 00:28:37.760
doing what they can to investigate.

00:28:37.760 --> 00:28:39.720
But they’re limited in the authority that they have.

00:28:39.720 --> 00:28:42.870
Like, they can’t pull surveillance video or door logs.

00:28:42.870 --> 00:28:45.659
But he does say he was contacting the police about all this.

00:28:45.659 --> 00:28:50.980
Then there was another post further on down by a US poker player named Scott Seiver.

00:28:50.980 --> 00:28:56.690
He says the same thing happened to him in Berlin, and Jason Koon, too.

00:28:56.690 --> 00:28:58.710
PokerStars wouldn’t help either of them.

00:28:58.710 --> 00:29:02.549
He doesn’t go into detail about what happened to him, but Scott Seiver has

00:29:02.549 --> 00:29:05.919
won three World Series of Poker tournament bracelets.

00:29:05.919 --> 00:29:08.690
I reached out to him, but no reply.

00:29:08.690 --> 00:29:13.080
He mentions that this happened to Jason Koon, too, which is another US high stakes poker

00:29:13.080 --> 00:29:14.080
player.

00:29:14.080 --> 00:29:18.039
But when I looked into Jason’s story, it has a different attack method; one where he

00:29:18.039 --> 00:29:22.690
was online playing against someone else, going head-to-head with another player, and he thought

00:29:22.690 --> 00:29:26.980
he was going to win that hand but then he got disconnected from the server, forcing

00:29:26.980 --> 00:29:28.659
him to fold.

00:29:28.659 --> 00:29:30.940
Okay, back to this forum post.

00:29:30.940 --> 00:29:35.150
Scrolling down, there’s another story from another high-roller named Ankush Mandavia.

00:29:35.150 --> 00:29:37.049
He’s also known as pistons87.

00:29:37.049 --> 00:29:41.890
He’s a US high stakes poker player and he says he was staying at the same hotel as Jens,

00:29:41.890 --> 00:29:46.990
at the same poker tournament, and Ankush also said he received a few mysterious phone calls,

00:29:46.990 --> 00:29:50.990
and multiple times he went up to his room but his key card wouldn’t work, either.

00:29:50.990 --> 00:29:54.910
He says his computer was crashing while in Barcelona, but he didn’t think anything

00:29:54.910 --> 00:30:00.030
of it until he read Jens’ post and it all became clear.

00:30:00.030 --> 00:30:05.230
When Ankush got home, his computer was no longer password-protected which was really

00:30:05.230 --> 00:30:08.750
weird because it always is password-protected.

00:30:08.750 --> 00:30:12.940
Every time he would try to boot it up, it would just crash and show a blue screen.

00:30:12.940 --> 00:30:15.720
The story does seem to match exactly.

00:30:15.720 --> 00:30:20.769
I reached out to Ankush but no response.

00:30:20.769 --> 00:30:26.850
That forum post alone seems to outline five major poker players who were victims to this

00:30:26.850 --> 00:30:31.490
attack; Jens, the guy Jens met at the hotel who said the same thing happened to him, David,

00:30:31.490 --> 00:30:32.529
Jason, and Ankush.

00:30:32.529 --> 00:30:38.460
On top of that, Mikko told me he helped remove malware on two more poker players’ computers.

00:30:38.460 --> 00:30:41.080
That’s seven victims that I count.

00:30:41.080 --> 00:30:44.380
Whoever this hacker was, was pretty busy.

00:30:44.380 --> 00:30:52.620
[MUSIC] Then, a year later in 2014, the Danish police issued a statement saying they are

00:30:52.620 --> 00:30:58.340
investigating a high stakes Danish poker player for allegedly planting Trojan viruses on other

00:30:58.340 --> 00:30:59.700
high-stakes poker players.

00:30:59.700 --> 00:31:04.440
They say the software that was installed would allow the hacker to see the other player’s

00:31:04.440 --> 00:31:09.039
hole cards, or the ones that are face down that you aren’t supposed to see.

00:31:09.039 --> 00:31:14.450
This would allow the hacker to play on the same online table as his victims and make

00:31:14.450 --> 00:31:17.519
millions of dollars off them by cheating.

00:31:17.519 --> 00:31:21.590
The Danish police continued to say they interviewed a victim who claimed someone disabled the

00:31:21.590 --> 00:31:26.330
video surveillance of his house, then broke into the house, planted the malware on his

00:31:26.330 --> 00:31:27.730
laptop, and left.

00:31:27.730 --> 00:31:31.340
Whoa, I thought breaking into a hotel room was crazy.

00:31:31.340 --> 00:31:35.389
Now this hacker’s breaking into the homes of high stakes poker players?

00:31:35.389 --> 00:31:36.620
This is even crazier.

00:31:36.620 --> 00:31:40.380
But after that, silence.

00:31:40.380 --> 00:31:47.269
No more information from the Danish police for four more years.

00:31:47.269 --> 00:31:52.740
Then, in December 2019, the final card was dealt.

00:31:52.740 --> 00:31:57.900
The Danish police raided the home of a hacker and seized four million US dollars’ worth

00:31:57.900 --> 00:31:59.210
of Danish money.

00:31:59.210 --> 00:32:03.289
They had evidence that this was the hacker who had been planting Trojans on the poker

00:32:03.289 --> 00:32:04.420
players’ computers.

00:32:04.420 --> 00:32:08.139
The evidence they had was that one day, he was walking with another friend and told the

00:32:08.139 --> 00:32:09.610
story to him.

00:32:09.610 --> 00:32:11.149
That friend called the police.

00:32:11.149 --> 00:32:15.240
From there, they were able to find other evidence on his computer which showed he had access

00:32:15.240 --> 00:32:17.300
to other players’ cards.

00:32:17.300 --> 00:32:23.150
The Danish police gave him a 3.9 million dollar fine and sentenced him to two and a half years

00:32:23.150 --> 00:32:24.440
in prison.

00:32:24.440 --> 00:32:30.030
However, the Danish police refused to say the name of this person, so I went back to

00:32:30.030 --> 00:32:32.669
the poker forums to see what people were saying.

00:32:32.669 --> 00:32:35.710
Now, the Danish police described this man they arrested.

00:32:35.710 --> 00:32:38.270
He was thirty-two years old in 2014.

00:32:38.270 --> 00:32:43.470
He’s Danish and he won a European poker tournament once before.

00:32:43.470 --> 00:32:47.410
If you look up all the Danish poker players who have won European poker tournaments, it

00:32:47.410 --> 00:32:53.010
quickly boils down to one person; Peter Jepsen, sometimes known as Zupp.

00:32:53.010 --> 00:32:56.220
Now, I’m not saying Peter Jepsen is who did this.

00:32:56.220 --> 00:33:00.600
I want to be clear; this is speculation and if I get anything to counter this claim, I

00:33:00.600 --> 00:33:02.760
will update this audio here.

00:33:02.760 --> 00:33:06.679
But Peter Jepsen is no longer part of the poker team he was once on.

00:33:06.679 --> 00:33:10.960
They dropped him years ago and his blog has remained dormant for years.

00:33:10.960 --> 00:33:14.039
His social media accounts have been silent for a while, too.

00:33:14.039 --> 00:33:17.519
He’s gone completely quiet and appears to have stopped playing poker.

00:33:17.519 --> 00:33:20.169
I, at least, can’t find him.

00:33:20.169 --> 00:33:23.880
That might be because he might be in a Danish prison.

00:33:23.880 --> 00:33:29.240
Now, the Danish police say this hacker was planting Trojans on players between 2008 and

00:33:29.240 --> 00:33:34.390
2014, so I tried to find what Peter was up to before 2008.

00:33:34.390 --> 00:33:37.419
I found this amazing interview.

00:33:37.419 --> 00:33:43.440
HOST3: I’m sitting here with Peter Jepsen from Denmark who actually had a pretty scary

00:33:43.440 --> 00:33:46.200
scam coming to him through a mail the other day.

00:33:46.200 --> 00:33:47.960
Can you tell us about it, Peter?

00:33:47.960 --> 00:33:48.960
PETER: Yeah.

00:33:48.960 --> 00:33:53.570
What happened was that I was playing on Full Tilt and I had been doing really well

00:33:53.570 --> 00:33:54.779
for that night.

00:33:54.779 --> 00:34:02.049
Just a couple of hours after my session ended, I received an e-mail in my inbox.

00:34:02.049 --> 00:34:07.610
They wanted to tell me about a cash game that they were doing that they wanted to film with

00:34:07.610 --> 00:34:10.010
Scandinavian players.

00:34:10.010 --> 00:34:13.389
I think we wrote like, three or four e-mails back and forth.

00:34:13.389 --> 00:34:16.710
I asked about the buy-in and all kinds of stuff.

00:34:16.710 --> 00:34:19.970
In the end, he sent me an e-mail with a link.

00:34:19.970 --> 00:34:25.379
In the link, there was a specific place at the homepage where I could download information

00:34:25.379 --> 00:34:29.139
about blinds and everything.

00:34:29.139 --> 00:34:33.990
Right when I was supposed to download it, I noticed that the file was supposed to be

00:34:33.990 --> 00:34:38.679
a PDF, an Acrobat Reader file, but it was actually an .exe file.

00:34:38.679 --> 00:34:41.169
I was like, that’s weird.

00:34:41.169 --> 00:34:49.210
I downloaded it anyways, but I did it into a secure folder that was monitored by my antivirus.

00:34:49.210 --> 00:34:55.609
Right away when I started downloading, it said that – wait, this is a Trojan horse.

00:34:55.609 --> 00:34:56.609
HOST3: Oh, my god.

00:34:56.609 --> 00:34:58.910
HOST4: This is a pretty advanced scam, isn’t it?

00:34:58.910 --> 00:35:00.670
PETER: Yeah, I’ve never seen anything like it.

00:35:00.670 --> 00:35:06.170
I’ve never heard – I mean, in the poker business, I’ve never heard of anything – I’ve

00:35:06.170 --> 00:35:10.270
never heard about anyone getting scammed that way.

00:35:10.270 --> 00:35:16.190
HOST3: I wouldn’t be surprised if we saw a couple other guys in your league, so to

00:35:16.190 --> 00:35:17.790
speak, that would get e-mails like this.

00:35:17.790 --> 00:35:18.790
PETER: Yeah, exactly.

00:35:18.790 --> 00:35:20.349
HOST3: You want to warn them about this, right?

00:35:20.349 --> 00:35:26.630
PETER: Yeah, I just think that if just a few people can avoid being scammed by people like

00:35:26.630 --> 00:35:28.050
that, that would be great.

00:35:28.050 --> 00:35:32.650
I think people should just generally be very careful when they – if they download stuff

00:35:32.650 --> 00:35:34.650
online.
HOST3: Yeah.

00:35:34.650 --> 00:35:35.970
So, what do you think, is there any chance to get ahold of guys like this?

00:35:35.970 --> 00:35:36.980
I mean, could you…

00:35:36.980 --> 00:35:37.980
PETER: No.

00:35:37.980 --> 00:35:38.980
HOST3: …hunt them down?

00:35:38.980 --> 00:35:39.980
PETER: No.

00:35:39.980 --> 00:35:43.330
I don’t really know, but I would say that professional guys like these, they’re probably

00:35:43.330 --> 00:35:44.400
way over the mountains.

00:35:44.400 --> 00:35:47.690
HOST3: Yeah, yeah, of course, of course.

00:35:47.690 --> 00:35:50.720
PETER: It’s impossible to catch guys like that.

00:35:50.720 --> 00:35:54.260
They don’t even leave any electronic traces or anything.

00:35:54.260 --> 00:35:55.980
HOST3: No, no, no.

00:35:55.980 --> 00:36:01.440
JACK: Hm, a lot of hackers I talk to say they got into hacking because they got hacked,

00:36:01.440 --> 00:36:04.640
and it fascinated them to want to know everything about how to do it.

00:36:04.640 --> 00:36:08.850
Again, I don’t know whether Peter Jepsen is the hacker behind all this or not.

00:36:08.850 --> 00:36:12.869
The Danish police refused to give the name and I’ve only come to his name from my own

00:36:12.869 --> 00:36:13.869
deductions.

00:36:13.869 --> 00:36:17.760
But it’s possible that if he was hacked in 2008, this might have meant he was immediately

00:36:17.760 --> 00:36:21.790
fascinated with it to the point where he wanted to learn how it was done.

00:36:21.790 --> 00:36:27.560
But if Peter was hacked himself, then this means there was more than one hacker doing

00:36:27.560 --> 00:36:29.240
stuff like this.

00:36:29.240 --> 00:36:35.220
In fact, after news got out and it was suspected that Peter was behind this, Jens made a follow-up

00:36:35.220 --> 00:36:37.910
forum post with his thoughts.

00:36:37.910 --> 00:36:43.060
Jens said this is the first time to his knowledge that anyone has gone to prison for this type

00:36:43.060 --> 00:36:48.710
of hack, and that this problem has plagued Nordic poker players for quite some time.

00:36:48.710 --> 00:36:53.790
[MUSIC] He says the rumor is that there’s a Swedish gang involved with this, but they

00:36:53.790 --> 00:36:58.339
have strong connections to the underworld that nobody is brave enough to go up against

00:36:58.339 --> 00:37:00.050
and seek justice.

00:37:00.050 --> 00:37:03.270
Jens writes that Peter may have joined this gang.

00:37:03.270 --> 00:37:07.390
Jens doesn’t know if it was Peter who hacked him or someone else.

00:37:07.390 --> 00:37:13.530
So, once I read that, I immediately started to Google ‘Swedish gang hacking high-roller

00:37:13.530 --> 00:37:16.660
poker players’ and found some interesting stuff.

00:37:16.660 --> 00:37:21.940
There’s not a lot of evidence, but there is an accusation that three men from a Swedish

00:37:21.940 --> 00:37:25.670
biker gang who did try to hack high-roller players.

00:37:25.670 --> 00:37:29.120
The authorities are investigating this but that’s all I got.

00:37:29.120 --> 00:37:33.940
Honestly, when I look into the other crimes that this motorcycle gang was accused of,

00:37:33.940 --> 00:37:39.740
I kind of don’t want to dig any further because some suspect this biker gang murdered

00:37:39.740 --> 00:37:45.349
a Swedish guy who started an online poker news site.

00:37:45.349 --> 00:37:50.990
It sounds like while one hacker was arrested and put in prison, a few might still be on

00:37:50.990 --> 00:37:51.990
the loose.

00:37:51.990 --> 00:37:56.430
The mystery still remains as to who is behind this and how they did it all.

00:37:56.430 --> 00:38:00.490
Your hole card still might not be safe.

00:38:00.490 --> 00:38:05.500
But I find this story fascinating because of the extreme lengths that some hackers go

00:38:05.500 --> 00:38:10.329
to just to get an edge in online poker.

00:38:10.329 --> 00:38:13.040
There’s been an update to this story.

00:38:13.040 --> 00:38:18.310
In December 2020, the Eastern High Court of Denmark announced that they did arrest Peter

00:38:18.310 --> 00:38:21.859
Jepsen and put him on trial for hacking poker players.

00:38:21.859 --> 00:38:25.740
He was found guilty and was sentenced to 3 years in prison.

00:38:25.740 --> 00:38:30.400
The police also confiscated 3.6 million dollars.

00:38:30.400 --> 00:38:35.359
And he must pay $144,000 to a victim.

00:38:35.359 --> 00:38:39.530
Oh, so back to Mikko.

00:38:39.530 --> 00:38:43.480
One of the things I like doing on this show is introducing you to people who are legends

00:38:43.480 --> 00:38:46.400
in the cyber-security space, and Mikko is a legend.

00:38:46.400 --> 00:38:51.619
I mean, he’s got 200,000 followers on Twitter at this point and is known worldwide as an

00:38:51.619 --> 00:38:53.380
information security expert.

00:38:53.380 --> 00:38:57.000
So, while we have him here, let’s get to know him.

00:38:57.000 --> 00:39:01.900
You’re almost born in connection with the internet, right?

00:39:01.900 --> 00:39:05.880
You were born, what, on the day ARPANET was created or something?

00:39:05.880 --> 00:39:06.940
MIKKO: Close.

00:39:06.940 --> 00:39:16.800
I was born in late 1969, and TCP/IP – well, the TCP/IP protocol comes from the innovations

00:39:16.800 --> 00:39:24.370
which were done in California in October 1969, or maybe November 1969.

00:39:24.370 --> 00:39:30.640
Basically, I’m as old as the internet but of course, that doesn’t mean anything.

00:39:30.640 --> 00:39:37.990
Most people had no idea about ARPANET or internet or any of that until 1990 is when the web

00:39:37.990 --> 00:39:41.079
made the internet something people actually were aware of.

00:39:41.079 --> 00:39:43.079
JACK: Yeah, yeah.

00:39:43.079 --> 00:39:48.400
Then you pretty much spent your whole life focusing on the internet ever since you were

00:39:48.400 --> 00:39:49.400
able to.

00:39:49.400 --> 00:39:55.770
MIKKO: I started programming at the age of fourteen, in 1984.

00:39:55.770 --> 00:40:02.090
That was because we got a Commodore 64 into our family and that happened because my mother,

00:40:02.090 --> 00:40:08.780
my late mother Rauha bought us a computer from her work which was the State Computing

00:40:08.780 --> 00:40:09.780
Center.

00:40:09.780 --> 00:40:11.460
I guess it runs in the family.

00:40:11.460 --> 00:40:15.660
My mother spent all her life working with the State Computing Center.

00:40:15.660 --> 00:40:19.900
She wasn’t a programmer but of course, she did understand the importance of technology

00:40:19.900 --> 00:40:22.250
and computers.

00:40:22.250 --> 00:40:26.120
That got me into programming at an early age.

00:40:26.120 --> 00:40:30.869
By the time I was sixteen, I was – I had already sold my first programs.

00:40:30.869 --> 00:40:32.170
I was writing utilities.

00:40:32.170 --> 00:40:34.090
Of course, I was writing games as well.

00:40:34.090 --> 00:40:37.089
That’s where I started with computers.

00:40:37.089 --> 00:40:39.490
JACK: Let me do the math, here.

00:40:39.490 --> 00:40:43.600
You’ve been at the same company for almost thirty years now.

00:40:43.600 --> 00:40:45.180
MIKKO: That is correct.

00:40:45.180 --> 00:40:51.430
I joined a company called Data Fellows in 1991 as employee number six.

00:40:51.430 --> 00:40:56.450
The company was established in 1988 and I’m still there today.

00:40:56.450 --> 00:41:02.720
The company isn’t called Data Fellows anymore because we renamed the company to F-Secure

00:41:02.720 --> 00:41:05.350
in 1999 when the company went public.

00:41:05.350 --> 00:41:07.240
But yeah, it is the same company.

00:41:07.240 --> 00:41:09.310
I’ve been working there all my life.

00:41:09.310 --> 00:41:16.599
I guess if you would be employee number six in a Silicon Valley company for thirty years

00:41:16.599 --> 00:41:20.950
and the company grows big and grows public while you’re there, you would end up to

00:41:20.950 --> 00:41:24.510
be a very wealthy individual.

00:41:24.510 --> 00:41:30.090
It doesn’t work exactly like that over here in Finland but I’m still at the same company

00:41:30.090 --> 00:41:33.079
and I gotta tell you, it’s been a wild ride.

00:41:33.079 --> 00:41:38.480
I’ve seen a company change from a small startup to a player which works all over the

00:41:38.480 --> 00:41:39.480
world.

00:41:39.480 --> 00:41:41.600
We now have offices in twenty-nine countries around the world.

00:41:41.600 --> 00:41:48.360
JACK: In June 1991, Mikko started working at F-Secure doing security-type work.

00:41:48.360 --> 00:41:51.650
Because of all this, he’s a bit of a malware historian.

00:41:51.650 --> 00:41:55.849
I took this chance to talk with him about some of the early malware we ever saw, like

00:41:55.849 --> 00:41:56.849
Brain.

00:41:56.849 --> 00:42:02.010
MIKKO: [MUSIC] Brain was found in 1986 which means I wasn’t in the industry yet.

00:42:02.010 --> 00:42:08.790
But I did end up analyzing Brain by the time I started doing malware analysis professionally

00:42:08.790 --> 00:42:12.599
because I wanted to analyze every single virus there was.

00:42:12.599 --> 00:42:17.599
When I started doing virus analysis in the early days, there were very few viruses.

00:42:17.599 --> 00:42:21.690
We weren’t receiving thousands of new samples every day.

00:42:21.690 --> 00:42:27.140
We would get a new malware sample in the mail, on a floppy maybe once a week.

00:42:27.140 --> 00:42:32.890
I did go through the Brain.A code as well when I started professionally doing malware

00:42:32.890 --> 00:42:33.890
analysis.

00:42:33.890 --> 00:42:37.980
JACK: Brain is actually how I first learned who Mikko was because of a video he made about

00:42:37.980 --> 00:42:38.980
it.

00:42:38.980 --> 00:42:43.859
MIKKO: Brain.A is such an important piece of malware history because it was the first

00:42:43.859 --> 00:42:45.910
PC virus ever.

00:42:45.910 --> 00:42:53.770
Now, we had – there was some specific malware cases before Brain on other platforms, for

00:42:53.770 --> 00:43:00.119
example on Amiga and Apple II, but the first PC virus is important because we’re still

00:43:00.119 --> 00:43:02.000
fighting PC viruses today.

00:43:02.000 --> 00:43:05.060
That’s basically where it started from.

00:43:05.060 --> 00:43:14.740
I revisited the Brain code in 2011, on the 25th anniversary of Brain, basically

00:43:14.740 --> 00:43:19.430
because our marketing people and sales people asked me that, you know, it’s gonna be the

00:43:19.430 --> 00:43:21.590
25th anniversary of the first PC virus.

00:43:21.590 --> 00:43:26.880
Would you like to say something on this, or should we do something about this?

00:43:26.880 --> 00:43:32.450
We had a meeting about it and they suggested we would build some kind of an awareness campaign

00:43:32.450 --> 00:43:34.990
on malware or whatever, something boring.

00:43:34.990 --> 00:43:37.960
I just told them that, you know, that’s a bad idea.

00:43:37.960 --> 00:43:43.860
Why don’t we instead put me in a plane and I go and try to find the guys who wrote the

00:43:43.860 --> 00:43:46.660
first PC virus twenty-five years ago?

00:43:46.660 --> 00:43:48.270
That’s what we did.

00:43:48.270 --> 00:43:52.059
Of course, I said that because I knew there was a lead.

00:43:52.059 --> 00:43:58.790
Because in the code of Brain.A virus, there is a street address, an address which points

00:43:58.790 --> 00:44:03.200
to a street in the city of Lahore which is a city in Pakistan.

00:44:03.200 --> 00:44:09.530
In 2011, I went to Lahore to look for the guys who wrote the Brain virus.

00:44:09.530 --> 00:44:11.950
We did a video about this; you can watch the video on YouTube.

00:44:11.950 --> 00:44:13.820
JACK: There’s a link to that video in the show notes.

00:44:13.820 --> 00:44:15.359
You really should check it out.

00:44:15.359 --> 00:44:16.359
It’s awesome.

00:44:16.359 --> 00:44:20.760
But malware made in 1986 is very different than the malware today.

00:44:20.760 --> 00:44:26.500
MIKKO: Back then, first of all, writing viruses was not illegal.

00:44:26.500 --> 00:44:31.329
If you wrote a piece of malware and you infected the whole world, you didn’t break a single

00:44:31.329 --> 00:44:32.329
law.

00:44:32.329 --> 00:44:37.400
The laws in any of the countries at the time didn’t take crime like this into account

00:44:37.400 --> 00:44:38.980
at all.

00:44:38.980 --> 00:44:46.380
Second of all, the early malware writers didn’t have – they didn’t have motives.

00:44:46.380 --> 00:44:51.360
They didn’t really gain anything by writing these early viruses which were spreading on

00:44:51.360 --> 00:44:56.840
floppy discs or over early networks.

00:44:56.840 --> 00:45:02.630
They basically got just chuckles out of the idea that their malware was spreading around

00:45:02.630 --> 00:45:04.240
the world.

00:45:04.240 --> 00:45:08.119
It is interesting because I’ve met – during the early days, I’ve met some of the early

00:45:08.119 --> 00:45:09.119
virus writers.

00:45:09.119 --> 00:45:16.859
In particular I remember this one kid, sixteen-year-old kid, who was from Finland.

00:45:16.859 --> 00:45:18.250
I found him.

00:45:18.250 --> 00:45:22.660
He was spreading some of his malware in BBS systems of the time where it was being spread

00:45:22.660 --> 00:45:26.470
over modems from one computer to another.

00:45:26.470 --> 00:45:29.090
I spoke with him on the phone and I spoke with his parents.

00:45:29.090 --> 00:45:36.710
It was fairly eye-opening because he told me that he’s living in this small, rural

00:45:36.710 --> 00:45:40.390
town in central Finland in the middle of nowhere.

00:45:40.390 --> 00:45:41.490
There’s nothing.

00:45:41.490 --> 00:45:43.140
There’s no neighbors.

00:45:43.140 --> 00:45:45.790
There’s just snow, basically.

00:45:45.790 --> 00:45:48.400
He’s bored out of his mind.

00:45:48.400 --> 00:45:49.650
He can’t escape.

00:45:49.650 --> 00:45:54.880
He’s with his mother and father in the middle of nowhere but he does have a computer and

00:45:54.880 --> 00:45:57.680
he does have a modem, and he wrote this virus.

00:45:57.680 --> 00:46:00.240
He called the virus Cinderella.

00:46:00.240 --> 00:46:07.309
Then when he saw that the virus was spreading from one computer to another – and eventually

00:46:07.309 --> 00:46:11.660
he saw that the virus spread to California.

00:46:11.660 --> 00:46:16.700
He somehow felt that he couldn’t escape but his virus could.

00:46:16.700 --> 00:46:22.160
That was his motive for writing viruses back then, years and years ago.

00:46:22.160 --> 00:46:25.200
The motives of the virus writers have completely changed.

00:46:25.200 --> 00:46:31.220
If you talk to current online criminals, nobody’s writing malware for fun.

00:46:31.220 --> 00:46:33.290
Nobody’s doing it for anything like that.

00:46:33.290 --> 00:46:34.530
It’s all about money.

00:46:34.530 --> 00:46:39.290
It’s all about organized crime trying to make money with ransomware and botnets or

00:46:39.290 --> 00:46:43.230
it’s governmental activity or spying.

00:46:43.230 --> 00:46:48.099
The good old days of happy hackers are long gone.

00:46:48.099 --> 00:46:53.400
JACK: Yeah, but I’m also thinking when a virus hits today, it’s got a plan.

00:46:53.400 --> 00:46:59.420
Like, it’s gonna take my contacts list or spread an e-mail or try to find something

00:46:59.420 --> 00:47:02.470
internal or take control.

00:47:02.470 --> 00:47:08.670
These viruses back in the 80s and 90s weren’t doing stuff that sinister, were they?

00:47:08.670 --> 00:47:15.700
MIKKO: Most of the early viruses either did nothing except spread further or they might

00:47:15.700 --> 00:47:17.300
be destructive.

00:47:17.300 --> 00:47:22.470
We saw surprisingly many examples of malware which would just overwrite hard drives on

00:47:22.470 --> 00:47:26.190
certain dates or things like that.

00:47:26.190 --> 00:47:31.230
Or they would do something visible; they would play music, they would show you animations,

00:47:31.230 --> 00:47:34.030
they would play games with the user.

00:47:34.030 --> 00:47:40.089
I’ve always found that part of malware or early viruses very interesting.

00:47:40.089 --> 00:47:45.190
Many of them look, actually, pretty nice when you look at them with today’s eyes and you

00:47:45.190 --> 00:47:52.300
sort of respect the art in the early viruses when you look at it today.

00:47:52.300 --> 00:47:56.750
I definitely wasn’t respecting that back then when I was fighting these viruses.

00:47:56.750 --> 00:48:02.240
But this is one of the reasons why I’ve been volunteering at the Internet Archive

00:48:02.240 --> 00:48:07.790
and curating a collection of old viruses which you can now [00:50:00] run safely in your

00:48:07.790 --> 00:48:12.920
browser by executing the original code of viruses from the 1980s and 1990s, especially

00:48:12.920 --> 00:48:18.819
the kind of viruses which actually show you stuff, show you animations or maybe play music

00:48:18.819 --> 00:48:19.930
on your computer.

00:48:19.930 --> 00:48:24.440
That’s something you can all check out by visiting the Malware Museum at the Internet

00:48:24.440 --> 00:48:25.440
Archive.

00:48:25.440 --> 00:48:28.330
JACK: If you ever get bored, this is an interesting site to explore.

00:48:28.330 --> 00:48:32.210
Some of this malware just has a message display like this one.

00:48:32.210 --> 00:48:35.980
[BEEPING] It just prints out a note on the screen which says ‘Terminator message.

00:48:35.980 --> 00:48:37.670
Don’t be afraid.

00:48:37.670 --> 00:48:39.640
I am a kind virus.

00:48:39.640 --> 00:48:41.700
Have a nice day. Goodbye.

00:48:41.700 --> 00:48:43.220
Press any key to continue.’

00:48:43.220 --> 00:48:44.220
Then just quits.

00:48:44.220 --> 00:48:45.220
That’s it.

00:48:45.220 --> 00:48:49.210
No damage; it just infects your computer to say hi, then it moves on.

00:48:49.210 --> 00:48:53.079
[MUSIC] Then there’s other ones that display weird graphics or they make the screen look

00:48:53.079 --> 00:48:54.079
glitchy.

00:48:54.079 --> 00:48:56.160
But that’s just it, graphics and sounds.

00:48:56.160 --> 00:48:57.200
Nothing more.

00:48:57.200 --> 00:48:59.090
That’s the virus.

00:48:59.090 --> 00:49:04.609
I guess what makes it a virus is that somehow these programs were installed and ran on your

00:49:04.609 --> 00:49:08.260
computer without your consent or your doing.

00:49:08.260 --> 00:49:12.700
Mikko’s favorite malware of all time is the Whale virus.

00:49:12.700 --> 00:49:18.339
MIKKO: Whale was found in 1990 and it’s one of the big mysteries we still don’t

00:49:18.339 --> 00:49:22.869
understand in the early days of malware.

00:49:22.869 --> 00:49:26.140
Early viruses started to get more and more complicated.

00:49:26.140 --> 00:49:31.619
They started to use encryption because they were being fought by antivirus software such

00:49:31.619 --> 00:49:34.049
as the software we were writing back then.

00:49:34.049 --> 00:49:36.790
Another early software which still exists today is McAfee.

00:49:36.790 --> 00:49:40.109
McAfee is actually older by one year than F-Secure.

00:49:40.109 --> 00:49:43.140
Obviously, McAfee is still around.

00:49:43.140 --> 00:49:47.330
An easy way to evade detection was to use encryption.

00:49:47.330 --> 00:49:53.609
You would just encrypt the code of the malware and the antivirus guys like me, we couldn’t

00:49:53.609 --> 00:49:56.520
find a way to detect the malware because it’s encrypted.

00:49:56.520 --> 00:50:00.079
You could change the key for every sample and all that.

00:50:00.079 --> 00:50:06.460
However, the weak point of that technique is that we can pick up a detection signature

00:50:06.460 --> 00:50:08.809
from the decryption loop.

00:50:08.809 --> 00:50:16.339
This is when we started finding viruses which would use metamorphic or polymorphic algorithms,

00:50:16.339 --> 00:50:18.020
including Whale.

00:50:18.020 --> 00:50:24.710
Every time the Whale malware would replicate to a new file, it would rewrite itself.

00:50:24.710 --> 00:50:27.040
It would basically recompile the binary.

00:50:27.040 --> 00:50:31.150
It would look different every time.

00:50:31.150 --> 00:50:34.160
This was really groundbreaking at the time.

00:50:34.160 --> 00:50:40.780
There were plenty of mysterious messages left inside of the malware, and plenty of early

00:50:40.780 --> 00:50:45.640
researchers spent a lot of time trying to figure out what was the motive of Whale?

00:50:45.640 --> 00:50:47.059
Where did it come from?

00:50:47.059 --> 00:50:48.619
Who wrote it?

00:50:48.619 --> 00:50:51.299
We still don’t know that.

00:50:51.299 --> 00:51:00.280
These techniques of hiding malware under polymorphic encryption got – it became accessible to

00:51:00.280 --> 00:51:01.280
anybody.

00:51:01.280 --> 00:51:07.359
Anybody was writing viruses around two years later when a Bulgarian virus writer called

00:51:07.359 --> 00:51:12.790
Dark Avenger released a toolkit called MTE, Mutation Engine.

00:51:12.790 --> 00:51:19.790
This was basically a toolkit you could use to wrap any program inside a layer of polymorphic

00:51:19.790 --> 00:51:20.790
encryption.

00:51:20.790 --> 00:51:22.400
This was really complicated.

00:51:22.400 --> 00:51:25.820
You would replicate the sample twice.

00:51:25.820 --> 00:51:30.859
There wouldn’t be a single byte which would be constant in these two samples, so detection

00:51:30.859 --> 00:51:33.230
was a nightmare.

00:51:33.230 --> 00:51:38.840
However, at that time we were working closely with a researcher called Fridrik Skulason

00:51:38.840 --> 00:51:40.240
from Reykjavik.

00:51:40.240 --> 00:51:47.670
He came up with this clever idea that instead of trying to detect malware with static signatures

00:51:47.670 --> 00:51:53.920
or looking for certain bytes in certain offsets, what we would start doing is that we would

00:51:53.920 --> 00:51:56.970
simply execute the malware in a virtual machine.

00:51:56.970 --> 00:52:04.650
Basically, let the malware run safely as long as it needs to run so it decrypts the stuff

00:52:04.650 --> 00:52:07.720
that’s hidden by the layer of polymorphic encryption.

00:52:07.720 --> 00:52:12.730
We would basically let the malware decrypt itself for us.

00:52:12.730 --> 00:52:17.619
The virus writers of the time couldn’t figure this out for years.

00:52:17.619 --> 00:52:23.720
I mean, they just couldn’t understand that no matter how well they were trying to hide

00:52:23.720 --> 00:52:29.030
the payload, no matter how many layers of encryption they would add, we would still

00:52:29.030 --> 00:52:34.280
find it because the encryption layers they were adding meant nothing.

00:52:34.280 --> 00:52:40.220
They would, in the end, end up decrypting the hidden stuff underneath for us and we

00:52:40.220 --> 00:52:42.920
could detect it just like there wouldn’t be encryption at all.

00:52:42.920 --> 00:52:47.770
JACK: Keep in mind, up until this point, this malware which was targeting PCs was just for

00:52:47.770 --> 00:52:48.770
DOS.

00:52:48.770 --> 00:52:49.900
Windows wasn’t even out yet.

00:52:49.900 --> 00:52:54.859
At this time in the 90s when Mikko was researching this stuff, people would send him this malware

00:52:54.859 --> 00:52:56.460
in the mail on floppy discs.

00:52:56.460 --> 00:52:58.660
It was a weird time for malware.

00:52:58.660 --> 00:53:04.869
MIKKO: Viruses were really slow to make the jump from MS DOS to MS Windows.

00:53:04.869 --> 00:53:06.520
MS Windows started to [00:55:00] get traction.

00:53:06.520 --> 00:53:11.510
I mean, Windows 3.0 was the first success story and then 3.1 and then 3.11.

00:53:11.510 --> 00:53:16.830
It became bigger and bigger, but all the malware we were analyzing were still running on MS

00:53:16.830 --> 00:53:17.830
DOS.

00:53:17.830 --> 00:53:21.580
Of course, Windows systems at the time were running on top of MS DOS, so this malware

00:53:21.580 --> 00:53:27.240
was still partially functional until we then found the very first Windows virus.

00:53:27.240 --> 00:53:33.849
I remember this very, very well because it really changed our contacts within the industry.

00:53:33.849 --> 00:53:41.380
This was 1992 and we found a sample that we believed to be a Windows virus from Sweden.

00:53:41.380 --> 00:53:47.050
It was very hard to analyze because it was the first Windows virus, and Windows at the

00:53:47.050 --> 00:53:56.119
time wasn’t as accessible as you might think to debug or reverse engineer.

00:53:56.119 --> 00:54:00.930
But me and Ismo, one of our coders at the time, spent a couple of days trying to figure

00:54:00.930 --> 00:54:02.140
out this sample.

00:54:02.140 --> 00:54:06.170
It turned out to be the very first Windows virus in history.

00:54:06.170 --> 00:54:08.210
Well, we named it.

00:54:08.210 --> 00:54:12.970
The finder names the virus so we called it Winvir, like ‘Windows virus’.

00:54:12.970 --> 00:54:14.819
We wrote a description about it.

00:54:14.819 --> 00:54:16.350
We had a detection for it.

00:54:16.350 --> 00:54:22.270
We were all done, but then we realized that holy hell, this is news.

00:54:22.270 --> 00:54:23.710
Right, this has to be news.

00:54:23.710 --> 00:54:27.480
I mean, the first Windows virus in history.

00:54:27.480 --> 00:54:28.480
What should we do?

00:54:28.480 --> 00:54:30.450
Should we do a press release?

00:54:30.450 --> 00:54:34.790
Well, the company had never done a press release so we had no idea how to do a press release,

00:54:34.790 --> 00:54:41.339
but we had seen press releases so we just copied the format; date, location, Data Fellows

00:54:41.339 --> 00:54:46.430
has today announced the discovery of the first Windows virus, and then go through the technical

00:54:46.430 --> 00:54:47.640
details.

00:54:47.640 --> 00:54:52.380
Very important detail; when we wrote this press release, the first press release in

00:54:52.380 --> 00:54:56.700
the history of the company, we wrote it in English, not in Finnish.

00:54:56.700 --> 00:54:58.500
We were headquartered in Helsinki.

00:54:58.500 --> 00:55:03.160
All of our clients were in Finland, but we automatically assumed that this is an international

00:55:03.160 --> 00:55:04.160
news item.

00:55:04.160 --> 00:55:05.180
We have to tell the world.

00:55:05.180 --> 00:55:09.890
Then when we had the press release ready, we printed it out, we had it in our hands.

00:55:09.890 --> 00:55:11.099
Then, what do you do?

00:55:11.099 --> 00:55:12.530
Well, we had no idea.

00:55:12.530 --> 00:55:16.400
We faxed it to Reuters in London.

00:55:16.400 --> 00:55:17.880
Reuters picked it up.

00:55:17.880 --> 00:55:19.849
They wrote a wire article about it.

00:55:19.849 --> 00:55:20.920
They ran with the story.

00:55:20.920 --> 00:55:23.920
It became a news item all over the world.

00:55:23.920 --> 00:55:26.930
New York Times ran the Reuters story.

00:55:26.930 --> 00:55:31.859
The next day, we started getting phone calls from research labs all over the world.

00:55:31.859 --> 00:55:36.059
Especially, I remember picking up the phone and it’s coming from New Jersey.

00:55:36.059 --> 00:55:39.640
It’s from the TJ Watson Research Center of IBM.

00:55:39.640 --> 00:55:43.240
They were very interested about our discovery.

00:55:43.240 --> 00:55:49.359
They wanted to initiate an official malware sample exchange between IBM and us.

00:55:49.359 --> 00:55:52.230
We were like okay, now we are in the big boys’ league.

00:55:52.230 --> 00:55:54.180
Now, we’ve really made it.

00:55:54.180 --> 00:55:59.770
That’s how we started the international contacts with other research labs.

00:55:59.770 --> 00:56:02.970
Of course, that was very important in the early days for the company.

00:56:02.970 --> 00:56:06.110
JACK: Viruses continued to mutate all through the 90s.

00:56:06.110 --> 00:56:10.869
Mikko was developing new ways of detecting malware and implementing that into the F-Secure

00:56:10.869 --> 00:56:12.020
antivirus software.

00:56:12.020 --> 00:56:16.200
He was also working with software companies to get them to fix the bugs which allowed

00:56:16.200 --> 00:56:18.580
this virus to run in the first place.

00:56:18.580 --> 00:56:22.680
But in the year 2000, e-mail began picking up in popularity.

00:56:22.680 --> 00:56:28.980
MIKKO: When e-mail became commonplace in offices, malware started spreading more and more over

00:56:28.980 --> 00:56:32.160
e-mail attachments instead of floppies.

00:56:32.160 --> 00:56:36.799
That’s when the era of e-mail worms started.

00:56:36.799 --> 00:56:40.190
We saw so many – so fast outbreaks.

00:56:40.190 --> 00:56:45.970
First with Happy99, then with Melissa, and then the biggest of them all at the time,

00:56:45.970 --> 00:56:48.289
Love Letter in May, 2000.

00:56:48.289 --> 00:56:54.599
JACK: [MUSIC] Now, this Love Letter virus, or sometimes known as Love Bug or ILOVEYOU,

00:56:54.599 --> 00:57:00.270
it would send an e-mail to thousands of people with this message, ‘Kindly check the attached

00:57:00.270 --> 00:57:02.000
love letter.’

00:57:02.000 --> 00:57:04.200
Then there was an attachment named LOVE-LETTER-FOR-YOU.txt.vbs.

00:57:04.200 --> 00:57:12.109
It’s kind of easy to see this is a phishing attempt now but in 2000, we weren’t getting

00:57:12.109 --> 00:57:16.829
phishing e-mails very much and we wanted to see who sent us this love letter.

00:57:16.829 --> 00:57:21.869
While this file looks like a text file, it’s actually a Visual Basic script.

00:57:21.869 --> 00:57:26.000
Often, Windows will hide the extension, so for a lot of people it just looked okay, like

00:57:26.000 --> 00:57:27.000
a text file.

00:57:27.000 --> 00:57:30.690
But when you opened it, Windows knows how to execute the commands in the script and

00:57:30.690 --> 00:57:31.740
runs them.

00:57:31.740 --> 00:57:34.100
What’s Love Letter do when you open the file?

00:57:34.100 --> 00:57:38.340
Well, it first propagates itself and sends an e-mail to everyone that’s in your address

00:57:38.340 --> 00:57:39.340
book.

00:57:39.340 --> 00:57:43.900
Then it proceeds to overwrite and corrupt random files on your computer.

00:57:43.900 --> 00:57:48.270
Office documents, images, and songs essentially get ruined which are the most valuable files

00:57:48.270 --> 00:57:50.040
on your computer.

00:57:50.040 --> 00:57:53.400
Because it would send e-mails to everyone in the victim’s address book, this made

00:57:53.400 --> 00:57:58.940
the Love Letter virus a worm because it could self-propagate, which made it one of the fastest-growing

00:57:58.940 --> 00:58:00.570
viruses of all time.

00:58:00.570 --> 00:58:06.210
Now, when something like this hits the world and a major virus is spreading, causing destruction,

00:58:06.210 --> 00:58:09.660
[01:00:00] what’s an antivirus company like F-Secure do?

00:58:09.660 --> 00:58:10.730
They get right to work.

00:58:10.730 --> 00:58:14.490
MIKKO: [MUSIC] It was sort of really exciting back then because you would typically get

00:58:14.490 --> 00:58:17.559
woken up at 3:00 a.m. and there’s a massive outbreak going on.

00:58:17.559 --> 00:58:25.230
We get the sample, we decode it, we pick a search string or build a detection.

00:58:25.230 --> 00:58:29.840
We test it, we name them while we rewrite the description, we test the detection, we

00:58:29.840 --> 00:58:33.110
ship the detection, and we just saved the world.

00:58:33.110 --> 00:58:38.079
Very, very exciting times.

00:58:38.079 --> 00:58:43.320
Except then, it happens again two days later, and again a day later, and again.

00:58:43.320 --> 00:58:48.450
JACK: Wow, that does sound exciting; to save the world by writing antivirus updates.

00:58:48.450 --> 00:58:50.910
But yeah, it must be exhausting, too.

00:58:50.910 --> 00:58:56.670
In fact, the most exhausting time for Mikko was the summer of 2003 when his team went

00:58:56.670 --> 00:58:59.599
to do battle against the botnet called Sobig.

00:58:59.599 --> 00:59:05.700
MIKKO: [MUSIC] We saw a massively large run for the first version.

00:59:05.700 --> 00:59:12.900
That’s Sobig.A and this was so huge – outbreak from the beginning because they were using

00:59:12.900 --> 00:59:18.360
an existing botnet to kickstart the e-mail sending.

00:59:18.360 --> 00:59:23.539
The e-mail Sobig was using to fool people into opening up the attachment were pretty

00:59:23.539 --> 00:59:24.539
clever.

00:59:24.539 --> 00:59:30.030
They looked like e-mails coming in from Microsoft and they were speaking about an update for

00:59:30.030 --> 00:59:32.490
security vulnerabilities in your system.

00:59:32.490 --> 00:59:37.730
This is still the time before Windows Update even existed, so people were still downloading

00:59:37.730 --> 00:59:39.599
updates manually from microsoft.com.

00:59:39.599 --> 00:59:45.670
Well, in this case, you’d get this prompt for updates for this month, and it would actually

00:59:45.670 --> 00:59:47.470
automatically change the month.

00:59:47.470 --> 00:59:54.250
So, if you would receive Sobig mail today, it would speak about year 2020 at the current

00:59:54.250 --> 00:59:55.780
month which is a neat trick.

00:59:55.780 --> 01:00:00.420
It actually makes the malware live much longer.

01:00:00.420 --> 01:00:07.770
When we were fighting through Sobig.A, we then found Sobig.B and C and D, and then F.

01:00:07.770 --> 01:00:11.440
F, the fifth version, was the largest of the outbreaks.

01:00:11.440 --> 01:00:17.069
JACK: By the time the Sobig.F variant showed up, it had infected millions of computers

01:00:17.069 --> 01:00:18.230
worldwide.

01:00:18.230 --> 01:00:19.839
But what did this malware do?

01:00:19.839 --> 01:00:26.150
Well, it’s a botnet, so all these millions of computers were under the control of someone.

01:00:26.150 --> 01:00:30.590
That person could instruct these computers to do something like send an e-mail to millions

01:00:30.590 --> 01:00:32.859
of people or attack a system.

01:00:32.859 --> 01:00:37.280
But in order to do that, each of the computers had to reach out to a central command and

01:00:37.280 --> 01:00:41.569
control computer to get instructions on what it should do.

01:00:41.569 --> 01:00:45.900
Some machines were seeing a proxy server getting installed which meant the hackers could funnel

01:00:45.900 --> 01:00:49.390
their traffic through these botnet computers in order to disguise where they’re coming

01:00:49.390 --> 01:00:50.390
from.

01:00:50.390 --> 01:00:54.570
Regardless of what it was doing, this was now a big problem for companies all over the

01:00:54.570 --> 01:00:55.570
world.

01:00:55.570 --> 01:01:01.240
They would ultimately spend billions of dollars cleaning up Sobig from infected computers.

01:01:01.240 --> 01:01:06.250
Now, when a computer gets infected, it has that code on the computer.

01:01:06.250 --> 01:01:10.950
Somewhere in that code is instructions of what the botnet should do.

01:01:10.950 --> 01:01:15.119
This is great for antivirus companies to look at to try to stop or reverse engineer the

01:01:15.119 --> 01:01:16.369
virus.

01:01:16.369 --> 01:01:19.190
But there was a problem with this code.

01:01:19.190 --> 01:01:26.780
MIKKO: [MUSIC] Sobig.F had this encrypted code in it which was a mystery for us.

01:01:26.780 --> 01:01:30.440
We couldn’t crack the encryption and figure out exactly what it was supposed to do.

01:01:30.440 --> 01:01:36.579
JACK: The team at F-Secure began trying to crack the encryption of this code which is

01:01:36.579 --> 01:01:37.820
interesting to think about, right?

01:01:37.820 --> 01:01:40.920
F-Secure is supposed to defend computers from viruses.

01:01:40.920 --> 01:01:46.809
But here they are trying to use offensive tools to break and hack and crack the code

01:01:46.809 --> 01:01:50.039
of this malware which was left on the computer.

01:01:50.039 --> 01:01:52.859
This was hard because good encryption is hard to break.

01:01:52.859 --> 01:01:59.119
MIKKO: But then one of our Hungarian coders figured out how the runtime encryption works,

01:01:59.119 --> 01:02:06.700
and we found this code which basically said that on Friday of that week, every single

01:02:06.700 --> 01:02:10.940
infected computer would contact ten different servers.

01:02:10.940 --> 01:02:14.980
These would be command and control servers controlled by the malware author.

01:02:14.980 --> 01:02:19.300
JACK: They cracked this code on Tuesday and the code said that on Friday, it would reach

01:02:19.300 --> 01:02:23.210
out to command and control servers for instructions on what to do.

01:02:23.210 --> 01:02:28.650
MIKKO: [MUSIC] This left us for four days to contact authorities or contact internet

01:02:28.650 --> 01:02:34.540
operators or contact CERTs and work together to take down these servers before Friday.

01:02:34.540 --> 01:02:41.570
There’s actually a timestamp; Friday evening, 10:00 p.m. is when the activity would start.

01:02:41.570 --> 01:02:47.079
We got most of the servers down fairly quickly by just calling up the operators and telling

01:02:47.079 --> 01:02:52.109
them what was going on, but some of these were taking none of our words for granted.

01:02:52.109 --> 01:02:57.330
This funny company from Finland is calling them and asking them to shut down the server.

01:02:57.330 --> 01:03:00.109
Why would they do that?

01:03:00.109 --> 01:03:04.260
Then we were working together with the FBI, and then we were calling my contact at the

01:03:04.260 --> 01:03:07.089
Microsoft headquarters to get [01:05:00] something happening.

01:03:07.089 --> 01:03:14.900
It was already Friday, early hours of Friday, when we had four servers left.

01:03:14.900 --> 01:03:22.460
I remember at some stage, we wanted to get the support of the global CERT community and

01:03:22.460 --> 01:03:29.750
I tried e-mailing a list of the IP addresses we had decoded from the body of the malware

01:03:29.750 --> 01:03:30.779
to CERT Finland.

01:03:30.779 --> 01:03:37.839
I e-mailed them, then I called them like two hours later to ask what’s happening.

01:03:37.839 --> 01:03:41.069
They told me that they never got my mail.

01:03:41.069 --> 01:03:43.730
I was surprised about that.

01:03:43.730 --> 01:03:48.340
They told me that well, actually, they have massive problems with their e-mail servers

01:03:48.340 --> 01:03:56.160
because of Sobig.F. The Sobig.F outbreak was still so massively spreading that e-mail wasn’t

01:03:56.160 --> 01:03:58.079
functioning as well as you were hoping for.

01:03:58.079 --> 01:04:01.890
They asked me if I could fax them the list and of course, we didn’t have a fax anymore

01:04:01.890 --> 01:04:07.700
because we were considering ourselves to be modern companies, so I printed the list on

01:04:07.700 --> 01:04:12.130
a piece of paper and I gave it to a friend of mine, Jusu, who worked in the lab, and

01:04:12.130 --> 01:04:20.349
I told him to go and drive to the CERT headquarters and just deliver it by hand.

01:04:20.349 --> 01:04:25.630
He jumped into the car and started driving there, and then got stuck in a traffic jam.

01:04:25.630 --> 01:04:27.619
We never really have traffic jams in Helsinki.

01:04:27.619 --> 01:04:31.640
It’s not a big city but there was an accident, so he was stuck.

01:04:31.640 --> 01:04:39.140
He abandoned his car and ran all the way to the CERT headquarters to deliver the piece

01:04:39.140 --> 01:04:41.339
of paper hand-to-hand.

01:04:41.339 --> 01:04:46.100
I still remember how desperate we were.

01:04:46.100 --> 01:04:52.670
But in the end, we were able to shut down all of the servers except the two last ones.

01:04:52.670 --> 01:04:59.250
When the threshold date and time came, there were so many thousands of infected machines

01:04:59.250 --> 01:05:03.690
all over the world that they all tried connecting these two servers.

01:05:03.690 --> 01:05:09.809
There was just so much traffic, both of these servers just crashed under the load which

01:05:09.809 --> 01:05:13.329
means nothing happened, which means we were successful.

01:05:13.329 --> 01:05:18.400
JACK: Taking down a global threat like a botnet is a great feeling.

01:05:18.400 --> 01:05:21.799
Mikko has gone to battle and brought down a few botnets.

01:05:21.799 --> 01:05:24.430
He has a few different methods for taking them down.

01:05:24.430 --> 01:05:29.130
MIKKO: If you are able to do this right, the whole botnet dies immediately.

01:05:29.130 --> 01:05:32.290
That’s the best feeling in the world.

01:05:32.290 --> 01:05:35.390
We’re trying to save the users.

01:05:35.390 --> 01:05:37.930
We’re trying to defend people’s security.

01:05:37.930 --> 01:05:43.770
We’re trying to defend their computers and of course, we are doing this for our clients,

01:05:43.770 --> 01:05:49.390
but when you do something like this, you’re not only protecting your clients and customers.

01:05:49.390 --> 01:05:51.539
You’re actually protecting the whole world.

01:05:51.539 --> 01:05:55.980
The whole world is safer because of what you just did.

01:05:55.980 --> 01:05:57.079
That feels great.

01:05:57.079 --> 01:06:02.130
That’s one of the things that keeps me running and keeps me in the industry year after year,

01:06:02.130 --> 01:06:05.480
the feeling that you’re actually able to make a difference, the feeling that you’re

01:06:05.480 --> 01:06:07.790
actually able to defend the users.

01:06:07.790 --> 01:06:12.109
JACK: In fact, when they took down Sobig, they had a bit of a celebration after.

01:06:12.109 --> 01:06:16.390
MIKKO: Yeah, when we felt that we’ve just saved the world, we did go and have a party.

01:06:16.390 --> 01:06:19.730
I guess that just goes with the culture.

01:06:19.730 --> 01:06:24.630
Since, well, since I was working in Finland, that always meant going to sauna.

01:06:24.630 --> 01:06:26.680
In Finland, every house has a sauna.

01:06:26.680 --> 01:06:28.310
Every office has a sauna.

01:06:28.310 --> 01:06:33.430
Every single F-Secure office I’ve – well, the very first office did not have a sauna

01:06:33.430 --> 01:06:36.690
but our headquarters today has a sauna floor.

01:06:36.690 --> 01:06:38.470
It goes with the culture.

01:06:38.470 --> 01:06:43.280
Yeah, we would be in a sauna having a beer and we would be looking at the news and chuckling

01:06:43.280 --> 01:06:47.369
to ourselves about how they got the details wrong because we knew exactly what the malware

01:06:47.369 --> 01:06:50.029
was doing because we had decoded it a couple of hours earlier.

01:06:50.029 --> 01:06:52.650
JACK: Okay, so this one I have to ask about.

01:06:52.650 --> 01:06:55.210
There’s a law named after you.

01:06:55.210 --> 01:06:57.380
What is the Hyppönen’s Law?

01:06:57.380 --> 01:07:02.700
MIKKO: Yeah, I didn’t really coin it as a law in the beginning but someone picked

01:07:02.700 --> 01:07:07.280
it up and now there’s a Wikipedia page for the Hyppönen Law which is the Hyppönen Law

01:07:07.280 --> 01:07:10.160
on IoT security.

01:07:10.160 --> 01:07:17.289
In a nutshell it just says that if something is smart, what it really is, is vulnerable.

01:07:17.289 --> 01:07:22.250
This is a very pessimistic law but it’s also true.

01:07:22.250 --> 01:07:28.400
The more functionality and connectivity we add to things, the more vulnerable they become.

01:07:28.400 --> 01:07:31.500
My favorite example is a wristwatch.

01:07:31.500 --> 01:07:38.380
If you have a traditional old, cool wristwatch that you have to wind, it’s unhackable.

01:07:38.380 --> 01:07:40.569
How do you hack a windup old wristwatch?

01:07:40.569 --> 01:07:41.750
Well, you don’t.

01:07:41.750 --> 01:07:47.030
Then if you take a modern smart watch with internet connectivity, it might be hard to

01:07:47.030 --> 01:07:49.680
hack, but of course it is hackable.

01:07:49.680 --> 01:07:56.500
If it’s smart, it’s hackable, including our smart cars, smart houses, smart cities,

01:07:56.500 --> 01:07:59.120
smart grids, it’s all hackable.

01:07:59.120 --> 01:08:03.110
JACK: What’s kept you on the good side all this time instead of taking your knowledge

01:08:03.110 --> 01:08:05.380
and saying you know what?

01:08:05.380 --> 01:08:09.140
I know exactly what these cyber-criminals do and I see that they’re making much more

01:08:09.140 --> 01:08:15.530
than I am, and I know how to hide myself – you ever think about that?

01:08:15.530 --> 01:08:22.790
MIKKO: Well, Jack, if I would have gone to the dark side, how would you know?

01:08:22.790 --> 01:08:24.750
JACK: [LAUGHS]

01:08:24.750 --> 01:08:30.960
MIKKO: If you look at my Twitter bio, it says I’m a supervillain.

01:08:30.960 --> 01:08:34.500
JACK: Oh, yes.

01:08:34.500 --> 01:08:43.900
(OUTRO): [OUTRO MUSIC] A big thank you to Mikko Hyppönen for coming on the show, sharing

01:08:43.900 --> 01:08:46.489
your stories, and teaching us more about malware.

01:08:46.489 --> 01:08:48.259
You can follow Mikko on Twitter.

01:08:48.259 --> 01:08:51.480
His name there is just Mikko; M-I-K-K-O.

01:08:51.480 --> 01:08:54.960
He tells me he’s writing a book about all this, so hopefully that’ll come out soon,

01:08:54.960 --> 01:08:57.069
and I’m sure it’ll be super fascinating.

01:08:57.069 --> 01:09:01.529
If you like this show and it brings value to you, consider donating some money through

01:09:01.529 --> 01:09:02.609
Patreon.

01:09:02.609 --> 01:09:05.880
By directly supporting the show, it helps keep ads at a minimum.

01:09:05.880 --> 01:09:09.810
It also allows me to get more people to help make the show and it tells me you want more

01:09:09.810 --> 01:09:10.810
of it.

01:09:10.810 --> 01:09:15.840
Please visit patreon.com/darknetdiaries and consider supporting the show.

01:09:15.840 --> 01:09:16.840
Thank you.

01:09:16.840 --> 01:09:20.060
This show is made by me, the never-bluffing Jack Rhysider.

01:09:20.060 --> 01:09:24.730
Sound design and original music was created by Andrew Meriwether who swears he dreams

01:09:24.730 --> 01:09:25.730
in color.

01:09:25.730 --> 01:09:30.250
Editing help this episode is by the heat-syncing Damienne, and our theme music is by the botnet

01:09:30.250 --> 01:09:32.900
blocker, Breakmaster Cylinder.

01:09:32.900 --> 01:09:37.940
Even though some people still insist on pushing code to production on a Friday afternoon and

01:09:37.940 --> 01:09:43.420
that’s really a bad idea, this is Darknet Diaries.
