WEBVTT

00:00:00.014 --> 00:00:04.740
JACK: Remember when Donald Trump had a Twitter account? He actually had two for a while;

00:00:04.740 --> 00:00:09.060
one called @POTUS and the other called @realDonaldTrump. He used

00:00:09.060 --> 00:00:11.400
his personal one a lot while he was president.

00:00:11.400 --> 00:00:13.560
TRUMP: I pick up – I’m picking up – now, I think I

00:00:13.560 --> 00:00:19.320
picked up yesterday 100,000 people. It’s a modern form of communication.

00:00:19.320 --> 00:00:23.400
JACK: Of course, that was before his account got banned. [MUSIC] He sent

00:00:23.400 --> 00:00:28.800
thousands of tweets while in office. He had over 80 million followers and that put him as

00:00:28.800 --> 00:00:33.300
the seventh on the list of the most-followed Twitter accounts, sandwiched between Lady

00:00:33.300 --> 00:00:39.420
Gaga and Taylor Swift. But he’s tweeted tens of thousands of times more than both of them

00:00:39.420 --> 00:00:45.320
and he tweets more than anyone in the top ten. Twitter was his mouthpiece for so many things.

00:00:45.320 --> 00:00:48.660
HOST1: Secretary of state Rex Tillerson learned

00:00:48.660 --> 00:00:54.219
he was fired at the same time the rest of the world did; on Twitter.

00:00:54.219 --> 00:00:58.080
HOST2: The president issuing this tweet suggesting that he is ready to leave Walter

00:00:58.080 --> 00:01:03.120
Reed this evening. He’s feeling much better and ready to go back to the White House.

00:01:03.120 --> 00:01:08.340
The president has a habit; when he sees his advisors and cabinet secretaries even saying

00:01:08.340 --> 00:01:11.960
something in public that he doesn’t like, he has a habit of rebuking them over Twitter.

00:01:11.960 --> 00:01:17.940
TRUMP: Social media is the way to go. I’ve got over 100 million people watching

00:01:17.940 --> 00:01:23.400
and social media to me is the way to go. It’s a fast way of getting the word out.

00:01:23.400 --> 00:01:30.480
JACK: With all that power and influence, I sure hope he practices good security so that

00:01:30.480 --> 00:01:35.400
his Twitter account doesn’t get hacked, especially after saying things like this.

00:01:35.400 --> 00:01:39.960
TRUMP: Nobody gets hacked. To get hacked you need somebody with 197

00:01:39.960 --> 00:01:43.920
IQ and he needs about 15% of your password, right?

00:01:43.920 --> 00:01:49.860
JACK: That statement is actually pretty ironic because Trump’s Twitter account

00:01:49.860 --> 00:01:52.980
was hacked into three times that we know of,

00:01:52.980 --> 00:01:57.960
and in this episode we’ll hear from the guys behind one of those hacks.

00:01:57.960 --> 00:02:03.000
(INTRO): [INTRO MUSIC] These are

00:02:03.000 --> 00:02:09.180
true stories from the dark side of the internet.

00:02:09.180 --> 00:02:19.080
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:19.080 --> 00:02:28.740
JACK: [MUSIC]

00:02:28.740 --> 00:02:33.540
The first time that we know of Trump’s Twitter account getting hacked was in 2013. Someone got

00:02:33.540 --> 00:02:38.880
in and tweeted out some Lil Wayne lyrics. They posted quote, “These hoes think they classy. Well,

00:02:38.880 --> 00:02:43.440
that’s the class I’m skipping.” End quote. Within minutes it was deleted and then Trump

00:02:43.440 --> 00:02:48.420
tweeted ‘My Twitter has been seriously hacked and we’re looking into the perpetrators.’

00:02:48.420 --> 00:02:53.160
As far as I know, they never caught the person who did that. Keep in mind, that was 2013,

00:02:53.160 --> 00:02:57.480
long before Trump even began running for president, so maybe securing his account

00:02:57.480 --> 00:03:01.680
wasn’t the highest priority at the time since he wasn’t president. But you would

00:03:01.680 --> 00:03:08.460
think a self-proclaimed billionaire would take his digital security seriously. Well, maybe he didn’t.

00:03:08.460 --> 00:03:14.700
This all reminds me of another person who got their account hacked into, a woman who was also

00:03:14.700 --> 00:03:23.280
running in a presidential election. She got her e-mails hacked into and no, not those e-mails.

00:03:23.280 --> 00:03:29.340
I’m talking about Sarah Palin. She was running for vice president in 2008 and got her Yahoo account

00:03:29.340 --> 00:03:35.400
hacked into. How though? Russian hackers, you guess? No, it was a twenty-year-old guy on 4chan.

00:03:35.400 --> 00:03:42.060
Her e-mail address was gov.palin@yahoo.com which was not that hard to figure out, so he went to

00:03:42.060 --> 00:03:47.100
Yahoo and typed in her e-mail address, then he clicked I Forgot My Password. Yahoo said okay,

00:03:47.100 --> 00:03:51.240
no problem; just answer these questions and we’ll reset your password. Question number one; what is

00:03:51.240 --> 00:03:55.980
your birth date? Well, the hacker just went to Wikipedia and found that right away. Yahoo’s

00:03:55.980 --> 00:04:00.600
website said okay, great. One more question; what high school did you go to? Well, Sarah Palin was

00:04:00.600 --> 00:04:05.880
not shy about talking about her hometown of Wasilla, Alaska on TV in so many interviews,

00:04:05.880 --> 00:04:11.340
so practically everyone knew she graduated from Wasilla High School. But besides that,

00:04:11.340 --> 00:04:17.820
it was also listed on her Wikipedia page, too. After the hacker typed that in, bingo. Yahoo

00:04:17.820 --> 00:04:23.760
let him reset the password and he was able to get into her account and see her e-mails. The

00:04:23.760 --> 00:04:28.440
hacker posted screenshots of e-mails to 4chan and he caused a riot in the media.

00:04:28.440 --> 00:04:32.280
He was later arrested and sentenced to one-and-a-half years in prison for gaining

00:04:32.280 --> 00:04:38.640
unauthorized access to Sarah Palin’s account. Sadly, the hacker who did this, David Kernell,

00:04:38.640 --> 00:04:43.680
was diagnosed with multiple sclerosis and died in 2018 at thirty years old.

00:04:43.680 --> 00:04:51.480
But this raises my first ethical question; personal identifiable information or PII is

00:04:51.480 --> 00:04:56.580
the stuff the public isn’t supposed to know about. Your birth date and where you went to

00:04:56.580 --> 00:05:01.560
high school shouldn’t be just sitting out there in the public, but Sarah Palin’s PII

00:05:01.560 --> 00:05:07.080
is right there on Wikipedia. So the question is, if I go onto Wikipedia and look at this,

00:05:07.080 --> 00:05:13.980
would you say I committed identity theft? [MUSIC] Well, the judge said yes, this hacker did commit

00:05:13.980 --> 00:05:19.800
identity theft by using the information that was posted on Wikipedia. But anyway, back to Trump.

00:05:19.800 --> 00:05:25.800
The second time his Twitter account got hacked was in 2016, the year he was running for president,

00:05:25.800 --> 00:05:33.600
and it was done by some grumpy old hackers. Okay, I’ll click it one more time. Ah, it’s working now.

00:05:33.600 --> 00:05:34.710
MATT: Yes, it’s recording.

00:05:34.710 --> 00:05:35.340
VICTOR: Yeah.

00:05:35.340 --> 00:05:35.714
JACK: Jeez, this…

00:05:35.714 --> 00:05:35.855
VICTOR: How many hackers does it take to click on one button, right?

00:05:35.855 --> 00:05:45.600
JACK: Yeah. I called up the three guys that in 2016 hacked Donald Trump’s Twitter account.

00:05:45.600 --> 00:05:51.450
They’re Dutch and part of a hacking club in the Netherlands. So, collectively you’re called what?

00:05:51.450 --> 00:05:53.790
MATT: The Guild of the Grumpy Old Hackers.

00:05:53.790 --> 00:05:55.380
VICTOR: Because we are grumpy.

00:05:55.380 --> 00:05:57.120
EDWIN: We’re grumpy and old.

00:05:57.120 --> 00:05:58.500
VICTOR: Very grumpy and old.

00:05:58.500 --> 00:06:00.120
MATT: Not as old as Edwin.

00:06:00.120 --> 00:06:01.920
EDWIN: [MUSIC] Oh, thank you.

00:06:01.920 --> 00:06:08.100
JACK: So, the grumpy old hackers are a few friends that are also IT professionals. Edwin, who I met

00:06:08.100 --> 00:06:13.860
at Defcon once, has grey hair and a big grey beard. He seems like an elder statesman to me.

00:06:13.860 --> 00:06:21.600
EDWIN: I’m Edwin. I’m old. I’m like, almost fifty. Hacked since I was a kid. Started on

00:06:21.600 --> 00:06:27.420
old computers my dad brought in, grew up from there, met a lot of hackers around the world in

00:06:27.420 --> 00:06:34.140
the years after. The thing I love is combining all the hackers together. So, we are also The

00:06:34.140 --> 00:06:39.540
Guild of the Grumpies. It’s like a combination of yeah, mostly elderly hackers just having fun

00:06:39.540 --> 00:06:45.000
and trying to do stuff which is always on the edge because that’s mostly the fun there is.

00:06:45.000 --> 00:06:46.440
JACK: Also on the call is Matt.

00:06:46.440 --> 00:06:56.280
MATT: My name is Matt and I spent a twenty-year professional computer security career

00:06:56.280 --> 00:07:00.840
both in the offensive and as well as the defensive side.

00:07:00.840 --> 00:07:07.320
I developed a special interest in process automation and industrial systems. I’ve tinkered

00:07:07.320 --> 00:07:14.700
with a lot of nice devices over the years and found there were a couple of vulnerabilities in them.

00:07:14.700 --> 00:07:16.320
JACK: Then there’s Victor.

00:07:16.320 --> 00:07:21.300
VICTOR: My name is Victor. I’m a security researcher. I’ve been doing

00:07:21.300 --> 00:07:25.320
responsible disclosures, so I like to find problems, vulnerabilities,

00:07:25.320 --> 00:07:30.240
configuration errors in systems and then try to track the owner of the system or

00:07:30.240 --> 00:07:36.060
the organization and then notify them. It’s grown from a little hobby into almost an entire day job.

00:07:36.060 --> 00:07:39.720
JACK: Victor works with the Dutch Institute of Vulnerability Disclosure,

00:07:39.720 --> 00:07:43.920
something Edwin and Matt help out with, too. Together, they like to find vulnerabilities

00:07:43.920 --> 00:07:49.920
in things and report that to the people who can fix them. Someone once described these guys as…

00:07:49.920 --> 00:07:57.120
EDWIN: The guys who inform you that your zipper is open just before you go onstage, you know? That’s

00:07:57.120 --> 00:08:03.600
basically us. We whisper in your ear; sorry man, your password is out there. That’s the idea. We

00:08:03.600 --> 00:08:10.320
try to help people. Yeah, we don’t need people to be embarrassed or whatever, you know? We love

00:08:10.320 --> 00:08:17.700
finding stuff. We love finding leaks in systems, in servers, in doors, in lock-picking stuff. We

00:08:17.700 --> 00:08:22.440
love all those puzzles. That’s for us and if we find something, yeah, we will tell you about it.

00:08:22.440 --> 00:08:26.280
JACK: The Grumps find problems and then tell whoever is in charge of

00:08:26.280 --> 00:08:30.060
that and get them to fix it. Maybe they’ll respond by saying thank you,

00:08:30.060 --> 00:08:34.560
because they want stuff to get fixed so the internet can be a safer place.

00:08:34.560 --> 00:08:39.240
Another important thing that the Grumps do which Edwin is known most for is mentoring

00:08:39.240 --> 00:08:42.780
the next generation of hackers, especially those that could get into trouble with the

00:08:42.780 --> 00:08:47.760
law or already have. They work with Hack_Right, a Dutch law enforcement program that helps put

00:08:47.760 --> 00:08:52.440
young offenders back on track. The goal is to recalibrate their skills for ethical hacking.

00:08:52.440 --> 00:08:56.880
EDWIN: We see a lot of kids who go in the wrong side when they, for instance, find a database

00:08:56.880 --> 00:09:03.060
of credit card information or something and try to tell people about it. When we hear about it,

00:09:03.060 --> 00:09:08.460
we try to steer them in the right direction, so, do a vulnerability disclosure to the company.

00:09:08.460 --> 00:09:12.780
JACK: Like, if you stumble onto a database, don’t sell it on the dark web. Instead,

00:09:12.780 --> 00:09:16.440
let that company know that there’s a problem with their security and keep it between you

00:09:16.440 --> 00:09:21.960
and them. That’s the Grumpy way. But the Grumpy way and ethical hacking can have

00:09:21.960 --> 00:09:27.360
some grey areas. [MUSIC] Here’s a question for you, my listener; suppose these Grumpy hackers

00:09:27.360 --> 00:09:33.660
find your password out there. Should they test it first to see if it’s valid before telling you it’s

00:09:33.660 --> 00:09:40.260
out there or just tell you that they found it? Or here’s another one; should they test it on other

00:09:40.260 --> 00:09:46.140
accounts that you also have, to let you know that hey, not only did we find your password but

00:09:46.140 --> 00:09:53.340
we know for sure it works on these four accounts? It seems wrong for them to test all this, right?

00:09:53.340 --> 00:09:58.260
I mean, how dare they try my password on all these accounts. But let’s remember what their intention

00:09:58.260 --> 00:10:05.160
is. It’s to help people be more secure. They just want to do it in a responsible way.

00:10:05.160 --> 00:10:12.840
So, I just wonder if it’s possible to trespass responsibly. Yes, there are bug bounty programs

00:10:12.840 --> 00:10:17.460
out there that openly say if you can hack me, we’ll give you a reward. But what about all

00:10:17.460 --> 00:10:22.080
the places out there that don’t have bug bounty programs? Do you have a bug bounty program for

00:10:22.080 --> 00:10:27.000
your own personal life? A lot of places don’t because either they can’t afford it or it’s

00:10:27.000 --> 00:10:31.620
like a school or charity or they don’t even know that’s a thing. If you try to e-mail a

00:10:31.620 --> 00:10:36.240
charity and ask them hey, would you like a free penetration test? Chances are they’ll tell you

00:10:36.240 --> 00:10:40.920
to take a hike. I suppose there’s an argument that could depend on who you’re trying to hack,

00:10:40.920 --> 00:10:46.920
too. If it’s someone important like the president, it might be good to test their security for the

00:10:46.920 --> 00:10:56.580
good of democracy. That’s an ethical dilemma which The Grumpy Old Hackers were facing back in 2016.

00:10:56.580 --> 00:11:00.180
It all started when they got together and went to a security conference.

00:11:00.180 --> 00:11:04.140
EDWIN: [MUSIC] We were at a conference called BruCON in Belgium.

00:11:04.140 --> 00:11:09.360
JACK: BruCON is an annual meetup for hackers and security professionals. Now, shenanigans certainly

00:11:09.360 --> 00:11:13.260
happen at these kind of gatherings. In fact, when you go to a security conference like this,

00:11:13.260 --> 00:11:19.020
you’ll see tables of people all sitting around using their computers obsessively; not going to

00:11:19.020 --> 00:11:24.120
any talks or workshops, just using their computer like, the whole time. It’s kind of weird at first.

00:11:24.120 --> 00:11:28.680
Like, isn’t a conference supposed to be for socializing and getting to know others? Why

00:11:28.680 --> 00:11:32.340
are people just huddling around their computers, seemingly isolating themselves from the whole

00:11:32.340 --> 00:11:37.200
event? Well, there’s a lot of reasons. Sometimes there’s hacking contests going on and you just

00:11:37.200 --> 00:11:41.520
need a place to work on it, and sometimes people are learning new hacking methods and testing them

00:11:41.520 --> 00:11:46.680
out and teaching each other. Sometimes people are up to no good and just try to hack the hackers.

00:11:46.680 --> 00:11:52.020
Edwin, Victor, and Matt all head up to their hotel room after the conference to chill out

00:11:52.020 --> 00:11:57.960
and unwind for the day. But during that day, Edwin got access to the LinkedIn database from

00:11:57.960 --> 00:12:03.120
2012. If you’re unfamiliar with this, check out the episode just before this one. Basically,

00:12:03.120 --> 00:12:07.680
back in 2012, LinkedIn’s website was breached and over 100 million e-mails

00:12:07.680 --> 00:12:11.640
and passwords were stolen. The database was sold on the dark web for a while but

00:12:11.640 --> 00:12:17.100
kept mostly hidden. But in 2016, the database started making its way around the internet,

00:12:17.100 --> 00:12:22.800
getting passed around freely. So for the first time, security researchers were seeing exactly

00:12:22.800 --> 00:12:28.260
what was in the database dump. That’s when Edwin saw a link on Facebook which was the

00:12:28.260 --> 00:12:35.400
LinkedIn database. He downloaded the over 100 million user details and showed it to Matt

00:12:35.400 --> 00:12:41.340
and Victor. Together in their hotel room that night, they explored what was there.

00:12:41.340 --> 00:12:46.920
EDWIN: [MUSIC] We would never buy a database. We don’t do stuff like that but now it’s available

00:12:46.920 --> 00:12:52.460
for free, so we can download it and we can look at it and yeah, that’s what we did.

00:12:52.460 --> 00:12:57.900
JACK: It was the evening of October 27th, just about a week before the

00:12:57.900 --> 00:13:02.340
2016 US presidential election. Sitting around in a hotel room,

00:13:02.340 --> 00:13:06.540
The Grumpy Old Hackers started looking through the database. At first, they were just looking

00:13:06.540 --> 00:13:10.080
around for their own names to see if they were in this database and if the password

00:13:10.080 --> 00:13:14.880
was cracked or accurate or what. Then they started looking for other people they knew.

00:13:14.880 --> 00:13:20.880
EDWIN: We saw a lot of people we know in there so we tried to warn them, call them,

00:13:20.880 --> 00:13:27.180
send them messages; you know, your password is in there. Change it immediately. If you don’t,

00:13:27.180 --> 00:13:27.834
et cetera, et cetera.

00:13:27.834 --> 00:13:31.620
JACK: Okay, so the data stolen from the LinkedIn breach was usernames,

00:13:31.620 --> 00:13:35.040
e-mail addresses, and SHA-1 hashed passwords. Now,

00:13:35.040 --> 00:13:39.060
hashed passwords aren’t passwords. It’s what the password looks like after it goes through

00:13:39.060 --> 00:13:43.920
an algorithm. It takes some footwork to figure out what these passwords were. Unfortunately,

00:13:43.920 --> 00:13:48.240
LinkedIn wasn’t salting their passwords which is a way to make cracking passwords harder,

00:13:48.240 --> 00:13:54.420
so someone tried their best at cracking the 100 million credentials in this breach. Some reports

00:13:54.420 --> 00:14:00.060
say that they were able to crack 60% of the passwords. The document that Edwin downloaded

00:14:00.060 --> 00:14:05.820
from Facebook simply contained the e-mail address and the cracked clear text password. So,

00:14:05.820 --> 00:14:09.600
if they were to look in this database for their friend’s name and there was a hit, they would see

00:14:09.600 --> 00:14:18.060
that friend’s password that they were using on LinkedIn in 2012, four years earlier than this.

00:14:18.060 --> 00:14:22.980
As you might have guessed, many users weren’t picking strong passwords. Over 700,000

00:14:22.980 --> 00:14:30.900
users just had the password ‘123456’, and 170,000 people just had ‘LinkedIn’ as their LinkedIn

00:14:30.900 --> 00:14:36.540
password. Of course, the third most-popular password was just ‘password’. Those are bad

00:14:36.540 --> 00:14:41.280
passwords and these grumpy geeks were taking it upon themselves to educate everyone they knew

00:14:41.280 --> 00:14:46.680
about what they were seeing in this database dump. So, they sent out e-mails to friends and family,

00:14:46.680 --> 00:14:50.220
showing them that their password from four years ago is now visible for

00:14:50.220 --> 00:14:53.520
everyone in the world. Because if they were using that password anywhere else,

00:14:53.520 --> 00:14:57.900
it should also be changed. They expanded their search to people they just knew of.

00:14:57.900 --> 00:15:03.240
EDWIN: [MUSIC] We did it to just warn the people we know and

00:15:03.240 --> 00:15:06.180
there were a lot of people from the government, the Netherlands,

00:15:06.180 --> 00:15:11.760
in there from police and a lot of big companies were in there. We just tried to warn them.

00:15:11.760 --> 00:15:16.440
JACK: The messaging was like this; hey, look, we see your e-mail and password are in the LinkedIn

00:15:16.440 --> 00:15:20.940
database dump which is getting passed around freely now. If you have any login accounts which

00:15:20.940 --> 00:15:26.460
use this same password, it’s a good idea to change it. Victor says people were glad to hear from him.

00:15:26.460 --> 00:15:33.000
VICTOR: Most were very grateful because credential stuffing was not such a big topic in 2016 but it

00:15:33.000 --> 00:15:39.240
was going on. The problem with passwords is that even though we know that we should take

00:15:39.240 --> 00:15:45.060
good passwords and we should have good password hygiene, in 2016 no one was actually practicing.

00:15:45.060 --> 00:15:51.780
If you look at the entire database and the passwords that it contained, it’s very clear

00:15:51.780 --> 00:15:53.460
that almost no one had a good password.

00:15:53.460 --> 00:15:58.380
JACK: Victor says they dug around the database and reached out to people for hours. After that,

00:15:58.380 --> 00:16:02.026
they were wrapping up and picking a place to go eat dinner. But then…

00:16:02.026 --> 00:16:05.880
MATT: [MUSIC] Donald Trump passed on the television because it was, of course, it was

00:16:05.880 --> 00:16:10.200
election year and he just – you know what I mean? He was just on the television, so that was the

00:16:10.200 --> 00:16:17.300
cue for Mattijs, for – let’s see if he’s in there, you know? Or how many Trumps are in there anyway?

00:16:17.300 --> 00:16:22.170
JACK: Matt checked for Donald Trump in the LinkedIn database.

00:16:22.170 --> 00:16:30.980
MATT: Literally grepped the donaldtrump.com domain and I said hey, Trump is in here as well.

00:16:30.980 --> 00:16:35.700
JACK: Okay, so they grepped or searched this text file for anything that matched

00:16:35.700 --> 00:16:41.760
trump.com and there were a lot of hits. The first name on the list was an employee

00:16:41.760 --> 00:16:47.100
at marina.trump.com. This was a casino that Donald Trump owns in New Jersey,

00:16:47.100 --> 00:16:54.780
but it racked up more debts than profits and Trump sold it in 2011 for a significant loss. The next

00:16:54.780 --> 00:17:00.960
hit was for a person with a plaza.trump.com e-mail address. The Trump Plaza was another

00:17:00.960 --> 00:17:06.120
casino in New Jersey that totally closed down due to losses, leaving 1,300 employees out of

00:17:06.120 --> 00:17:11.880
work. Then there were a lot of hits in the database for taj.trump.com. Once again,

00:17:11.880 --> 00:17:17.760
this was for employees who worked at Trump’s Taj Mahal, another casino in New Jersey.

00:17:17.760 --> 00:17:22.260
What’s interesting about that casino is that it was found guilty of money laundering and fined

00:17:22.260 --> 00:17:25.920
by the government, and that was the highest fine ever levied by the US government

00:17:25.920 --> 00:17:31.920
against a casino. Yeah, that casino was also shut down. But the Hard Rock Cafe

00:17:31.920 --> 00:17:36.360
bought it and remodeled it and reopened it. So, there were a lot of names in

00:17:36.360 --> 00:17:41.880
this database who worked at defunct Trump casinos. But as they kept scrolling through,

00:17:41.880 --> 00:17:50.160
they found the Donald. In the LinkedIn database, standing there in the crowd was an e-mail address,

00:17:50.160 --> 00:17:57.840
donaldtrump@trump.com. This was Donald’s e-mail address. They immediately looked at his password.

00:17:57.840 --> 00:17:59.880
MATT: The password was already cracked,

00:17:59.880 --> 00:18:06.420
that one. But yeah, it was so obvious so we thought yeah, this cannot be true.

00:18:06.420 --> 00:18:12.660
JACK: Trump’s password was so blatantly simple. It left them kind of giddy in disbelief.

00:18:12.660 --> 00:18:15.180
EDWIN: Then I probably said what’s his password?

00:18:15.180 --> 00:18:19.800
MATT: You’re never gonna – you’re never gonna guess. It’s ‘yourefired’.

00:18:19.800 --> 00:18:21.320
EDWIN: What?

00:18:21.320 --> 00:18:29.340
JACK: Trump’s LinkedIn password in 2012 was ‘yourefired’, all lowercase, no spaces, no special

00:18:29.340 --> 00:18:35.340
characters. ‘You’re fired’ was the catchphrase he used on his reality TV show The Apprentice.

00:18:35.340 --> 00:18:40.260
TRUMP: Jennifer, this is really easy. You’re fired. Chris, you’re fired. Maria,

00:18:40.260 --> 00:18:43.560
you’re fired. You’re fired. You’re fired. You’re fired.

00:18:43.560 --> 00:18:49.680
JACK: It became a very popular thing for him to say on the show, so it was shocking to these

00:18:49.680 --> 00:18:55.320
Grumpy hackers to see such an obvious and basic password that he was using to get into LinkedIn

00:18:55.320 --> 00:19:00.720
in 2012. Now, at first I questioned whether Donald Trump even had a LinkedIn account in

00:19:00.720 --> 00:19:04.920
2012 because I just can’t even imagine a billionaire caring about having an account

00:19:04.920 --> 00:19:09.840
on LinkedIn. I just went there and typed in a bunch of billionaire names and most don’t have

00:19:09.840 --> 00:19:15.600
accounts there. People go on LinkedIn to network and to look for jobs. Donald Trump doesn’t need

00:19:15.600 --> 00:19:21.420
to network or look for jobs but this account was his, and he also had a Twitter account and

00:19:21.420 --> 00:19:27.000
Facebook account at the time. Maybe he was just interested in social media and wanted accounts in

00:19:27.000 --> 00:19:32.100
top places like everyone else had. I mean, Obama had an account on LinkedIn at the same time, too.

00:19:32.100 --> 00:19:35.280
Now, his credentials could have been simple for a couple of reasons.

00:19:35.280 --> 00:19:39.360
To start, I’m guessing that Trump isn’t all that tech-savvy and he’s very busy,

00:19:39.360 --> 00:19:43.440
so he probably didn’t even set up his own LinkedIn account. He probably didn’t huddle

00:19:43.440 --> 00:19:47.760
over his computer for hours like everyone else, writing out a description of himself and his

00:19:47.760 --> 00:19:52.680
accomplishments and following all his friends, so it’s possible that whoever set this account

00:19:52.680 --> 00:19:58.380
up just wanted to give him an easy password that he’ll remember. Or maybe multiple people needed

00:19:58.380 --> 00:20:02.160
access to his account because they’re social media managers; they manage his account

00:20:02.160 --> 00:20:07.800
for him, so they just picked an easy-to-remember password. In 2012, it wasn’t easy to share long,

00:20:07.800 --> 00:20:14.040
complex passwords securely. Nonetheless, for a celebrity self-proclaimed billionaire, this was

00:20:14.040 --> 00:20:20.760
bad practice. This left the Grumps wondering just how poor Trump’s password hygiene was. He wouldn’t

00:20:20.760 --> 00:20:28.486
reuse this same password on other accounts, would he? And definitely not four years later, right?

00:20:28.486 --> 00:20:33.960
MATT: [MUSIC] We were just joking around. Would he be so stupid

00:20:33.960 --> 00:20:38.160
to use – to reuse his password for his Twitter accounts? No, that cannot be true.

00:20:38.160 --> 00:20:41.100
JACK: If it were true, it would be straightforward

00:20:41.100 --> 00:20:44.160
for the Grumps to log into Trump’s Twitter account.

00:20:44.160 --> 00:20:49.500
They, like everyone else, knew the correct username, @realDonaldTrump, and now they had

00:20:49.500 --> 00:20:53.760
a password to try. So, the group started thinking about what they could do with Trump’s password.

00:20:53.760 --> 00:20:58.500
EDWIN: I just typed it in while the other guys were still mesmerized and then they

00:20:58.500 --> 00:21:02.760
said maybe we should try it. I think Victor even said no, that’s dangerous.

00:21:02.760 --> 00:21:03.780
VICTOR: Don’t do it.

00:21:03.780 --> 00:21:06.480
EDWIN: Yeah, don’t do it. Then I said uh-oh.

00:21:06.480 --> 00:21:08.420
VICTOR: Too late.

00:21:08.420 --> 00:21:12.720
JACK: Edwin was just too curious. He went straightaway to twitter.com,

00:21:12.720 --> 00:21:17.880
typed in the username @realDonaldTrump and typed in the password ‘yourefired’.

00:21:17.880 --> 00:21:23.280
It worked to a degree. Twitter didn’t just let him in right away but it also didn’t

00:21:23.280 --> 00:21:29.280
say Incorrect Password. Instead, it asked Edwin to confirm the e-mail address for the account.

00:21:29.280 --> 00:21:35.520
VICTOR: So, we got the extra check for his e-mail address but at that time,

00:21:35.520 --> 00:21:39.120
we knew of course hey, the password is correct.

00:21:39.120 --> 00:21:43.980
JACK: It’s true; the fact that they got asked to confirm the e-mail means the password was correct.

00:21:43.980 --> 00:21:51.660
Donald Trump was still using ‘yourefired’ as his Twitter password in 2016 while he

00:21:51.660 --> 00:21:57.420
was running for president just weeks before the election. The e-mail check was an extra layer of

00:21:57.420 --> 00:22:02.700
security since the attempt came from a hotel room in Belgium, not wherever the real Donald

00:22:02.700 --> 00:22:08.460
Trump was. Twitter’s website did this extra check to make sure the login was valid but

00:22:08.460 --> 00:22:14.580
this was an incredible moment. [MUSIC] Trump’s years-old ridiculous password was still valid,

00:22:14.580 --> 00:22:18.540
but the Grumps quickly shook off their disbelief because they realized they had

00:22:18.540 --> 00:22:22.980
a new problem. Matt says Edwin hadn’t done anything to cover his tracks.

00:22:22.980 --> 00:22:27.540
MATT: If it had not been correct, we would have moved on but now we knew okay,

00:22:27.540 --> 00:22:33.720
we logged in with the correct password. What will happen? We didn’t use any VPN or anything,

00:22:33.720 --> 00:22:37.800
so it would trace back to the hotel and eventually to us.

00:22:37.800 --> 00:22:42.060
JACK: But have they done anything wrong yet? They didn’t fully log in. They just

00:22:42.060 --> 00:22:47.160
tried one password one time to see if it was valid and it worked. To them,

00:22:47.160 --> 00:22:51.300
it didn’t matter because their fingerprints were now on Trump’s Twitter account.

00:22:51.300 --> 00:22:58.800
MATT: Imagine if you log in with a known password. What would happen if someone else would do the

00:22:58.800 --> 00:23:05.340
same and would pursue and would do some nasty things? The first traces would be to us,

00:23:05.340 --> 00:23:12.840
so we would be screwed. So, we needed to have this fixed as fast as possible.

00:23:12.840 --> 00:23:18.480
JACK: Ah-ha, interesting. The stakes were suddenly raised. If something went bad with

00:23:18.480 --> 00:23:24.240
Trump’s Twitter account, they could wind up being blamed. Looking at the logs in Twitter,

00:23:24.240 --> 00:23:28.440
they would see that Edwin successfully logged into his account and this

00:23:28.440 --> 00:23:32.730
could come back to bite him, which could lead to legal repercussions.

00:23:32.730 --> 00:23:34.680
EDWIN: We were in panic, of course,

00:23:34.680 --> 00:23:39.360
and then we discussed okay, we should go on because otherwise we might be in trouble.

00:23:39.360 --> 00:23:45.000
JACK: Going on meant logging into Trump’s Twitter account all the way but sticking with

00:23:45.000 --> 00:23:49.500
the Grumps’ own ethical standards by submitting a responsible disclosure to Trump. Essentially,

00:23:49.500 --> 00:23:54.480
they’d be doing Trump a favor by showing how easy it is to access his account. So,

00:23:54.480 --> 00:24:00.060
stay with us because after the break, they go all in. The Grumpy Old Hackers were determined

00:24:00.060 --> 00:24:04.020
to hack into Trump’s Twitter account. Victor, who’s found thousands of vulnerabilities,

00:24:04.020 --> 00:24:08.384
says responsible disclosure is only good if the hack actually works.

00:24:08.384 --> 00:24:13.680
VICTOR: [MUSIC] When you engage with a target or any investigation and you start your engagement,

00:24:13.680 --> 00:24:20.040
after that, if you don’t use VPN or any other protective measures to hide your identity,

00:24:20.040 --> 00:24:24.120
then you have to go through. The problem is, you cannot contact Donald Trump to say hey,

00:24:24.120 --> 00:24:29.520
we found your password in this database. By the way, this is your password; we tried it but it

00:24:29.520 --> 00:24:33.780
didn’t work. Responsible disclosure doesn’t work like that. You cannot warn someone,

00:24:33.780 --> 00:24:38.520
say hey, we found your password; this is it but it didn’t work and we couldn’t log in.

00:24:38.520 --> 00:24:41.100
So then, you have to continue. You have to finish the job.

00:24:41.100 --> 00:24:44.760
JACK: So now their dinner plans were canceled. They were on a mission to find the e-mail address

00:24:44.760 --> 00:24:50.340
connected to Trump’s Twitter account and hack into his account. The e-mail tied to his LinkedIn

00:24:50.340 --> 00:24:59.580
account was donaldtrump@trump.com, so they tried that but it didn’t work. Hm, so what

00:24:59.580 --> 00:25:04.740
else could it be? [00:25:00] They started doing some OSINT, open-source intelligence-gathering to

00:25:04.740 --> 00:25:10.020
try to figure out what other e-mail addresses he uses. They were able to find a few other e-mail

00:25:10.020 --> 00:25:14.940
addresses. They didn’t want to try to brute force this, like just trying one e-mail address after

00:25:14.940 --> 00:25:18.690
another until they got in because that would be sloppy and possibly trigger some alerts.

00:25:18.690 --> 00:25:24.240
VICTOR: If you start attacking Twitter, then you come to a very grey area. That would be a bridge

00:25:24.240 --> 00:25:31.860
too far for us. We acted on OSINT. We acted on publicly available information and the only thing

00:25:31.860 --> 00:25:38.506
that we had to do was to bypass the last hurdle to make the report valuable for Donald Trump.

00:25:38.506 --> 00:25:42.240
JACK: [MUSIC] So they took their eyes off Twitter for a moment and started poking at

00:25:42.240 --> 00:25:49.020
the trump.com domain. They also found another domain; donaldjtrump.com. They

00:25:49.020 --> 00:25:53.520
wanted to figure out all the valid e-mail addresses that existed with these domains.

00:25:53.520 --> 00:25:59.280
VICTOR: We had to enumerate it to find which new e-mail address he was using.

00:25:59.280 --> 00:26:02.790
So, we used SMTP enumeration on his domains, over the e-mail domains.

00:26:02.790 --> 00:26:09.000
JACK: So, that’s what SMTP enumeration is. SMTP is the e-mail protocol and enumeration just means

00:26:09.000 --> 00:26:13.680
you’re trying to count how many there are and step through all of them one by one. This is a

00:26:13.680 --> 00:26:18.000
fancy way of saying they wanted to find all the valid e-mail addresses associated with

00:26:18.000 --> 00:26:25.380
Trump’s domains. Now, SMTP or e-mail works over port 25, so one way to do this is to connect to

00:26:25.380 --> 00:26:33.360
donaldjtrump.com on port 25 and you can verify if an e-mail is valid by using the VRFY command,

00:26:33.360 --> 00:26:40.860
which is verify, to connect and then say verify jack@donaldjtrump.com. If that’s a valid e-mail,

00:26:40.860 --> 00:26:45.900
it’ll say yep, that’s valid, or no, that e-mail address doesn’t exist here. One

00:26:45.900 --> 00:26:49.860
way they can enumerate this is just to pick a whole bunch of random names or words and then

00:26:49.860 --> 00:26:54.300
type them in over and over and over until they have a nice list of e-mail addresses.

00:26:54.300 --> 00:26:58.500
[MUSIC] But there’s a tool that can speed things along. It’s called Metasploit

00:26:58.500 --> 00:27:02.340
and Metasploit can do a lot of things. It’s a hacking framework but one thing

00:27:02.340 --> 00:27:07.620
it can do is SMTP enumeration which does the exact same thing as I just explained but it

00:27:07.620 --> 00:27:13.620
uses a big word list to try thousands of names and words to try to find all the valid e-mail

00:27:13.620 --> 00:27:19.380
addresses on that domain. It’ll try Adam, Bob, Chris, David, and so on and when it’s done,

00:27:19.380 --> 00:27:23.760
it’ll just tell you what e-mail addresses are valid. So, they begin the process,

00:27:23.760 --> 00:27:30.180
asking the donaldjtrump.com mail server what are the valid e-mail addresses, one by one.

00:27:30.180 --> 00:27:34.920
MATT: The biggest rate limiter was actually the hotel’s WiFi, the internet connection,

00:27:34.920 --> 00:27:41.040
because like every five, six minutes I get kicked out and you had to reconnect.

00:27:41.040 --> 00:27:46.200
Sometimes the reconnection didn’t work, so imagine that you want to do enumeration or

00:27:46.200 --> 00:27:51.600
you want to do some tests online to see if those e-mail addresses work and you have a

00:27:51.600 --> 00:27:55.740
very bad internet connection. I think that was for us the limiting factor.

00:27:55.740 --> 00:28:00.300
JACK: Man, that’s frustrating. They’re trying to help save the president’s Twitter account here

00:28:00.300 --> 00:28:05.460
but they have crappy WiFi and it’s slowing them down. My guess is that since it was at a hacking

00:28:05.460 --> 00:28:10.440
conference that the hackers in another hotel room were just attacking the hotel WiFi. But

00:28:10.440 --> 00:28:14.700
after a few hours of enumerating the mail server, they looked at a list of passwords

00:28:14.700 --> 00:28:23.400
and one jumped off the page at them. It was twitter@donaldjtrump.com. This looked like it

00:28:23.400 --> 00:28:28.200
had the potential of being the e-mail address tied to real Donald Trump’s Twitter account.

00:28:28.200 --> 00:28:31.920
VICTOR: It took a little bit of time. You go through the procedures that we already know.

00:28:31.920 --> 00:28:37.920
We know how to enumerate e-mails. We know how to validate them online, so that part of the

00:28:37.920 --> 00:28:43.740
process was okay. The big unknown was how is Twitter security working because once again,

00:28:43.740 --> 00:28:49.560
this is not my – not the normal work that I do. I hunt for open database. I’m not

00:28:49.560 --> 00:28:56.460
into breaking into security systems, so for – yeah, it took us some time to figure out okay,

00:28:56.460 --> 00:29:03.840
why he got the challenge on the mobile phone when – as we tried to log in, what it was doing there.

00:29:03.840 --> 00:29:09.120
JACK: [MUSIC] Yeah, that was Twitter’s security policy for logins. If Donald Trump had an active

00:29:09.120 --> 00:29:14.760
login in New York and then another one came in from Belgium, would Twitter care and flag this

00:29:14.760 --> 00:29:19.980
as bad? Also, what kind of phone was Trump logged into Twitter with? Did Twitter know

00:29:19.980 --> 00:29:25.920
that too and consider it at all when a new person logged in as Donald Trump? If these

00:29:25.920 --> 00:29:31.260
things are taken into account, how hard is it to impersonate the same phone as Trump and look like

00:29:31.260 --> 00:29:36.120
you’re coming from the same geographical region as Trump? This was now part of the challenge.

00:29:36.120 --> 00:29:39.300
VICTOR: You had to start messing with your user agent because you know that

00:29:39.300 --> 00:29:42.780
he’s using a very old Android phone, insecure Android phone.

00:29:42.780 --> 00:29:50.100
JACK: In 2017, Trump switched to using an iPhone but Android Central deduced that in 2016, Trump was

00:29:50.100 --> 00:29:57.600
using the Samsung Galaxy S3. That phone originally came out in 2012 and got its last software update

00:29:57.600 --> 00:30:03.180
in 2015, so yeah, in addition [00:30:00] to Trump’s poor passwords, his phone was also a

00:30:03.180 --> 00:30:08.220
security risk. But the Grumps weren’t interested in hacking his phone. They just needed to mimic

00:30:08.220 --> 00:30:14.460
it, so they switched their user agent to look like Trump’s Samsung S3. Then there was one more step.

00:30:14.460 --> 00:30:20.640
MATT: We have to find out how this geofencing part of Twitter works, you know? How does it

00:30:20.640 --> 00:30:27.240
know that – which is the real user based on geolocation and maybe device or something else?

00:30:27.240 --> 00:30:31.080
JACK: The Grumps needed to look like they were somewhere where Trump would normally

00:30:31.080 --> 00:30:35.760
sign in from. So, they used an open HTTP proxy in New York to

00:30:35.760 --> 00:30:39.120
route their traffic through that to log into Twitter. These hurdles had

00:30:39.120 --> 00:30:42.480
taken some time but they felt like they had everything figured out now.

00:30:42.480 --> 00:30:48.180
MATT: All those stats, that took a good one hour – two hours I think approximately, to get there.

00:30:48.180 --> 00:30:52.680
EDWIN: I remember I was bored at some point already, so it took some time.

00:30:52.680 --> 00:30:54.780
JACK: You took a nap for a while.

00:30:54.780 --> 00:30:58.860
EDWIN: Yeah. I’m the lazy one of the three so I find something,

00:30:58.860 --> 00:31:01.124
I make a mess, and then they start fixing it.

00:31:01.124 --> 00:31:03.120
VICTOR: [MUSIC] Well, everyone was all right, okay.

00:31:03.120 --> 00:31:08.520
JACK: At this point they just ordered dinner up to the room and they’ve been hacking through the

00:31:08.520 --> 00:31:13.440
wee hours of the morning, but now they were ready. They had tweaked the user agent to

00:31:13.440 --> 00:31:18.420
mimic a Samsung Galaxy S3. Their traffic was now coming through New York and they had a username,

00:31:18.420 --> 00:31:24.840
@realDonaldTrump, the password ‘yourefired’, and the e-mail address twitter@donaldjtrump.com.

00:31:24.840 --> 00:31:29.940
They typed it all in, hit Enter, and they were in. I want to know

00:31:29.940 --> 00:31:34.260
that feeling of hitting Enter and it says ‘Welcome to your account.’

00:31:34.260 --> 00:31:36.900
VICTOR: I can describe the feeling – is always the

00:31:36.900 --> 00:31:40.080
same. We are doing this work for more than twenty years.

00:31:40.080 --> 00:31:48.480
Getting access to a system even today gives the same woo, nice, it worked. You solved a problem.

00:31:48.480 --> 00:31:49.620
EDWIN: Wow, we’re in.

00:31:49.620 --> 00:31:50.940
VICTOR: Yeah, wow, we’re in. Yeah.

00:31:50.940 --> 00:31:52.350
EDWIN: You solved the puzzle.

00:31:52.350 --> 00:31:53.580
VICTOR: We solved the puzzle.

00:31:53.580 --> 00:31:59.280
JACK: They had full access to real Donald Trump’s Twitter account. If they wanted,

00:31:59.280 --> 00:32:04.980
they could post as him or read his direct messages. They could even change his password

00:32:04.980 --> 00:32:09.660
and e-mail if they wanted. Surely if that happened, Twitter would recover it but this

00:32:09.660 --> 00:32:15.660
is the level of access they now had. They owned Trump’s Twitter account. They cleared the biggest

00:32:15.660 --> 00:32:21.360
obstacle and hindsight being 20/20, it didn’t seem that hard to pull off. The Grumps had a

00:32:21.360 --> 00:32:25.740
mishap and in a matter of hours figured out Trump’s credentials and tricked Twitter. Now

00:32:25.740 --> 00:32:30.720
that the hack was complete, they could file a comprehensive, coordinated disclosure with

00:32:30.720 --> 00:32:34.860
Trump. That would theoretically protect them from legal trouble. Here’s Victor.

00:32:34.860 --> 00:32:40.800
VICTOR: Now comes the responsible task of documenting everything, [MUSIC] writing

00:32:40.800 --> 00:32:46.500
the responsible disclosure e-mail, explaining to someone with hardly any experience with computers

00:32:46.500 --> 00:32:52.980
or security, explaining what the issue is, what he can do about it, what has to be checked, what

00:32:52.980 --> 00:32:58.800
has to be changed. You cannot say hey, we – this is your password, everyone can log in; goodbye,

00:32:58.800 --> 00:33:04.560
because that’s not very helpful. You need to – if you write a report you have to explain what the

00:33:04.560 --> 00:33:10.620
issue is, how it can be prevented, and some extra tips for making sure it doesn’t – happens again.

00:33:10.620 --> 00:33:15.000
JACK: There were some clear things Trump could do better. He could use a longer,

00:33:15.000 --> 00:33:19.920
more complex password with special characters and of course turn two-factor authentication on.

00:33:19.920 --> 00:33:22.860
VICTOR: The things that we described, they’re technically not so difficult

00:33:22.860 --> 00:33:27.300
and you can imagine that in those times, state-sponsored actors were of course

00:33:27.300 --> 00:33:32.220
already busy trying to get access to god knows what systems. So, actually,

00:33:32.220 --> 00:33:38.460
there’s – I think we were just in time finding this because it could have been anyone else in

00:33:38.460 --> 00:33:43.860
that time period who will find the same way in and do something not so pleasant with that account.

00:33:43.860 --> 00:33:48.180
JACK: The Grumps could have been those bad actors but that was never their intent.

00:33:48.180 --> 00:33:52.560
They didn’t look at any private messages. They didn’t post any tweets. In the end,

00:33:52.560 --> 00:33:58.440
they only took screenshots to prove they got in. Going further, Victor says that’s a no-go area.

00:33:58.440 --> 00:34:02.340
VICTOR: That’s what we teach the young hackers. You know, please – if you do things like this,

00:34:02.340 --> 00:34:06.660
logging into an account from someone without their permission is already

00:34:06.660 --> 00:34:10.920
a very grey area. There must be a very, very good reason to do that,

00:34:10.920 --> 00:34:16.680
to go – to cross that border. For us there was a good reason because, well, his Twitter account is

00:34:16.680 --> 00:34:22.860
at risk. The risk that someone else would do it is very much likely there, so to make the

00:34:22.860 --> 00:34:28.726
report strong enough, available enough for Trump to do something with it, we had to go that far.

00:34:28.726 --> 00:34:33.240
JACK: [MUSIC] Victor says going this far to get into someone’s account was something

00:34:33.240 --> 00:34:38.160
they’d normally advise against. Trying to log into Trump’s Twitter account was an unusual situation

00:34:38.160 --> 00:34:43.560
even by the Grumpy standards. The payout though was that they discovered the person running for

00:34:43.560 --> 00:34:50.160
the US presidency had a vulnerable Twitter account and they were going to help make it more secure.

00:34:50.160 --> 00:34:54.240
The Grumps put their findings and suggestions into an e-mail and sent it over to Trump.

00:34:54.240 --> 00:34:58.800
In the e-mail, they explained step-by-step how they got access to the Twitter account

00:34:58.800 --> 00:35:02.520
with screenshots of everything. [00:35:00] They even suggested a more secure password

00:35:02.520 --> 00:35:10.680
which was ‘!IwillmakeAmericagreatagainin2016!’ They CC’d the Department of Homeland Security

00:35:10.680 --> 00:35:16.080
and the US Computer Emergency Readiness Team or CERT in case Trump ignored them.

00:35:16.080 --> 00:35:22.320
On all these e-mails, they signed it as The Guild of the Grumpy Old Hackers, with all three of their

00:35:22.320 --> 00:35:27.000
full names. They were eager to hear something back but it’s stressful when you send an e-mail

00:35:27.000 --> 00:35:31.560
like this, essentially saying that you hacked into someone’s stuff, because you don’t know

00:35:31.560 --> 00:35:36.180
what the reaction will be from it. You’re hoping that you get an e-mail back immediately thanking

00:35:36.180 --> 00:35:40.680
you for pointing out this glaring problem and that we’ll address it right away, but whatever

00:35:40.680 --> 00:35:47.280
hope they had for immediate gratification didn’t pan out. No one was getting back to them. Edwin

00:35:47.280 --> 00:35:51.540
says they forwarded the report to the other Trump e-mail address that they found earlier.

00:35:51.540 --> 00:35:57.240
EDWIN: A couple of hours later when we had no response, we sent them to campaign@donaldtrump

00:35:57.240 --> 00:36:01.980
and some other e-mails we found and that’s good for us because in the end it turned

00:36:01.980 --> 00:36:07.080
out evidence was of course hard, and we got a bounce-back from one of the e-mail addresses.

00:36:07.080 --> 00:36:09.720
VICTOR: That was good for us because you need to – you know,

00:36:09.720 --> 00:36:12.840
you can say that you’re sending an e-mail but if you have a bounce at least back from

00:36:12.840 --> 00:36:15.720
one of those e-mail addresses, that – so it was nice to have.

00:36:15.720 --> 00:36:21.540
JACK: [MUSIC] They felt like this bounced e-mail was their one shred of proof that they tried to

00:36:21.540 --> 00:36:25.440
do the right thing but even still, they’re concerned that CERT didn’t write back yet.

00:36:25.440 --> 00:36:30.420
They dealt with them before and knew the routine. Matt says things were different this time around.

00:36:30.420 --> 00:36:34.380
MATT: Normally you get a ticket number but this time we got no

00:36:34.380 --> 00:36:37.620
response at all. That’s where we started sweating.

00:36:37.620 --> 00:36:44.160
EDWIN: That’s when we got a bit scared. Like, why don’t we get responses? Is it because US

00:36:44.160 --> 00:36:51.000
CERT says okay, he’s not the president yet; he’s an individual, we don’t do anything about it? Or

00:36:51.000 --> 00:36:57.420
is it because we already know that this is his password for three years and we’re actively using it,

00:36:57.420 --> 00:37:02.820
so shit, why did these guys find it, you know? All things go to your head. You don’t know.

00:37:02.820 --> 00:37:08.160
JACK: Jokes aside, the next day there was still no answer from anyone and their minds were racing.

00:37:08.160 --> 00:37:12.960
They were almost freaking out. It didn’t help that they thought Trump was a vindictive person.

00:37:12.960 --> 00:37:19.440
EDWIN: We were getting more and more anxious because we didn’t know

00:37:19.440 --> 00:37:22.440
– we know he’s vengeful so we were a bit scared.

00:37:22.440 --> 00:37:25.920
JACK: Victor points out the situation was the result of an unfortunate

00:37:25.920 --> 00:37:29.760
coincidence. They hadn’t planned to hack Trump; it just sort of happened.

00:37:29.760 --> 00:37:34.200
MATT: The past would have been no different. If, for example, if Mark Zuckerberg will be

00:37:34.200 --> 00:37:38.520
on the television at that moment, we should have looked for Zuckerberg. We could have missed this

00:37:38.520 --> 00:37:44.220
completely. It was just random – it had to be like that. Also had to be him. I don’t know why.

00:37:44.220 --> 00:37:49.200
JACK: As Edwin puts it, if Trump was better with his passwords, they wouldn’t be in this mess.

00:37:49.200 --> 00:37:54.600
EDWIN: It’s so stupid because I think he was already hacked on Twitter in 2013. Well,

00:37:54.600 --> 00:38:01.680
probably. He had the same password, so he must have changed it then. Why is it now, again in

00:38:01.680 --> 00:38:07.320
2016, the same password? Is it coincidence? Did he just do that because he was campaigning and

00:38:07.320 --> 00:38:14.580
somebody else needed to go into his Twitter account or is he so, well, lazy that the new

00:38:14.580 --> 00:38:19.020
password he had was too difficult so he put it back to his old one? You know, you never know.

00:38:19.020 --> 00:38:23.266
The fact of the matter is, that was the password, so yeah, we were in trouble.

00:38:23.266 --> 00:38:27.780
JACK: [MUSIC] The next day, impatient from the lack of response from people in the US,

00:38:27.780 --> 00:38:30.960
they reached out to the Dutch National Cyber Security Center.

00:38:30.960 --> 00:38:36.780
They worked with the NCSC in the past and knew they had contacts with US agencies.

00:38:36.780 --> 00:38:42.960
EDWIN: From them, we got a response and they said that they would take it up. From there on,

00:38:42.960 --> 00:38:47.100
we had active conversation with them and they sent us e-mails I think every five,

00:38:47.100 --> 00:38:51.720
six hours or something. Yeah, we sent it, we’re trying to reach people in the US,

00:38:51.720 --> 00:38:56.663
we’re trying to reach our liaisons at Homeland, et cetera, et cetera.

00:38:56.663 --> 00:38:59.700
JACK: Finally, about a week after they hacked Trump,

00:38:59.700 --> 00:39:01.740
they got a response that they were waiting for.

00:39:01.740 --> 00:39:06.960
EDWIN: We finally got an e-mail back from the Dutch government saying it’s been addressed.

00:39:06.960 --> 00:39:12.060
We don’t know how but we got word from our US counterparts that it’s addressed, so for

00:39:12.060 --> 00:39:17.100
us it’s case closed. Then it was case closed for us as well. That’s the last thing we hear.

00:39:17.100 --> 00:39:24.420
JACK: So, Victor sent his responsible disclosure e-mails on October 28th, 2016. It was November

00:39:24.420 --> 00:39:30.060
2nd when the US CERT confirmed that they were taking action on this. The election was to be

00:39:30.060 --> 00:39:35.580
held on November 9th, less than a week away. On November 6th, the New York Times reported that

00:39:35.580 --> 00:39:42.540
Trump’s campaign aides revoked Trump’s Twitter access. [MUSIC] They didn’t say why or how,

00:39:42.540 --> 00:39:48.360
only that Trump no longer could use Twitter. My theory was that it was because of this hack.

00:39:48.360 --> 00:39:52.440
EDWIN: For us, the big reward was when we saw Obama about a

00:39:52.440 --> 00:39:57.540
week later talking about the fact that Trump’s Twitter was taken away from him.

00:39:57.540 --> 00:40:00.660
Then we were immediately thinking that it was us. We [00:40:00] don’t know.

00:40:00.660 --> 00:40:05.160
JACK: This did actually happen at a rally in Florida. Obama was

00:40:05.160 --> 00:40:10.200
campaigning for Hillary on November 6th and saw this news, and had this to say.

00:40:10.200 --> 00:40:17.460
OBAMA: Now, you may have heard that – this was just announced. I just read it so I can’t confirm

00:40:17.460 --> 00:40:27.240
it’s true but apparently his campaign has taken away his Twitter, and that in the last two days,

00:40:27.240 --> 00:40:36.000
they had so little confidence in his self-control they said we’re just gonna take away your Twitter.

00:40:36.000 --> 00:40:45.020
Now, if somebody can’t handle a Twitter account, they can’t handle the nuclear codes.

00:40:45.020 --> 00:40:48.180
JACK: It sounds like it was from you guys.

00:40:48.180 --> 00:40:53.820
EDWIN: Probably, but we don’t know for sure. There are of course a lot of people who don’t

00:40:53.820 --> 00:41:00.480
believe this story, you know? For us to see Obama laughing about it on TV and telling him

00:41:00.480 --> 00:41:06.540
that if you can’t handle Twitter, you can’t handle nuclear codes, yeah, for us that was a bit of an

00:41:06.540 --> 00:41:07.860
appreciation moment.

00:41:07.860 --> 00:41:15.360
JACK: They never did hear anything from Trump or the US CERT directly from this event. They

00:41:15.360 --> 00:41:20.400
didn’t hear anything from Twitter, either. Victor had some suggestions for Twitter about

00:41:20.400 --> 00:41:24.960
this. He tweeted that verified Twitter accounts should have better security.

00:41:24.960 --> 00:41:27.780
MATT: We start asking also to Twitter; Twitter, please,

00:41:27.780 --> 00:41:33.720
for verified accounts or for US officials that are running an election, those Twitter accounts

00:41:33.720 --> 00:41:38.520
need to be protected standard with two-factor authentication, you know, and other things.

00:41:38.520 --> 00:41:41.040
JACK: Other things like password reset protection.

00:41:41.040 --> 00:41:44.280
Edwin agrees that influential accounts need good security.

00:41:44.280 --> 00:41:47.940
EDWIN: People with a blue checkmark behind their box are people that

00:41:47.940 --> 00:41:50.820
a lot of people listen to or look up to, [MUSIC] so if their account

00:41:50.820 --> 00:41:55.080
got hacked and it’s being used for misinformation or whatever,

00:41:55.080 --> 00:42:02.220
it shouldn’t be possible. You must enforce some stricter security on those accounts if you can.

00:42:02.220 --> 00:42:06.000
JACK: That’s what it’s all about for the Grumps, securing the internet to block

00:42:06.000 --> 00:42:11.100
digital abuse. They’ll never really know if Twitter specifically responded to the

00:42:11.100 --> 00:42:17.340
Trump hack or took heed to Victor’s tweets. It’s just been a one-way conversation so far.

00:42:17.340 --> 00:42:19.920
VICTOR: It’s always old men shouting at the clouds.

00:42:19.920 --> 00:42:21.120
EDWIN: Grumpy old men.

00:42:21.120 --> 00:42:25.860
VICTOR: Yeah, grumpy old people shouting at the cloud. Sometimes it works. There’s

00:42:25.860 --> 00:42:30.000
one thing you need to understand; if you do respond to disclosures on this kind of level,

00:42:30.000 --> 00:42:34.860
it is very common that they will use your signal or they will see your notification

00:42:34.860 --> 00:42:37.620
and they will do something about it and they will not mention you.

00:42:37.620 --> 00:42:43.080
JACK: Leading up to the 2020 US election, Twitter said in a September blog post that

00:42:43.080 --> 00:42:48.240
they were now forcing election-related accounts with weak passwords to switch to stronger ones.

00:42:48.240 --> 00:42:53.520
This meant at least ten characters and a mix of letters and symbols. Twitter also made password

00:42:53.520 --> 00:42:58.140
reset protection a default setting. This meant that a password reset would require

00:42:58.140 --> 00:43:03.180
someone to confirm the account’s e-mail or phone number. They encouraged but didn’t

00:43:03.180 --> 00:43:08.280
actually require two-factor authentication leading up to the 2020 presidential election.

00:43:08.280 --> 00:43:12.360
VICTOR: I think it’s a good thing that Twitter made their – put their security

00:43:12.360 --> 00:43:16.380
levels a little bit higher, protecting the people that are now running for the elections.

00:43:16.380 --> 00:43:20.820
It’s a good thing. It sometimes takes a little bit of time for organizations to

00:43:20.820 --> 00:43:27.780
adapt or to make it better and more secure for the users, but overall it will happen.

00:43:27.780 --> 00:43:33.300
JACK: [MUSIC] Whether you’re the average user or the president of the United States,

00:43:33.300 --> 00:43:36.900
you don’t have to wait for Twitter or anyone else to do something more. You

00:43:36.900 --> 00:43:42.120
can turn on two-factor authentication and use a strong password now. The Grumps’

00:43:42.120 --> 00:43:46.560
hack of Trump started out by accident but the relative ease at which they pulled it

00:43:46.560 --> 00:43:53.520
off is amazing and alarming. Someone with worse intentions could have replicated their methods

00:43:53.520 --> 00:43:58.740
but fortunately the Grumps got there first. In the end, they helped secure a presidential

00:43:58.740 --> 00:44:03.960
candidate’s vulnerable account days before an election. To the Grumps, that was worth it.

00:44:03.960 --> 00:44:08.220
EDWIN: People don’t believe that we did it, don’t believe that Trump’s

00:44:08.220 --> 00:44:13.800
password was ‘yourefired’. Well, we’ve got the evidence. We’ve got, you know,

00:44:13.800 --> 00:44:18.840
we showed it and we were in his Twitter account a couple of days before the election.

00:44:18.840 --> 00:44:25.500
VICTOR: I think he knows. If you read the e-mail, it’s very clear. It’s going to be helpful just to

00:44:25.500 --> 00:44:29.760
prevent other people to do something bad with it. I think we did the right thing.

00:44:29.760 --> 00:44:34.620
JACK: Did they do the right thing, though? Was this really ethical? Trump did not give them

00:44:34.620 --> 00:44:40.680
permission so that did cross a line, but then their intentions mattered and their intentions

00:44:40.680 --> 00:44:46.020
were to contact the proper authorities to resolve this privately and as quickly as possible. They

00:44:46.020 --> 00:44:50.280
clearly stood out in the open and took credit for this. [MUSIC] They didn’t try to hide from

00:44:50.280 --> 00:44:55.620
anything or anyone. I guess part of the reason they never got in any trouble was because they

00:44:55.620 --> 00:45:00.000
were transparent and reported everything they had done in their disclosure. I’ve

00:45:00.000 --> 00:45:05.340
met [00:45:00] Edwin in person in Las Vegas in 2019. All these guys had their real names

00:45:05.340 --> 00:45:10.020
and contact information all over the reports they submitted. Because they’ve been in the

00:45:10.020 --> 00:45:14.880
US since then, it would have been easy for them to be arrested if they were actually criminals.

00:45:14.880 --> 00:45:20.820
But nobody did arrest them which tells me they did do the right thing.

00:45:20.820 --> 00:45:25.500
I want to turn around and take one last look at what happened here. LinkedIn was breached

00:45:25.500 --> 00:45:32.280
in 2012. The database dump was posted publicly for anyone in 2016. That’s where Trump’s password

00:45:32.280 --> 00:45:38.040
was but the first time Trump’s Twitter was hacked was in 2013, a year after the

00:45:38.040 --> 00:45:42.840
LinkedIn breach. I just wonder if someone saw his password in that breach and that’s how they

00:45:42.840 --> 00:45:49.260
logged into Twitter then. If so, why didn’t he change his password in 2013? But either way,

00:45:49.260 --> 00:45:54.780
this is just the story of one person who was hacked due to the LinkedIn database dump.

00:45:54.780 --> 00:45:59.700
I know for certain there were other people who were victims too. I mean, there were millions of

00:45:59.700 --> 00:46:04.380
people in that database dump and most of their stories probably didn’t have happy endings.

00:46:04.380 --> 00:46:09.960
Like, how many people also had PayPal logins with the same e-mail address and password? It’s nice

00:46:09.960 --> 00:46:15.660
that The Guild of the Grumpy Old Hackers were willing to help. But Victor here; Victor really

00:46:15.660 --> 00:46:22.800
sparks my curiosity because his Twitter bio says he’s done 5,789 responsible disclosures,

00:46:22.800 --> 00:46:27.060
or as they’re calling them now, coordinated vulnerability disclosures. Specifically,

00:46:27.060 --> 00:46:34.320
disclosure number 5,780 is a doozy, so crazy that it started an international investigation

00:46:34.320 --> 00:46:40.020
where Victor was the person of interest. You’ve gotta hear that story but we’re out of time,

00:46:40.020 --> 00:46:45.360
so this is where we’ll pick up in the next episode. See you in two weeks.

00:46:45.360 --> 00:46:55.620
(OUTRO): [OUTRO MUSIC] A big thank-you to Edwin, Matt, and Victor for sharing your adventures with

00:46:55.620 --> 00:46:59.700
us. You can find links to all these people in the show notes or at darknetdiaries.com.

00:46:59.700 --> 00:47:05.100
I bring this show to you every two weeks. Do you like it and want to hear more episodes? A great

00:47:05.100 --> 00:47:09.480
way to show your support is to help fund the show through Patreon. As a thank-you, when you become

00:47:09.480 --> 00:47:16.680
a member you get access to an ad-free feed and bonus episodes. Visit patreon.com/darknetdiaries

00:47:16.680 --> 00:47:22.200
to donate. Thank you. This show is made by me, the pie guy, Jack Rhysider. This episode

00:47:22.200 --> 00:47:26.700
was produced by the cloud-watcher Charles Bolte. Editing help this episode by Thing 3,

00:47:26.700 --> 00:47:31.560
Damienne. Original music and sound design by the cyber-monster Garrett Tiedemann and our theme

00:47:31.560 --> 00:47:37.260
music is by the half-full Breakmaster Cylinder. Even though if you put a million monkeys in

00:47:37.260 --> 00:47:43.920
front of a million keyboards, one will eventually write a Python program, this is Darknet Diaries.
