Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland, and today joining me virtually in the studio is a dear friend of mine and awesome YouTuber and amazing podcaster, someone I genuinely admire and who gives amazing hugs. Shannon Morris. Thank you for coming back to the show. Hi. How are you, Jonathan? I'm doing great. How are you? I'm awesome. Yeah,
thank you so much for having me on. This is a great show and I love listening to it, so I'm super happy to be on. Yeah. Excellent. Now this is, of course the second time we've had you on, so I will work very hard to to increase that number. I want to at least get us up to double digits. But I got Shannon on the show specifically to talk about an area that she talks about a lot, the realm of hacking, and specifically I wanted to do kind of an episode about how do hacker? How do you
make money? How do you make a career out of hacking? And uh, and really to frame this conversation, I think one of the most important things to do is to sort of define your terms and as it turns out, the term hacker is actually a very broad term that can apply to a lot of different things, and not all of them are that nefarious, evil infiltrated system and steal all the corporate secrets kind of approach to hacking
that Hollywood often presents. Right, right, exactly. I actually asked this question to a lot of people, especially when I first meet them. Since I'm so closely affiliated with a lot of the infosec community, I want to surround myself with positive people. So you'll notice with the hacker definition, you can either get a very negative vibe from somebody
or a very positive vibe. Oftentimes, with the negative vibe, you'll get somebody who says, oh, that's the person who stole my credit card data when I went to a restaurant the other day. But on the positive side, you'll get somebody that says, oh, they're the kind of people that will like break something apart and then put it back together in a way that it wasn't supposed to be put back together to make it do something cool, and that's a hack in in mainstream. Uh So that's
the way I see it. I see hackers as being people who um reverse engineer different software, different hardware. It could just be a bicycle, for example, and put it back together in a way to make it harder, better, faster, and stronger. Nice, the old Daft Punk approach, of course. Yeah, I agree entirely. Uh. The the original term hacker was really all about people who have almost an insatiable curiosity to learn how stuff works. Oddly enough, I share that quality,
having worked at HowStuffWorks for a decade. Uh. But yeah, to understand how it works, and then to make stuff do things it wasn't necessarily intended to do. Not for nefarious purposes necessarily, although that could clearly be an application, but just for curiosity's sake. Can can I take these elements that are meant to do this one thing and do something completely transformative with it, whether it is hardware or software. And we've seen some really cool
stuff come out of that. I mean, I would argue that a lot of the things you see in the cosplay world, in the steampunk world, those are all taking elements of hacking. Maker Faire is really just a hacker's paradise when you get down to it, especially for hardware hacks. Absolutely, I'm kind of sad. I'm gonna miss Maker Faire this year. I haven't been to one yet. I've been to a small one here in Atlanta, very a very modest Maker Faire.
Everyone there was great and passionate and intelligent, but it was, you know, a much smaller scale than something you would see in the Bay Area. But but that's the kind
of thing that hacker means to me. Now that being said, in this episode, we're really going to be focusing on on sort of the computer oriented, really the software side of hacking um and a large part of it's going to be on the bad guy, the naughty bits as I call it in our notes about hacking, simply to talk about what are the ways that hackers cause or the malicious hackers cause problems, how do they expect to
profit from that? And also that well, we'll look at ways that hackers who don't follow that path, who are looking to help people, not hurt people, how do they make a living? Because it's one of those things where you kind of take it for granted when you see the Hollywood depiction of a hacker, the person sitting down, usually they're sitting at a keyboard and for some reason, their monitor only is monochromatic. Green. You know, they're using
the old Apple IIe terminals. Terminals are actually written in green oftentimes, but you can change the colors to rainbow colors if you choose. That is a hack. It's a real life hack. Yeah, Yeah, And usually you see them sitting down and then they cause some sort of mischief, sometimes bordering on sabotage. But then you when you think about it outside the context of that scene, you think, how did they expect to profit from this?
So that's kind of what we're looking at. Yeah, because it's always important to me to reiterate to that there are always going to be two sides of a coin to everything in life. Of course, there are going to be bad guys in the real in the world who do nefarious hacks, but there's also a lot of good guys too, And personally, for me, the reason why I'm so interested in researching this is because it has made
me a much more privacy and security guarded person. I've gotten a lot better at my own protections online, and I feel like if somebody else can understand what a hacker does on the bad side as well as the good side, they can better protect themselves too, And that's what I've always tried to teach people. Yeah, I think all you have to really do is attend one DEF
CON and really have that driven home. I have not yet gone to a DEF CON, mostly because I don't know that I could part with my smartphone for that long and I certainly wouldn't take it with me. Bring a burner phone, you'll be fine. Burn Yeah, that that's me Jonathan, the guy which carries the burner. Uh, it
makes sense, I mean when you're doing something like that. So, for those who don't know, DEF CON is a large hacker based conference largely looking at the realm of information security, um, and often they will you'll have entire presentations dedicated to showing off vulnerabilities and security. Again not necessarily so that people can take advantage of them, but rather to raise awareness and to kind of force the hands of the parties that are responsible for that software to
take action and fix a problem. Right. Like that was what we saw with the hack about remotely taking control of a person's vehicle. Uh, specifically Jeep was really having that issue. That's one of those things where the researchers were saying, look, we're bringing this to light, not so that we can create an era where people are terrified of their vehicles that someone's going to take remote control
of their car. But rather to really drive home the fact that the information security is now, it's important everywhere. It's not just your phone, it's not just your computer.
As the Internet of Things continues to blossom, it's everything. Yes, I agree, And in that sense, those researchers were trying to use something the old school term is called responsible disclosure, where they explain some kind of vulnerability that they found to the company in hopes that the company will fix this problem before it becomes mainstream and before it gets out into the wild. In the case of Jeep, I believe, if my memory serves me right, that Jeep did not
necessarily release a patch for this vulnerability. So then the researchers decided to go out publicly about the information that they found, and then Jeep decided to fix it once everybody else knew about it, right, And and sometimes that's what it takes. And then and I've had the same discussion offline with a mutual friend of ours, Brian Brushwood. Brian is a stage magician. He has a show called
Scam School. It's all about social engineering. One of the things I have talked about with Brian is that his show, he often shows how to do certain types of scams or tricks, but they're mostly in the bar bet world, right, Like, not stuff that you would do to ruin someone's life, but something that you know you might want to you
might win a free beer that way. Yeah, And he showed off he had an episode where he showed off this guy who had had was demonstrating a well known vulnerability of a popular bike lock that has been off the market for a couple of years because of this vulnerability. But that particular vulnerability meant that you could use a regular plastic pen, remove the pen part of the pen, use the casing, and jam that into the lock and
pop the lock open. Right. And so people were complaining in the comments, they were saying, you're you're you're publicizing this vulnerability. And I said, guess what the bad guys already know about this vulnerability. What they're doing is publicizing it to a public that might be still vulnerable to it so that they don't fall victim. And that to me is a very important part of hackers across the board. They they serve very important purpose to alert folks to
potential dangers before it gets too late. Yeah. Absolutely, And and you're those hackers are the people that are generally working to make a better world for consumers, a better a better private and secure world for consumers. But then, of course, on the other hand, are the baddies. Yeah, let's talk about some of them. So I kind of gave some weird little titles for this when I was typing it up, because in the middle of a week,
I get bored. Shannon has to be honest, and so when I was making an outline kind of for us to work from, I started coming up with goofy subtitles. So this whole section is titled the Naughty Bits in our Notes, And the first one is malware moolah, as in people who make money through the development or
distribution of malware and malware. As I've said on this show many times in order to define it, it's really software that is intended to do something that is ultimately harmful to the person who runs that software on their machine.
It covers a wide array of different subcategories like, uh, you know, this is the sort of term that we normally would have in the old days just called a computer virus, but computer virus is a very specific thing, and malware covers more stuff than just viruses, also worms and all sorts of stuff. Yeah, there's there's malware for Java and Flash. If you still have Flash installed, I highly recommend that you uninstall it if you don't need it.
There's malware for browsers. There's malware for advertisements online for sponsors that you'll see like on on different websites. That was a very recent problem that a lot of news publications had with Yeah, big name news public Yeah, so that was a big one. But you'll see malware all over the place. And luckily we do have anti-malware software that we can use to protect our computers from it, and we can also block certain ports on
the routers that can hopefully protect you from malware. But there's also a lot of cases where malware is distributed and built so quickly that a lot of those anti-malware software are not updated quick enough. So in that case, we need to do the best that we can to protect ourselves and keep malware from getting out from the
deep web. Yeah. You know, it used to be, uh that you really all you needed to worry about was just don't go to the more seedy elements of the web, and you were generally all right, right, Yeah, it's kind of like avoiding a bad neighborhood. Like, obviously, if you don't want to get robbed, there's certain neighborhoods that you should probably shouldn't walk around in by yourself at night. And this is kind of similar in that case where you avoid the deep web unless you really want to
be on somebody's like hit list or something like that. Yeah. Yeah, if you're if you suddenly think that you want to come across as a big shot, look if you're not a big shot, don't do that. It's kind of like kind of like walking up to someone who works in a carnival and claiming that you're with it and for it. If you don't know what that means, you do not say that. Okay, I think I just gave terrible advice
to an entire population of listeners. Um, don't don't. Don't talk to carnies unless you are one, alright, so uh and I love you carnies. I love you all. So. The the thing that we're getting across, though, is that today that's not as big a guarantee as it used to be right, like ten years ago, you'd say, look, just be careful. Don't download unusual files, don't don't run a file that's linked in your email without checking it out first. Don't don't you know, be careful opening up
emails from things that you don't recognize. Be careful with PDF files. Be careful with stuff that especially unsolicited stuff that has come to you, because that raises the chances that something hinky is going on. It doesn't necessarily mean it's definitely a problem, but it's potentially a problem, and it's better to be safe than sorry. Make sure you have good and uh anti virus software on your computer. Make sure you have a nice strong firewall. All of
these kind of things. Those used to be pretty good at keeping of the malware away from you, if you were being a fairly responsible netizen. These days, they definitely help. These days, these days, the attacks are are sometimes getting like in the case of the advertisements on news sites. These are attacks that are going through avenues that you
at one point would have considered perfectly safe. Not that it's happening all the time, but the fact that it can happen tells you that it requires an extra level of vigilance beyond what we used to say was was sufficient. Yeah. Absolutely, a data collection for a lot of this malware is extremely Uh, it's highly sensitive in the fact that a user's data can get so much money on the on the deep web, so much money really, particularly a collection of user data. That's where the big
money is, right. I did an episode once where we tried to break down how much is your personal information worth? And yeah, it really depends. It depends upon what information you're talking about, Like how extensive is that profile on a person? But yeah, it's not much in the grand scheme of things. Like to you, it's worth a lot, right you as a person, Shannon, You as a person, that information is worth a lot of money to you
because it's who you are. To someone else, it's worth pennies on the dollar really, depending upon depending upon the amount of information. But this malware often is giving hackers access to massive amounts of info about a huge number of people, and a number is there is more value and that's where they will sell that. Sometimes they sell it to companies that are just interested in getting information
so that they can do targeted advertising. So it might be that the ultimate use of your information isn't as bad as it could be. It just means you're going to get some ads, um, but still not fun to think about and to think that you know, now these companies have access to information about you that you probably would rather they not have, particularly in targeted advertising. The famous story about Target when they started sending ads to a young lady that were related to pregnancy, and then her
dad got really really ticked off about it. But it turned out that little girl was pregnant, yeah, and that it was it was because the algorithms had picked up through her search habits that she was pregnant based upon the search terms she was putting in, and so they proactively sent her some coupons for pregnancy related items. The dad got very upset. Then the dad ended up apologizing to Target, saying that he was unaware at the time of the full situation. Well, in that case, it was
search algorithms. It wasn't a hacker who had gained access to stuff and then sold it. But there are other cases where that does happen, where you know, just a database of info, and a lot of times they will release this malware in something that's called an exploit kit.
So generally, these exploit kits are like a batch of similar malware that will work across several different platforms, so that whether that's several different types of software like Java and Flash, or several different browsers, it could be several different operating systems too, So you might see an exploit kit that works on Linux 4.4 but also works
on Windows XP up through eight or something like that. Right, And what's crazy is that when you start looking at I mean, this is one of the things that hackers do, right, They'll look at operating systems and what the market penetration is for those systems because that that's that shows you
where your target rich environment is. Right, So if you have Windows seven, guess what you are prime target for for malware because that is by far the largest, um, that that has the greatest market share of any operating system right now, Windows XP still it's number three, number three, and it has not been supported by Windows, by Microsoft, for two years. This, by the way, bad thing.
If you want to be really secure with your your computer information, you don't want to be using an operating system that no longer gets support from the company that made it, um, because because that means no vulnerabilities will be patched. From that moment forward, you're pretty much on your own. You have gone into the dark forest, and you forgot to bring your flashlight. It's pretty dangerous. Um. One of the things that you kind of uh that that I think leads in from what you were saying
before with these exploit kits. One of the most terrifying aspects of this type of malware and and the fact that that people can use it for nefarious purposes and monetary gain, is that you also have a population of people who don't even understand how the malware works. They don't even Script kiddies is what I'm getting at. Script kiddies, that's the term we use for people who are, uh, they're benefiting from the the work that hackers have done.
Hackers are the ones who are actually putting together the software. They're the ones who have identified the vulnerability and then exploited it in some way. Script kiddies are the ones who essentially they're given a set of skeleton keys, and they didn't make the skeleton keys, they're just using them. Um. And it's scary because you don't need a level of expertise. You might think, oh, well, I'm kind of safe from hackers because how many people are actually hackers? How many
people really know how this system works. Well, you don't have to really know how the system works if you have a tool that exploits a vulnerability. Oh absolutely. Although I really hate the word script kiddie, I will put it out there because I feel like if you're interested in information security, and if you're interested in becoming a good hacker, then you do start somewhere, and everybody is going to start with the easy tools that are out
there and that are available for free. For example, one thing that I learned how to use a couple of years back was this tool called Wireshark. It easily lets you see everything that's happening on your wireless network, or you can use it for um, any computers that are on your on your network, like behind your router, so you can see everything that's going on and you don't necessarily have to learn or understand what's going on behind it to be able to read what's on your
screen happening right in front of you. I think it's really important though, for people who might be called script kiddies to look at as being beneficial and that they can grow from that process. They can start from being a beginner and say, okay, well I need to understand the theory. Now I can move on from being a script kiddie quote unquote to becoming somebody who is an expert in some kind of information security out there. Yeah.
I when I think of the term script kiddie, in my mind, it's a very it's a subset of the people that typically get labeled as such. That subset being people who have little to no interest in actually learning how to hack or program. Uh, people who want a very very fast track way to gain either a reputation by being the person who took down a system by whatever means, or by making a whole lot of money
really fast for relatively little effort. Those are the ones I specifically think of when I think of script kiddie. But you are absolutely right, you have to start somewhere if you're interested in this is I'm kind of defensive with that because I I was called a script kiddie when I first started up started off learning about hacking and information security. People would be like, Oh, she's just a script kiddie, and I'd be like, I actually want
to understand the theory. I want to learn how to program. I want to learn how to code. I'm no longer called that because I have learned how to write certain kinds of code. I have learned how to program. I can make my Arduino do whatever I want. So at this point in my stage, I've surpassed that moment of being a noob and I've gone on to learning things and being able to understand specific tests and get them to do what I want them to do without finding tutorials online. Yea, so now I make my
own tutorials. Seeing Now that's nice because when I started at HowStuffWorks, they call me that weird bald guy, and today they still do. So some labels just stick, is what I'm saying. So yeah, So, so that kind of covers the malware approach. People can make money through malware, either by selling your information, um, they might do so by another method, which kind of leads into this idea
of ransomware. So this would be malware specific type of malware that UM locks down your machine in some way so that you can no longer access it, and then you essentially get a message saying, hey, if you want, if you want your data back, if you want access to your data. If you want to be able to do all this stuff and you want our hands out of your business, then you've got to pay us some
moolah money. Yeah. So basically what happens with ransomware is, uh, it is just like you said, a type of malware that gets distributed in one way, shape or form onto somebody's computer and it ends up encrypting their data. It could be a whole hard drive, it could be a folder of data. It's some kind of important data that
they have sitting on their computer. Uh. And in many cases, a thief the hacker will ask them in an email or maybe an encrypted text document that's now surreptitiously on their computer out of nowhere, to send them a certain amount of bitcoins, and they tell them how to set up a bitcoin wallet so that they can send the bitcoins to them for them to get a pass code to unlock their encrypted data. Now, the weird part is they already owned this data. It's on their own hard drive.
It could be anything from like kids photos, it could be tax documents. But in any case, it's going to be some kind of important information that people don't want to lose because it might be years and years of information that's just on that computer. So of course people are going to send them bitcoins, and I think last I checked, a bitcoin was a few hundred bucks, so it ends up being quite a bit of money that they have to send to get their information unlocked. Yeah,
and this is this is the type of malware. When we were talking about the the advertising that was targeting people through massive news sites. If I'm not mistaken, it was specifically ransomware. It was the kind of stuff that was encrypting users. Uh yeah, yeah, so it wasn't just malware. It was ransomware that was infecting computers. Because malware can do other stuff too, right, it can It can create
something like a backdoor access. So yeah, hackers can take control of your machine or just monitor what you're doing. Even if they don't want to take control, they can put in keyloggers so they can see what all your passwords are. Um, so you might want to think about using things like a really good password manager. Um, that's what I use and and I love mine. Uh yeah, So the things where you don't have to type the password in so you don't have to worry about key
loggers picking up on that. Kind of stuff. Um. But we'll talk more about that in just a second. So one of the other ones I wanted to talk about, this one is kind of a gray area because, uh, this is this. I titled this section spies like us um, and by this I meant state sponsored hackers. People who are hacking on behalf of a specific state or nation or government. Um. Sometimes they may be doing so not with the uh what should I say, Like, not with
the express permission of the nation. It may turn out that the state says, Hey, we didn't tell them to do this. They're just doing it because they love us so much and they hate and they hate you guys, and that's why they're doing it. Um. Whether that's true or not depends upon the situation. I would I would think that if I were running a government and I had employed a bunch of hackers to infiltrate or sabotage another nation's systems, I also would like some plausible deniability
in there. Hey, I didn't tell him to do it. I just said, man, it's it's kind of like there's there's a story that a king of England once he yelled out, who will rid me of this meddlesome priest, and then a couple of knights went off and ridded him of his of that meddlesome priest, and it turned out that he was he was just mad and just talking out loud. And then one of his dearest friends ended up being murdered by a couple of knights because they heard the guy talking and said, hey, we should
get rid of them. We'll get rewarded. That's what the States argue. I don't know that that's always the case. Also, by the way, for you listeners out there who recognize who I'm talking about, send me an email and prove it, because I'm a medievalist and I love that stuff. Um. But yeah, this is something that we see. You know, you often will hear stories about Chinese hackers or Russian hackers.
There was a story, uh, several years ago about how, uh, information security experts were noticing some artifacts in our power grid system that were indicative of, uh, people who had infiltrated that system and planted some stuff in there so that they could monitor things or perhaps even jump back into the power grid system should, uh, push come to shove in some sort of political situation. They had
traced it back to either China or Russia. It's pretty tricky to actually figure out where attacks ultimately originate from, because if you're really good, you can cover your tracks pretty well. Um, but the United States has done it too.
You might have heard about Stuxnet. That was the That was the computer virus that was designed to um to to spin a centrifuge in a nuclear facility at a speed greater than what it was supposed to spin at. And originally I think the hope was that it would cause a catastrophic failure and perhaps perhaps even destroy the facility. As it turned out, it caused a failure,
but not at that level. But that those are examples of something that's technically legal within the country because it's it's endorsed or at least permitted by a government, but you don't want it out there because it seems pretty darn shady to anybody else. Yeah. Yeah, So state sponsored hacks are more worrisome to me because they oftentimes have
much larger targets. For example, they might target a large government facility like I don't know, the Pentagon, So I worry about those because those kind of servers have a lot of information on the citizens of any sort of country. So anytime you see these in the news, it's it's always like, oh, well, this this hack was done by Chinese state sponsored hackers, or Russian state sponsored hackers, or American state sponsored hackers in these North Korea. North Korea
would be another big one. Yeah, yeah, So so they are either it might be a team of hackers that are kind of comprised together in a illegitimate company, who are hired by a government or like you say, where they may not necessarily have any affiliation quote unquote with the government, but the government ends up paying them in some way, shape or form for their infiltration because it ends up helping the government in some way or another.
And so it's it's a very sticky scenario when you start dealing with these state sponsored hackers, because it's it's hard to understand, Um, how are we going to, you know, penalize them? Who do we penalize? Do we penalize government or the hackers themselves? Or both, like who was actually involved? It might end up being how do we address the underlying situation that led to the employment of hackers in the first place? Um, which can get pretty pretty delicate.
Another great example, or not too long ago, or at least one that may or may not have been involved, I mean, may or may not have involved a state sponsored hacker, I'm still somewhat skeptical of that, would be the Sony hack. Because the Sony hack, the US government essentially was pointing fingers to North Korea, saying the hackers
must have come from North Korea. Look at this IP address, which we don't even need to go into detail right now, except to say that an IP address does not proof make but at any rate, they're they're pointing over at North Korea saying, we think the attacks came from there. The attack appears to be politically motivated North Korea, for its part, the government, which, by the way, North Korea not shy about taking credit for stuff, but they said, no, no,
we didn't. We we didn't ask for this, but we're totally cool with it happening. Um, So you know, it's one of those It's also very muddy because obviously, when you're talking about things like espionage or sabotage or any of those things, uh, you don't you don't come out and talk more about it, you don't. That ends
up being closed away. In fact, I should, I should really throw that over to the stuff they don't want you to know guys, and have them do an episode on it, because that would be a lot of fun. And then we've got got the the traditional at least, I would argue the traditional concept of a hacker from the Hollywood perspective. The black hats, the ones they are wearing the hoodies and they're sitting at a keyboard and they're typing really fast on a green and black screen.
Over They've got like got some junk food food around them. Yeah, mail, and they have a ton of different windows popping up on their computer really really fast. You can't make out anything that's happening. It's entirely not true. That's not how it works. It's actually a somewhat slow process to get um basically, to get reconnaissance and to get into any kind of network. Uh. The only things I've done, of course, are completely legal. I've sure authorization by everybody who I
have tested my my abilities on. Right. Yeah, so black hats. That's that's another awkward definition because it's not one that I like to use all the time, because black hat hacker means that there's it makes hackers have more of a negative appeal to a lot of people, So I
always just call them black hat thieves. Yeah. Now that's a great way of putting it, because, Uh, typically you'll see things like, um, uh, the idea of infiltrating a system in order to steal information, perhaps to sell it to someone else, or to hold it against the party that you've stolen it from. Um, you know, so it might be extortion as opposed to, uh, to stealing and selling. Uh. Also, we should go ahead and point out something else that I'll talk about in a future episode, but I've mentioned
it in previous ones too. Um. Hackers don't necessarily just sit at a keyboard and type in strings of letters and numbers. They also do a lot of social engineering where or they can do a lot of social engineering where they attempt to gain access to systems, either by physically gaining access to a system, which makes it way easier than remotely doing it, or even easier than that manipulating someone who does have access to a system, and
then you get it that way. Um, And it's surprisingly easy to do if employees have not been educated on how to spot that and avoid it. Yeah, properly training your your your employees at your place of work is really important when it comes to social engineering. And it is incredibly easy to do social engineering, especially when you're a female, I would imagine. So it turns out also if you are dressed as the stereotypical I T. Guy and you are there to quote unquote upgrade someone's machine,
really easy to get access to that machine. People are so eager. Yeah. Yeah. And obviously, like social engineering completely depends upon identifying and then exploiting a person's vulnerability and typically speaking like greed lust, those are two big ones that are exploitable and that the people who are really good at social engineering know that, and they're very good
at that leveraging that. Just as knowing what sort of vulnerabilities typically show up within code, within within programs, you need to know what vulnerabilities show up in people. Um. And I also I had a little thing on here about botnet masters. Really what in this I was thinking about the people who are using malware to get that back door access to machines, to get uh, to get that administrative control over a wide array. Sometimes we
call it a botnet. Sometimes we call it a zombie army of of user computers and then utilizing that to do stuff like uh uh distributed denial of service attacks or DDoS attacks, where you are uh directing an army essentially to coordinate an attack against an identified target. Sometimes this is done just to cause problems. I mean, obviously if you've ever had issues logging into like a
gaming network. Xbox Live has had this happen, PlayStation has had this happen where people who are disenchanted with the service for one reason or another, or they just want to do it for the lulz. Uh. Specifically around holiday times, that's a big that's a big target time to attack something like Xbox Live. They'll direct a ton of traffic to break down servers, so servers can't respond to legitimate traffic because they're too busy responding to a bunch of
fake traffic. Essentially, I'm oversimplifying, but this is a basic DDoS attack. It is. It's such a mean thing to do to those little kids during Christmas time. Just turn off their xboxes so that they can log in and they can't play their games, so they just go on. Yeah yeah, I think, break my heart. Gosh, it's it's a jerk move. It's a jerk move, don't do it. I love the definition, or I love the term zombie
for botnets, because that's exactly what it is. Where you have a you have a zero, a patient zero, and that would be the first computer. They end up biting a few more computers, and those ones end up getting infected with the same exact infection that patient zero had, and then those ones end up biting ten each, So you end up with thousands upon thousands of these computers that each have the same exact infection, and they all end up perpetrating the same exact vulnerability on whatever their
target might be. Yeah, and then ultimately you end up with a situation where Negan is standing there with a baseball bat and you don't know whose head he's gonna cave in. I might have taken that metaphor a little too far. But one of the things that botnet controllers might do, and in fact, this has happened on multiple occasions, it's similar to ransomware, is they'll send a message to an identified target and say, hey, we we got your number. We're gonna come after you unless you
pay us a certain amount of money. Um, we will unleash the dogs of war on your servers, and you will be unable to do business. And there have been cases where businesses have folded to this kind of pressure, where they have in fact paid to do this because hospital. Yes, yes it was. Yeah. I've seen a few cases of
particularly malicious and odious acts against things like hospitals. There was one year when I was participating in a charity for children's hospitals and the charity was targeted in the middle of the event and for about three hours they were offline trying to deal with that. Um, yeah, it's and in that case, it wasn't a it wasn't an attack in an effort to get money. I don't think. I think it was just someone being truly an awful human being. Uh. But we have seen cases of people
trying to do this in order to extort money. So you're probably noticing some trends here extortion, stealing, uh, you know, holding things for ransom, this idea of making sure that that people are spending money for out of fear or out of a need to get back uh, and and have access to something that belongs to them. These are all terrible, terrible motivations to make money and as such
as such terrible motivations. You might think, well, wait a minute, how are they actually like, how are they getting paid? How is this money transfer happening? Because you would think anything that would be traceable would end up being somewhat problematic. You've got a trail that leads back to you as a person, then pretty soon law enforcement's going to get involved, or at least the I R S. So, so, how
Shannon do hackers? How do they get the money? So there's probably some ways that I don't even know about yet, but the ones that I can think of would be trading of high value data. So that's a pretty big one where uh say a hacker collects a whole bunch of really really high value data like your Social Security number, your credit card accounts, your banking account, tons of information, and they decided to go on to a deep web forum sell it, and then or trade it for something
else of high value, for example, a gift card. They could ask for people to give them a ton of gift cards that are, like you, twenty five or fifty dollars each, and then use those gift cards at a retailer who is easily vulnerable to some kind of gift card scam, and in that sense they would be able to make some kind of money back through those gift cards and that trade of that high value uh data that they stole from whoever it might be, whatever company.
Another way would be bitcoins. Now that's probably the most obvious one, of course, because bitcoins are very very hard to track. Yes, they are traceable in some circumstances, depending on what kind of wallet you use, but in a lot of circumstances, the bitcoins will trade wallets so many times that it will be somewhat impossible to find out where it actually came from, where it actually started. Yeah, it's kind of interesting because every single bitcoin contains with
it a record of every transaction. But that does not mean that the parties involved are actually identifiable. Yeah, it really is. Um it's it's actually data that's used in order to allow for the mining of further bitcoins. It's
a really fascinating process. But but one of the things that attracts people to bitcoins is this idea of being able to spend them anonymously and be able to purchase things, uh, whether legal or illegal, without it being traced back to that person you often will hear about things like, you know, the old Silk Road, where you could purchase all sources of stuff, including illegal drugs or other materials, sometimes weapons, that kind of stuff, um, and you could do it
through bitcoins, and people felt a high level of confidence because it was not a state backed currency. It was this independent cryptocurrency that allowed them that that freedom and had real value because people want the bitcoins. If no one wanted the bitcoins, they wouldn't be worth anything, right, And bitcoins have actually been pretty steady last time I checked, so their value has been pretty decent in late days, in recent days, So I completely understand why hacker would
want to be paid in bitcoins. It makes sense. Yeah. Yeah. There's also the old, the old deal of putting the money into the the washing machine. Right, that's how money laundering works, right, Yes, money laundering. So that was something that I learned about way back in the day when I worked at a bank of all places, which also got me really interested in security before I started podcasting.
But money laundering, it's very easy for somebody to go online be able to sell this high value data to get some bitcoins, or it might be some other form of currency and then be able to resell that money or be able to trade a product to get real money, real cash at one point or another. But basically it's it's um exchanging the hands that hold that money so many times that again it's very hard to trace. Yeah, and it's it's hard to determine that the the original
source of that money was anything remotely illegal. And then depending on again, if you're if you're a state sponsored hacker, you're probably just drawing a salary or doing contract work. So you're actually getting paid a check. Yeah, Yeah, you got money withdrawn from your paycheck to handle to support the government while you are subverting other governments. And then it looks completely legitimate. So that's a really easy way
for somebody to do something that might be very very bad. Yeah, because they are they do have to pay the I R S, they do get a tax refund every year, they do have an employer, so it looks completely normal for them to be receiving a paycheck for whatever work this might be. Yeah. So the nice thing is there aren't just quote unquote bad guys out there doing all this kind of of work with computers, with a hacking,
with discovering vulnerabilities. There are plenty of people, as as you mentioned earlier, Shannon, who are doing this in order to help others, either to make systems more secure or to inform people of how these kind of attacks happen so that they can be better prepared to defend themselves. So let's talk about some of them. Uh. Of course, if you have black hat hackers, right, you got the bad guys, you gotta have, you gotta have white hat hackers.
These are the These are the the noble bounty hunter characters of those westerns, the ones who you know they've seen things, but deep down they have a heart of gold. Well, not all of them, but a lot of a lot of my friends are considered white hat hackers. They're the people who either they work for a company that specializes in security.
So a lot of my friends work for these companies who will be contracted with big brands, go into their networks and then find out what the vulnerabilities are and fix them, or they will give them a report and tell them how to fix that fix it in the future. They make a lot of money. A lot of them don't like it because they have specific amounts of vulnerabilities or specific time frame set that they have to get this work done, and a lot of times, hacking takes
a lot of time. It takes a lot of information reconnaissance. So a lot of my friends don't necessarily appreciate having to be under these time constraints with these big brands. Well, particularly since you figure the bad guys aren't under any particular time constraints. Exactly. So the bad guys have tons of time to find these vulnerabilities, while the white hats are under the stress of these time constraints to get the work done so that they make their
bosses happy. In this sense, a lot of my a lot of people that I know, have created their own security companies because of this fault in the generic nature of having these security companies. So they said, you know, I'm tired of having to deal with these constraints that my boss has given me. Just gonna open my own security company, and we're going to do it even better
because we won't give ourselves those time constraints. Will give us ourselves several months to find all the vulnerabilities that we absolutely can and then we'll write a report and we'll fix it. And uh, those are the ones that I would definitely work with if I had to hire a security company. Yeah, because they're the ones who are going to use the exact same kind of methodologies that
bad guys are going to use. And if if you want to really be secure, you want the people to throw everything they can at your system so that you can find out are you actually secure? If you're not, what do you need to do to address it? Um. If you want to see a movie that that does a very fantasy version of this very idea, there's a film that I always think back to, Sneakers, had Robert Redford and Dan Aykroyd, who plays a character named Mother. Ben Kingsley is in it. Um. A ton of folks.
River Phoenix was in it Um, and it's a It's a movie about a group of kind of almost like outcasts who have grouped together to form a company that they specifically do this. They try to infiltrate a company in order to test its security, not to exploit it, but rather to tell the company, hey, here's how we got in, here's how someone else could get in, So you need to plug this vulnerability. That kind of thing um. And then of course they get involved in all sorts
of shenanigans. And in case you are interested in the methodology, I actually find it very very interesting how they get their work done, because of course they have to go through the tennis match of back and forth with a brand name company, whatever it might be. So they'll have
to get a purchase order. They'll do a little bit of negotiation for an amount that they'll do the work for, and then they'll go in and they'll gather information on the network and they'll capture traffic, and they'll try to find any kind of vulnerabilities that are on that network, even with the people too. For example, they could use social engineering to get into the server rack uh physically, or they could get into a network that doesn't necessarily
have a very good password on it. Uh. They could email clients that work there that are employed at the brand name company with I don't know malware-ridden PDFs for example, and they could use wireless attacks. They could do war driving from the parking lot if they wanted to. And then what they'll do is write a very, very long report so that the brand name company can see exactly what happens on their network and exactly what they were able to do. From from whatever back door they
were able to get into. It's really interesting how how well they're able to put everything together in in turn hopefully save this company in the long run thousands and thousands of dollars. Yeah, yeah, I mean this is the whole Security has always been a tick-tock approach. Right. You've got the tick, which is where someone has identified a way of exploiting a system, and then the tock is where you find a way to correct that that vulnerability.
The tick is the next time someone's found a vulnerability. Uh, you're always going to have that, right unless someone somehow designs the absolute perfect system, which as far as we know is an impossibility. Yeah. That's yeah, because for one thing, if people are involved, there's no such thing as a perfect system. It's always a battle. And I love my
video games, so I love a battle. But it also drives other other industries though, because we'll see things like the artificial intelligence industry improve as a result of this security battle between hackers and uh, the infosec experts who are trying to make sure that they're protecting systems. And as a result, we're we're getting information that can be used in other areas, which is phenomenal, Like I remember, here's a simple one. It's it's as far as security goes.
This is as low level as it gets. But the CAPTCHA system. So when CAPTCHA was implemented, even the people who were writing CAPTCHA at the time were not really thinking of it as being some sort of foolproof security system to make sure that bots don't get into a system, right. They weren't thinking, oh, now
only human beings can get access. And if you don't know what a CAPTCHA is, anytime you get your filling out a thing and you get a little picture of something and it says, uh, tell, you know, write down the word or numbers that are in the picture, or even to a point of identify the pictures in this sequence that have this particular feature, like identify all the pictures that have a lake in it or something like that.
That's a simply that's simply a version of CAPTCHA. Um. The people who made it, they actually said, our goal was really to help push artificial intelligence, because we created a system where programmers or hackers had to start coming up with uh, computer programs that could identify the same things that we humans can identify, and in turn that
means now we've got software that pushes forward artificial intelligence. Now, granted, that also means you have to improve the system you had designed to keep bots out in the first place. So again it goes to that tick-tock. But there's an added benefit beyond someone being able to to automatically access systems and build you know, dozens and dozens of fake profiles on Facebook or whatever it might be, whatever that
might be. Yeah, yeah, And and keep in mind, like like we've been saying here, I mean, any any system, security is only as strong as its weakest link. That weak is pretty much always people. That's the big one, right. But I mean I've I've read stories about hacker gaining access to a system because there was an overall security system that was really robust for the main company, but then they had a little branch office and the branch office didn't have that crazy amount of security but was
still on the same network. I think I read about that story too, So I mean, these are these are things like if you identify a potential point of weakness that's now suddenly the you know, it's it's like a bank vault. If the bank vault has an enormous door with huge locks on it that you have to get through. Oh, but it also has a backdoor. Just for convenience sake, you're gonna aim for the back door. So, but there are other ways that that hackers can can make a
legitimate living that don't even involve testing security systems. It might involve education. Yeah, absolutely so education is I guess what you would say, I fall into that kind of category. And while I I don't necessarily like to call myself a hacker because I know so many experts in the field who are much more knowledgeable than I am. I'm quite a intermediate, I would say, but I love to teach and I love to give tutorials online, so I
give tutorials on YouTube. But I also know a lot of people who have either written books about hacking UH, and they could do either specifics about penetration testing or they get to make it a very very wide based book where they explain everything that you would have to do as a penetration tester. And a penetration tester is basically one of those guys that would go into a company and UH find all the vulnerabilities and report on it.
You would also have companies that administer certifications. So a lot of I'm sure a lot of your your um listeners probably know that you have to get certifications to get a lot of uh, to get into a lot of the fields with computer security and even just you know, computer networking too. There's a lot of certs for those and they're very, very expensive. So a lot of companies just administer their certifications or they'll have you take classes for a period of time until you
actually take the test and get certified. But that ends up being a really good thing to put on your resume for a lot of companies whenever you do intend to get a job in network security. And then lastly,
we have the publishers. So that's the YouTubers, that's the people that make podcasts. That's the people that um might be creating other forms of entertainment that not only educate but also entertain their users and their listeners so that they get excited about being a part of information security. Uh. And that's what I like to do. I like to teach people in a way that makes it exciting.
So I do a lot of hands on stuff. I I make, I make jokes, and I explain things in a very natural light, and it helps, it helps again foster that desire to learn how things work. Right. That does so again that that same fascination, Like if you were ever a kid that took apart a watch or a radio or some other piece of equipment, because you really want to know what's the magic that makes this
thing do what it does? Uh, hackers have that. I mean, that's the that's that's the defining quality in my mind of a hacker is ultimately it's someone who is fascinated with the way something works. Uh. We've largely been focusing on software, but that is just as legitimate as any hardware hack. It's the idea of how does this It might not even just be the software, might be a full system, like how does this system work? What are all the interlocking parts? How do they communicate with each other?
I just had a random memory from when I was younger and in school. I took apart my first iPod because I had no clue how it worked, and I was very curious about what what the interior of it was. So I just I took it apart. I could have put it back together, So I was not hacker in any sense. We um we for for an article I was writing. We got a first edition launch day Nintendo three D s and it was my job to disassemble
it and take photos of all the pieces. So first I took a picture of it whole and shared it online on Twitter and said look what I have, and everyone got excited. And then by the end of it, I had a little had a little black cauldron at my desk that was left over from a Halloween thing, and then I put all the different pieces because there was no way this thing was going back together after
I took it apart. For one thing, Nintendo is pretty careful about sealing stuff in such a way that it's not meant to come apart so um, so you have to hear. It was a little force in some cases in order to get to stuff. And then I showed a picture. I'm like, I'm like, look what I did to the thing. I made the entire internet cry. Yeah, although ultimately I think the three DS most people are like, oh whatever, But at the time when it was brand new,
people were freaking out. And of course there's there's also another role for for hackers out there. It may not be a steady gig, but we are seeing more and more of the Hollywood productions out there actually talk with people in the industry so that the depictions that we're
getting are more accurately reflecting what really happens. Mr. Robot is probably the example that immediately leaps to my mind, and that it's it's a show that tries very hard to take a more realistic approach to the world of hacking, as opposed to um you type in three passwords, the third one gets you in, and then you're navigating through a vector graphics three D dungeon and you encounter a
skull and crossbones. That's not how hacking works. It sounds like you were talking about Hackers. Hack the planet. Might have been. I should mention too, with education, just to bring it back a bit. Professors. I didn't leave you guys out. I'm sorry. I love you guys. You are the reason why I'm here now. If I didn't take my computer courses in college with my professors, I
would not be doing what I'm doing now. So professors are like at the top of that education list because and you can take a lot of computer security courses in college and sometimes in high schools if you're lucky. But yeah, technical assistance. So technical assistance are people that will come on board with a Hollywood movie or a TV show or what have you, and they will explain
to the network how the hacking actually happens. So I know a few uh they will They'll come to some of their hacker friends or they will be a hacker themselves and they will say, okay, uh in this season, I know that they want to do X, Y and Z on camera, and I need to make it look legitimate, so they will come up with the script. They will come up with the hack and the actual keyboard commands that the actor has to type in on camera so
that they are actually doing legitimate hacks. So that way they're not only making it look cool for a wider audience because an audience is actually going to see how a hack works, but they're also getting that credibility with the infosec community too. So Mr Robot is huge with the infosec community because it is legitimate. Like I've watched several of those episodes and I've seen a lot
of the hacks that they do. They've even used some of our Hak5 products on the show, and they're actually using legit hacks and it is so much fun to see it on TV and see them get so many good reviews from a wider consumer audience, because it makes me feel like many more people are getting interested in infosec because they see what's happening on camera and they see that this is actually how you do it. Yeah,
it's nice to see it go beyond. Uh. The the niche that I would argue infosec and hacking has largely inhabited for the past three decades, right, the people who have been interested. When it first started, it was essentially your hobbyists, and often those hobbyists were isolated individuals. Uh. You got to the phone phreaking days where there was a little bit of a small subculture of people who were interested in hacking the telephone system using all sorts
of stuff, including a whistle from Cap'n Crunch. Uh. You had you had the the early hack days where people were just trying to create interesting programs for their computers or to see how some of the programs that were coming out, how did those work? Um, But it was largely a tiny slice of the folks who were even aware of personal computers, and and even that group was
still a tiny slice of the overall population. We're seeing that tiny slice grow over time, and largely because so many of us are so dependent upon computers these days that it benefits us to have an awareness to make sure that we remain safe, but also because of things like Mr Robot showing how this works and sparking the imagination of people who perhaps before they saw that, never thought, yeah, it's kind of cool. I would love to be able to manipulate code in such a way
that I could do something new or unexpected or help people. Uh. And it's really encouraging to see that kind of thing happen right now. I kind of wish it had happened ten years ago, but I love seeing it happen now. Same. I actually feel like there was a little bit of negativity in in the aspect that we we used to have all these really fancy graphics happening on in these Hollywood movies and these TV shows, and now they're actually seeing the reality that is hacking, and it is not
super colorful. It's not super quick, fast paced and exciting like it looks like it is on those old school shows. So I'm hoping that now that they're actually seeing it, people will try it too. Like if they see, um, the main actor on Mr Robot do a specific command line option, they'll go to their computer and try it themselves and see that it actually does work, and then they'll be like, oh, I really want to try some new stuff too, so they'll start googling in and see
what else they can find out. That's the kind of inspiration that I wish happened thirty years ago, and it didn't, So I want to see more of that now, and I'm really happy that, for example, Mr Robot has done a great job with it. Yeah, it's it's and you not to not to poop all over Hollywood because I
do loves mo Hollywood's but but it is. And to understand where they were coming from, they were trying to find a way to create an exciting visual depiction of something that doesn't necessarily necessarily lend itself to that in order for to create a dramatic effect. So I get it.
It's very similar to the way Hollywood portrayed virtual reality back in the nineties, way before virtual reality was ready for public consumption, and it's what largely killed VR for a decade before the various video game systems started to make the very the components cheap enough for people to play in that space again, and now we're on the verge of another VR revolution. The same sort of thing is true of hacking, Like, how do you show hacking in a way that gets across what is happening
to an audience and makes it interesting? I think largely you have to do that through really good writing of your characters, and once you do that, then everything else follows. I think if if you can show that the characters in a movie or in a TV show are actually real people that have real relationships, they have real jobs and real lives, and they have hobbies outside of just hacking, you can really you can start to relate to that character in a very real sense in the fact that, hey,
they are humans too, because hackers are people too. That was actually a documentary nice. Yeah, because again, when when you're when you're thinking about it in the abstract, you're really it becomes that us versus them mentality, where by by its very nature, it's dehumanizing. But that's probably a topic for a show that's not about technology, So I will just leave it be. Shannon Morse, thank you so much for joining me today. Please let everyone know where
they can find all of your stuff. Jonathan Strickland, thank you. So it was a little, it was a little, it was a little laden. Yeah. Yeah, I've been watching Star Trek lately, way way too much Star Trek, so you can find me. Um, the most direct path is on Twitter. I'm at snubs and that's s n u b s and then my shows, specifically, are TekThing over at t e k thing dot com and Hak5 over at h a k five dot org. Yeah, so go check those shows out. They are awesome. Shannon and her co
hosts are all awesome. I gotta get I gotta get Darren on the show. Yeah, no, you are cooler, but someday I gotta get Darren on the show. Um. I don't think Darren and I have ever I think we may have been on one of Tom Merritt's shows at the same time, but otherwise I don't think we've ever done a show together at any rate. Yeah. I know, it's crazy, right, I've known forever happen. Let's let's do that.
Let's do that. So, guys, if you have any thoughts on this subject, or you have any requests for future episodes, or you have questions, comments, that kind of thing, let me know. Send me an email. That address is tech stuff at how stuff works dot com, or drop me a line on social media. You can find me on Twitter and Facebook with the handle tech stuff h s W. Thank you so much for joining us, and I'll talk
to you again really soon. For more on this and thousands of other topics, visit how stuff works dot com
