Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, everybody, welcome to TechStuff. I'm Jonathan Strickland. I'm your host and the executive producer of this show there at HowStuffWorks and iHeartRadio and I love all things tech, and we are doing another classic episode of TechStuff, Hacking for Dollars. I got to talk with Shannon Morse of Hak5 and we talked all about how hackers make
money and both in in legal and nefarious ways. And this is going to be the last of our classic episodes covering my vacation time, I will be back in the studio recording brand new episodes. So I thank you very much for your patience. I hope you guys have enjoyed this look back on some past episodes of tech Stuff. Let's join past Jonathan and Shannon right now. Hi, how are you Jonathan, I'm doing great. How are you? I'm awesome. Yeah,
thank you so much for having me on. This is a great show and I love listening to it, so I'm super happy to be on. Yeah, excellent. Now, this is of course the second time we've had you on, so I will work very hard to to increase that number. I want to at least get us up to double digits with that. But I got Shannon on the show specifically to talk about an area that she talks about a lot, the realm of hacking, and specifically I wanted to do kind of an episode about how do hacker,
how do you make money? How do you make a career out of hacking? And uh and really to frame this conversation, I think one of the most important things to do is to sort of define your terms. And as it turns out, the term hacker is is actually a very broad term that can apply to a lot of different things, and not all of them are that nefarious evil infiltrate a system and steal all the corporate secrets kind of approach to hacking that Hollywood often presents
right right exactly. I actually asked this question to a lot of people, especially when I first meet them. Since I'm so closely affiliated with a lot of the infosec community, I want to surround myself with positive people. So you'll notice with the hacker definition, you can either get a very negative vibe from somebody or a very
positive vibe. Oftentimes, with the negative vibe, you'll get somebody who says, oh, that's the person who stole my credit card data when I went to a restaurant the other day. But on the positive side, you'll get somebody that says, oh, they're the kind of people that will like break something apart and then put it back together in a way that it wasn't supposed to be put back together to make it do something cool. And that's a hack in in mainstream. Uh So that's the way I see it.
I see hackers as being people who um reverse engineer different software, different hardware. It could just be a bicycle, for example, and put it back together in a way to make it harder, better, faster, and stronger. Nice the old Daft Punk approach, of course, Yeah, I agree entirely. Uh. The the original term hacker was really all about people who have almost an insatiable curiosity to learn how stuff works. Oddly enough, I share that quality, having worked at
HowStuffWorks for a decade. Uh. But yeah, to understand how it works and then to make stuff do things it wasn't necessarily intended to do. Not for nefarious purposes necessarily, although that could clearly be an application, but just for curiosity's sake. Can can I take these elements that are meant to do this one thing and do something completely transformative with it, whether it is hardware or software. And we've seen some really cool stuff come out of that.
I mean, I would argue that a lot of the things you see in the cosplay world and the steampunk world, those are all taking elements of hacking. Maker Faire is really just a hacker's paradise when you get down to it, especially for hardware hacks. Absolutely, I'm kind of sad I'm gonna miss Maker Faire this year. I haven't been to one yet. I've been to a small one here
in Atlanta, very very modest Maker Faire. Everyone there was great and passionate and intelligent, but it was, you know, a much smaller scale than something you would see in the Bay Area. But but that's the kind of thing that hacker means to me. Now that being said, in this episode, we're really going to be focusing on on sort of the computer oriented, really the software side of hacking.
Uh And a large part of it's going to be on the the the bad guy, the naughty bits as I call it in our notes about hacking, simply to talk about what are the ways that hackers cause or the malicious hackers cause problems? How do they expect to profit from that? And also that, well, we'll look at ways that hackers who don't follow that path, who are looking to help people, not hurt people, how do they
make a living? Because it's one of those things where you kind of take it for granted when you see the Hollywood depiction of a hacker, the person sitting down. Usually they're sitting at a keyboard and for some reason their monitor only is monochromatic green. Yes, that's so true. Well, they're using the old Apple IIe terminals. Terminals are actually written in green oftentimes, but you can change the colors to rainbow colors if you choose. That is a hack,
it's a real life hack. Yeah, yeah, And usually you see them sitting down and then they cause some sort of mischief, sometimes bordering on sabotage. But then you when you think about it outside the context of that scene, you think, how did they expect to profit from this? So that's kind of what we're looking at. Yeah, Because it's always important to me to reiterate to that there are always going to be two sides of a coin.
To everything in life. Of course, there are going to be bad guys in the realm in the world who do nefarious hacks, but there's also a lot of good guys too, And personally, for me, the reason why I'm so interested in researching this is because it has made
me a much more privacy and security guard person. I've gotten a lot better at my own protections online, and I feel like if somebody else can understand what a hacker does on the bad side as well as the good side, they can better protect themselves too, And that's what I've always tried to teach people. Yeah, I think all you have to really do is attend one
DEF CON and really have that driven home. I have not yet gone to a DEF CON, mostly because I don't know that I could part with my smartphone for that long and I certainly wouldn't take it with me. Bring a burner phone, you'll be fine. Yeah, that that's me Jonathan, the guy who carries the burner. Uh. It makes sense,
I mean, when you're doing something like that. So, for those who don't know, DEF CON is a large hacker based conference largely looking at the realm of information security UM and often they will you'll have entire presentations dedicated to showing off vulnerabilities and security, again not necessarily so that people can take advantage of them, but rather to raise awareness and to kind of force the hands of the parties that are responsible for that software to take
action and fix a problem. Right Like, that was what we saw with the hack about remotely taking control of a person's vehicle. Uh specifically Jeep was really having that issue. Those one of those things where the researchers were saying, look, we're bringing this to light, not so that we can create an era where people are terrified of their vehicles that someone's going to take remote control of their car, but rather to really drive home the fact that the
information security is now it's important everywhere. It's not just your phone, it's not just your computer. As the Internet of Things continues to blossom, it's everything. Yes, I agree, And in that sense, those researchers were trying to use something the old school term is called responsible disclosure, where they explain some kind of vulnerability that they found to the company in hopes that the company will fix this problem before it becomes mainstream and before it gets out
into the wild. In the case of Jeep. I believe, if my memory serves me right, that Jeep did not necessarily release a patch for this vulnerability. So then the researchers decided to go out publicly about the information that they found, and then Jeep decided to fix it once everybody else knew about it, right, And then sometimes that's what it takes. And then and I've had the same discussion offline with a mutual friend of ours, Brian Brushwood. Brian is a stage magician. He has a show called
Scam School. It's all about social engineering. One of the things I have talked about with Brian is that his show, he often shows how to do certain types of scams or tricks, but they're mostly in the bar bet world, right, Like, not stuff that you would do to ruin someone's life, but something that you know you might want to you might win a free beer that way. Totally use some
of those myself. Yeah, And he showed off. He had an episode where he showed off this guy who had was demonstrating a well known vulnerability of a popular bike lock that has been off the market for a couple of years because of this vulnerability. But that particular vulnerability meant that you could use a regular plastic pen, remove the pen part of the pen, use the casing, and jam them into the lock and pop the lock open hole. Right.
And so people were complaining in the comments. They were saying, you're you're, you're publicizing this vulnerability. And I said, guess what, the bad guys already know about this vulnerability. What they're doing is publicizing it to a public that might be still vulnerable to it so that they don't fall victim. And that, to me is a very important part of hackers across the board. They they serve a very important purpose to alert folks to potential dangers before it gets
too late. Yeah. Absolutely, And and you're those hackers are the people that are generally working to make a better world for consumers, a better about a private and secure world for consumers. But then, of course, on the other hand, are the baddies. Yeah, let's talk about some of them. So I kind of gave some weird little titles for this when I was typing it up, because in the
middle of a week, I get bored. Shannon has to be honest, And so when I was making an outline kind of for us to work from, I started coming up with goofy subtitles. So this whole section is titled the Naughty Bits in our Notes, and the first one is malware moolah as in people who make money
through the development or distribution of malware. And malware, as I've said on this show many times in order to define it, it's really software that is intended to do something that is ultimately harmful to the person who runs that software on their machine. It covers a wide array of different sub categories, like, uh, you know, this is the sort of term that we normally would have in the old days just called a computer virus, But computer virus is a very specific thing, and malware covers more
stuff than just viruses, also worms and all sorts of stuff. Yeah, there's there's malware for Java and Flash. If you still have Flash installed, I highly recommend that you uninstall it if you don't need it. There's malware for browsers. There's malware for advertisements online for sponsors that you'll see like on on different websites. That was a very recent problem that a lot of news publications had with yeah, big name news publicly. Yeah, so that was a big one.
But you'll see malware all over the place, and luckily we do have anti-malware software that we can use to protect our computers from it, and we can also block certain ports on the routers that can hopefully protect you from malware. But there's also a lot of cases where malware is distributed and built so quickly that a lot of those anti-malware software are not updated quick enough. So in that case, we need to do the best that we can to protect ourselves and keep malware from
getting out from the deep web. Yeah, you know, it used to be, uh that you really all you needed to worry about was just don't go to the more seedy elements of the web, and you were generally all right, right, Yeah,
It's kind of like avoiding a bad neighborhood. Like, obviously, if you don't want to get robbed, there's certain neighborhoods that you should probably shouldn't walk around in by yourself at night, right, And this is kind of similar in that case where you avoid the deep web unless you really want to be on somebody's like hit list or something like that. Yeah. Yeah, if you're if you suddenly think that you want to come across as a big shot. Look,
if you're not a big shot. Don't do that. It's kind of like, kind of like walking up to someone who works in a carnival and claiming that you're with it and for it. If you don't know what that means, you do not say that. Okay, I think I just gave terrible advice to an entire population of listeners. Don't don't. Don't talk to carnies unless you are one. Alright, so, uh,
and I love you carnies, I love you all. So. The the thing that we're getting across, though, is that today that's not as big a guarantee as it used to be. Right like ten years ago, you'd say, look, just be careful. Don't download unusual files. Don't don't run a file that's linked in your email without checking it out first. Don't don't, you know, be careful opening up emails from things that you don't recognize. Be careful with
PDF files. Be careful with stuff, especially unsolicited stuff that has come to you, because that raises the chances that's something hinky is going on. It doesn't necessarily mean it's definitely a problem, but it's potentially a problem, and it's better to be safe than sorry. Make sure you have good and uh anti virus software on your computer, make sure you have a nice strong firewall, all of these
kind of things. Those used to be pretty good at keeping of the malware away from you if you were being a fairly responsible netizen these days, they definitely help these days. These days, the attacks are sometimes getting like in the case of the advertisements on news sites. These are attacks that are going through avenues that you at one point would have considered perfectly safe.
Not that it's happening all the time, but the fact that it can happen tells you that it requires an extra level of vigilance beyond what we used to say was was sufficient. Yeah. Absolutely, A data collection for a lot of this malware is extremely Uh. It's high sensitive in the fact that a user's data can get so much money on the on the deep web, so much money really, particularly a collection of user data. That's where
the big money is, right. I did an episode once where we tried to break down how much is your personal information worth? Yeah, it really depends. It depends upon what information you're talking about, Like how extensive is that profile on a person? But yeah, it's not much in the grand scheme of things like, to you, it's worth a lot right you a person, Shannon, you as a person, that information is worth a lot of money to you
because it's who you are. To someone else, it's worth pennies on the dollar, really, depending upon depending upon the amount of information. But this malware often is giving hackers access to massive amounts of info about a huge number of people, and in numbers there is more value, and that's where they will sell that. Sometimes they sell it to companies that are just interested in getting information so
that they can do targeted advertising. So it might be that the ultimate use of your information isn't as bad as it could be. It just means you're going to get some ads, but still not fun to think about and to think that you know, now these companies have access to information about you that you probably would rather they not have, particularly in targeted advertising. The famous story about Target when they started sending ads to a young lady that were related to pregnancy, and then her dad
got really really ticked off about it. But it turned out that little girl was pregnant, yeah, and that it was it was because the algorithms had picked up through her search habits that she was pregnant based upon the search terms she was putting in, and so they proactively sent her some coupons for pregnancy related items. The dad got very upset. Then the dad ended up apologizing to Target, saying that he was unaware at the time of the
full situation. Well, in that case, it was search algorithms. It wasn't a hacker who had gained access to stuff and then sold it. But there are other cases where that does happen, where you know, just a database of info, and a lot of times they will release this malware in something that's called an exploit kit. So generally, these exploit kits are like a batch of similar malware that
will work across several different platforms. So that whether that's several different types of software like Java and Flash, or several different browsers. It could be several different operating systems too, So you might see an exploit kit that works on Linux four but also works on Windows XP up through
eight or something like that. Right, And what's crazy is that when you start looking at I mean, this is one of the things that hackers do, right, They'll look at operating systems and what the market penetration is for those systems because that that's that shows you where your
target rich environment is. Right, So if you have Windows seven, guess what you are prime target for for malware because that is by far the largest um that that has the greatest market share of any operating system right now, Windows XP still it's number three, number three, and it has not been supported by Window formed by Microsoft for
two years. This, by the way, bad thing. If you want to be really secure with your your computer information, you don't want to be using an operating system that no longer gets support from the company that made it, because because that means no vulnerabilities will be patched. From that moment forward, you're pretty much on your own. You have gone into the dark forest, and you forgot to
bring your flashlight. It's pretty dangerous. UM. One of the things that you kind of uh that that I think it leads in from what you were saying before with these exploit kits. One of the most terrifying aspects of this type of malware and and the fact that that people can use it for nefarious purposes and monetary gain, is that you also have a population of people who don't even understand how the malware works. They don't even
Script kiddies is what I'm getting at. Script kiddies, that's the term we use for people who are, uh, they're benefiting from the the work that hackers have done. Hackers are the ones who are actually putting together the software. They're the ones who have identified the vulnerability and then exploited it in some way. Script kiddies are the ones who essentially they're given a set of skeleton keys, and
they didn't make the skeleton keys, they're just using them. Um. And it's scary because you don't need a level of expertise. You might think, oh, well, I'm kind of safe from hackers because how many people are actually hackers? How many people really know how this system works. Well, you don't have to really know how the system works. If you
have a tool that exploits a vulnerability. Oh absolutely. Although I really hate the word script kiddie, I will put it out there because I feel like if you're interested in information security, and if you're interested in becoming a good hacker, then you do start somewhere. And everybody is going to start with the easy tools that are out there and that are available for free. For example, one thing that I learned how to use a couple of
years back was this tool called Wireshark. It easily lets you see everything that's happening on your wireless network, or you can use it for um, any computers that are on your on your network, like behind your router, so you can see everything that's going on and you don't necessarily have to learn or understand what's going on behind it to be able to read what's on your
screen happening right in front of you. I think it's really important though, for people who might be called script kiddies to look at as being beneficial and that they can grow from that process. They can start from being a beginner and say, okay, well I need to understand the theory. Now I can move on from being a script kiddie quote unquote to becoming somebody who is an expert in some kind of information security out there. Yeah.
I when I think of the term script kiddie, in my mind, it's a very it's a subset of the people that typically get labeled as such. That subset being people who have little to no interest in actually learning how to hack or program. Uh, people who want a very very fast track way to gain either a reputation by being the person who took down a system by whatever means, or by making a whole lot of money
really fast for relatively little effort. Those are the ones I specifically think of when I think of script kiddie. But you are absolutely right, you have to start somewhere if you're interested in that is. I'm kind of defensive with that because I I was called a script kiddie when I first started up started off learning about hacking and information security. People would be like, oh, she's just a script kiddie, and I'd be like, well, I actually want to understand the theory. I want to learn how
to program. I want to learn how to code. I'm no longer called that because I have learned how to write certain kinds of code. I have learned how to program. I can make my Arduino do whatever I want. So at this point in my stage, I've surpassed that moment of being a noob and I've gone on to learning things and being able to understand specific tests and get them to do what I want them to do without finding tutorials online. Yea, so now I
make my own tutorials. See, now that's nice because when I started at HowStuffWorks, they call me that weird bald guy, and today they still do. So some labels just stick, is what I'm saying. So yeah, so, so that kind of covers the malware approach. People can make money through malware, either by selling your information UM, they might do so by another method, which kind of
leads into this idea of ransomware. So this would be malware specific type of malware that UM locks down your machine in some way so that you can no longer access it, and then you essentially get a message saying, hey, if you want if you want your data back, if you want access to your data, if you want to be able to do all this stuff, and you want our hands out of your business, then you've got to
pay us some moolah, some money. Shannon and I will have more to say about how hackers make all the dollar dollar bills y'all in just a moment, but first let's take a quick break. Yeah. So, basically what happens with ransomware is, uh, it is just like you said, a type of malware that gets distributed in one way, shape or form onto somebody's computer and it ends up encrypting their data. It could be a whole hard drive. It could be a folder of data. It's some kind
of important data that they have sitting on their computer. Uh. And in many cases, a thief the hacker will ask them in an email or maybe an encrypted text document that's now surreptitiously on their computer out of nowhere, to send them a certain amount of bitcoins, and they tell them how to set up a bitcoin wallet so that they can send the bitcoins to them for them to get a pass code to unlock their encrypted data. Now, the weird part is they already own this data is
on their own hard drive. It could be anything from like kids photos, it could be tax documents. But in any case, it's going to be some kind of important information that people don't want to lose because it might be years and years of information that's just on that computer. So of course people are going to send them bitcoins. And I think, last I checked, Bitcoin was a few hundred bucks, so it ends up being quite a bit of money that they have to send to get
their information unlocked. Yeah, and this is this is the type of malware. When we were talking about the advertising that was targeting people through massive news sites. If I'm not mistaken. It was specifically ransomware. It was the kind of stuff that was encrypting users. Uh yeah, yeah, so it wasn't just malware. It was ransomware that was infecting computers. Because malware can do other stuff too, right, it can
It can create something like a backdoor access. So yeah, hackers can take control of your machine or just monitor what you're doing. Even if they don't want to take control. They can put in key loggers so they can see what all your passwords are. Um, so you might want to think about using things like a really good password manager. UM that's what I use and and I love mine.
Uh yeah, so the things where you don't have to type the password and so you don't have to worry about key loggers picking up on that kind of stuff. But we'll talk more about that in just a second. So one of the other ones I wanted to talk about, This one is kind of a gray area because, uh, this is this. I titled this section spies like us um, and by this I meant state sponsored hackers. People who are hacking on behalf of a specific state or nation
or government. Um. Sometimes they may be doing so not with the Uh why should I say like, not with the express permission of the nation. It may turn out that the state says, hey, we didn't tell them to do this. They're just doing it because they love us so much and they hate and they hate you guys, and that's why they're doing it. Um. Whether that's true
or not depends upon the situation. I would I would think that if I were running a government and I had employed a bunch of hackers to infiltrate or sabotage another nation's systems, I also would like some plausible deniability in their Hey, I didn't tell him to do it. I just said, man, it's It's kind of like there's there's a story that a king of England once yelled out,
who will rid me of this meddlesome priest? And then a couple of knights went off and ridded him of his that meddlesome priest, and it turned out that he was he was just mad and just talking out loud. And then one of his dearest friends ended up being murdered by a couple of knights because they heard the guy talking and said, hey, we should get rid of them. We'll get rewarded. Um. That's why the states argue, I
don't know that that's always the case. Also, by the way, for you listeners out there who recognize who I'm talking about, send me an email and prove it, because I'm a medievalist and I love that stuff. Um. But yeah, this is something that we see. You know, you often will
hear stories about Chinese hackers or Russian hackers. There was a story, UH several years ago about how UH information security experts were noticing some artifacts in our power grid system that were indicative of UH people who had infiltrated that system and planted some stuff in there so that they could monitor things or perhaps even jump back into the power grid system should UH push come to shove in some sort of political situation. They had traced it
back to either China or Russia. It's pretty tricky to actually figure out where attacks ultimately originate from, because if you're really good, you can cover your tracks pretty well. Um. But the United States has done it too. You might
have heard about Stuxnet. That was the that was the computer virus that was designed to um to to spin a centrifuge in a nuclear facility at a speed greater than what it was supposed to spin at, and originally I think the hope was that it would cause a catastrophic failure and perhaps perhaps even destroy the facility. As it turned out, it caused a failure, but not
at that level. But that those are examples of something that's technically legal within the country because it's it's endorsed or at least permitted by a government, but you don't want it out there because it seems pretty darn shady to anybody else. Yeah. Yeah, So state sponsored hacks are more worrisome to me because they oftentimes have much larger targets.
For example, they might target a large government facility, like I don't know, the Pentagon, So I worried about those because those kind of servers have a lot of information on the citizens of any sort of country. Uh So, anytime you see these in the news, it's it's always like, oh, well, this this hack was done by Chinese state sponsored hackers, or Russian state sponsored hackers, or American state sponsored hackers,
and these are Korea. North Korea would be another big one. Yeah. Yeah, So so they are either it might be a team of hackers that are kind of comprised together in a illegitimate company who are hired by a government or like you say, where they may not necessarily have any affiliation quote unquote with the government, but the government ends up paying them in some way, shape or form for their infiltration because it ends up helping the government in some
way or another. And so it's it's a very sticky scenario when you start dealing with these state sponsored hackers, because it's it's hard to understand, Um, how are we going to, you know, penalize them? Who do we penalize? Do we penalize government or the hackers themselves? Or both? Like who was actually involved? It might end up being how do we address the underlying situation that led to the employment of hackers in the first place? Um, which
can get pretty pretty delicate. Another great example from not too long ago, or at least one that may or may not have been involved in may or may not have involved a state sponsored hacker I'm still somewhat skeptical of that would be the Sony hack. Oh yeah, because the Sony hack, the US government essentially was pointing fingers to North Korea, saying the hackers must have come
from North Korea. Look at this IP address, which we don't even need to go into detail right now, except to say that an IP address does not proof make But at any rate, they're they're pointing over at North Korea saying, we think the attacks came from there. The attack appears to be politically motivated North Korea for its part, the government, which, by the way, North Korea not shy about taking credit for stuff. But they said, no, no, we didn't. We we didn't ask for this, but we're
totally cool with it happening. Um, So you know, it's one of those. It's also very muddy because obviously when you're talking about things like espionage or sabotage or any of those things, Uh, you don't. You don't come out and talk more about it, you don't. That ends up being closed away. Um. In fact, I should, I should really throw that over to the Stuff They Don't Want You To Know guys and have them do an episode
on it, because I would be a lot of fun. Uh. And then we've got got the the traditional at least, I would argue the traditional concept of a hacker from the Hollywood perspective. The black hats, the ones that are wearing the hoodies and they're sitting at a keyboard and they're typing really fast on a green and black screen over. Yes, they've got got some junk food snail and they have a ton of different windows popping up on their computer
really really fast. You can't make out anything that's happening. It's entirely not true. That's not how it works. It's actually a somewhat slow process to get um basically, to get reconnaissance and to get into any kind of network. Uh. The only things I've done, of course, are completely legal. I've had an authorization by everybody who I have tested
my my abilities on. Right. Yeah, so black hats, that's that's another awkward definition because it's not one that I like to use all the time because black hat hacker means that there's it makes hackers have more of a negative appeal to a lot of people. So I always
just call them black hat thieves. Yeah. No, that's a great way of putting it, because, uh, typically you'll see things like um uh, the idea of infiltrating a system in order to steal information, perhaps to sell it to someone else, or to hold it against the party that you've stolen it from. Um, you know, so it might be extortion as opposed to uh to stealing and selling. Uh. Also, we should go ahead and point out something else that I'll talk about in a future episode, but I've mentioned
it in previous ones too. Um. Hackers don't necessarily just sit at a keyboard and type in strings of letters and numbers. They also do a lot of social engineering where or they can do a lot of social engineering where they attempt to gain access to systems, either by physically gaining access to a system, which makes it way easier than remotely doing it um, or even easier than that manipulating someone who does have access to a system,
and then you get it that way. Um. And it's surprisingly easy to do if employees have not been educated on how to spot that and avoid it. Yeah, properly training your your your employees at your place of work is really important when it comes to social engineering. And it is incredibly easy to do social engineering, especially when you're a female, I would imagine. So it turns out also if you are dressed as the stereotypical I T guy and you are there to quote unquote upgrade someone's machine,
really easy to get access to that machine. People are so eager. Yeah, and obviously, like social engineering, completely depends upon identifying and then exploiting a person's vulnerability and typically speaking like greed lust, those are two big ones that are exploitable, and that the people who are really good at social engineering know that, and they're very good at
that leveraging that. Just as knowing what sort of vulnerabilities typically show up within code, within within programs, you need to know what vulnerabilities show up in people. Um. And I also I had a little thing on here about botnet masters. Really what in this I was thinking about the people who are using malware to get that back door access to machines, to get uh, to get that administrative control over a wide array. Sometimes we call
it a botnet. Sometimes we call it a zombie army of of user computers, and then utilizing that to do stuff like uh distributed denial of service attacks or DDoS attacks, where you are uh directing an army essentially to coordinate an attack against an identified target. Sometimes
this is done just to cause problems. I mean, obviously, if you've ever had issues logging into like a gaming network, Xbox Live has had this happen, PlayStation has had this happen where people who are disenchanted with the service for one reason or another, or they just want to do it for the lulz. Uh, specifically around holiday times. That's a big that's a big target time to attack something
like Xbox Live. They'll direct a ton of traffic to break down servers, so servers can't respond to legitimate traffic because they're too busy responding to a bunch of fake traffic. Essentially, I'm oversimplifying, but this is a basic DDoS attack. It is. It's such a mean thing to do to those little kids during Christmas times, turn off their xboxes so that they can't log in and they can't play their games, so they just go on Yeah, yeah, I think, break
my heart. Gosh, it's it's a jerk move. It's a jerk move. Don't do it. I love the definition or I love the term zombie for botnets, because that's exactly what it is. Where you have a you have a zero, a patient zero, and that would be the
first computer. They end up biting a few more computers, and those ones end up getting infected with the same exact infection that patient zero had, and then those ones end up biting ten each so you end up with thousands upon thousands of these computers that each have the same exact infection, and they all end up perpetrating the
same exact vulnerability on whatever their target might be. Yeah, and then ultimately you end up with a situation where Negan is standing there with a baseball bat and you don't know whose head he's gonna cave in. I might have taken that metaphor a little too far. But one of the things that botnet controllers might do, and in fact, this has happened on multiple occasions. It's similar to ransomware is they'll send a message to an identified
target and say, hey, we we got your number. We're gonna come after you unless you pay us a certain amount of money. Um, we will unleash the dogs of war on your servers and you will be unable to do business. And there have been cases where businesses have folded to this kind of pressure, where they have in fact paid to do this because the hospital ended up doing that. Yes, yes it was. Yeah, I've seen a few cases of particularly malicious and odious acts against things
like hospitals. There was one year when I was participating in a charity for children's hospitals and the charity was targeted in the middle of the event and for about three hours they were offline trying to deal with that. Um, yeah, it's and in that case, it wasn't a it wasn't an attack in an effort to get money. I don't think I think it was just someone being truly an awful human being. But we have seen cases of people
trying to do this in order to extort money. So you're probably noticing some trends here extortion, stealing, uh, you know, holding things for ransom, this idea of making sure that that people are spending money for out of fear or out of a need to get back and and have access to something that belongs to them. These are all terrible, terrible motivations to make money, and as such, as such terrible motivations, you might think, well, wait a minute, how
are they actually like, how are they getting paid? How is this money transfer happening? Because you would think anything that would be traceable would end up being somewhat problematic. You've got a trail that leads back to you as a person, then pretty soon law enforcement's going to get involved, or at least the IRS. So so how Shannon do hackers? How do they get the money? So there's probably some ways that I don't even know about yet, but the ones that I can think of would be
trading of high value data. So that's a pretty big one where uh say a hacker collects a whole bunch of really really high value data like your Social Security number, your credit card accounts, your banking account, tons of information, and they decided to go on to a deep forum sell it, and then or trade it for something else
of high value, for example, a gift card. They could ask for people to give them a ton of gift cards that are like, you know, twenty five or fifty dollars each, and then use those gift cards at a retailer who is easily vulnerable to some kind of gift card scam, and in that sense they would be able to make some kind of money back through those gift cards and that trade of that high value uh data that they stole from whoever it might be, whatever company.
Another way would be bitcoins. Now that's probably the most obvious one, of course, because bitcoins are very very hard to track. Yes, they are traceable in some circumstances, depending on what kind of wallet you use, but in a lot of circumstances, the bitcoins will trade wallets so many times that it will be somewhat impossible to find out where it actually came from, where it actually started. Yeah, it's kind of interesting because every single bitcoin contains with
it a record of every transaction. But that does not mean that the parties involved are actually identifiable. It really is um. It's it's actually data that's used in order to allow for the mining of further bitcoins. It's a really fascinating process. But but one of the things that attracts people to bitcoins is this idea of being able to spend them anonymously and be able to purchase things, uh, whether legal or illegal, without it being traced back to
that person. You often will hear about things like, you know, the old Silk Road, where you could purchase all sorts of stuff, including illegal drugs or other materials, sometimes weapons, that kind of stuff, um, and you could do it through bitcoins, and people felt a high level of confidence because it was not a state backed currency. It was this independent cryptocurrency that allowed them that that freedom and
had real value because people want the bitcoins. If no one wanted the bitcoins, they wouldn't be worth anything, right, and bitcoins have actually been pretty steady last time I checked, so their value has been pretty decent in late days, in recent days, So so I completely understand why hacker would want to be paid in bitcoins. It makes sense. Yeah. Yeah, there's also the old, the old deal of putting the money into the the washing machine, right, that's how money
laundering work, right, Yes, money laundering. So that was something that I learned about way back in the day when I worked at a bank of all places, which also got me really interested in security before I started podcasting. But money laundering, it's very easy for somebody to go online, be able to sell this high value data, get some bitcoins or it might be some other form of currency, and then be able to resell that money or be able to trade a product to get real money, real
cash at one point or another. But basically it's it's um exchanging the hands that hold that money so many times that again it's very hard to trace. Yeah, and it's it's hard to determine that the original source of that money was anything remotely illegal. And then depending on again, if you're if you're a state sponsored hacker, you're probably just drawing a salary or doing contract work, so you're
actually getting paid. You get a pay check. Yeah. Yeah, so you've got money withdrawn from your paycheck to handle to support the government while you are subverting other governments. And then it looks completely legitimate. So that's a really easy way for somebody to do something that might be very, very bad. Yeah, because they are, They do have to pay the IRS, they do get a tax refund every year, they do have an employer, so it looks completely normal for them to be receiving a paycheck
for whatever work this might be. Yeah, we've got a little bit more to say about how hackers make money, but first let's take another quick break to thank our sponsor. So the nice thing is there aren't just quote unquote bad guys out there doing all this kind of of
work with computers, with a hacking, with discovering vulnerabilities. There are plenty of people, as as you mentioned earlier, Shannon, who are doing this in order to help others, either to make systems more secure or to inform people of how these kind of attacks happen so that they can be better prepared to defend themselves. So let's talk about some of them. Um, of course, if you have black hat hackers, right, you got the bad guys, you gotta have,
you gotta the white hat hackers. These are the These are the the noble bounty hunter characters of those westerns, the ones who you know they've seen things but deep down and they have a heart of gold. Well, not all of them, but a lot of a lot of my friends are considered white hat hackers. They're the people who either they work for a company that specializes in security.
So a lot of my friends work for these companies who will be contracted with big brands, go into their networks and then find out what the vulnerabilities are and fix them, or they will give them a report and tell them how to fix that fix it in the future. They make a lot of money. A lot of them don't like it because they have specific amounts of vulnerabilities or specific time frame set that they have to get this work done, and a lot of times hacking takes
a lot of time. It takes a lot of information reconnaissance. So a lot of my friends don't necessarily appreciate having to be under these time constraints with these big brands. Well, particularly since you figure the bad guys aren't under any particular time constraints exactly, So the bad guys have tons of time to find these vulnerabilities, while the white hats are under the stress of these time constraints to get the work done so that they make their bosses happy.
In this sense, a lot of my a lot of people that I know, have created their own security companies because of this fault in the generic nature of having these security companies. So they said, you know, I'm tired of having to deal with these constraints that my boss has given me. Just gonna open my own security company, and we're going to do it even better because we
won't give ourselves those time constraints. We'll give ourselves several months to find all the vulnerabilities that we absolutely can and then we'll write a report and we'll fix it. And uh, those are the ones that I would definitely work with if I had to hire a security company. Yeah, because they're the ones who are going to use the exact same kind of methodologies that bad guys are going to use. And if if you want to really be secure, you want the people to throw everything they can at
your system. So that you can find out are you actually secure? If you're what do you need to do to address it? Um? If you want to see a movie that that does a very fantasy version of this very idea, there's a film that I always think back to, Sneakers had Robert Redford and Dan Aykroyd, who plays a character named Mother. Ben Kingsley is in it, um. A ton of folks. River Phoenix was in it, um, and it's a, it's a movie about a group of kind of almost like outcasts who have grouped together to form
a company that they specifically do this. They try to infiltrate a company in order to test its security, not to exploit it, but rather to tell the company, hey, here's how we got in, here's how someone else could get in, So you need to plug this vulnerability, that kind of thing um. And then of course they get
involved in all sorts of shenanigans. And in case you are interested in the methodology, I actually find it very very interesting how they get their work done, because of course they have to go through the tennis match of back and forth with a brand name company, whatever it might be, So they'll have to get a purchase order, they'll do a little bit of negotiation for an amount that they'll do the work for, and then they'll go in and they'll gather information on the network and they'll
capture traffic, and they'll try to find any kind of vulnerabilities that are on that network, even with the people too. For example, they could use social engineering to get into the server rack uh physically, or they could get into a network that doesn't necessarily have a very good password on it. Uh. They could email clients that work there that are employed at the brand name company with I don't know malware-ridden PDFs for example, and they could
use wireless attacks. They could do war driving from the parking lot if they wanted to. And then what they'll do is write a very very long report so that the brand name company can see exactly what happened is on their network and exactly what they were able to do from from whatever back door they were able to get into. It's really interesting how how well they're able to put everything together in in turn hopefully save this
company in the long run thousands and thousands of dollars. Yeah, yeah, I mean this is the whole Security has always been a tick-tock approach, right? You've got the tick, which is where someone has identified a way of exploiting a system, and then the tock is where you find a way to correct that that vulnerability. The tick is the next time someone's found a vulnerability. Uh, you're always going to have that, right unless someone somehow designs the absolute perfect system,
which as far as we know, is an impossibility. Yeah, that's impossible. Yeah, because for one thing, if people are involved, there's no such thing as a perfect system. It's always a battle. And I love my video games, so I love a battle. But also it also drives other other industries though, because we'll see things like the artificial intelligence industry improve as a result of this security battle between hackers and uh, the infosec experts who are trying to
make sure that they're protecting systems. And as a result, we're we're getting information that can be used in other areas, which is phenomenal. Like I remember, here's a simple one. It's it's as far as security goes. This is as low level as it gets. But the CAPTCHA system, so when CAPTCHA was implemented, even the people who were writing CAPTCHA at the time, were not really thinking of it as being some sort of foolproof security
system to make sure that bots don't get into a system. Right, they weren't thinking, oh, now only human beings can get access. And if you don't know what a CAPTCHA is, anytime you get your filling out a thing and you get a little picture of something and it says, uh, tell you know, write down the word or numbers that are in this picture, or even to a point of identify the pictures in this sequence that have this particular feature, like identify all the pictures that have a lake in
it or something like that. That's a simply that's simply a version of CAPTCHA. Um. The people who made it, they actually said, our goal was really to help push artificial intelligence because we created a system where programmers or hackers had to start coming up with uh, computer programs that could identify the same things that we humans can identify. And in turn, that means now we've got software that
pushes forward artificial intelligence. Now, granted, that also means you have to improve the system you had designed to keep bots out in the first place. So again it goes to that tick-tock. But there's an added benefit beyond someone being able to to automatically access systems and build you know, dozens and dozens of fake profiles on Facebook or whatever
it might be, whatever that might be. Yeah, yeah, and then keep in mind, like like we've been saying here, I mean, any any systems security is only as strong as its weakest link. That weak link is pretty much
always people. That's the big one, right. But I mean, I've I've read stories about hacker gaining access to a system because there was an overall security system that was really robust for the main company, but then they had a little branch office and the branch office didn't have that crazy amount of security but was still on the same network. I think I read about that story too, So I mean, these are these are things like if you identify a potential point of weakness that's now suddenly
the you know, it's it's like a bank vault. If the bank vault has an enormous door with huge locks on it that you have to get through. Oh, but it also has a backdoor just for convenience sake, you're gonna aim for the back door. So but there are other ways that that hackers can can make a legitimate living that don't even involve testing security systems. It might involve education. Yeah, absolutely so education is I guess what you would say, I fall into that kind of category.
And while I I don't necessarily like to call myself a hacker because I know so many experts in the field who are much more knowledgeable than I am. I'm quite a intermediate, I would say, but I love to teach, and I love to give tutorials online, so I give
tutorials on YouTube. But I also know a lot of people who have either written books about hacking, uh, and they could do either specifics about penetration testing or they get to make it a very very wide based book where they explain everything that you would have to do as a penetration tester. And a penetration tester is basically one of those guys that would go into a company and, uh, find all the vulnerabilities and report on it.
You would also have companies that administer certifications, so a lot of I'm sure a lot of your your, um, listeners probably know that you have to get certifications to get a lot of, uh, to get into a lot of the fields with computer security and even just you know, computer networking too. Sure a lot of certs for those and they're very, very expensive. So a lot of companies just administer their certifications or they will have you take classes for a period of time until you actually take
the test and get certified. But that ends up being a really good thing to put on your resume for a lot of companies whenever you do intend to get a job in network security. And then lastly, we have the publishers. So that's the YouTubers, the that's the people that make podcasts. That's the people that um might be creating other forms of entertainment that not only educate but also entertain their users and their listeners so that they get excited about being a part of information security. Uh.
And that's what I like to do. I like to teach people in a way that makes it exciting. So I do a lot of hands on stuff. I I make, I make jokes, and I explain things in a very natural light and it helps it helps again foster that desire to learn how things work right. That does so again that that same fascination, like if you were ever a kid that took apart a watch or a radio or some other piece of equipment, because you really want to know what's the magic that makes this thing do
what it does? Uh, hackers have that, I mean, that's the that's that's the defining quality in my mind of a hacker is ultimately it's someone who is fascinated with the way something works. Uh. We've largely been focusing on software, but that is just as legitimate as any hardware hack. It's the idea of how does this It might not even just be the software, might be a full system, like how does the system work? What are all the
interlocking parts? How do they communicate with each other. I just had a random memory from when I was younger and in school. I took apart my first iPod because I had no clue how it worked, and I was very curious about what what the interior of it was. So I just I took it apart. I couldn't put it back together, So I was not hacker in any sense. We um we for for an article I was writing, We've got a first edition launch day Nintendo 3DS and it was my job to disassemble it and
take photos of all the pieces. So first I took a picture of it whole and shared it online on Twitter and said look what I have, and everyone got excited and then by the end of it, I had a little had a little black cauldron at my desk that was left over from a Halloween thing, and then I put all the different pieces because there was no way this thing was going back together after I took
it apart. For one thing, Nintendo is pretty careful about sealing stuff in such a way that's not meant to come apart, so um, so you have to use a little force in some cases in order to get to stuff. And then I showed a picture. I'm like, I'm like, look what I did to the thing. I made the entire Internet cry. Yeah, although ultimately I think the 3DS most people are like, oh whatever. But at the time when it was brand new, people were
freaking out. And of course there's there's also another role for for hackers out there. It may not be a steady gig, but we are seeing more and more of the Hollywood productions out there actually talk with people in the industry so that the depictions that we're getting are more accurately reflecting what really happens. Mr Robot is probably the example that immediately leaps to my mind, and that it's it's a show that tries very hard to take a more realistic approach to the world of hacking as
opposed to um. You type in three passwords, the third one gets you in, and then you're navigating through a vector graphics three D dungeon and you encounter a skull and cross bones. That's not how hacking works. It sounds like you were talking about Hackers. Hack the planet! I might have been. Education, just bring it back. But professors, I didn't leave you guys out. I'm sorry. I love you guys. You are the reason why I'm here now.
If I didn't take my computer courses in college with my professors, I would not be doing what I'm doing now. So professors are like at the top of that education list because and you can take a lot of computer security courses in college and sometimes in high schools if you're lucky. But yeah, technical assistants. So technical assistants are people that will come on board with a Hollywood movie or a TV show or what have you, and they will explain to the network how the hacking actually happens.
So I know a few, uh, they will They'll come to some of their hacker friends or they will be a hacker themselves and they will say okay uh. In this season, I know that they want to do X, Y and Z on camera, and I need to make it look legitimate, so they will come up with the script. They will come up with the hack and the actual keyboard commands that the actor has to type in on
camera so that they are actually doing legitimate hacks. So that way, they're not only making it look cool for a wider audience because an audience is actually going to see how a hack works, but they're also getting that credibility with the infosec community too. So Mr Robot is huge with the infosec community because it is legitimate. Like I've watched several of those episodes and I've seen a lot of the hacks that they do. They've even used some of our Hak5 products on the show,
and they're actually using legit hacks. And it is so much fun to see it on TV and see them get so many good reviews from a wider consumer audience, because it makes me feel like many more people are getting interested in infosec because they see what's happening on camera and they see that this is actually how you do it. Yeah, it's nice to see it go beyond uh. The the niche that I would argue, infosec and hacking has largely inhabited for the past three decades,
right, the people who have been interested. When it's first started, it was essentially your hobbyists, and often those hobbyists were isolated individuals. Uh. You got to the phone phreaking days where there was a little bit of a small subculture of people who were interested in hacking the telephone system
using all sorts of stuff, including a whistle from Cap'n Crunch. Uh. You had you had the the early hack days where people were just trying to create interesting programs for their computers or to see how some of the programs that were coming out, how did those work? Um, but it was largely a tiny slice of the folks who were even aware of personal computers, and and even that group
was still a tiny slice of the overall population. We're seeing that tiny slice grow over time, and largely because so many of us are so dependent upon computers these days that it benefits us to have an awareness to make sure that we remain safe. But also because of things like Mr Robot showing how this works and sparking the imagination of people who perhaps before they saw
that never thought, Yeah, it's kind of cool. I would love to be able to manipulate code in such a way that I could do something new or unexpected or help people. Uh. And it's really encouraging to see that kind of thing happen right now. I kind of wish it had happened ten years ago, but I love seeing
it happen now. Same. I actually feel like there was a little bit of negativity in in the aspect that we we used to have all these really fancy graphics happening on in these Hollywood movies and these TV shows, and now they're actually seeing the reality that is hacking, and it is not super colorful. It's not super quick, fast paced and exciting like it looks like it is
on those old school shows. So I'm hoping that now that they're actually seeing it, people will try it too. Like if they see, um, the main actor on Mr. Robot do a specific command line option, they'll go to their computer and try it themselves and see that it actually does work, and then they'll be like, oh, I really want to try some new stuff too, so they'll start googling and see what else they can find out.
That's the kind of inspiration that I wish happened thirty years ago, and it didn't, so I want to see more of that now, and I'm really happy that, for example, Mr Robot has done a great job with it. Yeah, it's it's and you not to not to poop all over Hollywood because I do loves mo Hollywood's but but
it is. And to understand where they were coming from, they were trying to find a way to create an exciting visual depiction of something that doesn't necessarily necessarily lend itself to that in order for to create a dramatic effect.
So I get it. It's very similar to the way Hollywood portrayed virtual reality back in the nineties, way before virtual reality was ready for public consumption, and it's what largely killed VR for a decade before the various video game systems started to make the very the components cheap enough for people to play in that space again, and
now we're on the verge of another VR revolution. The same sort of thing is true of hacking, Like how do you show hacking in a way that gets across what is happening to an audience and makes it interesting? I think largely you have to do that through really good writing of your characters, and once you do that,
then everything else follows. I think if if you can show that the characters in a movie or in a TV show are actually real people that have real relationships, they have real jobs and real lives, and they have hobbies outside of just hacking, you can really you can start to relate to that character in a very real sense in the fact that hey, they are humans too,
because hackers are people too. That was actually a documentary. Nice. Yeah, because again, when when you're when you're thinking about in the abstract, you're really it becomes that us versus them mentality, where by by its very nature, it's dehumanizing. But that's probably a topic for a show that's not about technology, So I will just leave it be. Shannon Morse, thank you so much for joining me today. Please let everyone know where they can find all of your stuff. Jonathan Strickland,
thank you. So it was a little it was a little, it was a little laden. Yeah. Yeah, I've been watching Star Trek lately, way way too much Star Trek. So you can find me. Um. The most direct path is on Twitter. I'm at snubs and that's s n u b s. And then my shows specifically are TekThing over at t e k thing dot com and Hak5 over at h a k five dot org. Yeah, so go check those shows out. They are awesome. Shannon and her co hosts are all awesome. I gotta get Corn.
I gotta get Darren on this. Yeah, no, you are cooler, but someday I gotta get Darren on the show. Um. I don't think Darren and I have ever I think we may have been on one of Tom Merritt's shows at the same time, but otherwise I don't think we've ever done a show together at any rate. Yeah, I know, it's crazy, right that happen. Let's let's do that. Let's do that. And that wraps up this classic episode of
tech Stuff. I hope you guys enjoyed this look back on some of the episodes that I've done over the past couple of years. These are more recent than some of our other classic episodes. We've been running on Fridays, and like I said before, I should be back in the office recording brand new stuff. You're gonna hear a whole arc of episodes about our relationship with media and how media has changed over time, how the business of media has changed, how our consumption of media has changed.
It's a huge, huge topic and it spans multiple episodes, so I hope you enjoy that. It's been fascinating for me to jump into that research and kind of break this out, and um, it was actually I didn't know how big a bite I was taking at the time when I started. And uh, I hope you you enjoy it when you start hearing those episodes. If you have any suggestions for future episodes of tech Stuff, send me a message. The email address is tech stuff at how
stuff works dot com. Drop on by our website that's tech stuff podcast dot com. There you'll find an archive of all of our episodes. You'll find links to our social media presence, and you'll find a link to our online store, where every purchase you make goes to help the show. And we greatly appreciate it. And I'll talk to you again really soon. For more on this and thousands of other topics, visit how stuff works dot com.
