Welcome to TechStuff, a production from iHeartRadio. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio and how the tech are you? Y'all, it is time for a classic TechStuff episode. This is one where my friend Shannon Morse joined the show. Shannon is a really talented communicator of technology. She's a hacker, she's fantastic. She's got a ton of content out there online. So highly recommend you check out Shannon if you are
unfamiliar with her work. She's great. And on this episode we talked about hacking for dollars, the various ways that hackers make money by being, you know, hackers, and this episode published on Star Wars Day back in twenty sixteen. That of course is May the fourth on twenty sixteen.
Sit back and enjoy. The term hacker is actually a very broad term that can apply to a lot of different things, and not all of them are that nefarious evil infiltrate a system and steal all the corporate secrets kind of approach to hacking that Hollywood often presents. Right, right, exactly. I actually ask this question to a lot of people, especially when I first meet them. Since I'm so closely affiliated with a lot of the infosec community,
I want to surround myself with positive people. So you'll notice with the hacker definition, you can either get a very negative vibe from somebody or a very positive vibe. Oftentimes, with the negative vibe, you'll get somebody who says, oh, that's the person who stole my credit card data when
I went to a restaurant the other day. But on the positive side, you'll get somebody that says, oh, they're the kind of people that will break something apart and then put it back together in a way that it wasn't supposed to be put back together to make it do something cool. And that's a hack in mainstream. So that's the way I see it. I see hackers as
being people who reverse engineer different software, different hardware. It could just be a bicycle, for example, and put it back together in a way to make it harder, better, faster, and stronger. Nice, the old Daft Punk approach. Of course. Yeah, I agree entirely. The original term hacker was really all about people who have almost an insatiable curiosity to learn
how stuff works. Oddly enough, I share that quality having worked at HowStuffWorks for a decade, but yeah, to understand how it works and then to make stuff do things it wasn't necessarily intended to do. Not for nefarious purposes necessarily, although that could clearly be an application, but just for curiosity's sake. Can I take these elements that are meant to do this one thing and do something completely transformative with it, whether it is hardware or software.
And we've seen some really cool stuff come out of that. I mean, I would argue that a lot of the things you see in the cosplay world and the steampunk world, those are all taking elements of hacking. Maker Faire is really just a hacker's paradise when you get down to it, especially for hardware hacks. Absolutely, I'm kind of sad I'm going to miss Maker Faire this year. I haven't been to one yet. I've been to a small one here
in Atlanta, a very modest Maker Faire. Everyone there was great and passionate and intelligent, but it was, you know, a much smaller scale than something you would see in the Bay Area. Yeah, but that's the kind of thing
that hacker means to me. Now that being said, in this episode, we're really going to be focusing on sort of the computer oriented, really the software side of hacking, and a large part of it's going to be on the bad guy, the naughty bits, as I call it in our notes about simply to talk about what are the ways that hackers cause or the malicious hackers cause problems,
how do they expect to profit from that? And also we'll look at ways that hackers who don't follow that path, who are looking to help people, not hurt people, how do they make a living Because it's one of those things where you kind of take it for granted when you see the Hollywood depiction of a hacker, the person sitting down. Usually they're sitting at a keyboard and for some reason, their monitor only is monochromatic green. Yes, that's
so true. Well, yeah, they're using the old Apple II, um, terminals are actually written in green oftentimes, but you can change the colors to rainbow colors if you choose. That is a hack, it's a real life hack. Yeah, yeah. And usually you see them sitting down and then they cause some sort of mischief, sometimes bordering on sabotage. But then when you think about it outside of the context of that scene, you think, oh, how did they expect to profit from this? Yeah, so that's kind of
what we're looking at. Yeah, because it's always important to me to reiterate too that there are always going to be two sides of a coin to everything in life. Of course, there are going to be bad guys in the in the world who do nefarious hacks, but there's also a lot of good guys too, And personally, for me, the reason why I'm so interested in researching this is because it has made me a much more privacy and
security guarded person. I've gotten a lot better at my own protections online, and I feel like if somebody else can understand what a hacker does on the bad side as well as the good side, they can better protect themselves too, And that's what I've always tried to teach people. Yeah, I think all you have to really do is attend
one DEF CON and really have that driven home. I have not yet gone to a DEF CON, mostly because I don't know that I could part with my smartphone for that long and I certainly wouldn't take it with me. Bring a burner phone, you'll be fine. Yeah, that's me, Jonathan, the guy which carries the burner. It makes sense, I
mean when you're doing something like that. So for those who don't know, DEF CON is a large hacker based conference largely looking at the realm of information security, and often they will you'll have entire presentations dedicated to showing off vulnerabilities and security, again not necessarily so that people can take advantage of them, but rather to raise awareness and to kind of force the hands of the parties that are responsible for that software to take action and fix
a problem. Right, like that was what we saw with the hack about remotely taking control of a person's vehicle, specifically Jeep was really having that issue. That was one of those things where the researchers were saying, look, we're bringing this to light, not so that we can create an era where people are terrified of their vehicles that someone's going to take remote control of their car, but rather to really drive home the fact that the information security
is now it's important everywhere. It's not just your phone, it's not just your computer. As the Internet of Things continues to blossom, it's everything. Yes, I agree, And in that sense, those researchers were trying to use something the old school term is called responsible disclosure where they explain some kind of vulnerability that they found to the company in hopes that the company will fix this problem before it becomes mainstream and before it gets out into the wild.
In the case of Jeep, I believe, if my memory serves me right, that Jeep did not necessarily release a patch for this vulnerability. So then the researchers decided to go out publicly about the information that they found, and then Jeep decided to fix it once everybody else knew about it, right, And sometimes that's what it takes. And I've had the same discussion offline with a mutual friend of ours, Brian Brushwood. Brian is a stage magician. He
has a show called Scam School. It's all about social engineering. One of the things I have talked about with Brian is that his show, he often shows how to do certain types of scams or tricks, but they're mostly in the bar bet world, right? Like, not stuff that you would do to ruin someone's life, but something that you know you might want to you might win a free beer
that way. Yeah, And he showed off He had an episode where he showed off this guy who had was demonstrating a well known vulnerability of a popular bike lock that has been off the market for a couple of years because of this vulnerability. But that particular vulnerability meant that you could use a regular plastic pen, remove the pen part of the pen, use the casing, and jam
that into the lock and pop the lock open. Oh that's horrible, right, And so people were complaining in the comments, they were saying, you're you're, you're publicizing this vulnerability, And I said, guess what, the bad guys already know about this vulnerability. What they're doing is publicizing it to a public that might be still vulnerable to it so that they don't fall victim. And that, to me is a
very important part of hackers across the board. They serve very important purpose to alert folks to potential dangers before it gets too late. Yeah. Absolutely. And you're those hackers are the people that are generally working to make a better world for consumers at about a private and secure world for consumers. But then, of course, on the other hand, are the baddies. Yeah, let's talk about some of them.
So I kind of gave some weird little titles for this when I was typing it up, because in the middle of the week I get bored, Shannon. Let's be honest, and so when I was making an outline kind of for us to work from, I started coming up with goofy subtitles. So this whole section is titled the Naughty Bits in our notes, and the first one is malware moolah, as in people who make money through
the development or distribution of malware. And malware, as I've said on this show many times in order to define it, it's really software that is intended to do something that is ultimately harmful to the person who runs that software
on their machine. It covers a wide array of different subcategories, like, uh, you know, this is the sort of term that we normally would have in the old days just called a computer virus. But computer virus is a very specific thing, and malware covers more stuff than just viruses, also worms and all sorts of stuff. Yeah, there's there's malware for Java and Flash. If you still have Flash installed, I highly recommend that you uninstall it if you don't
need it. There's malware for browsers. There's malware for advertisements online for sponsors that you'll see like on different websites that was a very recent problem that a lot of news publications had with yeah, big name news publication, but yeah,
so that was a big one. But you'll see malware all over the place, and luckily we do have anti-malware software that we can use to protect our computers from it, and we can also block certain ports on our routers that can hopefully protect you from malware. But there's also a lot of cases where malware is distributed and built so quickly that a lot of those
anti-malware software are not updated quick enough. So in that case, we need to do the best that we can to protect ourselves and keep malware from getting out
from the deep web. Yeah, you know, it used to be that you really all you needed to worry about was just don't go to the more seedy elements of the web, and you were generally all right, right, Yeah, It's kind of like avoiding a bad neighborhood, Like, yeah, obviously, if you don't want to get robbed, there are certain neighborhoods that you should probably shouldn't walk around in by yourself at night, right, And this is kind of similar in that case where you avoid the deep web unless
you really want to be on somebody's like hit list or something like that. Yeah. Yeah, if you suddenly think that you want to come across as a big shot, look if you're not a big shot, don't do that. It's kind of like, kind of like walking up to someone who works in a carnival and claiming that you're with it and for it. If you don't know what that means, you do not say that. Okay, I think I just gave terrible advice to an entire population of listeners. Yeah, don't, don't.
Don't talk to carnies unless you are one, all right, so, uh, and I love you carnies, I love you all. So the the thing that we're getting across, though, is that today that's not as big a guarantee as it used to be. Right, like ten years ago, you'd say, look, just be careful. Don't download unusual files. Don't don't run a file that's linked in your email without checking it out first, don't. Don't, you know, be careful opening up
emails from things that you don't recognize. Be careful with PDF files, Be careful with stuff, especially unsolicited stuff that has come to you, because that raises the chances that something hinky is going on. It doesn't necessarily mean it's definitely a problem, but it's potentially a problem, and it's better to be safe than sorry. Make sure you have good antivirus software on your computer, make sure you have a nice strong firewall. All of these kind of things.
Those used to be pretty good at keeping nine of the malware away from you if you were being a fairly responsible netizen. These days, they definitely help. These days, these days, the attacks are sometimes getting like in the case of the advertisements on news sites. These are attacks that are going through avenues that you at one
point would have considered perfectly safe. Right, Not that it's happening all the time, but the fact that it can happen tells you that it requires an extra level of vigilance beyond what we used to say was sufficient. Yeah. Absolutely, A data collection for a lot of this malware is extremely It's high sensitive in the fact that a user's data can get so much money on the on the deep web, so much money, really, particularly a collection of
user data, that's where the big money is, right. I did an episode once where we tried to break down how much is your personal information worth? It? Really bucks? Yeah, it really depends. It depends upon what information you're talking about, Like how extensive is that profile on a person? But yeah,
it's not much in the grand scheme of things. Like to you, it's worth a lot, right you as a person, Shannon, Right, you as a person, that information is worth a lot of money to you, Yeah, because it's who you are. To someone else, it's worth pennies on the dollar, really
depending up, depending upon the amount of information. But the malware often is giving hackers access to massive amounts of info about a huge number of people, and in numbers there is more value, and that's where they will sell that. Sometimes they sell it to companies that are just interested in getting information so that they can do targeted advertising. So it might be that the ultimate use of your
information isn't as bad as it could be. It just means you're going to get some ads, but still not fun to think about and to think that you know, now these companies have access to information about you that you probably would rather they not have, particularly in targeted advertising. The famous story about Target when they started sending ads to a young lady that were related to pregnancy, yep, and then her dad got really really ticked off about it.
But it turned out that little girl was pregnant, yeah, and that it was because the algorithms had picked up through her search habits that she was pregnant based upon the search terms she was putting in, and so they proactively sent her some coupons for pregnancy related items. The dad got very upset. Then the dad ended up apologizing to Target, saying that he was unaware at the time of the full situation. Well, in that case, it was search algorithm, wasn't a hacker who had gained access to
stuff and then sold it. But there are other cases where that does happen, yeah, where you know, just a database of info and a lot of times they will release this malware in something that's called an exploit kit. So generally, these exploit kits are like a batch of similar malware that will work across several different platforms, so that whether that's several different types of software like Java
and Flash, or several different browsers. It could be several different operating systems too. So you might see an exploit kit that works on Linux 14.04 but also works on Windows XP up through eight or something like that. Right. And what's crazy is that when you start looking at I mean, this is one of the things that hackers do, right? They'll look at operating systems and what the market penetration is for those systems, because that's that shows you where
your target rich environment is. Right. So if you have Windows 7, guess what, you are prime target for malware because that is by far the largest that has the greatest market share of any operating system right now. Yeah, Windows XP still, it's number three, number three, and it has not been supported by Microsoft for
two years. This, by the way, bad thing. If you want to be really secure with your your computer information, you don't want to be using an operating system that no longer gets support from the company that made it, because because that means no vulnerabilities will be patched. From that moment forward, you're pretty much on your own. You have gone into the dark forest, and you forgot to bring your flashlight. It's pretty dangerous. One of the things that you kind of I think leads in from what
you were saying before with these exploit kits. One of the most terrifying aspects of this type of malware and and the fact that that people can use it for nefarious purposes and monetary gain is that you also have a population of people who don't even understand how the malware works. They don't even... script kiddies is what I'm getting at. Script kiddies, that's the term we use for people who are they're benefiting from the work that hackers
have done. Hackers are the ones who are actually putting together the software. They're the ones who have identified the vulnerability and then exploited it in some way. Script kiddies are the ones who essentially they're given a set of skeleton keys, and they didn't make the skeleton keys, they're just using them. And it's scary because you don't need a level of expertise. You might think, oh, well, I'm kind of safe from hackers because how many people are
actually hackers? How many people really know how this system works? Well, you don't have to really know how the system works if you have a tool that exploits a vulnerability. Oh, absolutely. Although I really hate the word script kiddie, I will put it out there because I feel like if you're interested in information security, and if you're interested in becoming a good hacker, then you do start somewhere and everybody is going to start with the easy tools that are
out there and that are available for free. For example, one thing that I learned how to use a couple years back was this tool called Wireshark. It easily lets you see everything that's happening on your wireless network, or you can use it for any computers that are on your network, like behind your router, so you can see everything that's going on and you don't necessarily have to learn or understand what's going on behind it to be able to read what's on your screen happening right
in front of you. I think it's really important though, for people who might be called script kiddies to look at as being beneficial and that they can grow from that process. They can start from being a beginner and say, okay, well I need to understand the theory. Now I can move on from being a script kiddie quote unquote to becoming somebody who is an expert in some kind of information security out there. Yeah. When I think of the term script kiddie, in my mind, it's a it's a
subset of the people that typically get labeled as such. Yeah, that subset being people who have little to no interest in actually learning how to hack or program, people who want a very very fast track way to gain either a reputation by being the person who took down a system by whatever means, or by making a whole lot of money really fast for relatively little effort. Those are the ones I specifically think of when I think of script kiddie. But you are absolutely right, you have to
start somewhere if you're interested. It is. I'm kind of defensive with that because I was called a script kiddie when I first started up started off learning about hacking and information security. People would be like, oh, she's just a script kiddie, and I'd be like, well, I actually want to understand the theory. I want to learn how to program. I want to learn how to write code. I'm no longer called that because I have learned how to certain kinds of code. I have learned how to program.
I can make my Arduino do whatever I want. So at this point in my stage, I've surpassed that moment of being a noob, and I've gone on to learning things and being able to understand specific tasks and get them to do what I want them to do without finding tutorials online. Yeah, so now I make my own tutorials. See, that's nice because when I started at HowStuffWorks, they call me that weird bald guy, and today they
still do. Shannon and I will be back to talk more about hacking for dollars in just a moment, but first let's take this quick break. So that kind of covers the malware approach. People can make money through malware, either by selling your information, they might do so by another method, which kind of leads into this idea of ransomware.
So this would be malware specific type of malware that locks down your machine in some way so that you can no longer access it, and then you essentially get a message saying, hey, if you want if you want your data back, if you want access to your data, if you want to be able to do all this stuff, and you want our hands out of your business, then
you've got to pay us some moolah. Yeah. So basically what happens with ransomware is it is, just like you said, a type of malware that gets distributed in one way, shape or form onto somebody's computer and it ends up encrypting their data. It could be a whole hard drive, it could be a folder of data. It's some kind of important data that they have sitting on their computer.
And in many cases, a thief the hacker will ask them in an email or maybe an unencrypted text document that's now surreptitiously on their computer out of nowhere, to send them a certain amount of bitcoins, and they tell them how to set up a bitcoin wallet so that they can send the bitcoins to them for them to get a pass code to unlock their encrypted data. Now, the weird part is they already owned this data. It's on their own hard drive. It could be anything from
like kids photos, it could be tax documents. But in any case, it's going to be some kind of important information that people don't want to lose because it might be years and years of information that's just on that computer. So of course people are going to send them bitcoins. And I think last I checked, a bitcoin was a few hundred bucks, so it ends up being quite a bit of money that they have to send to get their information unlocked. Yeah, and this is this is the
type of malware. When we were talking about the advertising that was targeting people through massive news sites, if I'm not mistaken, it was specifically ransomware. It was the kind of stuff that was encrypting users. Yeah. Yeah, so it wasn't just malware. It was ransomware that was infecting computers. Because malware can do other stuff too, right, it can It can create something like a backdoor access Oh yeah, yeah, can take control of your machine or just monitor what
you're doing. Even if they don't want to take control, they can put in key loggers so they can see what all your passwords are. So you might want to think about using things like a really good password manager. Yeah, that's what I use and I love mine. Yeah, so the things where you don't have to type the password in so you don't have to worry about key loggers picking up on that kind of stuff. But we'll talk more about that in just a second. So one of
the other ones I wanted to talk about. This one's kind of a gray area because this is this I titled this section spies like Us, and by this I meant state sponsored hackers. People who are hacking on behalf of a specific state or nation or government. Sometimes they may be doing so not with the what should I say, like, not with the express permission of the nation. It may turn out that the state says, hey, we didn't tell
them to do this. They're just doing it because they love us so much and they hate and they hate you guys. Yea, and that's why they're doing it. Whether that's true or not depends upon the situation. I would I would think that if I were running a government and I had employed a bunch of hackers to infiltrate or sabotage another nation's systems, I also would like some plausible deniability in there. Hey, I didn't tell him to
do it. I just said, man, it's kind of like there's there's a story that a king of England once yelled out, who will rid me of this meddlesome priest? And then a couple of knights went off and ridded him of that meddlesome priest and it turned out that he was he was just mad and just talking out loud. And then one of his dearest friends ended up being murdered by a couple of knights because they heard the guy talking and said, hey, we should get rid of them.
We'll get rewarded. That's why the States argue, I don't know that that's always the case. Also, by the way, are you listeners out there who recognize who I'm talking about send me an email and prove it because I'm a medievalist and I love that stuff. But yeah, this is something that we see. You know, you often will
hear stories about Chinese hackers or Russian hackers. There was a story several years ago about how information security experts were noticing some artifacts in our power grid system that were indicative of people who had infiltrated that system and planted some stuff in there so that they could monitor things or perhaps even jump back into the power grid system should push come to shove in some sort of political situation. They had traced it back to either China
or Russia. It's pretty tricky to actually figure out where attacks ultimately originate from, because if you're really good, you can cover your tracks pretty well. But the United States has done it too. You might have heard about Stuxnet. That was the that was the computer virus that was designed to to spin a centrifuge in a nuclear facility at a speed greater than what it was supposed to spin at.
And originally I think the hope was that it would cause a catastrophic failure and perhaps even destroy the facility. As it turned out, it caused a failure, but not at that level, but that those are examples of something that's technically legal within the country because it's it's endorsed or at least permitted by a government, but you don't want it out there because it seems pretty darn shady
to anybody else. Yeah. Yeah, So state sponsored hacks are more worrisome to me because they oftentimes have much larger targets. For example, they might target a large government facility, like I don't know, the Pentagon, So I worry about those because those kind of servers have a lot of information
on the citizens of any sort of country. So many time you see these in the news, it's always like, oh, well, this this hack was done by Chinese state sponsored hackers, or Russian state sponsored hackers, or American state sponsored hackers,
and these are North Korea would be another big one. Yeah. Yeah. So so they are either it might be a team of hackers that are kind of comprised together in a illegitimate company who are hired by a government, or like you say, where they may not necessarily have any affiliation quote unquote with the government, but the government ends up paying them in some way, shape or form for their infiltration because it ends up helping the government in some way or another.
So it's it's a very sticky scenario when you start dealing with these state sponsored hackers, because it's it's hard to understand, how are we going to, you know, penalize them? Who do we penalize? Do we penalize government or the hackers themselves? Or both? Like, who was actually involved? It might end up being how do we address the underlying situation that led to the employment of hackers in the first place, which can get pretty pretty delicate.
Another great example not too long ago, or at least one that may or may not have been involved in may or may not have involved a state sponsored hacker I'm still somewhat skeptical of that would be the Sony hack. Oh yeah, because the Sony hack, the US government essentially was pointing fingers to North Korea, saying the hackers must
have come from North Korea. Look at this IP address, which we don't even need to go into detail right now, except to say that an IP address does not proof make but at any rate, they're pointing over at North Korea saying we think the attacks came from there. The attack appears to be politically motivated North Korea for its part, the government, which, by the way, North Korea not shy about taking credit for stuff, but they said, no, no, we didn't, we didn't ask for this, but we're totally
cool with it happening. So you know, it's one of those. It's also very muddy because obviously when you're talking about things like espionage or sabotage or any of those things, you don't you don't come out and talk more about it, you don't. That ends up being closed away. Yeah, in fact, I should, I should really throw that over to the stuff they don't want you to know guys and have them do an episode on it, because that would be
a lot of fun. And then we've got got the the traditional at least, I would argue the traditional concept of a hacker from the Hollywood perspective. The black hats, the ones that they are wearing the hoodies, and they're sitting at a keyboard and they're typing really fast on a green and black screen over Yes, they got like, got some junk food food around them. Yeah, mail, and they have a ton of different windows popping up on their computer. Really, you're really fast, so you can't make
out anything that's happening. It's entirely not true. That's not how it works. It's actually a somewhat slow process to get, um, basically, to get reconnaissance and to get into any kind of network. The only things I've done, of course, are completely legal. I've had an authorization by everybody who I have tested my abilities on. Right. Yeah,
so black hats. That's That's another awkward definition because it's not one that I like to use all the time because black hat hacker means that there's it makes hackers have more of a negative appeal to a lot of people. So I always just call them black hat thieves. Yeah. Now, that's a great way of putting it, because typically you'll see things like um uh, the idea of infiltrating a system in order to steal information, perhaps to sell it to someone else, or to hold it against the party
that you've stolen it from. Um, you know, so it might be extortion as opposed to to stealing and selling. Also, we should go ahead and point out something else that I'll talk about it in a future episode, but I've mentioned it in previous ones too. Hackers don't necessarily just sit at a keyboard and type in strings of letters
and numbers. They also do a lot of social engineering where or they can do a lot of social engineering where they attempt to gain access to systems, either by physically gaining access to a system, which makes it way easier than remotely doing it, or even easier than that manipulating someone who does have access to a system, and then you get it that way, and it's surprisingly easy to do if employees have not been educated on how
to spot that and avoid it. Yeah, properly training your employees at your place of work is really important when it comes to social engineering. And it is incredibly easy to do social engineering, especially when you're a female, I would imagine. So it turns out also if you are dressed as the stereotypical IT guy and you are there to, yeah, quote unquote upgrade someone's machine. Really easy to get access
to that machine. Yeah, people are so eager. Yeah. And obviously, like social engineering completely depends upon identifying and then exploiting a person's vulnerability and typically speaking like greed lust, those are two big ones that are exploitable and that the people who are really good at social engineering know that,
and they're very good at that leveraging that. Just as knowing what sort of vulnerabilities typically show up within code within programs, you need to know what vulnerabilities show up in people. And I also I had a little thing on here about botnet masters. Really what in this I was thinking about the people who are using malware to get that backdoor access to machines, to get to get
that administrative control over a wide array. Sometimes we call it a botnet, sometimes we call it a zombie army of user computers, and then utilizing that to do stuff like distributed denial of service attacks, or DDoS attacks, where you are directing an army essentially to coordinate an attack against an identified target. Sometimes this is done just to cause problems. I mean obviously if you've ever
had issues logging into like a gaming network. Xbox Live has had this happen, PlayStation has had this happen, where people who are disenchanted with the service for one reason or another, or they just want to do it for the lulz, specifically around holiday times. That's a big that's a big target time to attack something like Xbox Live. They'll direct a ton of traffic to break down servers, so servers can't respond to legitimate traffic because they're too
busy responding to a bunch of fake traffic. Essentially, I'm oversimplifying, but this is a basic DDoS attack. It is. It's such a mean thing to do to those little kids during Christmas time, just turn off their Xboxes so that they can't log in and they can't play their games, so they just go on. Yeah, yeah, I think, break my heart. Gosh, it's a move. It's a jerk move. Don't do it. Yeah. I love the definition, or I love the term zombie for botnets, because that's exactly what
it is. Where you have a you have a zero, a patient zero, and that would be the first computer. They end up biting a few more computers, and those ones end up getting infected with the same exact infection that patient zero had, and then those ones end up biting ten each, So you end up with thousands upon thousands of these computers that each have the same exact infection, and they all end up perpetrating the same exact vulnerability
on whatever their target might be. Yeah, and then ultimately you end up with a situation where Negan is standing there with a baseball bat and you don't know whose head he's gonna cave in. I might have taken that metaphor a little too far. But one of the things that botnet controllers might do, and in fact, this has happened on multiple occasions. It's similar to ransomware is they'll send a message to an identified target and say, hey, we we got your number. We're going to come after you.
Unless you pay us a certain amount of money, we will unleash the dogs of war on your servers and you will be unable to do business. And there have been cases where businesses have folded to this kind of pressure, where they have in fact paid to do this because the hospital. Yes, yes, it was. Yeah, I've seen a few cases of particularly malicious and odious acts against things
like hospitals. There was one year when I was participating in a charity for children's hospitals and the charity was targeted in the middle of the event and for about three hours they were offline trying to deal with that. Yeah, it's and in that case it wasn't. It wasn't an attack in an effort to get money. I don't think. I think it was just someone being truly an awful human being. But we have seen cases of people trying
to do this in order to extort money. So you're probably noticing some trends here extortion, stealing, you know, holding things for a ransom, this idea of making sure that people are spending money out of fear or out of a need to get back and have access to something that belongs to them. These are all terrible, terrible motivations to make money, and as such, as such terrible motivations, you might think, well, wait a minute, how are they actually like, how are they getting paid? How is this
money transfer happening? Because you would think anything that would be traceable would end up being somewhat problematic. You've got a trail that leads back to you as a person, then pretty soon law enforcement's going to get involved, or at least the IRS. So how, Shannon, do hackers, how do they get the money? So there's probably some ways that I don't even know about yet, but the ones that I can think of would be trading of high
value data. So that's a pretty big one, where say a hacker collects a whole bunch of really really high value data like your Social Security number, your credit card accounts, your banking account tons of information and they decide to go on to a deep web forum sell it, and then or trade it for something else of high value,
for example, a gift card. They could ask for people to give them a ton of gift cards that are, like you, twenty five or fifty dollars each, and then use those gift cards at a retailer who is easily vulnerable to some kind of gift card scam, and in that sense they would be able to make some kind of money back through those gift cards and that trade of that high value data that they stole from whoever it might be, whatever company. Another way would be bitcoins.
Now that's probably the most obvious one, of course, because bitcoins are very very hard to track. Yes, they are traceable in some circumstances, depending on what kind of wallet you use, but in a lot of circumstances, the bitcoins will trade wallets so many times that it'll be somewhat impossible to find out where it actually came from, where
it actually started. Yeah, it's kind of interesting because every single bitcoin contains with it a record of every transaction, but that does not mean that the parties involved are actually identifiable. Yeah, exactly. It really is. It's actually data that's used in order to allow for the mining of
further bitcoins. It's a really fascinating process. But one of the things that attracts people to bitcoins is this idea of being able to spend them anonymously and be able to purchase things, whether legal or illegal, without it being
traced back to that person. You often will hear about things like, you know, the old Silk Road, where you could purchase all sorts of stuff, including illegal drugs or other materials, sometimes weapons, that kind of stuff, and you could do it through bitcoins, and people felt a high level of confidence because it was not a state backed currency. It was this independent cryptocurrency that allowed them that freedom
and had real value because people want the bitcoins. If no one wanted the bitcoins, they wouldn't be worth anything, right, And bitcoins have actually been pretty steady last time I checked, so their value has been pretty decent in late days, in recent days, So I completely understand why a hacker would want to be paid in bitcoins. It makes sense. Yeah. Yeah, there's also the old, the old deal of putting the money into the washing machine. Right, that's how money laundering works, right, Yes,
money laundering. So that was something that I learned about way back in the day when I worked at a bank of all places, which also got me really interested in security before I started podcasting. But money laundering, it's very easy for somebody to go online, be able to sell this high value data, get some bitcoins or it might be some other form of currency, and then be able to resell that money or be able to trade a product to get real money, real cash at one
point or another. But basically it's it's um exchanging the hands that hold that money so many times that again it's very hard to trace, yeah, and it's it's hard to determine that the original source of that money was anything remotely illegal. And then depending on again, if you're if you're a state sponsored hacker, you're probably just drawing a salary or doing contract work, so you're actually getting paid.
You get a paycheck, yeah, yeah, so you got money withdrawn from your paycheck to handle to support the government while you are subverting other governments, and then it looks completely legitimate. So that's a really easy way for somebody to do something that might be very very bad. Yeah, because they are they do have to pay the IRS. They do get a tax refund every year, they do have an employer, so it looks completely normal for them
to be receiving a paycheck for whatever work this might be. Yeah, So the nice thing is there aren't just quote unquote bad guys out there doing all this kind of work with computers, with a hacking, with discovering vulnerabilities. There are plenty of people, as as you mentioned earlier, Shannon, who are doing this in order to help others, either to make systems more secure or to inform people of how these kind of attacks happen so that they can be
better prepared to defend themselves. So let's talk about some of them. Of course, if you have black hat hackers, right, you got the bad guys you gotta have, you gotta have the white, white hat, white hat hackers. These, these are the noble bounty hunter characters of those westerns, the ones who you know they've seen things, but deep down they have a heart of gold. Well, not all of them, but a lot of my friends are considered white hat hackers.
They're the people who either they work for a company that specializes in security. So a lot of my friends work for these companies who will be contracted with big brands, go into their networks and then find out what the vulnerabilities are and fix them, or they will give them a report and tell them how to fix them fix it in the future. They make a lot of money.
A lot of them don't like it because they have specific amounts of vulnerabilities or specific timeframe set that they have to get this work done, and a lot of times hacking takes a lot of time. It takes a lot of information reconnaissance. So a lot of my friends don't necessarily appreciate having to be under these time constraints with these big brands well, particularly since you figure the
bad guys aren't under any particular time constraints exactly. So the bad guys have tons of time to find these vulnerabilities, while the white hats are under the stress of these time constraints to get the work done so that they make their bosses happy. In this sense, a lot of a lot of people that I know have created their own security companies because of this fault in the generic
nature of having these security companies. So they said, you know, I'm tired of having to deal with these constraints that my boss has given me. Just going to open my own security company, and we're going to do it even better because we won't give ourselves those time constraints. We'll give us ourselves several months to find all the vulnerabilities that we absolutely can and then we'll write a report and we'll fix it. And those are the ones that I would definitely work with if I had to hire
a security company. Yeah, because they're the ones who are going to use the exact same kind of methodologies, right the bad guys are going to use. And if if you want to really be secure, you want the people to throw everything they can at your system so that you can find out are you actually secure? If you're not, what do you need to do to address it? If you want to see a movie that does a very fantasy version of this very idea, there's a nineteen ninety
two film that I always think back to. Sneakers had Robert Redford and Dan Aykroyd, who plays a character named Mother. Ben Kingsley is in it, a ton of folks, River Phoenix was in it, and it's a, it's a movie about a group of kind of almost like outcasts who have grouped together to form a company that they specifically
do this. They try to infiltrate a company in order to test its security, not to exploit it, but rather to tell the company, hey, here's how we got in, here's how someone else could get in, so you need to plug this vulnerability that kind of thing. And then of course they get involved in all sorts of shenanigans.
And in case you are interested in the methodology, I actually find it very very interesting how they get their work done, because of course they have to go through the tennis match of back and forth with a brand
name company, whatever it might be. So they'll have to get a purchase order, they'll do a little bit of negotiation for an amount that they'll do the work for, and then they'll go in and they'll gather information on the network, and they'll capture traffic, and they'll try to find any kind of vulnerabilities that are on that network,
even with the people too. For example, they could use social engineering to get into the server rack physically, or they could get into a network that doesn't necessarily have a very good password on it. They could email clients that work there, that are employed at the brand name company with, I don't know, malware-ridden PDFs for example, and they can use wireless attacks. They could do war driving from the parking lot if they wanted to.
And then what they'll do is write a very very long report so that the brand name company can see exactly what happens on their network and exactly what they were able to do from whatever back door they were able to get into. It's really interesting how well they're able to put everything together in turn hopefully save this company in the long run thousands and thousands of dollars. We will be back to talk a little bit more about hacking for that cold hard cash after we take
another quick break. Security has always been a tick-tock approach, Right, You've got the tick, which is where someone has identified a way of exploiting a system, and then the tock is where you find a way to correct that vulnerability. The tick is the next time someone's found a vulnerability, you're always going to have that, right unless someone somehow designs the absolute perfect system, which as far as we know, is an impossibility. Yeah. Yeah, because for one thing, if
people are involved, there's no such thing as a perfect system. Yeah, it's always a battle, and I love my video game, so I love a battle. But yeah, it also drives other other industries though, because we'll see things like the artificial intelligence industry improve as a result of this security battle between hackers and the infosec experts who are trying to make sure they're protecting systems. And as a result, we're getting information that can be used in other areas,
which is phenomenal. Like I remember, here's the simple one. It's as far as security goes, This is as low level as it gets. But the CAPTCHA system. So when CAPTCHA was implemented, even the people who were writing CAPTCHA at the time, were not really thinking of it as being some sort of foolproof security system to make sure that bots don't get into a system, right. They weren't thinking, oh, now only human beings can get access.
And if you don't know what a CAPTCHA is, anytime you get you're filling out a thing and you get a little picture of something and it says tell you write down the word or numbers that are in this picture, or even to a point of identify the pictures in this sequence that have this particular feature, like identify all the pictures that have a lake in it or something like that. That's simply that's simply a version of CAPTCHA.
The people who made it, they actually said, our goal was really to help push artificial intelligence, because we created a system where programmers or hackers had to start coming up with computer programs that could identify the same things that we humans can identify. And in turn, that means now we've got software that pushes forward artificial intelligence. Now, granted, that also means you have to improve the system you had designed to keep bots out in the first place.
So again it goes to that tick-tock, But there's an added benefit beyond someone being able to to automatically access systems and build, you know, dozens and dozens of fake profiles on Facebook or whatever it might be, whatever that might be. Yeah, yeah, And and keep in mind, like like we've been saying here, I mean, any any system's security is only as strong as its weakest link. That weakest link is pretty much always people. That's the big one, right.
But I mean, I've I've read stories about a hacker gaining access to a system because there was an overall security system that was really robust for the main company, but then they had a little branch office, and the branch office didn't have that crazy amount of security but was still on the same network. I think I read about that story too, So I mean, these are these are things like if you identify a potential point of weakness that's now suddenly the you know it's it's like
a bank vault. If the bank vault has an enormous door with huge locks on it that you have to get through. Oh, but it also has a backdoor. Just for convenience sake, You're going to aim for the backdoor. But there are other ways that hackers can make a legitimate living that don't even involve testing security systems. It might involve education. Yeah, absolutely so education is I guess what you would say,
I fall into that kind of category. And while I don't necessarily like to call myself a hacker because I know so many experts in the field who are much more knowledgeable than I am, I'm quite an intermediate, I would say. But I love to teach, and I love to give tutorials online, so I give tutorials on YouTube.
But I also know a lot of people who have either written books about hacking, and they could do either specifics about penetration testing, or they get to make it a very very wide based book where they explain everything that you would have to do as a penetration tester, and a penetration tester is basically one of those guys that would go into a company and find all the
vulnerabilities and report on it. You would also have companies that administer certifications, so a lot of I'm sure a lot of your listeners probably know that you have to get certifications to get a lot to get into a lot of the fields with computer security and even just you know, computer networking too. There's a lot of certs
for those and they're very, very expensive. So a lot of companies just administer their certifications or they'll have you take classes for a period of time until you actually take the test and get certified. But that ends up being a really good thing to put on your resume for a lot of companies whenever you do intend to get a job in network security. And then lastly,
we have the publishers. So that's the YouTubers, that's the people that made podcasts, That's the people that might be creating other forms of entertainment that not only educate but also entertain their users and their listeners so that they get excited about being a part of information security. And that's what I like to do. I like to teach people in a way that makes it exciting. So I do a lot of hands on stuff. I make, I make jokes, and I explain things in a very
natural light and it helps. It helps, again foster that desire to learn how things work. Yeah, right, that does so again that that same fascination, Like if you were ever a kid that took apart a watch or a radio or some other piece of equipment, because you really want to know what's the magic that makes this thing do what it does. Hackers have that, I mean, that's the that's that's the defining quality in my mind of a hacker is ultimately it's someone who is fascinated with
the way something works. We've largely been focusing on software, but that is just as legitimate as any hardware hack. It's the idea of how does this It might not even just be the software, It might be a full system, like how does this system work? What are all the interlocking parts? How do they communicate with each other? I just had a random memory from when I was younger and in school, I took apart my first iPod because I had no clue how it worked, and I was
very curious about what the interior of it was. Yeah, so I just I took it apart. I could have put it back together, So I was not hacker in any sense. For an article I was writing, we got a first edition Launch Day Nintendo three DS, and it was my job to disassemble it and take photos of all the pieces. So first I took a picture of it whole and shared it online on Twitter and said
look what I have, and everyone got excited. And then by the end of it, I had a little had a little black cauldron at my desk that was leftover from a Halloween thing. And then I put all the different pieces because there was no way this thing was going back together after I took it apart. For one thing, Nintendo is pretty careful about sealing stuff in such a way that it's not meant to come apart, so so you have to have it was a little force in some cases in order to get to stuff. And then
I showed a picture. I'm like, I'm like, look what I did to the thing. The entire internet cried. Yeah, although ultimately I think the three DS most people were like, oh whatever, But at the time when it was brand new, people were freaking out. And of course there's there's also another role for hackers out there. It may not be a steady gig, but we are seeing more and more of the Hollywood productions out there actually talk with people in the industry so that the depictions that we're getting
are more accurately reflecting what really happens. Mister Robot is probably the example that immediately leaps to my mind, and that it's it's a show. It tries very hard to take a more realistic approach to the world of hacking, as opposed to you type in three passwords, the third one gets you in, and then you're navigating through a vector graphics three D dungeon and you encounter a skull and cross bones. That's not how hacking works. Sounds like
you were talking about hackers hack the planet. I might have been. I mentioned too with education, Just to bring it back a bit, professors, I didn't leave you guys out. I'm sorry. I love you guys. You are the reason why I'm here now. If I didn't take my computer courses in college with my professors, I would not be doing what I'm doing now. So professors are like at the top of that educational list because oh sure, and you can take a lot of computer security courses in
college and sometimes in high schools if you're lucky. But yeah, technical assistants. So technical assistants are people that will come on board with a Hollywood movie or a TV show or what have you, and they will explain to the network how the hacking actually happens. So I know a
few they will. They'll come to some of their hacker friends or they will be a hacker themselves and they will say, Okay, in this season, I know that they want to do X, Y and Z on camera, and I need to make it look legitimate, so they will come up with the script. They will come up with the hack and the actual keyboard commands that the actor has to type in on camera so that they are
actually doing legitimate hacks. So that way, they're not only making it look cool for a wider audience because an audience is actually going to see how a hack works, but they're also getting that credibility with the infosec community too. So mister Robot is huge with the infosec community because it is legitimate. Like I've watched several of those episodes, and I've seen a lot of the hacks that they do.
They've even used some of our Hak5 products on the show, and they're actually using legit hacks, And it is so much fun to see it on TV and see them get so many good reviews from a wider consumer audience, because it makes me feel like many more people are getting interested in infosec because they see what's happening on camera and they see that this is
actually how you do it. Yeah, it's nice to see it go beyond the niche that I would argue infosec and hacking has largely inhabited for the past three decades. Right the people who had been interested when it's first started, it was essentially your hobbyists, and often those hobbyists were
isolated individuals. You got to the phone phreaking days where there was a little bit of a small subculture of people who were interested in hacking the telephone system using all sorts of stuff, including a whistle from Cap'n Crunch. You had the early hack days where people were just trying to create interesting programs for their computers or to see how some of the programs that were coming out,
how did those work? But it was largely a tiny slice of the folks who were even aware of personal computers, and even that group was still a tiny slice of
the overall population. We're seeing that tiny slice grow over time, and largely because so many of us are so dependent upon computers these days that it benefits us to have an awareness to make sure that we remain safe, but also because of things like mister Robot showing how this works and sparking the imagination of people who perhaps before they saw that, never thought, yeah, it's kind of cool. I would love to be able to manipulate code in such a way that I could do something new or
unexpected or help people. And it's really encouraging to see that kind of thing happen right now. I kind of wish it had happened ten years ago, but I love seeing it happen now same. I actually feel like there was a little bit of negativity in the aspect that we used to have all these really fancy graphics happening in these Hollywood movies and these TV shows, and now they're actually seeing the reality that is hacking, and it
is not super colorful. It's not super quick, fast paced and exciting, like it looks like it is on those old school shows, So I'm hoping that now that they're actually seeing it, people will try it too. Like if they see the main actor on Mister Robot do a specific command line option, they'll go to their computer and try it themselves and see that it actually does work, and then they'll be like, oh, I really want to try some new stuff too, so they'll start googling it
and see what else they can find out. That's the kind of inspiration that I wish happened thirty years ago, and it didn't, So I want to see more of that now, and I'm really happy that, for example, mister Robot has done a great job with it. Yeah it's it's and you not to poop all over Hollywood, because I do love some Hollywood, but but it is to understand
where they were coming from. They were trying to find a way to create an exciting visual depiction of something that doesn't necessarily lend itself to that in order
to create a dramatic effect. So I get it. It's very similar to the way Hollywood portrayed virtual reality back in the nineties, way before virtual reality was ready for public consumption and it's what largely killed VR for a decade before the various video game systems started to make the components cheap enough for people to play in that space again, and now we're on the verge of another
VR revolution. The same sort of thing is true of hacking, Like, how do you show hacking in a way that gets across what is happening to an audience and makes it interesting. I think largely you have to do that through really good writing of your characters. And once you do that,
then everything else follows. I think if you can show that the characters in a movie or in a TV show are actually real people that have real relationships, they have real jobs and real lives, and they have hobbies outside of just hacking, you can really you can start to relate to that character in a very real sense in the fact that, hey, they are humans too, because
hackers are people too. That was actually a documentary. Nice. Yeah, because again, when when you're when you're thinking about it in the abstract, you're really it becomes that us versus them mentality, where by its very nature it's dehumanizing. But that's probably a topic for a show that's not about technology. So I will just leave it be. Shannon Morse, thank you so much for joining me today. Please let everyone know where they can find all of your stuff. Jonathan Strickland,
thank you. So yeah, it was a little it was a little curt it was a little laden. Yeah. Yeah, I've been watching Star Trek lately. Way, way too much Star Trek, So you can find me. The most direct path is on Twitter. I'm at snubs and that's snubs and then my shows, specifically are TekThing over at tek thing dot com and Hak5 over at HK five dot org. Well that wraps up this classic episode of tech Stuff. Hope you enjoyed it. It was great having Shannon on
the show. I've had her on a few times over the years, and I would actually I would love to have her on again. There's always an open invitation to Shannon. She is a very busy woman. She's got a lot going on. So if I can find a time to schedule her so that we can have her on and share her expertise, that would be wonderful because she's got a deep and practical knowledge in fields where I just have kind of a general awareness. So she's always great
to have on the show. If you have suggestions for topics I should cover in future episodes of tech Stuff, Please reach out to me and let me know what those are. One way to do that is to download the iHeartRadio app. It's free to download, it's free to use. You can navigate over to the tech Stuff part by just putting tech Stuff into that little search bar. It'll take you to the podcast page and you'll see
a little microphone icon. If you click on that microphone icon, you can leave me a voice message up to thirty seconds in length and let me know what you would like to hear in the future, or if you prefer, you can go on over to Twitter and send me a tweet. The handle for the show is tech Stuff HSWU and I'll talk to you again really soon. Tech
Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.