
Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266

Nicole Perlroth is a cybersecurity journalist and author. Please support this podcast by checking out our sponsors:
- Linode: https://linode.com/lex to get $100 free credit
- InsideTracker: https://insidetracker.com/lex and use code Lex25 to get 25% off
- Onnit: https://lexfridman.com/onnit to get up to 10% off
- ROKA: https://roka.com/ and use code LEX to get 20% off your first order
- Indeed: https://indeed.com/lex to get $75 credit

EPISODE LINKS:
- Nicole's Twitter: https://twitter.com/nicoleperlroth
- Nicole's Website: https://nytimes.com/by/nicole-perlroth
- Nicole's Book: https://amzn.to/3sOQjrs

PODCAST INFO:
- Podcast website: https://lexfridman.com/podcast
- Apple Podcasts: https://apple.co/2lwqZIr
- Spotify: https://spoti.fi/2nEwCF8
- RSS: https://lexfridman.com/feed/podcast/
- Full episodes playlist: https://www.youtube.com/playlist?list=PLrAXtmErZgOdP_8GztsuKi9nrraNbKKp4
- Clips playlist: https://www.youtube.com/playlist?list=PLrAXtmErZgOeciFP3CBCIEElOJeitOr41

OUTLINE:
- 0:00 - Introduction
- 0:55 - Zero-day vulnerability
- 6:56 - History of hackers
- 21:48 - Interviewing hackers
- 25:50 - Ransomware attack
- 38:34 - Cyberwar
- 51:42 - Cybersecurity
- 1:00:49 - Social engineering
- 1:17:42 - Snowden and whistleblowers
- 1:27:12 - NSA
- 1:36:59 - Fear for cyberattacks
- 1:44:30 - Self-censorship
- 1:48:51 - Advice for young people
- 1:54:08 - Hope for the future

SOCIAL:
- Twitter: https://twitter.com/lexfridman
- LinkedIn: https://www.linkedin.com/in/lexfridman
- Facebook: https://www.facebook.com/lexfridman
- Instagram: https://www.instagram.com/lexfridman
- Medium: https://medium.com/@lexfridman
- Reddit: https://reddit.com/r/lexfridman
- Support on Patreon: https://www.patreon.com/lexfridman

Host: Lex Fridman. Guest: Nicole Perlroth.
Feb 20, 2022. Duration: 2h 1m.

CHAPTERS

  1. 0:00 – 1:04

    Mutually assured digital destruction & what zero-days enable

    Lex and Nicole open with the idea that cyber conflict has created a new kind of deterrence: one side’s compromise can cascade into massive real-world disruption. Nicole frames why invisible surveillance and sabotage capabilities make cyber weapons uniquely destabilizing.

    • Cyber escalation risk: if one side is hacked, retaliation can “unleash hell”
    • Mutually assured digital destruction as an emerging global condition
    • Remote compromise enables location tracking, call recording, camera access
    • Zero-days as high-value capabilities with geopolitical consequences
  2. 1:04 – 6:56

    Zero-day vulnerabilities, exploits, pricing, and who gets targeted

    Nicole defines zero-day vulnerabilities and zero-day exploits, then explains why remote/zero-click phone exploits are so prized. They discuss shifting market prices (iOS vs Android), who buys these tools, and how targeting ranges from individuals to whole populations.

    • Zero-day = unknown bug; exploit = code that weaponizes it
    • Remote/zero-click phone exploits enable stealthy full-device surveillance
    • Market dynamics: Android vs iOS pricing shifts; scarcity and market share
    • Buyers include deep-pocketed states (e.g., Gulf governments)
    • Targeting can be urgent/individual (terror cases) or broad (e.g., Uighur watering-hole)
  3. 6:56 – 11:25

    From hobbyist hackers to a government-backed exploit marketplace

    Nicole traces the hacker culture of the 80s/90s: curiosity-driven discovery, hostile responses from tech companies, and the resulting disclosure wars. That tension created the conditions for governments and contractors to quietly buy vulnerabilities—and later use them not just for spying, but for sabotage planning.

    • Early hackers tried responsible disclosure; companies often threatened them legally
    • Disclosure debates: publish bugs vs risk widespread misuse
    • Governments/contractors exploited hacker resentment to buy bugs quietly
    • Six-figure payments helped professionalize the underground market
    • As critical infrastructure went online, the same bugs became sabotage tools
  4. 11:25 – 21:48

    Ethics, incentives, and the rise of bug bounties (and brokers)

    They unpack why some hackers refuse to sell exploits while others justify it as tech companies’ responsibility. Nicole explains how bug bounty programs and intermediaries (HackerOne, Bugcrowd, Synack) changed incentives—but still can’t fully compete with state-aligned buyers.

    • Ethical split: ‘sleep at night’ vs ‘not my problem’ arguments
    • Bug bounties as ‘paid QA’ and a partial counterweight to brokers
    • Intermediaries translate between hacker culture and corporate needs
    • Perverse incentives if vendors match broker/government pricing
    • Non-monetary incentives: credit, reputation, and being able to talk about discoveries
  5. 21:48 – 25:50

    Reporting in the shadows: sourcing, opsec, and why hackers won’t talk on camera

    Lex asks how to interview people in a world that punishes publicity. Nicole describes why she prefers print, how anonymity is maintained, and why public exposure can end careers—illustrated by the case of The Grugq.

    • Public visibility is dangerous in the exploit market; secrecy is a core rule
    • Typical on-camera interviews require heavy anonymization
    • The Grugq as a cautionary tale: publicity can destroy business and increase targeting
    • Operational security becomes existential if others know you hold zero-days
    • Journalism’s role: synthesize truth while protecting sources
  6. 25:50 – 34:57

    Lex’s ransomware incident: Deadbolt, zero-days, and the ‘to pay or not to pay’ dilemma

    Lex recounts being hit by the Deadbolt ransomware on QNAP devices and reads the attacker’s ransom note, including claims of a zero-day. Nicole explains why zero-day-based ransomware is a major escalation, and why the payment decision is often economically and operationally complex.

    • Deadbolt ransomware encrypts NAS files; victims face individual ransom demands
    • Attackers pressure vendors too (pay to reveal bug or provide master key)
    • Zero-day ransomware complicates recovery: defenders may not know what to fix
    • Most ransomware still exploits basics (MFA absent, weak passwords), but this is evolving
    • Paying vs not paying: practical realities for businesses and governments
  7. 34:57 – 38:34

    Real-world harm: hospitals, supply chains, NotPetya, and ‘intentional’ spillover

    Nicole details how ransomware and wiper-style attacks can directly endanger lives and paralyze essential services. They discuss NotPetya’s global blast radius and debate whether the worldwide impact was collateral damage or a deliberate signal to anyone connected to Ukraine.

    • Hospitals disrupted: chemo protocols inaccessible; patient care degraded
    • Reported links between ransomware and deaths (e.g., infant death attribution)
    • NotPetya spread via supplier software, impacting Maersk, Merck, FedEx, Pfizer
    • Merck’s vaccine production disruption illustrates national/global health stakes
    • Reframing ‘collateral damage’ as potentially intentional strategic messaging
  8. 38:34 – 45:58

    Cyberwar as the new constant in geopolitics (pipelines, Taiwan, private infrastructure)

    The conversation shifts to nation-state conflict: why every future geopolitical crisis will have a cyber component. Nicole emphasizes the U.S. ‘soft underbelly’—privately owned critical infrastructure, weak reporting requirements, and insufficient baseline standards.

    • China allegedly positioning inside U.S. pipelines for contingency conflict scenarios
    • Cyber elements are expected in flashpoints (Taiwan, Ukraine, India-Pakistan)
    • U.S. critical infrastructure is mostly private, with limited mandated standards
    • Lack of breach reporting keeps government and public blind to compromises
    • Zero-day attacks rising sharply; offense investments track geopolitical hotspots
  9. 45:58 – 51:34

    Deterrence, attribution games, and the limits of a ‘digital Geneva Convention’

    Lex raises cyber deterrence analogies to nuclear MAD; Nicole explains why they break down due to low barriers to entry and murky attribution. They discuss how states manipulate attribution, the U.S. signaling posture (e.g., grid access), proportional response norms, and the difficulty of enforcing international cyber agreements when criminals and proxies blur lines.

    • Nuclear comparisons fail: no fissile material needed; laptops and skill suffice
    • Attribution is hard and sometimes intentionally manipulated by states
    • U.S. signaling: publicizing grid implants to deter adversaries
    • ‘Proportional response’ exists rhetorically but is ambiguous in practice
    • Digital Geneva Convention faces enforcement problems with proxies and cybercriminal outsourcing
  10. 51:34 – 1:00:50

    The single biggest fix: multi-factor authentication and the basics that still matter

    Asked what she’d change with a snap of a finger, Nicole chooses MFA as the highest-impact defense. They define MFA, discuss hardware keys, why passwords get reused, and how usability friction keeps society stuck with insecure defaults.

    • MFA prevents many intrusions even when passwords are stolen
    • Colonial Pipeline example: old account + no MFA contributed to major disruption
    • Hardware keys (FIDO) as stronger second factors than SMS
    • Security goal is risk reduction, not perfection; raise attacker cost
    • Usability matters: friction leads users to disable protections; desire to ‘kill the password’
  11. 1:00:50 – 1:17:27

    Social engineering, insider threats, and securing identity in a more virtual world

    Nicole argues social engineering and insider access are the hardest problems, worsened by remote work and identity ambiguity. They extend this to the metaverse and broader internet identity: how bots, manipulation, and surveillance intersect with future digital life—and what tokenized identity models could look like.

    • Remote work increases exposure to impersonation and insider access attacks
    • Examples: alleged planted insiders; Saudi spying inside Twitter
    • Risk of xenophobia and false accusations in insider-threat hunting
    • Metaverse concerns: verifying humans vs bots; manipulation at scale
    • Tokenized identity and ‘vaulted’ PII as a path away from pervasive data collection
  12. 1:17:27 – 1:26:51

    Snowden, transparency, and the problem of leaks without context

    Nicole explains her nuanced view of Edward Snowden: neither hero nor villain. She values the surveillance debate he sparked, but critiques the volume and context-free nature of many releases and the reputational damage to the U.S. amid broader ‘spy-eat-spy’ realities.

    • Transparency enabled overdue debates on privacy and surveillance limits
    • Some revelations aligned with expected spy-agency behavior (e.g., leader targeting)
    • Context often missing: adversary operations and abuses weren’t foregrounded enough
    • Reputational and diplomatic fallout for the U.S.
    • Concern about indiscriminate volume of documents and unnecessary exposure
  13. 1:26:51 – 1:36:56

    Intelligence agencies: competence, abuses, and where ‘evil’ begins

    Lex probes whether intelligence agencies are competent or malevolent, and Nicole answers with complexity: agencies differ, missions vary, and rules/oversight matter. She contrasts Western constraints with authoritarian surveillance and repression, highlighting how surveillance becomes ‘evil’ when used for censorship and crushing dissent.

    • Competence varies; operations range from counterterrorism to covert action
    • Bureaucracy and oversight can constrain abuse, but exceptions occur (e.g., LOVEINT)
    • Authoritarian surveillance (e.g., China/Uyghurs) as an unconstrained ‘test kitchen’
    • Red lines: censorship, repression, and targeting dissidents/journalists
    • Examples of digital repression in Gulf states and consequences for critics
  14. 1:36:56 – 1:48:27

    Fear, personal security, and the creativity cost of living under surveillance

    Nicole describes moments of real danger and paranoia, then offers a pragmatic security mindset: identify and protect your ‘crown jewels’ without going full off-grid. The discussion broadens to how pervasive monitoring drives self-censorship and can stifle creativity, even when public authenticity can reduce blackmail leverage.

    • Threats to journalists: dark web bounties, suspicious incidents, and opsec tradeoffs
    • ‘Crown jewels’ approach: focus protections where stakes are highest (sources, family)
    • Khashoggi as a turning point in perceived safety for journalists
    • Self-censorship as a subtle but powerful harm to innovation and free thought
    • Authenticity as partial defense against blackmail, but not a full solution
  15. 1:48:27 – 2:01:34

    Career advice: become a hacker for defense—and reasons for hope

    Nicole urges young people to learn hacking skills and apply them to defense, noting massive global job shortages and the societal value of securing critical systems. They close with cautious optimism: people are fundamentally good, generational change can reset broken incentives, and authenticity plus forgiveness may help society adapt to life lived online.

    • ‘Be a hacker’—but prioritize defense over ‘sexy’ offensive roles
    • 3.5M+ unfilled cybersecurity jobs; strong long-term job security
    • Private sector often sees the most advanced attacks and can make outsized impact
    • Hope rooted in offline human goodness, generational change, and new leadership
    • Future culture shift: more forgiveness for online mistakes; authenticity as a stabilizer
