Lex Fridman Podcast
Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266
- 0:00 – 0:55
Introduction
- LFLex Fridman
If one side is hacked, you can just unleash all hell.
- NPNicole Perlroth
We have stumbled into this new era of mutually assured digital destruction.
- LFLex Fridman
How far are people willing to go?
- NPNicole Perlroth
You can capture their location. You can capture their contacts that record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on someone without them knowing. You could sell that to a zero-day broker for $2 million.
- LFLex Fridman
The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me The World Ends: The Cyberweapons Arms Race. This is the Lex Fridman Podcast. To support it, please check out our sponsors in the description. And now, dear friends, here's Nicole Perlroth.
- 0:55 – 6:56
Zero-day vulnerability
- LFLex Fridman
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists, government officials, forensic investigators, and, uh, mercenaries. So let's talk about cybersecurity and cyberwar. Start with the basics. What is a zero-day vulnerability and then, um, a zero-day exploit or attack?
- NPNicole Perlroth
So (sighs) at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS software that no one else knows about, especially Apple. That's called a zero-day because the minute it's discovered, engineers have had zero days to fix it. If I can study that zero-day, I could potentially write a program to exploit it, and that program would be called a zero-day exploit. And for iOS, the dream is that you craft a zero-day exploit that can remotely exploit someone else's iPhone without them ever knowing about it, and you can capture their location. You can capture their contacts that record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on someone without them knowing, and you can see why that capability, that zero-day exploit, would have immense value for a spy agency or a government that wants to monitor its critics or dissidents. And so there's a very lucrative market now for zero-day exploits.
- LFLex Fridman
So you said a few things there. One is iOS. Why iOS? Why- which operating system? Which one is the sexier thing to try to get to or the most impactful thing? And, uh, the other thing you mentioned is remote versus, like, having to actually come in physical contact with it, though. Is that the distinction?
- NPNicole Perlroth
So iPhone exploits have just been a government's number one priority. Recently, actually, the price of an Android remote zero-day exploit, something that can get you into Android phones, is actually higher. The value of that is now higher on this underground market for zero-day exploits than an iPhone iOS exploit. So things are changing.
- LFLex Fridman
So the- there's probably more Android devices, so that's why it's better, but then the iPhone side, if I- so I'm an Android person because I'm a man of the people, but it seems like all the elites use iPhone, all the people at nice dinner parties. So, uh, is that, is that the reason that, like, the more powerful people use iPhones? Is that why?
- NPNicole Perlroth
I don't think so. I actually- so it was about two years ago that the prices flipped. It used to be that if you could craft a remote zero-click exploit for iOS, then that was about as good as it gets. You could sell that to a zero-day broker for $2 million. The caveat is you can never tell anyone about it because the minute you tell someone about it, Apple learns about it, they patch it, and that $2.5 million investment that that zero-day broker just made goes to dust. So a couple years ago, and don't quote me on the prices, but an Android zero-click (laughs) remote exploit for the first time topped the iOS. And actually, a lot of people's read on that was that it might be, um, a sign that Apple's security was falling and that it might actually be easier to find an iOS zero-day exploit than find an Android zero-day exploit. The other thing is market share. There are just more people around the world that use Android. And a lot of governments that are paying top dollar for zero-day exploits these days are deep-pocketed governments in the Gulf that want to use these exploits to monitor their own citizens, monitor their critics. And so it's not necessarily that they're trying to find elites, uh, it's that they want to find out who these people are that are criticizing them or perhaps planning the next Arab Spring.
- LFLex Fridman
So in your experience, are most of these attack targeted to cover a large population, or is there attacks that are targeted toward specific individuals?
- NPNicole Perlroth
So I think it's both. Some of the zero-day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted.
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
You know, there was a potential terrorist attack. They wanted to get into this person's phone. It had to be done in the next 24 hours. They approached hackers and say, "We'll pay you, you know, X millions of dollars if you can do this." But then you look at when we've discovered iOS zero-day exploits in the wild... Some of them have been targeting large populations like Uighurs. So a couple years ago, there was a, a watering hole attack. Okay, what's a watering hole attack? There's a website. It was, actually, it had information aimed at Uighurs, and you could access it all over the world, and if you visited this website, it would drop an iOS zero-day exploit onto your phone. And so anyone that visited this website that was about Uighurs, anywhere, I mean, Uighurs, Uighurs living abroad, basically the Uighur diaspora, would have gotten infected with this zero-day exploit.
- LFLex Fridman
Wow.
- NPNicole Perlroth
So in that case, you know, they were targeting huge swaths of this one population, or people interested in this one population, basically in real time.
- 6:56 – 21:48
History of hackers
- LFLex Fridman
(inhales) (exhales) Who are these attackers? From the individual level to the group level, psychologically speaking, what's their motivation? Is it purely money? Is it the challenge? Are they malevolent? Is it power? These are big, philosophical human questions, I guess.
- NPNicole Perlroth
So these are the questions I set out to answer for my book. I wanted to know, are these people that are just after money? You know, if they're just after money, how do they sleep at night not knowing whether that zero-day exploit they just sold to a broker is being used to basically make someone's life a living hell? And what I found was there's kind of this long sordid history to this question. You know, it started out in the '80s and '90s when hackers were just finding holes and bugs in software for curiosity's sake, really as a hobby, and some of them would go to the tech companies, like Microsoft, or Sun Microsystems at the time, or Oracle, and they'd say, "Hey, I just found this zero-day in your software, and I can use it to break into NASA." And the general response at the time wasn't, "Thank you so much for pointing out this flaw in our software. We'll get it fixed as soon as possible." (laughs) It was, "Don't ever poke around our software ever again, or we'll stick our general counsel on you." And that was really sort of the common thread for years, and so hackers who set out to do the right thing were basically told to, "Shut up and stop doing what you're doing." And what happened next was they basically started trading this information online. Now, when you go back and interview people from those early days, they all tell a very similar story, which is, they're curious, they're tinkerers. You know, they remind me of, like, the kid down the block that was constantly poking around the hood of his dad's car.
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
You know, they just couldn't help themselves. They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose. It doesn't have to be good or bad. But they were basically kind of beat down (laughs) for so long by these big tech companies that they started just silently trading them with other hackers, and that's how you got these, um, you know, really heated debates in the '90s about disclosure. Should you just dump these things online? Because any script kiddie can pick 'em up and use it for all kinds of mischief. Um, but, you know, don't you want to just stick a middle finger to all these companies that are basically threatening you all the time? So there was this really interesting dynamic at play, and what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment, and they started quietly reaching out to hackers on these forums, and they said, "Hey, you know that zero-day you just dropped online? Could you, could you come up with something custom for me? And I'll pay you six figures for it, so long as you shut up and never tell anyone that we, that I paid you for this." And that's what happened. So throughout the '90s, there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, "Hey, I'll pay you six figures for that bug you were trying to get Microsoft to fix for free." And sort of so began, or so catalyzed this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free. And in those early days, I think a lot of it was just for quiet counterintelligence, traditional espionage.
But as we started baking the software, Windows software, Schneider Electric, Siemens industrial software, into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero-days came to be just as valuable for sabotage and war planning.
- LFLex Fridman
Does the fact that the market sprung up and you can now make a lot of money change the nature of the attackers that came to the table? Or, uh, or grow the number of attackers? I mean, what is, I guess, you told the psychology of the hackers, uh, in the '90s. What is the culture today? And where is it heading?
- NPNicole Perlroth
So I think there are people who will tell you they would never sell a zero-day to a zero-day broker or a government. One, because they don't know how it's gonna get used when they throw it over the fence. You know, most of these get rolled into classified programs, and you don't know how they get used. Um, if you sell it to a zero-day broker, you don't even know which nation state might use it... um, or potentially which criminal group might use it, if you sell it on the dark web. The other thing that they say is that they want to be able to sleep at night. (laughs)
- LFLex Fridman
Right.
- NPNicole Perlroth
And they loo- they'd lose a lot of sleep if they found out their zero-day was being used to, you know, make a dissident's life living hell. Um, but there are a lot of people, good people, who also say, "No, this is not my problem. This is the technology company's problem. If they weren't writing new bugs into their software every day, then there wouldn't be a market, you know? Then there wouldn't be a problem. But they continue to write bugs into their software all the time, and they continue to profit off that software, so why shouldn't I profit off my labor too?" And one of the things that has happened, which is, I think, a positive development over the last 10 years, are bug bounty programs. You know, companies like Google and Facebook and then Microsoft and finally Apple, which resisted it for a really long time, have said, "Okay. We are going to shift our perspective about hackers. We're no longer going to treat them as the enemy here. We're going to start paying them for what is essentially free quality assurance, and we're gonna pay them good money in some cases. You know, six figures in some cases. We're never gonna be able to bid against a zero-day broker who sells to government agencies, but we can reward them and hopefully get that, to that bug earlier, where we can neutralize it, so that they don't have to spend another year developing the zero-day exploit. And in that way, we can keep our software more secure." But every week, I get messages from some hacker that says, you know, "I tried to... This, see this zero-day exploit that was just found in the wild, you know, being used by this nation state? I tried to tell Microsoft about this two years ago, and they were gonna pay me peanuts, so it never got fixed." You know, there are all sorts of those stories that con- continue on. And, you know, I think, just generally, (laughs) hackers are not very good at diplomacy, you know? 
They tend to be a pretty snipey, technical crowd, um, and very philosophical, in my experience, but-
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
... you know, diplomacy is not their strong suit. (laughs)
- LFLex Fridman
Well, there almost has to be a broker between companies and hackers, where you can translate effectively, just like you have a zero-day broker between governments and hackers.
- NPNicole Perlroth
Yeah.
- LFLex Fridman
Because you have to speak their language.
- NPNicole Perlroth
Yeah, and there have been some of those companies who've risen up to meet that demand. And HackerOne is one of them. Bugcrowd is another. Synack has an interesting model. So, that's a company that you pay for a private bug bounty program, essentially. So, you pay this company. They tap hackers all over the world-
- LFLex Fridman
Mm.
- NPNicole Perlroth
... to come hack your software or hack your system, and then they'll quietly tell you what they found. Um, and I think that's a really positive development. And actually, the Department of Defense hired all three of those, uh, companies I just mentioned to help secure their systems. Now, I think they're still a little timid in terms of letting those hackers into the really sensitive, high-side classified stuff, but, you know, baby steps. (laughs)
- LFLex Fridman
Just to understand what you were saying, you think it's im- impossible for companies to financially compete with the zero-day brokers, with governments. So, like, the defense can't outpay the, um, the hackers?
- NPNicole Perlroth
Well, it's interesting. You know, they, they shouldn't outpay them, because what would happen if they started offering $2.5 million at Apple-
- LFLex Fridman
Yeah.
- NPNicole Perlroth
... for any, you know, zero-day exploit, that governments would pay that much for, is their own engineers would say, "Why the hell am I working, you know, for less than that and, and g- doing my nine-to-five every day?" So, you would create a perverse incentive, and I didn't, I didn't think about that-
- LFLex Fridman
Hmm.
- NPNicole Perlroth
... until I started this research and I realized, "Okay, yeah, that makes sense. You don't want to incentivize offense so much that it's to your own detriment." And so, I think what they have, though, what the companies have on government agencies, is if they pay you, you get to talk about it, you know? You get the street cred.
- LFLex Fridman
Yes.
- NPNicole Perlroth
You get to brag about the fact you just found that $2.5 million, you know, iOS zero-day that no one else did. And if you sell it to a broker, you never get to talk about it, and I think that really does eat at people.
- LFLex Fridman
Can I ask you a big philosophical question about human nature here?
- NPNicole Perlroth
(laughs)
- LFLex Fridman
So, if you have... I mean, what you've seen, if a human being has a zero-day, they foun- found a zero-day vulnerability that can, um, hack into, I don't know, what's the worst thing you can hack into? Something that could launch nuclear weapons. Well, which percentage of the people in the world that have the skill would not share that with anyone, uh, with any bad party? I guess, how many people are completely devoid of ethical concerns, in, in your s- in, in your sense? So, my- my belief is, all the ultra-competent people, or very, very high percentage of ultra-competent people, are also ethical people. That's been my experience. But then, again, my experience is narrow.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
What's, what's y- what's your experience been like?
- NPNicole Perlroth
So, this was another question I wanted to answer. You know, who are these people who would sell a zero-day exploit that would neutralize a Schneider Electric safety lock at a, at a petrochemical plant? Basically, the last thing you would need to neutralize before you trigger some kind of explosion. Who would sell that? Um, and I got my answer... Well, the answer was different. A lot of people said, "I would never even look there, 'cause I don't even want to know. I don't even want to have that capability. I don't, like, I don't even want to have to make that decision about whether I'm going to profit off of that knowledge." I went down to Argentina, and this whole kind of moral calculus I had in my head was completely flipped around. So just to back up for a moment. So Argentina actually is a real hacker's paradise (laughs). People grow up in Argentina, and, you know, I went down there, I guess, I was there around 2015, 2016, but you still couldn't get an iPhone.
- 21:48 – 25:50
Interviewing hackers
- LFLex Fridman
Can I add a small tangent and ask you by way of advice, you must have done some incredible interviews, and, uh, you've also spoken about how serious you take protecting your sources. If you were to give me advice for interviewing when you're recording on mic with a video camera, how is it possible to get into this world? Like, uh, is it basically impossible? So you've, you've spoken with a few people, uh, what is it? Like the godfather of, uh, cyberwar, cybersecurity. So people that are already out, and they still have to be pretty brave to speak publicly (laughs). Um, but is it virtually impossible to really talk to anybody who's a current hacker? Are you always like 10, 20 years behind?
- NPNicole Perlroth
It's a good question, and this is why I'm a print journalist (laughs). But, you know, a lot, when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered. You know, when they've gotten someone on camera, that's usually how they do it. Um, you know, very, very few people talk in this space, and there's actually a pretty well known case study in why you don't talk publicly in this space and you don't get photographed, and that's The Grugq. So, you know, The Grugq is or was this zero-day broker, South African guy, lives in Thailand, and right when I was starting on this subject at the New York Times, he'd given an interview to Forbes. And he talked about being a zero-day broker, and he even posed next to this giant duffel bag filled with cash, ostensibly. And later, he would say he was speaking off the record, he didn't understand the rules of the game, but what I heard from people who did business with him was that the minute that that story came out, he became PNG'd (laughs).
- LFLex Fridman
Hmm.
- NPNicole Perlroth
No one did business with him. You know, his business plummeted by at least half. No one wants to do business with anyone who's going to get on camera and talk about how they're selling zero-days to governments, you know?
- LFLex Fridman
(inhales)
- NPNicole Perlroth
It's, it, it puts you at danger, and, and I did hear that he got some visits from some security folks. And, you know, it's another thing for these people to consider, you know? If they have those zero-day exploits at their disposal, they become a huge target for nation states all over the world. You know, talk about having perfect opsec. You know, you better have some perfect opsec (laughs) if people know that you have access to those zero-day exploits.
- LFLex Fridman
Which sucks because, um...I mean, transparency here would, um, be really powerful for educating the world, and also inspiring other engineers to do good. It just feels like when you operate in the shadows, um, it doesn't help us move in the positive direction in terms of, like, getting more people on the defense side versus on the attack side.
- NPNicole Perlroth
Right.
- LFLex Fridman
But, of course, what, what can you do? I mean, the best you can possibly do is have great journalists, uh, inte- just like you did, interview and write books about it. And integrate the information you get while hiding the sources.
- NPNicole Perlroth
Yeah. And I think, you know, what HackerOne has told me was, "Okay, let's just put away the people that are finding and developing zero-day exploits all day long. Let's put that aside. What about the, you know, however many millions of programmers all over the world who've never even heard of a zero-day exploit? Why not tap into them and say, 'Hey, we'll start paying you if you can find a bug in United Airlines software or in Schneider Electric or in Ford or Tesla?'" And I think that is a really smart approach. Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them.
- 25:50 – 38:34
Ransomware attack
- LFLex Fridman
Okay, I have to ask you about this, uh, from a personal side of... (laughs) It's funny enough. After we agreed to, to, to talk, I've gotten, for the first time in my life, was a victim of a cyberattack. Um, so this is ransomware. It's called Deadbolt. People can look it up. Uh, I have a QNAP device for basically kind of cold-ish storage. So it's, uh, about 60 terabytes with 50 terabytes of data on it in RAID 5, and apparently, about 4,000 to 5,000 QNAP devices were, um, hacked and taken over with this ransomware. And what, what ransomware does there is it goes file by file, almost all the files on the QNAP storage device, and encrypts them. And then there's this very eloquently and politely written page that pops up. Uh, you know, it describes what happened. "All your files have been encrypted. This includes, but is not limited to, photos, documents, and spreadsheets." "Why me?" (laughs) This is, uh, p- a lot of people commented about how friendly and eloquent this is written.
- NPNicole Perlroth
(laughs)
- LFLex Fridman
And I have to commend them. It is, and it's pretty user-friendly. (laughs) Uh, "Why me? This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor, QNAP. What now? You can make a payment of exactly 0.03 Bitcoin," which is about $1,000, "to the following address. Once the payment has been made, we'll follow up with transaction to the same address," blah, blah, blah. They give you instructions of, uh, what happens next and they'll give you a decryption key that you could then use. And then there's another message for QNAP that says, um, "All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this and future damage. One, make a Bitcoin payment of five Bitcoin to the following address and that will reveal to QNAP the, uh," I'm summarizing things here, "the, what, what the actual vulnerability is. Or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers." 50 Bitcoins is about $1.8 million. Okay. So first of all, on a personal level, this one hurt for me. Um, there's... I mean, I learned a lot 'cause I wasn't, for the most part, backing up much of that data because I thought I can afford to lose that data. It, it's not, like, horrible. That mean- I think you've spoken about, uh, you know, the crown jewels, like making sure there's things you really protect.
- NPNicole Perlroth
Right.
- LFLex Fridman
And I have thing, I have m- m- you know, I'm very conscious security-wise on the crown jewels. But there's a bunch of stuff, like, you know, personal videos that are not, like, I don't have anything creepy but just, like, fun things I did that because they're very large or 4K or something like that, I kept them on there thinking RAID 5 will protect it. You know, just I lost a bunch of stuff.
- NPNicole Perlroth
Yeah.
- LFLex Fridman
Including, uh, raw, um, footage from interviews and all that kinda stuff. Uh, so it's painful, and I'm sure there's a lot of painful stuff like that for the 4,000 to 5,000 people that use QNAP.
- NPNicole Perlroth
Yeah.
- LFLex Fridman
Uh, and there's a lot of interesting ethical questions here. Do you pay them? Does QNAP pay them? Uh, do the individuals pay them? Especially when you don't know if it's going to work or not.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
Uh, do you wait? So QNAP said that, "Please don't pay them."
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
"We're, we're working very hard day and night to solve this."
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
Um, it's so philosophically interesting to me because I also project onto them thinking, "What is their motivation?" Because the way they phrased it on purpose perhaps, but I'm not sure if that actually reflects their real motivation, is, um, maybe they're trying to help themselves sleep at night basically saying, "This is not about you. This is about the company-"
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
"... with the vulnerabilities." Just like you mentioned, this is the justification they have.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
But they're hurting real people.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
Uh, they hurt me, but I'm sure there's a few others that are really hurt.
- NPNicole Perlroth
Mm-hmm. And the zero-day factor is a big one. You know, that, they are p- QNAP right now is trying to figure out what the hell is wrong with their system that would let this in. And even if they pay, if they still don't know where the zero day is, what's to say that they won't just hit them again and hit you again? So that really complicates thing and, and things, and that is a huge advancement for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit zero-days... to pull these off. Usually, 80% of them, uh, I think the data shows 80% of them come down to a lack of two-factor authentication. You know, so when someone gets hit by a, by a ransomware attack, they don't have two-factor authentication on, you know, their employees were using stupid passwords, like, you can mitigate that in the future. This one, they don't know. They, they probably don't know.
- LFLex Fridman
Yeah. And it was, uh, I guess it's zero-click, 'cause I didn't have to do anything.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
The only thing I, I'm... Well, you know. Here's the thing. (sighs) I did, you know, basics of... You know, I put it behind a firewall. I followed the instructions.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
But, like, I wasn't... I didn't really pay attention, so maybe there's like... Maybe there's a misconfiguration of some sort that's easy to make.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
I mean, it's v- It's difficult when you have a personal NAS on... I, so I don't... I, I'm not willing to sort of, uh, say that I did everything I possibly could.
- 38:34 – 51:42
Cyberwar
- LFLex Fridman
So how much of this between states is going to be a part of war, this kind of, these kinds of attacks on Ukraine, between Russia and US, Russia and China, China and US?
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
Let's look at China and US. Do you think China and US are going to, um, escalate a si- something that would be called a war purely in the space of cyber?
- NPNicole Perlroth
I believe any geopolitical conflict from now on (laughs) is guaranteed to have some cyber element to it. The Department of Justice recently declassified a report that said China's been hacking into our pipelines, and it's not for intellectual property theft. It's to get a foothold so that if things escalate in Taiwan, for example, they are where they need to be to shut our pipelines down. And we just got a little glimpse of what that looked like with Colonial Pipeline and the panic buying and the jet fuel shortages, and that assessment I just mentioned about the diesel. So they're there. You know, they've, they've gotten there. Um, any time I read a report about new aggression from fighter jets, Chinese fighter jets in Taiwan, or what's happening right now with Russia's buildup on the Ukraine border, or India-Pakistan, I'm always looking at it through a cyber lens, and it really bothers me that other people aren't (laughs). Because there is no way that these governments and these nation states are not going to use their access to gain some advantage, uh, in those conflicts. And, you know, I am now in a position where I'm a, an advisor to the Cybersecurity, uh, Infrastructure Security Agency at the, at DHS, so I'm not saying anything classified here. But I just think that it's really important to understand just generally what the collateral damage could be for American businesses and critical infrastructure in any of these escalated conflicts around the world. Because just generally, our adversaries have learned that they might never be able to match us in terms of our traditional military spending on traditional weapons and fighter jets. But we have a very soft underbelly when it comes to cyber. 80% or more of America's critical infrastructure, so pipelines, power grid, nuclear plants, water systems, is owned and operated by the private sector. And for the most part, there is nothing out there legislating that those companies share the fact they've been breached.
They don't even have to tell the government they've been hit. There's nothing mandating that they even meet a bare minimum standard of cybersecurity. Um, and that's it. So even when there are these attacks, most of the time we don't even know about it. So that is, you know, if you were gonna design a system to be as blind and vulnerable as possible, that's as, that's as pretty, pretty good. (laughs) That's what it looks like, is what we have here in the United States. And everyone here is just operating like, "Let's just keep hooking up everything for convenience." You know, software eats the world. Um, let's just keep going for cost, for convenience sake, just because we can. And when you study these issues and you study these attacks and you study the advancement and the, the uptick in frequency and the, the lower barrier to entry that we see every single year, you realize just how dumb (laughs) software eats world is. And no one has ever stopped to pause and think, "Should we be hooking up these systems to the internet?" They've just been saying, "Can we? Let's do it." And that's a real problem. And this, and just in the last year, you know, we've seen a record number of zero-day attacks. I think there were 80 last year, which is probably more than double what it was in 2019. Um, a lot of those were nation states. Uh, you know, we live in a world with a lot of geopolitical hot points right now. And where those geopolitical hot points are, are places where countries have been investing heavily in offensive cyber tools.
- LFLex Fridman
If you're a nation state, the goal would be to maximize the footprint of zero-day, like super secret zero-day that nobody's aware of. And whenever war is initiated, the huge negative effects of shutting down infrastructure, any kind of zero-day, is the chaos it creates. So if you just ... There's a certain threshold when you create the chaos that the markets plummet. Just everything goes, goes to hell. (sighs) So there-
- NPNicole Perlroth
I mean, it's not just zero-days. You know, we make it so easy for, for threat actors. I mean, we're not using two-factor authentication. We're not patching. Um, there was the Shellshock vulnerability that was discovered a couple years ago. It's still being exploited no- because so many people haven't fixed it. Um, so you know, the zero-days are really the sexy stuff, and what really got, drew me to the zero-day market was the moral calculus we talked about. Um, particularly from, you know, the US government's point of view. How do they justify leaving these systems so vulnerable when we use them here, and we're baking more of our critical infrastructure with this vulnerable software? You know, it's not like we're using one set of technology and Russia's using another and China's using this. We're all using the same technology, so when you find a zero-day in Windows, you know, you're not just leaving it open so you can spy on Russia or implant yourself in the Russian grid. You're leaving Americans vulnerable too. But you know, z- but zero-days are like, that is the secret sauce, you know? That's the, that's the superpower, you know? And I, and I always say, like every country now, with the exception of Antarctica, someone added the Vatican to my list-
- LFLex Fridman
(laughs)
- NPNicole Perlroth
... is trying to find, uh, offensive hacking tools and zero-days to make them work. And those that don't have the skills now have this market that they can tap into where, you know, $2.5 million, that's chump change for a lot of these nation states. It's a, it's a hell of a lot less than (laughs) trying to build the next fighter jet. Um, but yeah, the goal is chaos. I mean, why did Russia turn off the lights twice in Ukraine, you know? I think part of it is chaos. I think part of it is to s- to sow the seeds of doubt in their current government.
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
Your government can't even keep your lights on. Why are you sticking with them, you know? Come over here, and we'll keep your lights on at least. You know, there's like a little bit of that.
- LFLex Fridman
Nuclear weapons seems to have helped prevent nuclear war. Is it possible that we have so many vulnerabilities and so many attack vectors on each other that you'll kind of, uh, achieve the same kind of equilibrium, like mutually assured destruction? (laughs)
- NPNicole Perlroth
Yeah.
- LFLex Fridman
That's, that's one hopeful solution to this. Do you have any hope for this particular solution?
- NPNicole Perlroth
You know, nuclear analogies always tend to fall apart when it comes to cyber, mainly because you don't need fissile material, you know? You just need a laptop and the skills, and you're in the game. So it's a really low barrier to entry. Um, the other thing is attribution's harder, and we've seen countries muck around with attribution. We've seen, you know, nation states piggyback on other countries' spy operations and just sit there and siphon out whatever they're getting. Um, we learned some of that from the Snowden documents. We've seen Russia hack into Iran's command and control attack servers. Uh, we've seen them hit a Saudi petrochemical plant where they did neutralize the safety locks at the plant, and everyone assumed that it was Iran given Iran had been targeting Saudi oil companies forever. But nope, it turned out that it was a graduate research institute outside Moscow. So, you see countries kind of playing around with attribution. Why? I think because they think, "Okay, if I do this, like how am I gonna cover up that it came from me because I don't want to risk the response?" So, people are sort of dancing around this. It's just in a very different way, and you know, at The Times, I'd covered the Chinese hacks of infrastructure companies like pipelines. I'd covered the Russian probes of nuclear plants. I'd covered, covered the Russian attacks on, on the Ukraine grid, and then in 2018, my colleague David Sanger and I covered the fact that US Cyber Command had been hacking into the Russian grid and making a pretty loud show of it. And when we went to the National Security Council, because that's what journalists do before they publish a story, they give the other side a chance to respond, I assumed we would be in for that really awkward, painful conversation (laughs) where they would say, "You will have blood on your hands if you publish this story." And instead, they, they gave us the opposite answer. 
They said, "We have no problem with you publishing this story." Why? Well, they didn't say it out loud, but it, it was pretty obvious they wanted Russia to know that we're hacking into their power grid too, and they better think twice before they do to us what they had done to Ukraine. So yeah, you know, we have stumbled-
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
... into this new era of mutually assured digital destruction. Um, I think another sort of quasi-norm we've, we've, uh, stumbled into is proportional responses. You know, there's this idea that if you get hit, you're allowed to respond proportionally at a time and place of your choosing, you know? That is how the, the language always goes. That's what Obama ... said after North Korea hit Sony, "We will respond at a time and place of our choosing." Um, but no one really knows, like, what that response looks like. And so what you see a lot of the time are just these, like, just short of war attacks.
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
You know, Russia turned off the power in Ukraine, but it wasn't like it stayed off for a week.
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
It stayed off for a number of hours. Um, you know, NotPetya hit those companies pretty hard, um, but no one died, you know? And it, the question is, what's gonna happen when someone dies? And can a nation state masquerade as a cyber criminal group, as a ransomware group? And that's what really complicates coming to some sort of digital Geneva Convention. Like, there's been, there's been a push from Brad Smith at Microsoft. We need a digital Geneva Convention. And on its face, it sounds like a no-brainer. Yeah, why wouldn't we all agree to stop hacking into each other's civilian hospital systems, elections, power grid, uh, pipelines? But when you talk to people in the West, officials in the West, they'll say, "We would never. We'd love to agree to it, but we'd never do it when you're dealing with Xi or Putin or Kim Jong-un." Because a lot of times, they outsource these operations to cyber criminals. In China, we see a lot of these attacks come from this loose satellite network of private citizens that work at the behest of the Ministry of State Security. So, how do you come to some sort of state-to-state agreement when you're dealing with transnational actors and cyber criminals, where it's really hard to pin down whether that person was acting alone or whether they were acting at the behest of the MSS or the FSB? And, you know, a couple years ago, I remember, can't remember if it was before or after NotPetya, but Putin said, "Hackers are like artists who wake up in the morning in a good mood and start painting." You know, in other words, "I have no say over what they do or don't do." So, how do you, how do you come to some kind of norm when that's, that's how he's talking about these issues, and he's just decimated Merck and, you know, Pfizer and another, you know, however many thousand companies?
- LFLex Fridman
That is the fundamental difference between nuclear weapons and, and cyber attacks is the attribution, or one of the fundamental differences.
- 51:42 – 1:00:49
Cybersecurity
- LFLex Fridman
If you can fix one thing in the world, in terms of cybersecurity, that would make the world a better place, what would you fix?
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
So, you're not allowed to fix, like, authoritarian regimes and... (laughs)
- NPNicole Perlroth
Right.
- LFLex Fridman
You have to, you have to keep that. You have to keep human nature as it is.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
In terms of on the security side, technologically speaking, uh, you mentioned there's no regulation on companies in the United States. Um, what, what, uh, if you could just, uh, fix with the snap of a finger, what would you fix?
- NPNicole Perlroth
Two-factor authentication. Multi-factor authentication. It's, it, it's ridiculous how many of these attacks come in because someone didn't turn on multi-factor authentication. I mean, Colonial Pipeline, okay? They took down the biggest conduit for gas, jet fuel, and diesel to the East Coast of the United States of America. How? Because they forgot to deactivate an old employee account whose password had been traded on the dark web, and they'd never turned on two-factor authentication. This water treatment facility outside Florida was hacked last year. How did it happen? They were using Windows XP from like a decade ago that can't even get patches if you want it to. And they didn't have two-factor authentication. Time and time again, if they just switched on two-factor (laughs) authentication, some of these attacks wouldn't have been possible. Now, if I could snap my fingers, that's a thing I would do right now. But of course, you know, this is a cat and mouse game, and then the attacker's onto the next thing. But I think right now, that is like bar none, that is just, that is the easiest, simplest way to deflect the most attacks. And you know, the name of the game right now isn't perfect security. Perfect security is impossible. They will always find a way in. The name of the game right now is make yourself a little bit harder to attack than your competitor, than anyone else out there, so that they just give up and move along. And, you know, maybe if you are a target for an advanced nation state or y- you know, the SVR, you know, you're gonna get hacked no matter what. But you can make cyber criminal groups' deadbolt, is it? You can make their jobs a lot harder, um, simply by doing the bare basics. And the other thing is stop reusing your passwords. But if I only got one, then two-factor authentication.
- LFLex Fridman
So what is two-factor authentication? Factor one is what, logging in with a password? And factor two is like have another device or another channel through which you can confirm, "Yeah, that's me."
- NPNicole Perlroth
Yes. You know, usually this happens through some kind of text. You know, you get your one-time code from Bank of America or from Google. Um, better way to do it is spend $20 buying yourself a FIDO key on Amazon. That's a hardware device. And then if you don't have that hardware device with you, then you're not gonna get in. And the whole goal is, I mean, basically, you know, my first half of my decade at the Times was spent covering like the cop beat (laughs) . It was like Home Depot got breached. News at 11:00. You know, Target, Neiman Marcus. Like, who wasn't hacked over the course of those five years? And a lot of those companies that got hacked ... What did hackers take? They took the credentials. They took the passwords. They can make a, a pretty penny selling them on the dark web, and people reuse their passwords. So, you get one from, you know, God knows who, I don't know, LastPass-
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
... worst case example actually, LastPass-
- LFLex Fridman
(laughs) .
- NPNicole Perlroth
... but you get one, and then you go test it on their email account, and you go test it on their brokerage account, and you test it on their cold storage account.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
You know, that's how it works. But if you have multi-factor authentication, then they can't get in, because they might have your password, but they don't have your phone, they don't have your FIDO key, you know? And, and so you keep them out. And, you know, I get a lot of alerts (laughs) that tell me someone is trying to get into your Instagram account, or your Twitter account, or your email account. And I don't worry, because I use multi-factor authentication. They can try all day. Um, okay, I worry a little bit, but-
- LFLex Fridman
Mm-hmm.
- NPNicole Perlroth
... you know? There, it's, it's the simplest thing to do, and we don't even do it.
- LFLex Fridman
Well, there's an interface aspect to it, 'cause it's pretty annoying if it's implemented poorly.
- NPNicole Perlroth
Yeah, true.
- LFLex Fridman
So, uh, so actually, bad implementation of two-factor authentication, not just bad, but just something that adds friction, is a security vulnerability, I guess, because it's really annoying. Like, uh, I think MIT for a while had two-factor authentication, and it was really annoying. And just, it, like the, the ti- the number of times it pings you, like, uh, it re- it asks to reauthenticate across multiple subdomains, like, it just feels like a pain. Um, I don't know what the right balance there?
- NPNicole Perlroth
Yeah.
- LFLex Fridman
... to-
- NPNicole Perlroth
It feels like friction, in our frictionless society.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
It feels like friction. It's annoying. That's security's biggest problem. It's annoying. You know, we need the Steve Jobs of security to come along, and we need to make it painless. And actually, you know, on that point, Apple has probably done more for security than anyone else simply by introducing biometric authentication, first with the fingerprint and then with Face ID. And it's not perfect, but, you know, if you think just eight years ago, everyone was running around with either no passcode, an optional passcode, or a four-digit passcode on their phone that anyone... You know, think of what you can get when you get someone's iPhone, if you steal someone's iPhone. And, you know, props to them for introducing the fingerprint and Face ID. And, and again, it wasn't perfect, but it was a huge step forward. Now, it's time to make another (laughs) huge step forward. Um, I want to see the password die. I mean, (laughs) it's gotten us as far as it was ever gonna get us, and I hope whatever we come up with next is not gonna be annoying, is gonna be seamless.
- LFLex Fridman
When I was at Google, that's what we worked on is, I mean, there's a lot of ways to call this, active authentication, passive authentication. So, basically you use biometric data, not just like a fingerprint, but everything from your body to identify who you are, like movement patterns. So, you basically create a lot of layers of protection where it's very difficult to fake-
- NPNicole Perlroth
Yeah.
- LFLex Fridman
... including, um, like face unlock, checking that it's your actual face, like the liveness tests, so like from video, so unlocking it with video-
- NPNicole Perlroth
Yeah.
- 1:00:49 – 1:17:42
Social engineering
- LFLex Fridman
What about social engineering? Do you worry about this sort of hacking people?
- NPNicole Perlroth
Yes. I mean, this is the worst nightmare of every chief information security officer out there ... um, you know, social engineering. We work from home now. (laughs) I saw this, this, uh, woman posted online about how her husband ... It went viral today, but it was her husband had this problem at work. They hired a guy named John, and now the guy that shows up for work every day doesn't act like John. (laughs) I mean, think about that.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
Like think about the potential for social engineering in that context. You know, you apply for a job and you put on a pretty face, you hire an actor or something, and then you just get inside the organization and get access to all that organization's data. You know, a couple of years ago, Saudi Arabia planted spies inside Twitter. You know why probably? Because they were trying to figure out who these people were who were criticizing the regime on Twitter. You know, they couldn't do it with a hack from the outside, so why not plant people on the inside? And that's like the worst nightmare. And it also, unfortunately, creates all kinds of xenophobia at a lot of these organizations. I mean, if you're gonna have to take that into consideration, then organizations are gonna start looking really skeptically and suspiciously at someone who applies for that job from China. Um, and we've seen that go really badly at places like the Department of Commerce, where they basically accuse people of being spies that aren't spies. So, it is the hardest problem to solve, and it's never been harder to solve than right at this very moment when there's so much pressure for companies to let people work remotely.
- LFLex Fridman
That's actually why I'm single. I'm suspicious-
- NPNicole Perlroth
(laughs)
- LFLex Fridman
... Ch- China and Russia, every time I meet somebody, are trying to plant, uh, and get insider information, so I'm very, very suspicious. I, I keep, uh, putting the Turing test in front ... No. Um-
- NPNicole Perlroth
No, I have a friend who worked inside NSA and was one of their top hackers-
- LFLex Fridman
Right.
- NPNicole Perlroth
... and he's like, "Every time I go to Russia, I get hit on by these 10s."
- LFLex Fridman
Yeah.
- NPNicole Perlroth
"And I come home, my friends are like, 'I'm sorry, you're not a 10.'"
- LFLex Fridman
Yeah.
- NPNicole Perlroth
Like ... (laughs)
- LFLex Fridman
Yeah, yeah, yeah.
- NPNicole Perlroth
It's a common story.
- LFLex Fridman
It's ... I mean, it, it's difficult to trust, (laughs) to, to trust humans in this day and age online, you know, 'cause, so we're working remotely, that's one thing, but just interacting with people on, on the internet. It sounds, sounds ridiculous, but, you know, I've, uh, because of this podcast in part, I've gotten to meet some incredible people, but it, you know, it makes you nervous to trust folks, and I don't know how to solve that problem, so I'm, uh, talking with Mark Zuckerberg, who dreams about creating the metaverse. What do you do about that world where more and more our lives is in a digital sphere? Like, um, one way to phrase it is, most of our meaningful experiences, at some point, will be online, like falling in love, getting a job, or experiencing a moment of happiness with a friend, with a new friend made online. All of those things. Like more and more, the fun we do-
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
... the things that make us love life will happen online, and if those things have an avatar-
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
... that's digital, that's like a way to hack into people's minds-
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
... whether it's with AI, AI or kind of troll farms or something like that. I don't know if there's a way to protect against that. That, that, uh, that might fundamentally rely on our faith in, in how good human nature is. So, if most people are good, we're going to be okay, but if people will turn towards manipulation and, um, malevolent behavior in search of power, then we're screwed. (laughs) So, uh, I don't know if you can comment on how to keep the metaverse secure. (laughs)
- NPNicole Perlroth
Yeah, I mean, I ... All I thought about when you were talking just now is my three-year-old son.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
(laughs) You know, he, he asked me the other day, "What's the internet, Mom?" And I just almost wanted to cry. (laughs) You know, uh, I don't want that for him. I don't want all of his most meaningful experiences to be online. You know, by the time that happens, um, how do you know that person's human? He- that avatar is human. You know, I believe in free speech. I don't believe in free speech for robots and bots, and like look what just happened over the last six years. You know, we had bots pretending to be Black Lives Matter activists just to sow some division, or, you know, Texas secessionists, or, um, you know, organizing anti-Hillary protests, or just to sow more division, to tie us up in our own politics so that we're so paralyzed we can't get anything done. We can't make any progress, and we definitely can't handle our adversaries and their long-term thinking. Um, it really scares me, and here's where I just come back to, just because we can create the metaverse, you know, just because it sounds like the next logical step in our digital revolution, uh, do I really want my, my child's most significant moments to be online? They weren't for me, you know? So, maybe I'm just stuck in that old school thinking, or maybe I've seen too much (laughs) and, um, I'm really sick of being the guinea pig parent generation (laughs) for these things. I mean, it's hard enough with screen time. Like thinking about how to manage ... the metaverse as a parent to a young boy, like, I can't even let my head go there. That's so terrifying for me. But we've never stopped any new technology just because it introduces risks. We've always said, "Okay, the promise of this technology means we should keep going, keep pressing ahead. We just need to figure out new ways to manage that risk." And you know, that is, that's, that's the blockchain right now. Like, when I was covering all of these ransomware attacks, I thought, "Okay, this is gonna be it for cryptocurrency. 
You know, governments are gonna put the kibosh down. They're gonna put the hammer down and say, 'Enough is enough.'" Like, we have to put this genie back in the bottle because it's enabled ransomware. I mean, five years ago, they would hijack your PC and they'd say, "Go to the local pharmacy, get a e-gift card, and tell us what the PIN is, and then we'll get your $200."
- LFLex Fridman
Yeah.
- NPNicole Perlroth
Now, it's, "Pay us, you know, five Bitcoin." Um, and so there's no doubt cryptocurrencies enabled ransomware attacks, but after the Colonial Pipeline ransom was seized, because if you remember, the FBI was actually able to go in and claw some of it back from DarkSide, which was the ransomware group that hit it. And I spoke to these guys at TRM Labs. So they're, they're one of these blockchain intelligence companies. And a lot of people that work there used to work at the Treasury. And what they said to me was, "Yeah, cryptocurrency has enabled ransomware, but to track down that ransom payment would have taken, you know, if we were dealing in, with fiat currency, would have taken us years to get to that one bank account at the, or belonging to that one front company in the Seychelles. And now thanks to blockchain, we can track the movement of those funds in real time. And you know what? You know, these payments are not as anonymous as people think. Like, we still can use our old hacking ways and zero days and, you know, old-school intelligence methods to find out who owns that private wallet and how to get to it." So it's a, it's a curse in some ways, in that it's an enabler, but it's also a blessing. And they said that same thing to me that I just said to you. They said, "We've never shut down a promising new technology because it introduced risk. We just figured out how to manage that risk."
- LFLex Fridman
And I think that's where the conversation unfortunately has to go is, uh, how do we, in the metaverse, use technology to, uh, to fix things? So maybe we'll finally be able to, not finally, but figure out a way to solve the identity problem on the internet, meaning like a blue check mark for actual human, and connect it to identity, uh, like a fingerprint so you can prove you're you, and yet do it in a way that doesn't involve the company having all your data. So giving you, allowing you to maintain control over your data, or if you don't, then there's complete transparency of how that data is being used, all those kinds of things. And, and maybe as you educate more and more people, they would demand in a capitalist society that the companies that they give their data to will-
- 1:17:42 – 1:27:12
Snowden and whistleblowers
- LFLex Fridman
You mentioned Snowden. You've talked about looking through the, uh, NSA documents he leaked and doing the hard work of that. What do you, uh, make of Edward Snowden? What have you learned from those documents? What do you think of him?
- NPNicole Perlroth
Hmm.
- LFLex Fridman
Is, um... In the long arc of history, is Edward Snowden a hero or a villain?
- NPNicole Perlroth
I think he's neither. I have really complicated feelings about Edward Snowden. Um, on the one hand, I'm a journalist at heart, and more transparency is good. And I'm grateful for the conversations that we had in the post-Snowden era about the limits to surveillance and how critical privacy is. And when you have no transparency and you don't really know, in that case what our secret courts were doing, um, how can you truly believe that our country is taking our civil liberties seriously? Um, so on one- on the one hand I'm grateful that he cracked open these debates. On the other hand, when I walked into the storage closet (laughs) of classified NSA secrets, I had just spent two years covering Chinese cyber espionage almost every day, and this sort of advancement of Russian attacks ... they were just getting worse and worse, and more destructive. And there were no limits to Chinese cyber espionage and Chinese surveillance of its own citizens, and there seemed to be no limit to what Russia was willing to do, um, in terms of cyber attacks, and also, in some cases, assassinating journalists. So when I walked into that room, there was a part of me, quite honestly, that was relieved to know that the NSA was as good as I hoped they were. And we weren't using that knowledge to, as far as I know, assassinate journalists. Uh, we weren't using our access to, you know, take out, uh, pharmaceutical companies. For the most part, we were using it for traditional espionage. Now, that set of documents also sent me on the journey of my book, because to me, the American people's reaction to the Snowden documents was a little bit misplaced. You know, they were upset about the phone call metadata collection program. Angela Merkel, I think rightfully, was upset that we were hacking her cell phone. Um, but in sort of the spy-eat-spy world, hacking world leaders' cell phones is pretty much what most spy agencies do. 
And there wasn't a lot that I saw in those documents that was beyond what I thought a spy agency does. And I think if there was another 9/11 tomorrow, God forbid, we would all say, "How did the NSA miss this? Why weren't they spying on those terrorists? Why weren't they spying on those world leaders?" You know, there's some of that too. But I think that there was great damage done to, um, the US's reputation. Um, I think we, we really lost our halo-
- LFLex Fridman
Hmm.
- NPNicole Perlroth
...um, in terms of a, uh, protector of civil liberties, um, and I think a lot of what was reported was unfortunately reported in a vacuum. That was my biggest gripe, that we were always reporting, "The NSA has this program and here's what it does," and, "The NSA is in Angela Merkel's cell phone, and the NSA can do this." And, uh, no one was saying, "And by the way, (laughs) China has been hacking into our pipelines and they've been making off with all of our intellectual property, and Russia's been hacking into our energy infrastructure, and they've been using the same methods to spy on track, and in many cases, kill their own journalists, and the Saudis have been doing this to their own critics and dissidents." And so you can't talk about any of these countries in isolation. It is really like spy-eat-spy out there. (laughs) And, uh, so I just have complicated feelings, you know? And the other thing is, and I'm sorry this is a little bit of a tangent, but the amount of documents that we had, like thousands of documents, most of which were just crap, but had people's names on them.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
You know, part of me wishes that those documents had been released in a much more targeted, limited way. It's just, a lot of it just felt like a PowerPoint that was taken out of context, um, and you just sort of wish that there had been a little bit more thought into what was released. Because I think a lot of the impact from Snowden was just the volume of the reporting. But I, but I think, you know, based on what I saw personally, um, there was a lot of stuff that I just, I don't know why that, that particular thing got released.
- LFLex Fridman
As a whistleblower, what's the better way to do it? 'Cause, I mean, there's fear, there's ... (sighs) It takes a lot of effort to do a more targeted release, you know? If there's proper channels, you're afraid that those channels would be manipulated. Like, who do you trust?
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
What's a better way to do this, do you think? As a journalist ... This is almost like a journalistic question. Reveal some fundamental flaw in the system without destroying the system? I, I bring up, you know, again, Mark Zuckerberg and Meta. There was a whistleblower that came out about Instagram internal studies, and I also am torn about how to feel about that whistleblower-
- NPNicole Perlroth
Hmm.
- LFLex Fridman
...because from a company perspective that's an open culture, how can you operate successfully if you have an open culture where any one whistleblower can come out, out of context, take a study, whether it represents a larger context or not, and, uh, the press eats it up? And then that creates a narrative that is f- j- just like with the NSA you said, it's out of context, very targeted to where, "Well, Facebook is evil clearly, because of this one leak." It's really hard to know what to do there, 'cause we're now in a society that's deeply distrust institutions, and so narratives by whistleblowers make that whistleblower and their forthcoming book very popular. And so there's a huge incentive to take stuff out of context and to tell stories that don't represent the full context, the full truth. It's hard t- to know what to do with that, 'cause then, um, that forces Facebook, Meta, and governments to be much more conservative, much more secretive. It's like a race to the bo- (laughs) bottom. I, I don't know. I don't know if you can comment on any of that, how to be a whistleblower ethically and properly.
- NPNicole Perlroth
I don't know. I mean, these are hard questions. And, you know, even for myself, like in some ways, I think of my book as sort of blowing the whistle on the underground zero-day market. But, you know, it's not like I was in the market myself. It's not like I had access to classified data when I was reporting out that book. You know, as I say in the book, like, listen, I'm just trying to scrape the surface here (laughs) so we can have these conversations before it's too late. And, um, you know, I'm sure there's plenty in there that someone who's, you know, a US intelligence agency's preeminent zero-day broker probably has some voodoo doll of me out there. (laughs) And, you know, you never, you're never gonna get it 100%. Um, but I really applaud whistleblowers like, you know, the whistleblower who, who blew the whistle on the Trump call with Zelenskyy. I mean, people needed to know about that, that we were basically, in some ways, blackmailing an ally to try to influence an election. I mean, they went through the proper channels. They weren't trying to profit off of it, right? There was no book that came out afterwards from that whistleblower. Um, that whistleblower's not like... They, they went through the channels. They're not living in Moscow, you know? Let's put it that way.
- LFLex Fridman
Can I ask you a question? You mentioned NSA. One of the things it showed is they're pretty good at what they do. Again, this is, uh, a touchy subject, I suppose, but there's a lot of conspiracy theories about intelligence agencies. From your understanding of intelligence agencies, the CIA,
- 1:27:12 – 1:36:59
NSA
- LFLex Fridman
NSA, and the equivalent of, in other countries, are they... One question. This could be a dangerous question.
- NPNicole Perlroth
(laughs)
- LFLex Fridman
Are they competent? Are they good at what they do? And two, are they malevolent in any way? Sort of, um, I recently had a conversation about, uh, tobacco companies that kind of see their customers as dupes. Like, they can just play games with, with people.
- NPNicole Perlroth
Mm-hmm.
- LFLex Fridman
Conspiracy theories tell that similar story about intelligence agencies, that they're interested in, in manipulating the populace for whatever ends the powerful in dark rooms, cigarette smoke, cigar f- smoke-filled rooms. What, what's your sense? Do these conspiracy theories have kind of any truth to them? Um, or are intelligence agencies, for the most part, good for society?
- NPNicole Perlroth
Okay. Well, that's an easy one. (laughs)
- LFLex Fridman
Is it?
- NPNicole Perlroth
No.
- LFLex Fridman
(laughs)
- NPNicole Perlroth
I think, you know, it depends which intelligence agency. Think about the Mossad, you know? They're killing every, um, Iranian nuclear scientist they can over the years, you know? But have they delayed the time horizon before Iran gets the bomb? Yeah. Um, have they probably staved off terror attacks on their own citizens? Yeah. Um, you know, none of these... I- intelli- Intelligence is intelligence, you know? You can't just say, like, they're malevolent or they're heroes, you know? Everyone I have met in this space is not like, the pound-your-chest patriot that you see on, you know, the beach on the 4th of July. A lot of them have complicated feelings about their former employers. Well, at least at the NSA, it reminded me, to do what we were accused of doing after Snowden, to spy on Americans, you have no idea the amount of red tape and paperwork and bureaucracy it would have taken to do what everyone thinks that we were supposedly doing.
- LFLex Fridman
Yeah.
- NPNicole Perlroth
Um, but then, you know, we find out in the course of the Snowden reporting about a program called LOVEINT, where a couple of the NSA analysts were using their access to spy on their ex-girlfriends. (laughs) So, you know, there's an exception to every case. Um, generally, I will probably get, you know, accused of my Western bias here again, but I think you can, you can almost barely compare, um, some of these Western intelligence agencies to China, for instance. And the surveillance that they're deploying on the Uyghurs, to the level they're deploying it, and the surveillance they're starting to export abroad with some of the programs, like the watering hole attack I mentioned earlier, where it's not just hitting the Uyghurs inside China, it's hitting anyone interested in the Uyghur plight outside China. I mean, it could, it could be an American high school student writing a paper on the Uyghurs. They wanna spy on that person too. You know, there's no rules in China really limiting the extent of that surveillance. And we all better be a- pay (laughs) attention to what's happening with the Uyghurs, because just as Ukraine has been to Russia in terms of a test kitchen for its cyberattacks, the Uyghurs are China's test kitchen for surveillance. And there's no doubt in my mind that they're testing them on the Uyghurs. Uyghurs are their petri dish, and eventually they will export that level of surveillance overseas. I mean, in 2015... Obama and X- and Xi Jinping reached a deal where basically the White House said, "You better cut it out on intellectual property theft." And so they made this agreement that they would not hack each other for commercial benefit. And for a period of about 18 months, we saw this huge drop-off in, in Chinese cyber attacks on American companies. But some of them continued. Where did they continue? They continued on, uh, aviation companies, on hospitality companies like Marriott. Uh, why? Because that was still considered fair game to China.
It wasn't IP theft they were after. They wanted to know who was staying in this city at this time when Chinese citizens were staying there so they could cross-match for counterintelligence, who might be a likely Chinese spy. I'm sure we're doing some of that too. Counterintelligence is counterintelligence. It's considered fair game. Um, but where I think it gets evil is when you use it for censorship, you know, s- to suppress any dissent, um, to do what I've seen the UAE do to its citizens where people who've gone on Twitter just to advocate for better voting rights, more enfranchisement, suddenly find their passports confiscated. Uh, you know, I talked to one critic, Ahmed Mansoor, and he told me, you know, "You might find yourself a terrorist- labeled a terrorist one day, and you don't even know how to operate a gun." I mean, he had been beaten up every time he tried to go somewhere. His passport had been confiscated. By that point, it turned out they'd already hacked into his phone, so they were listening to us talking. They'd hacked into his baby monitor, so they're spying on his child. Um, and they stole his car. (laughs) And then they created a new law that you couldn't criticize the, the ruling family or the ruling party on Twitter. And he's been in solitary confinement every day, um, since on hunger strike. So, that's evil. You know, that's evil. And we still, we don't do that here. You know, we, we have rules here. We don't cross that line. Um, so yeah. In some cases, like, I won't go to Dubai. You know, I won't go to Abu Dhabi. If I ever wanna go to the Maldives, like, too bad. Like, most of the flights go through Dubai.
- LFLex Fridman
So there's some lines we're not willing to cross. But then again, just like you said, there's individuals within NSA, within CIA, and they may have a power. And to me, there's levels of evil. To me personally, this is the stuff of conspiracy theories, is, um, the things you've mentioned as evil are more direct attacks. But there's also psychological warfare, so blackmail. So w- what does, um, what does spying allow you to do? It allows you to collect information if you have something that's embarrassing, or if you have, like Jeffrey Epstein conspiracy theories, active, what is it? Manufacture of embarrassing things, and then use blackmail to manipulate the population or all the powerful people involved. It troubles me deeply that MIT allowed somebody like Jeffrey Epstein in their midst, especially some of the, uh, scientists I admire, that they would hang out with that person at all. And so, you know, I'll talk about it sometimes, and then a lot of people tell me, "Well, obviously Jeffrey Epstein is a front for intelligence." And I just, um, I struggle to see that level of competence and malevolence. Um, but, you know, who the hell am I? And I, I guess... I w- I was trying to get to that point. You said that there is bureaucracy and so on which makes some of these things very difficult. I wonder how much malevolence, how much competence there is in these institutions, like how far... This takes us back to the hacking question. How far are people willing to go if they have the power? This has to do with social engineering. This has to do with hacking. This has to do with manipulating people, attacking people, doing evil to people, psychological warfare and stuff like that. I don't know. I believe that most people are good. And, um, I don't think that's possible in a free society. There's something that happens when you have a centralized government where power corrupts over time and you start, um, you know, surveillance programs kind of, um...
It's like a slippery slope that over time starts to, to, uh, both use fear and direct manipulation to control the populace. But in a free society, I just, um... it's difficult for me to imagine that you can have, like, somebody like a Jeffrey Epstein a front for intelligence. I don't know what I'm asking you, but I'm just, um... (sighs) I have a hope that for the most part, intelligence agencies are trying to do good and are actually doing good for the world when you view it in the full context of the complexities of the world. (sighs) But then again, if they're not, would we know? That's why Edward Snowden might be a good thing. Let me ask you on
- 1:36:59 – 1:44:30
Fear for cyberattacks
- LFLex Fridman
a personal question. You have investigated some of the most powerful organizations and people in the world of cyber warfare, cybersecurity. Are you ever afraid for your own life, your own well-being, digital or physical?
Episode duration: 2:01:34
Transcript of episode hy2G3PhGm-g