Kevin Mitnick, the infamous hacker turned security expert, reveals his early exploits—dumpster-diving for Pacific Bell’s Cosmos system credentials and phishing a teacher’s password via acoustic modems—before detailing his 1989 arrest, three-year fugitive stint, and prison escapes through social engineering. Now leading ethical penetration tests with near-perfect success rates, he debunks Sony’s North Korea hack claim, citing weak passwords like "ML3," and warns of Dark Web risks, including Silk Road’s Ross Ulbricht takedown. Mitnick dismisses infrastructure "fire sales" as unlikely but highlights real threats like the OPM breach, stressing secure backups and hardened OS options like SELinux. His advice: hands-on learning with tools like Metasploit trumps costly education, while offshoring risks lax security. Concludes by promoting The Art of Invisibility, his guide to evading digital surveillance for everyday users. [Automatically generated summary]
No bad language and no using the restroom during the show.
Now, the second rule is actually only one call per show.
Those are just listener checks.
All right, first thing I want to do tonight is correct my email.
I said last night that you could email me ideas for tomorrow night's open lines session where anything goes.
And I mean ideas about, you know, what special line we could have that would be really fun.
And I gave you the wrong email address.
So let me correct that tonight.
If you would like to email me a suggestion that you think would be fun to explore with people on the air, you know, just use as a special line.
I mean, it's going to be open lines, right?
But special lines are fun.
The correct email is artbell at knye.com.
That's Kilowatt, Nancy, Yokohama, Easy.
Artbell at knye.com.
Sorry about that.
I'm sure a lot of you had bounced emails.
All right.
I do want to give a little news here because I'm afraid there is news.
It's never good.
Confronting insurmountable obstacles, he said, the majority leader, Kevin McCarthy, suddenly withdrew from the contest for Speaker of the U.S. House on Thursday, shocking everybody just before the vote and producing an ever deeper chaos for divided Congress.
Said he, we need a new face.
Now, people were looking at him in disbelief, and, you know, nobody can know what happened on TV.
You know, I watch a lot of political-type shows, right?
Somebody would have handed him a slim 10 by 10, 10 by 11 manila envelope, and he would have opened it.
His face would have blanched, and he would say, okay, I'm out.
That'd be how it would happen on TV.
I'm not saying that happened here.
But there was shock.
Russia continues to help us to death in Syria.
Clashes intensified sharply on Thursday between Syrian troops and insurgents in central and northwestern Syria.
Part of what a top general called a clearing operation near government strongholds on the coast.
This is really getting serious.
They fired 26 long-range missiles into Syria.
Well, actually, four of them did not make it into Syria and exploded instead in Iran.
Turkey is getting involved.
Now, look, I don't want to scare anybody, but we did a show not long ago on nuclear war that I would recommend to you.
Go back in the archives.
If you're a time traveler and you can hear the older shows, it was, what, about a week ago or so?
We did a show on nuclear war, what World War III would be like.
And again, I don't want to scare anybody, but U.S. and Russian jets are brushing wingtips up there, so to speak.
That's metaphor.
They're not really brushing wings.
But you don't need to, with modern jets, you can shoot somebody down at 30 or 40 miles away.
This is really, really getting serious.
Allies are becoming involved, enemies more involved, big enemies even more involved.
Could it lead to World War III?
Well, I have friends in high places, three-lettered places, and they're beginning to worry.
And if they worry, we should worry.
I'm not saying that World War III is right around the corner, but yeah, but it could be.
This really is scary stuff.
You see Russia and the U.S. beginning to mix it up in the skies, bombing different targets with different things in mind over the same country in the Middle East or that area, and you just know it's going to be trouble.
When President Obama arrives in Oregon on Friday, he's going to find a timber town still in mourning over the shooting that killed eight community college students and a teacher, but he will also find a deeply held emotion, something like anger seething over his calls for new gun restrictions.
People don't like that.
I don't like that.
We have the right to bear arms.
And what's wrong, I will say it a million times if I must, is it's a mental health problem, not a gun problem.
The president himself actually made a small reference to a mental health problem the other day during his speech, the emotional speech after the shooting.
Now, this is shocking and interesting at the same time.
Dr. Alan Stern, you may have heard, sparked absolutely frenzied speculation that the space agency NASA was about to announce a groundbreaking discovery after saying scientists had found something amazing on the icy planet.
That's like saying something wonderful.
He also referred to the planet as alive during a speech to students.
And so everybody went berserk.
Even Richard last night was going, oh, my God, what could it be?
What could it be?
He even was quoted as telling a meeting, NASA won't let me tell you what we're going to tell you on Thursday.
But with so many NASA announcements, this one, there was huge disappointment when he took to a social media, the social media, to squash all this, saying, well, he had no idea how the remarks had been misinterpreted using the handle at New Horizons 2015 sent a series of tweets in which he then retweeted from his own personal account, debunking the idea, even the idea of an imminent announcement, much less something amazing.
He wrote, there is a false rumor going around there's going to be a big New Horizons science announcement tomorrow, completely false.
Asked by a fellow user whether he had been misquoted, he replied, I have no idea how it was misinterpreted, but it was.
So that's one you've got to wonder about, too.
I mean, do you suppose that the torsion field was bearing down on him from above, but that he decided he can't release the information?
I don't know any more than I know about the speaker thing.
All right, so coming up after the break, we have somebody special tonight.
We have Kevin Hacker Extraordinaire.
Kevin is simply the world's most famous hacker, once one of the FBI's most wanted because, well, he hacked into 40 major corporations just for the challenge.
And they sent him to jail just for the challenge.
Kevin is now a trusted security consultant to the Fortune 500 and governments worldwide.
Kevin and the Global Ghost Team, how's that for a name, now maintain 100% successful track records in being able to penetrate the security of any system they're paid to hack into using a combination of technical exploits and social engineering.
And he will also be here in a moment to tell you how he and Tommy Chung alone, instead of the whole Chinese government, hacked successfully into Sony.
We'll tell you all about that.
Stay right where you are.
This is midnight in the desert.
I'm Art Bell.
unidentified
We came from somewhere back in a long ago.
He said that the fool don't see time and hard to recreate what had yet to be created.
Well, actually, like how I got started with computer hacking was for my love of magic.
So when I was a young boy, around 10 years old, I used to ride my bicycle over to the magic store, and I always wanted to know how the magicians, or it actually, or the magicians or kind of sales magicians, would actually do their magic tricks.
And I just love doing this stuff and amazing my friends.
And when I was in high school, I met this other kid in high school who could actually work magic with a telephone.
And he could do all these tricks, like he could get my unlisted number.
He could add what they called custom calling features to my phone.
And back in those days, it was like freeway calling, call waiting, call forwarding.
He could just do anything.
And I was just wowed.
And I just wanted to learn how I can do what he did because it was so cool at the time.
And this was what they called phone phreaking.
And this is kind of the predecessor to hacking.
And not only was I involved in this, but if you recall, Steve Jobs and Steve Wozniak back in the mid-70s were also involved in phone phreaking a little bit differently.
They built these boxes called blue boxes.
One blue box is just a device that emits a certain frequency tones called multi-frequency.
And 2,600 hertz was the initial tone that you would use before you used a blue box.
No, so in any event, so Jobs had the idea, hey, let's sell these at Berkeley's campus and make some money.
And that was the actual initial funding for the Apple One board.
So kind of Apple computers started from dabbling in phone phreaking, if you will.
So it's quite an interesting story.
In fact, there's going to be a new Steve Jobs movie, I think, out Friday here in the States.
So I'm excited to see it.
Oh, really?
But in any event, so I was just like so fascinated with this phone phreaking stuff, I just wanted to learn all about it.
I remember when I was a kid, I would go on these dumpster diving missions at the phone company.
And what dumpster diving is is when you're looking in the trash for discarded manuals and information and inter-company directories.
And I remember at one time we found a bag of trash, you know, a small little bag, and somebody had gone to the trouble of ripping up this document and, you know, tiny bits of paper.
Social engineering is kind of more manipulating a target.
But we actually took these bits of paper and put it together at the local Winchell's Donut House in L.A., and it was the entire username and password list to the system called Cosmos.
And with Cosmos, you could actually create telephone service.
Or if you have, you could basically do anything at the time, and it gave you all this power over the phone company.
Yeah, yeah, for, yeah, for quite some time, you know, I think at least over a decade.
So in any event, so I was so amazed with this phone phreaking stuff that I just delved into this, even to the point where I would be staying up late, you know, talking to other people with similar interests, and I'd always be late for school.
So it kind of overtook my life for a little bit.
And then I met this other kid in high school that knew about all the things I could do with the phone.
And I was also in amateur radio at the time.
So when I was like 13 years old, I passed my general test, and I was always fascinated with the ability to use a thing called an auto patch.
Oh, well, when you were talking about radio, you know, when they tried to take my ham ticket, you know, I am glad they didn't know about something that I did in my younger years, because remember, I got my amateur radio license about 13, is I used to have so much fun when I was about 16 years old.
I guess I was a junior in high school, taking over McDonald's drive-up windows.
So I remember the frequency was 154.6 megahertz, and I forgot the PL, the sub-audible tone, but what you could do is when somebody would drive up to make an order, I'd be using like a 5-watt handheld, which would overpower their small little transceivers they'd wear on their head.
And when customers would drive up, I'd get to take their order.
And, you know, Kevin taking their order is a lot more entertaining than McDonald's taking the order.
You know, in Walmart, they all have headphones and little radios in Walmart.
And so I was thinking, how fun would it be to drive into the Walmart parking lot, announce yourself as the president of Walmart International Visiting, and the first, oh, I don't know, 35 employees to make it out the front door into the parking lot, get $1,000 each.
And then the other student goes, hey, show Mr. Chris what you can do with the telephone.
And then it was like watching a guy watching David Copperfield perform.
I mean, the guy was just like, oh, my God.
And immediately says, I'm letting you into class.
And once you know, like the first assignment, this was a programming class, Fortran.
The first programming assignment was to write a Fortran program to find the first 100 Fibonacci numbers.
And at the time, I thought that was the most boring application of writing a Fortran program that they could think of.
So instead, I thought, hey, it would be cool to write a program to steal the teacher's password.
You know, at least that had some utility to it.
So I didn't know anything about coding.
And I just read, read, and read.
And at the time, I read a lot about the operating system they used in high school at the time.
And I actually wrote this program that was a login simulator.
Kind of today they call it phishing.
And what we used in the time, if you remember this, we had these old Olivetti terminals.
They had acoustic coupler modems that would go 110 baud.
That's about 10 characters a second, if you could imagine.
And they would never, the instructor, when he would log onto the computer, you know, in the Los Angeles Unified School District, he would always stay dialed in and never hang up the phone to re-log in.
So basically what my program did was it simulated the login process.
So I was able to steal his password.
He never knew about it.
And so it came around time to turn in the assignment.
And he came up to me and goes, where's your Fibonacci assignment, Mr. Mitnick?
And I, hey, I didn't do it.
I'm sorry.
I was busy.
And he goes, wait a second.
I stuck my neck out to let you into class, even though you didn't have the prerequisites, and you're going to embarrass me by not even doing the work.
And I said, well, I wrote a different program.
It's in Fortran.
It was a little bit more complex.
You might like it.
And he goes, what is it?
I said, the one to steal your password, isn't it?
Blah, blah, blah, blah.
unidentified
You're the birth and nurturing of what grow up to be.
We were talking about when I was in high school, and I wrote that, and the computer instructor allowed me in the class, and he gave me an assignment to write the first, to find the first 100 Fibonacci numbers using Fortran.
Instead, I wrote a program to steal his password.
That's what we're talking about.
So when I showed him the program, I mean, first of all, he was like shocked that I had his password all this time.
But he actually, you know, took the program, put it up on the chalkboard, and showed all the other students and gave me a whole bunch of attaboys that this was the coolest program that he's seen.
So back when I was in high school, the ethics taught, at least to me and to others, was hacking was a cool thing.
There were no laws against it.
And that's kind of how I started on my path into this hacking endeavors.
Well, you know, I started more hacking into the phone company because at the time I was definitely interested in phone phreaking.
Then I took the ability of learning about computer systems to breach Pacific Bell and General Telephone's computer networks and gain control of what phone company switches, if you will.
Basically had the ability to do anything with anybody's phone service in California at the time, California, Nevada.
And that's kind of what... It was more for pulling pranks, like changing what they called a line class code in a switch on a phone number.
What that did is change the type of service.
So we'd go in and change our friends' home phones to pay phones.
So every time they'd make a call, say, please deposit 25 cents to the point of changing their service to a prison phone so they could only make collect calls.
So we'd constantly be betting against each other to see who could do the better hacking.
And the bet was always $150.
Dinner for two at Spagos, we figured out $150.
And I kept winning.
And then he got upset about it and said, well, I'm not going to pay you.
And I said, oh, yeah, you're not.
Even though we have this bet going.
He goes, no, I'm not paying you.
I said, okay.
Then I figured I'd just kind of play a joke on him.
And so what I did is on a Friday when he was getting paid, I called up the company and represented I was with the Internal Revenue Service and that we're faxing over our garnishment order.
So please do not give him his check.
And the whole idea was just to inconvenience him for the weekend.
It was like a joke, a practical joke, but he got really, really angry over the whole thing and then went to his boss and told him all the hacking we were doing.
And then they both called the FBI together.
So that's basically how I got caught was, you know, other people knew what I was doing and informed on me.
So I ended up in court, in federal court, and I was arrested on a Friday, and I end up in custody at Terminal Island Federal Prison for the weekend, which wasn't fun at all.
And I end up in court, and I'm positive I'm going to get bailed out.
It just matters how much is the bail going to be.
So I end up in federal court, and I walk in, and this attorney walks in that's going to immediately represent me, a federal public defender.
He goes, have you ever been outside the country?
I go, no.
Have you ever had a passport?
No.
And we go into court, and the federal prosecutor starts telling this judge, not only do we have to hold Mr. Mitnick without bond because he's such a danger to the community, we have to make sure he can't get access to a telephone.
And then he goes on to say if Mr. Mitnick gets access to a telephone, even a payphone in custody, he could dial up to the modem at NORAD and he could whistle into the modem and communicate with the modem and instruct it to pass the launch codes to the ICBMs and start a nuclear war.
So I had access codes to be able to dial into MCI, which was a long-distance carrier, and then hacking into DEC, Digital Equipment Corporation, and getting access to source code of one of their security tools that acted as an automated hacker.
So, in any event, later on, after about a year, I was able to get out of there because before we even leave this, what's it like to spend a year in solitary?
It was pretty tough.
Can you imagine all your listeners going into their bathroom in their home and shutting the door behind them and not leaving for a year?
Now, mind you, they allowed you to shower for three times a week.
They let you go into this recreational area that wasn't so much bigger, you know, one hour a day.
But I'm telling you, I mean, it was pretty horrific.
And I wonder how that actually affected me today.
But the idea that you're just locked in this cell 23 out of 24 hours a day for a year is like, it was just an incredible amount of like, how, you know, I asked myself today, how did I get through such an ordeal?
So anyway, the judge made a special order that I was only allowed to call five people at the time, and that was my mother, my grandmother, my attorney, my father.
Like I had five people on the list that I could call.
And so imagine I'm in solitary confinement, and at the time I was married, and I could only call my wife's phone number at the time.
And she was always at work.
And funny enough, she worked at General Telephone in Thousand Oaks.
Yeah, so that was pretty funny.
But in any event, so when they would allow me to make a phone call, it was always during the day.
So the guard would shackle my hands, shackle my feet, walk me over to this room that had three payphones.
And the payphones had, the handset cords were quite long.
And then the guard would take out this logbook.
He'd say, who do you want to call?
And I'd tell him what I want to call.
He would dial the number with a zero in front of it because it always had to be collect.
And he'd hand me the phone.
And he'd sit in the chair watching every move I made.
But, you know, it got even better than this because I figured I had nothing to lose.
What else could they do to me?
I'm in solitary confinement in a federal prison.
It can't get any worse.
So I figured, okay, I'm going to try to beat their system.
So what I did is I would, you know, I pace back and forth when I was on the phone.
I'd be scratching my back.
I'd be rubbing my back against the payphone, you know, facing the guard.
And then I thought, okay, I'm going to give this a shot.
I really wanted to talk to my wife at the time who was actually at work.
And her number wasn't on the list.
The work number wasn't on there.
So basically, I put my hand behind my back, and I hung up the switch hook.
And I knew, then I put my hand in front of me and just acted like I was rubbing my back against the phone again.
And I knew I had 18 seconds before it would start going to what they call a reorder, like a fast busy tone.
And I would hear it.
And then I reached back at me and acted like I was scratching my back.
And I dial zero plus the work number.
And I was pretty good with using a touch-tone pad.
It wasn't that hard.
And as I was walking, I act like I was in conversation because the operator was going to come on and say, who's the collect call from?
So I'd say, oh, you know, tell Uncle Mitchell that Kevin said hi.
And when I said the word Kevin, that's when the operator's asking who the collect call's from.
And I was able to do this, right, to call anybody that I wanted for like, you know, three to four weeks.
And then one morning, about six in the morning, my cell door opens, and it's the executives of the prison, the associate warden, like two of them, the captain.
You know, I thought that, you know, maybe a family member had died.
Something really serious was going on.
So they brought me into this room and they sat me down.
And then the captain, he's the head of security, goes, Mitnick, how are you doing it?
And I go, excuse me, how am I doing what?
He says, well, we're monitoring your phone calls downstairs.
We're actually recording all of them.
You know, you do have notice about this.
And somehow our officer is watching you every second.
And you're somehow redialing the phone.
How are you doing it?
And then I remarked to him, I said, I don't know what you're talking about.
Then I was out on supervised release and I'm trying to make a long story short and what had happened is I kind of got out of hacking at the time.
I got into being a gym rat, so I'd be working out all the time.
I kind of moved my interest into working out and stuff like that and moving away from the hacking.
And then all of a sudden I had a horrific experience happen in my family.
My brother, my half-brother, he was found dead in his car on the passenger side in a bad area of Los Angeles.
So then I go, then I knew the cops weren't interested in really investigating this, that he would just be some sort of statistic.
And I was pretty close to my brother at the time, and I just had to find out what was going on.
So I started getting back into hacking to get into the systems to find out, to look at phone records that might help me identify or figure out what actually happened to my half-brother.
We had somebody else in the family, actually, an uncle, who was heavy into using heroin.
And I immediately thought, well, maybe my brother hooked up with my uncle and something was going on there.
So the first thing I did was get what they called the call detail records of my uncle, my uncle's cell phone at the time, to get his location where he physically was during the last 48 hours and anybody that he called.
So I was kind of becoming like a somewhat of a private investigator to figure out what had happened to my brother.
Yes, unfortunately, I found out my initial instinct was correct because my half-brother's, well, my uncle's former wife had, when he passed away, had come clean with the story that he was definitely the guy behind it and told me the entire story.
So unfortunately, my hacking skills then helped me uncover that it was him at the time, but I found out later that I was absolutely 100% spot on.
You know, I was kind of explaining it before we went to break.
And so what had happened is we already talked about number one.
Then number two was a much longer and complicated story that started with me getting back into the hacking, you know, to investigate why my brother was found dead in a car.
And I remember that the government at the time had sent this guy, a guy named Justin Peterson, his name was also known as fake name was Eric Hines.
They sent this guy who had been involved in credit card fraud and other activity to see what I was up to because they told him there would be a real feather in your cap if you can get some evidence that Kevin Mitnick is doing something wrong.
I kind of figured it out kind of quickly, and then I started investigating the FBI and trying to figure out what they were doing to the point where I hacked into PacTel Cellular in Los Angeles, because back in those days...
Now, I don't know whether you're speaking loudly and far from the mic or you need to adjust the volume or something, but this time you began to get a little distorted, like you were hitting it too hard.
So what had happened is I kind of figured out what was going on kind of quickly.
And to fast forward a little bit, I decided, well, I'm going to find out who's investigating me and why they're doing it.
So what I ended up doing is I hacked into Pacific Bell Cellular.
And back in those days, there was only two cell phone providers in Los Angeles, LA Cellular and Pactel Cellular.
And I was able to successfully get in.
And the first thing I was looking at was the call detail records, that's the real-time billing records to try to identify who has a cell phone that's provided by their services provided by Pactel that calls this informant guy because I was able to figure out his home phone number.
And that's another story in itself.
And then I was able to identify these five to six phone numbers that were calling him quite frequently.
And then I looked at their billing records and saw that they were calling internal numbers at the FBI.
So it wasn't hard to figure out that the cell phone numbers of the team of FBI agents that were working with this guy.
So I set up this early warning system.
I was working as a private investigator in Calabasas, which is a suburb of L.A. And I set up this early warning system that basically using a device like a radio scanner and using a particular software, I was able to monitor the cell site in Calabasas over radio to determine whether or not any of these cell phone numbers registered, which means that they're physically in the same location.
So I set up this early warning system for the FBI, and nothing had happened.
I kind of forgot about it.
And about three weeks later, I walked into the office and I heard this loud beeping coming from my office as I walked into it.
And I go like, what's going on?
This is weird.
And I looked at the computer and the early warning system had been tripped.
And I go, oh, my God.
You know, one of the numbers came up.
And I knew who had the number because what these agents would do is they'd call their voicemail all the time.
So I'd see this number that was constantly repeating.
And so I called the voicemail and then it would say, hello, you know, this is Ken Maguire with FBI squad three or whatever.
And then I knew the names that were attached to the cell phone numbers.
So this guy, Ken, the guy who was the lead guy that was kind of my Hanratty in Catch Me If You Can.
So this guy was the lead guy trying to capture me or catch me doing something wrong.
And so at the time, I looked at this capture, and two hours earlier, when I was sound asleep, this guy, Ken, had called a payphone across the street from my apartment at the market.
And I'm going, and I'm thinking to myself, that doesn't make any sense.
Like, why is he calling a payphone?
He's at my apartment complex.
Two hours, and I'm sleeping.
They know where I live.
Why didn't they knock on the door?
What are they doing?
They're not there to arrest me.
So then immediately I realized what was going on is they were there to get a description of my apartment premises for a search warrant.
And I go, oh, so that's what they're doing.
So, of course, I immediately went home.
I cleaned out anything that would be interesting to the government, anything electronic.
I put it over at a friend's house.
And then because I was such a smart ass at the time, I decided to go over to the local donut shop.
And I bought an assorted dozen donuts.
And I wrote with a Sharpie on the box, FBI donuts.
I stick it in the refrigerator.
And then on a piece of paper outside the refrigerator with a magnet, I put FBI donuts inside, like with the Intel logo, how I used to say Intel inside, or whatever.
I made an FBI donuts inside.
So they actually raided me the next morning at 6 a.m.
At 6 a.m., they were trying the key into my door, but I opened it, and all these federal agents are storming into my apartment, in my small one-bedroom apartment, and the only thing they found were the FBI donuts.
They were pretty pissed.
So this is another reason why the government, I think, came down on me quite hard is because I was such a smartass and I mean, okay, so they obviously, or did they arrest you on the spot?
Well, what had happened is I routinely used to check to see if I was being wiretapped.
If you'd believe it.
I do.
And what I used to do is use what we call a social engineering attack.
I'd call the central office and I'd impersonate security or something.
And I would try to find out if they had certain types of devices in the central office.
And then if they did, I'd have the frame tech technician go ahead and trace out the connections and give me the data.
So basically, I was able to call the central office to find out if the phone company had any active wiretaps going at the time.
So what I did is I called the Calabasas Central Office.
I acted like I was with security.
My con was, was, hey, I'm with the PacBell security, and we have an ongoing case in Canoga Park, and we need to know if we have any of our boxes over there, because we're going to have to move them to Canoga Park for this investigation.
So the FrameTech goes offline, and he says, oh, yeah, we have three.
And I go, oh, my God, because at the time I was staying at my dad's apartment and he had three phone lines.
So, what had happened is I had the frame tech trace these connections out and I realized the wiretaps weren't on me, they were on this private investigation company called Teltech Investigations.
And so, I was so ecstatic because I was so worried that I was being wiretapped, but it turned out to be on some other target.
So I went home that night and I told my dad we're having dinner, and I said, hey, dad, I was checking to see if we had any wiretaps on the line, you know, over normal conversation over dinner.
And my dad looks at me like I'm some nut, like I'm living in some spy novel.
None of this is true.
unidentified
It's like a figment of my imagination that was quite funny.
So they wanted me to figure out what was going on.
And I said, hey, that would be kind of interesting.
And so when I was doing this, I did kind of cool favors for this guy.
I added special custom calling features you couldn't get at the time, like caller ID.
They didn't even have caller ID tariffed in California.
And I added it to this guy's line.
And so when the phone company, when they figured out what was going on later, what the violation of probation was, was I was able to find out the phone number of the law enforcement officer.
It was a sheriff, a guy named David Simon, who was working the case against Teltech.
And what I did is I hacked into this guy's voicemail.
So basically I could find out the status of the investigation.
So anyway, so I was working in a law firm in Denver, and I remember one of my jobs was, well, one of my duties in the law firm as a system admin was actually, you know how lawyers are, they'll bill you for using a paperclip.
So basically, they put me in charge of, you know, maintaining the phone system to make sure that all the attorney calls were billed to the right attorney-client matter.
So basically, what I did is I added my own covert code in the system that if anybody in the law firm had called the FBI in Denver or Los Angeles or the U.S. Attorney's Office in Denver or Los Angeles, they would send me a page to my pager.
And it actually tripped a couple times, but I got really nervous, but it turned out that it had nothing to do with me.
It was the U.S. Attorney's Office in L.A., but their civil division.
So I used to set up all these early warning system type schemes, if you will, to basically protect myself when I was on the run.
Well, basically, we hacked in, me and this other guy in Israel hacked into this guy, Tsutomu Shimomura.
And this guy was a security researcher that worked out of UC San Diego.
And we thought, you know, at the time, we were very interested in the source code to the firmware on cellular phones.
And what these were were trophies.
So I hacked into many of the major cell phone companies to get the source code to the cell phone.
And it wasn't that I was trying to sell it or trying to do anything.
I wasn't giving it away or publicizing it.
It was simply as a trophy.
So we thought that this guy Shimomura, who had the source code to the Oki 900, which was a model of cell phone.
So we went and came up with a novel way to break into his system.
And nobody knew it at the time.
It was using what we call, well, it was manipulating how TCP/IP worked with sequence numbers.
And I'm not going to get into the tech behind it.
So basically, using this novel attack, we're able to hack this guy.
And right away, I was like suspect number one.
So Shimomura went on kind of like a vigilante mission to help the FBI capture me as, you know, because, of course, I drew first blood.
And basically, what had happened, if you fast forward, is they were able to identify a cell phone number I was using in Raleigh, North Carolina, and run out with radio direction finding equipment to basically nab me.
And mind you, when I was on the run, I always, the first thing I would do is compromise the local telephone provider's infrastructure.
So, imagine I go to Raleigh, I already had control of all the phones in Raleigh.
And what I did is I set up the cell phone number that I was using so you couldn't trace it back.
So, basically, it would loop in the switch.
They had these switches with DMS-100 switches.
And I basically said if they tried to trace the call, a tech at the phone company, they couldn't do it.
But Shimomura was actually pretty smart.
He did a thing.
He basically said, well, we know Kevin is dialing into this internet service provider called Netcom, which was a popular internet service provider back in the dial-up days.
So why don't we search the call detail records, kind of like what I did with the FBI a couple years earlier, and see if any cell phones in Raleigh are calling the dial-up numbers.
So that's how they were able to identify the phone I was using, because I used to change my cell phone number every day.
So that's how they were able to go about that.
Then we went out with radio direction finding gear and found the apartment where I was living under a cover identity.
And they couldn't trace what apartment it was.
So around, again, I was a gym rat at the time, so I used to go working out at night all the time.
So I arrived home about 12:30, 1 a.m.
And immediately I went online to start my hacking stuff.
And I just had a weird gut feeling in my stomach that something was seriously wrong.
Yeah, yeah, just like something really bad's going to happen.
So I walk outside my apartment, and I could see the parking lot, and I scan the cars in the parking lot because I just have this overwhelming fear.
And then I go back in the apartment.
Well, it turned out that when they traced the radio signals, I went to the other side of the apartment.
But because I went outside and it looked suspicious at 1:30 in the morning that some guy is looking at the cars in the parking lot and goes back in his apartment, that's how the U.S. Marshal that was on the team to apprehend me actually saw me, and that's how they were able to nab me.
One of them was to go through a CIA debriefing because the government had thought, again, that I somehow hacked into CIA systems.
And when I agreed to do the debriefing, basically on my own activities, they basically never did it.
What I learned is the CIA used to have computers supplied by Digital Equipment Corporation.
And since I had thoroughly compromised DEC's internal network and had access to everything, they were afraid that I was going to put some code into the operating system to gain access to intelligence computer systems.
So I never did that, never was planning on it, but that was the fear.
So basically, I ended up in custody.
I was hacking.
I was breaking the law.
I thought it was a little bit overboard, some of the, you know, like holding me in solitary confinement for potentially launching nuclear weapons.
But, you know, but I'm so happy that I'm able to put all this stuff behind me.
I mean, you know, this was like, you know, I look at this as all this is behind me, and I get to kind of do the same thing.
No, I actually, yeah, it's kind of like Pablo Escobar becoming a pharmacist, right?
So basically, companies hire me and my team to basically compromise their physical security, their technical security, basically everything's security to find whether or not they're vulnerable so they could shore up their defenses so they could resist a real bad guy coming along later and protect themselves that way.
I watched it on YouTube, but I'm kind of skeptical of whether it was really North Korea because I really believe that Sony, you know, they have so much internet properties, if you will, that it really wouldn't be that hard to hack into their network.
Well, every time you hear about a hack on a national security issue, it's always China or North Korea.
It's gotten to the point that every unsolved hack has to be China.
Now, mind you, I don't have access to the information the NSA has, so they might have access to certain information or knowledge that they have that squarely places the blame on North Korea.
But personally, I haven't seen anything through any transparency on the government's part to actually prove that's the case.
Again, I'm skeptical because I know how easy it would probably be to hack into Sony.
And in fact, when the hackers did this doxing, what doxing is where they hack into a target and just expose all their internal information, there were some documents in there that show that Sony's internal security wasn't really up to par.
And mind you, the CEO, Michael Lynton of Sony Pictures, his domain password to get his email remotely, I can give it to you, it's changed.
It was Sony, S-O-N-Y, M-L, which is his initials, followed by a three.
unidentified
So you kind of wonder, like, how can this guy pick such a stupid password?
All right, so I keep getting these calls, and so it's got to be one of the latest things from Microsoft.
Hello, an Indian voice says to me, I'm from Microsoft, and the last time your computer booted up, we detected a virus.
And then they would have you go to your computer and go through all kinds of gyrations, which lead inevitably to something horrible.
Now, I never let it go that long.
My friend Paul, he gets these calls as well.
And he took one of the guys and he kept him going, I think, for about an hour, maybe an hour and 10 minutes, you know, playing dumb, like, would you please go to run?
I had the same thing happen, and I actually posted the audio to my website where this guy from the support, I think he called it the Windows Support Center.
Paul did that, but after an hour and 10 minutes, he told the guy, oh, I've got Apple.
What happened is the guy called him back and called him every name in English that he could think of and his family and everything else and then every Indian curse word he could hurl at him.
I think called him twice.
He was so angry.
Oh, well, if you go along with this and you do as they say, they're going to inject a virus into your system, and it's probably a pretty serious one.
Is that the one where you've got to pay to get your computer back?
So what these guys will do is they'll use a program.
They'll have you install a program so they can connect to your computer.
Yes.
And then what they'll do is they'll go ahead and, you know, right in front of you, download some malicious software to your computer and basically then try to sell you a product that cleans up the infection.
So it's basically a money-making scam, and it's been going on for quite some time.
Ransomware is different, is this is a type of malware that will encrypt your files or will pretend to encrypt your files and it will require you to pay a ransom to unlock your files using cryptography, if you will.
They'll encrypt the files.
And if you don't do it, you don't get access to your files.
There's even one case where there was a police department, I forgot exactly where in the United States, that actually was hit with this ransomware.
Is it actually so serious, Kevin, or is there if you get hit with this ransomware thing, is there a way around it, or is it so tight you've got to actually pay?
Well, you have to think about how do you get hit with this stuff.
And usually the way you get hit with it is the bad guys are using typical social engineering, which is using spear phishing attacks or phishing attacks.
So what they do is they trick you as the user into doing something like opening up a file that sends in an email that contains the infection or clicking on a hyperlink.
If people don't do this, they're not going to get infected.
Well, I actually had a client call me that was infected with malware and infected with this ransomware.
And what the ransom was was $500.
So I told the client, I said, it's much cheaper just to pay the ransom.
And that's exactly what they did.
They got all their files back.
You know, in some cases, it depends on how much the ransom is.
And what people really need to do is start backing up their data.
I mean, if they back it up and, you know, and secure that backup, then even if they get infected with the ransomware, they could just restore the files and be done with it.
So I actually think, you know, doing, you know, some of the stuff they're doing is kind of a bad idea because it actually doesn't, you know, they get a little bit of PR.
So if they hack into some police department and expose the officers' home addresses, for example, they get the PR, but they are never able to use that to get what they want.
In other words, they just never advance their agenda.
So, you know, the Dark Web, it's kind of like, you know, it's like these hidden services through Tor.
And there's a lot of, you know, illegal activity that occurs in these services, like with these services, like selling stuff that is illegal, you know, fake identities, for example, drugs.
If you recall, the guy that was running Silk Road was Dread Pirate Roberts, Ross Ulbricht.
He was actually caught even though he was using a Tor hidden service.
So there's a lot of services and information that you can buy on the dark web that is stolen data.
Okay, well, if you look up a darknet in search of information on the net, interestingly, one of the responses you get is the darknet is full of criminals and government agents.
I mean, in the case of the Silk Road investigation, apparently Ross Ulbricht had an administrator that was part of administrating Silk Road, and he was actually an undercover DEA agent.
So how do you really vet somebody's identity on the Internet?
I think it's far-fetched because the attackers would have to compromise such a great deal of a number of systems and remain undetected.
Now, mind you, remember when I, back in the 80s and 90s, when I compromised a lot of the telephone companies around the United States, I had complete control of a lot of switches at the time, but each set of prefixes required compromising a different switch and doing it and staying undetected and something like that.
But not only that, what the attackers were able to get, and this is allegedly China, was access to people's tops, when people go for a secret clearance, right?
They get all their psych backgrounds, their family backgrounds.
So the social security number is really easy to get.
I can look up anyone's social security number in 60 seconds on the internet.
But the attack on OPM was much, much more, much more personal data that was compromised and actually could be leveraged by a foreign national.
No, I think PGP is definitely a tool that people could use.
It's ordinarily used obviously to secure your email.
The problem is in configuration, normally the average person on the street can easily configure setting up what they call a private key and a public key.
And then they have to get the person that they're communicating with to do the exact same.
And there's actually a free version of PGP called GPG that anybody can download.
And it actually is a good way to definitely secure your email.
Now, mind you, when you send an email to somebody, you have to have their public key.
Well, one thing you have to make sure is that when you're sending, like if I'm sending an email to Art Bell, that I really have your public key, that it's not somebody else impersonating you.
I don't know of any known attacks that the NSA is using, at least according to the Snowden revelations, where they were able to crack PGP encrypted email.
I mean, some documents that Snowden released, I remember there were some communications between GCHQ and NSA that they couldn't decrypt information that was protected using PGP.
Oh, I would definitely advise Ed Snowden that it would probably be a serious mistake to come back to the United States.
I think if he did, no matter what the U.S. government would promise him, right, that they would actually put him in the ADX Florence, which is a, it's like the most secure federal prison in Florence, Colorado, and he would sit there, you know, in solitary confinement for the rest of his life.
I wouldn't trust that they would really make any real deal with him.
I think they would actually lie to him to get him back to the U.S. unless he had access to some information that the government doesn't want made public that he could use as leverage.
Otherwise, I don't see any leverage he really has in that regard.
So I think if he's captured or voluntarily returns back to the United States, I can't really imagine that he wouldn't be locked up in a, again, an ADX Florence for a very long time.
Public opinion doesn't matter with respect to Snowden because even in my case, they have this big free Kevin campaign about all the crazy things that were happening in my case.
And it didn't, I mean, it raised awareness with the public, but the courts don't care.
The U.S. Department of Justice doesn't care.
But it would be nice if he can come back into the United States and they could pardon him, grant him a presidential pardon.
That would be nice.
But I can't imagine that the Department of Justice would simply just cut him a deal.
Well, I'm actually happy about, you know, I view him as a hero, that he was, you know, exposed, that the intelligence agencies in the United States were eavesdropping on us without a court order, without a warrant, and basically analyzing all communications.
I don't think, though, he should have revealed our operations against foreign governments.
I think he should have kept that secret and kept it to himself.
But I don't view him as a traitor.
I view him more as a whistleblower hero type than anything else.
I mean, I kind of seen how the government works firsthand, you know, dealing with them for a number of years.
And I wouldn't trust it, you know.
And, you know, I think, you know, because of the information that, you know, he exposed that they would probably do any – The president of Bolivia was flying through European airspace, I don't know if it was a year ago or I don't remember the exact date.
And they forced him to land in Austria just because they thought Snowden was on the plane.
Now, if you would like to speak to Kevin, if you've got a question for Kevin about perhaps your computer privacy, or maybe you've got a question about, I don't know, just about your computer, or if you've got a company, maybe you would like to hire Kevin to try and break in.
I mean, that is what they do after all, and that is what Kevin does now.
He's on the right side of the law, and he identifies vulnerabilities, you know, in people's business systems, and this is their livelihood, so it's very, very important stuff.
If you would like to call, our public number is one Area Code 952-225-5278.
I'll give that to you again.
Area code 952-225-5278.
Now, there is another way to call.
It's called Skype.
If you have, I don't know, an iPhone, an Android, whatever, a pad, put Skype on it.
And once you've done that, oh, it's so easy.
Go to add a contact, little plus sign in Skype, and add us.
If you're in North America, America or Canada, add M-I-T-D 51, M-I-T-D 51.
If you are outside of the United States, we can accommodate you as well.
It's MITD55 or Midnight in the Desert, M-I-T-D55.
All right, here once again is Kevin.
And Kevin, before we take calls, I do want to ask this.
Is it safe and are you hidden sufficiently if you use what's called a proxy?
No, because the service you're using, the proxy service, they have your IP address.
Now, if you could connect to the initial connection to the internet per se, if you could conceal or disconnect that IP address from being associated with you, for example, by using a neighbor's Wi-Fi access point, then it probably is a lot safer.
But if you just simply use a proxy, it's not going to really law enforcement could subpoena the logs and find out where you are.
The same thing is with VPN.
I hear a lot about VPN providers that say, we keep no logs.
Even if we're subpoenaed by federal law enforcement agencies, we can't tell them anything about you.
I think that's 100% BS because working in the IT industry, you always need to have logs when you're troubleshooting problems.
And I can't imagine that these big-name VPN providers actually really turn it off.
So again, to really get a good level of privacy, you might think about, well, getting a burner device, like a cell phone or a burner wireless access point, and then not using that near your normal home or work if you really want to maintain your anonymity.
But then how do you go about buying it?
Do you walk into Verizon or T-Mobile and go buy that device?
No, because you're on camera.
You have to actually think about every step of the way.
Do you use Uber to go over to Walmart to buy it?
No, because your movements are tracked.
Do you use a rent-a-car?
No, because they have GPS.
So you have to really think about how are you getting the device you're using?
Is it truly a safe way of obtaining it?
Or is it really traceable?
And then where do you actually use that device?
And talking about a device to connect to the internet, like a prepaid wireless phone or a prepaid hotspot.
How do you acquire it and where do you use it from?
And then how do you use it?
Do you access, like if you're doing stuff, you want to maintain your anonymity, are you crossing that with the stuff that you're doing in real life, like checking your email, checking your Twitter account, going onto Facebook?
And there's so many ways people could make a mistake and get caught up and their real identity be identified, you know, their real identity be explained.
You're hearing about vulnerabilities identified in Android all the time.
Then again, you hear about jailbreaks, jailbreaks that are identified in iOS.
So both operating systems have their share of security vulnerabilities, but I do like the iOS model better.
For example, if I'm installing an app, and an Android will ask you, do you want to give this app all these permissions?
And then once you do it, it never asks you again.
When you do that with an iPhone or an iPad, every time you're doing that function, like it wants your location, it's going to ask for your permission every time.
Well, I haven't actually used Apple Pay personally, but I've read documents on it, and it seems reasonably secure of how they use their protocol, if you will.
But I actually haven't tried to attack Apple Pay yet.
And I'm curious of whether there's room to do, if they tokenize the information so you're predatory number.
You have this ghost team, right, that claims to have a 100% success rate of being able to penetrate any system using technology and any social engineering.
Well, basically, there's different types of security tests that companies have us do.
There's network testing to look at what network services they're exposing to the Internet that could possibly be attacked.
A company could have web applications like when you log on to Bank of America, for example, you're using a web application.
So there's different types of security issues.
When clients allow us to use social engineering, that means when we could try manipulating the humans that actually operate the computers and con them into doing something or exploit them that way, our success rate's 100%.
And it has been since we started with the company.
Now, mind you, if a client wants us to test a web app, we don't have 100% success rate at compromising a web app.
We have a high success rate.
But always when we're allowed to use social engineering, we always get it.
Well, basically, what I had to do is first get a target list.
Who in the company would I be targeting with this attack?
I might move over to LinkedIn.
A lot of business people use LinkedIn, the social network, LinkedIn, and you can kind of identify the individuals that work at companies, their titles and positions.
You could use Salesforce has data.com, which gives you another way of getting that type of information.
So you're basically kind of building your target list.
And then what I would do is look at, well, what does this business do?
Who are their customers?
Who are their suppliers?
Who are their partners?
And then come up with an attack, come up with a situation that I would manufacture to get somebody on the inside to comply with a request, for example, to open up.
Imagine that I'm a new client or that I'm going to hire a law firm, for example.
The law firm is the target.
And I know that the attorney will want to read some documents about the issue or about the case.
What if I could send a booby-trapped PDF file to a partner at the law firm?
And as soon as they open up that PDF file, it exploits a problem with Adobe Acrobat.
And then I have full access to that lawyer's system.
So that's like one simple way that social engineering could be used to attack a system.
But if somebody is saying, hey, test our wireless network and they've deployed it properly, they're using proper security technologies, then we might not get in.
Or if they're having us look at what network services are being exposed by their servers to the internet, if they're not exposing certain types of applications, if you will, that we could possibly exploit, then we're not going to get in.
Well, you know, what we actually look for is when people are interested in working with security is what's their experience, like for example, as a developer?
Like if we're looking for somebody that's going to assess the security of web applications, what's their development experience and what technologies, .NET, Java, what background do they have in systems and network administration and working as a DBA, actually working as a full-time job, but actually have knowledge in these areas of how things work.
And then looking to, there's a lot of universities that offer security degrees.
I know you already said you're not interested in going the university route.
I'm kind of self-taught myself from being a hacker back in the day.
But there's lots of good resources out there on the Internet you might want to look at.
There's a lot of, I remember there was some best-selling book on beginning penetration testing on Amazon.
I didn't actually look at the book myself, but I actually looked at the reviews, and the reviews were pretty high.
You might want to consider looking at that and downloading tools like Metasploit.
Metasploit is a very common penetration testing framework, if you will.
And becoming familiar with a lot of the tools like Metasploit and Nmap and kind of going around to different sites on the internet and learning a lot about security and looking at what tools and what techniques and processes you go through to actually test security controls on various operating systems, devices, and so on and so forth.
Either all of that, caller, or if you want to impress Kevin, spend a year in your bathroom without coming out.
unidentified
All right.
Well, fair enough.
One other quick question, if I may.
Do you happen to have any of this sort of information, these recommendations, listed anywhere online, or would it be all right if I went through your company and sent an email asking for such recommendations?
I haven't taken the courses personally, but I have some friends that are security experts that have and say that they're very well done.
So you might want to look at taking some of these online courses that help you get familiar with how to, for example, doing an external perimeter test against a network, trying to learn more about how to exploit wireless networks or applications.
So there's definitely a lot of resources out there.
No, we were actually, I was working with this guy, JSZ.
It's actually detailed in Ghost in the Wires.
And we were talking about this method of exploitation.
And JSZ and I think two other individuals actually coded the attack.
I didn't actually code it, but I was discussing it and discussing the technique prior to the implementation of the code because we were trying to compromise Shimomura.
unidentified
And it may go down in history as one of the greatest attacks of all time.
Well, you know, I prefer, I like the area of security testing.
That's kind of what I focus on.
But I mean, there's different areas of security like doing forensics, you know, security implementation, you know, working with, you know, being a sales engineer, you know, for a company that's selling security products or actually building products.
I mean, there's so many areas of information security that, you know, what is your interest?
What do you like to do?
And give me some more information about that.
unidentified
I have a pretty wide background in the field of security, and I actually was just interested in areas of emerging software or companies that you feel have the biggest area for potential growth.
I was wondering for your actual security system of choice, why you prefer that one the most out of all the other ones like Linux and all the popular ones, obviously.
One is with the shift from analog to digital telephony, how has that expanded or contracted phone phreaking?
And the other thing is there's concern about smart TVs snooping on people.
And the governor here in California recently signed legislation concerning that.
But I'm thinking that might not be a bad thing because given the state of TV programming these days, it might be more entertained by me than I'm being entertained by it.
Well, you know, back in the day when we're dealing with analog, we could use multi-frequency tones because it was in-band signaling per se and monkey with the phone network.
Today, that's all changed.
Now it's out-of-band signaling.
In fact, nowadays, anyone could go to the Apple App Store and download a Blue Box app, which would have been a felony to have back in the probably the 80s or the 90s.
As far as the smart TV stuff, that's definitely concerning from a privacy perspective.
There's already been hacks that I heard about about people that have the built-in webcam on their television about being able to enable that webcam and get access, obviously, to spy on somebody if they're on the same local network as the TV is on.
But also, a lot of this new technology, this new emerging technology, actually allows you to wake it up by speaking to it, like some of the gaming systems.
So you could actually talk to it, and it will wake up when you talk.
And then you have to wonder, where's that, what you're saying, that audio, where's that being sent?
Is it being sent to Microsoft?
Does Microsoft basically store that information somewhere, even though you're not actually commanding the actual device, but you have some device in your home that's actually intercepting your audio and passing it to some third party?
That's kind of scary.
unidentified
Well, I'm in trouble now because I've been talking back to my TV for years.
And Kevin, he sounded like he was on a cell phone.
How long and when is it going to take, what is it going to take, for cell companies to begin to devote just a little more bandwidth so they don't sound like Bigfoot scat?
I mean, really, it's got to get better because it can't get worse.
Yeah, in fact, I remember that my friends, you know, Steve Wozniak, right when they had digital and analog devices, you know, still had analog, he always used analog phones because they sounded much better.
Well, I mean, if some attacker has a key logger on your system, they obviously could do much more than just simply key logging.
So they could probably just open up the file.
I think it's a bad idea to simply have an Excel spreadsheet or a text file and cut and paste.
Let me finish.
The other issue is I think it's much better rather than you choosing your own passwords that you use a password manager.
There's free ones like KeePass and Password Safe, for example.
And that way you randomly generate passwords for all the different sites that you're visiting, for example, and then you protect that with a master password.
But again, if there's malware that ends up on your machine, the attacker could steal the database, keylog your master password, and it's game over.
So there you go.
unidentified
Well, thank you.
The second question is: Has anybody, either maliciously or trying to impress you, tried to hack you or your company?
Well, they actually successfully hacked our web server that was managed by a third-party company.
Back in the day, we were paying like 50 bucks a month to this third-party company where we hosted our web server, and it was completely separate from our network.
And we didn't even have root administrative access to the web server.
We were able to upload and download files through FTP.
And this third-party company kept getting compromised.
And I think one of the reasons they kept getting compromised is because they handled our web server.
So after dealing with that a couple times, what we decided to do is we moved over to FireHost, which is now called Armor.
And they've done a really stellar job at making sure at least they're not going to get hacked, so we end up getting hacked after.
unidentified
Well, thank you very much, and glad to have you back, Art.
You're welcome to join us via phone line, standard or otherwise.
And, of course, on Skype.
Remember, we are MITD51 in North America, MITD55 out there in the rest of the world.
And here once again is Kevin.
And one more thing I want to bring up with you before we proceed, and that is this.
I have noticed, Kevin, that my bank, which I won't name, and my credit card company, which I also won't name, both have astoundingly good algorithms in place.
And in each case where I've had a problem lately, they have caught it bam, like that.
I mean, their computer algorithms must be so, so good because they know if that's me or somebody else doing it either by geolocation or by my buying habits or whatever it is, each time the bank or the credit card company has caught it, boom, like that.
Anyway, when I think about financial security, people that want to protect their bank accounts from getting hacked, I think a very simple solution, people will spend $100 a year for their antivirus software.
Imagine if you just double it.
You just go buy a Google Chromebook and you use the Google Chromebook, you use the browser in what they call guest mode, so it doesn't save anything on the Chromebook.
And you only use that to log on to your credit card company, log on to your bank account, log on to your brokerage account at Morgan Stanley or Schwab, and you never keep any passwords, of course, on the computer you use for everyday use.
That's going to really make it really difficult for somebody to compromise you.
Got Sourcefire certifications and blah, blah, blah, all that stuff.
Been doing it for a while.
And one thing that I'm noticing, well, first of all, one of my specialties is definitely penetration testing for internal organizations that I work for.
And ironically, I like magic too, which is really cool.
One of the things that I've noticed here that seems to be trending, Gartner put out a study here a while back about bimodal application development.
And of course, everybody who's anybody is using agile type management to where they're creating code and just dumping it in.
And I'll tell you, I will put out study after study, report after report, looking for internal vulnerabilities, external vulnerabilities in company systems, and they're paying big money for that stuff.
However, what I find out is this newer trend, it seems newer to me, in taking and offshoring, especially web app code, and they're having this stuff done like by India and resources and whatnot.
And I find out that companies seem to be pretty lax about giving some company that they don't even know the people who are working there access directly into their systems to write, test, debug, and produce this code.
And then, of course, the company puts it in production and they're saying, okay, well, it's good and it's safe.
No, I completely agree with what you're saying, that you definitely should be concerned about where you're outsourcing your development.
But more importantly, no matter if it's India, China, or Indonesia, it doesn't matter as long as you're going through some processes that's actually going, you know, somebody, some team that's quite knowledgeable is going to actually analyze the code and look for potential security vulnerabilities in the code before it's actually deployed.
And what you just mentioned, that seemed to be a huge missing step in the process, that basically the web app is developed and deployed, and that's it.
But there needs to be some sort of security development lifecycle there of where any code, even updates to existing code, goes through some processes where that code is evaluated by security knowledgeable people to try to mitigate the chances that they're going to obviously introduce newer vulnerabilities.
I wanted to ask him, just today it was announced here in Phoenix that T-Mobile was hacked, about a million customers, all their information, everything about everybody.
I mean, they just could have used a neighbor's wireless access point, for example.
It really depends on the sophistication of the people doing it.
But then again, people make stupid mistakes.
Like apparently, I read in the news today that the CTO of Uber's, you know, their major, their competitor had hacked into Uber from his home, and they were able to trace back the IP address, which I thought was, I thought that was like pretty insane for somebody.
Rule number one, like a fight club, or rule number one of hacking is you never do it from home or work.
I guess rule number one of fight club, because you don't talk about fight club, but with the hacking, you know, if anyone is going to do this from work or home, that's pretty careless behavior.
So this guy who recently allegedly hacked into Uber has indeed done it from home.
My name is Stan, and I'm interested in knowing if he could tell me if Snort is effective in deterring any type of infection, or what would he recommend?
Well, Snort is good for, you know, basically Snort is like an intrusion detection system.
You know, it's essentially free, I believe, open source.
And it basically is a signature-based system.
So basically, if you're running Snort on a network, you could detect when any of the signatures that are currently being used are triggered as some sort of attack.
But that's not going to really problem.
unidentified
One problem is that I try to get information from all types of sources.
And say, for instance, like Geek Squad tells me that you have to go out and try to find the tech, and you're not going to be able to do that, they tell me.
Well, I can't walk you through how to... installing Snort is actually quite easy.
I mean, if you're running a Linux-based operating system, you could just, well, depending on which one, you could use apt, aptitude, or yum, right, to install it.
But then you have to configure it, and you have to configure the different rule sets to detect certain attack signatures that might end up being used over your network.
It hopefully will be out in under a year, and it's going to basically teach people that aren't so technically astute how to protect their communications, their email, their text messages, their voice calls, how to kind of get off the grid so your nosy neighbor, your significant other, your boss, your parents, or law enforcement or the NSA can't easily monitor your communications.