All Episodes
Dec. 16, 2018 - The Unexplained - Howard Hughes
01:04:13
Edition 374 - Gregg Housh

A return visit with reformed "hacker" Gregg Housh - We talk about online threats in 2018 and into 2019...

| Copy link to current segment

Time Text
Across the UK, across continental North America, and around the world on the internet, by webcast and by podcast, my name is Howard Hughes, and this is The Unexplained.
Well, we're very nearly at the end of 2018.
And as my grandmother used to say, and my parents as well, what happened to this year?
Just seems to have gone so fast, doesn't it?
And the nice thing is that at the moment, after days and days and days of grey skies, it is crispy cold, and there's a clear blue sky now that I'm looking at, and not even a jet plane in the air to interrupt the continuous view of the blue, as they say.
I'm rhyming today.
Thank you very much for all of your emails.
I want to address a couple of points before we get into the guest this time.
Greg Hausch, reformed hacker, looking back at 2018 in hacking and forward to what we might do and what we might experience in 2019.
But a couple of points.
Rebecca Roth, I knew would bring in a lot of email.
A lot of people saying really enjoyed that.
Thank you very much.
One listener describing it as dynamite.
One listener saying that they completely agreed with Rebecca Roth there was more to 9-11 than we were told.
And others saying, absolutely wrong that you have Rebecca Roth on this show.
And one listener, Ed, longtime listener, says that he's very, very annoyed at Rebecca Roth.
And I also think with me for putting that on.
Now, the only thing that I would say is that I think that by hearing different views, even if we really disagree with them, we learn.
And that's what I've always done in my life.
Okay, I've been a journalist for most of it, so that's been my job, kind of.
But I've always thought that some of the guests I used to hear on the Art Bell show that I used to think were ridiculous or stupid or completely ill-motivated, I still listened to them because I came out having learned something, or at least having my own views of the world reinforced.
If you don't listen to other people's views, then I think you wall yourself off to possible opportunities.
I understand what Ed was saying, but, you know, I don't think we can say that because I put somebody on my show, I necessarily agree with every word that they say, because that's not how this works.
The idea is to drill down into the views of the people who come on here, and sometimes I will be more successful at doing that than others.
I've never thought that I am God's gift to broadcasting.
Absolutely not.
I know that.
But that's why I do it.
One very poignant email that I got, and thank you very much to the person who sent this.
I won't give your name.
This person said that her partner was a firefighter at the Pentagon on 9-11 and found the remnants, the remains of bodies, people who had been on board the plane, and also things that indicated there was a plane, which some of the conspiracy theorists claim there was not.
Things like seat back covers and that sort of thing.
And I'm very grateful to you for adding that perspective to my understanding.
And thank you very, very much for telling me.
It must have been an horrendous experience.
I did meet a couple of the rescuers when I went to the first and second anniversaries of 9-11.
And I realized the incredible sacrifice and the great feats that they attained on that day trying to rescue people and bring them out of that alive.
So I totally understand.
So I hope that that kind of deals with that.
The last edition about the possessed or haunted house in West Wales brought in some people saying, I believe the guest, and other people saying, I don't believe the guest.
And I think that's how the emails boiled down on that one.
Please keep your emails coming, though.
They help me to plan and create shows here.
So you can always go to the website, theunexplained.tv, designed and created by Adam, my webmaster from Creative Hotspot in Liverpool.
And you can send me your views and thoughts and guest suggestions there by email.
And if you've made a donation recently through the website, thank you very much indeed.
Your donations, gratefully and vitally needed, gratefully received, vitally needed.
I think is what I'm trying to say here.
Let's get to the guest on this edition then.
And after a year when we've had some remarkable wide-scale and damaging hacks and security breaches reported, where exactly do we stand?
Well, I thought a good person to ask and bring back on the show on this topic is Boston-based Greg Hausch, reformed hacker.
As a young man, he went to prison for this and came out reformed and changed and now wants to help, as you will hear.
So let's talk about that now with past guest and returning guest, Greg Haus in Boston, USA.
Greg, thank you for coming back on my show.
Glad to be here.
How's Boston?
Cold.
Yes, but lovely.
When I was last there, they were working on the roads.
You know, that major road recreation project that they had that went on for years.
I'm guessing it's finished now.
You know, the big dig is basically done.
You know, they've called it done, but there's still lots of little bits of construction kind of all over the place.
But yeah, it's a major improvement.
Although, I mean, I had my most fun with the big dig, actually just kind of social engineering my way onto the construction sites and looking at all the stuff when I wasn't supposed to be there.
There was a lot to see.
When I was there, and admittedly, when I saw this, it was probably about 2005 or 2006.
So it was just at the beginning of this adventure.
But I was surprised at the way that they had ripped everything apart.
And you could look beneath to see the foundations.
And you could see old Boston, old Boston underneath there.
Yeah, you know, if you went through a lot of the dig sites, you know, before they actually got any more than just the structural stuff to keep the ceiling up in place, you could definitely see how they've built buildings on top of buildings on top of buildings.
And then, of course, there's always legal seafoods where you can get lobster.
How do they say it?
Labster from the harbor.
Yeah.
They've lost their R's here.
But I loved it, and I love the people.
Anyway, enough of the people, my listeners are going to be saying, what are you going on about?
We just wanted to establish where Greg is.
How's your life been then since we last spoke?
It's been all right.
I've had a lot of fun.
I've gotten into a lot of activism on the ground, a lot more outside, a lot less on the computer these days.
So you hear about all the major events here in America where the protests and rallies keep turning into brawls.
I've been at most of them and right in the center of it for the last few months.
And it's interesting.
Okay, well, it's all above my pay grade.
It's a level of politics that I'm not totally aware of over here, but I hear what you say.
Now, Greg, I'm going to talk about you.
Just to introduce you to listeners who may not have heard you either on my radio show or on the podcast that we did a few years back.
According to your biography, which you're going to tell me in a moment is all wrong, Greg Hausch, a sometimes member of the anonymous hacktivist group, founded a website called Rebel News, according to the Boston Globe.
And it talks about that site.
The Globe says about you, at 38, which you would have been when they wrote this, Greg Hausch insists that he's no longer the amoral mischief maker who used to pirate software just to feel an adrenaline rush.
In fact, he's become a popular authority on cybercrime since pleading guilty to conspiracy to violate copyright laws back in 2005.
I think from what I remember of you, what I've just said is substantially correct.
Yeah, yeah, that's not too far off.
I very much started off everything in the computer world as a criminal.
And, you know, in the mid-2000s, went to prison, reformed.
Surprisingly, the prison system doesn't usually help people reform too much over here, but it got me and came out and helped to start Anonymous and head off down the activist and kind of political career.
We used to read an awful lot about Anonymous over here, and they were seen as being people who countered some of the bad stuff online.
And, you know, they just appeared like the Lone Ranger and then sidled on out of town.
We don't read very much about them now.
Are they still around?
You know, it's an idea that anyone can use.
So, yes, you know, there's no real members, but it's just out there.
Anyone can stand up today and say they are anonymous and go do a thing and use the mask and the logo and the kind of ominous nature of our press releases we used to put out and everything.
So it still gets used.
Surprisingly, though, the largest community right now is in Brazil.
So you'll still see every day news coverage of stuff in Portuguese-Brazilian wearing the masks and whatnot.
And a lot less of it in places in Europe and a lot less of it in America these days.
But it's still getting used.
It's still out there.
And, you know, I think it's one of those things where every time I start getting asked these questions about, you know, is it still around?
Hasn't done anything for a while, suddenly it kind of rises back up and something huge happens.
So I always like getting these questions because it usually is a sign of something about to happen.
Really?
I've no idea of my role in history.
One of the things, though, that they were last reported doing, certainly here in Europe, was they were trying to hack into ISIS and their communications.
Yeah, and they did a lot.
They broke into a lot of ISIS systems.
I helped with some of the anti-ISIS stuff.
I mean, Anonymous felt somewhat responsible for ISIS's online presence and felt the need to do something about it because of that.
And what sorts of things, when you're dealing with a group like ISIS, and we all know what they have done and we don't know what they're going to do, because they too are an amorphous thing and you're not aware of them until they appear, what sorts of disruption are you able to effect?
How could if somebody was setting out to hack their systems, find out what they were saying, find out what they were about to do and stop them doing it, how do you, without going into technical details, what's the principle of doing it?
How do you do it?
Well, you know, you, I mean, for the ISIS stuff specifically, people made fake accounts and slowly built them up in those areas where ISIS might appear.
So when they got there, it would look like these people were from that area and then started talking like they were and started interacting with actual ISIS agents online and, you know, doing what we consider social engineering, you know, not a technical hack, but using all of our technical ability to really make someone look like they're there and then interacting with them to extract information.
So that was one of the big plays.
But, you know, ISIS and Anonymous have a much stranger connection through a person called Juniid Hussein, who's actually from London.
He is, or what was, a Muslim man from London who was a hacker.
And he kind of grew up around Anonymous and around other hacker groups.
This one called Team Poison was the one that he associated with online.
But there's videos of him, like, you know, even on YouTube rapping a cool rap he had made about Anonymous in like 2008.
And when he was in his late teens there, he decided to flee Europe for ISIS, went down there, and they didn't have an internet presence or remote recruiting or anything until he showed up.
He joined ISIS and taught them how to hack, taught them how to manage thousands of Twitter accounts and Facebook accounts at once, taught them how to utilize the internet to recruit remotely.
So a lot of the recruitment you saw where kids in other nations were crossing the border and going to ISIS was all a juniid's work.
And Anonymous and other hacktists really felt like they had helped to create this person.
And now he was down there doing that with our knowledge.
And in the end, a bunch of hackers got together and worked with the U.S. government to successfully identify his exact location at an exact time.
And by that point, he was number three on the U.S.'s international kill list of there's no catching this person.
Kill him as fast as you can.
Most countries have some kind of a list like that at their higher intelligence levels.
And he Was number three when he got identified, funny enough, at a party at DEF CON, the big hacker conference in Vegas, is where they actually identified his exact location.
And a drone strike hit him and took him out.
And so there's a very weird connection between the hacktivists and ISIS at that point.
And it really felt like we needed to go do something about it.
And so that's when all the hacktivists really started fighting back against ISIS.
Of course, this does not come without risk.
That means that the people involved in this, even though they are, you know, the name says it, they're anonymous, it nevertheless makes them marked men and women.
If anybody ever finds out from the other side who those people were, they're in danger, aren't they?
They are.
I mean, it depends a lot on location, on ability, on how big of a target they are.
There are a few people in the movement that if they were identified, have been really the strongest, most outspoken people against ISIS online and really the organizational types who have been able to pull together a lot of the manpower that has been being used against them.
So I'm sure if ISIS found them, they'd, you know, probably not survive.
But for the most part, you know, ISIS is feeling a little penned in and a little too much pressure from actual guns on the ground to really be focusing on the internet anymore.
And most of their internet kind of savvy team who really, really understood how to do all that type of work died in that drone strike.
So that really did curtail their abilities to find these people.
I mean, it is a dark and scary place, you know, for most of us who live our suburban lives.
Thinking about this is chilling and it's worrying.
You're more aware of it all than I am, but, you know, it's clearly very real to you.
To me, it almost seems like something from a John Le Carre novel, but I know it's real and the consequences are all too obvious.
What I wanted to talk with you about, really, as part of catching up with you, Greg, is where we're at in 2018.
Because your story is somebody who is effectively a reformed hacker.
I can't think of a better way of putting that.
If there's a better phrase, then please give it to me.
You know, you're using the skills that you learned, hacking, for good.
And I don't have those skills and most people don't.
So we need this.
Because the nature and scale of the threat, it seems to me, to everything that we do, which is increasingly becoming centralized to being online, everything, the nature and scale of that threat in 2018 has ramped up a great deal.
I was looking at some of the major hacks of this last year, and there'd be more than this, and I'm sure you'll tell me about them.
But look, last year, 2017, our National Health Service, you talked with me on the radio about this, suffered from a hack, from an attack, a cyber attack, and had very serious problems.
This year, June, an organization called Dixon's Carphone, they effectively sell cell phones, one of the biggest suppliers, if not the biggest in the country, they were hit by a cyber attack that left millions of customers' details exposed.
September, there was British Airways.
They had to launch an urgent investigation, and they told the police after hundreds of thousands of customers' personal and financial details went.
I'm reading something from a paper here.
I think it was the Daily Telegraph.
The early airline said the hack continued for about two weeks between August 21 and September 5th.
380,000 payments compromised.
They said stolen information did not include travel or passport details, thankfully.
Most recently, we had the Marriott Starwood Division hack, which was of an enormous scale, and so it goes on.
So I don't think I'd be wrong in saying that 2018 was a year in which the hackers were in danger of winning versus the good guys.
No, you're not wrong at all.
I think the one thing that we kind of have to notice here is that it's not that these hacks are new.
It's that they're finally getting caught.
They're finally getting reported.
Laws are finally being passed making companies responsible to actually tell their customers, their clients, that this has happened.
All the way up through the 90s and the early 2000s, if a company got hacked like this, they would just hide it.
They wouldn't tell anyone.
They didn't want the legal exposure that it gives them.
And honestly, the calculations about how much actual exposure is there is really different.
So what we have now is the calculation has changed.
Now it's going to cost them more if it comes out later if they hadn't told anyone.
And so we're just kind of learning about it.
The Starwood one is interesting, the Marriott one, because they were actually hacked before Marriott bought them.
And now they're part of Marriott, which brought in a lot more hotel brands.
And I'm wondering what the fallout will be in terms of the purchase of Starwood.
Like, does some of that money return back to the people who bought Startwood now knowing that they bought a compromised company?
I think it is an astonishing story, isn't it?
It's a fair way to look at it, but that's a thing.
It is an astonishing story because one of the things I immediately thought was, well, if they'd been through this acquisition process, surely, at least at that point, this would have been picked up.
But what I'm being told is that once a hacker gets in, this is the way it works, apparently, these days, once a hacker gets in, if you don't spot them at the point they get in, they will cover their tracks.
So they become, as time goes by, and this went on for a long period, as time goes by, they're going to be harder, not easier to find.
They are, but at the same time, we have a lot of new technologies that exist to figure this stuff out.
The one thing that I think is finally starting to happen that is the most important subject in terms of security of big companies these days is lateral movement.
You're never going to stop the hackers getting into the network.
They're going to get in.
I mean, it's just the state of security currently today is you can block 99.9% of them, but that one or two who are really good hackers, if you've got data that's valuable, they're going to get in.
You have to put up with that.
So, if you can put up with that, if you can say, I believe that, then the next thing that you need to do is work about: well, if they get in, wherever they got in should be the only place they get in.
Such as you're working at, you know, a giant corporation.
Let's say you're at the BBC, right?
And you bring in your laptop, which is hacked.
Well, by putting that laptop on their network, I, as the hacker who currently own your computer, shouldn't be able to then move out onto the greater BBC network and start moving around.
That's called lateral movement.
And it's been ignored for a long time because people really just focused on the external aspects, stopping the hacker from getting into the network in the first place, right?
And there's a lot of new software in this space, Darktrace, Carbon.
There's lots of good tools in the space to work on that now.
And I think that's where the focus has to be.
But there are two aspects in this.
The companies have to be savvy and know that these things are available and be willing to implement them.
And also they've got to be willing to spend the money.
I get the impression, and maybe I'm completely wrong, that some companies do a sort of cost-benefit analysis to these things.
They will allow for a certain amount of loss because the cost of preventing the particular issues that might cost them that money is higher.
In other words, they do a trade-off.
They'll accept a certain amount of it, know that they'll have to pay out, and know it'll do them some reputational damage.
We're not talking about any specific company here, but just in general.
And it's only an impression, and I might be wrong, that they allow for a certain amount of loss, so they don't always invest in what is state-of-the-art.
You're 100% right.
I mean, if you don't mind, I will name a company and give a small scenario.
So as long as they're not going to sue.
I don't think they would.
But Sony, you know, got hacked a few times.
And, you know, first their PlayStation network went down, and then there was the Sony Entertainment hack where all their emails were dumped on the internet, which led to a lot of problems for them.
In both scenarios, both groups had actually interviewed with security people and gotten quotes for the types of solutions that would have made this much harder on the hackers, possibly even stopped the hackers that did it.
Having had conversations with the hackers that did it, I'm pretty positive some of this would have stopped them.
But the lawyers for those companies did the calculation of we think we're going to be hit for this much in damages if we do get hacked, and you're charging us this much for the security, and the damages is lower than that, so we're not paying it.
They were wrong in both cases, and the damages were far higher, and they should have paid for the security.
This all harks back to things that I will remember when I was a little boy, and maybe you might go back that far too.
When you get car companies who would keep things quiet, you know, flaws perhaps with the vehicle, because it was cheaper to maybe have a few claims against them than to wholesale recall the whole fleet of cars.
I mean, this is in an era before we had the sort of legislation we have now.
You know, cheaper than recalling all the cars and having to admit to it and fix everything.
You know, just accept that you're going to get a few claims and pay them.
Yeah, absolutely.
It's literally the exact same thing.
It's just corporations looking at the bottom line and not looking at the actual real damage being done.
And again, we have to be very careful about naming names here.
And I know you get to hear things, but we can talk around the subject.
Anecdotally here, I'm getting the impression that more and more people are losing sums from their bank accounts.
And the banks, you phone them up and you tell them about it.
And, you know, it's just, it's another day at the office.
It's, yeah, we know this happens.
I know somebody, you know, in my own circle who lost recently £7,000 in dollars.
With the state of the pound these days, that's almost $7,000.
But I think it's about $9,000 or so now, maybe, maybe 10.
That's a lot of money to lose.
I'm hearing these stories all the time.
So I'm thinking that the banks, even the banks who we trust with all of our money, are vulnerable now in a way perhaps that they were not 10 years ago.
You know, you're right in one respect, but I mean, I don't think it's their security.
You know, they have the best security of pretty much any group out there, but they are insured.
So, you know, they have that aspect of not caring as much as I think they should because the insurance helps.
But what actually is going on is there are entire countries who aren't prosecuting people for doing this type of crime because they actually like all of that money entering their local economy.
And so they're sort of looking the other way.
Some of them are non-extradition countries.
A good example is Moldova.
It does so much work in and out of Russia and Europe, being a former Soviet nation there, that it's non-extradition to America.
They aren't in a treaty with us.
So a lot of hackers are there right now doing a lot of financial crime.
And the state itself is not doing anything about it because they honestly need all that money coming into their country.
But I would presume all of these countries, though, all of these non-extradition countries, they're the sorts of places that need international support, whether it's educational support, financial support.
You know, they need the European Union to give them some bucks, America to step in and give them some expertise.
So, you know, there is a certain amount of leverage that we could use if we wanted to.
They just aren't yet.
They haven't done anything about it yet.
The system is, it's really interesting how they get away with all this, too.
It's all in bulk.
So they don't usually target any one individual.
Let's say they pack one big company and they get a list of a million credit cards, right?
They're not looking through those one at a time.
They'll take some other company that they packed and they'll take the merchant account, which is how you do things with a credit card.
You run it through a merchant account.
You either charge it or you check its balances or any of the other fun stuff.
And they'll run it through a stolen merchant account, which will get that merchant account destroyed.
It'll be disabled within a day.
But what they'll do is they'll check them all and they'll try and do $10,000.
Any of them that don't do $10,000, they just delete.
They take all the ones that would take a $10,000 charge, they send them off to one of their Russian friends over in Moldova, and then they run it through a completely different set of stolen merchant accounts.
And then they empty those bank accounts because they broke into that company's financial officer's computer and took the passwords to get into their bank.
And they wire transfer it out the next day.
And since they're just doing this in bulk and it's all automated, they're just feeding the data through the system.
They don't care about any one person and they're getting away with millions daily.
It's a very well, you can even rent these now where you can take your list and give it to them and they'll take 25% to feed it through their network of all of that stuff I just described.
How terrible and how frightening.
There is a great fear that some people have over here, I think including me, that we're about to see a firestorm of people paying the financial price of hacking.
Because there have been a number of high-profile hacks and others that perhaps we don't know about.
The way that this is supposed to work in the criminal fraternity is that these days what they do is they put together a patchwork of information.
So one hack may not get all the details on Greg Hausch or whoever.
I'm sure you've got so many firewalls around you that nobody will get anything out of you.
But, you know, one hack gets one lot of details and on their own, they're no good.
But another hack and another intrusion will get a few more details.
You put those together and suddenly you have a kit of parts that can be used for nefarious purposes, getting loans or worse, you know, all sorts of things that go on.
We read about it all the time.
And with the scale of hacking that has been going on, I suspect and I fear that we're going to see an absolute firestorm of this quite soon, perhaps in 2019.
Yeah, you know, what's really interesting is people have been fighting against corporations who gather that amount of data on you for years.
And there's these marketing firms you can go to and just give an identity and they'll give you everything.
You know, if I have your phone number and part of your home address, they'll give me the rest of your home address, your job and your salary and 50 other things because their databases are so complete on every human being, right?
Well, with all of these big hacks that the hacking groups, especially in a lot of the former Soviet republics, have built a database like that that they rent access to other hackers too.
And every time a giant exploit happens where millions more people's data comes out, they bring it in there, match it up with those other records and attach it as more detail.
And in the same way a U.S. company might buy a marketing list, a hacker can buy a list out of them.
And we have to accept that most people, maybe not most people, but an awful lot of people in the world are on those lists.
Yeah.
I mean, you know, you can download, there's a compilation called Breach Comp, and it's someone who's taken as many of these as he could get his hands on through going through a lot of forums, foreign forums, and everything, and finding them all.
And he's put together a list of just email address and password for everyone that's ever been in one of these breaches.
And it's got 1.7 billion people's email address and at least at one time what the password was to log into that email.
Of course, most of us write a bit for it.
You know, most of us have had another year of changing passwords at regular intervals.
And most people I know are savvy enough to do that.
But I still know people who use obvious passwords and haven't changed them in years.
Yeah, there's still a top 20 list and it hasn't changed much in 20 years.
I love you, password, one, two, three, four, five, six.
I mean, these passwords are used by so many people.
If you look at the breaches, out of every million, there's 500,000 at least that are using one of five passwords.
Do you think that the internet as we know it, and it's a question that I've asked lots of times of lots of people, is going to become untenable?
Tim Berners-Lee created a great thing, but it's coming back to bite us on the backside now, and it's becoming uncontrollable, it seems to me.
Are we going to get to the stage where we're going to have to invent internet too?
Something more secure, something where we go back to basics and start again?
You know, I mean, the problem isn't the technology.
The problem is the human beings.
I've had to help my mom out of the fact that she clicked on the wrong link and when it came up, sure looked like her bank and she typed in her details that she should not have.
You know, the problem isn't the technology.
It's that we're humans, that, you know, so many people don't understand what they're looking at on their screen that they are the ones giving up the information.
More money is taken out of people's accounts through phishing than it is through direct tax right now.
So, I mean, to build out an internet that doesn't have these problems would kind of require an amount of education of the public that I don't think they'll take.
You don't think they'll take?
In other words, even if we were to put education programs out there, and that's what I was just about to say to you, well, this is all down to education.
Even if we did that, if we spent millions of dollars educating people, the people wouldn't be willing to spend the time to learn what they have to learn.
You know, if you ask anyone in marketing what the biggest problem with any new product is, it's always the same answer, education.
If your product requires education, you don't have a market.
And so I think it's similar here.
I've tried to lead people to simple tutorials, simple explanations to solve some of their issues, to teach them.
And it's, you know, one out of 10 might actually do it.
And the rest get bored and walk away and say it isn't a big enough problem.
The other thing that it's doing is it's making us an untrusting society.
You know, I don't, if I get phone calls here on my landline, I just don't trust anybody, whoever they say they're from, even if they say they're from a company that I deal with, I don't trust them because, you know, like most people in this country, I went through a spate of getting calls from people saying, I am your internet provider.
And I had one of them about a year or two years ago call and say, this is an urgent call from your internet provider.
There's been a security breach.
I said, okay, who is my internet provider?
And he said, well, he said, well, I am your internet provider.
I said, which company then am I with?
And I forced him to say one company that I'm not with.
And I said, I'm not with them.
Thank you very much.
Have a nice day.
Goodbye.
And I've had a few conversations like that.
So now, other than friends that I know who are calling for social purposes, I don't take calls.
That's the way we're at now.
That's where we are.
Yeah, it really is.
I mean, I think putting people on their guard is honestly better for us.
I mean, let's talk about it at a higher level.
As a species, I think actually watching your back and making sure that you're not getting taken advantage of is something that we should always be doing.
You know, always be on your game.
So maybe it's helping a little.
Who's going to fight for us then?
The ordinary poor people who don't understand nearly enough.
And these days, a lot of us are overworked and underpaid.
We just don't have time.
For all the things that we're supposed to be doing, a lot of us don't have time to be doing those things.
So I can understand why some people don't get themselves educated and they don't have the savvy and they don't have the smarts to do it because they're busy.
You know, they're trying to live their way through this life.
Who's going to be there?
Who's got our back, Greg?
Well, obviously, you know, there are those hackers out there trying to fight the good fight on this stuff.
There's lots of interesting people, you know, taking up where government has left off.
I think of someone like Troy Hunt.
He runs a website named Have I Been Pwned?
And this website, he gets access to all of the big breaches that happen a lot of times before the company even knows it's happened.
And he provides a service of letting you know that you've been in one of these breaches for free.
Just goodness of his heart.
He's trying to, you know, get this information out there and trying to help people.
And I've gotten like three of his notifications just this year that I was in some company's hack.
The Marriott one actually got me as I travel a lot.
And I think it's going to be down to people like him, people like a lot of the people who came out of Anonymous with this mindset that where the government isn't doing something, it's on us to do it.
I think that's going to be where it lands, you know.
And if people, of course, can find ways to monetize that, all the better.
But for them, you know, I'm for that simply because I think, you know, to keep those types of services running at any scale necessary takes money.
You know, I think Troy does need to find a way to better monetize what he's doing.
But that's only because I want it to stay around, not because I, you know, love to see him get rich, right?
Yeah, no.
You could be talking about my podcast.
It's a debate that I have with listeners all the time.
I get people emailing me saying, why don't you monetize that thing?
And, you know, I had a dream that I, I had a dream.
I had a dream that I wanted to make something that was for all the people.
But that comes with a financial consequence.
And, you know, the financial consequence is that basically I am poor.
So it's something that even in the sphere that you're in, people are having to face.
Look, give me a profile, if you know it now, of your average hacker, because I suspect that person is a different person that he or she may have been 10 years ago.
You know, I suspect that there are different kinds of people doing this now.
Yeah.
I mean, you look back in the late 90s, early 2000s even, and there were very few people you would call a hacker using kind of today's definition of the word that were doing anything good.
Slowly over time, you ran into groups in Germany, surprisingly, who were really strong on the idea of using hacking for forms of protest, but that lasted all of about a year and disappeared.
At that point, it was a lot, you know, the younger male just learning to use the computer good.
Most of them still living at home.
You know, the stereotype did come from somewhere, right?
And, you know, these days, it's anyone.
I mean, the last kind of meetup event where I met a bunch of hackers I knew was representative of nearly every race I could name, religious, you know, people, atheists, male, female, the mix was really good, near 50-50.
You know, you never know at this point.
Probably one of the best hackers I know is this 19-year-old Japanese girl who just moved to Boston a couple years ago, and she is surprisingly good, you know.
And when you look at her out on town and whatnot, she's very much like a fashionista type.
So she really dresses well.
You look at her, it's not what you're going to expect.
You won't expect her to be going home and, you know, firing up the computer and doing better than anyone I've ever seen, you know?
When you said you went to a hackers convention, are these people on the good side, all of them?
All of them, no, but a fair amount of them.
When you go to DEF CON, you go to Hope, you're going to find a lot of people working for good, for the greater good, at least what they believe it to be.
And I think that's important for the future.
And I think the groups like Anonymous and the other groups that happened in the late 2000s and into the early 2010s there really did a good job of getting a lot of young people to think along the lines of my computer skills can be used for good instead of my computer skills might get me a programming job down the line.
And I think it was really important to kind of infect an entire generation of kids with that idea.
So some of this is down to education, but education in a different way.
We need to almost be telling the young, bright beneficiaries of this technology.
And I know people who've done incredibly well out of it.
And I wish that that had been me.
But I was maybe a little too soon.
I was a generation before that.
So I found another way to do things.
And I'm running in their footsteps now.
But we need to be educating young people coming up.
And maybe we need to be making corporations that deploy this kind of technology more socially responsible so that everybody takes on board the fact that the responsibility for trying to stop and head off this stuff is down to all of us.
It really is.
Again, I mean, the easiest hacks today are, like you said, even ones done on the telephone.
They are social hacks.
They are simply done by talking to people.
So education is the strongest thing we have to offer.
And somehow finding a way to make this type of education something that people will actually pay attention to, whoever wins that wins.
I mean, that's really whoever solves that problem is my new hero.
Companies, when they get hacked, deploy their PR machine and their press officers who get paid a lot of money to do this and to feel the flack and to use forms of words that will make it seem not quite as bad as it might be.
Do you fear, because of the scale of hacking that we've seen in 2018 and the big celebrated cases, the notable cases that we've seen, that in 2019 and without naming any particular companies, we might see something really huge on a scale that, I mean, the ones that we've seen this year have been pretty breathtaking, but on a scale that would absolutely root people to the spot.
In other words, is there a big one coming down the track?
You know, that's tough because some of those companies, I mean, so we saw Facebook had been hacked for a few years and they knew about it and didn't tell anyone out of fear what it would do and some kind of arrogance, you know, that led them to believe they could actually cover it up.
We learned about that this year.
I think what we're going to learn about is more companies having done that, that specific calculation of I think we can hide this one.
Who knows how big they are?
I mean, some of the better targets aren't actually that large.
You know, a lot of times the hacks are monetary in nature.
So they're going to go after the richer, more luxurious types of organizations.
And those don't have 100 million people buying their products.
Those have a million people buying those products.
But that million people are rich, are influential.
And I think we're going to start hearing more about those.
Right.
So even this kind of crime is going up market.
It really is.
Yeah.
Wow.
Let's flip the coin and talk about cyber warfare.
And that's cyber warfare perhaps waged by governments.
And I suspect they all do it.
The big ones certainly do it.
And also criminal and terrorist organizations.
You know, the idea that you don't have to invest in missiles anymore and submarines and that kind of thing.
You can simply aim to take down the power supply for a country.
Yeah.
You don't have to invest in those anyways.
I mean, at least the design of them anymore.
You just have to hack a U.S. company and steal our currently classified designs and then use those to build your own.
I mean, that's what China's been doing for decades.
Well, they used to say when I studied China, and I have a great interest in China.
I think it's a remarkable country.
But when I was learning about China, we used to be taught about how they would buy a tractor, you know, from the West, from one of the big companies in America or the UK, and, you know, carefully unpick the design, see how it worked, and then come out with their own.
Yeah.
And at this point, instead of that, they're literally downloading the CAD drawings and the programming code for all of our high-level military industrial complex products just straight from their servers.
I came across a server in China in 2009 that was full of folders that were literally named Northrop Drummond, Lockheed, Raytheon.
And inside of them were files that were no more than a month old and were all classified projects.
And I did what I thought at the time was the right thing.
And we've definitely had arguments in the kind of hacker scene because, you know, a lot of people are of the mindset of never talk to the cops.
But I sent in that server's login credentials as a tip to the CIA and said, you might want to go get these files off of that server.
And did they go from there?
The server was down an hour after I sent that in, so I'm guessing.
Right.
So maybe it's going to become like mutually assured destruction.
You know, the old nuclear deterrent theory that still persists today, the fact that you've got 17 missiles that can take out cities of 20 million people, but so is your opponent.
So neither of you is going to use them.
If government X has the capacity to take down the power grid or the water supply of one country, but so does government Y, then it's pretty safe to assume that neither will use that ultimate sanction against the other.
I, you know, I really wish it was safe to assume that.
But you're right that those technologies exist, that the hacking talents exist to do that, and that governments have been taking people with those skills and building teams capable of doing it.
Whether they understand the full capability of the other countries to do the same back to them is where I fear we're still a little off.
Our government, I think, honestly still is under the assumption that it's not as bad as it looks.
And that's just not true.
There are foreign governments right now that could turn off most of our power grid and initiate shutdowns of nuclear plants.
I had a friend who, I mean, a former friend, he's currently in prison, who was arrested and he was found to have had access to almost every nuclear facility, a nuclear power plant in America.
He was just some kid at home playing around looking at their networks for fun, but he had complete access to them.
And if some kid with no budget just playing around in a basement can pull that off, imagine what a fully funded North Korean or Chinese or Russian group is going to have access to.
I mean, they've obviously got better access than he did.
So if you're saying there are states, and perhaps some of those states are not the big states, they may be the rogue states as we call them, have this kind of capacity.
Why have we not seen this used?
I'm not saying that we want to see it used, but why has it not been deployed already?
It's all about showing your hand.
In the hacking world, if I use a specific attack against you and you might not be protected against that attack, but you might be protected in a different way where you capture the attack, where you see how I did it.
you don't want to give that up.
Imagine if flying your brand new jet, like the Joint Strike Fighter over Chinese airspace, also somehow gave them the blueprint to it.
You wouldn't want to fly it over there until you had to fly it over there, right?
In a lot of hacks, just by doing it, you've shown how to do it.
So once deployed, it's no longer useful to you.
You've lost the ability to do that in the future because the other side will patch against it and will possibly be able to use it against you very quickly because maybe your hacking team has access to it, but your infrastructure team didn't know they could do that because different confidentiality reasons, need to know reasons.
And so you used it against us.
Oh, let's see if it works on you.
And the next day, all of yours is attacked too.
So the second that you use one of these types of hacks, the other government not only has the ability to fix it, but they also have the ability to use it on other people now that you've shown them its possibilities.
And so I think when it gets used, when one of these really gets used, it's going to be one of those big moments where it's on, where war has been declared.
I mean, I suspect that if Saddam Hussein had had access to this kind of thing, and it was all in its infancy then when he was around, he'd have used it.
Oh, probably.
And then we'd have had to do something about it.
But up to now, we haven't seen this particular chess game played out for the reasons that you've just explained.
Yeah.
No one wants to show their hand.
Boy.
Okay, public information bit now then.
Let's try and do a bit of good.
For your average Joe, who's got a job, works hard, has a bank account, has a mortgage, what's the best way or what are the best ways to protect yourself from being a victim?
I mean, the best way is obviously to use secure passwords that never get reused, only one at a time per site.
And, you know, human beings aren't going to be able to do that on their own.
So I recommend using a tool like OnePassword or LastPass or TPass.
These will integrate on your computer, on your phones with a way where they generate secure passwords and then they also fill them out for you using biometric data.
You know, like on my phone, I have one where I just have to give it my thumb and it puts in the secure password.
But it's such a big, long, complicated password that it's going to be hard for them to crack if they get a downloaded, you know, data set from some company.
It's going to be hard for anyone to remember.
It's just, you have to secure your passwords as step one.
And being humans, you're not going to remember the 5,000 passwords you need to remember.
So you need software to help with that.
And I would say that's step one.
Step one is using one of those tools.
There's a bit of a battle going on, I think.
And it's not just a generational thing.
There are people who will not do, for example, online banking because they don't trust it.
So the industry has got a job on its hands.
It's got to convince those people that it's safe.
But in the meantime, the hackers are getting smarter and showing that maybe it's not all that safe.
It's a hard game that's being played out there.
It really is.
I mean, when I hear that from people who tell me they don't, the first thing I do is I'll show them YouTube videos of skimmers.
The little things you can put on the front of an ATM that makes the ATM look normal.
You can't tell it's there, but when you slide your card in, it's reading it and sending it to the hackers.
It doesn't just happen online anymore.
Hackers are all out there in the real world and hiding from the online implementations of this stuff isn't going to make you any safer.
And police and security agencies have terrorism to deal with and all sorts of other threats.
And the explosion in crime, we've had an explosion in knife crime in London this year.
The police are stretched as it is.
So to expect the police, who have people who specialize in this sort of thing, to step up and ramp it up, society's not going to be willing or able to pay for that.
It's a real problem.
I mean, a lot of it comes down to budgets, right?
You know, if you want them to be able to actually help here, they're going to need to be able to hire people.
We run into an interesting side point there, though, that if you go to conferences like, say, DEF CON or Hope, the best hackers I know would never take a government job.
And that leads to a serious talent problem.
You know, that the hacker that taught themselves, the one that grew up on a computer and was playing with this stuff and breaking into systems by the time they were 13, is always going to be a better hacker than the guy who decided at 18 he wanted a job, went to college, did his four years to learn, you know, in air quotes, computer security, and now works for the government.
The kid who learned on his own is the one who had the passion, the knowledge, the drive.
That kid's going to always be the better hacker.
And I don't know many of those kids who would take a government job.
So they need to solve that too.
How do you begin to do that?
I suppose you've got to start recruiting people, which I thought they were.
You've got to start recruiting people at universities.
Sure.
I mean, you know, the bigger problem is down to government actions.
I mean, the reason a lot of these people won't take those jobs is they don't agree with, you know, how the government does many things.
So you look at like the Black Lives Matter movement right here in America, you know, and the problems with police overly, you know, in terms of the numbers and the metrics, shooting people of color and, you know, and the over-imprisonment of people of color compared to, say, white people.
And that right there is an example of something that, you know, the hacker scene really doesn't like.
And so you're not going to get them to go work for these cops because they don't agree with half of what the police are out there doing.
While they believe we need police forces, they don't believe for a minute that I should go help these people do all the bad things that I think they're doing.
whoever they are and wherever they're from, and do the right thing.
So maybe that's not entirely fair to, but how would I persuade the hackers to think this way?
You know, maybe that's not an entirely fair view for them to have.
This is where you lose them, though, because while I agree with that, and I believe most of them do, the problem over here is down to the whole Blue Lives issue, where there might be one bad apple at a police station who's doing the worst of the worst things that we don't like, but none of the other cops are speaking out against him.
He's not getting prosecuted.
He's not seeing jail time for the laws he's breaking.
If police would police police the same way they police the public, that would solve a lot of that problem.
Well, I know that what you just said is going to be controversial, but I'll let you feel the emails on that one because there are all kinds of views.
And I get people, if I get into anything that is remotely political in the United States, and I'm here in the UK, I get people saying to me, you know, you've got no right to be going into these areas.
There are areas.
So, you know, let's talk technology.
That's what we're here to do right now.
But it's a difficult situation if you cannot recruit the most skillful, let's use that word, hackers, to work on the side of the good guys.
What the hell are you going to do?
I mean, at that point, you have to do what they've done.
You know, down at West Point, you know, which you'll know is one of our big training facilities for the military here in America, they've actually set up a cybersecurity division there that is training them as young recruits on what we need.
Finally, I think they're 20 years too late to get started, but at least they started.
Right.
So we're going into a world, we're in a world already, let's not kid ourselves, where big corporations have way too much information on us, bad guys have way too much information on us, and governments have way too much information on us.
Those three things make me feel really uneasy.
They should.
And who knows if we've passed a point of no return on that for the people whose information is already out there.
I would say if you want to look at an interesting project coming at some of these problems, you mentioned them earlier, but Tim Berners-Lee, the inventor of the World Wide Web, for all intents and purposes, has started a new project called Solid.
And the goal of SOLID is to reinvent the web in a system where you own your data and there's programmed in from the beginning a privacy layer that would stop a lot of what's been upsetting everyone.
And you can actually see it at solid.mit.edu, where he talks about it.
And it's a really interesting thing.
There's a huge team of developers.
GitHub's already up and running.
There's some test environments.
I talked about it on my radio show.
It's very hard to get people to talk about this.
I didn't realize it was so advanced.
Yeah, it's, you know, it's an interesting idea.
Other people have had ideas like this before, and they haven't gone that far, but other people weren't Tim Berners-Lee.
So I want to see where this goes.
Yeah, because the way that it was being reported here, and I don't think the papers and the media did nearly enough about this at the time.
And the story came in the news cycle about a month ago, and then it went away.
It might reappear if something else happens about this, but we need to be talking more about this.
It was portrayed as a kind of people's internet.
Yeah, I mean, the idea being that you own yourself.
It's much, very much like people's movements where, you know, individual liberty is very important.
And it's a modular design.
It's built in a way where you give permission for anyone that has access to any real data about you at every time.
And it just, it hands control back to the people.
So it'll be really interesting to see if they can pull this off, both programmatically and at any scale that people actually want to use.
But rather like the mythical car that runs on water or fresh air, isn't somebody going to, who's making money out of the system as it is now going to want to, you know, going to be very happy if that gets stopped somehow?
Of course.
You know, the entrenched powers that be are the powers that be because the current system is working for them.
So they're never going to like any kind of revolutionary change in this space.
But you've got to find the people who already have theirs and have changed their mind.
And there are a few people at that state in life where they're sitting there as multi-millionaires and billionaires who are now trying to do good with what they have.
And hopefully there's enough of them to fight back.
You've got a long hacking track record.
When you were on the other side, you went to jail for it.
We talked about that in our last conversation.
The stuff that we've been talking about just at the end of our conversation now, Greg, does any of it scare you?
Do you lose sleep over any of it?
No.
I've sort of resigned myself to living in a world where all those problems exist, and I just accept it at this point.
That's a very depressing view, though, isn't it?
That really we're spiraling into a situation that there is a possibility, unless Tim Berners-Lee comes up with this new more secure people's internet, and let's hope he does, we're heading into a future that we just can't control.
I mean, at that point, you know, there's all kinds of reasons to feel sort of despondent about it.
I mean, when I talked earlier about the real problem being educational in the security space for the general public and the general public not paying attention, that more speaks to human nature and the human condition being the problem itself.
And so that's sort of upsetting too.
I mean, there's a hundred reasons to be upset here about the current state of things, but there's such large problems that we really do need large solutions.
And hopefully Tim has something here.
We'll see.
I think it's going to take years for it to actually get off the ground, though.
Okay, this can be my last question then.
When there's a big hack on a corporation, with the state of hacking and hacking on the good side knowledge that exists now, how quick and easy is it, if it is quick and easy, to be able to trace back the people who did it?
That is entirely down to how good that hacker was.
As I always like to say, I wasn't actually caught for what I was doing.
I was caught by a snitch, a human being telling them who I was, right?
It's quite easy to hide online if you know what you're doing.
It's, you know, not allowing laziness to trip you up.
And that's most people get caught through sheer laziness.
And look at Ross Ulbricht from the Silk Road, the underground marketplace.
He was initially identified by an old Gmail address that he decided to reuse.
He could have taken 20 minutes and made a new Gmail address, but he didn't.
And that level of laziness right there, that type of action is what usually gets a hacker caught, not any skill set on the side of the people looking for them.
So it goes back to a very old-fashioned and human thing then.
In the days of bank robbers, bank robbers would become very successful.
But in the end, they get caught because they go to a gas station and buy a pair of gloves and be on CCTV or be recognized by the person behind the counter in the days before CCTV.
In other words, even in this day and age, such people will always make a mistake.
Yeah, I mean, the biggest thing right now is, you know, bragging, right?
I mean, you want to tell someone what you've done, and that's just another piece of human nature.
And yeah, that gets people caught more than anything else at this point.
When you were doing what you were doing, did you brag about it?
You were young.
No.
No, I was enjoying it too much to really care what other people thought about it.
But I mean, I was playing a little different game.
You know, I was doing it for the adrenaline, for the rush, for the fun of it.
It was enough for me.
Wow.
I know people who I regard as being incredibly computer and internet savvy.
And they tell me, and some of these people are like in their mid-20s, that there's, you know, the young guys know much more than they know.
This knowledge resides still in the very young, doesn't it?
It does.
You know, education is always easier at a younger age.
Look at people learning languages.
If you can start teaching a child at two, three different languages, they're going to pick it up a lot easier than a 40-year-old trying to learn three different languages, right?
So it's easier to take in, to understand, and to kind of build your life around at a younger age.
And the information itself has become so much more democratized.
You can learn a lot of the basic computer security and hacking skills on YouTube at this point.
Something you couldn't do when I was trying to get into it in the late 80s, early 90s.
You had to make personal friends of local hackers who took years to convince you weren't someone trying to get them in trouble before they would even tell you they had skill sets.
Now you can go on YouTube and learn half of it in one day.
Do you think the big monolithic corporations, without having a go at any of them specifically, but who are making vast, ridiculous, eye-watering sums of money out of their businesses, need to be investing some of those profits instead of paying themselves huge fat salaries and arguably not paying enough tax in various countries and employing smart lawyers to make sure that they don't have to.
Do you think that they should have more social responsibility and use some of this money to help the fight to keep things secure for us?
I think that'd be really interesting.
We've got groups like code.org, right?
And that's kind of a conglomeration of a few of those large companies you're mentioning there coming together to help teach programming in a more accessible, easy way.
For them, that's a way to continue building a generation of people they can hire to actually do the work they need done.
But if we could see a similar project for the security field, that would be amazing.
Absolutely amazing.
Well, let's see if that emerges during 2019, Greg Hausch.
Always fascinating to talk with you and thank you for making time for me.
Absolutely.
Glad to help.
And listen, next time you walk across that bridge that takes you across the river on a sunny day towards Cambridge, just think of me because I used to love that walk.
It's amazing.
Thanks very much, Greg.
Take care.
All right.
Goodbye.
Greg Hausch, returning to the unexplained with some food for thought as we enter 2019.
What will this new year bring?
I think you know that I've always thought it's better not to speculate, really.
But we'll talk to Greg again about all of this, maybe at the end of 2019.
Who knows?
Thank you very much for all of your feedback.
Please keep that coming.
Go to my website, theunexplained.tv.
And whatever you do, please put a hit on the website.
Very, very important that you do that.
More great guests coming up here.
Of course, 2019, the 15th anniversary of The Unexplained.
Boy, where did that time go?
Thank you very much for being so supportive to me during that time.
And, you know, I always take on board your comments and your criticisms and whatever you have to say about the show.
No show can be perfect.
No show can be designed specifically for one person.
You know, if I tailored the show to one person's needs, then somebody else would say, I hate that show.
It's not for me.
So I have to walk a bit of a line here, as anybody who does anything like this has to do.
And some of them will be right on target for you, and some of them just won't.
Okay, more great guests, like I say, in the pipeline coming soon.
So until next week, meet, my name is Howard Hughes.
I am in London, and please stay safe, stay calm.
Above all, please stay in touch.
Thank you very much.
Take care.
Export Selection