Transcript
hy2G3PhGm-g • Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266
Kind: captions
Language: en
If one site is hacked, you can just unleash all hell. We have stumbled into this new era of mutually assured digital destruction. How far are people willing to go? You can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically you can put an invisible ankle bracelet on someone without them knowing. You could sell that to a zero-day broker for two million dollars.
The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race. This is the Lex Fridman Podcast. To support it, please check out our sponsors in the description. And now, dear friends, here's Nicole Perlroth.
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists, government officials, forensic investigators, and mercenaries. So let's talk about cybersecurity and cyber war. Start with the basics: what is a zero-day vulnerability, and then a zero-day exploit or attack?
So at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS software that no one else knows about, especially Apple. That's called a zero-day, because the minute it's discovered, engineers have had zero days to fix it. If I can study that zero-day, I could potentially write a program to exploit it, and that program would be called a zero-day exploit. And for iOS, the dream is that you craft a zero-day exploit that can remotely exploit someone else's iPhone without them ever knowing about it, and you can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically you can put an invisible ankle bracelet on someone without them knowing, and you can see why that capability, that zero-day exploit, would have immense value for a spy agency or a government that wants to monitor its critics or dissidents. And so there's a very lucrative market now for zero-day exploits.

So you said a few things there. One is iOS. Why iOS? Which operating system, which one is the sexier thing to try to get to, or the most impactful thing? And the other thing you mentioned is remote, versus having to actually come in physical contact with it. Is that the distinction?
So iPhone exploits have just been a government's number one priority. Recently, actually, the price of an Android remote zero-day exploit, something that can get you into Android phones, is actually higher. The value of that is now higher on this underground market for zero-day exploits than an iPhone iOS exploit. So things are changing.

So there's probably more Android devices, so that's why it's better. But then the iPhone side... if I, so I'm an Android person, because I'm a man of the people, but it seems like all the elites use iPhone, all the people at nice dinner parties. So is that the reason, that the more powerful people use iPhones? Is that why?

I don't think so. I actually... so it was about two years ago that the prices flipped. It used to be that if you could craft a remote zero-click exploit for iOS, then that was about as good as it gets. You could sell that to a zero-day broker for two million dollars. The caveat is you can never tell anyone about it, because the minute you tell someone about it, Apple learns about it, they patch it, and that 2.5 million dollar investment that that zero-day broker just made goes to dust.
So a couple years ago, and don't quote me on the prices, but an Android zero-click remote exploit for the first time topped the iOS, and actually a lot of people's read on that was that it might be a sign that Apple security was falling, and that it might actually be easier to find an iOS zero-day exploit than find an Android zero-day exploit. The other thing is market share. There are just more people around the world that use Android, and a lot of governments that are paying top dollar for zero-day exploits these days are deep-pocketed governments in the Gulf that want to use these exploits to monitor their own citizens, monitor their critics. And so it's not necessarily that they're trying to find elites, it's that they want to find out who these people are that are criticizing them or perhaps planning the next Arab Spring.
So in your experience, are most of these attacks targeted to cover a large population, or are there attacks that are targeted towards specific individuals?

So I think it's both. Some of the zero-day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted. You know, there was a potential terrorist attack, they wanted to get into this person's phone, it had to be done in the next 24 hours, they approached hackers and said, we'll pay you X millions of dollars if you can do this. But then you look at when we've discovered iOS zero-day exploits in the wild, some of them have been targeting large populations like Uyghurs. So a couple years ago there was a watering hole attack. Okay, it's a watering hole attack: there's a website, it actually had information aimed at Uyghurs, and you could access it all over the world, and if you visited this website it would drop an iOS zero-day exploit onto your phone. And so anyone that visited this website that was about Uyghurs, anywhere, I mean Uyghurs living abroad, basically the Uyghur diaspora, would have gotten infected with this zero-day exploit. So in that case, you know, they were targeting huge swaths of this one population, or people interested in this one population, basically in real time.
Who are these attackers, from the individual level to the group level? Psychologically speaking, what's their motivation? Is it purely money? Is it the challenge? Are they malevolent? Is it power? These are big philosophical human questions, I guess.

So these are the questions I set out to answer for my book. I wanted to know, are these people that are just after money? If they're just after money, how do they sleep at night not knowing whether that zero-day exploit they just sold to a broker is being used to basically make someone's life a living hell? And what I found was there's kind of this long, sordid history to this question.
You know, it started out in the '80s and '90s, when hackers were just finding holes and bugs in software for curiosity's sake, really as a hobby, and some of them would go to the tech companies like Microsoft or Sun Microsystems at the time, or Oracle, and they'd say, hey, I just found this zero-day in your software and I can use it to break into NASA. And the general response at the time wasn't, thank you so much for pointing out this flaw in our software, we'll get it fixed as soon as possible. It was, don't ever poke around our software ever again or we'll stick our general counsel on you. And that was really sort of the common thread for years. And so hackers who set out to do the right thing were basically told to shut up and stop doing what you're doing. And what happened next was they basically started trading this information online. Now when you go back and interview people from those early days, they all tell a very similar story, which is they're curious, they're tinkerers. You know, they remind me of like the kid down the block that was constantly poking around the hood of his dad's car. You know, they just couldn't help themselves. They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose. It doesn't have to be good or bad. But they were basically kind of beat down for so long by these big tech companies that they started just silently trading them with other hackers, and that's how you got these really heated debates in the '90s about disclosure: should you just dump these things online, because any script kiddie can pick them up and use it for all kinds of mischief, but, you know, don't you want to just stick a middle finger to all these companies that are basically threatening you all the time? So there was this really interesting dynamic at play.
And what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment, and they started quietly reaching out to hackers on these forums, and they said, hey, you know that zero-day you just dropped online? Could you come up with something custom for me, and I'll pay you six figures for it, so long as you shut up and never tell anyone that I paid you for this. And that's what happened. So throughout the '90s there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, hey, I'll pay you six figures for that bug you were trying to get Microsoft to fix for free. And sort of so began, or so catalyzed, this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free. And in those early days I think a lot of it was just for quiet counterintelligence, traditional espionage. But as we started baking the software, Windows software, Schneider Electric, Siemens industrial software, into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero-days came to be just as valuable for sabotage and war planning.
Does the fact that the market sprung up and you can now make a lot of money change the nature of the attackers that came to the table, or grow the number of attackers? I mean, I guess you told the psychology of the hackers in the '90s. What is the culture today, and where is it heading?

So I think there are people who will tell you they would never sell a zero-day to a zero-day broker or a government. One, because they don't know how it's going to get used when they throw it over the fence. You know, most of these get rolled into classified programs and you don't know how they get used. If you sell it to a zero-day broker, you don't even know which nation state might use it, or potentially which criminal group might use it if you sell it on the dark web. The other thing that they say is that they want to be able to sleep at night, and they'd lose a lot of sleep if they found out their zero-day was being used to, you know, make a dissident's life a living hell. But there are a lot of people, good people, who also say, no, this is not my problem. This is the technology company's problem. If they weren't writing new bugs into their software every day, then there wouldn't be a market, you know, then there wouldn't be a problem. But they continue to write bugs into their software all the time, and they continue to profit off that software, so why shouldn't I profit off my labor too?
And one of the things that has happened, which is I think a positive development over the last 10 years, are bug bounty programs. You know, companies like Google and Facebook, and then Microsoft, and finally Apple, which resisted it for a really long time, have said, okay, we are going to shift our perspective about hackers. We're no longer going to treat them as the enemy here. We're going to start paying them for what is essentially free quality assurance, and we're going to pay them good money, in some cases, you know, six figures. In some cases we're never going to be able to bid against a zero-day broker who sells to government agencies, but we can reward them and hopefully get to that bug earlier, where we can neutralize it so that they don't have to spend another year developing the zero-day exploit, and in that way we can keep our software more secure. But every week I get messages from some hacker that says, you know, see this zero-day exploit that was just found in the wild, you know, being used by this nation state? I tried to tell Microsoft about this two years ago and they were gonna pay me peanuts, so it never got fixed. You know, there are all sorts of those stories that continue on. And, you know, I think just generally hackers are not very good at diplomacy. You know, they tend to be a pretty snipey, technical crowd, and very philosophical in my experience, but, you know, diplomacy is not their strong suit.
Well, there almost has to be a broker between companies and hackers, where you can translate effectively, just like you have a zero-day broker between governments and hackers.

Yes, you have to speak their language.

Yeah.

And there have been some of those companies who've risen up to meet that demand. HackerOne is one of them, Bugcrowd is another. Synack has an interesting model, so that's a company that you pay for a private bug bounty program, essentially. So you pay this company, they tap hackers all over the world to come hack your software, hack your system, and then they'll quietly tell you what they found. And I think that's a really positive development. And actually the Department of Defense hired all three of those companies I just mentioned to help secure their systems. Now I think they're still a little timid in terms of letting those hackers into the really sensitive, high-side classified stuff, but, you know, baby steps.
Just to understand what you were saying, you think it's somewhat impossible for companies to financially compete with the zero-day brokers, with governments? So like the defense can't out-pay the hackers?

It's interesting, you know, they shouldn't out-pay them, because what would happen if they started offering 2.5 million dollars at Apple for any, you know, zero-day exploit that governments would pay that much for, is their own engineers would say, why the hell am I working, you know, for less than that, and doing my nine to five every day? So you would create a perverse incentive. And I didn't think about that until I started this research, and I realized, okay, yeah, that makes sense. You don't want to incentivize offense so much that it's to your own detriment. And so I think what they have, though, what the companies have on government agencies, is if they pay you, you get to talk about it. You know, you get the street cred, you get to brag about the fact you just found that 2.5 million dollar, you know, iOS zero-day that no one else did. And if you sell it to a broker, you never get to talk about it, and I think that really does eat at people.
Can I ask a big philosophical question about human nature here? So if you have, in what you've seen, if a human being has a zero-day, they've found a zero-day vulnerability that can hack into, I don't know, what's the worst thing you can hack into, something that could launch nuclear weapons, which percentage of the people in the world that have the skill would not share that with anyone, with any bad party? I guess how many people are completely devoid of ethical concerns, in your sense? So my belief is all the ultra-competent people, or a very, very high percentage of ultra-competent people, are also ethical people. That's been my experience, but then again my experience is narrow. What's your experience been like?

So this was another question I wanted to answer. You know, who are these people who would sell a zero-day exploit that would neutralize a Schneider Electric safety lock at a petrochemical plant, basically the last thing you would need to neutralize before you trigger some kind of explosion? Who would sell that? And I got my answer. Well, the answer was different. A lot of people said, I would never even look there, because I don't even want to know. I don't even want to have that capability. I don't even want to have to make that decision about whether I'm going to profit off of that knowledge.
I went down to Argentina, and this whole kind of moral calculus I had in my head was completely flipped around. So just to back up for a moment, Argentina actually is a real hacker's paradise. People grew up in Argentina, and, you know, I went down there, I guess I was there around 2015, 2016, but you still couldn't get an iPhone. You know, they didn't have Amazon Prime, you couldn't get access to any of the apps we all take for granted. To get those things in Argentina as a kid, you have to find a way to hack them, you know, and the whole culture is really like a hacker culture. They say it's really like a MacGyver culture. You know, you have to figure out how to break into something with wire and tape. And that means that there are a lot of really good hackers in Argentina who specialize in developing zero-day exploits. And I went down to this Argentina conference called Ekoparty, and I asked the organizer, okay, can you introduce me to someone who's selling zero-day exploits to governments? And he was like, just throw a stone.

[Laughter]

Throw a stone anywhere and you're gonna hit someone. And all over this conference you saw these guys who were clearly from these Gulf states, who only spoke Arabic. You know, what are they doing at a young hacking conference in Buenos Aires?
And so I went out to lunch with kind of this godfather of the hacking scene there, and I asked this really dumb question, and I'm still embarrassed about how I phrased it, but I said, so, you know, will these guys only sell these zero-day exploits to good Western governments? And he said, Nicole, last time I checked, the United States wasn't a good Western government. You know, the last country that bombed another country into oblivion wasn't China or Iran, it was the United States. So if we're going to go by your whole moral calculus, you know, just know that we have a very different calculus down here, and we'd actually rather sell to Iran or Russia or China, maybe, than the United States. And that just blew me away. Like, wow. You know, he's like, we'll just sell to whoever brings us the biggest bag of cash. Have you checked into our inflation situation recently? So, you know, I had some of those reality checks along the way. You know, we tend to think of things as, is this moral, you know, is this ethical, especially as journalists. You know, we kind of sit on our high horse sometimes and write about a lot of things that seem to push the moral bounds. But in this market, which is essentially an underground market, the one rule is like Fight Club: you know, no one talks about Fight Club. First rule of the zero-day market: nobody talks about the zero-day market, on both sides, because the hacker doesn't want to lose their 2.5 million dollar bounty, and governments roll these into classified programs and they don't want anyone to know what they have. So no one talks about this thing, and when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
Can I, a small tangent, ask you by way of advice? You must have done some incredible interviews, and you've also spoken about how seriously you take protecting your sources. If you were to give me advice for interviewing, when you're recording on mic with a video camera, how is it possible to get into this world? Like, is it basically impossible? So you've spoken with a few people, like the godfather of cyber war, cybersecurity, so people that are already out, and they still have to be pretty brave to speak publicly. But is it virtually impossible to really talk to anybody who's a current hacker? You're always like 10, 20 years behind.
It's a good question, and this is why I'm a print journalist. But, you know, when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered. You know, when they've gotten someone on camera, that's usually how they do it. You know, very, very few people talk in the space, and there's actually a pretty well-known case study in why you don't talk publicly in the space and you don't get photographed, and that's the Grugq. So, you know, the Grugq is, or was, this zero-day broker, South African guy, lives in Thailand, and right when I was starting on this subject at the New York Times he'd given an interview to Forbes, and he talked about being a zero-day broker, and he even posed next to this giant duffle bag filled with cash, ostensibly. And later he would say he was speaking off the record, he didn't understand the rules of the game. But what I heard from people who did business with him was that the minute that story came out he became PNG'd. No one did business with him. You know, his business plummeted by at least half. No one wants to do business with anyone who's gonna get on camera and talk about how they're selling zero-days to governments. You know, it puts you at danger, and I did hear that he got some visits from some security folks. And, you know, it's another thing for these people to consider. You know, if they have those zero-day exploits at their disposal, they become a huge target for nation-states all over the world. You know, talk about having perfect opsec. You know, you better have some perfect opsec if people know that you have access to those zero-day exploits.
Which sucks, because, I mean, transparency here would be really powerful for educating the world and also inspiring other engineers to do good. It just feels like when you operate in the shadows, it doesn't help us move in the positive direction in terms of, like, getting more people on the defense side versus on the attack side.

Right.

But of course, what can you do? I mean, the best you can possibly do is have great journalists, just like you did, interview and write books about it and integrate the information you get while hiding the sources.

Yeah, and I think, you know, what HackerOne has told me was, okay, let's just put away the people that are finding and developing zero-day exploits all day long. Let's put that aside. What about the, you know, however many millions of programmers all over the world who've never even heard of a zero-day exploit? Why not tap into them and say, hey, we'll start paying you if you can find a bug in United Airlines software, or in Schneider Electric, or in Ford or Tesla? And I think that is a really smart approach. Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them.

Okay, I have to ask
you about this from a personal side of it. It's funny enough, after we agreed to talk, I've gotten, for the first time in my life, I was a victim of a cyber attack. So this is ransomware, it's called DeadBolt, people can look it up. I have a QNAP device for basically kind of coldish storage, so it's about 60 terabytes with 50 terabytes of data on it, in RAID 5, and apparently about four to five thousand QNAP devices were hacked and taken over with this ransomware. And what the ransomware does there is it goes file by file, almost all the files on the QNAP storage device, and encrypts them, and then there's this very eloquently and politely written page that pops up. You know, it describes what happened: all your files have been encrypted, this includes but is not limited to photos, documents and spreadsheets. Why me? This is, a lot of people commented about how friendly and eloquent this is, and I have to commend them, it is, and it's pretty user-friendly. Why me? This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor, QNAP. What now? You can make a payment of exactly 0.03 bitcoin, which is about a thousand dollars, to the following address. Once the payment has been made, we'll follow up with a transaction to the same address, blah blah blah. They give you instructions of what happens next, and they'll give you a decryption key that you can then use. And then there's another message for QNAP that says: all your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this and future damage. One, make a bitcoin payment of five bitcoin to the following address, and that will reveal to QNAP, I'm summarizing things here, what the actual vulnerability is, or you can make a bitcoin payment of 50 bitcoin to get a master decryption key for your customers. 50 bitcoin is about 1.8 million dollars. Okay.
So first of all, on a personal level, this one hurt for me. I mean, I learned a lot, because I wasn't, for the most part, backing up much of that data, because I thought I can afford to lose that data. It's not like horrible. I mean, I think you've spoken about the crown jewels, like making sure there's things you really protect, and I have... you know, I'm very conscious security-wise on the crown jewels. But there's a bunch of stuff like, you know, personal videos, they're not, like, I don't know, anything creepy, but just like fun things I did that, because they're very large or 4K or something like that, I kept them on there thinking RAID 5 will protect it. You know, I lost a bunch of stuff, including raw footage from interviews and all that kind of stuff. So it's painful, and I'm sure there's a lot of painful stuff like that for the four to five thousand people that use QNAP. And there's a lot of interesting ethical questions here. Do you pay them? Does QNAP pay them? Do the individuals pay them, especially when you don't know if it's going to work or not? Do you wait? So QNAP said, please don't pay them, we're working very hard day and night to solve this.

Mm-hmm.
It's so philosophically interesting to me, because I also project onto them, thinking what is their motivation, because the way they phrased it, on purpose perhaps, but I'm not sure if that actually reflects their real motivation, is, maybe they're trying to help themselves sleep at night, basically saying, this is not about you, this is about the company with the vulnerabilities. Just like you mentioned, this is the justification they have, but they're hurting real people. They hurt me, but I'm sure there's a few others that are really hurt.

And the zero-day factor is a big one. You know that QNAP right now is trying to figure out what the hell is wrong with their system that would let this in, and even if they pay, if they still don't know where the zero-day is, what's to say that they won't just hit them again and hit you again? So that really complicates things, and that is a huge advancement for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit zero-days to pull these off. Usually 80% of them, I think the data shows 80% of them come down to a lack of two-factor authentication. You know, so when someone gets hit by a ransomware attack, they don't have two-factor authentication on, you know, their employees were using stupid passwords. Like, you can mitigate that in the future. This one, they don't know, they probably don't know.

Yeah, and it was, I guess, zero-click, because I didn't have to do anything.
The only thing I'm... well, you know, here's the thing. I did, you know, basics. You know, I put it behind a firewall, I followed the instructions, but I wasn't, I didn't really pay attention. So maybe there's a misconfiguration of some sort that's easy to make. It's difficult when you have a personal NAS. So I'm not willing to sort of say that I did everything I possibly could, but I did a lot of reasonable stuff and they still hit it with zero clicks. I didn't have to do anything.

Yeah, well, it's like a zero-day, and it's a supply chain attack. You know, you're getting hit from your supplier, you're getting hit because of your vendor. And it's also a new thing for ransomware groups to go to the individuals to pressure them to pay. There was this really interesting case, I think it was in Norway, where there was a mental health clinic that got hit, and the cybercriminals were going to the patients themselves to say, pay this or we're going to release your psychiatric records. I mean, talk about hell.
In terms of whether to pay, you know, that is on the cheaper end of the spectrum, from the individual, from the company, both. You know, we've seen, for instance, there was an Apple supplier in Taiwan, they got hit and the ransom demand was 50 million. You know, I'm surprised it's only 1.8 million. I'm sure it's gonna go up. And it's hard. You know, there's obviously governments, and maybe in this case the company, are going to tell you, we recommend you don't pay, or please don't pay. But the reality on the ground is that some businesses can't operate, some countries can't function. I mean, the under-reported storyline of Colonial Pipeline was, after the company got hit and took the pre-emptive step of shutting down the pipeline, because their billing systems were frozen, they couldn't charge customers downstream, my colleague David Sanger and I got our hands on a classified assessment that said that as a country we could have only afforded two to three more days of Colonial Pipeline being down. And it was really interesting. I thought it was the gas and the jet fuel, but it wasn't. You know, we were sort of prepared for that. It was the diesel. Without the diesel, the refineries couldn't function, and it would have totally screwed up the economy. And so there was almost this, like, national security, economic impetus for them to pay this ransom. And the other one I always think about is Baltimore. You know, when the city of Baltimore got hit, I think the initial ransom demand was something around $76,000. It may have even started smaller than that. And Baltimore stood its ground and didn't pay, but ultimately the cost to remediate was 18 million dollars. It's a lot for the city of Baltimore. That's money that could have gone to public school education and roads and, you know, public health, and instead it just went to rebuilding these systems from scratch. And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000? So it's not obvious. You know, it's easy to say don't pay, because why, you're funding their R&D for the next go-round. But it's too often... it's too complicated.
So on the individual level, just like, you know, the way I feel personally from this attack, have you talked to people that were kind of victims in the same way I was, but maybe in more dramatic ways, or so on? You know, the same way that violence hurts people. Yeah, how much does this hurt people, in your sense, in the way you researched it?

The worst ransomware attack I've covered on a personal level was an attack on a hospital in Vermont. And, you know, you think of this as like, okay, it's hitting their IT networks, they should still be able to treat patients. But it turns out that cancer patients couldn't get their chemo anymore, because the protocol of who gets what is very complicated, and without it the nurses and doctors couldn't access it. So they were turning chemo patients away, cancer patients away. One nurse told us, I don't know why people aren't screaming about this. The only thing I've seen that even compares to what we're seeing at this hospital right now was when I worked in the burn unit after the Boston Marathon bombing. You know, they really put it in these super dramatic terms. And last year there was a report in the Wall Street Journal where they attributed an infant death to a ransomware attack, because a mom came in, and whatever device they were using to monitor the fetus wasn't working because of the ransomware attack, and so they attributed this infant death to the ransomware attack.
now on a bigger
scale but less personal
when there was the not pecha attack so
this was an attack
by russia on ukraine
um that came at them through a supplier
attacks
uh software company in that case
that didn't just hit any um
government agency or business in ukraine
that used this tax software it actually
hit any business all over the world that
had even a single employee
working remotely in ukraine
so it hit maersk the shipping company
but hit pfizer hit fedex but the one i
will never forget is merck
it
paralyzed merck's factories i mean it
really created an existential crisis for
the company
merck had to tap into the cdc's
emergency supplies of the gardasil
vaccine
that year because their whole vaccine
production line had been paralyzed in
that attack
imagine
if that was going to happen right now to
pfizer or moderna or johnson and
johnson you know imagine
i mean that would really create
a global
cyber terrorist attack essentially and
that's almost unintentional i thought
for a long time i always labeled it as
collateral damage
but actually just today there was a
really impressive threat researcher
at cisco
which has this threat intelligence
division called talos who said stop
calling it
collateral damage
they could see
who was going to get hit
before they deployed
that malware
it wasn't collateral damage it was
intentional they meant to hit any
business that did business with ukraine
it was it was to send a message to them
too
so i don't know if that's accurate
i i always thought of it as sort of the
sloppy collateral damage but it
definitely made me think
so how much of this between states is
going to be a part of
war
this kind of these kinds of attacks on
ukraine
between russia and u.s russia and china
china and us
let's look at china and u.s
do you think
china and u.s
are going to
escalate
something that would be called the war
purely in the space of cyber
i believe
any
geopolitical conflict
from now on
is guaranteed to have some cyber element
to it
the department of justice recently
declassified a report that said china's
been hacking into our pipelines and it's
not for intellectual property theft
it's to get a foothold
so that if things escalate in taiwan for
example
they are where they need to be to shut
our pipelines down and we just got a
little glimpse of what that looked like
with colonial pipeline
and the panic buying and the jet fuel
shortages and that assessment i just
mentioned about the diesel
so
they're there you know they've got in
there
anytime i read a report about new
aggression from fighter jets chinese
fighter jets in taiwan
or what's happening right now with
russia's buildup on the ukraine border
or india pakistan
i'm always looking at it through a cyber
lens and it really bothers me that other
people aren't
because there is no way
that these governments in these nation
states are not going to use their access
to gain some advantage
in those conflicts
and
you know i'm now in a position where i'm
an advisor to the cyber security
uh infrastructure security agency at the
dhs so
i'm not saying anything classified here
but i just think that
it's really important to understand just
generally
what the collateral damage could be for
american businesses and critical
infrastructure in any of these escalated
conflicts around the world
because just generally
our adversaries have learned
that
they might never be able to match us in
terms of our traditional military
spending on traditional weapons and
fighter jets
but we have a very soft underbelly when
it comes to cyber
80 percent or more of america's critical
infrastructure so
pipelines power grid nuclear plants
water systems
is owned and operated by the private
sector
and for the most part there is nothing
out there
legislating that those companies
share the fact they've been breached
they don't even have to tell the
government they've been hit
there's nothing mandating that they even
meet a bare minimum standard of cyber
security
and that's it
so
even when there are these attacks most
of the time we don't even know about it
so that is you know if you were going to
design a system to be as
blind and vulnerable as possible that's
that is pretty pretty good
that's what it looks like is what we
have here in the united states
and
everyone here is just operating like
let's just keep hooking up everything
for convenience you know software eats
the world
um let's just keep going for cost for
convenience sake just because we can
and when you study these issues and you
study these attacks and you study
the advancement and the the uptick in
frequency and the the lower barrier to
entry that we see every single year
you realize just how dumb
software eats world is
and no one has ever stopped to pause and
think
should we be hooking up these systems to
the internet
they've just been saying can we let's do
it
and that's a real problem and this and
just in the last year you know we've
seen a record number of zero-day attacks
i think there were 80 last year
which is probably more than double what
it was in 2019.
a lot of those were nation states
you know we live in a world with a lot
of geopolitical hot points right now
and
where those geopolitical hot points are
are places where
countries have been investing heavily in
offensive cyber tools
if you're a nation state
the goal would be to maximize the
footprint of zero day like super secret
zero day that nobody's aware of
and whenever
war is initiated the huge negative
effects of shutting down infrastructure
or any kind of zero day is the chaos it
creates
so if you just there's a certain
threshold when you create the chaos
the the markets plummet just everything
goes it goes to hell
so it's not just zero days you know we
make it so easy
for for threat actors i mean
we're not using two-factor
authentication we're not patching
um there was the shellshock
vulnerability that was discovered
a couple years ago it's still being
exploited no because so many people
haven't fixed it
um
so you know the zero days are really the
sexy stuff and what really drew me
to the zero day market was the moral
calculus we talked about
particularly from you know the u.s
government's point of view how do they
justify
leaving these systems so vulnerable
when we use them here and we're baking
more of our critical infrastructure with
this vulnerable software you know it's
not like we're using one set of
technology and russia's using another
and china's using this we're all using
the same technology
so when you find a zero day in windows
you know you're not just leaving it open
so you can spy on russia or implant
yourself in the russian grid you're
leaving americans vulnerable too
but
you know but zero days are like that is
the secret sauce you know that's the
that's the super power you know and i
and i always say like every country now
with the exception of antarctica someone
added the vatican to my list
is trying to find
uh offensive hacking tools and zero days
to make them work and
those that don't have the skills now
have this market that they can tap into
where you know 2.5 million dollars
that's chump change for a lot of these
nation states it's a hell of a lot less
than trying to build the next fighter
jet
um but yeah the goal is chaos i mean why
did russia turn off the lights twice in
ukraine
you know i think
part of it is chaos i think part of it
is to to sow the seeds of doubt in their
current government
your government can't even keep your
lights on why are you sticking with them
you know come over here and we'll keep
your lights on at least you know there's
like a little bit of that
nuclear weapons seems to have helped
prevent nuclear war
is it possible that we have so many
vulnerabilities and so many attack
vectors on each other
that it will
kind of uh achieve the same kind of
equilibrium like mutually shared
destruction
yeah
that's one hopeful solution to this do
you have any hope for this particular
solution
you know nuclear analogies always tend
to fall apart when it comes to cyber
mainly because
you don't need fissile material you know
you just need a laptop and the skills
and you're in the game so it's a really
low barrier to entry
the other thing is attribution's harder
and we've seen countries muck around
with attribution
we've seen you know nation states
piggyback on other countries spy
operations and just sit there and siphon
out whatever they're getting
we learned some of that from the snowden
documents we've seen russia hack into
iran's command and control attack
servers
we've seen them hit
a saudi petrochemical plant where they
did neutralize the safety locks at the
plant and everyone assumed that it was
iran given iran had been targeting saudi
oil companies forever but nope it turned
out that it was a graduate research
institute outside moscow so you see
countries kind of playing around with
attribution why
i think because they think okay if i do
this like how am i going to cover up
that it came from me because i don't want
to risk the response
so people are sort of dancing around
this it's just in a very different way
and
you know at the times i'd covered the
chinese hacks of
infrastructure companies like pipelines
i'd covered the russian probes of
nuclear plants i'd covered the
russian attacks on on the ukraine grid
and then in
2018 my colleague david sanger and i
covered the fact that u.s cyber command
had been hacking into the russian grid
and making a pretty loud show of it
and when we went to the national
security council because that's what
journalists do before they publish a
story they give the other side a chance
to respond
i assumed we would be in for that really
awkward painful conversation
where they would say you will have blood
on your hands if you publish this story
and instead they gave us the opposite
answer they said we have no problem
with you publishing this story
why well they didn't say it out loud but
it was pretty obvious they wanted russia
to know that we're hacking into their
power grid too and they better think
twice before they do to us what they've
done to ukraine so yeah you know we have
stumbled
into this new era of mutually assured
digital destruction
um i think another sort of
quasi norm we've we've stumbled into is
proportional responses you know there's
this idea that if you get hit you're
allowed to respond proportionally
at a time and place of your choosing you
know that is how the language always
goes that's what obama
said after north korea hit sony we will
respond at a time and place of our
choosing um but no one really knows
like what that response looks like and
so what you see a lot of the time are
just these like
just short of war
attacks you know russia turned off the
power in ukraine but it wasn't like it
stayed off for a week
you know it stayed off for a number of
hours
um you know notpetya
hit those companies pretty hard
um but no one died you know and the
question is what's going to happen when
someone dies
and
can a nation state masquerade as a cyber
criminal group as a ransomware group
and that's what really complicates
coming to some sort of digital geneva
convention
like there's been there's been a push
from brad smith at microsoft we need a
digital geneva convention
and on its face it sounds like a
no-brainer yeah why wouldn't we all
agree to stop hacking into each other's
civilian hospital systems elections
power grid
uh pipelines
but when you talk to
people in the west officials in the west
they'll say we would never
we'd love to agree to it but we'd never
do it when you're dealing with xi or
putin or kim jong-un
because a lot of times
they outsource these operations to cyber
criminals
in china we see a lot of these attacks
come from this loose satellite network
of private citizens that work at the
behest of the ministry of state security
so how do you come to some sort of state
to state agreement
when you're dealing with
transnational actors and cyber criminals
where it's really hard to pin down
whether that person was acting alone or
whether they were acting at the behest
of the mss or the fsb
and you know a couple years ago i
remember
i can't remember if it was before or
after notpetya but putin said
hackers are like artists who wake up in
the morning in a good mood and start
painting in other words i have no say
over what they do or don't do so how do
you how do you come to some kind of norm
when that's that's how he's talking
about these issues and he's just
decimated merck
and you know pfizer and another you know
however many thousand companies that is
the fundamental difference between
nuclear weapons and and cyber attacks is
the attribution or one of the
fundamental differences if you can fix
one thing in the world in terms of cyber
security
that would make the world a better place
what would you fix
so you're not allowed to fix like
authoritarian regimes and you can't
right
you have to you have to keep that you
have to keep human nature as it is
in terms of on the security side
technologically speaking
you mentioned there's no regulation on
companies
united states
um what if you could just
uh fix with the snap of a finger what
would you fix two-factor authentication
multi-factor authentication
it's
it's ridiculous
how many of these attacks come in
because someone didn't turn on
multi-factor authentication i mean
colonial pipeline okay
they took down
the biggest conduit for gas jet fuel and
diesel to the east coast of the united
states of america how
because they forgot to deactivate an old
employee account whose password had been
traded on the dark web and they'd never
turned on two-factor authentication
this water treatment facility outside
florida was hacked last year
how did it happen
they were using windows xp from like a
decade ago that can't even get patches
if you wanted to and they didn't have
two-factor authentication time and time
again if they just switched on
two-factor authentication some of these
attacks wouldn't have been possible now
if i could snap my fingers that's the
thing i would do right now but of course
you know this is a cat and mouse game
and then the attackers on to the next
thing but i think right now
that is like
bar none that is just that is the
easiest simplest way to deflect the most
attacks and
you know the name of the game right now
isn't perfect security perfect security
is impossible
they will always find a way in the name
of the game right now is make yourself a
little bit harder to attack than your
competitor than anyone else out there so
that they just
give up and move along and you know
maybe if you are a target for an
advanced nation state or the svr
you know you're going to get hacked no
matter what
but you can make cyber criminal groups
deadbolt is it you can make their jobs a
lot harder
um simply by doing the bare basics and
the other thing is stop reusing your
passwords but if i only get one then
two-factor authentication so what is
two-factor authentication factor one is
what logging in with a password and
factor two is like have another device
or another channel through which you can
confirm yeah that's me yes you know
usually this happens through some kind
of text you know you get your one-time
code from bank of america or from google
and the better way to do it is spend
twenty dollars buying yourself a fido
key
on amazon that's a hardware device
and if you don't have that hardware
device with you
then you're not going to get in
and the whole goal is i mean basically
you know my first half of my decade at
the times was spent covering like the
cop beat it was like home depot got
breached news at 11 you know target
neiman marcus like who wasn't hacked
over the course of those five years and
a lot of those companies that got hacked
what did hackers take they took the
credentials they took the passwords they
can make a pretty penny selling them on
the dark web and people reuse their
passwords so you get one from you know
god knows who i don't know lastpass
the worst case example actually lastpass
but you get one and then you go test it
on their email account and you go test
it on their brokerage account and you
test it on their cold storage account
yeah you know that's how it works but if
you have multi-factor authentication
then they can't get in because they
might have your password but they don't
have your phone they don't have your
fido key
you know and and so you keep them out
and you know i get a lot of alerts
that tell me someone is trying to get
into your instagram account or your
twitter account or your email account
and i don't worry because i use
multi-factor authentication they can try
all day
um okay i worry a little bit but you
know there it's
it's the simplest thing to do and we
don't even do it well there's an
interface aspect to it because it's
pretty annoying if it's implemented
poorly yeah so uh so actually bad
implementation of two-factor
authentication
not just bad but just
something that adds friction is a
security vulnerability i guess because
it's really annoying like uh i think mit
for a while had
two-factor authentication it was really
annoying i just like though the time the
number of times it pings you
like uh
it re it asks to re-authenticate across
multiple sub-domains like it just feels
like a pain
i don't know what the right balance
there yeah it feels like friction
in our frictionless society it feels
like friction it's annoying that's
security's biggest problem it's annoying
you know we need the steve jobs of
security to come along and we need to
make it painless
and actually you know on that point
apple
has probably done more for security than
anyone else simply by introducing
biometric authentication first with the
fingerprint and then with face id it's
not perfect
but you know if you think just eight
years ago everyone was running around
with either no passcode an optional
passcode or four-digit passcode on their
phone that anyone you know think of what
you can get when you get someone's
iphone if you steal someone's iphone and
you know props to them for introducing
the fingerprint and face id and again it
wasn't perfect but it was a huge step
forward now it's time to make another
huge step forward um i want to see the
password die i mean
it's gotten us as far as it was ever
going to get us and i hope whatever we
come up with next is not going to be
annoying is going to be seamless when i
was at google that's what we worked on
is
and there's a lot of ways to call this
active authentication or passive
authentication so basically use
biometric data
not just like a fingerprint but
everything from your body to identify
who you are like movement patterns
so basically create a lot of layers of
protection where
it's very difficult to fake including um
like face unlock
checking that it's your actual face like
the liveness tests so like from video so
unlocking it with video yeah voice the
way you move the the the phone um the
way you take it out of the pocket that
kind of thing all of those factors
it's a really hard problem though yeah
and
ultimately
it's very difficult to beat the password
in terms of security
well there's a company that i actually
will call out and that's abnormal
security so they work on email
attacks and
it was started by a couple guys who
were doing i think ad tech at twitter
so you know ad technology now like it's
a joke how much they know about us you
know you always hear the conspiracy
theories that you know you saw someone's
shoes and next thing you know it's on
your phone
it's amazing what they know about you
um
and they're basically taking that
and they're applying it to attacks so
they're saying
okay you know if you're this is what
your email patterns are it might be
different for you and me because we're
emailing strangers all the time
um but for most people their email
patterns are pretty predictable
and if something strays from that
pattern
that's abnormal and they'll block it
they'll investigate it you know and and
that's great you know let's start using
that kind of targeted
ad technology
to protect people
and yeah i mean it's not going to get us
away from the password and using
multi-factor authentication but
you know the technology is out there and
we just have to figure out how to use it
in a really seamless way because
it doesn't matter if you have the
perfect security solution if no one uses
it i mean when i started at the times
when i was trying to be really good
about
protecting sources i was trying to use
pgp encryption and it's like it didn't
work you know the number of mistakes i
would probably make just trying to email
someone with pgp just wasn't worth it
um and then signal came along and and
signal and wickr you know they made
it a lot easier to send someone an
encrypted text message so we have
to start investing in
creative minds
um in good security design you know i
really think that's the hack that's
going to get us out of where we are
today
what about social engineering
do you worry about this
sort of hacking
people
yes i mean this is the worst nightmare
of every chief information security
officer out there
um
you know social engineering we work from
home
now i saw this this
woman posted online about how her
husband
it went viral today but it was her
husband had this problem at work they
hired a guy named john
and now the guy that shows up for work
every day
doesn't act like john
[Laughter]
i mean think about that like think about
the potential for social engineering in
that context you know you apply for a
job
and you put on a pretty face you hire an
actor or something and then you just get
inside the organization and get access
to all that organization's data
a couple years ago
saudi arabia planted spies inside
twitter
you know why probably because they were
trying to figure out who these people
were who were criticizing the regime on
twitter you know they couldn't do it
with a hack from the outside so why not
plant people on the inside
and that's like the worst nightmare and
also
unfortunately creates all kinds of
xenophobia
at a lot of these organizations i mean
if you're going to have to take that
into consideration
then organizations are going to start
looking really skeptically and
suspiciously at someone who applies for
that job from china
and we've seen that go really badly at
places like the department of commerce
where they basically accuse people of
being spies that aren't spies so it is
the hardest problem
to solve and it's never been harder to
solve than right at this very moment
when there's so much pressure for
companies to let people work remotely
that's actually why i'm single i'm
suspicious china and russia every time i
meet somebody are trying to plant uh and
get insider information so i'm very very
suspicious i keep
putting the turing test in front no um
no i have a friend who
worked inside nsa and was one of their
top hackers and
he's like every time i go to russia
i get hit on by these tens yeah and i
come home my friends are like i'm sorry
you're not a 10. like yeah
yeah the common story i mean it's
difficult to trust
to trust humans in this day and age
online you know because so we're working
remotely
that's one thing
but just interacting with people
on on the internet it sounds ridiculous
but you know i've because of this
podcast in part i've gotten to meet some
incredible people
but it
you know it makes you nervous to trust
folks
and i don't know
how to solve that problem
so i'm
uh
talking with mark zuckerberg who dreams
about creating the metaverse
what do you do about that world where
more and more our lives is
in the digital
sphere like um
one way to phrase it is
most of our meaningful experiences
at some point will be online
like falling in love
getting a job
or experiencing a moment of happiness
with a friend with a new friend made
online all of those things like more and
more the fun we do the things that make
us love life will happen online and if
those things have an avatar
that's digital that's like a way to hack
into people's minds whether it's with
ai or
kind of troll farms or something like
that
i don't know if there's a way to protect
against that
that that uh that might fundamentally
rely
on our faith
in you know how good human nature is so
if most people are good we're going to
be okay
but if people will tend towards
manipulation
and
malevolent behavior in search of power
then we're screwed
so i i don't know if you can comment on
how to keep the metaverse secure yeah i
mean i
all i thought about when you were
talking just now is my three-year-old
son yeah
you know he asked me the other day
what's the internet mom
and
i just almost wanted to cry
you know
i don't want that for him
i don't want all of his most meaningful
experiences to be online you know by the
time that happens
um
how do you know that person's human
that avatar is human
you know i believe in free speech i
don't believe in free speech for robots
and bots
and like look what just happened over
the last
six years
you know we had bots pretending to be
black lives matter activists just to sow
some division
or you know texas secessionists or
um you know organizing anti-hillary
protests or just to sow more division to
tie us up in our own
politics
so that we're so paralyzed we can't get
anything done we can't make any progress
and we definitely can't handle our
adversaries and their long-term thinking
um
it really scares me
and here's where i just come back to
just because
we can create the metaverse you know
just because it sounds like the next
logical step in our digital
revolution i do i really want my my
child's most significant moments to be
online
they weren't for me
you know so maybe i'm just stuck in that
old school thinking
or maybe i've seen too much
and
i'm really sick of being the guinea pig
parent generation for these things i
mean it's hard enough with screen time
like thinking about how to manage
the metaverse as a parent
to a young boy like i can't even let my
head go there that's so terrifying
for me but we've never stopped any new
technology
just because it introduces risks
we've always said okay the promise of
this technology means we should
keep going keep pressing ahead we just
need to figure out new ways to manage
that risk
and you know that is that's
that's the blockchain right now
like
when i was covering all of these
ransomware attacks
i thought okay this is gonna be it for
cryptocurrency you know governments are
gonna put the kibosh down they're gonna
put the hammer down and say enough is
enough
like we have to put this genie back in
the bottle because it's enabled
ransomware i mean
five years ago they would hijack your pc
and they'd say go to the local
pharmacy get a e-gift card and tell us
what the pin is and then we'll get your
two hundred dollars now it's pay us you
know five bitcoin
um and so there's no doubt
cryptocurrencies enabled ransomware
attacks but
after the colonial pipeline ransom was
seized because if you remember the fbi
was actually able to go in
and claw some of it back from dark side
which was the ransomware group that hit
it
and i spoke to these guys at trm labs so
they're they're one of these blockchain
intelligence companies and a lot of
people that work there used to work at
the treasury
and what they said to me was yeah
cryptocurrency has enabled ransomware
but
to track down
that ransom payment
would have taken you know if we were
dealing with fiat currency would have
taken us years to get to that one bank
account or belonging to that one front
company in the seychelles
and now thanks to the blockchain
we can track the movement of those funds
in real time
and you know what you know these
payments are not as anonymous as people
think like we still can use our old
hacking ways and zero days and you know
old school intelligence methods to find
out who owns that private wallet and how
to get to it
so it's a it's a curse in some ways and
that it's an enabler but it's also a
blessing and they said that same thing
to me that i just said to you they said
we've never shut down
a promising new technology because it
introduced risk we just figured out how
to manage that risk
and i think that's where the
conversation unfortunately has to go is
how do we
in the metaverse
use technology to uh to fix things
so maybe we'll finally be able to not
finally but figure out a way
to solve the identity problem on the
internet meaning like a blue check mark
for actual human
and connect it to identity
like a fingerprint so you can prove your
you
and yet
do it in a way that doesn't involve the
company having all your data
so giving you
allowing you to maintain control over
your data or if you don't
then there's a complete transparency of
how that data is being used all those
kinds of things and
maybe as you educate more and more
people
they would demand
in a capitalist society that the
companies that they give their data to
will
respect that data
yeah i mean there is
this company and i hope they succeed
their name is
piiano
and they want to create a vault for your
personal information inside every
organization
and ultimately if i'm going to call
delta airlines to book a flight
they don't need to know my my social
security number they don't need to know
my birth date
they're just gonna send me a one-time
token to my phone my phone's gonna say
or my you know fido key is going to say
yep it's it's her
and then we're going to talk about my
identity like a token you know some
random token they don't need to know
exactly who i am they just need to know
i am you know the system trusts that i
am who i say i am but they don't get
access
to my pii data they don't get access to
my social security number my location
um or the fact i'm a times journalist
you know i think that's the way the
world's gonna go we have enough is
enough
sort of losing our personal information
everywhere um letting data marketing
companies track
our every move
you know they don't need to know who i
am you know okay i get it you know we're
stuck in this world where
the internet runs on ads
so ads are not going to go away
but they don't need to know i'm nicole
perlroth
they can they can know that i am token
number you know
x x 5 6 7. and they can let you know
what they know and give you control
about removing the things they know yeah
right to be forgotten to me you should
be able to walk away with a single press
of a button
and i also believe that most people
given the choice to walk away won't walk
away they'll just feel better
about having the option to walk away
when they understand the trade-offs if
you walk away you're not going to get
some of the personalized experiences
that you would otherwise get like a
personalized feed and all those kinds of
things
but the freedom to walk away is is um
i think really powerful and obviously
what you're saying it's definitely
there's all these html forms where you
have to enter your phone number and
email and private information from delta
every single airline
new york times
i have so many opinions on this
just the friction and the sign up and
all those kinds of things i should be
able to this has to do with everything
this has to do with payment too
as the payment should be trivial it
should be one click and and one click to
unsubscribe and subscribe
and one click to provide all of your
information that's necessary for the
subscription service for the transaction
service whatever that is getting a
ticket as opposed to i have all these
fake phone numbers and emails that i use
not to sign up because you know you
never know
if one site is hacked
then it's just going to
propagate to everything else yeah
and you know there's low-hanging fruit
and i hope congress
does something and frankly i think it's
negligent they haven't on
the fact that elderly people
are getting spammed to death on their
phones these days with fake car warranty
scams and i mean my dad was in the
hospital last year and i was in the
hospital room and his phone kept buzzing
and i look at it
and it's just
spam attack after spam attack people
non-stop calling about his freaking car
warranty
why they're trying to get a social
security number they're trying to get us
pii they're trying to get this
information
we need to figure out how to put those
people
in jail for life
and we need to figure out why in the
hell we are being required or asked to
hand over
our social security number and our home
address
and our passport you know all of that
information to every retailer who asks i
mean that's that's insanity
um and there's no question they're not
protecting it
uh because it keeps showing up in you
know spam or
identity theft or credit cards
afterwards
well spam is getting better and maybe uh
i need to as a side note make a public
announcement please clip this out
which is um
if you get an email or a message from
lex fridman saying how much
i lex you know appreciate you and love
you and so on and please connect with me
on my whatsapp number and i will give
you bitcoin or something like that
please do not click
and i
i'm aware that there's a lot of this
going on a very large amount i can't do
anything about it this is on every
single platform it's happening more and
more and more
uh which i've been recently informed
that they're not emailing so it's
cross-platform
they're taking people's they're somehow
this is fascinating to me because
they are
taking people who comment on various
social platforms
and they somehow reverse engineer they
figure out what their email is and they
send an email to that person
saying from lex fridman and it's like a
heartfelt email with links it's
fascinating because it's cross-platform
now it's not just a spam
bot that's messaging us and a comment
that in a reply they are saying okay
this person cares about this other
person on social media so i'm going to
find another channel which
in their mind probably increases and
then does the likelihood
that they'll get uh the people to click
and they do i don't know what to do
about that it makes me really really sad
especially with podcasting there's an
intimacy
that people feel connected and they get
really excited oh okay cool like let's i
want to talk to lex
and they click
and
like
i
i get angry at the people that do this i
mean you're um
it's like the john that gets hired uh
the fake employee i mean i don't know
what to do about that i mean i suppose
that's the i suppose the solution is
education it's
telling people to be skeptical on stuff
they click
uh it's that's that balance with the
technology solution of creating a um
maybe like two-factor authentication and
maybe helping identify things that are
likely to be spam i don't know
but then the machine learning there is
tricky because you don't want to add a
lot of extra friction
that just annoys people because they'll
turn it off because you have the accept
cookies thing right
that everybody has to click on now so
now they completely ignore they accept
cookies this is very difficult
um
to find that frictionless security
you mentioned snowden you talked about
looking through
the nsa documents he leaked and doing
the hard work of that
what do you make of edward snowden what
did you learn from those documents what
do you think of him
in the long arc of history is edward
snowden a hero or a villain
i think he's neither
i have really complicated feelings about
edward snowden um
on the one hand i'm a journalist at
heart and
more transparency is good and i'm
grateful for the conversations that we
had
in the post-snowden era about the limits
to surveillance
and
how critical privacy is
and when you have no transparency and
you don't really know
in that case what our secret courts were
doing
how can you truly
believe that our country is taking our
civil liberties seriously
um so on one on the one hand i'm
grateful that he cracked open
these debates
on the other hand
when i walked into
this storage closet
of classified nsa secrets
i had just spent
two years
covering
chinese cyber espionage almost every day
and
this sort of advancement
of russian attacks
they were just getting worse and worse
and more destructive and there were no
limits
to chinese cyber espionage and chinese
surveillance of its own citizens and
there seemed to be no limit to what
russia was willing to do
in terms of cyber attacks and also in
some cases assassinating
journalists
so when i walked into that room
there was a part of me quite honestly
that was relieved
to know that the nsa was as good as i
hoped they were
and
we weren't using
that knowledge to as far as i know
assassinate journalists
uh we weren't using
our access to you know take out
pharmaceutical companies for the most
part we were using it for traditional
espionage
now
that set of documents also set me on the
journey of my book because to me
the american people's reaction to the
snowden documents was a little bit
misplaced
you know they were upset about the phone
call metadata collection program
angela merkel i think rightfully was
upset that we were hacking her cell
phone
um but
in sort of the spy eat spy world hacking
world leaders cell phones is pretty much
what most spy agencies do
and there wasn't a lot that i saw in
those documents
that was beyond what i thought a spy
agency
does
and
i think if there was another 9/11
tomorrow god forbid
we would all say how did the nsa miss
this
why weren't they spying on those
terrorists why weren't they spying on
those world leaders
you know there's some of that too
but i think that
there was great damage done to
um the us's reputation
um i think we really lost our halo
in terms of a protector of civil
liberties
um and i think a lot of what was
reported was unfortunately reported in a
vacuum
that was my biggest gripe
that we were always reporting the nsa
has this program and here's what it does
and the nsa is in angela merkel's cell
phone and the nsa can do this
and
uh no one was saying
and by the way
china has been hacking into our
pipelines and they've been making off
with all of our intellectual property
and russia's been hacking into our
energy infrastructure and they've been
using the same methods to spy on track
and in many cases kill their own
journalists
and the saudis have been doing this to
their own critics and dissidents and so
you can't talk about any of these
countries in isolation
it is really like spy eat spy out there
and uh so i just have complicated
feelings you know and the other thing is
and i'm sorry it's a little bit of a
tangent but
the amount of documents that we had
like thousands of documents most of
which were just crap
but had
people's names on them
you know part of me wishes that those
documents had been released
in a much more targeted limited way it's
just a lot of it just felt like a
powerpoint that was taken out of context
um
and
you just sort of wish that there had
been a little bit more thought
into what was released because i think a
lot of the impact from snowden was just
the volume
of the reporting but i but i think you
know based on what i saw personally
um
there was a lot of stuff that i just i
don't know why that that particular
thing got released as a whistleblower
what's the better way to do it because i
mean there's fear there's
it takes a lot of effort to do a more
targeted release
you know if there's proper channels
you're afraid that those channels will
be manipulated like who do you trust
what's a better way to do this do you
think as a journalist this almost like a
journalistic question
reveal some fundamental flaw in the
system without destroying the system i i
bring up you know
again mark zuckerberg and meta there was
a whistleblower
that came out about
instagram internal studies and i also
torn about how to feel about that
whistleblower
because from a company perspective
that's an open culture
how can you operate successfully if you
have an open culture where any one
whistleblower can come out out of
context take a study whether it
represents a larger context or not
and the press eats it up and then that
creates a narrative
that is
just like with the nsa you said it's out
of context very targeted
to where while facebook is evil clearly
because of this one leak
it's really hard to know what to do
there because we're now in a society
that deeply distrusts institutions
and so
narratives by whistleblowers make that
whistleblower and their forthcoming book
very popular
and so there's a huge incentive to take
stuff out of context and to tell stories
that don't represent the full
context the full truth
it's hard to know what to do with that
because then um that forces facebook and
meta and governments to be much more
conservative much more secretive
it's like a race to the the
bottom i
i don't know i don't know if you can
comment on any of that how to be a
whistleblower ethically and properly
i don't know i mean these are hard
questions and you know even for myself
like in some ways
i think of my book as
sort of
blowing the whistle on the underground
zero day market
but
you know it's not like i was in the
market myself
it's not like i had access to classified
data when i was reporting out that book
you know as i say in the book like
listen i'm just trying to scrape the
surface here
so we can have these conversations
before it's too late and um you know i'm
sure there's plenty in there that
someone who's you know the
u.s intelligence agency's preeminent
zero day broker probably has some voodoo
doll of me out there
and you know you never you're never
gonna get it 100
um
but i really applaud whistleblowers like
you know the whistleblower who who blew
the whistle on the trump call with
zelensky
i mean
people needed to know about that that we
were basically
in some ways blackmailing
an ally
to try to influence an election
i mean
they went through the proper channels
they weren't trying to profit off of it
right there was no book that came out
afterwards from that whistleblower um
that whistleblower's not like
they went through the channels they're
not living in moscow you know let's put
it that way
i can ask you a question you mentioned
nsa one of the things that showed
is they're pretty good at what they do
again this is a
touchy subject i suppose but
there's a lot of conspiracy theories
about intelligence agencies from your
understanding of intelligence agencies
cia nsa and the equivalent of in other
countries
are they one question this could be a
dangerous question are they competent
are they good at what they do
and two are they
malevolent in any way
sort of i recently had a conversation
about uh tobacco companies
that kind of see their
customers as dupes
like they can just play games with with
people
conspiracy theories tell that similar
story about
intelligence agencies that they're
interested in manipulating the populace
for whatever ends the powerful
in dark rooms
cigarettes smoke cigar
smoke filled rooms
what what's your sense do these
conspiracy theories have kind of
any truth to them
or are intelligence agencies for the
most part
good for society okay well that's an
easy one
is it no
i think you know depends which
intelligence agency think about the
mossad you know they're
killing every um
iranian nuclear scientist they can
over the years
you know but
have they delayed the time horizon
before iran gets the bomb yeah
um
have they probably staved off
terror attacks on their own citizens
yeah
um you know none of these
intelligence is intelligence you
know you can't just say like they're
malevolent or
they're heroes
you know
everyone i have met in this space
is not like the pound your chest patriot
that you see on you know the beach on
the 4th of july
a lot of them have complicated feelings
about their former employers
well at least at the nsa reminded me
to do
what
we were accused of doing after snowden
to spy on americans
you have no idea
the amount of red tape and paperwork and
bureaucracy
it would have taken to do what everyone
thinks that we were supposedly doing
um
but then
you know we find out in the course of
the snowden reporting about a program
called loveint
where a couple of the nsa analysts were
using their access to spy on their
ex-girlfriends
so
you know there's an exception to every
case
um generally
i
will probably get you know accused of my
western bias here again but
i think
you can you can almost barely compare
um
some of these western intelligence
agencies to china for instance and
the surveillance that they're deploying
on the uyghurs
to the level they're deploying it
and the surveillance they're starting to
export abroad with some of the programs
like the watering hole attack i
mentioned earlier where it's not just
hitting
the uyghurs inside china it's hitting
anyone interested in the uyghur plight
outside china i mean it could be an
american high school student writing a
paper on the uyghurs they want to spy on
that person too
you know there's no
rules in china really limiting
the extent of that surveillance
and we all better pay attention to
what's happening with the uyghurs
because
just as ukraine has been to russia in
terms of a test kitchen for its cyber
attacks
the uyghurs are china's test kitchen for
surveillance
and there's no doubt in my mind
that they're testing them on the uyghurs
the uyghurs are their petri dish and
eventually they will export that level
of surveillance overseas i mean
in 2015
obama and
xi jinping reached a deal
where
basically the white house said you
better cut it out on intellectual
property theft
and so they made this agreement that
they would not hack each other for
commercial benefit
and for a period of about 18 months we
saw this huge drop off in in chinese
cyber attacks on american companies
but some of them continued
where did they continue they continued
on
aviation companies on hospitality
companies like marriott
uh why because that was still considered
fair game to china it wasn't ip theft
they were after they wanted to know who
was staying in this city
at this time when chinese citizens were
staying there so they could cross match
for counterintelligence who might be a
likely chinese spy
i'm sure we're doing some of that too
counterintelligence is
counterintelligence it's considered fair
game
but where i think it gets evil
is when you use it for censorship
you know to suppress any dissent
to do what i've seen the uae do to its
citizens where people who've gone on
twitter
just to advocate for better voting
rights more enfranchisement
suddenly find their passports
confiscated
you know i talked to
one critic ahmed mansoor and he told me
you know you might find yourself a
terrorist labeled a terrorist one day
and you don't even know how to operate a
gun i mean he had been beaten up
every time he tried to go somewhere his
passport had been confiscated by that
point it turned out they'd already
hacked into his phone so they were
listening to us talking they'd hacked
into his baby monitor so they're spying
on his child
um and
they stole his car and then they created
a new law that you couldn't criticize
the the ruling family or the ruling
party on twitter and he's been in
solitary confinement every day um since
on hunger strike
so that's evil you know that's evil
and we still we don't do that here you
know we we have rules here we don't
cross that line
um so yeah in some cases like i won't go
to dubai
you know i won't go to abu dhabi if i
ever want to go to the maldives like too
bad like most of the flights go through
dubai
so there's some lines we're not willing
to cross but then again just like you
said there's individuals within nsa
within cia
and they may have
power and to me there's levels of evil
to me personally this is the stuff of
conspiracy theories
is um the things you've mentioned as
evil are more direct attacks
but there's also psychological warfare
so blackmail so what is um
what does spying allow you to do allow
you to collect information if you have
something that's embarrassing
or if you have like jeffrey epstein
conspiracy theories
active what is it manufacturer of
embarrassing things and then use
blackmail to manipulate the population
or all the powerful people involved it
troubles me deeply that mit allowed
somebody like jeffrey epstein in their
midst
especially some of the uh
scientists i admire that they would hang
out with that person at all
and so
you know i'll talk about it sometimes
and then a lot of people tell me well
obviously jeffrey epstein is the front
for intelligence
and i just um i struggle to see that
level of competence and malevolence
but you know
who the hell am i
and
i i guess
i was trying to get to that point you
said that there's bureaucracy and so on
which makes some of these things very
difficult
i wonder how much malevolence how much
competence
there is in these institutions like how
far this takes us back to the hacking
question how far are people willing to
go
if they have the power this has to do
with social engineering this has to do
with hacking this has to do with
manipulating people attacking people
doing evil onto people psychological
warfare and stuff like that
i don't know
i believe that most people are good
and um i don't think that's possible
in a free society there's something that
happens when you have a centralized
government where power corrupts
over time and you start
you know surveillance programs kind of
um it's like a slippery slope that over
time starts to
to uh both use fear
and direct manipulation to control the
populace but in a free society i just um
it's difficult for me to imagine you can
have like
something like a jeffrey epstein a front
for intelligence i don't know what i'm
asking you but i'm just
i have a hope that for the most part
intelligence agencies are trying to do
good and are actually doing good for the
world
when you view it in the full context of
the complexities of the world
but then again
if they're not would we know
that's why edward snowden might be a
good thing
let me ask you on a personal question
you have investigated some of the most
powerful organizations and people in the
world of cyber warfare cyber security
are you ever afraid for your own life
your own well-being
digital or physical i mean i've had my
moments
you know i've had
um our security team at the times called
me at one point and said someone's on
the dark web
offering you know good money to anyone
who can hack your your phone or your
laptop
um i describe in my book how
when i was at that hacking conference in
argentina i came back and
i brought a burner
laptop with me but i'd kept it in the
safe anyway and it didn't have anything
on it but someone had broken in and it
was moved
um you know i've had
all sorts of sort of scary moments
um and then i've had moments where i
think i went
just
way too far into the paranoid side i
mean
i remember
writing about the times hack by china
and i just covered a number of chinese
cyber attacks where they'd gotten into
the thermostat
at someone's corporate apartment and
um
you know they've gotten into all sorts
of stuff and i was living by myself i
was single in san francisco
and
my cable box on my television started
making some weird noises in the middle
of the night
and i got up and i ripped it out of the
wall and i think i said something like
embarrassing like fuck you china you
know
and
then i went back to bed and i woke up
and like this like beautiful morning
like i mean i'll never forget it like
this is like glimmering morning light
shining on my cable box which has now
been ripped out and is sitting on my
floor in like the morning light and
i was just like no no no like i'm not
going down that road like you basically
i i came to
to a you know a
fork in the road
where i could either go full tinfoil hat
go live off the grid
never have a car with navigation never
use google maps never own an iphone
never order diapers off amazon
you know create an alias um
or
i could just do the best i can
and
live in this new digital world we're
living in and what does that look like
for me i mean
what what are my crown jewels this is
what i tell people what are your crown
jewels because just focus on that you
can't protect everything but you can
protect your crown jewels for me for the
longest time my crown jewels were
my sources
i was nothing without my sources
so i had some sources i would meet
the same dim sum place or maybe it was a
different restaurant on the same date
you know every quarter
um and we would never drive there
we would never uber there we wouldn't
bring any devices i could bring a pencil
and a notepad
and if someone wasn't in town like there
were a couple times where i'd show up
and the source never came
but we never communicated digitally
and those were the lengths i was willing
to go to protect that source but you
can't do it for everyone so for everyone
else you know it signal using two-factor
authentication you know keeping my
devices up to date not clicking on
phishing emails using a password manager
all the things that you know
we know we're supposed to do
and that's what i tell everyone like
don't go crazy because then that's like
the ultimate hack then they've hacked
your mind
whoever they is for you
um but just do the best you can now
my whole risk model changed when i had a
kid you know now it's
oh god you know if anyone
threatened my family
god help them
but it's uh
it it changes you and
you know unfortunately
there are some things like i was really
scared to go deep on
like russian cyber crime you know like
putin himself you know and and it's
interesting like i have a mentor who's
an incredible person
who was the times moscow bureau chief
during the cold war
and after i wrote a series of stories
about chinese cyber espionage he took me
out to lunch
and he told me that when he was living
in moscow he would drop his kids off at
preschool when they were my son's age
now
and the kgb would follow him
and they would make a really like loud
show of it um you know they'd tail them
they'd you know
honk they'd just be a wreck make a
ruckus and he said you know what they
never actually did anything but they
wanted me to know that they were
following me and i operated accordingly
and he says that's how you should
operate in
in the digital world
know that there are probably people
following you
sometimes they'll make a little bit of
noise but
one thing you need to know is that while
you're at the new york times you have a
little bit of an invisible shield on you
you know if something were to happen to
you
that would be a really big deal that
would be an international incident so i
kind of carried that invisible shield
with me for years
and then uh jamal khashoggi happened
and that destroyed my vision of my
invisible shield you know
sure you know he was a saudi but he was
a washington post columnist
you know for the most part he was living
in the united states he was a journalist
and for them to do what they did to him
pretty much in the
open and get away with it
um and for for the united states to let
them get away with it because we wanted
to preserve diplomatic relations with
the saudis
that really threw my world view upside
down
and
you know i think that sent a message to
a lot of countries
that
it was sort of open season on
journalists and
to me that was one of the most
destructive things that happened
under the previous administration
and
you know i don't i don't really know
what to think of my invisible shield
anymore like you said that really
worries me on the journalism side that
people would be afraid to dig deep on
fascinating topics
and
you know i have my own that's
part of the reason that i i would love
to have kids i would love to have a
family
part of the reason
i'm a little bit afraid
there's many ways to phrase this but the
loss of freedom
in the way of
doing all the crazy shit that i
naturally do which i would say
the ethic of journalism is kind of not
is doing crazy shit without really
thinking about it this is letting your
curiosity
really
allow you to be free and explore
it's i mean whether it's stupidity or
fearlessness whatever it is that's what
great journalism is
and
all the concerns about security risks
have made me like become a better person
the way i approach it is uh
just make sure you don't have anything
to hide i know this is not a thing this
is not a this is not an approach to
security i'm just this is like a
motivational speech or something
it's just like if you can lose you can
be hacked at any moment just don't be a
douchebag secretly
just be be like a good person because
then i i see this actually with social
media in general
uh just
present yourself in the most authentic
way possible meaning be the same person
online as you are privately have nothing
to hide that's one not the only but one
of the ways
to achieve security
i maybe i'm totally wrong on this but
don't be um
secretly weird if you're weird be
publicly weird so it's impossible to
blackmail you
that's my approach to yeah well they
call it the new york times front page
uh phenomenon you know don't put
anything in email or i guess social
media these days that
um you wouldn't want to read on the
front page of the new york times
and that works but you know
sometimes i even get carried away i mean i i
have
i don't know not as many followers as
you but a lot of followers and sometimes
even i get carried away to be emotional
yeah yeah i mean just the cortisol
um
response on twitter you know twitter is
basically like designed to elicit those
responses i mean
every day i turn on my computer i look
at my phone i look at what's trending on
twitter and it's like what are the
topics that are gonna make people the
most angry today
and
you know it's easy to get carried away
but it's also just
that sucks too that you have to be
constantly censoring yourself and maybe
it's for the better maybe you can't be a
secret asshole
and we can put that in the good bucket
but
at the same time you know there is a
danger
to
that other voice
to creativity you know to being weird
there is a danger to that little
whispered voice that was that's like
well how would people read that you know
how could that be manipulated how could
that be used against you
and that stifles
creativity and innovation and free
thought
and um you know that's that that is on a
very micro level um
and that's something i think about a lot
and that's actually something that tim
cook um has talked about a lot
and why he has
you know said he goes full force on
privacy is
it's just that little voice
that is at some level censoring you
and what what is sort of the long-term
impact of that little voice over time
i think there's a ways i think that
self-censorship
is an attack vector that there are
solutions to the way i'm really inspired
by elon musk the solution to that is
just
be privately and publicly the same
person and be ridiculous embrace the
full weirdness and show it more and more
so it you know that's that's memes that
has like ridiculous humor and
i think
uh and if there is something you really
want to hide deeply consider
if that you want to be that
like why are you hiding it what exactly
are you afraid of because i think my
hopeful vision for the internet is the
internet loves authenticity they want to
see you weird
so be that
and like live that fully because i think
that gray area where you're kind of
censoring yourself
that
that's where the destruction is you have
to go all the way step over
be weird be weird and then
it feels it can be painful because
people can attack you and so on but just
ride it i mean that's just like a skill
on the social psychological level that
ends up being a um
an approach to security which is like
remove the attack vector of having
private information by being your full
weird self publicly
what um
what advice would you give to young
folks today you know operating in um
in this complicated space
about how to have a successful life a
life they can be proud of a career they
can be proud of
maybe somebody in high school and
college thinking about what they're
going to do
be a hacker
you know if you have any interest become
a hacker
and apply yourself to defense
you know every time like we do have
these these amazing scholarship programs
for instance where
you know they find you early they'll pay
your college as long as you
commit to some kind of federal
commitment to sort of help federal
agencies with cyber security and where
does everyone want to go every year from
the scholarship program they want to go
work at the nsa or cyber command you
know they want to go work on offense
they want to go do the sexy stuff it's
really hard to get people to work on
defense it's just it's always been more
fun to be a pirate than being the coast
guard you know and so
we have a huge deficit when it comes to
filling those roles there's 3.5 million
unfilled
cybersecurity positions around the world
i mean talk about job security like be a
hacker and work on cyber security you
will always have a job
and we're actually at a huge deficit
and disadvantage as a free market
economy
because we can't match
cyber security salaries at palantir or
facebook or google or microsoft and so
it's really hard for the united states
to fill those roles um
and you know other countries have had
this workaround where they basically
have forced conscription on some level
you know china tells people
like you do whatever you're gonna do
during the day work at alibaba you know
if you need to do some ransomware okay
but the minute we tap you on the
shoulder and ask you to come do this
sensitive operation for us the answer is
yes
um you know same with russia you know a
couple years ago when yahoo was hacked
and they laid it all out in an
indictment it came down to two cyber
criminals and two guys from the fsb
cyber criminals were allowed to have
their fun
but the minute they came across the
username and password for someone's
personal yahoo account that worked at
the white house or the state department
or military they were expected to pass
that over to the fsb
so we don't do that here and it's it's
even worse on defense we really can't
fill these positions
so you know be if if you are a hacker if
you're interested in code if you're a
tinkerer
you know learn how to hack
um
there are all sorts of amazing hacking
competitions you can do through
the sans org for example
s-a-n-s uh and then use those skills for
good you know neuter the bugs in that
code that get used by autocratic regimes
to make people's life you know a living
prison
um you know plug those holes you know
defend industrial systems defend our
water treatment facilities from hacks
where people are trying to come in and
poison the water
you know that i think is just an amazing
um
it's an amazing job on so many levels
it's
intellectually stimulating
you can tell yourself you're serving
your country
you can tell yourself you're saving
lives and keeping people safe and you'll
always have amazing job security and if
you need to go get that job that pays
you you know two million bucks a year
you can do that too and you can have a
public profile more so of a public
profile you could be a public rock star
i mean it's the same thing as uh
sort of the military and there's a lot
of
um
there's a lot of uh well-known sort of
people commenting on the fact that
veterans are not treated as well as they
should be but it's still the fact that
soldiers are deeply respected for for uh
defending the country the freedoms the
the ideals that we stand for and in the
same way
i mean in some ways the the cyber
security defense are the soldiers of the
future yeah and you know it's
interesting i mean in cyber security the
difference is oftentimes you see the
more interesting threats in the private
sector because that's where the attacks
come you know when when cyber criminals
and nation-state adversaries come for
the united states they don't go directly
for cyber command or the nsa
no they go for banks they go for google
they go for microsoft they go for
critical infrastructure and so those
companies those private sector companies
get to see some of the most advanced
sophisticated
attacks
out there and you know if you're working
at fireeye and you're calling out the
solarwinds attack for instance i mean
you just saved
god knows how many systems from you know
that compromise turning into something
that more closely resembles sabotage
um
so you know go go be a hacker
and or go be a journalist
so uh you wrote the book this is how
they tell me the world ends as we've
been talking about
of course referring to cyber war cyber
security
uh what gives you hope about the future
of our world if it doesn't end how will
it not end
that's a good question i mean i have to
have hope right because i have a kid and
another on the way and
if i didn't have hope i wouldn't be
having kids
um but it's a scary time to be
having kids
and and now it's like pandemic climate
change
disinformation
increasingly
advanced perhaps deadly cyber attacks
what gives me hope is that i share your
world view that i think people are
fundamentally good
and sometimes and this is why the
metaverse scares me to death but
when i'm reminded of that is not online
like online i get the opposite you know
you start to lose hope and humanity when
you're on twitter half your day
um it's like when i go to the grocery
store or i go on a hike or like someone
smiles at me
or you know or someone just says
something nice
um you know people are fundamentally
good we just don't hear from those
people enough
and my hope is
you know i just think our our current
political climate like we've hit rock
bottom you know this is as bad as it
gets we can't do anything don't jinx it
well
but i think it's a generational thing
you know i think baby boomers like it's
time to move along
i think it's it's time for a new
generation to come in and i actually
have
a lot of hope when i look at
you know i'm sort of like this
i guess they call me a geriatric
millennial or a young gen x
but like we have this unique
responsibility
because i grew up without without the
internet
and without social media but i'm native
to it
so i know the good
and i know the bad
and that's true on so many different
things you know i grew up without
climate change anxiety
and now i'm feeling it and i know it's
not a given we don't have to just resign
ourselves to climate change
um you know same with disinformation and
i think a lot of the problems we face
today
have just exposed the sort of inertia
that there's been on so many of these
issues and i really think it's a
generational
shift that has to happen
and i think this next generation is
gonna come in and say like we're not
doing business like you guys did it
anymore you know we're not just gonna
like rape and pillage the earth and try
and turn everyone against each other and
play dirty tricks and let lobbyists
dictate you know what what we do or
don't do as a country anymore
and that's really where i see the hope
it feels like there's a lot of
low-hanging fruit
for uh young minds to step up and create
solutions and lead so i whenever like uh
politicians or leaders
that are older
like you said are acting shitty i see
that as a positive they're inspiring
a large number of young people to
replace them yeah and so it's
i think you're right there's going to be
it's almost like you need people to act
shitty to remind them oh wow we need
good leaders we need great creators and
builders and entrepreneurs and
scientists and engineers and journalists
yeah you know all the discussions about
how the journalism is quote unquote
broken and so on that's just an
inspiration for new institutions to rise
up that do journalism better new
journalists to step up and do journalism
better so i
and i've been constantly when i talk to
young people i'm constantly impressed
um by
uh the ones that dream to build
solutions
and so that's that's that's ultimately
why i um
i put the hope but the world is a messy
place like we've been talking about it's
a scary place
yeah and i think you hit something hit
on something earlier which is
authenticity
like no one is going to rise above
that is plastic
anymore
you know people are craving authenticity
you know the benefit of the internet is
it's really hard to hide who you are on
every single platform you know on some
level it's gonna come out who you really
are
and so you hope that
um you know by the time my kids are
grown like no one's gonna care um if
they made one mistake online so long as
they're authentic
you know and and i i used to worry about
this
my nephew was born the day i graduated
from college
and i just always that you know he's
like born into to facebook and
just think like how is a kid like that
ever gonna be president of the united
states of america because
if facebook had been around when i was
in college you know like jesus um you
know what how is how are those kids
gonna ever be president there's gonna be
some photo of them at some point making
some mistake
and that's gonna be all over for them
and now i take that back now it's like
no
everyone's going to make mistakes
there's going to be a picture for
everyone
and we're all going to have to come and
grow up
to the view that as humans we're going
to make huge mistakes and hopefully
they're not so big that they're going to
ruin the rest of your life
but we're going to have to come around
to this view that we're all human
and we're going to have to be a little
bit more forgiving
and a little bit more tolerant when
people mess up and we're going to have
to be a little bit more humble when we
do
and like keep moving forward otherwise
you can't like cancel everyone
uh nicole this was an incredible hopeful
conversation
also
um
one that reveals
that in the shadows there's a lot of
challenges to be solved so i really
appreciate that you took on this really
difficult subject with your book that's
journalism at its best so i'm really
grateful that you did that you took the
risk that you took that on and that you
plugged the cable box back in that means
you have hope
um and thank you so much for spending
your valuable time with me today thank
you thanks for having me
thanks for listening to this
conversation with nicole perlroth to
support this podcast please check out
our sponsors in the description
and now let me leave you with some words
from nicole herself
here we are entrusting our entire
digital lives
passwords texts love letters banking
records health records credit cards
sources and deepest thoughts to this
mystery box
whose inner circuitry most of us would
never vet
run by code written in a language most
of us will never fully understand
thank you for listening and hope to see
you next time