If one site is hacked, you can just unleash all health.
We have stumbled into this new era of mutually assured digital distraction.
How far are people willing to go?
And you can capture their location, you can capture their contacts that record their
telephone calls, record their camera without them knowing about it.
Basically, you can put an invisible ankle bracelet on someone without them knowing.
You could sell that to a zero day broker for two million dollars.
The following is a conversation with Nicole Pearlroth,
cybersecurity journalist and author of This Is How They Tell Me The World Ends,
The Cyber Weapons Arm Race.
This is the Lex Friedman podcast.
To support it, please check out our sponsors in the description.
And now, dear friends, here's Nicole Pearlroth.
You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer
scientists, government officials, forensic investigators, and mercenaries.
So let's talk about cybersecurity and cyber war.
Start with the basics.
What is a zero day vulnerability and then a zero day exploit or attack?
So, at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS
software that no one else knows about, especially Apple.
That's called a zero day because the minute it's discovered,
engineers have had zero days to fix it.
If I can study that zero day, I could potentially write a program to exploit it.
And that program would be called a zero day exploit.
And for iOS, the dream is that you craft a zero day exploit that can remotely exploit
someone else's iPhone without them ever knowing about it.
And you can capture their location.
You can capture their contacts that record their telephone calls, record their camera
without them knowing about it.
Basically, you can put an invisible ankle bracelet on someone with a
phone without them knowing.
And you can see why that capability, that zero day exploit would have immense value
for a spy agency or a government that wants to monitor its critics or dissidents.
And so there's a very lucrative market now for zero day exploits.
So you said a few things there.
One is iOS.
Why iOS?
Which operating system?
Which one is the sexier thing to try to get to or the most impactful thing?
And the other thing you mentioned is remote versus like having to
actually come in physical contact with it.
Is that the distinction?
So iPhone exploits have just been a government's number one priority.
Recently, actually the price of an Android remote zero day exploit,
something that can get you into Android phones, is actually higher.
The value of that is now higher on this underground market for zero day exploits
than an iPhone iOS exploit.
So things are changing.
So there's probably more Android devices.
So that's why it's better.
But then the iPhone side, I'm an Android person because I'm a man of the people.
But it seems like all the elites use iPhone, all the people at nice dinner parties.
So is that the reason that the more powerful people use iPhones?
Is that why?
I don't think so.
I actually, so it was about two years ago that the price has flipped.
It used to be that if you could craft a remote zero click exploit for iOS,
then that was about as good as it gets.
You could sell that to a zero day broker for $2 million.
The caveat is you can never tell anyone about it because the minute you tell someone about it,
Apple learns about it, they patch it in that $2.5 million investment that that zero day broker
just made goes to dust.
So a couple of years ago, and don't quote me on the prices, but an Android zero click
remote exploit for the first time topped the iOS.
And actually a lot of people's read on that was that it might be a sign that Apple security
was falling and that it might actually be easier to find an iOS zero day exploit than
find an Android zero day exploit.
The other thing is market share.
There are just more people around the world that use Android and a lot of governments
that are paying top dollar for zero day exploits these days are deep pocketed governments in the
Gulf that want to use these exploits to monitor their own citizens, monitor their critics.
And so it's not necessarily that they're trying to find elites, it's that they want to find out
who these people are that are criticizing them or perhaps planning the next Arab Spring.
So in your experience, are most of these attacks targeted to cover a large population
or is there attacks that are targeted towards specific individuals?
So I think it's both.
Some of the zero day exploits that have fetched top dollar that I've heard of in my reporting in
the United States were highly targeted.
There was a potential terrorist attack.
They wanted to get into this person's phone.
It had to be done in the next 24 hours.
They approached hackers and say, we'll pay you X millions of dollars if you can do this.
But then you look at when we've discovered IOS zero day exploits in the wild,
some of them have been targeting large populations like Uighurs.
So a couple of years ago, there was a watering hole attack.
Okay, what's a watering hole attack?
There's a website.
It was actually had information aimed at Uighurs and you could access it all over the world.
And if you visited this website, it would drop an IOS zero day exploit onto your phone.
And so anyone that visited this website that was about Uighurs, anywhere,
I mean Uighurs, Uighurs living abroad, basically the Uighur diaspora would have got
an infected with this zero day exploit.
So in that case, they were targeting huge swaths of this one population or people
interested in this one population basically in real time.
Who are these attackers from the individual level to the group level?
Psychologically speaking, what's their motivation?
Is it purely money?
Is it the challenge?
Are they malevolent?
Is it power?
Or these are big philosophical human questions, I guess.
So these are the questions I set out to answer for my book.
I wanted to know, are these people that are just after money?
If they're just after money, how do they sleep at night?
Not knowing whether that zero day exploit they just sold to a broker is being used
to basically make someone's life a living hell.
And what I found was there's kind of this long sorted history to this question.
It started out in the 80s and 90s when hackers were just finding holes and bugs in software
for curiosity's sake, really as a hobby.
And some of them would go to the tech companies like Microsoft or Sun Microsystems at the time
or Oracle.
And they'd say, hey, I just found this zero day in your software and I can use it to break in
a NASA.
And the general response at the time wasn't, thank you so much for pointing out this flaw
and our software will get it fixed as soon as possible.
It was, don't ever poke around our software ever again or we'll stick our general counsel on you.
And that was really sort of the common thread for years.
And so hackers who set out to do the right thing were basically told to shut up and stop
doing what you're doing.
And what happened next was they basically started trading this information online.
Now, when you go back and interview people from those early days, they all tell a very
similar story, which is they're curious, they're tinkers.
You know, they remind me of like the kid down the block that was constantly poking around the
hood of his dad's car, you know, they just couldn't help themselves.
They wanted to figure out how a system is designed and how they could potentially
exploit it for some other purpose.
It doesn't have to be good or bad.
But they were basically kind of beat down for so long by these big tech companies that they
started just silently trading them with other hackers.
And that's how you got these really heated debates in the 90s about disclosure.
Should you just dump these things online because any script kitty can pick them up and use it
for all kinds of mischief.
But, you know, don't you want to just stick a middle finger to all these companies that are
basically threatening you all the time.
So there was this really interesting dynamic at play, and what I learned in the course of
doing my book was that government agencies and their contractors sort of tapped into
that frustration and that resentment, and they started quietly reaching out to hackers on
these forums.
And they said, Hey, you know, that zero day you just dropped online, could you could you
come up with something custom for me?
And I'll pay you six figures for it so long as you shut up and never tell anyone that
we that I paid you for this.
And that's what happened.
So throughout the 90s, there was a bunch of boutique contractors that started reaching
out to hackers on these forums and saying, Hey, I'll pay you six figures for that bug.
You were trying to get Microsoft to fix for free and sort of so began or so catalyzed
this market where governments and their intermediaries started reaching out to these hackers and
buying their bugs for free.
And in those early days, I think a lot of it was just for quiet counterintelligence,
traditional espionage.
But as we started baking the software, Windows software, Schneider Electric,
Siemens industrial software into our nuclear plants and our factories and our power grid
and our petrochemical facilities and our pipelines, those same zero days came to be
just as valuable for sabotage and war planning.
Does the fact that the market sprung up and you cannot make a lot of money change the
nature of the attackers that came to the table or grow the number of attackers?
I mean, what is, I guess you told the psychology of the hackers in the 90s, what is the culture
today and where is it heading?
So I think there are people who will tell you they would never sell a zero day to a
zero day broker or a government.
One, because they don't know how it's going to get used when they throw it over the fence.
You know, most of these get rolled into classified programs and you don't know how they get
used.
If you sell it to a zero day broker, you don't even know which nation state might use it
or potentially which criminal group might use it if you sell it on the dark web.
The other thing that they say is that they want to be able to sleep at night and they
lose a lot of sleep if they found out their zero day was being used to, you know, make
a dissident's life, living hell.
But there are a lot of people, good people, who are not going to be able to make a
goal, who also say, no, this is not my problem.
This is the technology company's problem.
If they weren't writing new bugs into their software every day, then there wouldn't be
a market, you know, then there wouldn't be a problem.
But they continue to write bugs into their software all the time and they continue to
profit off that software.
So why shouldn't I profit off my labor too?
And one of the things that has happened, which is I think a positive development over the last
10 years are bug bounty programs, you know, companies like Google and Facebook and then
Microsoft and finally Apple, which resisted it for a really long time, have said, okay,
we are going to shift our perspective about hackers.
We're no longer going to treat them as the enemy here.
We're going to start paying them for what it's essentially free quality assurance.
And we're going to pay them good money in some cases, you know, six figures in some cases.
We're never going to be able to bid against a zero day broker who sells to government
agencies, but we can reward them and hopefully get that to that bug earlier where we can
neutralize it so that they don't have to spend another year developing the zero day exploit.
And in that way, we can keep our software more secure.
But every week I get messages from some hacker that says, you know, I tried to see this zero
day exploit that was just found in the wild, you know, being used by this nation state.
I tried to tell Microsoft about this two years ago and they were going to pay me peanuts.
So it never got fixed, you know, there are all sorts of those stories that can continue on.
And, you know, I think just generally hackers are not very good at diplomacy, you know,
they tend to be pretty snipey, technical crowd and very philosophical in my experience.
But, you know, diplomacy is not their strong suit.
Well, there almost has to be a broker between companies and hackers.
We can translate effectively just like you have a zero day broker between governments and hackers.
Yeah.
Because you have to speak their language.
Yeah.
And there have been some of those companies who've risen up to meet that demand.
And Hacker One is one of them.
Bug Crowd is another.
CINAC has an interesting model.
So that's a company that you pay for a private bug bounty program essentially.
So you pay this company, they tap hackers all over the world to come hack your software,
hack your system, and then they'll quietly tell you what they found.
And I think that's a really positive development.
And actually, the Department of Defense hired all three of those companies,
I just mentioned, to help secure their systems.
Now, I think they're still a little timid in terms of letting those hackers into the really
sensitive, high side classified stuff, but, you know, baby steps.
Just to understand what you were saying, you think it's impossible for companies to
financially compete with the zero day brokers with governments,
so like the defense can't outpay the hackers?
It's interesting.
You know, they shouldn't outpay them because what would happen if they started offering
$2.5 million at Apple for any zero day exploit that governments would pay that much for
is their own engineers would say, why the hell am I working for less than that
and doing my nine to five every day?
So you would create a perverse incentive.
And I didn't think about that until I started this research and I realized,
okay, yeah, that makes sense.
You don't want to incentivize offense so much that it's to your own detriment.
And so I think what they have though, what the companies have on government agencies
is if they pay you, you get to talk about it.
You know, you get the street cred.
You get to brag about the fact you just found that $2.5 million, you know,
iOS zero day that no one else did.
And if you sell it to a broker, you never get to talk about it.
And I think that really does eat at people.
Can I ask you a big philosophical question about human nature here?
So if you have in what you've seen, if a human being has a zero day,
they found a zero day vulnerability that can hack into, I don't know,
what's the worst thing you can hack into something that could launch nuclear weapons.
Which percentage of the people in the world that have the skill would not share that with
anyone with any bad party.
I guess how many people are completely devoid of ethical concerns in your sense?
So my belief is all the ultra competent people or very, very high percentage of
ultra competent people are also ethical people.
That's been my experience.
But then again, my experience is narrow.
What's your experience been like?
So this was another question I wanted to answer.
Who are these people who would sell a zero day exploit that would neutralize
a Schneider electric safety lock at a petrochemical plant?
Basically the last thing you would need to neutralize before you trigger some kind of explosion.
Who would sell that?
And I got my answer.
Well, the answer was different.
A lot of people said, I would never even look there because I don't even want to know.
I don't even want to have that capability.
I don't even want to have to make that decision about whether I'm going to profit off of that knowledge.
I went down to Argentina and this whole kind of moral calculus I had in my head was completely
flipped around.
So just a backup for a moment.
So Argentina actually is a real hacker's paradise.
People grew up in Argentina and I went down there.
I guess I was there around 2015, 2016, but you still couldn't get an iPhone.
They didn't have Amazon Prime.
You couldn't get access to any of the apps we all take for granted.
To get those things in Argentina as a kid, you have to find a way to hack them.
And the whole culture is really like a hacker culture.
They say it's really like a MacGyver culture.
You have to figure out how to break into something with wire and tape.
And that means that there are a lot of really good hackers in Argentina who specialize in
developing zero-day exploits.
And I went down to this Argentina conference called Echo Party.
And I asked the organizer, okay, can you introduce me to someone who's selling zero-day exploits
to governments?
And he was like, just throw a stone, throw a stone anywhere and you're going to hit someone.
And all over this conference, you saw these guys who were clearly from these Gulf States
who only spoke Arabic.
What are they doing at a young hacking conference in Buenos Aires?
Oh boy.
Buenos Aires. And so I went out to lunch with kind of this godfather of the hacking scene
there.
And I asked this really dumb question and I'm still embarrassed about how I phrased it.
But I said, so, well, these guys only sell these zero-day exploits to good Western governments.
And he said, Nicole, last time I checked, the United States wasn't a good Western government.
You know, the last country that bombed another country into oblivion wasn't China or Iran.
It was the United States.
So if we're going to go by your whole moral calculus, you know, just know that we have
a very different calculus down here.
And we'd actually rather sell to Iran or Russia or China, maybe, than the United States.
And that just blew me away.
Like, wow.
You know, he's like, we'll just sell to whoever brings us the biggest bag of cash.
Have you checked into our inflation situation recently?
So, you know, I had some of those like reality checks along the way.
You know, we tend to think of things as, is this moral, you know, is this ethical,
especially as journalists, you know, we kind of sit on our high horse sometimes and
write about a lot of things that seem to push the moral bounds.
But in this market, which is essentially an underground market that, you know,
the one rule is like fight club, you know, no one talks about fight club.
First rule of the zero day market.
Nobody talks about the zero day market on both sides,
because the hacker doesn't want to lose their $2.5 million bounty and governments roll
these into classified programs and they don't want anyone to know what they have.
So no one talks about this thing.
And when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
Can I, as a small tangent, ask you by way of advice, you must have done some incredible interviews.
And you've also spoken about how serious you take protecting your sources.
If you were to give me advice for interviewing when you're recording on mic with a video camera,
how is it possible to get into this world?
Like, is it basically impossible?
So you've spoken with a few people.
What is it like the godfather of cyber war, cyber security?
So people that are already out.
And they still have to be pretty brave to speak publicly.
But is it virtually impossible to really talk to anybody who's a current hacker?
You're always like 10, 20 years behind.
It's a good question.
And this is why I'm a print journalist.
But when I've seen people do it, it's always the guy who's behind the shadows,
whose voice has been altered.
When they've gotten someone on camera, that's usually how they do it.
Very, very few people talk in this space.
And there's actually a pretty well-known case study in why you don't talk publicly in this space
and you don't get photographed.
And that's the gruck.
So, you know, the gruck is or was this zero-day broker, South African guy lives in Thailand.
And right when I was starting on this subject at the New York Times,
he'd given an interview to Forbes and he talked about being a zero-day broker.
And he even posed next to this giant defil bag filled with cash ostensibly.
And later he would say he was speaking off the record.
He didn't understand the rules of the game.
But what I heard from people who did business with him was that the minute that that story
came out, he became PNG'd.
No one did business with him.
His business plummeted by at least half.
No one wants to do business with anyone who's going to get on camera
and talk about how they're selling zero-days to governments.
It puts you at danger.
And I did hear that he got some visits from some security folks.
And, you know, that's another thing for these people to consider.
You know, if they have those zero-day exploits at their disposal,
they become a huge target for nation-states all over the world.
You know, talk about having perfect opsec.
You know, you better have some perfect opsec if people know that you have access to those zero-day exploits.
Which sucks because, I mean, transparency here.
Would be really powerful for educating the world and also inspiring other engineers to do good.
It just feels like when you operate in the shadows, it doesn't help us move in the positive
direction in terms of, like, getting more people on the defense side versus on the attack side.
Right.
But of course, what can you do?
I mean, the best you can possibly do is have great journalists just like you did interview
and write books about it and integrate the information you get while hiding.
Yeah, and I think, you know, what hacker one has told me was,
okay, let's just put away the people that are finding and developing zero-day exploits
all day long.
Let's put that aside.
What about the, you know, however many millions of programmers all over the world who've never
even heard of a zero-day exploit?
Why not tap into them and say, hey, we'll start paying you if you can find a bug in
United Airlines software or in Schneider Electric or in Ford or Tesla.
And I think that is a really smart approach.
Let's go find this untapped army of programmers to neutralize these bugs before the people who
will continue to sell these to governments can find them and exploit them.
Okay, I have to ask you about this from a personal side.
It's funny enough, after we agreed to talk, I've gotten for the first time in my life
was a victim of a cyber attack.
So this is ransomware.
It's called Deadbolt.
People can look it up.
I have a QNAP device for basically kind of coldish storage.
So it's about 60 terabytes with 50 terabytes of data on it in RAID 5.
And apparently about 4,000 to 5,000 QNAP devices were hacked and taken over with this ransomware.
And what ransomware does there is it goes file by file almost all the files on the QNAP
storage device and encrypts them.
And then there's this very eloquently and politely written page that pops up.
You know, it describes what happened.
All your files have been encrypted.
This includes but is not limited to photos, documents and spreadsheets.
Why me?
This is a lot of people commented about how friendly and eloquent this is.
And I have to commend them.
It is and it's pretty user friendly.
Why me?
This is not a personal attack.
You have been targeted because of the inadequate security provided by your vendor QNAP.
What now?
You can make a payment of exactly 0.03 Bitcoin, which is about $1,000 to the following address.
Once the payment has been made, we'll follow up with transaction to the same address, blah,
blah, blah.
They give you instructions of what happens next and they'll give you a decryption key
that you can then use.
And then there's another message for QNAP that says all your affected customers have
been targeted using a zero day vulnerability in your product.
We offer you two options to mitigate this and future damage.
One, make a Bitcoin payment of five Bitcoin to the following address and that will reveal
to QNAP the, I'm summarizing things here, what the actual vulnerability is.
Or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your
customers.
50 Bitcoin is about $1.8 million.
Okay.
Okay. So first of all, on a personal level, this one hurt for me.
There's, I mean, I learned a lot because I wasn't, for the most part, backing up much
of that data because I thought I can afford to lose that data.
It's not like horrible.
I mean, I think you've spoken about the crown jewels, like making sure there's things you
really protect and I have things, I have, you know, I'm very conscious security-wise
on the crown jewels, but there's a bunch of stuff like, you know, personal videos.
They're not like, I don't know anything creepy, but just like fun things I did that because
they're very large or 4k or something like that, I kept them on there.
Thinking raid five will protect it.
You know, just I lost a bunch of stuff, including raw footage from interviews and all that kind
of stuff. So it's painful.
And I'm sure there's a lot of painful stuff like that for the 4,000 to 5,000 people that
use QNAP. And there's a lot of interesting ethical questions here.
Do you pay them? Does QNAP pay them? Do the individuals pay them?
Especially when you don't know if it's going to work or not.
Do you wait? So QNAP said that, please don't pay them.
We're working very hard day and night to solve this.
It's so philosophically interesting to me because I also project on to them thinking,
what is their motivation? Because the way they phrase that on purpose, perhaps,
but I'm not sure if that actually reflects their real motivation is maybe they're trying
to help themselves sleep at night, basically saying, this is not about you.
This is about the company with the vulnerability. It's just like you mentioned,
this is the justification they have, but they're hurting real people.
They hurt me, but I'm sure there's a few others that are really hurt.
And the zero day factor is a big one. That their QNAP right now is trying to figure out
what the hell is wrong with their system that would let this in. And even if they pay,
if they still don't know where the zero day is, what's to say that they won't just hit
them again and hit you again. So that really complicates things. And that is a huge advancement
for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen
ransomware exploit zero days to pull these off. Usually 80% of them, I think the data shows,
80% of them come down to a lack of two factor authentication. So when someone gets hit by
a ransomware attack, they don't have two factor authentication on,
their employees were using stupid passwords. You can mitigate that in the future.
This one, they don't know. They probably don't know.
Yeah. And it was, I guess it's zero click because I didn't have to do anything.
The only thing I, well, you know, here's the thing. I did, you know, basics of, you know,
I put it behind a firewall, I follow the instructions, but like I wasn't, I didn't
really pay attention. So maybe there's like, maybe there's a misconfiguration of some sort
that's easy to make. It's difficult. We have a personal NAS. So I don't, I'm not willing to sort
of say that I did everything I possibly could. But I did a lot of reasonable stuff and they
still hit it with zero clicks. I didn't have to do anything.
Yeah. Well, it's like a zero day and it's a supply chain attack. You know, you're getting hit
from your supplier. You're getting hit because of your vendor. And it's also a new thing for
ransomware groups to go to the individuals to pressure them to pay. There was this really
interesting case. I think it was in Norway where there was a mental health clinic that got hit.
And the cyber criminals were going to the patients themselves to say, pay this, or we're going to
release your psychiatric records. I mean, talk about hell. In terms of whether to pay, you know,
that is on the cheaper end of the spectrum. From the individual or from the company?
Both. You know, we've seen, for instance, there was an Apple supplier in Taiwan.
They got hit and the ransom demand was 50 million. You know, I'm surprised it's only 1.8 million.
I'm sure it's going to go up. And it's hard. You know, there's obviously governments and
maybe in this case, the company are going to tell you, we recommend you don't pay or please don't pay.
But the reality on the ground is that some businesses can't operate. Some countries can't
function. I mean, the under reported storyline of colonial pipeline was after the company got hit
and took the preemptive step of shutting down the pipeline because they're billing systems
were frozen. They couldn't charge customers downstream. My colleague, David Zanger, and I
got our hands on a classified assessment that said that as a country, we could have only afforded
two to three more days of colonial pipeline being down. And it was really interesting.
I thought it was the gas and the jet fuel, but it wasn't. You know, we were sort of prepared for that.
It was the diesel. Without the diesel, the refineries couldn't function. And it would have
totally screwed up the economy. And so there was almost this like national security, economic
impetus for them to pay this ransom. And the other one I always think about is Baltimore.
You know, when the city of Baltimore got hit, I think the initial ransom demand was something
around 76,000. It may have even started smaller than that. And Baltimore stood its ground and didn't
pay. But ultimately, the cost to remediate was $18 million. It's a lot for the city of Baltimore.
That's money that could have gone to public school education and roads and public health. And instead,
it just went to rebuilding the systems from scratch. And so a lot of residents in Baltimore
were like, why the hell didn't you pay the $76,000? So it's not obvious. It's easy to say,
don't pay because why you're funding their R&D for the next go round. But it's too often,
it's too complicated. So on the individual level, just like, you know, the way I feel personally
from this attack, have you talked to people that were kind of victims in the same way I was,
but maybe more dramatic ways or so on, you know, in the same way that violence
hurts people? Yeah. How much does this hurt people in your sense and the way you researched it?
The worst ransomware attack I've covered on a personal level was an attack on a hospital in
Vermont. And, you know, you think of this as like, okay, it's hitting their IT networks,
they should still be able to treat patients. But it turns out that cancer patients couldn't get
their chemo anymore, because the protocol of who gets what is very complicated and without it,
the nurses and doctors couldn't access it. So they were turning chemo patients away, cancer
patients away. One nurse told us, I don't know why people aren't screaming about this, that the only
thing I've seen that even compares to what we're seeing at this hospital right now was when I
worked in the burn unit after the Boston Marathon bombing. You know, they really put it in these
super dramatic terms. And last year, there was a report in the Wall Street Journal where they
attributed an infant death to a ransomware attack because a mom came in and whatever device they
were using to monitor the fetus wasn't working because of the ransomware attack. And so they
attributed this infant death to the ransomware attack. Now, on a bigger scale, but less personal,
when there was the not-pecha attack, so this was an attack by Russia on Ukraine that came at them
through a supplier attacks software company in that case, that didn't just hit any government
agency or business in Ukraine that use this tax software, it actually hit any business all over
the world that had even a single employee working remotely in Ukraine. So it hit Marist, the shipping
company, but hit Pfizer, hit FedEx, but the one I will never forget is Merck. It paralyzed Merck's
factories. I mean, it really created an existential crisis for the company. Merck had to tap into the
CDC's emergency supplies of the Gardasil vaccine that year because their whole vaccine production
line had been paralyzed in that attack. Imagine if that was going to happen right now to Pfizer or
Moderna or Johnson & Johnson. Imagine. I mean, that would really create a global cyber-terrorist
attack essentially. And that's almost unintentional. I thought for a long time, I always labeled it as
collateral damage. But actually, just today, there was a really impressive threat researcher
at Cisco, which has the threat intelligence division called TALOS, who said, stop calling it
collateral damage. They could see who was going to get hit before they deployed that malware.
It wasn't collateral damage. It was intentional. They meant to hit any business that did business
with Ukraine. It was to send a message to them, too. So I don't know if that's accurate. I always
thought of it as sort of the sloppy collateral damage, but it definitely made me think.
So how much of this between states is going to be a part of war, these kinds of attacks on
Ukraine, between Russia and US, Russia and China, China and US? Let's look at China and US. Do you
think China and US are going to escalate something that would be called a war purely in the space
of cyber? I believe any geopolitical conflict from now on is guaranteed to have some cyber element
to it. The Department of Justice recently declassified a report that said China's been hacking
into our pipelines, and it's not for intellectual property theft. It's to get a foothold so that
if things escalate in Taiwan, for example, they are where they need to be to shut our pipelines
down, and we just got a little glimpse of what that looked like with colonial pipeline and the
panic buying and the jet fuel shortages and that assessment I just mentioned about the diesel.
So they're there. They've got in there. Anytime I read a report about new aggression
from fighter jets, Chinese fighter jets in Taiwan, or what's happening right now with
Russia's buildup on the Ukraine border, or India, Pakistan, I'm always looking at it through a
cyber lens, and it really bothers me that other people aren't because there is no way that these
governments and these nation states are not going to use their access to gain some advantage
in those conflicts. And I'm now in a position where I'm an advisor to the cybersecurity
infrastructure security agency at DHS. So I'm not saying anything classified here, but I just think
that it's really important to understand just generally what the collateral damage could be
for American businesses and critical infrastructure in any of these escalated conflicts around the
world. Because just generally, our adversaries have learned that they might never be able to
match us in terms of our traditional military spending on traditional weapons and fighter jets.
But we have a very soft underbelly when it comes to cyber. 80% or more of America's
critical infrastructure. So pipelines, power grid, nuclear plants, water systems
is owned and operated by the private sector. And for the most part, there is nothing out there
legislating that those companies share the fact they've been breached. They don't even have to
tell the government they've been hit. There's nothing mandating that they even meet a bare
minimum standard of cybersecurity. And that's it. So even when there are these attacks most
the time, we don't even know about it. So that is, if you were going to design a system to be as
blind and vulnerable as possible, that's pretty good. That's what it looks like
is what we have here in the United States. And everyone here is just operating like,
let's just keep hooking up everything for convenience. Software eats the world.
Let's just keep going for cost, for convenience sake, just because we can. And when you study
these issues and you study these attacks and you study the advancement and the uptick in
frequency and the lower barrier to entry that we see every single year, you realize just how dumb
software eats world is. And no one has ever stopped to pause and think,
should we be hooking up these systems to the internet?
They've just been saying, can we? Let's do it. And that's a real problem. And this,
and just in the last year, you know, we've seen a record number of zero day attacks. I think there
were 80 last year, which is probably more than double what it was in 2019. A lot of those were
nation states. You know, we live in a world with a lot of geopolitical hot points right now.
And where those geopolitical hot points are are places where countries have been investing heavily
in offensive cyber tools. If you're a nation state, the goal would be to maximize the footprint of
zero day, like super secret zero day that nobody's aware of. And whenever war is initiated, the huge
negative effects of shutting down infrastructure or any kind of zero day is the chaos it creates.
So if you just, there's a certain threshold when you create the chaos, the market's plummeted,
just everything goes, goes to hell. So it's not just zero days, you know, we make it so easy
for, for threat actors. I mean, we're not using two factor authentication. We're not patching.
There was the shell shock vulnerability that was discovered a couple years ago. It's still
being exploited because so many people haven't fixed it. So, you know, the zero days are really
the sexy stuff. And what really got drew me to the zero day market was the moral calculus we
talked about. Particularly from, you know, the US government's point of view, how do they justify
leaving these systems so vulnerable when we use them here? And we're baking more of our critical
infrastructure with this vulnerable software. You know, it's not like we're using one set of
technology and Russia is using another and China is using this, we're all using the same technology.
So when you find a zero day in Windows, you know, you're not just leaving it open so you can spy on
Russia or implant yourself in the Russian grid, you're leaving Americans vulnerable too. But,
you know, but zero days are like, that is the secret sauce, you know, that's the, that's the
superpower. You know, and I, and I always say like every country now with the exception of
Antarctica, someone added the Vatican to my list is trying to find offensive hacking tools and
zero days to make them work. And those that don't have the skills now have this market that they
can tap into where, you know, $2.5 million that's chump change for a lot of these nation states.
It's a hell of a lot less than trying to build the next fighter jet. But yeah, the goal is chaos.
I mean, why did Russia turn off the lights twice in Ukraine? You know, I think part of it is chaos.
I think part of it is to, to sow the seeds of doubt in their current government. Your government
can't even keep your lights on. Why are you sticking with them? You know, come over here
and we'll keep your lights on at least. You know, there's like a little bit of that.
Nuclear weapons seems to have helped prevent nuclear war. Is it possible that we have so
many vulnerabilities and so many attack vectors on each other that it will kind of achieve the same
kind of equilibrium like mutually assured destruction? Yeah, that's one hopeful solution
to this. Do you have any hope for this particular solution? You know, nuclear analogies always
tend to fall apart when it comes to cyber, mainly because you don't need fissile material. You know,
you just need a laptop and the skills and you're in the game. So it's a really low barrier to entry.
The other thing is attributions harder. And we've seen countries muck around with attribution.
We've seen, you know, nation states piggyback on other countries by operations and just sit there
and siphon out whatever they're getting. We learned some of that from the Snowden documents.
We've seen Russia hack into Iran's command and control attack servers. We've seen them hit
a Saudi petrochemical plant where they did neutralize the safety locks at the plant and
everyone assumed that it was Iran, given Iran had been targeting Saudi oil companies forever.
But nope, it turned out that it was a graduate research institute outside Moscow. So you see
countries kind of playing around with attribution. Why? I think because they think, okay, if I do
this, like, how am I going to cover up that it came from me because I don't want to risk the
response? So people are sort of dancing around this. It's just in a very different way. And
you know, at the times I'd covered the Chinese hacks of infrastructure companies like pipelines.
I'd covered the Russian probes of nuclear plants. I'd covered the Russian attacks on the Ukraine
grid. And then in 2018, my colleague David Sanger and I covered the fact that U.S. Cyber Command
had been hacking into the Russian grid and making a pretty loud show of it. And when we went to the
National Security Council, because that's what journalists do before they publish a story,
they give the other side a chance to respond, I assumed we would be in for that really awkward,
painful conversation where they would say, you will have blood on your hands if you publish this
story. And instead, they gave us the opposite answer. They said, we have no problem with you
publishing this story. Why? Well, they didn't say it out loud, but it was pretty obvious they wanted
Russia to know that we're hacking into their power grid too. And they better think twice
before they do to us what they had done to Ukraine. So yeah, you know, we have stumbled
into this new era of mutually assured digital destruction. I think another sort of
quasi norm we've stumbled into is proportional responses. You know, there's this idea that
if you get hit, you're allowed to respond proportionally at a time and place of your
choosing. You know, that is how the language always goes. That's what Obama said after North
Korea hit Sony. We will respond at a time and place of our choosing. But no one really knows
like what that response looks like. And so what you see a lot of the time are just these like,
just short of war attacks. You know, Russia turned off the power in Ukraine, but it wasn't like it
stayed off for a week. It stayed off for a number of hours. You know, not Petya hit those companies
pretty hard, but no one died. You know, and the question is what's going to happen when someone
dies? And can a nation state masquerade as a cyber criminal group as a ransomware group?
And that's what really complicates coming to some sort of digital Geneva convention.
Like there's been, there's been a push from Brad Smith at Microsoft. We need a digital Geneva
convention. And on its face, it sounds like a no brainer. Yeah. Why wouldn't we all agree to stop
hacking into each other's civilian hospital systems, elections, power grid, pipelines?
But when you talk to people in the West, officials in the West, they'll say, we would never,
we'd love to agree to it, but we'd never do it when you're dealing with she or Putin or Kim Jong
Un, because a lot of times they outsource these operations to cyber criminals. In China, we see
a lot of these attacks come from this loose satellite network of private citizens that work at the
behest of the Ministry of State Security. So how do you come to some sort of state to state agreement
when you're dealing with transnational actors and cyber criminals where it's really hard to pin
down whether that person was acting alone or whether they were acting at the behest of the
MSS or the FSB? And, you know, a couple of years ago, I remember, can't remember if it was before
or after not pet you, but Putin said, hackers are like artists who wake up in the morning
in a good mood and start painting. In other words, I have no say over what they do or don't do.
So how do you come to some kind of norm when that's how he's talking about these issues and
he's just decimated Merck and Pfizer and another, however many thousand companies?
That is the fundamental difference between nuclear weapons and cyber attacks is the
attribution or one of the fundamental differences. If you can fix one thing in the world in terms
of cybersecurity, that would make the world a better place. What would you fix? So you're not
allowed to fix like authoritarian regimes and you have to keep that. You have to keep human nature
as it is. In terms of on the security side, technologically speaking, you mentioned there's
no regulation on companies in the United States. What if you could just fix the snap of a finger?
What would you fix? Two-factor authentication, multi-factor authentication. It's ridiculous
how many of these attacks come in because someone didn't turn on multi-factor authentication.
I mean, colonial pipeline, okay? They took down the biggest conduit for gas, jet fuel,
and diesel to the east coast of the United States of America. How? Because they forgot to deactivate
an old employee account whose password had been traded on the dark web and they'd never turned
on two-factor authentication. This water treatment facility outside Florida was hacked last year.
How did it happen? They were using Windows XP from like a decade ago that can't even get patches
if you want it to and they didn't have two-factor authentication. Time and time again, if they
just switched on two-factor authentication, some of these attacks wouldn't have been possible.
Now, if I could snap my fingers, that's a thing I would do right now. But of course,
this is a cat and mouse game and then the attacker's on to the next thing. But I think right now,
that is like bar none. That is the easiest, simplest way to deflect the most attacks.
And the name of the game right now isn't perfect security. Perfect security is impossible. They
will always find a way in. The name of the game right now is make yourself a little bit harder
to attack than your competitor than anyone else out there, so that they just give up and move
along. And maybe if you are a target for an advanced nation state or the SVR, you're going to get
hacked no matter what. But you can make cyber criminal groups deadbolt, is it? You can make
their jobs a lot harder simply by doing the bare basics. And the other thing is stop reusing your
passwords. But if I only get one, then two-factor authentication. So what is two-factor authentication?
Factor one is what logging in with a password. And factor two is like have another device
or another channel through which you can confirm, yeah, that's me. Yes. Usually this happens through
some kind of text. You get your one-time code from Bank of America or from Google. The better way to
do it is spend $20 buying yourself a Fido key on Amazon. That's a hardware device. And if you
don't have that hardware device with you, then you're not going to get in. And the whole goal is,
I mean, basically, my first half of my decade at the times was spent covering the copy. It was like
Home Depot got breached, News at 11, Target, Neiman Marcus, who wasn't hacked over the course
of those five years. And a lot of those companies that got hacked, what did hackers take? They took
the credentials. They took the passwords. They can make a pretty penny selling them on the dark
web. And people reuse their passwords. So you get one from God knows who. I don't know. Last pass.
Worst case example, actually last pass. But you get one, and then you go test it on their email
account, and you go test it on their brokerage account, and you test it on their cold storage
account. That's how it works. But if you have multi-factor authentication, then they can't get
in because they might have your password, but they don't have your phone. They don't have your Fido
key. And so you keep them out. And I get a lot of alerts that tell me someone is trying to get
into your Instagram account or your Twitter account or your email account. And I don't worry
because I use multi-factor authentication. They can try all day. Okay, worry a little bit. But
it's the simplest thing to do, and we don't even do it.
Well, there's an interface aspect to it because it's pretty annoying if it's implemented poorly.
Yeah. So actually bad implementation of two-factor authentication,
not just bad, but just something that adds friction is a security vulnerability, I guess,
because it's really annoying. I think MIT for a while had two-factor authentication. It was
really annoying. The number of times it pings you, it asks to re-authenticate across multiple
subdomains. It just feels like a pain. I don't know what the right balance there.
It feels like friction in our frictionless society. It feels like friction. It's annoying.
That's security's biggest problem. It's annoying. We need the Steve Jobs of security to come along
and we need to make it painless. And actually, on that point, Apple has probably done more
for security than anyone else simply by introducing biometric authentication, first with the
fingerprint and then with face ID. And it's not perfect, but if you think just eight years ago,
everyone was running around with either no passcode, an optional passcode, or four-digit
passcode on their phone that anyone, think of what you can get when you get someone's iPhone,
if you steal someone's iPhone. And props to them for introducing the fingerprint and face ID.
And again, it wasn't perfect, but it was a huge step forward. Now it's time to make another huge
step forward. I want to see the password die. I mean, it's gotten us as far as it was ever
going to get us. And I hope whatever we come up with next is not going to be annoying,
is going to be seamless. When I was at Google, that's what we worked on is,
and there's a lot of ways to call it, active authentication, passive authentication. So
basically use biometric data, not just like a fingerprint, but everything from your body
to identify who you are, like movement patterns. So it basically creates a lot of layers of protection
where it's very difficult to fake, including face unlock, checking that it's your actual face,
like the liveness tests. So from video, so unlocking it with video, voice, the way you
move the phone, the way you take it out of the pocket, that kind of thing, all of those factors.
It's a really hard problem though. And ultimately, it's very difficult to beat the password
to have a security. Well, there's a company that I actually will call out and that's abnormal
security. So they work on email attacks. And it was started by a couple guys who were doing,
I think, ad tech at Twitter. So ad technology now, it's a joke how much they know about us.
You always hear the conspiracy theories that you saw someone's shoes and next thing you know,
it's on your phone. It's amazing what they know about you. And they're basically taking that
and they're applying it to attacks. So they're saying, okay, this is what your email patterns are.
It might be different for you and me because we're emailing strangers all the time.
But for most people, their email patterns are pretty predictable. And if something
strays from that pattern, that's abnormal. And they'll block it, they'll investigate it.
And that's great. Let's start using that kind of targeted ad technology to protect people.
And yeah, I mean, it's not going to get us away from the password and using multi-factor
authentication, but the technology is out there. And we just have to figure out how to use it in
a really seamless way because it doesn't matter if you have the perfect security solution,
if no one uses it. I mean, when I started at the times, when I was trying to be really good about
protecting sources, I was trying to use PGP encryption. And it's like, it didn't work.
You know, the number of mistakes I would probably make just trying to email someone
with PGP just wasn't worth it. And then Signal came along. And Signal made it a wicker.
You know, they made it a lot easier to send someone an encrypted text message. So we have
to start investing in creative minds in good security design. You know, I really think that's
the hack that's going to get us out of where we are today.
What about social engineering? Do you worry about this sort of hacking people?
Yes. I mean, this is the worst nightmare of every chief information security officer out there.
You know, social engineering, we work from home now. I saw this woman posted online about how
her husband, it went viral today, but it was her husband had this problem at work. They hired a guy
named John. And now the guy that shows up for work every day doesn't act like John.
I mean, think about that. Like think about the potential for social engineering in that context.
You know, you apply for a job, and you put on a pretty face, you hire an actor or something,
and then you just get inside the organization and get access to all that organization's data.
You know, a couple of years ago, Saudi Arabia planted spies inside Twitter. You know, why?
Probably because they were trying to figure out who these people were who were criticizing
the regime on Twitter. You know, they couldn't do it with a hack from the outside. So why not
plant people on the inside? And that's like the worst nightmare. And it also, unfortunately,
it creates all kinds of xenophobia at a lot of these organizations. I mean, if you're going to
have to take that into consideration, then organizations are going to start looking really
skeptically and suspiciously at someone who applies for that job from China. And we've seen that go
really badly at places like the Department of Commerce, where they basically accuse people
of being spies that aren't spies. So it is the hardest problem to solve. And it's never been
harder to solve than right at this very moment, when there's so much pressure for companies to
let people work remotely. That's actually why I'm single. I'm suspicious that China and Russia,
every time I meet somebody, are trying to plant and get insider information. So I'm very, very
suspicious. I keep putting the Turing test in front. No, I have a friend who worked inside NSA
and was one of their top hackers. And he's like, every time I go to Russia, I get hit on by these
10s. And I come home, my friends are like, I'm sorry, you're not a 10. The common story.
I mean, it's difficult to trust humans in this day and age online. Because so we're working
remotely. That's one thing. But just interacting with people on the internet. It sounds ridiculous.
But because of this podcast in part, I've gotten to meet some incredible people. But it
you know, it makes you nervous to trust folks. And I don't know how to solve that problem.
So I'm talking with Mark Zuckerberg who dreams about creating the metaverse.
What do you do about that world where more and more our lives is in the digital sphere? Like
one way to phrase it is most of our meaningful experiences at some point will be online. Like
falling in love, getting a job, or experiencing a moment of happiness with a friend, with a new
friend made online, all of those things, like more and more, the fun we do, the things that make us
love life will happen online. And if those things have an avatar that's digital, that's like a way
to hack into people's minds, whether it's with AI or kind of troll farms or something like that.
I don't know if there's a way to protect against that. That might fundamentally rely
on our faith in how good human nature is. So if most people are good, we're going to be okay.
But if people will tend towards manipulation and unlevelment behavior in search of power,
then we're screwed. So I don't know if you can comment on how to keep the metaverse secure.
Yeah. I mean, all I thought about when you were talking just now is my three-year-old son.
Yeah. He asked me the other day, what's the internet, mom? And I just almost wanted to cry.
I don't want that for him. I don't want all of his most meaningful experiences to be online.
By the time that happens, how do you know that person's human, that avatar's human?
I believe in free speech. I don't believe in free speech for robots and bots.
Look what just happened over the last six years. We had bots pretending to be
Black Lives Matter activists just to sow some division, or Texas secessionists, or organizing
anti-Hillary protests, or just to sow more division, to tie us up in our own politics,
so that we're so paralyzed. We can't get anything done. We can't make any progress.
And we definitely can't handle our adversaries and their long-term thinking. It really scares me.
And here's where I just come back to just because we can create the metaverse,
you know, just because it sounds like the next logical step in our digital revolution.
Do I really want my child's most significant moments to be online? They weren't for me,
you know? So maybe I'm just stuck in that old school thinking, or maybe I've seen too much.
And I'm really sick of being the guinea pig parent generation for these things.
I mean, it's hard enough with screen time. Thinking about how to manage the metaverse
as a parent to a young boy, I can't even let my head go there. That's so terrifying for me.
But we've never stopped any new technology just because it introduces risks.
We've always said, okay, the promise of this technology means we should keep going,
keep pressing ahead. We just need to figure out new ways to manage that risk.
And, you know, that's the blockchain right now. Like, when I was covering all of these ransomware
attacks, I thought, okay, this is going to be it for cryptocurrency. You know, governments are
going to put the kibosh down. They're going to put the hammer down and say, enough is enough.
Like, we have to put this genie back in the bottle because it's enabled ransomware. I mean,
five years ago, they would hijack your PC and they'd say, go to the local pharmacy, get a e-gift
card and tell us what the pin is, and then we'll get your $200. Now it's pay us, you know, five
Bitcoin. And so there's no doubt cryptocurrencies enabled ransomware attacks. But after the colonial
pipeline ransom was seized, because if you remember, the FBI was actually able to go in
and claw some of it back from dark side, which was the ransomware group that hit it.
And I spoke to these guys at TRM Labs. So they're one of these blockchain intelligence companies.
And a lot of people that work there used to work at the Treasury. And what they said to me was,
yeah, cryptocurrency has enabled ransomware. But to track down that ransom payment would have
taken, you know, if we were dealing with fiat currency, would have taken us years to get to that
one bank account or belonging to that one front company in the Seychelles. And now, thanks to
the blockchain, we can track the movement of those funds in real time. And you know what?
You know, these payments are not as anonymous as people think. Like, we still can use our old
hacking ways in zero days and, you know, old school intelligence methods to find out who
owns that private wallet and how to get to it. So it's a, it's a curse in some ways, and that
it's an enabler, but it's also a blessing. And they said that same thing to me that I just said
to you, they said, we've never shut down a promising new technology because it introduced
risk. We just figured out how to manage that risk. And I think that's where the conversation,
unfortunately, has to go is how do we, in the metaverse use technology to, to fix things.
So maybe we'll finally be able to not finally, but figure out a way to solve the identity
problem on the internet, meaning like a blue checkmark for actual human and connected to identity,
like a fingerprint. So you can prove your you, and yet do it in a way that doesn't involve the
company having all your data. So giving you, allowing you to maintain control over your data,
or if you don't, then there's a complete transparency of how that data is being used,
all those kinds of things. And maybe as you educate more and more people,
they would demand in a capitalist society that the companies that they give their data to
will respect that data. Yeah. I mean, there is this company, and I hope they succeed,
their name's PIIano, Piano. And they want to create a vault for your personal information
inside every organization. And ultimately, if I'm going to call Delta Airlines to book a flight,
they don't need to know my social security number. They don't need to know my birth date.
They're just going to send me a one-time token to my phone. My phone's going to say,
or my Fido key is going to say, yep, it's her. And then we're going to talk about my identity
like a token, you know, some random token, they don't need to know exactly who I am. They just
need to know I am the system trust that I am who I say I am, but they don't get access to my PII data.
They don't get access to my social security number, my location, or the fact I'm a Times
journalist. I think that's the way the world's going to go. We have enough is enough on sort of
losing our personal information everywhere, letting data marketing companies track our every move.
They don't need to know who I am. Okay, I get it. We're stuck in this world where
the internet runs on ads. So ads are not going to go away, but they don't need to know I'm Nicole
Perlera. They can know that I am token number, you know, X567.
And they can let you know what they know and give you control about removing the things they know.
Yeah, right to be forgotten.
To me, you should be able to walk away with a single press of a button.
And I also believe that most people, given the choice to walk away, won't walk away.
They'll just feel better about having the option to walk away when they understand the trade-offs.
If you walk away, you're not going to get some of the personalized experiences that you would
otherwise get, like a personalized feed and all those kinds of things. But the freedom to walk away
is, I think, really powerful. And obviously, what you're saying, there's all of these HTML forms
where you have to enter your phone number and email and private information from Delta, every
single airline. New York Times. I have so many opinions on this. Just the friction and the sign
up and all of those kinds of things. I should be able to, this has to do with everything.
This has to do with payment too. Payment should be trivial. It should be one click
and one click to unsubscribe and subscribe and one click to provide all of your information
that's necessary for the subscription service, for the transaction service, whatever that is
getting a ticket, as opposed to, I have all these fake phone numbers and emails that I use in
Delta sign up because you never know if one site is hacked, then it's just going to propagate
to everything else. Yeah. And there's low hanging fruit and I hope Congress
does something. And frankly, I think it's negligent they haven't on the fact that elderly people
are getting spammed to death on their phones these days with fake car warranty scams.
And I mean, my dad was in the hospital last year and I was in the hospital room and his phone kept
buzzing and I look at it and it's just spam attack after spam attack, people nonstop calling about
his freaking car warranty, why they're trying to get his social security number. They're trying to
get his PII. They're trying to get this information. We need to figure out how to put those people
in jail for life. And we need to figure out why in the hell we are being required or asked to
hand over our social security number and our home address and our password, all of that information
to every retailer who asks. I mean, that's insanity. And there's no question they're not
protecting it because it keeps showing up in spam or identity theft or credit card theft afterwards.
Well, spam is getting better. And maybe I need to, as a side note, make a public announcement,
please clip this out, which is if you get an email or a message from Lex Friedman saying,
how much I, Lex, appreciate you and love you and so on. And please connect with me on my WhatsApp
number and I will give you Bitcoin or something like that. Please do not click. And I'm aware
that there's a lot of this going on, a very large amount. I can't do anything about it. This is on
every single platform. It's happening more and more and more, which I've been recently informed
that they're not emailing. So it's cross-platform. They're taking people's, they're somehow,
this is fascinating to me because they are taking people who comment on various social platforms
and they somehow reverse engineer, they figure out what their email is and they send an email to
that person saying from Lex Friedman and it's like a heartfelt email with links. It's fascinating
because it's cross-platform now. It's not just a spam bot that's messaging and a comment that's in
reply. They are saying, okay, this person cares about this other person on social media. So I'm
going to find another channel, which in their mind probably increases and it does the likelihood
that they'll get the people to click and they do. I don't know what to do about that. It makes me
really, really sad, especially with podcasting. There's an intimacy that people feel connected
and they get really excited. Okay, cool. I want to talk to Lex and they click and I get angry at
the people that do this. It's like the John that gets hired, the fake employee. I don't know what
to do about that. I suppose the solution is education. It's telling people to be skeptical
and stuff they click. That's the balance for the technology solution of creating a
maybe like two-factor authentication and maybe helping identify things that are likely to be
spam. I don't know, but then the machine learning there is tricky because you don't want to add a
lot of extra friction that just annoys people because they'll turn it off because you have the
accept cookies thing, right? That everybody has to click on us and now they completely ignore
the accept cookies. This is very difficult to find that frictionless security. You mentioned
Snowden. You've talked about looking through the NSA documents he leaked and doing the hard work of
that. What do you make of Edward Snowden? What have you learned from those documents? What do you
think of him? In the long arc of history, is Edward Snowden a hero or a villain?
I think he's neither. I have really complicated feelings about Edward Snowden. On the one end,
I'm a journalist at heart and more transparency is good. I'm grateful for the conversations that we
had in the post-Snowden era about the limits to surveillance and how critical privacy is.
When you have no transparency and you don't really know in that case what our secret courts were doing,
how can you truly believe that our country is taking our civil liberties seriously?
On the one hand, I'm grateful that he cracked open these debates. On the other hand,
when I walked into the storage closet of classified NSA secrets, I had just spent
two years covering Chinese cyber espionage almost every day and the advancement of Russian attacks
that were just getting worse and worse and more destructive. There were no limits to
Chinese cyber espionage and Chinese surveillance of its own citizens. There seemed to be no limit
to what Russia was willing to do in terms of cyber attacks and also, in some cases,
assassinating journalists. When I walked into that room, there was a part of me, quite honestly,
that was relieved to know that the NSA was as good as I hoped they were. We weren't using
that knowledge to, as far as I know, assassinate journalists. We weren't using our access to
take out pharmaceutical companies. For the most part, we were using it for traditional espionage.
Now, that set of documents also set me on the journey of my book because, to me,
the American people's reaction to the Snowden documents was a little bit misplaced. They were
upset about the phone call metadata collection program. Angela Merkel, I think, rightfully was
upset that we were hacking her cell phone, but in the spy eat spy world, hacking world
leader's cell phones is pretty much what most spy agencies do. There wasn't a lot that I saw
in those documents that was beyond what I thought a spy agency does. I think if there was another
9-11 tomorrow, God forbid, we would all say, how did the NSA miss this? Why weren't they spying on
those terrorists? Why weren't they spying on those world leaders? There's some of that too.
But I think that there was great damage done to the US's reputation. I think we really lost our
halo in terms of a protector of civil liberties. I think a lot of what was reported was, unfortunately,
reported in a vacuum. That was my biggest gripe, that we were always reporting, the NSA has this
program and here's what it does. The NSA is in Angela Merkel's cell phone and the NSA can do this
and no one was saying, and by the way, China has been hacking into our pipelines and they've been
making off with all of our intellectual property and Russia's been hacking into our energy infrastructure
and they've been using the same methods to spy on track and in many cases kill their own journalists
and the Saudis have been doing this to their own critics and dissidents. You can't talk about any
of these countries in isolation. It is really like spy eat spy out there. I just have complicated
feelings. The other thing is, and I'm sorry this is a little bit of a tangent, but the amount of
documents that we had, like thousands of documents, most of which were just crap but had people's
names on them, part of me wishes that those documents had been released in a much more
targeted, limited way. A lot of it just felt like a PowerPoint that was taken out of context.
You just wish that there had been a little bit more thought into what was released because I
think a lot of the impact from someone was just the volume of the reporting, but I think based
on what I saw personally, there was a lot of stuff that I don't know why that particular thing got
released. As a whistleblower, what's the better way to do it? There's fear. It takes a lot of effort
to do a more targeted release. If there's proper channels, you're afraid that those channels would
be manipulated like who do you trust. What's the better way to do this, do you think? As a
journalist, this is almost like a journalistic question. Reveal some fundamental flaw in the
system without destroying the system. I bring up, again, Mark Zuckerberg and Metta, there was a
whistleblower that came out about Instagram internal studies. I also torn about how to feel
about that whistleblower because from a company perspective that's an open culture,
how can you operate successfully if you have an open culture where any one whistleblower can come
out out of context, take a study, whether it represents a larger context or not. The press
eats it up and then that creates a narrative that is just like with the NSA. You said it's
out of context very targeted to wear while Facebook is evil, clearly, because of this one leak.
It's really hard to know what to do there because we're now in a society that's deeply distressed
institutions. Narratives by whistleblowers make that whistleblower and their forthcoming book
very popular. There's a huge incentive to take stuff out of context and to tell stories that
don't represent the full context, the full truth. It's hard to know what to do with that because
then that forces Facebook, Metta, and governments to be much more conservative, much more secretive.
It's like a race to the bottom. I don't know if you can comment on any of that,
how to be a whistleblower ethically and properly. I don't know. These are hard questions. Even for
myself, in some ways, I think of my book as blowing the whistle on the underground zero-day
market. It's not like I was in the market myself. It's not like I had access to classified data
when I was reporting out that book. As I say in the book, listen, I'm just trying to scrape the
surface here so we can have these conversations before it's too late. I'm sure there's plenty in
there that someone who's US intelligence agency's preeminent zero-day broker probably
has some voodoo doll of me out there. You're never going to get it 100%.
But I really applaud whistleblowers like the whistleblower who blew the whistle on the
Trump call with Zelensky. People needed to know about that, that we were basically,
in some ways, blackmailing an ally to try to influence an election. They went through the
proper channels. They weren't trying to profit off of it. There was no book that came out afterwards
from that whistleblower. They went through the channels. They're not living in Moscow. Let's
put it that way. Can I ask you a question? You mentioned NSA. One of the things it showed
is they're pretty good at what they do. Again, this is a touchy subject, I suppose, but
there's a lot of conspiracy theories about intelligence agencies from your understanding
of intelligence agencies, CIA, NSA, and the equivalent of in other countries.
Are they one question? This could be a dangerous question. Are they competent?
Are they good at what they do? And two, are they malevolent in any way?
Sort of a recent conversation about tobacco companies that kind of see their customers as
dupes. They can just play games with people. Conspiracy theories tell that similar story about
intelligence agencies that they're interested in manipulating the populace for whatever ends the
powerful in dark rooms, cigarette smoke, cigar smoke-filled rooms. What's your sense? Do these
conspiracy theories have any truth to them or are intelligence agencies for the most part
good for society? Okay, well, that's an easy one. Is it? No. I think it depends which intelligence
agency. Think about the Mossad. They're killing every Iranian nuclear scientist they can over
the years, but have they delayed the time horizon before Iran gets the bomb? Yeah.
Have they probably staved off terror attacks on their own citizens? Yeah.
None of these, intelligence is intelligence. You can't just say they're malevolent or
they're heroes. Everyone I have met in this space is not like the pound your chest patriot
that you see on the beach on the 4th of July. A lot of them have complicated feelings about
their former employers. Well, at least at the NSA reminded me to do what we were accused of
doing after Snowden, to spy on Americans. You have no idea the amount of red tape and paperwork
and bureaucracy it would have taken to do whatever one thinks that we were supposedly doing.
But then we find out in the course of the Snowden reporting about a program called Love-In
where a couple of the NSA analysts were using their access to spy on their ex-girlfriends.
So there's an exception to every case. Generally, I will probably get accused of
my Western bias here again, but I think you can almost barely compare
some of these Western intelligence agencies to China, for instance. And the surveillance that
they're deploying on the Uighurs to the level they're deploying it and the surveillance they're
starting to export abroad with some of the programs like the watering hole attack I mentioned earlier
where it's not just hitting the Uighurs inside China, it's hitting anyone interested in the Uighur
plight outside China. I mean, it could be an American high school student writing a paper on
the Uighurs. They want to spy on that person too. There's no rules in China really limiting the extent
of that surveillance. And we all better pay attention to what's happening with the Uighurs,
because just as Ukraine has been to Russia in terms of a test kitchen for cyber attacks,
the Uighurs are China's test kitchen for surveillance. And there's no doubt in my mind
that they're testing them on the Uighurs. Uighurs are their petri dish, and eventually they will
export that level of surveillance overseas. I mean, in 2015, Obama and Xi Jinping reached a deal
where basically the White House said you better cut it out on intellectual property theft. And so
they made this agreement that they would not hack each other for commercial benefit. And for a period
of about 18 months, we saw this huge drop off in Chinese cyber attacks on American companies. But
some of them continued. Where do they continue? They continued on aviation companies, on hospitality
companies like Marriott. Why? Because that was still considered fair game to China. It wasn't IP
theft. They were after it. They wanted to know who was staying in this city at this time when Chinese
citizens were staying there so they could cross match for counterintelligence who might be a likely
Chinese spy. I'm sure we're doing some of that too. Counterintelligence is counterintelligence.
It's considered fair game. But where I think it gets evil is when you use it for censorship,
to suppress any dissent, to do what I've seen the UAE do to its citizens, where people who've
gone on Twitter just to advocate for better voting rights, more enfranchisement, suddenly find their
passports confiscated. I talked to one critic Ahmed Mansour and he told me, you might find
yourself a terrorist, labeled a terrorist one day and you don't even know how to operate a gun.
He'd been beaten up every time he tried to go somewhere. His passport had been confiscated.
By that point, it turned out they'd already hacked into his phone. So they were listening to us
talking. They'd hacked into his baby monitor. So they're spying on his child and they stole his car.
And then they created a new law that you couldn't criticize the ruling family or the ruling party
on Twitter. And he's been in solitary confinement every day since on hunger strike. So that's
evil. That's evil. And we don't do that here. We have rules here. We don't cross
that line. So yeah, in some cases, I won't go to Dubai. I won't go to Abu Dhabi. If I ever
want to go to the Maldives, too bad, most of the flights go through Dubai.
So there's some lines we're not willing to cross. But then again, just like you said,
there's individuals within NSA, within CIA, and they may have power. And to me, there's levels
of evil. To me personally, this is the stuff of conspiracy theories is the things you've
mentioned as evil are more direct attacks. But there's also psychological warfare. So blackmail.
So what is spying allow you to do? Allow you to collect information if you have something
that's embarrassing? Or if you have like Jeffrey Epstein conspiracy theories, active, what is it,
manufacture of embarrassing things, and then use blackmail to manipulate the population,
or all the powerful people involved. It troubles me deeply that MIT allowed somebody like Jeffrey
Epstein in their midst, especially some of the scientists I admire that they would hang out
with that person at all. And so I'll talk about it sometimes. And then a lot of people tell me,
well, obviously, Jeffrey Epstein is a front for intelligence. And I just, I struggle to see that
level of competence and malevolence. But you know, who the hell am I? And I guess I was trying to get
to that point, you said that there's bureaucracy and so on, which makes some of these things very
difficult. I wonder how much malevolence, how much competence there is in these institutions,
like how far this takes us back to the hacking question. How far are people willing to go
if they have the power? This has to do with social engineering, this has to do with hacking,
this has to do with manipulating people, attacking people, doing evil onto people,
psychological warfare and stuff like that. I don't know. I believe that most people are good.
And I don't think that's possible in a free society. There's something that happens when you
have a centralized government where power corrupts over time and you start, you know,
surveillance programs kind of, it's like a slippery slope that over time starts to both use fear and
direct manipulation to control the populace. But in a free society, I just, it's difficult for me
to imagine that you can have like somebody like a Jeffrey Epps in the front for intelligence.
I don't know what I'm asking you, but I'm just, I have a hope that for the most part,
intelligence agencies are trying to do good and are actually doing good for the world.
When you view it in the full context of the complexities of the world.
But then again, if they're not, would we know? That's why Edwin Snowden might be a good thing.
Let me ask you on a personal question. You have investigated some of the most powerful
organizations and people in the world of cyber warfare, cyber security. Are you ever afraid
for your own life, your own well being digital or physical? I mean, I've had my moments.
You know, I've had our security team at the times called me at one point and said someone's
on the dark web offering good money to anyone who can hack your, your phone or your laptop.
And I described in my book how when I was at that hacking conference in Argentina,
I came back and I'd brought a burner laptop with me, but I'd kept it in the safe anyway.
And it didn't have anything on it, but someone had broken in and it was moved.
You know, I've had all sorts of sort of scary moments. And then I've had moments where I think
I went just way too far into the paranoid side. I mean, I remember writing about the
Times hack by China and I just covered a number of Chinese cyber attacks where they'd gotten into
the thermostat at someone's corporate apartment and, you know, they've gotten into all sorts of
stuff. And I was living by myself. I was single in San Francisco and my cable box on my television
started making some weird noises in the middle of the night. And I got up and I ripped it out of
the wall. And I think I said something like embarrassing like, fuck you, China. And then
I went back to bed and I woke up and like, it's like beautiful morning light. I mean,
I'll never forget it. Like this is like glimmering morning light is shining on my cable box, which
has now been ripped out and is sitting on my floor and like the morning light. And I was just like,
no, no, no, like I'm not going down that road. Like you basically, I came to a fork in the road
where I could either go full tinfoil hat, go live off the grid, never have a car with navigation,
never use Google Maps, never own an iPhone, never order diapers off Amazon, you know,
create an alias or I could just do the best I can and live in this new digital world we're living
in. And what does that look like for me? I mean, what are my crown jewels? This is what I tell
people, what are your crown jewels? Because just focus on that. You can't protect everything,
but you can protect your crown jewels. For me, for the longest time, my crown jewels were my sources.
I was nothing without my sources. So I had some sources, I would meet the same dim someplace or
maybe it was a different restaurant on the same date, you know, every quarter. And we would never
drive there. We would never Uber there. We wouldn't bring any devices. I could bring a pencil and a
notepad. And if someone wasn't in town, like there were a couple of times where I'd show up and the
source never came. But we never communicated digitally. And those were the lengths I was willing
to go to protect that source, but you can't do it for everyone. So for everyone else, you know,
it was signal using two factor authentication, you know, keeping my devices up to date, not clicking
on phishing emails, using a password manager, all the things that, you know, we know we're supposed
to do. And that's what I tell everyone, like, don't go crazy, because then that's like the ultimate
hack. Then they've hacked your mind, whoever they is for you. But just do the best you can. Now,
my whole risk model changed when I had a kid, you know, now it's, oh, God, you know, if anyone
threatened my family, God help them. But it's, it changes you. And, you know, unfortunately,
there are some things like I was really scared to go deep on, like Russian cybercrime, you know,
like Putin himself, you know, and, and it's interesting, like, I have a mentor who's an
incredible person who was the Times Moscow bureau chief during the Cold War. And after I wrote a
series of stories about Chinese cyber espionage, he took me out to lunch. And he told me that when
he was living in Moscow, he would drop his kids off at preschool when they were my son's age now.
And the KGB would follow him. And they would make a really like loud show of it. You know,
they'd tail him, they'd, you know, honk, they'd just be a ruckus, make a ruckus. And he said,
you know what, they never actually did anything. But they wanted me to know that they were following
me. And I operated accordingly. And he says, that's how you should operate in, in the digital world.
Know that there are probably people following you. Sometimes they'll make a little bit of noise.
But one thing you need to know is that while you're at the New York Times, you have a little bit
of an invisible shield on you. You know, if something were to happen to you, that would be a
really big deal. That would be an international incident. So I kind of carried that invisible
shield with me for years. And then Jamal Khashoggi happened. And that destroyed my vision of my
invisible shield. You know, sure, you know, he was a Saudi, but he was a Washington Post columnist.
You know, for the most part, he was living in the United States, he was a journalist. And for them
to do what they did to him, pretty much in the open and get away with it. And for the United States
to let them get away with it, because we wanted to preserve diplomatic relations with the Saudis,
that really threw my worldview upside down. And, you know, I think that sent a message to a lot
of countries that it was sort of open season on journalists. And to me, that was one of the most
destructive things that happened under the previous administration. And, you know,
I don't really know what to think of my invisible shield anymore.
Like you said, that really worries me on the journalism side that people will be afraid to
dig deep on fascinating topics. And, you know, I have my own, that's part of the reason I would
love to have kids, I would love to have a family. Part of the reason I'm a little bit afraid,
there's many ways to phrase this, but the loss of freedom in the way of doing all the crazy
shit that I naturally do, which I would say the ethic of journalism is kind of not is doing
crazy shit without really thinking about it. This is letting your curiosity really allow you to be
free and explore. It's, I mean, whether it's stupidity or fearlessness, whatever it is,
that's what great journalism is. And all the concerns about security risks have made me like
become a better person. The way I approach it is just make sure you don't have anything to hide.
I know this is not a thing, this is not a, this is not an approach to security. I'm just,
this is like a motivational speech or something. It's just like, if you can lose, you can be
hacked at any moment. Just don't be a douchebag secretly. Just be like a good person. Because
then I see this actually with social media in general, just present yourself in the most
authentic way possible, meaning be the same person online as you are privately, have nothing to hide.
That's one, not the only, but one of the ways to achieve security. Maybe I'm totally wrong on this,
but don't be secretly weird. If you're weird, be publicly weird, so it's impossible to blackmail
you. That's my approach to security. Yeah. Well, they call it the New York Times front page
phenomenon. Don't put anything in email or I guess social media these days that
you wouldn't want to read on the front page of the New York Times. And that works, but
sometimes I even get carried. I mean, I have not as many followers as you, but a lot of
followers and sometimes even I get carried away. To be emotional and stuff and say something.
Yeah. Yeah. I mean, just the cortisol response on Twitter. Twitter is basically designed to
elicit those responses. I mean, every day I turn on my computer, I look at my phone,
I look at what's trending on Twitter and it's like, what are the topics that are going to
make people the most angry today? And it's easy to get carried away, but it's also just,
that sucks too, that you have to be constantly censoring yourself. And maybe it's for the
better. Maybe you can't be a secret asshole. We can put that in the good bucket, but at the same
time, there is a danger to that other voice, to creativity, to being weird. There's a danger to
that little whispered voice that's like, well, how would people read that? How could that be
manipulated? How could that be used against you? And that stifles creativity and innovation and
free thought. And that's on a very micro level. And that's something I think about a lot.
And that's actually something that Tim Cook has talked about a lot. And why he has said he goes
full force on privacy is it's just that little voice that is at some level censoring you.
And what is sort of the long-term impact of that little voice over time?
I think there's a ways, I think that self-censorship is an attack factor that there are solutions to.
The way I'm really inspired by Elon Musk, the solution to that is just be privately and publicly
the same person and be ridiculous. Embrace the full weirdness and show it more and more.
So that's memes that has like ridiculous humor. And I think, and if there is something you really
want to hide, deeply consider if that you want to be that. Why are you hiding it? What exactly are
you afraid of? Because I think my hopeful vision for the internet is the internet loves authenticity.
They want to see you weird. So be that and live that fully. Because I think that gray area where
you're kind of censoring yourself, that's where the destruction is. You have to go all the way.
Step over. Be weird. Be weird. And then it feels it can be painful because people can attack you
and so on, but just ride it. I mean, that's just like a skill on the social psychological level
that ends up being an approach to security, which is like remove the attack vector of
having private information by being your full weird self publicly. What advice would you give
to young folks today operating in this complicated space about how to have a successful life,
a life they can be proud of, a career they can be proud of, maybe somebody in high school
and college thinking about what they're going to do. Be a hacker. If you have any interest,
become a hacker and apply yourself to defense. Every time, we do have these amazing scholarship
programs, for instance, where they find you early, they'll pay your college as long as you
commit to some kind of federal commitment to sort of help federal agencies with cybersecurity.
And where does everyone want to go every year from the scholarship program? They want to go work
at the NSA or Cyber Command. They want to go work on offense. They want to go do the sexy stuff.
It's really hard to get people to work on defense. It's always been more fun to be a pirate than
be in the Coast Guard. And so we have a huge deficit when it comes to filling those roles.
There's 3.5 million unfilled cybersecurity positions around the world. I mean, talk about
job security. Be a hacker and work on cybersecurity. You will always have a job.
And we're actually had a huge deficit and disadvantage as a free market economy
because we can't match cybersecurity salaries at Palantir or Facebook or Google or Microsoft.
And so it's really hard for the United States to fill those roles. And other countries have had this
work around where they basically have forced conscription on some level. China tells people
like, you do whatever you're going to do during the day, work at Alibaba. If you need to do some
rent somewhere, okay. But the minute we tap you on the shoulder and ask you to come do this sensitive
operation for us, the answer is yes. You know, same with Russia, you know, a couple years ago
when Yahoo was hacked and they laid it all out in an indictment, it came down to two cyber criminals
and two guys from the FSB. Cyber criminals were allowed to have their fun. But the minute they
came across the username and password for someone's personal Yahoo account that worked at the White
House or the State Department or military, they were expected to pass that over to the FSB.
So we don't do that here. And it's even worse on defense. We really can't fill these positions.
So, you know, if you are a hacker, if you're interested in code, if you're a tinker,
you know, learn how to hack, there are all sorts of amazing hacking competitions you can do through
the SANS org, for example, S-A-N-S. And then use those skills for good, you know, neuter the bugs
in that code that get used by autocratic regimes to make people's life, you know, a living prison,
you know, plug those holes, you know, defend industrial systems, defend our water treatment
facilities from hacks where people are trying to come in and poison the water. You know,
that I think is just an amazing job on so many levels. It's intellectually stimulating. You can
tell yourself you're serving your country. You can tell yourself you're saving lives and keeping
people safe. And you'll always have amazing job security. And if you need to go get that job
that pays you, you know, 2 million bucks a year, you can do that too. And you can have a public
profile, more so of a public profile, you can be a public rock star. I mean, it's the same thing as
sort of the military. There's a lot of, there's a lot of well-known sort of people commenting on
the fact that veterans are not treated as well as they should be. But it's still the fact that
soldiers are deeply respected for defending the country, the freedoms, the ideals that we stand
for. And in the same way, I mean, in some ways, the cyber security defense are the soldiers of
the future. Yeah. And you know what's interesting? I mean, in cybersecurity, the difference is,
oftentimes you see the more interesting threats in the private sector, because that's where the
attacks come. You know, when cyber criminals and nation state adversaries come for the United
States, they don't go directly for cyber command or the NSA. No, they go for banks. They go for
Google. They go for Microsoft. They go for critical infrastructure. And so those companies,
those private sector companies, get to see some of the most advanced sophisticated attacks
out there. And you know, if you're working at FireEye and you're calling out the SolarWinds
attack, for instance, I mean, you just saved, God knows how many systems from, you know,
that compromise turning into something that more closely resembles sabotage. So, you know,
go be a hacker or go be a journalist. So you wrote the book, this is how they tell me the
world ends, as we've been talking about, of course, referring to cyber war, cyber security.
What gives you hope about the future of our world? If it doesn't end, how will it not end?
That's a good question. I mean, I have to have hope, right? Because I have a kid
and I'm another on the way. And if I didn't have hope, I wouldn't be having kids.
But it's a scary time to be having kids. And, you know, it's like pandemic, climate change,
disinformation, increasingly advanced, perhaps deadly cyber attacks. What gives me hope is that
I share your worldview that I think people are fundamentally good. And sometimes, and this is
why the metaverse scares me to death, but when I'm reminded of that is not online. Like online,
I get the opposite, you know, you start to lose hope in humanity when you're on Twitter half your
day. It's like when I go to the grocery store, or I go on a hike, or like someone smiles at me,
you know, or someone just says something nice. You know, people are fundamentally good. We just
don't hear from those people enough. And my hope is, you know, I just think our current political
climate, like we've hit rock bottom. This is as bad as it gets. We can't do anything.
Don't jinx it.
Well, but I think it's a generational thing. You know, I think baby boomers, like it's time to
move along. I think it's time for a new generation to come in. And I actually have a lot of hope
when I look at, you know, I'm sort of like this, I guess they call it me a geriatric millennial,
or a young gen X. But like we have this unique responsibility because I grew up without the
internet and without social media, but I'm native to it. So I know the good. And I know the
good. And I know the bad. And that's true on so many different things. You know, I grew up without
climate change anxiety. And now I'm feeling it. And I know it's not a given. We don't have to
just resign ourselves to climate change. You know, same with disinformation. And I think
a lot of the problems we face today have just exposed the sort of inertia that there has been
on so many of these issues. And I really think it's a generational shift that has to happen.
And I think this next generation is going to come in and say, like, we're not doing business like
you guys did it anymore. You know, we're not just going to like rape and pillage the earth
and try and turn everyone against each other and play dirty tricks and let lobbyists dictate,
you know, what we do or don't do as a country anymore. And that's really where I see the hope.
It feels like there's a lot of low hanging fruit for young minds to step up and create solutions
and lead. So whenever like, politicians or leaders that are older, like you said, are acting shitty,
I see that as a positive, they're inspiring a large number of young people to replace them.
Yeah. And so it's, I think you're right, there's going to be it's almost like,
you need people to act shitty to remind them, oh, wow, we need good leaders. We need great
creators and builders and entrepreneurs and scientists and engineers and journalists.
You know, all the discussions about how the journalism is quote unquote broken and so on,
that's just an inspiration for new institutions to rise up that do journalism better,
new journalists to step up and do journalism better. So I, and I've been constantly when I
talked to young people, I'm constantly impressed by the ones that dream to build solutions.
And so that's, that's, that's ultimately why I put the hope, but the world is a messy place.
Like we've been talking about the scary place. Yeah. And I think you hit something,
hit on something earlier, which is authenticity. Like no one is going to rise above
that is plastic anymore. You know, people are craving authenticity, you know,
the benefit of the internet is it's really hard to hide who you are on every single platform,
you know, on some level, it's going to come out who you really are. And so you hope that,
you know, by the time my kids are grown, like no one's going to care if they made one mistake
online. So long as they're authentic, you know, and, and I, I used to worry about this.
My nephew was born the day I graduated from college. And I just always, you know, he's like
born into, to Facebook. And just think like, how is a kid like that ever going to be president of
the United States of America? Because if Facebook had been around when I was in college, you know,
like Jesus, you know, what, how is, how are those kids are going to ever be president? There's going
to be some photo of them at some point making some mistake. And that's going to be all over for them.
And now I take that back. Now it's like, no, everyone's going to make mistakes. There's going
to be a picture for everyone. And we're all going to have to come and grow up to the view that as
humans, we're going to make huge mistakes. And hopefully they're not so big that they're going
to ruin the rest of your life. But we're going to have to come around to this view that we're all
human. And we're going to have to be a little bit more forgiving and a little bit more tolerant when
people mess up. And we're going to have to be a little bit more humble when we do. And like,
keep moving forward. Otherwise, you can't like cancel everyone.
You know, Nicole, this is an incredible, hopeful conversation. Also, one that reveals
that in the shadows, there's a lot of challenges to be solved. So I really appreciate that you
took on this really difficult subject with your book. That's journalism is best. So I'm really
grateful that you did the, that you took the risk that you took that on and that you plugged the
cable box back in. That means you have hope. And thank you so much for spending your valuable time
with me today. Thank you. Thanks for having me. Thanks for listening to this conversation with
Nicole Perleroth. To support this podcast, please check out our sponsors in the description. And
now let me leave you with some words from Nicole herself. Here we are, entrusting our entire digital
lives, passwords, texts, love letters, banking records, health records, credit card sources,
and deepest thoughts to this mystery box, whose inner circuitry most of us would never vet run
by code written in a language most of us will never fully understand. Thank you for listening
and hope to see you next time.