"Hacktivists" across the web have tried to make political statements by tampering with corporate web sites. A group known as "Anonymous", which already claims to have disrupted MasterCard and PayPal, was marked as an early suspect in the massive data breach of Sony's PlayStation Network. We explore the rise of "hacktivism" and what it means for data security.

Guests

  • Nick Bilton Lead Technology Writer, Bits Blog, NYTimes.com; author, "I Live in the Future & Here's How It Works" (Crown)
  • Nate Anderson Senior Editor, Ars Technica
  • Ed Skoudis Founder, Senior Security Consultant, InGuardians; Author, "Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses" (Prentice Hall)

Transcript

  • 12:06:45

    MR. KOJO NNAMDI: From WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. Some people like to call the Internet the Wild West of the business world. So what then are we supposed to call the hackers who often disrupt life within that universe? Some of them have earned Billy the Kid kind of reputations for picking fights with powerful businesses, even governments, hacktivists who make political statements by waging cyber warfare. One loosely organized group of hackers which calls itself Anonymous recently took credit for disrupting MasterCard, PayPal and others as a means of scoring payback against those they felt were working against the website WikiLeaks.

  • 12:07:48

    MR. KOJO NNAMDI: But one man's hacktivist is another man's cyber outlaw, and online stunts are anything but victimless affairs. A recent attack on Sony's PlayStation Network potentially exposed sensitive information on millions of customers and credit card users, and reports have surfaced that Sony is considering putting a bounty on those responsible for that breach. All of which are adding to the reasons why some are calling for a new federal data sheriff to police the Web. Joining us now from studios in New York is Nick Bilton. He is a reporter for The New York Times where he's the lead technology writer for the newspaper's "Bits Blog." Nick Bilton, thank you for joining us.

  • 12:08:32

    MR. NICK BILTON: Thanks for having me on the show.

  • 12:08:33

    NNAMDI: And joining us by telephone from Chicago is Nate Anderson, senior editor at the technology news website Ars Technica. Nate Anderson, thank you for joining us.

  • 12:08:45

    MR. NATE ANDERSON: Thanks for having me.

  • 12:08:46

    NNAMDI: It's a conversation we invite our listeners to join by calling 800-433-8850 or by going to our website, kojoshow.org, and joining the conversation there. You can send us a tweet, @kojoshow, or send e-mail to kojo@wamu.org. At what point do you think cyber pranks cross the line and become cybercrimes? That's 800-433-8850. Nick Bilton, let's stick with the Wild West metaphor for a minute, because if the online world were a Western movie, last month's data breach at Sony's PlayStation Network was the equivalent of a massive bank robbery or a train heist. What exactly happened in that attack, and just how much was at stake?

  • 12:09:34

    BILTON: Well, there was about 77 million users who are registered on the PlayStation Network and the Qriocity Network, which is used for gaming and for streaming video and audio. And hackers managed to somehow get into the network and get behind the company's servers and actually took some of this data. There was also 12 million credit cards within there. When Sony found out, they shut the entire system down, and it's been down ever since. It's almost a month now since this happened. And it's -- we're unsure how much information was stolen, but there were reports on some underground hacker forums where people buy and sell credit card information that the hackers managed to get two million credit cards.

  • 12:10:19

    BILTON: There was other reports that they had gained 12 million people's personal information, and we're not really sure what they took, but we know they have managed to get in there and get access to a treasure trove of personal information and credit card information.

  • 12:10:33

    NNAMDI: You wrote on your blog last week that this data breach at Sony has a lot of people scared, including other hackers. Why?

  • 12:10:41

    BILTON: Well, there's this really interesting underground world right now that's taken place with the rise of people registering on websites and putting their credit card information. I mean, it's essentially an economy that's based around selling stolen information and stolen credit cards. And as in any economy, when the market gets flooded with a tremendous amount of information or product, the cost goes down. So, you know, a credit card online can sell in an underground forum for anywhere between two and $10, depending on how much personal information comes with it and what the limits are in the card and so on.

  • 12:11:17

    BILTON: And so if two million credit cards then dumped into the market, the cost will drop to well below a dollar, so a lot of hackers were worried that if this really did happen -- they did get these millions of credit cards -- that their business would be affected too.

  • 12:11:31

    NNAMDI: Nick, what sense does Sony have for the techniques hackers use to penetrate its system, and what are the kinds of techniques that are typically responsible for this kind of breach?

  • 12:11:42

    BILTON: With the Sony situation, Sony hasn't said how they got in or anything, but there have been a lot of reports. There was a congressional hearing last week asking what had happened. And there was a professor who had -- who's a security expert, who had said that everyone in the security world knew that Sony had outdated servers and that their protection wasn't up to the par that it should have been. What's believed that happened the way the hackers got in is that they actually used the PlayStation, the gaming console...

  • 12:12:12

    NNAMDI: Yup.

  • 12:12:12

    BILTON: ...and they tunneled in through that and then used their computers to access all this information.

  • 12:12:18

    NNAMDI: What does a denial-of-service attack involve, Nick?

  • 12:12:22

    BILTON: A denial-of-service attack is essentially when you hammer a website or a server so that it doesn't work anymore. So if you imagine filling up a glass of water with one faucet and the way a denial-of-service attack works is this -- you're essentially filling up that glass of water with a fire hose and you just -- it just can't handle it, and that's essentially what happened. So what a lot of these hacktivists do when they do denial-of-service attacks on, you know, MasterCard or Sony or whatever is that they take over a number of computers and they hammer these sites repeatedly so that they essentially -- the servers crash and they go offline.

  • 12:13:00

    NNAMDI: You're listening to a Tech Tuesday conversation about the phenomenon of so-called hacktivism. Nick Bilton is a reporter for The New York Times. He's the lead technology writer for the newspaper's "Bits Blog." He joins us from studios in New York. Joining us by phone from Chicago is Nate Anderson, senior editor at the technology news website Ars Technica. You can call us, 800-433-8850. What concerns do you have about your own private information in the wake of those massive data breaches at places like the PlayStation Network? 800-433-8850. Nate Anderson, a lot of people started to point the finger pretty quickly at the group Anonymous as a party that might be responsible for the Sony breach. You've written about Anonymous quite a bit. Who is Anonymous?

  • 12:13:47

    ANDERSON: Well, Anonymous is anyone. It is a group, a very loose confederation of hackers. Some of them share the same goals. There is no membership. There's no requirement to join. Anybody is considered a part of Anonymous by simply participating in some of their operations. So it's a very amorphous group. One that's very difficult to get a handle on. And that also makes it difficult to say whether Anonymous sort of as a group had anything to do with any particular attack. But certainly in this case, they were organizing denial-of-service attacks on Sony that were ongoing when this data breach took place.

  • 12:14:28

    NNAMDI: At what point did Anonymous evolve from a group of tech-savvy kids with mischievous tendencies to one that was willing to pick fights with powerful entities to make political points?

  • 12:14:40

    ANDERSON: Well, I think it always started with quite a bit of that. One of the first things they were involved in back in 2006 and 2007, when the group was really getting going, was a set of attacks, both virtual and then real world, protests against the Church of Scientology, which can be a very powerful enemy, and several members of Anonymous were sent to jail over some of the attacks involved in that. So that sort of tweaking of authority structures goes back to the very beginning of the group.

  • 12:15:12

    NNAMDI: And, Nick Bilton, to what extent did Anonymous gain a greater degree of either fame or notoriety depending on how you look at it because of WikiLeaks?

  • 12:15:24

    BILTON: Well, they -- one of the things that's interesting about Anonymous is that, you know, I think there's several members of the group that are just out to cause trouble and, you know, have fun. And then, there are also a number of members that are really out there to try to make a difference, and that was evident with WikiLeaks when the U.S. government went after WikiLeaks and, you know, asked MasterCard and PayPal and other sites like that to stop allowing people to donate money to WikiLeaks. Anonymous didn't agree with that, and so they decided they were going to defend WikiLeaks, and they attacked all of these large entities that the government had asked to stop cooperating with WikiLeaks and other entities like that.

  • 12:16:07

    NNAMDI: PayPal, MasterCard just to name two, correct?

  • 12:16:10

    BILTON: Yup.

  • 12:16:11

    NNAMDI: Here is...

  • 12:16:12

    BILTON: Ah...

  • 12:16:12

    NNAMDI: Oh, go ahead, please, Nick.

  • 12:16:14

    BILTON: Well, it's interesting. They also -- when the government tried to take the WikiLeaks site down, there were also people on Anonymous that tried to set up mirror sites of WikiLeaks where all the information was still available to people that -- no matter what happened.

  • 12:16:26

    NNAMDI: Here is Jordan in Washington D.C. Jordan, you're on the air. Go ahead, please.

  • 12:16:31

    JORDAN: Hi. I was just calling because I wanted to make a distinction between the hacktivists who did the denial-of-service attacks on the MasterCard site and the people who hacked the Sony network. It seems to me that the people that hacked the Sony network were only after financial gain, and there's no indication that they had any sort of political goal behind it. So it's -- to me, it seems to call them hacktivists (unintelligible) or hackers. And I'll take my answer off the air. Thank you very much.

  • 12:17:07

    NNAMDI: Nick Bilton, incorrect to characterize the people who hacked Sony PlayStation as hacktivists?

  • 12:17:13

    BILTON: No. It's absolutely correct. I mean, I think that, you know, when this first happened, Sony had said that they believe that it was Anonymous because Anonymous in the past had done denial-of-service attacks on Sony's website. And as soon as that happened, the Anonymous folks said, "We didn't do this. You know, we're not about stealing credit cards. We're not about stealing personal information. We're about, you know, hacktivism essentially." And it's kind of been a back and forth between the company and Anonymous to say whether they were involved or they weren't.

  • 12:17:46

    NNAMDI: But we got an e-mail from Andy who says, "Can you please ask your guests why Sony was targeted? It's my understanding it was mainly for their prosecution of a PS3 hacker. Any information about that at all?" But in -- Andy also asks, "And why Anonymous as a whole is in no way taking credit, nor do they condone what happened." Nate Anderson?

  • 12:18:08

    ANDERSON: Yeah. That's right. Anonymous started this attack on Sony with denial-of-service attacks against many of the company's websites because they were upset that Sony had filed a lawsuit, a federal lawsuit against a young man named George Hotz, who had cracked some of the PlayStation 3's security. This would have allowed the system to do things like play copied games, but it also had other uses. And the members of Anonymous were very upset about this prosecution, and so that was the initial impetus for their attacks. So I think you can make the case that this started out as an act of hacktivism, if you want to call it that, and then, this data breach came alongside. It was obviously something very different.

  • 12:18:53

    NNAMDI: Nate, you reported yesterday that Anonymous itself or the servers that it uses has been hacked and that it exposed warring factions within the group. What happened, and what did you learn from it?

  • 12:19:04

    ANDERSON: Well, I think it reinforces that the group is a pretty chaotic entity. What happened yesterday and over the weekend was that the main communications network that Anonymous uses to plan their operations and even to coordinate many of the denial-of-service attacks was essentially taken over by what some members of the group called a rogue administrator. But looking into the story, it turns out there are just different factions within the group who have different ideas about how it should be led, if at all, how anarchic it should be, should there be anyone in control, should there be secret channels in which some of these operations are kind of plotted essentially behind closed doors. Those were the issues that led to this sort of inter-Anonymous warfare.

  • 12:19:52

    NNAMDI: Nate, you added in your report that Anonymous has also been busy plotting schemes against Iranian websites, the New Zealand Parliament, the government of Norway and AT&T, and that these plots are more in the classic anon style. How so?

  • 12:20:07

    ANDERSON: Well, in the sense that they're organizing these distributed denial-of-service attacks. They're trying to recruit people from all over the world who will volunteer to donate their computers and their Internet bandwidth to these attacks, and they attempt to create, you know, such a massive data flood that these sites go down under the traffic and this serves as a form of protest. The group is involved though -- it's also classic in the sense that there -- it's almost sheer chaos. Nobody is really organizing this.

  • 12:20:36

    ANDERSON: If people come up with ideas, they put them out there. If enough other people join in with your idea, then it's considered a, you know, a quasi-official Anonymous operation. So it's a very bottom-up sort of system. And I think you can just look at their chat rooms and see the amount of things that are percolating to get a sense of how chaotic this is, which can be both fruitful but also rather uncontrolled.

  • 12:21:02

    NNAMDI: I'm glad you talked about looking at the chat rooms because I'm curious. As a reporter, how do you gather information about what these groups look like from the inside?

  • 12:21:12

    ANDERSON: Well, Anonymous is a funny group because it is very open about most of what it does. You can join their chat rooms and watch many of them at work, until this weekend when those chat rooms were taken down. So you can see them plotting these attacks, talking about all sorts of things they wanted to do. And they're very open about most of those activities. And, in fact, that's one of the things that Anonymous pointed to when Sony accused it of being involved in this data breach was, look, we are an ironically open organization.

  • 12:21:46

    ANDERSON: You can come look at what we're doing. You know, people are not doing these kinds of things. So they sort of tout their own openness and transparency as a good thing and as something that you could look at and just see that they were not involved in the Sony data breach.

  • 12:22:04

    NNAMDI: I know you got to go, but before you do, I'd like you to tell us one more story about Anonymous and then, later, I'll have Nick Bilton comment on the whole media fascination with Anonymous. But a part of how this Anonymous legend has been built has to do with what's known as the HBGary hack. Nate, could you tell us about that?

  • 12:22:22

    ANDERSON: Yeah...

  • 12:22:22

    BILTON: Yeah. This -- oh, Nate.

  • 12:22:24

    NNAMDI: Oh, well, either Nate or Nick could start.

  • 12:22:27

    BILTON: Nate, after you.

  • 12:22:28

    ANDERSON: Sure. So earlier -- well, late last year, a security firm called HBGary Federal had its CEO trying to unmask the people who he believed were the leaders of Anonymous, and he named three different people. And he thought that, in some of these cases, he had been able to link their online identities with real world people. He then told this information to a newspaper, and it also came out that he was soon gonna have a meeting with the FBI, which he was going to offer up some of this information.

  • 12:23:03

    ANDERSON: This sort of violates the basic mythos of Anonymous, which is anonymity, that we cannot be found, you cannot stop us. And so, attempts to do that are treated very harshly. And members of Anonymous quickly broke into the HBGary Federal website and retrieved a huge cache of personal emails from the executives of that company then released them to the world, and those emails showed all sorts of crazy scheming that had been going on involving WikiLeaks and other things that generated massive media attention and even some congressional attention.

  • 12:23:45

    NNAMDI: And, Nick Bilton, that added to the legend. But how much of the Anonymous story at this point has been conflated by a fascination that the news media seems to have with Anonymous? This is for you, Nick Bilton.

  • 12:23:56

    BILTON: Well, I think that it's not necessarily just a fascination with Anonymous but it's the stories that are -- that they are related to. So, you know, a couple of months ago, WikiLeaks was the huge media story. And when Anonymous jumped in and became a part of that story, they were also brought to the forefront. You know, recently, the Sony hacking, it's one of the biggest, you know, potentially personal identification information that has been stolen with 77 million users. So it's been a big, big deal in the news media and also, you know, drawing congressional hearings and so on.

  • 12:24:32

    BILTON: And Anonymous has been brought into that because Sony accused them and they defended themselves and so on. And I think that they -- I'm not quite sure -- maybe Nate can answer this, but I'm not quite sure if they go after the stories that are at the forefront of the media or if it just so happens that they are involved in the story as they get dragged into the forefront.

  • 12:24:52

    NNAMDI: What do you think, Nate?

  • 12:24:54

    ANDERSON: Well, it really seems to be driven by the various interests of, you know, various Anonymous members. When all these uprisings were going on across the Middle East, that appealed to many members of Anonymous, and they began setting up operations to attack government servers everywhere from Iran to Bahrain, et cetera. So many of these things are driven by what's happening in the news, but they also require sort of a, I guess, the interest of the various Anonymous members.

  • 12:25:23

    ANDERSON: So it very much has to be something that's popular. It's not driven from above. And so I'm not sure they're essentially chasing new stories for publicity as much as just doing things that catch their own interest, and those things often happen to be things that are in the news.

  • 12:25:39

    NNAMDI: Nate Anderson, thank you so much for joining us.

  • 12:25:42

    ANDERSON: Great. Thank you.

  • 12:25:42

    NNAMDI: Nate is a senior editor at the technology news website Ars Technica. We're having a Tech Tuesday conversation about so-called hacktivism, inviting your calls at 800-433-8850. To what degree do you think news media are guilty of portraying so-called hacktivists as rebels fighting for political causes instead of online vandals or, well, criminals? 800-433-8850. You can go to our website, kojoshow.org. Make your comment there. Send us a tweet, @kojoshow, or email to kojo@wamu.org. I'm Kojo Nnamdi.

  • 12:28:13

    NNAMDI: It's Tech Tuesday. Welcome back. We're talking about the merger of two words -- hackers and activists -- for the term now being referred to as hacktivism or its participants as hacktivists. Inviting your calls at 800-433-8850. We're talking with Nick Bilton. He's a reporter for The New York Times, where he's the lead technology writer for the newspaper's Bits Blog. Nick, allow me to go directly to the telephone. There's another Nick who awaits us in Beltsville, Md. Nick, you're on the air. Go ahead, please.

  • 12:28:43

    NICK: Thanks for taking my call. Yeah, a couple of minutes ago, Nate said that one of the upshots of George Hotz's hacking of the PS3 was that it allowed copied games to be played. But that actually wasn't George Hotz's intention. Originally, Sony marketed the PS3 as being able to run Linux, which is an open source version of UNIX, and that, later on, Sony, through software, closed that loop through their security software and that George Hotz unlocked it.

  • 12:29:13

    NICK: And I think it wasn't clear that the issue here was you buy a piece of hardware and then you can use it however you want to, and Sony was starting to change that by implementing software that blocked off functions that they had originally marketed. I'll take my response off the air.

  • 12:29:34

    NNAMDI: Nick Bilton, is that your understanding of what happened, the -- with Sony PlayStation?

  • 12:29:38

    BILTON: Yeah, absolutely. Yeah. I mean, it's interesting because this -- that Sony marketed it that way. And there's actually -- even the U.S. government, there's some Army facilities that purchased, you know, several PS3s and created these virtual worlds that they trained Army members on. There's companies that were using the PS3 for its computing purposes with the Linux. And then Sony decided that they didn't wanna do it anymore. And until then, I don't think anyone had really tried to hack the PS3 because there was no reason to.

  • 12:30:10

    BILTON: And then once Sony decided they were gonna change the rules of the game, a lot of people said, well, wait a second, this is not what we purchased this thing for. So in some respect, Sony actually got a little bit arrogant about it. And they decided to do whatever they wanted, irrelevant of what their customers wanted.

  • 12:30:27

    NNAMDI: Nick, thank you so much for your call. We move on to Jeremy in Baltimore, Md. Jeremy, you're on the air. Go ahead, please.

  • 12:30:35

    JEREMY: Good afternoon. My question is, if Anonymous are so open with what they're doing on these forums, then why is it so hard for companies to counter the attacks before they happen? And I'll take the response off the air.

  • 12:30:49

    NNAMDI: Nick Bilton?

  • 12:30:50

    BILTON: Well, it's a great question. I mean, take the HBGary case, right? This is a big, huge security firm that was hacked and hacked to such a degree that Anonymous managed to get 64,000 emails, you know? I mean, it's pretty amazing to see how, once these guys decide they're gonna go into these services or these companies, that how easy it is to do it. And, you know, I think there's a misconception among people that Anonymous is a bunch of, you know, kids that are just messing around. There are kids that are doing that, but there's also a lot of old-timers that have been involved with computers and hacking for decades now. And they really, really know what they're doing. So you can't necessarily stop them.

  • 12:31:31

    BILTON: You know, over the weekend, there was -- on Friday, we heard reports that Sony was gonna, you know, put the PlayStation Network back up online within the coming days. And this actually came from Sony CEO Howard Stringer. And then there were reports that came out and CNET had reported it and other media outlets that the hackers who had gone into the Sony PlayStation Network were gonna go back and try to bring it down again once it went online. And it's believed that Sony postponed, actually, putting the service back online because they didn't wanna have to deal with that, and they didn't know how to deal with that. And so, it's really, kind of, impossible to thwart these guys once they've decided they're going to do something.

  • 12:32:13

    NNAMDI: Thank you very much for your call -- 800-433-8850. Have recent data breaches forced you to change your online behavior? What do you do differently now? Call us at 800-433-8850. Here is Seth in Bethesda, Md. Hi, Seth.

  • 12:32:29

    SETH: ...executives helping them to deal with change. And recently, in the last six or seven years, most of my engagements have been around dealing with disruption as opposed to intentional change. And I was going to make the comment that, I think, this is a natural evolution for technology. And the self-organizing nature of groups like Anonymous and the hacking that they're doing is actually good for us in the long run because it will improve the systems that we have. I'd like to hear what your callers have to say about that.

  • 12:32:55

    NNAMDI: Well, you'd be interested to know that joining us now by telephone from Michigan, Seth, is Ed Skoudis. He's founder and senior security consultant with the company InGuardians. And he's a fellow at the SANS Institute. He's the author of the books "Counter Hack Reloaded" and "Malware: Fighting Malicious Code." Ed Skoudis, thank you very much for joining us.

  • 12:33:15

    MR. ED SKOUDIS: Thank you.

  • 12:33:16

    NNAMDI: I hope you were able to hear Seth's comment. Care to offer a response?

  • 12:33:20

    SKOUDIS: I did hear Seth's comment. And I think it's a good point over the long term. You know, there's this idea that children, when they're exposed to various infections and bacteria, actually have a stronger immune system when they grow up. And that's great, but it really hurts while you're a child and it's causing you problems when you're sick. And I think that's true, though, also in the computer security space. By exposing computer systems to various kinds of attackers, while it might be unfortunate and uncomfortable, it helps to strengthen the systems in the long term. But that long term might be five, 10, 15 years out. We've got some stuff to endure until we get there.

  • 12:33:58

    NNAMDI: Seth, thank you so much for your call. Back to you, Nick Bilton. You wrote this weekend for The New York Times that as far as federal law is concerned, there's no sheriff on the beat here. How so?

  • 12:34:10

    BILTON: Well, this is a growing problem as we've had all of these security breaches over the past few months. You know, we've had the Epsilon breach where, you know, millions of email addresses were stolen. We've had the PlayStation breach where, you know, potentially millions of personal information. AT&T's had problems. I mean, the list just goes on and on with all these companies and all these data that's out there. And in every instance, there is -- no one's held accountable, right?

  • 12:34:35

    BILTON: There's no federal law that says if, you know, if it turns out that Sony had outdated servers and that their firewalls weren't up to par and all these other things and they had -- they were storing all this personal information about their customers, there's no repercussions for them. So they're not gonna get in any kind of trouble. There'll be civil lawsuits that they'll settle out of court and things like that. And it's a PR black eye. But other than that, there's no repercussions, in the same thing we saw happened a couple of weeks ago when it turned out that, you know, Apple, Google and Microsoft have been storing customers' location information on their phones without their knowledge.

  • 12:35:09

    BILTON: You know, these companies all agreed to change their policy, but they never got in any kind of trouble. And the reason for that is that every, you know, every year, Congress brings these things to the floor that say, okay, we need these kind of privacy rules and this and that, but they never actually make it into law. And so a lot of it has been left to the states to decipher. And states really don't understand what's going on in this respect. Another thing that I wrote about this weekend, interviewing privacy lawyers and so on, is that the big fear is if -- let's just say that there is some congressional hearings and we do get these federal laws, that a lot of the judges won't actually be able to even decipher them.

  • 12:35:51

    BILTON: And this was evident in a case that happened a couple of years ago with -- that made it all the way to the Supreme Court, where Justice Chief Roberts actually didn't understand how a pager worked. And he asked the question to the court, you know, if two text messages are sent at the same time, does one get a busy signal? And so the highest court in the land doesn't understand how these technologies work. It's really kind of worrisome about whether the lower courts will be able to understand and even, you know, press charges against people when they do things that they shouldn't be.

  • 12:36:23

    NNAMDI: We'll return to that aspect of the conversation later, but I wanted to get to some of the security issues with Ed Skoudis. Ed, you're in the business of helping people guard themselves against hacks and data breaches. When you look at a network, whether it's run by a business or a government, what are the things you typically find people doing wrong?

  • 12:36:43

    SKOUDIS: Oh, one of the biggest issues is they just don't keep up on patches. The various software vendors, like Microsoft and Adobe, release patches on a regular basis some -- in some cases, once a month, in some cases, more frequently than that. And organizations really need to be diligent in keeping their systems up-to-date, so do consumers too. You know, Microsoft pushes patches monthly for consumers. And if you don't keep your systems up-to-date, it's really easy for the bad guys to take over your system. And we see it in companies. We see it in government agencies. And we see it on the consumer systems. So keeping those systems patched is absolutely vital. You're hosed if you don't do that.

  • 12:37:26

    NNAMDI: Well, let me ask our listeners. Have you changed your online behavior as a result of recent data breaches? And if so, what do you did -- do differently now? Call us at 800-433-8850 or go to our website, kojoshow.org. Ed, what are the kinds of attacks people typically find themselves fighting against and what are the specific challenges they pose?

  • 12:37:49

    SKOUDIS: Well, a couple of the big attacks that we see going on regularly are something called SQL injection. SQL is the structured query language. It's used to interact with databases. And a lot of Web applications have databases, you know, with lots of information, like credit card information or email account information and so forth. The bad guys inject commands into the Web application that the database runs. That's SQL injection. And we see that as one of the top ways the bad guys are compromising various enterprises, e-commerce companies and so forth. I've been handling SQL injection cases for over 15 years now, and they're showing no sign of letting up.

  • 12:38:28

    SKOUDIS: And the other form of attack that we see very commonly is what's called client-side exploitation. And what that involves is exploiting client-side software. That's the browsers, the email readers. It's the media players like RealPlayer or QuickTime, the document reader tools like Adobe Reader and Microsoft Works. It's exploiting all that stuff, which runs on a client computer. If you were to go back like 10 or 15 years ago, most of the attacks were against servers. And that SQL injection -- I mentioned earlier -- is against servers. But, hey, besides SQL injection on servers, it's the clients that are getting exploited. It's just an onslaught against all this client-side software. And that's why you need to keep it patched and up-to-date.

  • 12:39:14

    NNAMDI: How are these challenges different for both the small and the large players? It seems that a large company might have a lot more resources at its disposal, but it's also got a lot more information to protect.

  • 12:39:27

    SKOUDIS: And -- yeah, that's true. That's true, Kojo. And it's got a bigger attack surface. So you might have an organization that has some significant resources to defend itself against attack, but they might have to defend against, you know, 10,000 or 100,000 computer systems with all different kinds of Internet access, wireless access and so forth. So, oftentimes, while they might have, on paper, a lot of resources to do that defense, they spend just a small fraction of that money in protecting their computer systems from attack.

  • 12:39:57

    NNAMDI: Got to take a short break. When we come back, we'll continue this Tech Tuesday conversation on so-called hacktivism. Ed Skoudis is founder and senior security consultant with the company InGuardians and a fellow at the SANS Institute. Nick Bilton is a reporter for The New York Times, where he's the lead technology writer for the newspaper's Bits Blog. We're inviting your calls, 800-433-8850. What concerns do you have about your own private information in the wake of the massive data breaches at places like the PlayStation Network? Call us, 800-433-8850. Send us a tweet @kojoshow or email to kojo@wamu.org. It's Tech Tuesday. I'm Kojo Nnamdi.

  • 12:42:23

    NNAMDI: Welcome back to our Tech Tuesday conversation on hacktivism. We're talking with Ed Skoudis, he's the founder and senior security consultant with the company InGuardians and a fellow at the SANS Institute. He's the author of the books "Counter Hack... Reloaded" and "Malware: Fighting Malicious Code." He joins us by telephone from Michigan. Joining us from studios in New York is Nick Bilton. He's a reporter for The New York Times, where he's the lead technology writer for the newspaper's Bits Blog. Back to the telephones, here is Sasha in Greenbelt, Md. Sasha, you're on the air. Go ahead, please.

  • 12:42:56

    SASHA: Oh, thank you. It's great to hear you guys online. It's awesome. I actually don't check my bank accounts on my personal computer. I use my work computer when possible because they have more robust security than my home computer. But for fear of any of my personal information getting hacked online, I try to limit anything that I check on my personal computer.

  • 12:43:20

    NNAMDI: Ed Skoudis, is that necessarily a good practice?

  • 12:43:23

    SKOUDIS: Yeah. I think that's wise. She probably does have a corporate computer that is more well-guarded with an IT staff that is aware of some computer security issues, so I think that's a good idea. You know, there's a related thing that somebody could do. Even if they don't have a corporate computer versus a personal computer or even multiple personal computers, and that is simply running a different browser for your sensitive application. So if you do, say, online banking or if you do purchasing things via e-commerce, using a different browser for that helps actually.

  • 12:43:58

    SKOUDIS: Somebody might hack your (word?) browsers, say you use Internet Explorer just for surfing the Net, or they push the malicious code into your browser. But then if you do your banking using a separate browser on the same computer, maybe use a Firefox for your Internet banking, that helps to improve your safety. It really does.

  • 12:44:16

    NNAMDI: Sasha, thank you very much for your call. Nick Bilton, back to Sony and what happened with the Sony PlayStation. What kind of legislative fixes have people proposed? And how would they force companies to spend more -- like Sony, I guess, to spend more time and resources on data security?

  • 12:44:34

    BILTON: Well, there's a number of things that are happening right now. There is a number of subcommittees that are, you know, actually investigating and they actually asked Sony to speak last week, although the company declined saying that there was an online -- ongoing investigation. But there's the McCain-Kerry Bill, which is called the Privacy Act, the Online Privacy Act, and one of the parts of that bill says that if companies keep X, Y or Z type of information that they have to employ a certain type of protection and servers and systems to protect that. And if they don't, they would be fined or they could -- there could be other legal ramifications.

  • 12:45:12

    BILTON: But it, you know, I think the big question is whether or not this stuff actually makes it through that, you know, through Congress. And right now, it's kind of, as you said, the "Wild, Wild West" out there. You know, take Facebook, for example, you know, Facebook has over half a billion users that generate more than 360 billion actions a month, right? It's estimated that Facebook is gonna serve up a trillion ads on its network to its users this year alone. And all of those ads are taking personal information from people and people's status updates and the photos they upload and the things they like, and delivering these highly personalized ads.

  • 12:45:49

    BILTON: And so -- but there's no legislation that says Facebook, because it has all this information about all of these people, has to protect it in an X, Y or Z way. And I think that that's one of the fundamental things that needs to be brought into law. And I also think that if people that don't follow those rules, there has to be some repercussions because right now there are none.

  • 12:46:08

    NNAMDI: Well, here's a comment we got on our website from Ty about that, "I would like to relate the hacktivism to enforcers in hockey. When a ref misses a call or one of your stars gets abused, the enforcer goes in and enforces the law the way he sees fit, usually with greater force. When the game of hockey was cleaned up by adding refs and making more calls, the enforcers were used less. If proper laws with regard to technology are enacted that protect everyone, companies and consumers, you will see less hacking." You think that's true, Nick Bilton?

  • 12:46:41

    BILTON: Yeah. I think absolutely. I think that -- I don't know we'll necessarily see less hacking, but we'll see abilities to protect people's information more. You know, when you go online and you sign up for any service these days, they ask for a name, a password, sometimes your date of birth, your address, your credit card information, and we're exchanging all of this really highly sensitive, highly personal information to access these services. And then we don't really have any say with what happens with that information afterwards.

  • 12:47:08

    BILTON: And I'm sure that if you went along to five start-ups, even small ones or large ones or corporations and ask them how they protect their -- the user's information, they'll have different answers for you. And so that there are no rules that say you have to travel at this speed limit on the highway, you know, you have to wear a seatbelt. There's none of that legislation that's in place yet to really protect consumers online.

  • 12:47:31

    NNAMDI: Ed Skoudis, think that would help you?

  • 12:47:34

    SKOUDIS: I think it would help. It would drain the swamp a little bit of very weak companies. I don't think it'll cut back on the hacking itself. There's incredible motivation for cybercrime. Bad guys are very unlikely to go to jail, they're often operating outside the U.S. from countries where -- even if there were U.S. laws or extradition treaties, they wouldn't be very well -- the extradition treaties wouldn't be very well enforced internationally. So I don't think it will cut down on the hack attempts that you think the laws can help to shore up our critical infrastructure as well as with companies that store such sensitive information are doing. So I think it would cut down on the vulnerability side, not the hacking attempt side.

  • 12:48:15

    NNAMDI: Here is Aaron in Fairfax, Va. Aaron, you're on the air. Go ahead, please.

  • 12:48:20

    AARON: Hi, Kojo. Thanks for taking my call. I'm calling because I have a friend that runs a small business and she's been hacked repeatedly. And she's pretty sure she knows the person, but, you know, it's always hard to tell -- you can't tell who it is. And I was wondering is there any way to like implant a program on your computer on a file that would look very, you know, important to a hacker that would ruin their operating system. Or is there -- are you always on the defense? Like if you put a worm on an Excel spreadsheet or can you -- I don't know a whole lot about how it works.

  • 12:48:53

    NNAMDI: Ed Skoudis?

  • 12:48:55

    SKOUDIS: Well, I mean, while that is possible, I -- we don't recommend it. (laugh) You know the old saying if you play with fire, you're very likely to get burned. And I wouldn't put something on my computer system that somebody else inadvertently accessing would cause damage to their machine. Because, for example, it could go to the employees of this person that you're suggesting or she may accidentally include that file in an email attachment. It could spread in ways unpredicted. And they probably wouldn't do it. Now there are things that you could do short of that, though, something that would infect somebody else's computer. There's this concept called a Web bug. A Web bug is a really simple thing.

  • 12:49:46

    SKOUDIS: It's a small image file that's implemented as Web-based HTML. And when somebody opens a document that has a Web bug in it, it goes and accesses your Web server. So you can tell that, hey, this person just opened my document and looked at it. Now to implement a Web bug, though, you need to know a little bit of HTML -- it's not that hard to do -- and, well, you need to have a server that's going to be accessed so you can see when they're coming to your server. But I wouldn't do anything more significant than just a Web bug. Anything else is inviting trouble.

  • 12:50:07

    NNAMDI: Thank you very much for your call, Aaron. And on to Susan in Reston, Va. Susan, your turn.

  • 12:50:14

    SUSAN: Oh, hi, Kojo. Thanks for having the show. I have realized over this whole build-up of the Internet that there weren't laws to really protect our privacy. Even now they're having hearings today about -- you know, I have an iPhone and everywhere I go is being watched, and I never even knew it. So thinking that if there weren't laws to protect me, I have been very careful at how I use the Internet and don't say anything or write anything unless, you know, I would want the whole world to know. I just don't feel free on it like I would like to just because there aren't laws to protect my privacy. So thank you.

  • 12:51:05

    NNAMDI: I'm glad you brought up the issue of your iPhone, Susan, because, Nick Bilton, you know that the technology has a way of moving far out in front of the law so that by the time people are talking seriously about data breaches like the one that hit Sony or, for that matter, about whether our iPhone is portraying -- is sending information about our locations wherever we happen to go, what kinds of new problems do you think that we'll be looking at in the future?

  • 12:51:31

    BILTON: It's a great question. I mean, I think that we're gonna -- you know, the rise of mobile devices is really going to -- gonna change things as more mobile devices become banking devices. It's more incentive for hackers to gain access to these devices. It's pretty amazing the amount of information that we have on these mobile phones, on these smart phones. We, you know, we have all of our contacts. We have our own personal information, our emails, our text messages, banking applications.

  • 12:52:01

    BILTON: It just -- the list just goes on and on and on. And if someone somehow manages to get into that device, there's a tremendous amount of harm that they can do. And I think that we're gonna see a lot of that. Other issues that people are worrying about right now is the rise of location-based services where you look for restaurants around you or, you know, things of that nature. And if someone can get access to that highly sensitive information, it could be very damaging.

  • 12:52:27

    BILTON: And so there's just a long list of things that I think we haven't even seen happen yet that will be taking place in the next couple of years when it comes to hacking on devices.

  • 12:52:38

    NNAMDI: Ed Skoudis, we noticed in the developing world, specifically when you are in Haiti, that people use mobile devices to pay bills and to pay for their goods over the counter. Are we looking at, in the future, more and more security concerns about mobile devices?

  • 12:52:52

    SKOUDIS: Absolutely. I mean, if you think about it, I mean your cell phone is the ultimate spying device. It knows where you are. It can listen to you. Many have cameras, so it can look around and see things. If somebody could hack that, they could activate any one of those features -- geolocation, audio. They could activate the cameras and figure out what's going on. I remember, you know, 10, 15 years ago reading a lot of people -- a lot of academic papers, where they were writing about global sensor networks.

  • 12:53:23

    SKOUDIS: And what if we could have a global sensor network with, say, 100 million devices on it that would just sense things, you know, like the weather, barometric pressure, sense things like traffic and so forth? And it occurred to me, reading about some of these recent things with Android and the iPhone, that we now do have a global sensor network. It is everybody's, well, smart phone. And we do have 100 million-plus devices out there that are constantly pulling in data and shipping it to this small number of organizations. They can be used for analytics and also abuse or some very nasty things.

  • 12:53:59

    NNAMDI: On to Lucas in Arlington, Va. Lucas, you're on the air. Go ahead, please.

  • 12:54:05

    LUCAS: Hi, Kojo. Thanks for taking me. I just wanna bring an important point about how Sony was protecting its network. A large part of it, I think, was that they had locked down their systems and relied largely on a -- basically the hardware that was in consumers' hands being secure in order to protect their network. And when that happened, when it was hacked not too long after that, then their entire network was hacked. And I'll take my answer off the air.

  • 12:54:38

    NNAMDI: Nick Bilton?

  • 12:54:40

    BILTON: Yeah, that's exactly what happened. You know, a lot of instances -- I mean, you can take Microsoft, for example. A lot of the security with Microsoft transactions and someone happens on the server side. So it happens in a huge data warehouse where there's, you know, there's millions of computers and there's firewalls and all these things to protect it. And what Sony did was they said, well, we're gonna put a lot of our security on the device because we think that no one can hack this device.

  • 12:55:07

    BILTON: And it turned out that they went the wrong way. And once someone hacked the device, or once a collection of people hacked the device and shared how to do that, it was relatively easy to get through the firewall and gain access to this information. I spoke to -- interviewed a number of security experts and hackers who've done this kind of stuff when I was writing these stories about the Sony breach. And they said it was relatively easy to do. It was -- it wasn't, you know, it wasn't this really in-depth difficult task. It was -- once somebody gained a certain amount of code and put it online, it was like -- it was a free-for-all. Anyone that wanted to get in could do so.

  • 12:55:47

    NNAMDI: Lucas, thank you for your call. Ed Skoudis, this email we got from Matt. "After my personal ID information was stolen from the PlayStation network, I've changed my password on all online accounts. Additionally, I've created an email account that is now dedicated to online accounts only, and it's separate from my personal email account." Is that a good security measure, Ed Skoudis?

  • 12:56:12

    SKOUDIS: Yeah, it is. That's actually very wise. Good for you for doing that. One thing I would recommend is to not synchronize your passwords between the various accounts. So if you have an online bank account, if you have an account where you, you know, buy movie tickets, you have a separate account where you buy books, you might wanna have a different password for each one of those accounts. And you might say, well, how is it possible for me to memorize those, you know, seven different passwords I'd have to have?

  • 12:56:37

    SKOUDIS: And my advice is to have a base password. So some sort of base password very difficult for somebody to understand and know, but easy for you to remember. And then add to it a couple of characters that are associated with the particular area where you got that password. So, for example, if you have an Amazon password, you might add a couple of characters that remind you of Amazon. Now I wouldn't add AM because that's just too easily predicted, but you might increment each letter of the alphabet.

  • 12:57:04

    SKOUDIS: So instead of adding AM, you would add BN or something like that. Of course then you wouldn't want to have Barnes & Noble because then you have to increment that. Maybe CO or something. But having a separate password that you can easily remember and then maybe tweak to customize it for each of those different online accounts is really good stuff. And I'm glad to hear that your caller changed his password after that breach. That is wise.

  • 12:57:27

    NNAMDI: And we're almost out of time. But, Nick Bilton, we got this Facebook comment from Mark. "Is Anonymous a group or is it a part of a subculture? I imagine them as all the gamers and young people who had Internet in their bedrooms and are now in their 20s, 30s."

  • 12:57:42

    BILTON: It is -- it's a relatively unorganized/organized group, if that makes any sense. You know, there are -- it's like -- Nate was saying earlier. You know, I've seen instances where someone has gone on the Anonymous board and they've said, you know, let's go after this company. And a couple of people have jumped on it and said, eh, not in the mood. And it just doesn't happen. And there are other instances when they do and it's successful and they bring down a huge entity or government.

  • 12:58:09

    NNAMDI: Can't break them down that easily, demographically. Nick Bilton is a reporter for The New York Times where he's the lead technology writer for the newspaper's Bits Blog. Thank you for joining us, Nick. Ed Skoudis is a founder and senior security consultant with the company InGuardians and a fellow at the SANS Institute. Ed, thank you for joining us. And thank you all for listening. I'm Kojo Nnamdi.
