Saying Goodbye To The Kojo Nnamdi Show
On this last episode, we look back on 23 years of joyous, difficult and always informative conversation.
In the information age, our economy has become increasingly reliant on cyber infrastructure. But security researchers are finding gaping holes in those systems, some of which expose everything from water plants to power grids. We chat with a pair of “white hat” hackers who used to work for the federal government, one of whom has won worldwide fame for penetrating popular Apple products.
MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. At their core, the most impressive structures in the cyber universe are nothing but lines and lines of code. And if you know where to tamper with that code at just the right spot, you can topple over everything from the software behind the most popular smartphones to the control systems that automate our power grids and water plants. Some hackers are hunting for these holes to abuse them and to do harm.
MR. KOJO NNAMDIBut other so-called white hat hackers are busy busting holes in different forms of cyber security so that public and private players can get busy fixing them. This hour, we're joined by two such computer experts and an investigative journalist who recently explored just how much of our cyber infrastructure is susceptible to attack. He joins us in studio. Robert O'Harrow is an investigative reporter at The Washington Post. He's also the author of the book "No Place to Hide." Robert O'Harrow, thank you so much for joining us.
MR. ROBERT O'HARROWGood afternoon.
NNAMDIYou, too, can join the conversation at 800-433-8850. Joining us by phone from Alabama is Charlie Miller. He is principal research consultant at Accuvant Labs. He's a former employee of the National Security Agency. Charlie Miller, thank you for joining us.
MR. CHARLIE MILLERThanks for having me.
NNAMDIWe await our third guest. He is expected to arrive at the studio where he's located shortly. So, Robert O'Harrow, I'll start with you. Over the course of the summer, The Post has been running an investigative series of yours titled "Zero Day." Let's start from there. When it comes to the world of computer programming, a zero day is an absolute nightmare. What exactly happens during that kind of event?
O'HARROWAll computerized systems are run by code, and it turns out that in that code, trillions and trillions of lines are uncounted numbers of these things, vulnerabilities, called zero days. And the name comes from the ideas that they have not been discovered until a hacker finds them. And so they're not known, and there's no way to patch them.
NNAMDIWhat are some good examples of recent zero day events, either from the corporate world, the government, or the military world?
O'HARROWThe most notable example of a zero day attack occurred when the U.S. and Israel went after a nuclear processing plant in Iran. They wanted to disrupt their nuclear capabilities and their research, and they used four zero days, which, according to guys like Charlie Miller is -- was startling. And those zero days enabled U.S. and Israeli cyber warriors to send a worm into the processing plant, get through all sorts of protections, firewalls, security, checkpoints in cyberspace and download malicious code that made centrifuges run out of control and damage themselves.
NNAMDICharlie Miller, you used to work for the federal government. Now, you're what people in cyber communities call a white hat hacker. What is a white hat hacker, and what do zero days have to do with you?
MILLERSo a white hat hacker is basically one of the good guys, so the black hat hackers who are the bad guys, they're the guys who break into systems, you know, credit card numbers, steal personal information, that sort of thing. And so what white hat hackers do basically, you know, try to find vulnerabilities and point them out, get them fixed. I work as a consultant, so companies hire me to look at their code and find problems and help them get those problems fixed before the bad guys can take advantage of them.
MILLERAs far as zero day, so basically you think about, you know, if a bad guy wants to attack your home computer or the computer of a, you know, big corporation, then they probably don't need a zero day. So zero days are the most sophisticated of computer weapons. So, you know, most people don't keep their systems always up to date. You know, there's always some system on some corporate network that someone forgot to patch, or, you know, you're at home, and you hit a -- well, I'll patch it later.
MILLERBut -- so, usually, you can get in to most computers with known vulnerabilities, but if you want to attack the most secured systems, you know, military systems, government systems, that's when you need zero day vulnerabilities because these are the ones that no one knows about. So -- and if you don't know about it, it's really hard to defend against an attack like that.
NNAMDICharlie, before we get into some of the stuff you've been able to do, tell us how you developed the technical skills that you use today. Are these things you learned in school, professionally, or on your own?
MILLERIt's something -- that's a great question, and this field is really interesting because there's not a lot there -- you know, a lot of people come from a lot of different backgrounds in computer security, so there's not really a great university track to this field. So I have a Ph.D. in math, but I don't really use math on a day-to-day in my job. So what I did is I went to NSA for five years, and basically there, I learned the trade, so to speak. And since then, I've been a consultant, you know, using the trade to help people.
MILLERBut, yeah, so a lot of the people who work with me, they have high school degrees, and they just taught themselves on their own time. And there's a lot of people who have computer science degrees. There's a lot of people who don't. You know, people have math degrees, like me, or English degrees or other things. So it's really an interesting field that, if you can show that you have the skills to do it, people will still hire you and give you a job. You don't necessarily have to have a certain certificate or something like that.
NNAMDIRobert O'Harrow, in the investigative work that you've been doing, dealing with guys like Charlie and Billy Rios, who will be joining us soon, is there a common characteristic there? It's clearly not the same field of education that they all come from. What is, in fact, if there is, a common characteristic?
O'HARROWThere's a couple of things that I've noticed, and one is that they tend to be obsessive. They tend to be able to focus intently for long stretches of time, and they tend to be like trout fishermen that, once they find one vulnerability, they want to find more and it's hard for them to stop. If there's a chance of hooking an interesting vulnerability, they'll just stick with it.
NNAMDICharlie Miller, what are the things that stoke your imagination or give you motivation to start tinkering around and say I wonder where the holes are with this device or this network?
MILLERRight. I love to find bugs and flaws in systems, and every time I see something, I always wonder, you know, what could go wrong with this? And, you know, for me, it's just fun, something I enjoy to do. But I think that there's -- you know, there's lots of people like me. And, you know, while some people play sudoku for fun, I find bugs in software for fun.
NNAMDIWe're talking on Tech Tuesday about zero day and white hat hackers with Charlie Miller. He's principal research consultant at Accuvant Labs. He's a former employee of the National Security Agency. He joins us by phone from Alabama. And Robert O'Harrow is an investigative reporter at The Washington Post and author of the book "No Place to Hide." He joins us in studio. Robert, you were about to say?
O'HARROWI just wanted to point out that I think Charlie would agree that there are a lot of guys that are driven by this, and they find it fun and fascinating. Behind that are some very serious, very challenging problems for national security, for the corporate world, for personal privacy, and what Charlie has helped me to do, and Billy Rios and others, is to try to explain to people the fundamental challenge that we face now at this point in our history.
NNAMDIBilly Rios joins us now from studios at Stanford University. He's a computer security researcher. He's a former U.S. Marine. He currently works on security issues for Google. But the opinions he'll be expressing today are his own. He's a co-author of the book "Hacking: The Next Generation." Billy Rios, thank you for joining us.
MR. BILLY RIOSThanks for having me. Appreciate it.
NNAMDIWe were asking Charlie Miller earlier about how he got in to being a hacker, how he learned the skills, the technical skills that he uses today. Same question to you. Are these things that you learned in school or professionally or on your own?
RIOSYou know, I think the educational environment provides a good foundation. You know, I have a bachelor's degree in business with a concentration in information systems. I have a master's degree in information systems. I have an MBA. But a lot of the stuff I learned in school isn't directly applicable. It's more about curiosity and just kind of going down the rabbit hole, finding security issues.
RIOSAnd then, you know, once you find a couple, you get kind of bitten, you know, and you just want to find more and more. And it's just insatiable curiosity that it just can't be quenched basically, so you just keep going and going. And, you know, everyone that I meet that does this kind of have the same mentality and same attitude towards it.
NNAMDII'd like to invite our listeners to join this conversation by calling 800-433-8850. What concerns do you have about the security of the personal electronic devices you use regularly, like your computer, your smartphone? How do they compare to the concerns you have about the security of the computers hooked up to our power grids, our water systems? Call us at 800-433-8850. Send email to kojo@wamu.org.
NNAMDIYou can send us a tweet, @kojoshow, or go to our website, kojoshow.org. Join the conversation there. Robert O'Harrow, in the series that you put together, you've analyzed how basically anything that runs on computer code and is linked to a network can become a target of intrusion, everything from an iPhone to an electrical grid. What sense did you have at the beginning of your reporting process for how vulnerable we are as individuals and as a society, and what sense did you end up with?
O'HARROWI started on a foundation of my book, "No Place to Hide," which is about the data revolution and about things digital and so on, that had a lot more to do with domestic intelligence and surveillance and so on. But I knew that cyber was a problem. I had no idea how deep and broad an issue it is and how a difficult challenge it's going to face us -- that we're facing for many years to come.
O'HARROWAnd in talking with Billy, Charlie and a bunch of other government people, former NSA types, I resisted coming to the conclusion that it was as bad as it is for a long time, but, eventually, I realized this is a profound issue that we're facing.
NNAMDIYou've said that even though cyberspace runs in code of ones and zeros that it's the most dynamic thing that humans have ever created, and that sounds like a bit of a paradox, the simplicity on the one hand, the dynamism on the other.
O'HARROWIt's a fascinating thing. The scientists, a group of top scientists got together to explore whether science could contribute to a better understanding and resolution of some cyber security problems. The group called the JASONs, they concluded that cyberspace is so complex that it leads to things that were never predicted and can't even be explained well.
O'HARROWAnd it all grows out of the simple ones and zeros, which is a wonderful seeming paradox, and it also helps to explain why there are so many zero days because it's so complex that even the code writers don't sometimes know how these systems are going to interact and the kind of vulnerabilities that are going to be created.
NNAMDIWhat do you see as the significance of the Pentagon declaring last year that cyberspace is a domain of war?
O'HARROWI believe that at some level it's a pragmatic announcement. There's a lot more going on here than the Pentagon wants us to sort of be talking about. There's a great deal of unease in the Pentagon, and there's a remarkable debate going on about there are certain people that believe there should be extreme openness about what they're doing and how they're trying to confront this.
O'HARROWAnd there's another arm at the Pentagon that believes, as did the -- some members of the Pentagon back in the 1940s and '50s, that everything should be cloaked in extreme secrecy. And so I think that's going to have to be resolved that probably until we make -- until we can make progress.
NNAMDILand, air, sea and cyberspace.
O'HARROWThat's right.
NNAMDI800-433-8850 is the number to call. We're going to take a short break, but you can still call. How do you think companies behind the software running things like the iPhone should balance security with user friendliness and connectivity? 800-433-8850. You can send us a tweet, @kojoshow. You can use the #TechTuesday. Send email to kojo@wamu.org or ask a question, make a comment on our website, kojoshow.org. I'm Kojo Nnamdi.
NNAMDIIt's Tech Tuesday. We're discussing white hat hackers and what's known as zero day. Robert O'Harrow is an investigative reporter at The Washington Post. He's also the author of the book "No Place to Hide." You can find his series on zero day at The Washington Post website, washingtonpost.com/zeroday. You can find a link to it at our website, kojoshow.org.
NNAMDICharlie Miller is principal research consultant at Accuvant LABS. He's a former employee of the National Security Agency. And Billy Rios is a computer security researcher. He's a former U.S. Marine, and he currently works for -- works on security issues for Google, even though he is not speaking for Google today. He's co-author of the book "Hacking: The Next Generation."
NNAMDICharlie, let's get a better sense of how we've connected this at the individual level. One of your greatest hits as a hacker came when you entered a contest last year to break into the iPhone. When you decided to take that on, you looked at that device, and there are about 200 million of them that have been sold around the world. But what did you see?
MILLERWell, what I saw was not a telephone like I grew up with, where you could make a phone call and that was it. I saw a little computer that you could carry around your in pocket that could do everything that your desktop computer can do and a lot more. So, you know, there's a lot of code that's on there that maybe you don't even know about. So, you know, your iPhone can surf Web pages, show videos and pictures. And every time that the code has to process one of those files, there's a chance that the developer who wrote that code could've made a mistake.
MILLERAnd that mistake can lead to an attacker being able to run code on your device. And so I sat down, and I -- you know, I asked myself, you know, what's some of the most complicated code that's running on this device? And I figured, where the complication was, maybe that's where there would be bugs, and so I focused in on the part of code that an iPhone will let you render PowerPoints. So, you know, you might not ever use this feature, right? There's not many people that need to look at PowerPoints on their iPhone.
MILLERBut the feature is still there, and the code is still there. And a bad guy can still get that code to run. And so I found a flaw in the way that PowerPoints are processed. And in the contest I had the judge surf to a (word?) Web page that I had created, and it rendered a PowerPoint and it allowed me to do what I want. In this case, I stole all his contacts and all of his friends' email addresses and phone numbers, shipped them off to my server. And that was how I proved that I had hacked control of the phone and won the contest.
NNAMDIThe process that you used to get to that point is apparently known as fuzzing. What is fuzzing?
MILLERAll right. So fuzzing is a way to test software. Basically, it has to do with -- you know, you -- if you want to figure out where the bugs are in software, there's a couple ways you can do it. One is you can just stare at all the codes, right? All the bugs are in all the code if you just stare long enough and then read it. But that's really hard. Another way to do it is to just send lots and lots and lots of different test cases to the thing and see what happens. So in my case, I was interested in PowerPoint, so I created tens of thousands of, you know, even hundreds of thousands of PowerPoints.
MILLERAnd what I did was I would just make little changes to them that -- you know, unexpected changes that whoever wrote the code to deal with PowerPoints would never expected these kinds of changes in these files. And then I would just try to open up the file. And, you know, 99 percent of the time, nothing bad would happen. It would say -- it would either show a file that was slightly screwed up, or it would say, sorry, this file is corrupt. But, you know, some fraction of 1 percent of the time, the program would crash.
MILLERLike, it was so bad that the program didn't know how to deal with it, and it would just fall over on itself. And, you know, even though that doesn't happen very much, if you're going to run 100,000 test cases and something happens 0.01 percent of the time, still happens enough to be interesting. And so one of these times when the program crashed, I was able to figure out what went wrong. And then that was how I found out what the underlying vulnerability was in the software.
NNAMDIHow did Apple react when it found out what you had done?
MILLERWell, I've been working with Apple products for a long time, and so they certainly know who I am. And, you know, they're -- I mean, the good news about this contest is the vulnerability, I give it to the people who run the contest, and they give it to Apple, and Apple releases a patch. So this is one less bug that is on everyone's iPhone right now. But, of course, Apple doesn't really appreciate all the negative publicity. And so, you know, I sort of have a love-hate relationship with them, or I should say they have that with me.
NNAMDIRobert O'Harrow, when he just described, Charlie did, what he had to do to get them, he said .01 percent of the time is when you'll find the vulnerability. That indicates what you were saying earlier about the skills and qualities people like Charlie and Billy possess. It's not only the obsessive quality. It has to be a high level of diligence.
O'HARROWA lot of diligence, but as Charlie would tell you, he used an automated system that included borrowing his wife's computer. And he -- think of it as, you know, almost a digital barrage against the system. And he would run it all night long, and he'd wake up in the morning -- and as I described, it was like, I got a sense of a kid hoping there would be snow, and he would go to the computer. And when he found stuff, he'd be like, sweet, let's figure this is the zero day. So, we did have the help of automation, but, even then, it takes a lot of diligence, a lot of obsessiveness.
NNAMDIOK. Before we get into the hack of Billy Rios' that you reported on last week and how he did it, what's the Niagara Framework that Billy broke into? What is it and who uses it, Robert?
O'HARROWWell, I'd like to start with my -- how it dawned on me. I went to a conference of hackers/security folks. And sometimes you don't know which is which. Some cases, they might wear a white hat and a black cap, but you never really know. Anyway, there was a group of these guys down in Miami in January, and there was a researcher there who presented findings that there were thousands and thousands of industrial and commercial control systems linked to the Internet.
O'HARROWThe reason that matters that these commercial control systems are the pivot point for controlling devices that matter to us, everything from a power generator to a surveillance camera or access control. But nobody really seemed to know who ran some of these, and we knew that there was a system, Niagara, and I simply asked the question, what was Niagara? And that took me to a company in Richmond named Tridium.
O'HARROWAnd it turns out that Tridium produces this software framework that the goal of which is to control any device anywhere on the planet from anywhere on the planet. And it works. It's quite a thing. And what it lets you do is sit at your web browser just like you would at home and with your mouse control a device that would give you data about fire detection, would let you run an elevator, could let you run a camera and so on if it's properly set up.
O'HARROWAnd so when I found out the degree to which this company was involved all over the world in 52 countries, I went back to this guy that I'd met that I thought was very interesting, Billy Rios, and I said, did you realize that Niagara is being used by the Defense Department, by U.S. Attorney's Office in Chicago, by houses all over the world, by plants, hospitals? And Billy, who's a savvy character, said, you know what, you know, we're going to check this out. And he and a partner of his, Terry McCorkle, went off and several days later came and told me the news of what they had found.
NNAMDI800-433-8850 is the number to call. I'm going to get to the phones in a second, but I wanted you to hear these stories first so you would have an understanding of not only what the challenges that we're facing but exactly what it is that these white hat hackers do. Robert O'Harrow, would you say there's been a rush for connectivity so much so that the rush to get there has been stronger than the rush for security?
O'HARROWTridium is only a microcosm of a much larger thing that's happening on our planet. There's a Cisco researcher that said that for the first time in about 2008, the number of devices connected to the Internet exceeded the number of people on the planet. That number is going to rise to about 12 -- over 12 billion about now, and it's going to double to 25 billion in 2020. In other words, it's almost an unbelievable thing. And it's not wonder it's almost like science fiction that we're allowed -- that we're enable to connect all these devices.
O'HARROWBut as with so many things that are related to technology and money, there is clearly a rush that went way beyond our understanding of the implications, the security and so on because of the conveniences and because of the profit motive, which are understandable, but now we have this problem of massive widespread vulnerabilities.
NNAMDIBilly Rios, it's my understanding that you became interested in the Niagara Framework after a conference in Miami. What was it about the Niagara Framework that made you want to give it a harder look?
RIOSRight. As Bob said, I think, you know, we had chatted about this Niagara Framework, and we realized that it was basically everywhere. A lot of places were using it for a lot of different reasons. And it really didn't seem like it was that accessible. What I mean, accessible, I mean, you know, the software wasn't that easy to obtain, and information about the software wasn't very readily available. And so those kind of things really perk our interest, you know, when it seems like the vendor is trying to maybe hide some of their software or make it to where their software doesn't undergo any scrutiny.
RIOSThose things really catch our attention, you know. And so we had chatted with some folks -- it was on balcony in Miami, you know, over cigars and beers, and we're saying, hey, you know, I think this software is really interesting not only from what it does but from kind of the way the vendor is sheltering it, so that -- it -- a lot of things piqued our interest in the software.
NNAMDIIt's my understanding that it only took you a grand total of two days to go from having zero knowledge of how this framework functioned to being able to steal people's passwords remotely. How did you go from point A to point B so quickly?
RIOSRight. You know, as soon as we found out about the software, we tried to get a copy of the software, and the vendor obviously said no. And the next step for us was to just learn as much as we could about the software. So we went on to various forums like customer support forums and technical forums, and we just read as much as we could, just to get an understanding of what it does, how it works, the little small technical details, things that people are having problems with, known, you know, problems with the software.
RIOSEventually, we stumbled across some technical manuals. As soon as we got those, we just pored over every page of that just so we can get a good understanding. And then eventually, I think it was a marketing guy who said, hey, you know, we've set up the latest version of this software on a demo website. If you want to come take a test drive, you're more than welcome to. And then once that was there, we just -- we went at the demo website, and we took a look at it and just kind of confirmed some of the things that we had suspected. And that's when we came across all these bugs.
NNAMDIHow did the Department of Homeland Security respond when you told them about the hack?
RIOSWell, you know, Terry and I -- the colleague that I had, that we've -- we've been doing a lot of industrial control system security research. And this is, you know, probably, you know, the 30th or 40th, like, major issue that we've reported to them. So, you know, they knew who we were, and they knew the type of research that we did. And so we handed this over to them. And typically what happens is, you know, they try to basically contact the vendor and the vendor has some questions.
RIOSAnd, you know, eventually you get some kind of status update saying that they're going to fix it in an upcoming release. But, you know, I think we were both a little bit shocked in that the vendor was just totally unresponsive in this case. And they just didn't want to basically take responsibility for the issue. And so it kind of left us scratching our heads. And so we gave them a little bit more time, I think, up to about, you know, six, seven months. And finally, we said, hey, you know what, if they're not going to do anything, you know, people should probably be made aware of this.
NNAMDIAnd, Robert O'Harrow, so we can be clear about exactly what it is that Billy Rios was able to do, he found a flaw that gives remote attackers the ability to download all the usernames and passwords for all the users on the Niagara server. He tested it against the demo server, it worked. Tested into -- tested it against a couple of other places, and it worked. He called the attack trivial and very reliable.
O'HARROWThe -- it's called a directory traversal. And when they discovered it, as I heard it from them, it was a bit of a surprise because it's a very old attack and presumably, being as well known as it is, should not have been there. And it enabled them to download something known as a configuration file or config file that should not have been as readily accessible. And we know that because the company -- when I took my knowledge to them, with help from Billy and talking to folks at DHS, and I said, guys, here is what I know happened.
O'HARROWHere is the vulnerability. This config file -- you have a hash, which is a formula to obscure the information in it, but, nevertheless, they can break the hash. The company said, well, we're going to fix this. We're going to educate our customers. We're going to move the config file to make it harder for anybody to access it, and we're going to fix this hash, which is not sufficiently strong. And they more or less acknowledged that their system was not anywhere near as secure as they would like it to be and is probably as customers expect.
NNAMDIBefore I go to the telephones, Charlie Miller, any comments you want to make?
MILLERI mean, I think the -- I just wanted to point out -- you already mentioned, you know, cyber warfare earlier. And the biggest difference -- and I think it's important to talk about this -- between, say, cyber war and real conventional war is that if you put Billy and me in a room for six months and we come out with a, you know, a cyber weapon that could basically get us in any system we wanted, but if we wanted to build a tank or a jet fighter or something, that's something that is totally unreasonable that we would never be able to do.
MILLERAnd so, you know, this idea that, you know, two or three or five people can build cyber weapons -- and we're used to dealing with, you know, large corporations and millions and millions of dollars to build weapons, it's like a total dichotomy that I think, you know, we're still trying to figure out how it's going to work.
NNAMDIRobert.
O'HARROWWell, Charlie raises a really interesting point that I'd like to underscore, which is I think it will help people if they just accept that a hack and a cyber weapon are the same things. A cyber weapon is going to be much more sophisticated. It's going to have the resources of a nation state, i.e. the U.S. or France or Russia, China in particular. But the arc of it, the way the attack occurs -- and it may be more elaborate, but it's the same thing that's happening. And I think if people come to accept that, they're going to realize that serious -- that the situation is very, very serious indeed.
NNAMDIOn to the telephones. We'll start with J.R. in Baltimore, Md. J.R., you're on the air. Go ahead, please.
J.R.Hi, guys. This is really awesome, pretty informative. I'm thrilled that I'm still picking up in common with a lot of those hacks is you started out with virtually no knowledge of the device because the manufacturer likes to keep their documentation proprietary or they like to keep their specs under wrap. And there's also the DOD approach of classifying it. And it sounds like security through obscurity is not working, that you guys are pretty able to penetrate that.
J.R.How do you think that's going to impact corporate culture going forward? Do you think there is going to be an open standard organization or any sort of certification where corporations will eventually be forced to subject their code to scrutiny and certification for security purposes?
NNAMDIRobert O'Harrow.
O'HARROWI think those guys are going to have a deeper response. But I will say that Charlie, lots and lots of other people, the SANS Institute and others have pointed out that code is being written and sold on the fly in effect. And it gives us all these marvelous benefits. I mean, they really are wonderful value to us as a society and in our entire world. But a lot of it is slip shot, a lot of it is shot through zero days, and there really are no standards.
O'HARROWAnd, in fact, some of the companies that write code have figured out how to propose legislation regulation that absolves them of responsibility, so some of this is going to have to be part of the equation of solutions going forward.
NNAMDIBilly Rios, care to comment?
RIOSYeah. You know, I agree. I think the first step is to just learn as much about a system as you can before you start taking a look for bugs or whatever. But I would also like to point out that I agree. You know, I agree with the caller that security through obscurity doesn't work. You know, you can make your system as complicated as possible, and you can try to hide your documentation or make it so our researchers can't get the software or trial versions. But eventually we're going to figure it out.
RIOSYou know, I think it's just our personality, our nature. We're going to find out as much about it as we can, and we're going to find out -- we'll probably know more about the software than the developers do at the end of the day. And so you're right. Security through obscurity doesn't work, and I hope that the vendors realize that and they change their culture.
NNAMDIThank you very much for your call, J.R. We move on to Allan in Gaithersburg, Md. Allan, your turn.
ALLANHi. Very interesting show, Kojo. Quick question. I read recently that one of the digital certificates used to sign the Stuxnet worm was a Microsoft certificate. And, you know, there's been some speculation that the information needed to do that could have come from somebody within Microsoft. Obviously, there's no proof of that. But I was wondering if the guests could, you know, comment on basically the U.S. government spying on U.S. corporations to create these sort of cyber weapons.
NNAMDICharlie?
MILLERWell, yeah. I think the caller points out -- so there's -- certainly Microsoft could sign cyber weapons that are, you know, malware or anything they wanted to do, and if the government asked them to, they may or may not. But there's no evidence that that was the case for Stuxnet. You know, again, they certainly could have signed it, but there's no evidence they did. There's other ways that Stuxnet and other pieces of the malware have gotten digital signatures in the past, but I don't think that we necessarily understand exactly how it worked in Stuxnet.
NNAMDIThank you very much for your call. You, too, can call us at 800-433-8850. You could send email to kojo@wamu.org. Send us a tweet, @kojoshow, using the #TechTuesday, or go to our website, kojoshow.org. What have recent events like the computer glitches on the Washington Metro rail system made you think about the potential harm a clever hacker could do to a major urban area like D.C.? 800-433-8850. We're going to take a short break. When we come back, more of this Tech Tuesday conversation. I'm Kojo Nnamdi.
NNAMDIIt's Tech Tuesday. We're discussing white hat hackers and zero days with Billy Rios. He's a computer security researcher. He's a former U.S. Marine. He currently works on security issues for Google. Today, however, he's offering his own opinions. He's not speaking for Google. Billy Rios is also co-author of "Hacking: The Next Generation." Charlie Miller is principal research consultant at Accuvant Labs.
NNAMDIHe's a former employee of the National Security Agency. And Robert O'Harrow is an investigative reporter at The Washington Post, author of the book "No Place to Hide." You can find his series called "Zero Days" at washingtonpost.com/zero-days, or you can find a link at our website, kojoshow.org. This for all three of you. Just this past weekend, there was a mysterious event here in Washington when a software glitch forced Metro, our transit system, to shut down our rail network twice.
NNAMDIWhat goes through your mind when you hear a story like that and the response of the Metro official to the question of whether or not it could possibly be a cyber attack? He said, not likely because we don't have a network system. We have more of a closed-loop system. What does that say to you? First, Robert O'Harrow.
O'HARROWWhat does that mean? Closed -- more of a closed-loop system? I -- if there's computers involved, if there's networks involved, it could very easily be a cyber attack or hack. There was a case not long ago that has not been reported or widely reported that involved a commuter line in Portland that was the accidental target of a cyber attack on another system. And nothing happened. No one was hurt. But because the code got into their system, they had to take some measures to protect the trains from anything catastrophic.
NNAMDICharlie Miller, what goes through your mind when you hear that story and the response that it's a closed-loop system?
MILLERWell, it's certainly a reminder that all the systems we depend on every day, you know, reside on computers and network systems. As far as -- if they're trying to say that their computers that are controlled -- those systems aren't connected to Internet, then, you know, great. That's the first step in securing the systems. You don't want those on the Internet. But like Stuxnet showed us, that's not, you know, total protection.
MILLERSo Stuxnet was an attack against, like Robert mentioned earlier, the Iranian nuclear facilities that were not connected to Internet either. But, still, the U.S. and Israel were able to get code running on those systems by infiltrating a USB stick with code on it into the facility. So even if the D.C. lines were not connected to the Internet, it's still possible. I'm not saying that there was a cyber attack. I'm just saying it's possible, even closed systems, to be attacked.
NNAMDIBilly Rios?
RIOSYeah. I think it's interesting. You know, when I hear things like that, the first thing I kind of jump to is they probably don't understand their environment. They probably don't understand their networks. When people say things like that, it sounds like it's a very simple concept to segregate or to air-gap a network. But if anyone has ever worked on those networks, air-gapped network or truly segregated network, you realize that it's actually really difficult to do that.
RIOSThere's a lot of process that's involved, there's a lot of engineering that's involved, and it's very, very, very easy to make a mistake. And so when I hear someone just kind of casually throw that out, like, oh, yeah, our system's closed-loop or it's segregated or it's air-gapped and it's not the government or the U.S. military, I usually shake my head and say, no, it's probably not.
NNAMDIIndeed, we got an email from computer guy John Gilroy. We have a broadcast that we do around the first Tuesday of every month called the Computer Guys & Gal. And computer guy John Gilroy emailed us to say, "Some security professionals in town talk about air-gapped servers. What does that term mean for us mere mortals? What does it mean for the distribution of malware?" Billy Rios, can you pick that up?
RIOSYeah. You know, air-gapping just basically means that it's not connected to a network that's accessible, let's say, via the Internet or another network. You know, it's really a truly closed network. And in order to get something on to that system, you know, has to kind of cross that gap, and, as Charlie pointed out, maybe that's a USB stick or a CD that gets carried over, you know, the gap. But it just means that it's a closed system. It's not accessible remotely.
NNAMDIOK. Here we go to Beau in Reston, Va. Bo, you're on the air. Go ahead, please.
BEAUThank you for taking my call. My field is knowledge management. And whereas -- and I'll ask this to the whole panel. Whereas the code is what controls the actions and behaviors of automated agents or computers, it's the information conveyed by those systems that informs the actions and behaviors of people and organizations.
BEAUIn your work on examining the vulnerabilities of the code systems, how do you think this translates to looking at the vulnerabilities of hacking into the information streams that actually control people and organizations? And I'll take my answer offline. Thank you.
NNAMDII'm not sure I understand the question. If you're -- the relationship between systems and people, you seem to be suggesting that these systems control people.
BEAUNo. The systems we're talking about are used to provide -- many of them control actual devices, but a lot of them provide information to people. And the people use that information to make decisions and to take actions...
NNAMDIGot you. Got you now. Here's Robert O'Harrow.
O'HARROWI'm going to make a stab at two thoughts that he stimulated. I'm not sure I'm going to answer his question 'cause I'm not sure what it is. Two thoughts, one is that one of the things that we're going to try to convey at The Post going forward is that people -- every bit as much as a computer, a laptop, an industrial control system, a commercial control system, bits and bytes, iPhones, people, along with all the rest, are part of cyberspace. They're part of the network. And they happen to be, idea two, one of the most vulnerable parts of the network.
O'HARROWAnd a third idea is -- comes out of the National Defense University, which is that a key part of cyber war won't be to destroy centrifuges or even to destroy information. It will be to undermine the faith that corporate -- corporations and military and government leaders have in the information in their own systems because they won't know whether it's accurate or not. That's part of what some people describe not as cyber war but something broader, information war. It's kind of mind-bending stuff, but I think it's very real, and it's worth contemplating.
NNAMDIBeau, thank you very much for your call. We move on to Kevin in Alexandria, Va. Kevin, you're on the air. Go ahead, please.
KEVINHello. Thanks for picking up my call. I just wanted to talk about something that you had mentioned in regards to connectivity and a compromised security. This is just based on something that happened in Kenya where I'm originally from. So we had the election violence in 2008, so end of 2007 and beginning of 2008. So there's been a big issue about some of the suspects going to the ICC, International Criminal Court.
KEVINAnd someone actually upped into the International Criminal Court website and released the name of the witnesses that are supposed to appear there, and the government was just rushing to protect these witnesses and sending them to that country. And so the other thing is also it seems that Kenya is really big into mobile banking right now. And someone actually went to one of the websites of the organization that deals with mobile banking and found names of the people registered there with their phone numbers and actually registered them to a political party.
KEVINSo the problem is that if -- once you're registered to a political party, nine months before election, you cannot switch. So have all these people that were registered to one political party that they did not sign up to. And the other issue is also involving our own elections where we had one contestant of the -- one contestant's website being upped, and as soon you click to go to his website, you are redirected to another contestant's website.
NNAMDIWell, these are all the kind of, I guess, dirty tricks that you can expect if there is not appropriate security. I'd like to hear what you think about what you just heard, Billy Rios.
RIOSYeah, you know, it's pretty amazing that I think what you can do, you know, we do have a reliance on some of this technology. And like the caller had said, you know, this is where we get our information from. You know, we rely on various computers and systems and the Internet to give us information about things. And so, you know, if someone's able to control that, if someone's able to influence that and change that information to influence you, that's a pretty powerful position to be in.
NNAMDIThank you very much for your call, Kevin. Here is Rashad (sp?) in Herndon, Va. Rashad, you're on the air. Go ahead, please.
RASHADYes, hi. And thank you for taking my call, Kojo. I still think you should've run for mayor of Washington, D.C.
NNAMDIWon't happen. That won't happen. But go ahead.
RASHADSo I've heard. But I actually have two questions and -- well, I'll put them this way. So, first, I wanted to know what you guys were thinking and what your opinions were on the response that the Department of Defense gave for security -- cyber security policy response. So, you know, I'm wondering how you would view that. And then, also, I work for a cloud service provider, MicroPact, down in Herndon, and I'm wondering how you feel about the new fed rep standards and the fed rep compliances coming up.
NNAMDII'll start with you, Charlie Miller.
MILLEROn the second question, I can't comment. I don't know anything about that. But as far as your first question, yeah. So if you think about trying to defend the information systems of our country, it's a hard problem. So unlike a physical boundary, where you can put guards or whatever, there isn't really this boundary in cyberspace. So, you know, someone in Russia or China or any other foreign country can -- you know, their packets go back and forth to our computers all the time, and there's not an easy way to, you know, to filter out.
MILLERWe're still interconnected, and we don't want to lose that, that we can't just drop all the packets that are leaving and coming from the United States. So it's really hard. And the other thing is the government doesn't control these systems, and we don't necessarily want them to control our banking systems and our financial systems. And that makes it hard for the government to protect those. And so it's really a hard problem to know, like, how much do we want the government involved in the protection of our systems.
MILLERAnd even if we want them involved, then, you know, how are they going to do it because then we have to give up access to systems that we need to know, you know, how do we, you know, monitor the good traffic from the bad traffic and can still say interconnected to the rest of the world. So it's a really hard problem.
NNAMDIRashad, thank you very much for your call. We got this email from someone who says he is Richard Clark, former White House cyber security adviser, but it's about Metro. He says, "Every time I hear a system is closed-loop or air-gapped, I'm willing to bet there are connections that they don't know about. Every U.S. government audit of power grid companies show that there were Internet connections that the companies did not know about," says Richard Clark. Thank you very much for that email.
NNAMDITo what degree, Robert O'Harrow, do you think our public infrastructure, our electric grids, our water systems, our public transit are protected from zero-day-style attacks?
O'HARROWI think that they, by definition, aren't protected from zero-day-style attacks because the people that are defending can't, by definition, know what the vulnerabilities are. If you think about literally tens of millions of lines of code in a particular desktop, think about trying to protect every line or tens of lines from, you know, potential vulnerabilities. Well, that's how bad it is. And there are -- I will say that the companies writing software code are getting better at it, the Apples of the world, Microsoft.
O'HARROWThey're getting better at it, and yet you have a very determined force of hackers who are also getting better. And they're using all sorts of tricks as well as technological savvy to break in.
NNAMDICharlie, you've said that one of the problems with consumer products seems to be that companies like Apple are more interested in making money than they are in making their software perfect. Is there anything that could be done to force them to focus more on those software gaps? Where are the pressure points when it comes to their incentive? We got an email from Kimberly for you, Charlie, who says -- Kimberly -- "In your time busting Apple's chops, Charlie, did you ever get a chance to chat with Steve Jobs himself?
NNAMDI"I'm curious to learn about how much of a premium he put on security. It seems that Apple is king when it comes to design and user interface, but how do they show up on security?"
MILLERI've never spoken with Steve Jobs. I wish I would have gotten the chance. I don't know if he knew who I was or not. But, yeah, I think companies, in general, you know, they're trying to make money. And the thing about security is you can't tell just looking at a product, if it's written securely or not. And even an expert like me can -- it can be difficult to determine what products are secure and which ones aren't. And so if the consumer can't decide whether one product is secure and the other one isn't, then how can you -- you know, why would a company spend money?
MILLERAnd it's quite expensive to make a secure product, so, you know, companies are not going to be spending money on something that consumers can't tell the difference between. And, yes, and it's true that Apple is getting better and all these companies are getting better writing secure codes. But the problem is a lot of the codes that still runs on Apple computers and Windows is -- was written 10 years ago when, you know, before we even really cared...
NNAMDIAnd I'm afraid that's all the time we have. Charlie Miller is principal research consultant at Accuvant Labs. He's a former employee of the National Security Agency. Billy Rios is a computer security researcher, former U.S. Marine, currently works on security issues for Google. He's co-author of the book "Hacking: The Next Generation." And Robert O'Harrow is an investigative reporter at The Washington Posts. He's also author of the book "No Place to Hide." Gentlemen, thank you all for joining us. And thank you all for listening. I'm Kojo Nnamdi.
On this last episode, we look back on 23 years of joyous, difficult and always informative conversation.
Kojo talks with author Briana Thomas about her book “Black Broadway In Washington D.C.,” and the District’s rich Black history.
Poet, essayist and editor Kevin Young is the second director of the Smithsonian's National Museum of African American History and Culture. He joins Kojo to talk about his vision for the museum and how it can help us make sense of this moment in history.
Ms. Woodruff joins us to talk about her successful career in broadcasting, how the field of journalism has changed over the decades and why she chose to make D.C. home.