In November 2017, with Dara Khosrowshahi a few months into his job as Uber CEO, the ride-hailing company came to me with some explosive information: The company claimed that during Travis Kalanick’s time as CEO, Uber had covered up a massive data breach. Hackers had downloaded sensitive information about Uber’s riders and drivers, and the company’s chief security officer, Joe Sullivan, had kept it under wraps by paying the hackers $100,000. Uber fired Sullivan and one of the company’s lawyers.
I published the exclusive story with the headline, Uber Paid Hackers to Delete Stolen Data on 57 Million People.
Cyber security reporters have — for years — raised questions about the Khosrowshahi regime’s story. Sullivan tried to frame the $100,000 payout as part of the company’s white hat bug bounty program. And Sullivan’s defenders argued that Kalanick-era Uber’s effort to conceal the payout — at a time when it was under investigation by the Federal Trade Commission over a prior data breach — looks even less anomalous today in a world where companies pay ransoms to hackers all the time.
So I’ve watched the case closely over the years to see whether I’d been had.
Had Khosrowshahi and crew whipped up a fake scandal? (I never quite understood why they would need to — Kalanick-era Uber already had so many.)
Over the years, the legal system has consistently validated Khosrowshahi-era Uber’s account.
* In 2018, Uber reached a $148 million settlement with 50 states and the District of Columbia over its handling of the data breach.
* In 2019, two men pleaded guilty to the Uber hack.
* In 2020, the Justice Department indicted Sullivan, a former federal prosecutor, for his handling of the hack.
* Finally, last week a jury found Sullivan guilty of both counts that prosecutors brought against him. (Those charges were obstruction of the Federal Trade Commission and misprision of a felony.)
Still, parts of the cyber security world defended Sullivan’s actions.
Joseph Menn, the well-respected cyber security reporter for the Washington Post and author of Cult of the Dead Cow, recently quoted security experts raising concerns about the potential ramifications of the guilty verdict.
Most security professionals had been anticipating Sullivan’s acquittal, noting that he had kept the CEO and others who were not charged informed of what was happening.
“Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives,” said Dave Shackleford, owner of Voodoo Security. “I fear it will lead to a lack of interest in our field, and increased skepticism about infosec overall.”
John Johnson, a “virtual” chief information security officer for multiple companies, agreed. “Your company leadership could make choices that can have very personal repercussions to you and your lifestyle,” he said. “Not saying everything Joe did was right or perfect, but we can’t bury our head and say it will never happen to us.”
So Tom Dotan and I invited Menn onto the Dead Cat podcast to get his perspective on Sullivan’s conviction. We also asked Menn about cryptocurrency hacks, Cult of the Dead Cow, and Twitter’s whistleblower.
Give it a listen.
Read the automated transcript.
00:00:05
Welcome, Silicon Valley. Hey everybody, welcome to Dead Cat.
00:00:15
Tom Dotan here, joined by Eric Newcomer, and we are joined this
00:00:18
episode by Washington Post reporter and author.
00:00:21
Joseph Menn has been covering cybersecurity for years and also
00:00:26
has written many books about the topic, including his most recent
00:00:29
book, Cult of the Dead Cow, which we can ask about.
00:00:32
Very fascinating title. I think it involves Beto O'
00:00:35
Rourke in some capacity, so we can discuss that.
00:00:38
But the heart of this episode is going to be about a fascinating
00:00:41
case. That just concluded this last
00:00:44
week involving Joe Sullivan, the former chief security officer
00:00:49
at Uber, who was charged and convicted by boilers.
00:00:54
Yeah, well, if you read your, we chose article, you do all this.
00:00:58
I'm curious how many people are following this, but I think
00:01:00
it's, it's not, you know, the Theranos trial, but I think
00:01:03
it's a very significant one and interesting one.
00:01:06
Yeah, it's a fascinating case about, you know, bug bounties.
00:01:09
the FBI, the FTC. Joseph is going to summarize all of it for us,
00:01:13
but I will say at the outset because I know Eric will jump in
00:01:16
and weigh in here at some point because when he was covering
00:01:18
Uber, you were very much involved in the coverage of
00:01:23
Joe's ouster from Uber and kind of the precipitate.
00:01:25
Yeah, I was the first to report the story, the hack and Joe's
00:01:29
firing. But anyway, Joseph, thank you so
00:01:31
much for joining. Welcome to Dead Cat.
00:01:33
Yeah, thanks nice to be here. Let's just summarize the charges
00:01:37
here, like, what was Joe Sullivan charged with and
00:01:40
ultimately convicted of and just give us the backstory on how we
00:01:44
got to this point. Okay.
00:01:46
Well, I think you have to go back to the hack itself.
00:01:48
So there were a couple of young hackers one in Florida, one in
00:01:53
Canada, that found an Amazon key used by Uber lying around on
00:01:59
GitHub, then used that to get into an
00:02:03
unencrypted backup that had information on all Uber users
00:02:07
through 2015 and included phone numbers and other sensitive
00:02:10
information. And also a, you know, a store of
00:02:16
information about Uber drivers, 600 of them including their
00:02:19
driver's license numbers, so sensitive stuff.
00:02:23
They obtain this they sent Joe Sullivan, then Chief security
00:02:27
officer at Uber, an anonymous email, and you know, they
00:02:31
said, hey, we discovered this vulnerability and we're here to
00:02:35
tell you about it, but we were able to download all this
00:02:38
information and then there was like this prolonged back and
00:02:41
forth with Joe and with other security people there.
00:02:45
And after all this happened towards the end of it Sullivan,
00:02:49
steered them into Uber's bug bounty program, which rewards,
00:02:54
you know, more or less ethical hackers with some money.
00:02:56
if they discover vulnerabilities. The ideal bug bounty being:
00:03:01
I'm a researcher. I see this flaw.
00:03:03
I'm not executing on it, but if somebody were to do this, you
00:03:07
know, I would get X Y and Z and then the company out of the
00:03:09
goodness of their hearts, pays them to avoid those people sort
00:03:13
of becoming like black hat hackers and also because they're
00:03:16
effectively working for the company to find vulnerabilities,
00:03:20
would you say that's a fair explanation?
00:03:23
I would have some number of minor quibbles with, with the
00:03:26
way you worded it, you know?
00:03:27
Generally the payments aren't
00:03:29
to prevent them from being black hats.
00:03:31
Generally, the thinking is that these people, they want to be on
00:03:34
the right side of the law and this just makes it less costly
00:03:37
for them to make that choice. Yeah, they're not at-risk teens.
00:03:40
Well, this need to be aware as in this case, they seem a little
00:03:43
bit more. Yeah, at risk.
00:03:45
I mean, the standard bug bounty for Uber was ten thousand
00:03:48
dollars, and in this case it was ultimately a hundred thousand
00:03:52
dollar payment, right? That's right.
00:03:54
I'll just fast-forward to get the basic facts of the case and
00:03:57
charges out there. They ultimately paid off.
00:04:00
The hackers a hundred thousand dollars, they assured themselves
00:04:03
that the data had been deleted and not been distributed to others.
00:04:07
And they had the hackers sign, an NDA saying they wouldn't talk
00:04:11
about this, and actually the wording of that NDA winds up
00:04:14
later to be very important and then nobody knows about it until
00:04:18
after Travis Kalanick is gone. Well, I would say nobody, many
00:04:21
people. The company knew about it
00:04:23
including Travis Kalanick, who's then CEO. Travis gets ousted in a
00:04:27
boardroom coup after unrelated scan-
00:04:29
dals. New CEO comes in, Dara Khosrowshahi.
00:04:33
Yeah, thank you for pronouncing that for me and Tony West is
00:04:37
general counsel a lot, a lot of big figures and this sort of
00:04:41
bubbles up again as a topic and there's a new investigation and
00:04:46
then they basically decided to throw Joe to the wolves, but the
00:04:50
charges were not for the payoff itself, but for what is
00:04:55
called misprision of a felony, which is a rarely charged
00:04:59
statute, that's a crime. We all have strong intuitions
00:05:02
and moral sensibilities of, like, I barely know what it is.
00:05:05
Yeah, I did have to go to Google Translate to make sure I
00:05:08
pronounced it correctly. It's misprision, this
00:05:10
presentation. There you go.
00:05:12
So it is, it is not only failing to report a felony but actively
00:05:16
concealing one, like taking affirmative actions to prevent a
00:05:19
felony from coming to light. And he's also charged with
00:05:22
obstruction of justice because there was an FTC investigation
00:05:27
of previous breaches at Uber that was wrapping up.
00:05:29
And this was, I guess, pointedly not disclosed to them when it
00:05:33
should have been according to prosecutors.
00:05:34
Those are the charges, right? And his being fired from Uber.
00:05:37
That was a story in and of itself, right?
00:05:39
And there was controversy at the time around, why he was fired
00:05:42
and the nature of it but the he could have been fired and not
00:05:46
been charged with the crime here, right?
00:05:48
These are almost unrelated incidents, correct?
00:05:51
I wouldn't say they're unrelated.
00:05:52
So his firing was controversial within the company.
00:05:56
He was not seen as one of the most employees.
00:05:59
Not seen as one of Travis's, like, you know, key henchpeople.
00:06:04
You know, he was seen as one of the, you know, the more recent
00:06:07
hires and grownups, you know, he hadn't been implicated in a lot
00:06:11
of the other sketchy stuff that Uber was involved in.
00:06:14
And then it's not just that he was, you know, he wasn't charged
00:06:18
randomly, the Uber folks, that remained worked hand-in-glove
00:06:22
with the U.S. attorney's office to charge Joe.
00:06:25
And, you know, they walked them through the whole thing.
00:06:28
They built a lot of the case.
00:06:30
And then, you know, quite another obvious suspect would
00:06:34
have been the lawyer who was working
00:06:36
under Joe, Craig Clark. And Craig Clark was so nervous
00:06:40
about all of this that he got immunity from the feds in order
00:06:43
to testify against Joe, and Joe in turn had blamed, like, some of
00:06:47
this on the legal advice he got from Craig.
00:06:50
So, it is weird. That Joe is not only charged
00:06:54
with this very unusual crime, at least one of them, but that he's
00:06:59
the only person from Uber that has been convicted of anything
00:07:02
as far as I know, an executive ranks, despite all the other
00:07:06
stuff that was going on there. And that he was the only one
00:07:08
that was taken down for this particular thing, when the CEO
00:07:11
and others were involved, and let's just do a little bit of
00:07:13
background on Joe, because we should definitely set up for our
00:07:17
audience. That this is a fairly
00:07:18
well-established. Well-regarded person in the
00:07:21
cybersecurity industry. I mean, what was his background
00:07:23
before, you know, taking on this position at Uber.
00:07:26
So he was actually a federal prosecutor back in the day.
00:07:29
And he was one of the early enthusiasts about developing
00:07:34
cybercrime as an expertise. So in fact, he was, he worked in
00:07:40
a couple of different offices, but in the San Francisco U.S.
00:07:43
attorney's office, which later prosecuted him he helped set up.
00:07:47
It was a, you know, initial member of their cyber team and
00:07:50
then he, you know, like many, he left public service to make some
00:07:54
decent money and he went to Facebook where he was in the
00:07:58
earlier phases. Facebook, he was the chief
00:08:02
security officer there, you know, as was sort of well known
00:08:06
in the field from that point on because Facebook was the subject
00:08:09
of a lot of attacks. A lot of attention and, you
00:08:12
know, he did a lot of things that are now sort of industry
00:08:14
standard practice, including, you know, red teaming, you know,
00:08:18
hiring people to attack the company to see how they did and
00:08:21
they also paid bug bounties and stuff like that.
00:08:23
So he went he was there and then he went to cloudflare, which is
00:08:27
maybe, you know, arguably more interesting because good for him
00:08:30
because lots of international stuff, terrorists, all
00:08:33
kinds of really sketchy people use Cloudflare.
00:08:35
So it's really interesting from like an intelligence
00:08:39
perspective, as well as a law enforcement and, you know, garden-variety
00:08:42
security perspective. And also Cloudflare's like a
00:08:44
security company. So he was playing a more Central
00:08:47
role there after Uber, right? Just, I'm sorry, yes, I skipped, to
00:08:50
know, because I mean he's hired at Uber in 2015 and then
00:08:55
basically right after a really bad breach, okay?
00:08:58
After a bad breach. Right.
00:09:00
And then ousted in November 2017, and so yeah, he's not sort
00:09:04
of the super early days Travis, but he's there for some of the
00:09:09
core sort of Travis years and ends when those years come to
00:09:14
an end. Yeah.
00:09:15
Well and and Joseph was characterized this a little bit
00:09:18
but you know Eric from just covering Uber, so intensely
00:09:20
during that period. How does he kind of fit into
00:09:23
that the Travis hierarchy? I mean, he's not a founding guy,
00:09:25
he's not one of his, you know, one of his guys who builds the
00:09:28
app but he is A key player in the scaling of the service.
00:09:32
Right? And ensuring that it remains at
00:09:34
least for a time free of major breaches of data.
00:09:37
And you know, the kinds of things you would need for an app
00:09:40
that is catering to millions and millions of people, right?
00:09:42
I mean I certainly a lot of people agree with the idea that
00:09:47
it's crazy, that all of all the executives at Uber who have
00:09:51
gotten convicted of something, it's Joe Sullivan who I do
00:09:54
think, as a former prosecutor was seen, as sort of a stand-up
00:09:58
guy and definitely not some diehard Uber loyalist, and
00:10:01
definitely sort of a professional executive coming
00:10:05
from Facebook, that said, you know, Joe Sullivan, you know is
00:10:09
given some legal Authority at the company.
00:10:11
I mean, part of this case, is there sort of a weirdness of the
00:10:16
his Deputy reported up to him and not sort of the general, the
00:10:20
overall legal officer, Joe Sullivan was also like
00:10:24
responsible for some, I believe the physical surveillance that
00:10:27
Uber did including over like Jean Through their competitor.
00:10:30
Well, it's not illegal. I don't think it.
00:10:32
You know, he's involved in some of the sort of intense Travis-
00:10:36
era, like, we want to know, like, what's
00:10:38
going on with our competitors. So, I don't totally agree with
00:10:42
the idea that this is somebody who totally divorced himself
00:10:45
from the aggressive behavior of uber during the Travis kalanick
00:10:50
era, and then sort of figuring out how this hack fits into the
00:10:54
sort of Travis strategy of, you know, one might say like,
00:10:57
creative problem solving when it comes to navigating trouble and
00:11:02
a sort of legal, gray areas. Yeah, well, let's get to the
00:11:05
case itself because as you say, there is a bit of a divergence
00:11:09
between the bug Bounty program and you know, the way you sort
00:11:13
of deal with white hat hacking and what the government actually
00:11:15
was charging him with. So why is it that the FTC is
00:11:19
even investigating Uber during this period?
00:11:22
And what are the actions that Joe took that ended up, you
00:11:24
know, getting him charged with a crime?
00:11:27
Well, there was a, there was a massive breach in 2014 that
00:11:30
was kind of similar. It was like a great
00:11:32
spill of user data. And so the FTC was investigating
00:11:37
and it was going to, you know, come up with you know, various
00:11:40
sort of consent decree type stuff where they have to agree
00:11:43
to do some basic good housekeeping in terms of real
00:11:47
security for that stuff, and it was near the end of that
00:11:50
investigation, is one of the sort of the ironies here.
00:11:54
They, you know, they were still asking questions, but we are on, I
00:11:58
think, the fifth or sixth round of questions that the
00:12:02
FTC had sent over before this happens.
00:12:05
And before Joe gets in trouble, they go to another attorney.
00:12:09
The privacy attorney they had, they had a privacy attorney at Uber, and
00:12:14
she is somebody who is being kept, roughly in the loop about
00:12:17
this breach by Craig Clark. So, Craig Clark, had a dotted
00:12:21
line to, you know, the general counsel's office.
00:12:24
It is true that Joe was, Deputy general counsel, but he didn't
00:12:27
sort of caucus with the legal department.
00:12:29
He have meetings with the legal department.
00:12:31
Does that make it even sketchier?
00:12:33
Why? Then he's Deputy general counsel
00:12:35
but he's not sort of looped into that hierarchy.
00:12:38
I don't know about it being sketchier.
00:12:40
I think they're, you know, it's a nice title to have.
00:12:43
It may have been a little ill-advised in retrospect, but he
00:12:45
wasn't I think he wanted authority to do certain things
00:12:50
and you know Uber as you know from covering the company was
00:12:53
super siloed. You know, there is exactly.
00:12:55
Yeah. I think he wanted to have to
00:12:58
exercise some authority over things that he couldn't without
00:13:01
that title, right? But it is clear that
00:13:05
Craig, you know, did blow the whistle on other things.
00:13:10
A lot has been made of the fact that, you know, he was reporting
00:13:12
to Joe, but he also, he also told his successive privacy
00:13:18
bosses in the general, counsel's office about what was going on
00:13:21
with this case and those and the and those were the people that
00:13:24
were answering the FTC questions.
00:13:27
There were some emails that were in there.
00:13:29
A couple of emails introduced as evidence that asked Joe to look
00:13:33
over some stuff and say, you know, is this, right?
00:13:35
Even your problem with this. And one of those answers out of
00:13:39
the long series of answers was there haven't been any bad
00:13:42
breaches, you know, since that or something like that.
00:13:44
And that's what he got in trouble for not flagging, but it
00:13:48
wasn't like the strongest it. You know, it wasn't the
00:13:50
strongest evidence in the world. I think there was more problems
00:13:53
with the wording of the NDA, which said that in order to get
00:13:57
this hundred-thousand-dollar check, they said, or maybe it was
00:14:01
Bitcoin. They said, the statement said, we
00:14:04
have not taken or kept any data from Uber as part of our, as
00:14:09
part of our explorations, and that was false
00:14:13
because they had. So the jury you know the lawyers
00:14:16
in the case got into like who did the edits on that NDA and
00:14:21
Joe did some edits but did not that one.
00:14:24
So the prosecutors were arguing that even though Craig Clark
00:14:26
was the one who had put in those words, Joe should have.
00:14:29
edited that and maybe he was like the brains behind that edit.
00:14:33
I mean it is thin. I mean is it is really thin.
00:14:36
It seems like there was a lot of judgment call in this, you know,
00:14:39
by interpretation by the by the feds and by the jury but when
00:14:43
Dara comes in and asks Joe about this, Joe doesn't tell Dara all
00:14:49
the details of the case. Correct.
00:14:51
So there is an email, an early email, where Joe briefs Dara.
00:14:57
Like, okay, there was an incident, we're
00:14:58
handling it this way. And that email was fairly
00:15:01
circumspect, and he tasked his people to brief him.
00:15:05
And one of his people had sent an email saying, well, we
00:15:08
basically got extorted and, you know, it was terrible.
00:15:11
And then Joe gives Dara a pretty sanitized version of it, it
00:15:16
doesn't include the amount of money calls it a bug Bounty,
00:15:19
right? Yeah.
00:15:20
And all Uber's bug bounties before this, like 10 was the
00:15:24
max, this was 100, these people downloaded the files,
00:15:28
normal bug bounties, you don't download the... I'm sorry, but I'm
00:15:31
just like, I think there's an interesting discussion in this
00:15:34
comes in through your story. Definitely like now we're in
00:15:37
this era, where everybody's paying for things.
00:15:40
Would we view this in the same light?
00:15:43
I get, I get that point. I'm happy to have that
00:15:45
discussion, but the idea that this was a hack that they then
00:15:49
tried to frame as a bug bounty during a time when Uber
00:15:53
was in trouble with the FTC and negotiating with them, to make
00:15:56
sure that this didn't fit in to the kind of breach that they
00:15:59
would need to disclose to the FTC.
00:16:01
It just seems like a pretty compelling case to me and and
00:16:05
now the jury has convicted him.
00:16:07
And I still think that like the tone from sort of cybersecurity
00:16:11
world is like shocked that there would be convictions here.
00:16:15
Let's get to that in a second because I want to understand in
00:16:18
the in the in the course of the case here, what was the
00:16:21
characterization that the prosecution had of why Joe would
00:16:24
do that? Why Joe would, you know, keep
00:16:26
this from Dara in a way that, you know, they de-
00:16:29
fined as criminal, as misprision and obstruction of
00:16:32
justice. I mean Joe is a tenured security
00:16:34
officer, used to be, you know, with the U.S. attorneys, and what
00:16:38
was the kind of depiction at the prosecution had on why someone
00:16:41
would do this. They were arguing that he was
00:16:43
acting out of embarrassment, that he didn't want his reputation as
00:16:48
you know a very respected member of the security defense security
00:16:52
world to be torn asunder because he allowed this terrible breach
00:16:56
to happen on his watch. I personally think that holds
00:17:00
water, there's all the internal traffic about the matter.
00:17:04
It shows that for quite a while, while they were working on this,
00:17:09
Joe is saying we don't know whether this is going to be
00:17:11
something, we have to disclose or not.
00:17:13
We don't know whether we can call it a bug Bounty and pay
00:17:17
some money and have it go away or we'll have to disclose it.
00:17:20
But that was certainly something that they were, you know, they
00:17:23
saw as a major possibility. The reason they didn't in the
00:17:26
end was that they were convinced that the data hadn't gone
00:17:30
beyond these couple hackers, and the couple of hackers wished
00:17:33
them no harm. That is not something that would
00:17:36
normally be charged, number one. That might be a big screw-up
00:17:39
and, you know, maybe he gets personally barred by the FTC,
00:17:42
from serving on company boards or something or another, maybe
00:17:45
they, you know, but it's just that is just a real outlier.
00:17:49
It's a criminal offense. I mean, I'll meet you, not out
00:17:51
of your story and, you know, better than I do.
00:17:53
And I'm interested in especially is like this idea that were the
00:17:57
prosecutors trying to get him. To flip on Travis kalanick
00:18:01
bizarre can be sort of a double situation here where Joe gets
00:18:04
defended, because he wasn't the CEO.
00:18:06
He was at Sea. So on the other hand, why if the
00:18:10
issue is that everything should run up to the CEO, why didn't
00:18:14
Joe flip on Travis here? Because so the evidence, so they
00:18:18
were trying to get to Travis who would have been a big feather in
00:18:21
any U.S. attorney's cap, and they did get evidence from Joe on
00:18:25
that and that, that evidence was actually a fairly substantial
00:18:28
there, you know. Lots of texts and phone
00:18:31
calls and conversations and Travis said things like, yes,
00:18:35
this'd be great if it's a bug bounty, but there
00:18:38
wasn't a direct "cover this stuff up,
00:18:41
don't let the FTC find out about it." There
00:18:43
wasn't a smoking gun. So there was a bigger paper
00:18:46
trail on Joe, because he was kind of in the middle of it.
00:18:50
The whole time, it's weird to call this a cover-up when there
00:18:54
were like, you know, I forget the number, something like 30
00:18:56
people who know about it. This was not a, you know, go
00:18:59
meet you take some cash, you know and and meet somebody in a
00:19:02
back alley with a briefcase, right?
00:19:04
You know, they worked through the bug bounty platform, you know,
00:19:07
HackerOne. The communications team up to Rachel Whetstone
00:19:12
knew the facts of the case within 24 hours.
00:19:15
She's the chief communications officer for Uber at the time,
00:19:17
right? And so she did, Travis did. I
00:19:21
mean, Joe told everybody he was supposed to tell?
00:19:25
So I mean talk to Travis whether or not to, you know, you okay.
00:19:27
Make sure you coordinate with the general counsel in that he
00:19:29
didn't say that, including that this stuff had been downloaded
00:19:32
by the hackers and that was basically acts and everyone, in
00:19:35
time to recover it, they were going to try going to try and
00:19:38
suppress it and that's another thing.
00:19:39
It's like it's not, you know, that NDA is pretty shady, but
00:19:44
they were using this whole process to identify who these
00:19:46
people were because they were Anonymous.
00:19:48
When all this started and they stayed Anonymous to a lot of it
00:19:52
and because they were getting them to sign things and if they
00:19:54
did it with an electronic signature, it would leave their
00:19:57
IP address and then be able to track them.
00:19:59
They did that. And then they surprised they
00:20:01
surprised them by showing up in person and saying now we need
00:20:03
your real names to sign this or the bank's not gonna let it go, you
00:20:06
know, they'll flag it to the IRS.
00:20:09
And so, that's really important. And they did that not because
00:20:11
they want to get these kids arrested.
00:20:13
That's true. But because they figured that
00:20:16
that was the only way to reassure themselves.
00:20:18
That these guys really aren't going to do something worse with
00:20:20
the data and there. They basically get these hackers
00:20:22
to say, oh, you were like working on behalf of uber,
00:20:25
basically, right? Isn't that part of the agreement
00:20:27
or my misunderstanding that Well, I mean part of the bug
00:20:30
Bounty program is like they were reporting a vulnerability and
00:20:34
thanks for that. And here's your reward, right?
00:20:36
And you know, 100 K is a lot of money.
00:20:39
Sure. Not for Uber though.
00:20:40
It's not a problem over and for the amount of damage that could
00:20:44
have been done with that data. That's, that's actually a pretty
00:20:47
reasonable. I'm certainly not saying it's a
00:20:48
bad corporate decision. I'm just saying, you know, their
00:20:51
moves, there are funny things. Dara said later, there
00:20:53
are different stories, you know, between when he was fired and
00:20:56
now, but Dara said, like, Dara's most recent version was he
00:21:02
fired him because that one he couldn't trust.
00:21:04
Joe Sullivan after that email that under, you know, that
00:21:07
underplayed the breach. But that he would have made the
00:21:10
same payment himself that, that was an appropriate payment.
00:21:13
So, I mean, it looks to me like, they were looking for, you know,
00:21:16
the feds were hoping to get to Travis and missed and, you know,
00:21:20
Dara wants Uber 2.0. He doesn't want any trace of bad.
00:21:24
Dara's allowed to fire. He's allowed to fire people.
00:21:26
I do. I agree with what Tom said, not,
00:21:29
not, and I understand that Uber sort of helped this case,
00:21:31
but they're allowed to like fire.
00:21:32
Somebody who feels like I'm trying to clean up the company
00:21:35
and you're not being open about everything that's happening.
00:21:39
I get that. Yeah, they announced this hack.
00:21:41
They have two people in my story that they're firing over it,
00:21:44
Craig Clark and Joe Sullivan and they say, okay, we're cleaning
00:21:47
house. But like yeah, I mean the they
00:21:50
were the people who did it, and Dara had, like, a different
00:21:52
point of view on whether needed to be disclosed to the
00:21:55
government. I mean, is that and then they
00:21:58
did settle with all these State governments, they paid more than
00:22:01
100 million in fines to state AGs.
00:22:03
And now there are two convictions and also, we haven't
00:22:05
brought up the fact that the hackers themselves, who got who
00:22:08
participate in the bug Bounty? I believe, they also pled guilty
00:22:11
in this case, so if the, if the legal system works at all every
00:22:14
part of it settlements jury convictions hackers, pleading
00:22:18
like every part of it has come down on one side of this.
00:22:22
Sorry that was more passionate than I expected to be.
00:22:24
But I don't know, I feel a little crazy on it.
00:22:27
It's like this has been borne out.
00:22:29
Well, can I ask, you know, when it
00:22:31
comes to the state of Uber and the way they were
00:22:34
involved in this case because technically this is not their
00:22:36
case. They're not suing him.
00:22:38
This is the US government that is making the case here.
00:22:41
Dara testifies here. He testifies to the fact that he
00:22:44
just couldn't trust Joe anymore, why he fired him and I guess
00:22:48
people below him why does the either prosecution or defense?
00:22:51
And I imagine it might have been the defense, never subpoenaed
00:22:55
Travis, why do you think Travis never appears at all in the
00:22:58
trial? It seemed like he would have been a
00:22:59
key person to kind of make the case, one way or the other as to
00:23:03
whether or not this was a cover-up or how many people
00:23:05
should have known about this? Did that ever come up in
00:23:07
discussion? Like, strategically why?
00:23:09
He never appeared at all? I'm sure did, I don't know, I
00:23:12
wasn't privy to those discussions.
00:23:14
I don't know why. Yeah, if I were Travis, if I did
00:23:17
get subpoenaed by either side, I would have asked for immunity
00:23:19
and the FEDS, you know, that's probably not a good look for
00:23:23
them, so they probably wouldn't have offered it.
00:23:25
So probably he would have been like a hostile witness for
00:23:28
either side.
00:23:29
We could plead the fifth, right? I mean he could plead the fifth,
00:23:32
which is not going to help the defense or the prosecution and
00:23:36
it's not going to make him look good either.
00:23:38
So I mean, it would be you dragging him in there and then
00:23:40
it wouldn't be productive. That's my best.
00:23:42
Guess off the top, my head interesting.
00:23:44
I mean, I do think there's I was going to say this earlier but
00:23:47
you know, I feel like there's a classic human story where
00:23:50
somebody is sort of, you know, the do-gooder Boy Scout and then
00:23:53
they get sort of dragged into this somewhat sort of shady
00:23:58
organization with, you know, the leader, who's trying to sort of
00:24:01
complicate things, and yeah, the sort of ethical boundaries get
00:24:06
tested. And then the sort of clean guy
00:24:09
ends up the one, you know, because they made the call and
00:24:12
is the one on the hook, even though the architect of it all
00:24:16
probably set the organization up in that direction.
00:24:18
Pushed people to behave in that way.
00:24:20
But then knew better than to, you know, put their name to it.
00:24:23
I feel like that's like sort of a classic classic story where
00:24:27
it's like, yeah, if you want to be sort of the Boy Scout,
00:24:31
you have to stick to your principles,
00:24:32
even in this mucky organization. So I think that's a little too
00:24:36
pat, but as I wrote in my story, bug bounties have been used to
00:24:40
hide a host of ills, increasingly since the time this happened.
00:24:44
So they get used to pay respectable hackers who are
00:24:48
trying to do the right thing. And they also get, they pay
00:24:53
people to shut the hell up, right?
00:24:55
They, you know, they are as likely as not to come with a
00:24:58
non-disclosure agreement now, and some of those apply to
00:25:02
things that, you know, the company should be required to
00:25:04
disclose and are not and are not disclosing, not just something
00:25:08
they're not fixing but, like, breaches that are, you know,
00:25:10
things that probably led to previous breaches.
00:25:13
It's the real, the real world in this stuff is pretty ugly,
00:25:16
right? My guess is
00:25:17
that Joe thought he was skating close to the edge, but it wound
00:25:20
up doing the, you know, the right thing by...
00:25:23
You can make a really good argument that he was doing the
00:25:26
right thing by Uber users, because they went through all
00:25:30
these hoops, there was some shady language.
00:25:33
There's some stuff that should have been disclosed but the data
00:25:36
didn't get out. And if they had
00:25:38
called the feds on these guys that day, they very well might
00:25:41
have gotten now. Yeah.
00:25:42
And I think nobody here is like, oh my God, the public was so
00:25:45
terribly victimized by this crime. You know.
00:25:48
Yeah. Yeah.
00:25:48
I mean it's very much did he follow the letter of some law?
00:25:52
Not did he have some terrible effect for a bunch of drivers or
00:25:56
people? It seems like exactly.
00:25:57
Like you're saying, I think that's important.
00:25:59
You remember, right? Right.
00:26:00
Yeah. Well, that's what's interesting
00:26:02
about this case because, you know, you obviously covered it
00:26:04
and that's how I was Googling it.
00:26:06
I did see that almost every major outlet did have some
00:26:08
reportage of it as it was going along, but the trial didn't set
00:26:12
the world on fire, you know, it didn't become the Elizabeth
00:26:14
Holmes trial or, think of any other high-level tech trials.
00:26:18
Well, nobody sees this guy as the embodiment of Travis Kalanick
00:26:21
era Uber. I mean, I think that's, you
00:26:22
know, it didn't become a proxy for that, and right, morally
00:26:26
ambiguous. And right, right, it did sort of
00:26:29
Like this was you know the government's attempt to bring
00:26:32
some accountability to Travis era Uber and like we're saying
00:26:36
it ended up falling on this one you know prior to this point
00:26:39
pretty clean actor in the infosec community and you know
00:26:43
it sounds like the government made a compelling case here that
00:26:46
he was a bad actor in this particular way here but the
00:26:48
actual harm to you know the average citizenry just wasn't
00:26:54
there. So I mean is it fair to say
00:26:56
that? He is kind of a fall guy for a
00:26:58
larger issue that, you know, he wasn't
00:27:00
solely responsible for but, you know, there had to be some head
00:27:03
on a stake somewhere. As far as the government was
00:27:05
concerned, in terms of charging him. Right, I think the answer
00:27:09
is yes and, you know, I don't think they were taking into
00:27:12
account. I mean, they I think they were
00:27:14
trying to make an example of him in, like uber land, but I don't,
00:27:19
I think they may be less than thrilled about the example,
00:27:22
they're setting in chief security officer land, where
00:27:25
people are freaking out and are, you know, worrying about what
00:27:28
their own liability is. I mean, it's already, like,
00:27:30
famously one of the worst jobs on the
00:27:32
planet. I mean, Alex Stamos used to joke
00:27:35
that, like, CISO comes from a Greek word
00:27:38
meaning he who is sacrificed after a breach. Alex Stamos,
00:27:43
former chief security officer at Facebook, I guess.
00:27:47
Yeah, that's a great line. I mean, it's, you know, it's up
00:27:49
there with Russian submariner and Chinese coal miner. You
00:27:52
don't want to be CISO. So even before this, I mean you,
00:27:55
you know, there's like you only get famous if you fail, right?
00:27:59
You can also make the argument, and I've covered the security
00:28:01
industry for more than 20 years now, and, like, you know, the most
00:28:04
important person in charge of a company's security is the CEO.
00:28:10
It's not the CISO, and the second most important is the CFO,
00:28:13
right? Because he or
00:28:15
she is deciding how much you can spend on defense, which is, like,
00:28:20
you know, makes stuff from the bottom line disappear and is super
00:28:24
hard to value what gain you get from it.
00:28:27
So, you know, many people are in the position of, you know,
00:28:31
Twitter comes to mind, Mudge at Twitter, where you're given this
00:28:33
awesome responsibility and no actual power.
00:28:36
It needs to be, like, a cultural thing because, you know,
00:28:40
everybody else in the organization has to play ball.
00:28:42
They didn't at Twitter, and they didn't.
00:28:44
Over in the infosec community, as you said, they were watching
00:28:47
this case, very closely, they obviously are not happy with the
00:28:50
outcome, in terms of making the job, even more of a liability
00:28:54
for the people who do it, but was there any sense from it
00:28:57
among the infosec community that, no, Joe didn't maybe handle this
00:29:01
in the best possible way, and there was some sloppiness in
00:29:04
the writing of the NDA, the correspondence he had
00:29:06
with the people above him, that maybe someone should tell the FTC
00:29:10
if you're in a negotiation with them, if you have other skeletons
00:29:12
in your closet. Like I mean, yeah.
00:29:14
Clearly what the government wants.
00:29:16
You're right? Yeah, I guess my.
00:29:17
Yeah. The question is, was
00:29:18
there a sense of it, of saying, yes,
00:29:21
overall, he did the right thing except for in the very specific
00:29:23
ways the government nailed him, and if he were just a little
00:29:26
more careful here he could have been well clear.
00:29:29
Or, to put this in a layman's way, it's like, no reporter
00:29:32
wants a reporter convicted, right?
00:29:33
Reporters always cheer for like, Free Press cases.
00:29:37
But then sometimes there are particulars of them and like
00:29:39
some, you know, you're like, well, Gawker maybe shouldn't
00:29:42
have published like a terrible sex, you know.
00:29:45
It's like, okay, I understand why CISOs would always say don't
00:29:47
convict a CISO. Journalists never want to see journalists
00:29:50
convicted, but then these things get decided in the fact
00:29:52
patterns. And, like, yeah, I guess, is
00:29:55
there sort of a fact pattern that can separate this from what
00:29:59
CISOs are doing sort of day-to-day?
00:30:02
So first of all, I would say that there are some instances
00:30:04
where I think reporters should get sued for libel and
00:30:07
lose. I'm not going to defend
00:30:09
every single member of my profession.
00:30:12
I think I could defend half of them.
00:30:14
So I think the majority feeling among Chief security officers is
00:30:19
that Joe got a really bad deal. And I again, I mean there's a
00:30:22
lot of evidence on both sides here, but one of the things that
00:30:24
came out is Joe was grilled
00:30:28
by the FTC and he was never accused of lying to the FTC.
00:30:31
They, you know, it was a sin of omission, where somebody else was
00:30:35
sending in the thing, and one of the bajillion emails
00:30:37
that Joe was supposed to read. But misprision can
00:30:40
include... not an omission, right? It isn't an omission; it has to be
00:30:45
an active thing, but it doesn't... it doesn't have to be a direct
00:30:48
lie. Like you can.
00:30:49
That's correct. Right.
00:30:50
That's correct, right? But you know, like I said, this
00:30:52
is not, this is not a slam-dunk case, and the jury struggled for
00:30:55
four days with this stuff. Most chief security,
00:30:59
er, chief information security officers are deeply unhappy
00:31:03
about this. They're used to being
00:31:04
scapegoated by their own companies and now they have to
00:31:08
worry about being scapegoated by the feds and you know, in some
00:31:11
cases in collusion with their companies.
00:31:14
They, you know, it's not just that Dara fired him, it's that, you know,
00:31:17
Dara had him frog-marched into the US attorney's office.
00:31:20
I mean, the hack was never, like, a core Uber scandal. That's part
00:31:24
of what's bizarre about this whole thing.
00:31:26
It was sort of like a trailing end thing.
00:31:29
I mean, my understanding is this, Uber hack was like
00:31:31
disclosed, and, like, one of the whistleblowers they had, like some
00:31:35
security officer at Uber, like, sent a letter, like, seemingly,
00:31:40
I think, shaking them down for money, and then so then this hack was
00:31:43
in that and so then there becomes more of a likelihood
00:31:46
that it comes out, you know, but it was my point is just sort of
00:31:49
a tail-end scandal. So it is sort of absurd that
00:31:52
this would be sort of the most litigated Travis conviction.
00:31:57
Yeah. I mean, it's like, it's not even
00:31:58
getting Al Capone on income tax evasion, it's like getting a
00:32:01
third-tier goon on Al Capone's squad charged with a crime.
00:32:05
And that goon actually happened to have been a pretty clean guy
00:32:07
up to that point. It just sounded like he did
00:32:10
potentially or, I guess as the law said, you know, break it in
00:32:13
the very particular way in which he was charged.
00:32:15
I mean, it is, it is bizarre. I agree with you.
00:32:17
There is another Uber executive who has pled guilty to
00:32:21
something, though not for his activity
00:32:25
at Uber, necessarily. Anthony Levandowski, of course.
00:32:29
Of course, pled guilty for stealing trade secrets and then
00:32:32
was pardoned by President Trump. I feel like that whole news
00:32:36
cycle, got totally washed away because like it was at the end
00:32:39
of the Trump presidency and then January 6th happened.
00:32:41
But Anthony Levandowski, you know, the whole Waymo guy, pled
00:32:45
guilty and then was pardoned by Trump.
00:32:47
So, I think, you know, somebody was laughing to me, a
00:32:50
former Uber exec was like, you know, are we going to
00:32:53
get another pardon for, you know... it's a sorry joke about
00:32:57
Joe, but yeah. Well, Joe Biden,
00:32:59
You know, step up here, I mean, what is the expectation in terms
00:33:02
of a sentencing for this kind of a, you know crime?
00:33:05
So I mean, in theory he could get up to eight years, you know?
00:33:09
I don't know if there are mandatory minimums, I, you know,
00:33:11
or what the accepted range is, you know, he didn't help them by
00:33:16
testifying against anybody else. The real answer is, I don't
00:33:20
know, you know, and I don't normally cover criminal trials,
00:33:23
so, you know, maybe he gets a couple years and maybe
00:33:28
it's probation or something, but it would be deeply unpleasant
00:33:33
for anybody, but he's a former Federal prosecutor.
00:33:35
So to put him in a federal jail with people that he has jailed,
00:33:38
or would have, you know? That's, that's not cool.
00:33:42
So I'm guessing he would be segregated somehow.
00:33:45
Yes, cyber jail. Jesus.
00:33:46
He's a former federal prosecutor.
00:33:48
I mean, you have to imagine that animated
00:33:50
the prosecutors somewhat, that this, of all people, who should be
00:33:53
sort of following the letter of the law. Yes.
00:33:56
And they argued that. Here's one guy who does know
00:33:58
what misprision of a felony is, right?
00:34:00
The only person in the courtroom. What sort of precedent
00:34:04
do you think the government was trying to set with this case
00:34:07
here? Because it is like we've said,
00:34:09
multiple times a bit of a tangential crime when it comes
00:34:11
to Uber itself or even the broader, like, hacker community.
00:34:15
I don't even think it's the most interesting hack I've heard of
00:34:17
in the last like Year let alone five to 10 years.
00:34:20
I mean if you were to look at what kind of outcome broadly
00:34:25
that the government was trying to get from this, you know
00:34:27
lessons learned, what would you say it is?
00:34:29
Is, you know, the most... most charitably?
00:34:32
I would say that they're trying to send a message that just
00:34:35
because the CEO is a cowboy doesn't excuse you, from doing
00:34:40
what the cowboy wants at the expense of the law.
00:34:44
I guess you could also say that, you know, breaches are a bigger
00:34:48
deal than they used to be, security is a bigger deal than
00:34:51
it used to be. There's all kinds of national
00:34:53
security implications, you know, we, the US has sanctioned
00:34:57
ransomware groups that are too close to the Russian government.
00:35:01
You know, they would rather those people not get paid
00:35:04
off. In fact, that's one of the few ways you do get in trouble,
00:35:06
is if you send a ransom payment to one of these sanctioned
00:35:09
groups, you know, so maybe everybody just has to
00:35:13
be on their toes more about how they treat
00:35:15
breaches, including the disclosure aspect.
00:35:17
Can I ask, part of the purpose of this show is we try
00:35:20
to go a bit behind the scenes of the reporting of stories and the
00:35:23
relationship that reporters have with the company.
00:35:25
I mean, this is an interesting case of, you know, Uber is
00:35:29
obviously a key material presence within this trial.
00:35:33
They're obviously providing evidence that is very useful for
00:35:36
the prosecution here, but, you know, what
00:35:38
sort of, you know, information, interference
00:35:40
Did you sort of get from Uber as you were doing the story in
00:35:44
terms of, you know, trying to encourage a specific point of
00:35:47
view? I mean, how much were they
00:35:48
trying to influence the coverage of this case in any way?
00:35:51
Because I think, look, transparently,
00:35:54
I've seen it a lot: Uber is very interested in the
00:35:56
story, but I'd be interested in seeing, from your perspective,
00:35:59
what? I didn't have much interaction
00:36:00
with them, you know, in the end stages of this. When they fired
00:36:05
Joe, it was weird that they did not go to any security
00:36:10
reporters. They went to an overview of
00:36:13
where they want to lose her. Well, I mean, I think that they
00:36:17
were spinning hard when they fired him, that, like, here's
00:36:21
the root of all of our problems. We did a big investigation and
00:36:25
we found this horrible stuff. I mean, there's a lot of nuance.
00:36:29
I hear ya. They don't say the bug bounty.
00:36:31
I mean, they go on the record about the story.
00:36:33
It's not like they, like, you know... I think I quoted Dara in
00:36:37
this story. They don't talk about the bug
00:36:38
bounty. They certainly talked about the
00:36:41
size of the breach. I mean, it's true: Uber paid
00:36:44
hackers to delete stolen data on 57 million people. Company paid
00:36:47
hackers 100 to delete info, keep quiet, right?
00:36:50
But this is again, this is the difference between, you know,
00:36:53
his being fired and the actual case, I mean you would think
00:36:56
Uber at this point, this is something that happened in the
00:36:58
past. They would care as much about,
00:37:00
you know, let the law and, you know, the legal system take
00:37:04
its course. It's interesting to me, Joseph,
00:37:06
that they actually were not that kind of involved at all in your
00:37:09
coverage and pushing you one direction or another.
00:37:11
Well, at this point there's this copious public record too.
00:37:13
So, that's, you know, when people are testifying under
00:37:16
oath, I find that a lot more convincing than what people are
00:37:19
saying, outside of Court. Yeah, let's broaden this out a
00:37:22
bit because I've said, you know, there are broader implications
00:37:25
here. So you were saying that, you
00:37:27
know, in the CISO community this verdict was met with kind
00:37:30
of terror, that they felt they've already taken one of the
00:37:32
worst jobs in the world and made it even worse.
00:37:35
I mean, anything more to that aspect.
00:37:37
I mean, what do you see in terms of outcomes from, you know,
00:37:40
getting a, you know, a CISO on the hook for what some
00:37:45
people in the community would view as fairly standard. So I'll
00:37:48
give you one tangible thing and one less tangible thing.
00:37:51
The tangible thing is that CISOs are looking for personal lawyers
00:37:56
to advise them on what their liability would be for any failings on the
00:38:01
job. The less tangible thing, which I
00:38:04
think is dangerous, is that CISOs will now be much more
00:38:07
likely to go the Mudge route and blow
00:38:09
the whistle and call in the feds by whatever,
00:38:13
you know, legal means they can, so they're not risking anything,
00:38:17
which is, you know, a real harsh gamble to take on, and so on.
00:38:22
But that will make them seen internally as, like, internal
00:38:26
affairs officers, as cops.
00:38:29
So. And that may mean that people
00:38:31
under them, with security responsibilities, keep things
00:38:35
from them because they don't want that to get reported out
00:38:39
and that's kind of a disaster. That's like, the thing where
00:38:41
like, you know, in a police internal affairs unit, like, you
00:38:45
know, they're given the cold shoulder by other officers
00:38:48
because they're the ones hunting for cops.
00:38:50
So that's miserable, like, you know, like I said, you know,
00:38:53
CISOs got to have the culture on their side.
00:38:55
They got to have the CEO, the CFO and other departments on
00:38:59
side. And if they are now, if they
00:39:01
become seen as someone that could rat you out, like a
00:39:04
compliance officer, then that's a bad dynamic. That takes a tough
00:39:09
dynamic and makes it, let's, let's get rid of internal
00:39:11
affairs. So, I don't know.
00:39:13
I just don't see how, I think, you know, these investigations
00:39:16
being disclosed to the government is so bad.
00:39:19
I mean, you know, there are lots, you know, they're plenty
00:39:21
of SEC filings where, you know, a company says, you know, some
00:39:25
hack happened and they happen too often.
00:39:28
Is it that damning to the company that it would be publicly
00:39:30
announced? Generally, no. I mean, the stigma has gone away for
00:39:34
most of this, starting with when
00:39:36
Google, you know, owned up to getting hacked by the
00:39:38
Chinese. Nobody thinks that Google's a
00:39:39
bunch of idiots. So, I mean, it has continued.
00:39:43
Everybody gets hacked. The US government gets hacked,
00:39:46
you know, there's, you know, the NSA has been badly hacked.
00:39:49
I don't think disclosure is a bad thing.
00:39:50
I'm in favor of disclosure. I'm in favor of more forced
00:39:53
disclosure. I'm talking about, like, this,
00:39:56
this unanticipated impact, which could be under... which could be
00:40:00
bad, yeah, for core security.
00:40:02
And, you know, maybe we'll know more but security might not get
00:40:04
much better. Do you think that this in a way
00:40:07
is going to have a hugely deleterious effect on bug bounty
00:40:10
programs that companies will just back away from that as a
00:40:12
whole because they see that it just skirts the line into an
00:40:16
area that if the FTC for whatever reason wanted to
00:40:19
prosecute someone for it, they could find a way to do it? I
00:40:22
think they're going to make bug bounty programs more fraught.
00:40:24
It's also true that some of them deserve to be more fraught, that
00:40:28
the, you know, they are... there are, there are
00:40:30
slathering makeup on a pig sometimes. You know, the early
00:40:35
bug bounty programs were seen as part of a coordinated
00:40:38
vulnerability disclosure program, which is from the old
00:40:42
days when a hacker says, hey you've got this problem.
00:40:45
If you don't fix it, I'll go public.
00:40:47
I'll give you 90 days or whatever it is, which is
00:40:49
what Google gives people when it finds bad flaws in somebody
00:40:53
else's program. That's kind of industry standard,
00:40:56
and then usually the company fixes it.
00:40:58
But at this, yes, is that really a bug?
00:41:00
It's a feature, or, you know, it's not really urgent.
00:41:02
We'll get around to it later. It's not that severe.
00:41:04
Then the person goes public. The way bug bounty programs have
00:41:08
evolved. They get most of their money
00:41:10
from the companies and they're seen by some companies as a way
00:41:14
to control the hacking Community.
00:41:16
Because if they don't, if they don't shut up and take the money
00:41:19
then they don't get to participate in the in the bug
00:41:22
bounty program anymore, and there's, like, you know, two or
00:41:25
three big bug bounty platforms. And if you're not welcome on any
00:41:29
of them, then it's going to be much harder for you
00:41:31
to make a living without selling your vulnerability information
00:41:34
to governments or the private sector or brokers, who might
00:41:38
flip it to somebody who flips it, and somebody flips it to
00:41:40
the Chinese. It's a very, very uncontrolled world out there,
00:41:45
and bug bounties were one way to bring people towards the light,
00:41:49
and I'm afraid that they are doing a lot less of that now
00:41:52
than they could. Are you covering the whole
00:41:54
Binance hack, by the way?
00:41:55
Or, like... I'm not, in part because there are so many crypto
00:41:59
hacks these days that, you know, you wouldn't do anything else,
00:42:02
and in part because in this particular case, there don't
00:42:05
appear to be human victims, there were tokens that were
00:42:07
lying around so it's not as bad as some of the others.
00:42:11
Oh, interesting. Just, like, 500 million, just, like,
00:42:14
so, yeah, with it just created out of thin air.
00:42:17
I guess if somebody gets their hands on it, right?
00:42:20
That's fascinating, actually. What I mean have you written
00:42:22
much about crypto hacks? I mean like you bring up, it's
00:42:24
very difficult to, you know, discuss things in terms of human
00:42:27
terms, and they're so common these days.
00:42:29
I mean, what's, you know, in the,
00:42:30
in the infosec community, what is the thinking on the
00:42:33
security of your shit in the web3 world?
00:42:37
It's terrible. But you know, it's like the
00:42:41
whole crypto stuff reminds me of 1999 when I was covering
00:42:44
the dot-com boom. And, you know, the stuff is absurd
00:42:47
on its face. So like you know, how do I
00:42:50
really want to devote my time to explaining, you know, how this
00:42:53
particular one is a little more absurd than others or can I just
00:42:56
let people figure that out for themselves and then, you know,
00:42:58
go expose something that's you know, it's actually kind of
00:43:00
hidden. It's just, as I said, that.
00:43:02
That's my general take on it.
00:43:04
I'm interested in crypto as a as a means to launder money.
00:43:07
I'm interested in it as like kind of the rocket fuel of the
00:43:11
ransomware plague, and it's, you know, kind of interesting that,
00:43:14
you know, North Korea and other unpleasant places are, you know,
00:43:18
using it. It sort of monetizes pure
00:43:21
hacking in a way that nothing else has.
00:43:24
I mean, we're talking about, like, bug bounty payments are not
00:43:26
enough to compete with what the NSA or somebody else is going to
00:43:30
pay you for vulnerability information.
00:43:32
Or really, you know, you can also use that information to do
00:43:34
that hack yourself, right?
00:43:35
And you can make a tidy sum of money.
00:43:37
So, I mean, an enormous percentage of crypto that's floating
00:43:40
around there has been stolen from
00:43:42
somebody else who had it at some point or another.
00:43:44
I feel like the bug Bounty program in crypto is literally
00:43:47
just you like taking the money and then saying, hey look, I
00:43:49
just got a hundred thousand dollars of crypto coins because
00:43:52
your stuff is so hackable, there's my bounty.
00:43:54
And then they, like, plead there, like, if you give us 90 percent
00:43:56
back, we'll let you keep 10% of it.
00:43:59
I just did want to talk about my book a little bit so yeah,
00:44:01
absolutely, yeah. Because some of these things
00:44:04
go, you know, go back to it. So the people in the book were
00:44:07
people that came up with coordinated vulnerability
00:44:09
disclosure, you know, one of the people I quoted in my article,
00:44:12
Katy Mercer, has a net... These are the people that did the coordination,
00:44:17
and not by coincidence are people who wrestled with ethical
00:44:20
questions all the freaking time, and, you know, being now, you
00:44:25
know, I guess, better than this stop.
00:44:27
One of the things I was trying to do was convey to newer people
00:44:31
in security, you know, give them a set of shoulders to stand on.
00:44:34
They can choose whichever one they want, because they often
00:44:37
disagreed with each other, but to think about, think about these
00:44:41
sort of philosophical questions, because now, unlike before,
00:44:46
it's a nice clean profession, where I can go to a nice college
00:44:48
and get a nice job at a nice company, do cyber things,
00:44:51
without ever having to think about:
00:44:53
Are there some circumstances where you should break the law?
00:44:56
Are there, you know, what if your
00:44:58
employer wants you to put in a backdoor?
00:45:00
What do you do there? And there are fascinating ethical issues
00:45:04
that come up every day in security, and it bothers me
00:45:08
that people who are, like, 25 years old without any history of, you
00:45:12
know, you know, playing in the gray areas
00:45:16
are, you know, more inclined to do what they're told
00:45:18
than to figure out for themselves
00:45:20
what is ethical. Can you tell us a little bit
00:45:21
about the Cult of the Dead Cow? What is it?
00:45:23
And how does it involve the current gubernatorial candidate in
00:45:27
Texas, Beto O'Rourke, who was not,
00:45:30
not the only politician to call for loosening marijuana laws, like,
00:45:35
about... So, yeah, I exposed Beto O'Rourke
00:45:36
as a teen hacker, but it's not like... what's funny is
00:45:39
that his politics actually kind of match what he was doing back
00:45:42
then. I mean he's like exposed for
00:45:44
having like pushed for the things.
00:45:46
He's like, you know, pushing for as a politician.
00:45:49
So it's a pretty clean exposure. You're like, Beto is just as
00:45:52
cool as you thought, right? Except you want to take away our
00:45:55
guns. A lot of people thought he was
00:45:58
but well you know, I just thought he was a pretty white
00:46:00
boy and then I read, this is the first and this is the most
00:46:02
interesting thing I've heard of dryer.
00:46:04
Yeah. He was sort of fake cool.
00:46:05
And then it was like, oh, maybe it is real.
00:46:08
He was cooler back then. He was like Kyrsten Sinema.
00:46:10
There was the punk band tunes, but yeah, but I digress.
00:46:13
So the Cult of the Dead Cow is the oldest hacking group that is
00:46:16
still functional in the United States.
00:46:19
It is also the most influential hacking group in the history of
00:46:22
the United States. It was spawned in the 1980s in
00:46:25
Texas by some bulletin board operators.
00:46:28
And if you don't know what that is, you can ask your
00:46:31
grandparents, they morphed several times, but we're always
00:46:34
sort of at the cutting edge of hacking, which makes them a
00:46:37
really interesting vehicle to talk about all these, you know,
00:46:40
choices that were made and why they were made.
00:46:43
If you came of age in the 80s, in the time of the movie War
00:46:47
Games, you would know the Cult of the Dead Cow through their
00:46:49
funny, frequently profane, satiric text files, which could be about
00:46:53
anything and were sometimes political. And then, because they
00:46:56
were sort of like the cool kids in the hacking
00:46:58
scene, some people with actual hardcore sophistication in
00:47:03
hacking were asked to, you know, were invited to join, and
00:47:07
they joined. So that includes people from the
00:47:09
L0pht, the great Boston hackerspace, folks that
00:47:14
testified before Congress in 1998
00:47:16
That any one of them could take down the internet in half an
00:47:19
hour. So these technical people came
00:47:21
on, and then at DEF CON, the great, you know, giant hacking
00:47:25
convention that was sort of coming of age
00:47:27
and getting really big in those years, the Cult of the Dead Cow
00:47:31
threw CDs into the crowd that conveyed Back Orifice, and
00:47:35
then Back Orifice 2000, which were successive programs that
00:47:38
would allow pretty much anybody to hack a Windows machine, and
00:47:41
that was certainly controversial at the time, but that helped to
00:47:44
get press, which helped put actual pressure on Microsoft to
00:47:48
fix things, because Microsoft had a monopoly and was not being
00:47:50
responsible when people like the L0pht said,
00:47:53
hey, you have this major flaw in the architecture.
00:47:55
So they were, like, they were pushing the envelope,
00:47:57
and sort of using the media to try and put pressure on these big,
00:48:01
pretty untouchable software makers.
00:48:03
And then they invented hacktivism. They coined the term
00:48:06
hacktivism, they defined it as security work in service of
00:48:09
human rights which includes per International treaty the right
00:48:13
to information. So they got sort of political in
00:48:17
hacking terms, and then more broadly they pushed Tor to
00:48:20
include a browser, because they were releasing their own, they
00:48:22
were releasing their own browser for Tor, and they helped inspire the Citizen
00:48:26
Lab at the Munk School of International Affairs at the
00:48:29
University of Toronto. Then Citizen Lab are the world's
00:48:33
greatest experts on tracking how governments spy on their own
00:48:36
people. They, you know, if you know about
00:48:38
the Pegasus spyware that governments use on their own
00:48:42
people. That's largely because the
00:48:43
Citizen Lab, and they do this all the time.
00:48:46
Are they active today? The Cult of the Dead Cow, they
00:48:48
are they are. But they're, you know, they're
00:48:49
grown-ups. They actually are, you know, you
00:48:52
have some new members now, did you out them all?
00:48:54
Or is it sort of secret? Or what's the level of like, we
00:48:56
know who everybody is? So one of the surprises,
00:49:00
surprises in writing the book is that in the end, all of the core
00:49:04
members through the history of the group agreed to let me use
00:49:07
their real names, including people, you know, some had been
00:49:09
outed before. So Peiter Zatko was a member,
00:49:13
most recently famous for testifying in Congress about the
00:49:16
security disaster that is Twitter. Mudge, who
00:49:19
had been outed. He was a founder of Veracode,
00:49:22
which is a billion-dollar, very important security company.
00:49:25
Mudge also ran DARPA's cyber grant-making.
00:49:28
So these are very serious people, but many others had not
00:49:31
been outed, including the founder of the group and Beto O'Rourke,
00:49:34
who is now running for governor. They're letting new people in
00:49:38
there, how the initiation works or what, it's all terribly secret.
00:49:41
The one rule is, you cannot ask to join, because that would make
00:49:44
all their interactions unpleasant, because everybody
00:49:46
would ask to join. So you, it's kind of like,
00:49:49
the best line, I thought, was when you outed Beto. Did you do that with
00:49:52
anybody's permission? I didn't, you know, they were,
00:49:54
they were ready? Lobster, Beto loved it.
00:49:56
I mean, that's, that's a... I wouldn't, I wouldn't say bad.
00:49:59
I loved it. You know, there were, he got, he
00:50:01
got in a world of pain because of, you know, the teenage
00:50:04
text files that he wrote, you know, so much, with
00:50:08
one of which is kind of misogynist, and, you know, another
00:50:11
just, you know, seems naive, like "imagine a world without money"
00:50:14
was one of his, whatever. Nobody wants what they wrote
00:50:17
when they were 16 to be, you know, published.
00:50:19
And then if that's your real name when you're running for
00:50:21
office, right? Again, all this makes him sound
00:50:23
more interesting than he is now, but that's a separate topic.
00:50:26
So the others, I think, came forward in part because Beto
00:50:29
was coming forward, and they wanted to show solidarity
00:50:31
because he had the most to lose. So the new members they have
00:50:34
added, one of them has made a name for herself while fighting
00:50:37
revenge porn. She's helped get laws passed, just helped get, you know,
00:50:42
some measure of peace of mind for some victims of revenge porn,
00:50:46
and has helped press social media companies to
00:50:48
do more policing for it. And then there's another woman who has
00:50:51
sort of helped stop harassers within the infosec community,
00:50:56
you know, which is, you know, a checkered group like any other
00:50:58
industry. So it's actually kind of cool.
00:51:00
One of the knocks on them is that they had very, very few
00:51:02
women and also few minorities, like a lot of hacking in the
00:51:07
1990s. They did have some of each; in fact, Beto was the one
00:51:10
that gender-integrated the Cult of the Dead Cow.
00:51:14
So, I figure... is he still skilled?
00:51:16
Like, could he hack anything today?
00:51:18
So it was a different era. It was basically text files.
00:51:22
He also did some other stuff, he did some more driving.
00:51:25
He did use credit cards that did not strictly belong to
00:51:28
him. And I would like to give a
00:51:30
shout-out to the statute of limitations for enabling
00:51:32
these people to talk to me. They weren't major crimes.
00:51:36
I don't know what the state of his arts is now, but he did run
00:51:39
a, he did run an internet company after graduating
00:51:43
college, when he went back to Texas.
00:51:44
And that is what, and that included, kind of as an
00:51:47
offshoot, like, kind of an alt-weekly
00:51:49
type of electronic publication, which is why people asked him to
00:51:53
run for city council, which he did.
00:51:55
So that actually did launch him into politics. Fascinating,
00:51:59
though. The one that testified against Twitter, sort of during
00:52:02
the Elon case, which one was that?
00:52:04
That's Mudge, Peiter Zatko.
00:52:07
And he's one of these, right? Don't remember, was he in
00:52:10
both the L0pht and the Cult of the Dead Cow, and you know him
00:52:13
pretty well, or like you wrote about them. I mean, yes, you think
00:52:16
he was motivated to help Elon, or like, where, what's his, sort of,
00:52:19
sympathies? Or do you have a read on his motivations to come
00:52:23
out on this? Is his motivation nothing to
00:52:25
do with Elon? He had decided to come out.
00:52:27
He was fired before Elon made his move, and he decided to go
00:52:31
pursue the legal whistleblower avenue before Elon showed up.
00:52:36
So Elon was this, this weird element that came in at the end,
00:52:40
but he was on the road that he was leaving.
00:52:41
It made it more supportive to Elon anyway?
00:52:44
Like, no, I mean, while it wound up being of some benefit
00:52:48
to Elon. Yeah, it didn't really help, but
00:52:51
obviously every news cycle goes through a certain prism, and
00:52:54
it came out when people were obsessed with the lawsuit.
00:52:57
So just to answer the initial question, his motivation was
00:53:01
that Jack had brought him on to make Twitter users safer after
00:53:07
a series of hideous breaches, and he wasn't able to do that on the
00:53:11
inside for a variety of reasons. And so he decided to do it from
00:53:14
the outside, because this is going to apply real pressure and
00:53:18
possible additional regulation on to Twitter. It'll be easier if
00:53:22
Twitter remains a publicly traded company, because one of
00:53:25
the few levers of authority over Twitter is the SEC, and if Musk
00:53:29
takes it private, then you don't have, you don't have that.
00:53:33
It looks like Musk is going to wind up with it.
00:53:35
So this might, this might have been the last chance for
00:53:38
meaningful public oversight. Do you think someone like a Mudge,
00:53:40
I mean, he represents someone coming from the hacker
00:53:43
community going to be chief security
00:53:45
officer at a major corporation. There have maybe been a few that
00:53:49
have gone that, like, hacking-to-corporate route. In the light of
00:53:52
the Sullivan verdict, and maybe just the general trend of the
00:53:55
industry, is there more cynicism about that,
00:53:58
the belief that you can actually help these companies by working
00:54:01
on the inside at all? Or do you begin to see fewer and
00:54:04
fewer people from the hacking world want to take corporate
00:54:06
jobs? Anyway, that is, it's a tough
00:54:08
question. The hackers and security people are, at one time,
00:54:12
you know, unbelievably cynical, with good reason,
00:54:15
and also basically idealists, because the ones that aren't
00:54:19
idealists are the ones you don't hear about.
00:54:20
They're just out stealing stuff, you know?
00:54:23
Or they're hatching really, you know, impressive exploits, which
00:54:26
they sell on, sell on the black market or the gray market, which
00:54:29
is legal. So the ones who you hear about are
00:54:31
generally trying to make things better.
00:54:32
And, you know, one of the reasons I wrote, wrote The
00:54:35
Cult of the Dead Cow book was to try and, you know, revive
00:54:38
that, you know, rescue the word "hacker" from, like, a negative
00:54:42
connotation, because hackers are actually, by definition, critical
00:54:44
thinkers, and that's, that's incredibly valuable in society.
00:54:48
I think that this will make people on the margins less
00:54:51
likely to want a big corporate job with a title and a
00:54:54
car and some money. I think some will still do it,
00:54:57
because you do have a fair amount of levers there to effect
00:55:01
good. But again, one of the points of
00:55:03
the book is that there are many different ways that hackers
00:55:05
could contribute to a better world:
00:55:07
in government and nonprofits, open source projects. Like, you
00:55:11
know, back when these guys were starting, they were kind of
00:55:12
making it up as they went. But now there are serious
00:55:15
technologists of an ethical bent working for members of Congress.
00:55:18
Some of them are actually in Congress.
00:55:20
The Red Cross has technical gurus, and Amnesty International has
00:55:24
tech gurus. There are lots of different ways to do good with a hacking
00:55:27
mentality and, and technical sense now than there
00:55:30
have been. And, you know, I see, so, it's
00:55:33
looking a little less attractive now than it was before.
00:55:36
And before wasn't looking that attractive.
00:55:38
So the likelihood that Beto O'Rourke is the new CSO at Uber? Not
00:55:42
very high. I think very, very low. Hmm.
00:55:46
Keep looking over. Thanks so much, Joseph, from all of us here
00:55:49
at the Cult of the Dead Cat. We enjoyed, enjoyed this
00:55:54
conversation. Thanks so much for joining, and
00:55:57
yeah, we'll have you back on here soon.
00:55:58
Thanks so much. This is great.
00:55:59
Okay, thanks, Doctor. Goodbye, goodbye.
00:56:14
Goodbye, goodbye, goodbye, goodbye.
00:56:17
Goodbye.
