WEBVTT 1 00:00:00.080 --> 00:00:02.160 Okay, let's attack this. We live in a world where 2 00:00:02.640 --> 00:00:05.679 you know, you can buy a mass produced autonomous car 3 00:00:05.719 --> 00:00:09.160 that practically drives itself, but at the exact same time, 4 00:00:09.480 --> 00:00:14.000 major metropolitan hospitals are just being completely paralyzed by ransomware. 5 00:00:14.359 --> 00:00:15.919 It's this bizarre paradox. 6 00:00:16.039 --> 00:00:17.120 Yeah, it really is. 7 00:00:17.199 --> 00:00:20.480 We're building the most advanced digital infrastructure in human history, 8 00:00:20.679 --> 00:00:24.920 but the foundation it rests on is well, it's shockingly fragile. 9 00:00:25.280 --> 00:00:28.440 And the cost of that fragility try four hundred and 10 00:00:28.480 --> 00:00:32.119 fifty billion dollars a year. Wow, that is the estimated 11 00:00:32.159 --> 00:00:34.880 annual cost of cybercrime to the global economy. 12 00:00:34.920 --> 00:00:37.119 Which I mean that just tells us that the traditional 13 00:00:37.119 --> 00:00:39.640 way we think about safety, this whole binary idea of 14 00:00:39.679 --> 00:00:43.479 a system simply being either broken or not broken, it's 15 00:00:43.640 --> 00:00:47.240 entirely obsolete, totally. In the digital realm, safety is an illusion. 16 00:00:47.359 --> 00:00:49.359 It's really just a temporary state that has to be 17 00:00:49.960 --> 00:00:53.039 constantly aggressively stress tested. If you aren't hunting for the 18 00:00:53.079 --> 00:00:56.320 cracks in your own foundation, someone else is definitely already 19 00:00:56.320 --> 00:00:57.159 exploiting them. 20 00:00:57.079 --> 00:01:00.679 Exactly, And that brings us to our mission today. Welcome 21 00:01:00.719 --> 00:01:03.799 to the deep dive. We are shortcutting your journey to 22 00:01:03.880 --> 00:01:08.159 understanding the hidden front lines of this silent war happening 23 00:01:08.239 --> 00:01:09.200 right under our noses. 24 00:01:09.280 --> 00:01:10.200 Yeah, it's everywhere. 25 00:01:10.599 --> 00:01:12.920 So to do that, we are pulling back the curtain 26 00:01:13.079 --> 00:01:16.319 on a massive, highly regarded text in the infosec world. 27 00:01:16.599 --> 00:01:21.079 It's called Gray Hat Hacking, The Ethical Hackers Handbook, fifth edition, 28 00:01:21.599 --> 00:01:23.560 and this was put together by a team of heavy 29 00:01:23.599 --> 00:01:27.840 hitting security professionals including doctor Alan Harper and Daniel Rigolotto. 30 00:01:28.040 --> 00:01:32.599 It's an incredibly comprehensive source, and the authors actually dedicate 31 00:01:32.640 --> 00:01:36.359 the entire project to the late Shan Harris. Oh right, Yeah, 32 00:01:36.400 --> 00:01:39.400 she is a true pioneer in information security, a former 33 00:01:39.439 --> 00:01:43.159 engineer in the Air Force's Information Warfare Unit, just someone 34 00:01:43.200 --> 00:01:47.159 whose work jump started countless careers. Her legacy really frames 35 00:01:47.159 --> 00:01:49.040 the whole ethos of what we're looking at today, which 36 00:01:49.079 --> 00:01:50.480 is the mindset of the. 37 00:01:50.439 --> 00:01:53.239 Gray hat, right, because we aren't just talking about computers here, 38 00:01:53.280 --> 00:01:56.599 we're analyzing a very specific philosophy. So, for you listening, 39 00:01:56.640 --> 00:01:59.480 a gray hat is an ethical professional who uses offensive 40 00:01:59.560 --> 00:02:05.079 attack like techniques strictly to test and refine our digital defenses. Exactly, 41 00:02:05.200 --> 00:02:07.719 here are the ones out there stress testing that illusion 42 00:02:07.760 --> 00:02:11.520 of safety. But you know, to understand why we need them. 43 00:02:11.560 --> 00:02:14.080 We really have to look at the staggering scale of 44 00:02:14.120 --> 00:02:14.599 the threat. 45 00:02:14.840 --> 00:02:18.520 And the source material describes this as the duality of technology. 46 00:02:18.800 --> 00:02:20.000 What do you mean by duality? 47 00:02:20.159 --> 00:02:23.039 Well, the exact same infrastructure we use to fight for 48 00:02:23.120 --> 00:02:26.240 human rights, connect families, drive global productivity. It can all 49 00:02:26.240 --> 00:02:30.120 be weaponized. Yeah, the tools of connection are simultaneously the 50 00:02:30.199 --> 00:02:34.960 tools of surveillance, extortion, and theft. And that four hundred 51 00:02:34.960 --> 00:02:37.639 and fifty billion dollars price tag you mentioned, yeah, that 52 00:02:37.800 --> 00:02:41.800 is not coming from you know, teenagers in basements guessing passwords. 53 00:02:41.840 --> 00:02:43.439 Right, I really want to get away from that whole 54 00:02:43.560 --> 00:02:46.240 nineties movie trope. So what does a modern high level 55 00:02:46.280 --> 00:02:47.680 cyber attack actually look like. 56 00:02:47.960 --> 00:02:51.560 It looks like a highly organized, a multinational corporate operation. 57 00:02:52.199 --> 00:02:55.280 I mean, the text highlights several massive, real world examples 58 00:02:55.319 --> 00:02:59.680 to show this scale. Take the twenty sixteen Bangladesh bankheist. Okay, 59 00:03:00.080 --> 00:03:02.520 the attackers didn't just try to guess at teller's password 60 00:03:02.599 --> 00:03:05.240 or something. They targeted Swift Wait. 61 00:03:05.319 --> 00:03:08.719 Swift like the global messaging system that banks used to 62 00:03:08.759 --> 00:03:10.360 transfer money across borders. 63 00:03:10.599 --> 00:03:11.360 That's the one. 64 00:03:11.639 --> 00:03:15.319 Swift is essentially the central nervous system of global finance. 65 00:03:15.479 --> 00:03:18.639 If you compromise that. I mean, you are compromising the 66 00:03:18.639 --> 00:03:20.159 core trust between nations. 67 00:03:20.199 --> 00:03:23.159 And that's the terrifying brilliance of it. They compromised the 68 00:03:23.199 --> 00:03:27.599 bank's local environment, gained access to the swift terminals, and 69 00:03:27.639 --> 00:03:31.280 then fraudulently requested the Federal Reserve Bank of New York 70 00:03:31.680 --> 00:03:35.400 to transfer eighty one million dollars out of the Bangladesh. 71 00:03:34.840 --> 00:03:38.719 Bank's account eighty one million, just like that, Just like that. 72 00:03:39.439 --> 00:03:42.800 They routed those funds to accounts in the Philippines, where 73 00:03:42.800 --> 00:03:45.960 the money was quickly laundered through casinos and just vanished. 74 00:03:46.439 --> 00:03:50.120 They literally turned the global financial backbone into a personal 75 00:03:50.120 --> 00:03:51.400 atm okay. 76 00:03:51.400 --> 00:03:55.120 So that's a highly targeted attack on a hardened financial institution. 77 00:03:55.360 --> 00:03:58.439 But the source also mentions the mire I botnet, which 78 00:03:59.120 --> 00:04:01.159 that seems like the exist opposite approach, right. 79 00:04:01.159 --> 00:04:03.479 Yeah, it is. The Maria attack, which also happened in 80 00:04:03.479 --> 00:04:06.599 twenty sixteen, is a perfect example of how that duality 81 00:04:06.599 --> 00:04:10.439 of technology weaponizes everyday life. The attackers didn't go after 82 00:04:10.479 --> 00:04:13.879 highly secured service this time. They targeted millions of cheap, 83 00:04:14.120 --> 00:04:16.720 mass produced Internet of Things devices. 84 00:04:16.319 --> 00:04:17.920 Like smart home stuff exactly. 85 00:04:18.439 --> 00:04:22.040 We are talking about basic home security cameras, baby monitors, 86 00:04:22.439 --> 00:04:25.759 digital video recorders devices that consumers, you know, they plugged 87 00:04:25.759 --> 00:04:27.480 them into their living rooms and just forgot about them, 88 00:04:27.759 --> 00:04:29.800 leaving the default factory passwords. Attack. 89 00:04:30.079 --> 00:04:33.720 So the attackers infected millions of these low power devices, 90 00:04:34.000 --> 00:04:37.279 link them together into this massive botnet army, and then 91 00:04:37.319 --> 00:04:39.279 just pointed them all at a single target. 92 00:04:39.360 --> 00:04:43.240 They pointed them at DIN, a major DNS provider. It 93 00:04:43.279 --> 00:04:47.000 was a massive distributed denial of service attack. The sheer 94 00:04:47.120 --> 00:04:50.399 volume of junk traffic coming from these compromised baby monitors 95 00:04:50.439 --> 00:04:53.639 and cameras just completely overwhelmed the service. Oh wow, it 96 00:04:53.680 --> 00:04:57.199 took down half the Internet. Twitter, Netflix, Spotify all knocked 97 00:04:57.199 --> 00:04:59.959 offline because of insecure living room electronics. 98 00:05:00.120 --> 00:05:03.519 Is insane. So we've got financial ruin, we've got global 99 00:05:03.560 --> 00:05:06.959 communication blackouts. But then the source points to December twenty 100 00:05:07.000 --> 00:05:11.199 sixteen in Kiev, Ukraine, and the sticks shift from digital 101 00:05:11.240 --> 00:05:12.240 to physical, don't they. 102 00:05:12.319 --> 00:05:15.720 Yeah, that was a huge watershed moment. Attackers actually infiltrated 103 00:05:15.759 --> 00:05:19.600 the systems of a Ukrainian power company and systematically sabotage 104 00:05:19.639 --> 00:05:20.839 the power distribution equipment. 105 00:05:20.879 --> 00:05:22.720 So they didn't just steal data. 106 00:05:22.839 --> 00:05:26.120 No, this wasn't about stealing money or causing a nuisance. 107 00:05:26.839 --> 00:05:29.560 They left two hundred and twenty five thousand people in 108 00:05:29.600 --> 00:05:32.839 the dark in the freezing cold of winter for days. 109 00:05:33.600 --> 00:05:37.199 They actively destroyed physical infrastructure. 110 00:05:36.480 --> 00:05:39.360 Which is terrifying. And when we look at these malicious attackers, 111 00:05:39.399 --> 00:05:43.639 the black hats, they really rely on remaining invisible. Right. 112 00:05:44.079 --> 00:05:47.360 They use intermediaries to hide their origins. Oh absolutely, Once 113 00:05:47.399 --> 00:05:50.800 they break in, they scrub audit logs to cover their tracks. 114 00:05:50.879 --> 00:05:53.480 They install back doors like root kits so they can 115 00:05:53.519 --> 00:05:56.360 silently return whenever they want. But if I understand the 116 00:05:56.360 --> 00:06:00.279 gray hat philosophy correctly, an ethical hacker will emulate those 117 00:06:00.279 --> 00:06:04.639 exact same behaviors. Yes, they gather open source intelligence, they 118 00:06:04.879 --> 00:06:07.839 chain vulnerabilities together, and they take over the system, right. 119 00:06:07.959 --> 00:06:10.759 But the key difference is they use those exact same 120 00:06:10.839 --> 00:06:15.399 tools and techniques in a sanctioned, controlled environment. Their goal 121 00:06:15.839 --> 00:06:19.279 is to find those catastrophic holes, document every single step 122 00:06:19.279 --> 00:06:21.759 of the attack, and hand that intelligence over to the 123 00:06:21.759 --> 00:06:22.279 blue team. 124 00:06:22.439 --> 00:06:25.800 The blue team being the defensive security personnel. 125 00:06:25.480 --> 00:06:28.000 Right, so the vulnerabilities could be patched before the black 126 00:06:28.040 --> 00:06:28.920 hats ever arrive. 127 00:06:29.360 --> 00:06:32.839 I always look at it like hiring a master cat burglar. 128 00:06:33.160 --> 00:06:35.399 You invite them to break into your own house while 129 00:06:35.399 --> 00:06:37.000 you just sit on the couch and watch. You want 130 00:06:37.000 --> 00:06:39.759 to see which windows you forgot to lock, or you 131 00:06:39.800 --> 00:06:42.319 know which floorboards creak when they sneak down the hall. 132 00:06:42.319 --> 00:06:43.360 It's a great way to put it. 133 00:06:43.399 --> 00:06:46.439 But here is the massive contradiction that jumps out at me. 134 00:06:47.399 --> 00:06:50.720 If these gray hats are using the exact same tools 135 00:06:50.759 --> 00:06:54.959 as the criminals to pick the locks, how on earth 136 00:06:55.040 --> 00:06:55.800 is this legal? 137 00:06:56.639 --> 00:06:59.439 Well, you are stepping into a total legal mindfield there. 138 00:06:59.680 --> 00:07:01.879 I mean, it sounds straightforward. You hire the cat burglar, 139 00:07:01.920 --> 00:07:05.079 so it's fine. But the laws governing the Internet were 140 00:07:05.120 --> 00:07:08.839 not originally written with the concept of ethical hacking in mind. 141 00:07:09.040 --> 00:07:12.439 We are dealing with a patchwork of regulations trying to 142 00:07:12.439 --> 00:07:16.360 govern a twenty first century invisible war zone using twentieth 143 00:07:16.399 --> 00:07:17.839 century property concepts. 144 00:07:17.959 --> 00:07:19.800 So what's the baseline? Where do we start? 145 00:07:20.000 --> 00:07:22.680 The foundational law in the US is the Computer Fraud 146 00:07:22.680 --> 00:07:24.800 and Abuse Act or the CFAA. 147 00:07:25.120 --> 00:07:27.079 The CFAA, what does that actually cover? 148 00:07:27.199 --> 00:07:31.800 The CFA prohibits unauthorized access to computers and network systems. 149 00:07:32.240 --> 00:07:35.759 It is essentially the digital equivalent of breaking and entering. 150 00:07:35.959 --> 00:07:39.519 The keyword, as you noted with your cat burglar analogy, 151 00:07:39.920 --> 00:07:44.720 is unauthorized. If a company signs a contract explicitly defining 152 00:07:44.720 --> 00:07:47.439 the scope of a penetration test. The gray hat is 153 00:07:47.519 --> 00:07:49.160 legally shielded under the CFAA. 154 00:07:49.519 --> 00:07:51.319 Okay, that makes sense for the perimeter of the house, 155 00:07:51.439 --> 00:07:54.199 But what happens once they are inside? Like if a 156 00:07:54.199 --> 00:07:57.160 gray hat hacks a corporate server to prove its vulnerable 157 00:07:57.240 --> 00:08:00.920 and they suddenly have access to thousands of private employee emails, 158 00:08:01.240 --> 00:08:03.519 that feels like a totally different legal violation. 159 00:08:03.839 --> 00:08:07.079 It absolutely is. That brings us to the Electronic Communication 160 00:08:07.160 --> 00:08:08.720 Privacy Act the ECPA. 161 00:08:08.959 --> 00:08:10.160 The ECPA right. 162 00:08:10.480 --> 00:08:14.720 While the CFAA protects the computer itself, the ECPA protects 163 00:08:14.720 --> 00:08:18.360 the communications flowing through it. It's split into two parts, 164 00:08:18.759 --> 00:08:21.839 the Wiretap Act, which protects data wallet is in transit 165 00:08:21.879 --> 00:08:24.920 over a network, and the Stored Communications Act, which protects 166 00:08:25.000 --> 00:08:27.680 data sitting on a server like those emails you mentioned. 167 00:08:27.720 --> 00:08:30.319 Wait, so the CFA coverles breaking into the house and 168 00:08:30.360 --> 00:08:33.600 the ECPA covers reading the mail once you're inside. That 169 00:08:33.679 --> 00:08:36.879 sounds like a logistical nightmare for a security tester. If 170 00:08:36.919 --> 00:08:39.039 I'm hired to test a network and I intercept a 171 00:08:39.120 --> 00:08:42.720 data packet just to prove the network is compromised, am 172 00:08:42.759 --> 00:08:46.200 I suddenly violating federal wiretab laws? Even if I have 173 00:08:46.279 --> 00:08:47.559 permission to be in the system. 174 00:08:47.679 --> 00:08:50.399 You absolutely could be, depending on how the contract is 175 00:08:50.399 --> 00:08:53.320 written and who actually owns that data. Gray hats have 176 00:08:53.360 --> 00:08:58.360 to navigate these overlapping jurisdictions meticulously, and it doesn't stop there. 177 00:08:58.799 --> 00:09:02.080 You also have the Digital Millennium Copyright Act the DMCA. 178 00:09:02.279 --> 00:09:04.559 The DMCA, I usually hear about that in the context 179 00:09:04.600 --> 00:09:07.360 of people pirating movies or music on YouTube. 180 00:09:07.080 --> 00:09:09.639 Or something, right, But in the cyber realm, it protects 181 00:09:09.720 --> 00:09:13.600 copyrighted software and systems from being accessed, reverse engineered, or 182 00:09:13.639 --> 00:09:14.159 tampered with. 183 00:09:14.279 --> 00:09:15.039 Oh I see. 184 00:09:15.480 --> 00:09:19.759 However, the DMCA notably includes a specific exemption for encryption research. 185 00:09:20.320 --> 00:09:23.080 This allows security professionals to test the flaws of commercial 186 00:09:23.200 --> 00:09:27.919 encryption technologies without facing a massive lawsuit from the software manufacturer. 187 00:09:28.080 --> 00:09:31.360 It's fascinating how much the law relies on this murky 188 00:09:31.399 --> 00:09:34.759 concept of intent. Are you an authorized researcher or a 189 00:09:34.799 --> 00:09:37.759 malicious actor? But the stakes are getting so high. We 190 00:09:37.759 --> 00:09:40.679 talked about the Ukraine power grid. If a hospital gets 191 00:09:40.720 --> 00:09:43.519 hacked and the power goes out, people die. Does the 192 00:09:43.600 --> 00:09:46.320 law actually reflect that physical reality? 193 00:09:46.360 --> 00:09:49.480 It does? Now. The Cybersecurity Enhancement Act of two thousand 194 00:09:49.480 --> 00:09:53.000 and two was a major escalation in how we prosecute 195 00:09:53.039 --> 00:09:53.600 these crimes. 196 00:09:53.679 --> 00:09:54.519 What did it change. 197 00:09:54.600 --> 00:09:56.799 It's stipulated that if an attacker carries out a computer 198 00:09:56.879 --> 00:10:00.080 crime that results in bodily harm to another person or 199 00:10:00.080 --> 00:10:02.720 even creates a threat to public health and safety, they 200 00:10:02.720 --> 00:10:05.080 can receive a life sentence in federal prison. 201 00:10:05.240 --> 00:10:07.200 A life sentence for a few lines of code. That 202 00:10:07.320 --> 00:10:10.399 really proves how physical the digital world has become. But 203 00:10:10.519 --> 00:10:13.080 you know, with the stakes that high, and with companies 204 00:10:13.080 --> 00:10:15.720 losing millions of dollars to these attacks, it brings up 205 00:10:15.759 --> 00:10:18.919 an obvious question. What's that If I run a major 206 00:10:18.960 --> 00:10:21.759 corporation and I watch a black hat break into my 207 00:10:21.840 --> 00:10:25.120 network and start stealing my data, why can't I just 208 00:10:25.240 --> 00:10:28.080 unleash my security team to hack them back and destroy 209 00:10:28.120 --> 00:10:28.799 their servers. 210 00:10:29.159 --> 00:10:33.240 Ah. That is the concept of hackback or active defense, 211 00:10:34.120 --> 00:10:38.519 and legally it is heavily restricted. The text outlines the 212 00:10:38.519 --> 00:10:42.039 Cybersecurity Information Sharing Act of twenty fifteen, known. 213 00:10:41.919 --> 00:10:43.759 As CASA Okay SISA. 214 00:10:43.879 --> 00:10:47.320 Yeah, designed to encourage private companies to share cyber threat 215 00:10:47.360 --> 00:10:51.480 information with the government confidentially. But it draws a very 216 00:10:51.480 --> 00:10:54.480 explicit line it does not authorize hackback activities. 217 00:10:54.519 --> 00:10:56.879 Why not? I mean, if someone is robbing my physical store, 218 00:10:56.919 --> 00:10:59.639 I'm allowed to defend my property. Why can't a bank 219 00:10:59.759 --> 00:11:03.360 did destroy the server that is currently draining their accounts. 220 00:11:02.960 --> 00:11:06.240 Because of attribution and collateral damage. In the physical world, 221 00:11:06.320 --> 00:11:08.840 you can literally see the person robbing you. In the 222 00:11:08.879 --> 00:11:13.159 digital world, malicious actors constantly use intermediaries. So if a 223 00:11:13.200 --> 00:11:15.559 bank gets attacked, the traffic might look like it's coming 224 00:11:15.600 --> 00:11:17.960 from a server in Germany. If the bank hacks back 225 00:11:18.000 --> 00:11:20.360 and destroys that server, they might find out later that 226 00:11:20.399 --> 00:11:23.600 the server actually belonged to a completely innocent hospital that 227 00:11:23.679 --> 00:11:26.960 the attacker had secretly compromised to use as a proxy. 228 00:11:27.080 --> 00:11:29.840 Digital vigilantism would just cause global chaos. 229 00:11:30.240 --> 00:11:32.440 Yeah, it sounds like we are trying to legislate the 230 00:11:32.440 --> 00:11:35.159 Wild West while the outlaws are already driving sports cars. 231 00:11:35.559 --> 00:11:40.080 But here's the crucial transition. I think the law focuses 232 00:11:40.120 --> 00:11:45.279 heavily on human intent, authorization, malice research to the computer, 233 00:11:45.519 --> 00:11:49.720 intent doesn't exist. The computer only understands instructions. So what 234 00:11:49.840 --> 00:11:52.759 is the fundamental flaw in these instructions that allows a 235 00:11:52.799 --> 00:11:55.480 criminal to bypass all of those legal boundaries in the 236 00:11:55.480 --> 00:11:58.399 first place? What are these locks the hackers are actually 237 00:11:58.399 --> 00:11:59.799 picking to understand? 238 00:11:59.799 --> 00:12:02.679 That we have to drop way down into the basement 239 00:12:02.759 --> 00:12:05.320 of how computers actually work. We have to talk about 240 00:12:05.320 --> 00:12:07.879 the programming language that built our modern world C. 241 00:12:08.279 --> 00:12:11.159 The C programming language, I know it's foundational, but exactly 242 00:12:11.200 --> 00:12:12.039 how old are we talking? 243 00:12:12.120 --> 00:12:14.559 It was developed in nineteen seventy two by Dennis Ritchie 244 00:12:14.600 --> 00:12:15.320 at Bellabs. 245 00:12:15.559 --> 00:12:18.519 Nineteen seventy two, you're telling me that the modern hyper 246 00:12:18.559 --> 00:12:22.279 connected world of autonomous vehicles, global banking, and smart grids 247 00:12:22.559 --> 00:12:25.320 relies on a language written during the Nixon administration. 248 00:12:25.679 --> 00:12:31.639 It absolutely does. Massive applications, operating systems, web browsers, they're 249 00:12:31.679 --> 00:12:34.720 all still heavily reliant on C. And because of that 250 00:12:35.080 --> 00:12:38.639 we inherited some foundational structural quirks from the nineteen seventies. 251 00:12:39.120 --> 00:12:41.639 The authors of the source material highlight one of the 252 00:12:41.720 --> 00:12:44.600 most brilliant examples of this, The Indianists. 253 00:12:44.039 --> 00:12:46.080 Debate indianas, I've never heard that term. 254 00:12:46.159 --> 00:12:50.919 It's about how physical computer memory actually stores information. The 255 00:12:50.919 --> 00:12:55.279 book references a fantastic historical artifact, an Internet experiment note 256 00:12:55.279 --> 00:12:58.320 from nineteen eighty by a computer scientist named Danny Cohen, 257 00:12:58.639 --> 00:13:01.639 titled on Holy wor War and a Plea for Peace. Okay, 258 00:13:02.200 --> 00:13:05.639 Cohen used the novel Gulliver's Travels to explain a bitter 259 00:13:05.720 --> 00:13:08.639 feud happening among computer hardware architects at the time. 260 00:13:08.759 --> 00:13:11.399 Wait, like the Jonathan Swift book from the seventeen hundreds, 261 00:13:11.399 --> 00:13:13.240 what does that have to do with computer hardware. 262 00:13:13.279 --> 00:13:16.000 Well, in Gulliver's Travels, there is a literal civil war 263 00:13:16.120 --> 00:13:18.840 in the land of Lilliput over the proper way to 264 00:13:18.919 --> 00:13:20.639 crack an egg, to break it on the big end 265 00:13:20.720 --> 00:13:21.320 or the little end? 266 00:13:21.320 --> 00:13:21.720 Oh right. 267 00:13:21.759 --> 00:13:25.240 Cohen used this absurd conflict to describe how different hardware 268 00:13:25.240 --> 00:13:29.080 manufacturers were designing their microchips. When a computer needs to 269 00:13:29.120 --> 00:13:31.879 store a multi byte piece of data in its physical memory, 270 00:13:32.360 --> 00:13:34.759 what direction does it write it in? Should it store 271 00:13:34.759 --> 00:13:37.679 the high order bytes first or the low order bytes first? 272 00:13:37.960 --> 00:13:40.919 So the computer science world split into Big Indians and 273 00:13:40.960 --> 00:13:41.720 Little Indians. 274 00:13:41.879 --> 00:13:46.080 Yes, and the split remains today. Intel processors use the 275 00:13:46.120 --> 00:13:48.960 Little Indian method, storing the least significant bite at the 276 00:13:49.000 --> 00:13:53.519 lowest memory address. Motorola processors use Big Indian, storing the 277 00:13:53.519 --> 00:13:54.879 most significant bite first. 278 00:13:55.320 --> 00:13:57.879 Wait, think about what this means for a hacker. You 279 00:13:57.879 --> 00:14:01.559 could spend months crafting the most perfect, devastating piece of 280 00:14:01.600 --> 00:14:04.519 malicious code in the world. But if you try to 281 00:14:04.559 --> 00:14:07.080 deploy it and you don't know the physical shape of 282 00:14:07.120 --> 00:14:10.039 the microchip inside the target machine, whether it's an Intel 283 00:14:10.159 --> 00:14:15.120 or Motorola, the computer will literally read your exploit backwards. 284 00:14:14.639 --> 00:14:17.399 Exactly you'll read it backwards, The code will turn into gibberish, 285 00:14:17.799 --> 00:14:20.360 the system will likely just crash, and the attack will 286 00:14:20.360 --> 00:14:24.240 completely fail. This highlights how hacking isn't just about software. 287 00:14:24.799 --> 00:14:27.960 It is intimately tied to the physical hardware. But if 288 00:14:27.960 --> 00:14:30.799 the hacker does know the hardware, how do they actually 289 00:14:30.799 --> 00:14:34.120 inject that malicious code? In C? It often comes down 290 00:14:34.200 --> 00:14:35.559 to variables and buffers. 291 00:14:35.879 --> 00:14:38.919 Let's define that for everyone listening. What exactly is a buffer? 292 00:14:38.960 --> 00:14:41.759 A buffer is just a temporary storage space in a 293 00:14:41.799 --> 00:14:45.360 computer's memory. It's like a holding pen for data. If 294 00:14:45.399 --> 00:14:48.440 you type your password into a website, that text is 295 00:14:48.480 --> 00:14:51.600 temporarily held in a buffer while the computer processes it. 296 00:14:52.240 --> 00:14:54.879 C has built in commands to move data in and 297 00:14:54.919 --> 00:14:57.519 out of these buffers. Okay, and one of the most 298 00:14:57.519 --> 00:15:00.759 common and historically most dangerous is this t rocky command 299 00:15:01.159 --> 00:15:02.440 that stands for a string copy. 300 00:15:02.679 --> 00:15:04.919 Its job is just to copy data from a source 301 00:15:04.960 --> 00:15:08.519 and place it into a destination buffer. Why is that dangerous. 302 00:15:08.200 --> 00:15:10.519 Because Trocky does not check the size of the source 303 00:15:10.559 --> 00:15:13.519 data before it starts copying it into the destination. It 304 00:15:13.679 --> 00:15:16.679 just blindly trusts that the original programmer allocated in a 305 00:15:16.679 --> 00:15:19.279 physical memory to hold whatever's being copied. 306 00:15:19.480 --> 00:15:21.600 It's like having a pint glass and a gallon jug 307 00:15:21.639 --> 00:15:25.039 of water. The striking command just keeps pouring the gallon 308 00:15:25.159 --> 00:15:27.559 jug into the pint glass. It doesn't check if the 309 00:15:27.559 --> 00:15:30.440 glass is full. So the water or in this case, 310 00:15:30.600 --> 00:15:33.360 the malicious code, it just spills out over the rim 311 00:15:33.440 --> 00:15:34.879 and floods the kitchen counter. 312 00:15:35.440 --> 00:15:39.039 That spilled water is called a buffer overflow, and it 313 00:15:39.159 --> 00:15:41.240 is the root cause of some of the most devastating 314 00:15:41.240 --> 00:15:44.320 cyber attacks in history. If you are listening to this 315 00:15:44.399 --> 00:15:46.840 deep dive on a smartphone right now, there are countless 316 00:15:46.840 --> 00:15:51.200 microprocesses running in the background using these exact memory structures. 317 00:15:51.240 --> 00:15:51.919 That's unsettling. 318 00:15:52.080 --> 00:15:54.320 If just one app developer got lazy and used to 319 00:15:54.320 --> 00:15:57.600 strip a command without checking limits, your phone is vulnerable 320 00:15:57.600 --> 00:15:58.279 to that spill. 321 00:15:58.440 --> 00:16:00.799 But if the code spills out of the pint glass, 322 00:16:01.240 --> 00:16:03.919 where exactly does it go? What does the layout of 323 00:16:03.960 --> 00:16:06.720 that kitchen counter look like inside the computer's memory. 324 00:16:07.919 --> 00:16:11.399 Think of a computer's ram. It's random access memory as 325 00:16:11.440 --> 00:16:15.879 a highly organized, highly segmented restaurant kitchen. When a program 326 00:16:15.960 --> 00:16:19.000 is running, its memory is divided into specific work zones. 327 00:16:19.080 --> 00:16:20.360 Okay, walk me through the zones. 328 00:16:20.600 --> 00:16:23.879 First, you have the dot text section. Think of this 329 00:16:23.879 --> 00:16:27.480 as the locked recipe book. It holds the actual machine instructions, 330 00:16:27.519 --> 00:16:30.759 the core logic of the program. The computer can read 331 00:16:30.799 --> 00:16:33.840 the recipes, but it is strictly forbidden from writing new 332 00:16:33.919 --> 00:16:34.960 data into this section. 333 00:16:35.120 --> 00:16:37.320 Okay, so the core recipes are locked in a safe 334 00:16:37.440 --> 00:16:40.759 a hacker can't easily alter the dot text section. What 335 00:16:40.799 --> 00:16:41.720 else is in the kitchen? 336 00:16:42.559 --> 00:16:44.960 Next is the dot data section, which is like the 337 00:16:45.000 --> 00:16:48.960 pantry holding your global ingredients. But the real action and 338 00:16:49.000 --> 00:16:52.559 where hackers focus their attention happens in the last two sections, 339 00:16:52.879 --> 00:16:54.200 the heap and the stack. 340 00:16:54.320 --> 00:16:55.679 The heap in the stack right. 341 00:16:55.879 --> 00:16:58.759 The heap is the dynamic prep counter. As the restaurant 342 00:16:58.759 --> 00:17:01.639 gets busier and needs more space to prepare complex orders, 343 00:17:01.799 --> 00:17:05.079 the heap expands. It grows upwards, moving from lower memory 344 00:17:05.079 --> 00:17:06.519 addresses to higher ones. 345 00:17:06.559 --> 00:17:09.400 So the heap is the expanding prep counter. What about 346 00:17:09.400 --> 00:17:09.799 the stack. 347 00:17:10.000 --> 00:17:12.519 The stack is the physical stack of order tickets. It 348 00:17:12.599 --> 00:17:15.119 keeps track of the program's short term memory. What function 349 00:17:15.160 --> 00:17:17.680 it is currently executing, and exactly where it needs to 350 00:17:17.720 --> 00:17:20.519 return once that task is done. The critical difference is 351 00:17:20.519 --> 00:17:23.440 that the stack grows downwards from high mary addresses toward 352 00:17:23.559 --> 00:17:24.119 lower ones. 353 00:17:24.279 --> 00:17:28.279 The stack grows down. This directionality is where it gets confusing. 354 00:17:28.319 --> 00:17:32.359 So let's clarify the physical space constraint. I'm imagining a 355 00:17:32.359 --> 00:17:35.880 clipboard where I write down my current tasks. Each task 356 00:17:36.079 --> 00:17:38.319 gets a small specific box on the paper. 357 00:17:38.519 --> 00:17:41.119 Exactly when a function is called, it gets a ticket 358 00:17:41.119 --> 00:17:43.559 on the stack, which includes the local buffer or pine glass, 359 00:17:43.599 --> 00:17:47.200 and right next to it something incredibly important, the return address. 360 00:17:47.279 --> 00:17:48.160 The return address. 361 00:17:48.279 --> 00:17:50.839 Yeah, the return address is the instruction that tells the 362 00:17:50.839 --> 00:17:54.319 computer's processor exactly what to do next once the current 363 00:17:54.359 --> 00:17:55.160 function finishes. 364 00:17:55.680 --> 00:17:58.559 So if I use that lazy, strappy command to write 365 00:17:58.559 --> 00:18:01.119 a massive novel into a tiny box on my clipboard, 366 00:18:01.279 --> 00:18:04.880 I'm writing past my allotted space. My ink bleeds out 367 00:18:04.880 --> 00:18:08.039 of the box and it physically overwrites the return address 368 00:18:08.079 --> 00:18:09.200 that was written right next to it. 369 00:18:09.279 --> 00:18:12.680 That is the exact anatomy of a buffer overflow. By 370 00:18:12.680 --> 00:18:15.480 pouring too much data into the buffer, the excess bleeds 371 00:18:15.480 --> 00:18:18.079 over and corrupts the return address. And this is the 372 00:18:18.119 --> 00:18:21.359 magic trick of the exploit. The attacker doesn't just fill 373 00:18:21.400 --> 00:18:24.319 that excess data with random garbage. They fill it with 374 00:18:24.359 --> 00:18:27.240 a very specific memory address of their choosing. 375 00:18:27.559 --> 00:18:29.680 Oh wow, so they aren't just crashing the program, they 376 00:18:29.680 --> 00:18:31.240 are hijacking the steering wheel. 377 00:18:31.400 --> 00:18:34.880 Yes, the steering wheel of a computer's processor is a 378 00:18:34.880 --> 00:18:39.119 specific register in ultrafast mary slot inside the CPU itself 379 00:18:39.480 --> 00:18:44.480 called the EIP EIEP that stands for the extended Instruction pointer. 380 00:18:45.079 --> 00:18:48.519 The EIP literally holds the memory address of the very 381 00:18:48.559 --> 00:18:50.240 next action the computer is going to take. 382 00:18:50.359 --> 00:18:53.160 Whoever controls the EP controls the computer completely. 383 00:18:53.720 --> 00:18:56.279 When a function finishes, the processor looks at the return 384 00:18:56.279 --> 00:18:58.920 address on the stack and loads it into the EIP. 385 00:19:00.000 --> 00:19:03.440 If an attacker has successfully overwritten that return address with 386 00:19:03.519 --> 00:19:07.759 their overflowing ink, the processor loads the attacker's address into 387 00:19:07.799 --> 00:19:11.720 the EP instead. Suddenly, the computer stops executing the legitimate 388 00:19:11.759 --> 00:19:14.839 program and starts executing the malicious code the attacker hit 389 00:19:14.920 --> 00:19:15.839 inside the overflow. 390 00:19:16.359 --> 00:19:19.720 That is terrifyingly elegant. But how do you actually pull 391 00:19:19.799 --> 00:19:21.640 that off? I mean, you're talking about aiming a stream 392 00:19:21.680 --> 00:19:24.920 of data at a microscopic, invisible target in a computer's memory. 393 00:19:25.119 --> 00:19:27.200 You have to know exactly how many drops of water 394 00:19:27.319 --> 00:19:29.519 to pour so that it perfectly hits the EIP. 395 00:19:30.079 --> 00:19:32.119 It is an exact science. It is a game of 396 00:19:32.240 --> 00:19:36.039 precise bites. To do this, an ethical hacker has to 397 00:19:36.119 --> 00:19:38.839 basically step into the matrix. They use a tool called 398 00:19:38.839 --> 00:19:43.279 a debugger. The source text highlights GDB, the GNU debugger. 399 00:19:43.559 --> 00:19:45.599 What does a debugger actually let you do? 400 00:19:45.839 --> 00:19:48.519 It lets you freeze a running computer program in real time. 401 00:19:49.119 --> 00:19:51.839