WEBVTT 1 00:00:00.120 --> 00:00:03.160 Imagine you were sitting at your desk on like a 2 00:00:03.240 --> 00:00:06.719 random Tuesday, You're sipping your coffee, and suddenly your screen 3 00:00:06.839 --> 00:00:11.279 just goes black. Right, You look around and your coworkers, well, 4 00:00:11.800 --> 00:00:13.960 they are all staring at their own blank monitors too. 5 00:00:14.519 --> 00:00:16.839 And you might think, Okay, this is a minor headache, 6 00:00:17.079 --> 00:00:19.760 a server triped, or you know it will fix it. 7 00:00:20.079 --> 00:00:22.839 But according to the sources we've curated for you today, 8 00:00:23.160 --> 00:00:27.679 there is a very real, very terrifying clock ticking in 9 00:00:27.719 --> 00:00:30.600 the background of that outage. Oh absolutely, because our material 10 00:00:30.679 --> 00:00:33.640 estimates that network downtime costs an average of forty two 11 00:00:33.640 --> 00:00:34.719 thousand dollars per hour. 12 00:00:35.000 --> 00:00:38.240 Yeah, and when you run the math on that specific figure, 13 00:00:38.600 --> 00:00:42.799 the scale of the problem becomes almost well, it's difficult 14 00:00:42.840 --> 00:00:46.240 to comprehend a particularly bad week, say a critical system 15 00:00:46.240 --> 00:00:48.399 being locked down for one hundred and seventy five hours, 16 00:00:48.719 --> 00:00:51.719 that will easily cost a company over seven million dollars 17 00:00:51.799 --> 00:00:54.640 seven million, Right, and we need to keep in mind 18 00:00:54.759 --> 00:00:57.719 that seven million is just the operational burn rate. That is, 19 00:00:57.799 --> 00:01:00.920 before the regulatory finds hit, before the lawsuits are filed, 20 00:01:00.960 --> 00:01:04.120 and you know, well before the public relations nightmare even begins. 21 00:01:04.519 --> 00:01:07.280 Welcome to the deep dive. We are taking you into 22 00:01:07.319 --> 00:01:11.040 the underground architecture of those seven million dollar disasters. Today 23 00:01:11.599 --> 00:01:13.760 we are pulling excerpts from the fourth edition of a 24 00:01:13.799 --> 00:01:18.519 really fascinating textbook called Gray Hat Hacking, The Ethical Hackers Handbook. 25 00:01:18.560 --> 00:01:20.439 It's a foundational text, it really is. 26 00:01:20.480 --> 00:01:22.719 And our mission for you today isn't just like a 27 00:01:22.760 --> 00:01:25.599 surface level look at how computer systems break. We want 28 00:01:25.599 --> 00:01:28.680 to understand the incredibly blurry line between the good guys 29 00:01:28.680 --> 00:01:31.640 and the bad guys in cyberspace. We are going to 30 00:01:31.719 --> 00:01:37.280 explore how ethical hackers meticulously emulate criminals, the absolute legal 31 00:01:37.359 --> 00:01:41.680 mind field they navigate just to do their jobs, and 32 00:01:41.760 --> 00:01:45.359 the hidden economy of software books that basically dictates whether 33 00:01:45.400 --> 00:01:46.760 your personal data is safe. 34 00:01:46.840 --> 00:01:49.319 Because to even begin defending a network, we have to 35 00:01:49.439 --> 00:01:53.200 establish a fundamental premise. You must intimately understand the mindset, 36 00:01:53.239 --> 00:01:55.920 the specific tactics, and the identical tool sets of the 37 00:01:55.959 --> 00:01:59.159 people trying to destroy that network. You simply cannot build 38 00:01:59.159 --> 00:02:02.079 an effective defense against an adversary you do not understand. 39 00:02:02.200 --> 00:02:06.239 Okay, let's unpack this adversary then, because reading through this text, 40 00:02:06.599 --> 00:02:09.879 the evolution of the criminal community is just staggering. I 41 00:02:09.879 --> 00:02:12.199 think a lot of people still picture a hacker, as 42 00:02:12.439 --> 00:02:16.120 you know, a bored teenager in a basement somewhere trying 43 00:02:16.120 --> 00:02:18.520 to break into a system just for the thrill of it. Sure, 44 00:02:18.599 --> 00:02:22.120 the whole Hollywood trope exactly, but the text makes it 45 00:02:22.159 --> 00:02:25.080 completely clear that the era of hacking for fun is 46 00:02:25.199 --> 00:02:31.120 long gone. We are dealing with highly sophisticated, profit driven enterprises. 47 00:02:30.560 --> 00:02:34.080 Now, we really are. The shift from decentralized thrill seeking 48 00:02:34.159 --> 00:02:38.439 to organize financial crime really crystallized over the last decade. 49 00:02:38.879 --> 00:02:43.159 The text highlights twenty thirteen as a particularly brutal watershed 50 00:02:43.199 --> 00:02:45.960 moment for this evolution. Oh yeah, you had the Adobe 51 00:02:45.960 --> 00:02:48.919 breach where thirty eight million account credentials and ENCRYPTID credit 52 00:02:48.960 --> 00:02:52.000 card numbers were stolen in one single sweep. You had 53 00:02:52.039 --> 00:02:55.159 Harbor Freight hit. But that wasn't a simple smash and grab. 54 00:02:55.599 --> 00:02:59.120 The attackers deployed malware specifically designed to sit silently on 55 00:02:59.159 --> 00:03:01.800 the network and x trade card data from over four 56 00:03:01.879 --> 00:03:04.039 hundred of their physical retail stores. 57 00:03:03.879 --> 00:03:07.240 Which is wild. And the text also brings up the 58 00:03:07.280 --> 00:03:11.439 massive Target Holiday breach, which impacted somewhere between forty thousand 59 00:03:11.520 --> 00:03:15.080 and seventy thousand individuals right at the absolute peak of 60 00:03:15.080 --> 00:03:18.400 the shopping season. Yeah, the cost of cleaning up those 61 00:03:18.439 --> 00:03:20.280 messes is what really caught my eye. 62 00:03:20.319 --> 00:03:20.479 Though. 63 00:03:21.039 --> 00:03:24.599 The text references a Cman Tech and Ponto One Institute 64 00:03:24.639 --> 00:03:28.560 report showing that data breaches cost an average of one 65 00:03:28.639 --> 00:03:31.520 hundred and eighty eight dollars per compromised. 66 00:03:30.919 --> 00:03:32.120 Record per record. 67 00:03:32.319 --> 00:03:35.080 Yes, so when you expose thirty eight million records, the 68 00:03:35.120 --> 00:03:36.560 math just gets apocalyptic. 69 00:03:36.719 --> 00:03:40.319 The financial damage is existential for these companies, but to 70 00:03:40.479 --> 00:03:43.520 understand the modern threat landscape fully, we also have to 71 00:03:43.560 --> 00:03:46.879 look at motives beyond just pure financial theft. The text 72 00:03:47.000 --> 00:03:52.639 dedicates significant space to hactavism attacks driven by political or ideological. 73 00:03:51.919 --> 00:03:54.360 Motives, like digital protests basically correct. 74 00:03:54.719 --> 00:03:57.240 The book details the digital fallout from the two thousand 75 00:03:57.240 --> 00:04:00.680 and nine Iran elections, as well as cyber conflict coinciding 76 00:04:00.680 --> 00:04:05.000 with kinetic conflicts in Gaza. These involved massive website defacements 77 00:04:05.039 --> 00:04:08.120 and distributed denial of service attacks to silence opponents. 78 00:04:08.560 --> 00:04:10.280 And it's interesting how the text handles that. 79 00:04:10.560 --> 00:04:13.400 It takes a very analytical approach here, noting that the 80 00:04:13.439 --> 00:04:17.759 ethics of hactivism depend entirely on the observer's viewpoint. One 81 00:04:17.800 --> 00:04:21.079 observer sees a digital sit in protesting an unjust regime 82 00:04:21.439 --> 00:04:25.319 while another observer sees a criminal disruption of critical infrastructure. 83 00:04:25.399 --> 00:04:26.160 Right, they don't take a. 84 00:04:26.120 --> 00:04:30.319 Side exactly because from a purely technical standpoint, the methods 85 00:04:30.480 --> 00:04:35.959 overwhelming servers defacing homepages they are identical to criminal attacks, 86 00:04:36.079 --> 00:04:37.399 just pointed at a different goal. 87 00:04:37.639 --> 00:04:40.800 So you have organized crime looking for credit cards and 88 00:04:40.879 --> 00:04:44.480 activists looking to send a message. But the most dangerous 89 00:04:44.480 --> 00:04:47.560 players mentioned in the text seem to be the mercenaries 90 00:04:47.600 --> 00:04:50.720 operating in the zero day market. What exactly makes a 91 00:04:50.800 --> 00:04:52.439 vulnerability a zero day? 92 00:04:52.920 --> 00:04:55.879 A zero day is a flaw in software that the vendor, 93 00:04:56.240 --> 00:04:58.480 the company that created the software, does not know about 94 00:04:58.560 --> 00:05:01.160 yet because they don't know it exist. There are literally 95 00:05:01.279 --> 00:05:04.000 zero days of protection available, no patch. 96 00:05:03.920 --> 00:05:05.920 No update, she just a completely open window. 97 00:05:06.199 --> 00:05:10.639 Yes, attackers discover these open windows, and instead of using 98 00:05:10.639 --> 00:05:14.399 them immediately, they sell them on a thriving underground market. 99 00:05:15.000 --> 00:05:18.600 Organized crime syndicates will pay massive payouts for an unpatched 100 00:05:18.639 --> 00:05:23.279 vulnerability because it guarantees them uncontested entry into a target's network. 101 00:05:23.600 --> 00:05:28.079 Okay, so if organized crime syndicates are secretly hoarding unpatched vulnerabilities, 102 00:05:28.439 --> 00:05:30.800 defenders can't just sit around and wait for the alarms 103 00:05:30.839 --> 00:05:33.279 to go off. They have to proactively hunt for the 104 00:05:33.319 --> 00:05:36.439 open windows themselves. I mean it feels like trying to 105 00:05:36.439 --> 00:05:39.839 design an impenetrable bank vault without ever actually consulting a 106 00:05:39.879 --> 00:05:40.959 professional bank robber. 107 00:05:41.040 --> 00:05:42.199 That's a great way to look at it. 108 00:05:42.240 --> 00:05:44.439 If you don't know how a thermal drill works, how 109 00:05:44.480 --> 00:05:46.000 do you know where to reinforce this steal? 110 00:05:46.600 --> 00:05:50.639 That analogy captures the industry's dilemma perfectly. The only way 111 00:05:50.680 --> 00:05:53.000 to test the vault is to hire someone to rob it. 112 00:05:53.600 --> 00:05:56.519 This is exactly why companies are forced to hire ethical 113 00:05:56.519 --> 00:06:00.720 hackers or penetration testers. They need a controlled stimulation of 114 00:06:00.759 --> 00:06:02.000 a worst case scenario. 115 00:06:02.360 --> 00:06:06.040 But how do you fake a bank robbery without actually 116 00:06:06.040 --> 00:06:09.120 taking the money or causing a massive panic? The text 117 00:06:09.240 --> 00:06:12.800 draws a really hard line here between a vulnerability assessment 118 00:06:12.920 --> 00:06:16.160 and a penetration test. What is the actual difference on 119 00:06:16.199 --> 00:06:16.639 the ground. 120 00:06:17.120 --> 00:06:21.120 A vulnerability assessment is essentially an automated diagnostic. An IT 121 00:06:21.439 --> 00:06:24.439 team points a piece of scanning software at a network. 122 00:06:24.680 --> 00:06:27.959 The software checks the IP addresses, looks for open ports, 123 00:06:28.319 --> 00:06:31.879 compares the software versions against known databases of flaws, and 124 00:06:32.040 --> 00:06:36.000 basically spits out a massive, hundreds of pages long report 125 00:06:36.240 --> 00:06:37.480 of theoretical risks. 126 00:06:37.600 --> 00:06:40.360 Okay, so returning to our bank fault, the vulnerability assessment 127 00:06:40.439 --> 00:06:42.759 is like a security guard walking around the perimeter of 128 00:06:42.800 --> 00:06:45.800 the building checking a clipboard and noting, Hey, that window 129 00:06:45.839 --> 00:06:48.199 on the second floor looks a little loose. Someone might 130 00:06:48.199 --> 00:06:49.399 be able to pry it open right. 131 00:06:49.439 --> 00:06:51.439 A penetration test, on the other hand, is when the 132 00:06:51.439 --> 00:06:55.360 ethical hacker actually scales the building, prize the window open 133 00:06:55.560 --> 00:06:58.720 bypasses the internal laser grid, picks the lock on the vault, 134 00:06:58.800 --> 00:07:01.040 and takes a photograph of the gold bars to prove 135 00:07:01.079 --> 00:07:04.879 they were inside. They are actively exploiting the vulnerabilities to 136 00:07:05.000 --> 00:07:09.040 gain root access or domain administrator control over the network. 137 00:07:08.759 --> 00:07:11.160 And taking a photograph of the gold bars brings us 138 00:07:11.160 --> 00:07:14.240 to my absolute favorite concept in the text, which is trophies. 139 00:07:14.879 --> 00:07:16.639 Because you can sit in a boardroom and talk to 140 00:07:16.720 --> 00:07:20.279 executives about misaligned protocols and open ports all day and 141 00:07:20.319 --> 00:07:22.040 their eyes will just completely glaze over. 142 00:07:22.000 --> 00:07:23.319 And they absolutely will. 143 00:07:23.360 --> 00:07:26.680 But ethical hackers need executive buy in to get things fixed, 144 00:07:27.000 --> 00:07:29.000 so they collect trophies to prove the danger. 145 00:07:29.160 --> 00:07:33.279 The trophies translate technical risk into pure business risk. 146 00:07:33.199 --> 00:07:35.720 And the examples in the book are fantastic. Like you 147 00:07:35.759 --> 00:07:39.519 want the CFO to care about network security. You project 148 00:07:39.680 --> 00:07:43.000 next year's unreleased financial projections on the screen, which you 149 00:07:43.120 --> 00:07:46.560 just pulled off their supposedly secure server. You want the 150 00:07:46.560 --> 00:07:50.079 CIO's attention, you drop the blueprints for the upcoming product 151 00:07:50.160 --> 00:07:54.000 line on the table, or my personal favorite, you reveal 152 00:07:54.079 --> 00:07:58.800 to the CEO that their highly secure master network password 153 00:07:59.360 --> 00:08:00.920 is I am I'm wearing panties. 154 00:08:01.199 --> 00:08:03.480 We should be very clear on the text's guidance regarding 155 00:08:03.480 --> 00:08:04.439 those trophies. 156 00:08:04.079 --> 00:08:04.759 Though, Oh sure. 157 00:08:04.879 --> 00:08:07.839 The objective is never to humiliate the client or the CEO. 158 00:08:08.600 --> 00:08:11.639 It is a necessary tactic to demonstrate the severity of 159 00:08:11.680 --> 00:08:14.360 the flaw because if an ethical hacker can read the 160 00:08:14.360 --> 00:08:18.199 CEO's private emails in an afternoon, a well funded foreign 161 00:08:18.240 --> 00:08:21.120 intelligence agency has likely been reading them for months. 162 00:08:21.279 --> 00:08:24.040 That makes total sense. I want to know the how here, though, 163 00:08:24.279 --> 00:08:26.680 the text lays out an eight step process for this 164 00:08:26.759 --> 00:08:30.800 ethical bank robbery. Step one is establishing ground rules, but 165 00:08:30.879 --> 00:08:35.159 step two passive scanning. Really surprise me. It includes osin 166 00:08:35.279 --> 00:08:38.360 open source intelligence and literally dumpster diving. 167 00:08:38.480 --> 00:08:39.120 Yes it does. 168 00:08:39.200 --> 00:08:42.000 How does digging through trash help a hacker breach a 169 00:08:42.080 --> 00:08:42.879 digital network? 170 00:08:43.000 --> 00:08:46.159 Well before an attacker ever touches a keyboard to scan network, 171 00:08:46.159 --> 00:08:51.279 they gather intelligence. Dumpster diving yields old corporate memos, employee directories, 172 00:08:51.399 --> 00:08:54.240 or discarded hard drives that outline internal naming. 173 00:08:53.960 --> 00:08:56.720 Conventions just sitting in the trash. 174 00:08:56.200 --> 00:09:01.039 Exactly and osent involves harvesting metadata from public sol A 175 00:09:01.120 --> 00:09:04.000 hacker might scrape LinkedIn to find out exactly what email 176 00:09:04.039 --> 00:09:07.679 format a company uses, or look at employees' public social 177 00:09:07.720 --> 00:09:11.279 media posts to understand the corporate hierarchy. They use this 178 00:09:11.399 --> 00:09:14.639 to craft a perfectly targeted phishing email that looks like 179 00:09:14.679 --> 00:09:18.000 it came directly from the hr director, so. 180 00:09:17.960 --> 00:09:20.679 They are completely mapping the human element before they even 181 00:09:20.720 --> 00:09:23.679 touch the digital one. Then the text moves into active 182 00:09:23.679 --> 00:09:27.559 scanning and fingerprinting. How do you fingerprint a computer system 183 00:09:27.679 --> 00:09:29.039 from thousands of miles away? 184 00:09:29.639 --> 00:09:33.159 Fingerprinting relies on the fact that different operating systems respond 185 00:09:33.200 --> 00:09:36.960 to anomalies in unique ways. An attacker sends a deliberately 186 00:09:37.000 --> 00:09:40.840 malformed packet of data to a server. Okay, a Windows 187 00:09:40.840 --> 00:09:43.840 server will generate a specific type of error message in response, 188 00:09:44.159 --> 00:09:48.120 while a Linux server will react completely differently. By analyzing 189 00:09:48.120 --> 00:09:51.679 those subtle responses, the hacker identifies the exact operating system 190 00:09:51.720 --> 00:09:54.039 and version running on the target. Oh wow, which tells 191 00:09:54.039 --> 00:09:56.360 them exactly which exploit to use in the next step. 192 00:09:56.639 --> 00:09:58.919 So once they know what they're dealing with, they select 193 00:09:58.919 --> 00:10:02.840 their target, exploit the vulnerability, escalate their privileges to get 194 00:10:02.879 --> 00:10:07.240 master control, and finally document everything for the client. That 195 00:10:07.360 --> 00:10:10.559 is the ethical eight step process. But if the ethical 196 00:10:10.600 --> 00:10:13.440 hacker is using the exact same tools as the criminal, 197 00:10:13.840 --> 00:10:16.080 how does the black hat's playbook differ. 198 00:10:16.240 --> 00:10:19.720 A black hat the unethical attacker diverges in a few 199 00:10:19.759 --> 00:10:24.519 critical ways meant to ensure their survival and continued access. First, 200 00:10:24.720 --> 00:10:28.519 they rarely attack directly. They use intermediaries wait hold on. 201 00:10:28.600 --> 00:10:30.960 So if a criminal wants to hack a major corporation, 202 00:10:31.440 --> 00:10:34.639 they might infect my personal home laptop first and then 203 00:10:34.759 --> 00:10:37.120 launch the attack from my IP address. So when the 204 00:10:37.159 --> 00:10:39.720 FBI traces the attack back, they end up knocking on 205 00:10:39.759 --> 00:10:40.360 my front door. 206 00:10:40.440 --> 00:10:42.960 That is exactly how they mask their origins. You become 207 00:10:43.039 --> 00:10:44.399 the unwitting scapegoat. 208 00:10:44.480 --> 00:10:45.360 That's terrifying. 209 00:10:45.639 --> 00:10:48.440 It is. Second, once the black hat is inside the 210 00:10:48.440 --> 00:10:52.639 target network, they install rootkits or back doors. A rootkit 211 00:10:52.759 --> 00:10:55.879 is particularly nasty because it is software that alters the 212 00:10:55.919 --> 00:10:59.799 operating system itself. If an administrator asks the computer for 213 00:10:59.799 --> 00:11:03.200 a list of running programs. The rootkit intercepts that command, 214 00:11:03.519 --> 00:11:06.320 removes itself from the list, and then hands the altered 215 00:11:06.320 --> 00:11:09.399 list to the administrator. It basically lies to the system 216 00:11:09.440 --> 00:11:10.919 to remain invisible, and. 217 00:11:10.919 --> 00:11:14.320 The text notes they will meticulously scrub the audit logs 218 00:11:14.320 --> 00:11:18.000 to erase any digital footprints. But the most ironic detail 219 00:11:18.080 --> 00:11:20.159 to me is that black ads will often patch the 220 00:11:20.240 --> 00:11:22.159 open vulnerability they used to get in. 221 00:11:22.360 --> 00:11:22.919 Yes, they do. 222 00:11:22.960 --> 00:11:25.879 They essentially pick the lock on the bank vault, walk inside, 223 00:11:26.240 --> 00:11:28.399 and then weld the door shut behind them so rival 224 00:11:28.399 --> 00:11:29.519 hackers can't follow them in. 225 00:11:29.679 --> 00:11:32.080 It is a dark form of diligence. They view that 226 00:11:32.159 --> 00:11:35.159 compromise network as their personal asset now, and they are 227 00:11:35.200 --> 00:11:38.360 protecting their territory from competing syndicates. 228 00:11:37.960 --> 00:11:40.440 Which brings me back to step one of the ethical playbook, 229 00:11:40.639 --> 00:11:43.919 the ground rules. The text mentions getting a signed statement 230 00:11:43.919 --> 00:11:46.879 of work or sow are you telling me that the 231 00:11:46.919 --> 00:11:50.600 only thing separating a lucrative corporate consulting gig from a 232 00:11:50.639 --> 00:11:53.320 federal cybercrime is just a single piece of paper. 233 00:11:53.639 --> 00:11:57.240 It is a terrifying reality for practitioners because the thermal 234 00:11:57.320 --> 00:11:59.559 drill is the same and the method of picking the 235 00:11:59.600 --> 00:12:02.440 lock is the same. The legal system has to differentiate 236 00:12:02.440 --> 00:12:05.799 between a consultant and a felon based purely on authorization. 237 00:12:06.480 --> 00:12:08.639 If you step outside the bounds of that statement of 238 00:12:08.639 --> 00:12:12.200 work even slightly, you lose your protection. And as the 239 00:12:12.240 --> 00:12:16.480 text details, the legal framework governing the space is incredibly convoluted. 240 00:12:16.720 --> 00:12:19.080 I mean, reading through the legal section felt like watching 241 00:12:19.120 --> 00:12:23.039 someone try to regulate a modern spacecraft using eighteenth century 242 00:12:23.039 --> 00:12:26.919 maritime sailing laws. The primary federal statute they use in 243 00:12:26.960 --> 00:12:30.360 the US is the Computer Fraud and Abuse Act, or CFAA. 244 00:12:30.639 --> 00:12:34.279 What's fascinating here is specifically eighteen USC. Ten thirty. The 245 00:12:34.320 --> 00:12:37.480 most critical aspect of the CFAA is a very specific 246 00:12:37.639 --> 00:12:41.639 jurisdictional clause. The law applies to any protected computer, which 247 00:12:41.639 --> 00:12:45.159 it defines as any computer used in interstate or foreign commerce. 248 00:12:45.519 --> 00:12:48.720 I saw that, but what does interstate commerce actually mean 249 00:12:48.799 --> 00:12:50.320 in the context of the Internet. 250 00:12:50.480 --> 00:12:54.480 It effectively federalizes almost every device on the planet. If 251 00:12:54.519 --> 00:12:56.919 you open a web browser on your phone and request 252 00:12:56.919 --> 00:13:01.279 a web page, that data packet inevitably crosses state lines 253 00:13:01.320 --> 00:13:04.080 to reach a server. The moment it does, your phone 254 00:13:04.120 --> 00:13:06.639 becomes a protected computer under the CFAA. 255 00:13:07.080 --> 00:13:11.080 So a local police matter immediately becomes the FBI's jurisdiction 256 00:13:11.600 --> 00:13:14.679 and the penalties the book out lines are severe, like 257 00:13:14.840 --> 00:13:17.360 if the damage hits a threshold of five thousand dollars, 258 00:13:17.559 --> 00:13:20.559 it triggers a federal case. The use crypto locker ransomware 259 00:13:20.600 --> 00:13:21.240 as an example. 260 00:13:21.440 --> 00:13:24.559 Ransomware operates by encrypting all the files on your system 261 00:13:24.679 --> 00:13:28.440 and demanding payment for the decryption key. Under the CFAA, 262 00:13:28.879 --> 00:13:32.279 using ransomware for extortion carries penalties of up to a 263 00:13:32.320 --> 00:13:35.159 two hundred and fifty thousand dollars fine and ten years 264 00:13:35.200 --> 00:13:36.000 in federal prison. 265 00:13:36.080 --> 00:13:39.200 And if an attacker causes say four nine hundred dollars 266 00:13:39.200 --> 00:13:42.399 in damage and misses that federal threshold, the book says 267 00:13:42.440 --> 00:13:45.639 prosecutors just pivot to a patchwork of fifty different state 268 00:13:45.720 --> 00:13:49.559 laws applying physical trespass, LARSNEE, and traditional theft laws to 269 00:13:49.600 --> 00:13:50.360 digital actions. 270 00:13:50.440 --> 00:13:51.679 They will find a way to charge it. 271 00:13:51.879 --> 00:13:55.960 Yeah. There is also the Access Device Statue eighteen USC. 272 00:13:56.000 --> 00:13:58.639 Twenty twenty nine. This one blew my mind because it 273 00:13:58.679 --> 00:14:03.200 criminalizes merely possessing the tools that generate access credentials. The 274 00:14:03.200 --> 00:14:06.679 text gives a hypothetical if you use a password cracking 275 00:14:06.720 --> 00:14:09.320 tool to break into the pepsi Cola network just to 276 00:14:09.360 --> 00:14:12.360 steal the secret soda recipe. You have violated this statute 277 00:14:12.440 --> 00:14:13.879 even if you never stole any money. 278 00:14:14.080 --> 00:14:17.720 The legal net is cast incredibly wide, but the friction 279 00:14:17.840 --> 00:14:21.320 reaches its peak when we introduce copyright law into cybersecurity. 280 00:14:21.799 --> 00:14:25.679 The text dives into the Digital Millennium Copyright Act THECA. 281 00:14:26.000 --> 00:14:29.120 The DMCA is the law behind the FBI anti piracy 282 00:14:29.200 --> 00:14:31.919 warnings at the start of old DVDs. Right, it was 283 00:14:32.000 --> 00:14:34.080 meant to stop people from bootlegging movies and music. 284 00:14:34.200 --> 00:14:37.039 That was the intent. However, the DMCA contains an anti 285 00:14:37.039 --> 00:14:39.919 circumvention clause. It states that it is a federal crime 286 00:14:40.000 --> 00:14:42.919 to bypass a technological measure that controls access to a 287 00:14:42.960 --> 00:14:43.720 copyrighted work. 288 00:14:43.759 --> 00:14:45.960 Okay, I need to make sure I'm following the logic here. 289 00:14:46.120 --> 00:14:49.399 Software code is considered a copyrighted work. Yes, a password 290 00:14:49.440 --> 00:14:52.720 is a technological measure controlling access to that code. So 291 00:14:52.879 --> 00:14:55.159 by guessing a password to look at the code, a 292 00:14:55.200 --> 00:14:57.799 hacker is technically committing copyright infringement. 293 00:14:58.159 --> 00:15:00.840 You followed the logic perfectly. You can see why this 294 00:15:00.919 --> 00:15:05.759 created widespread panic in the security industry. By that literal interpretation, 295 00:15:06.279 --> 00:15:09.440 teaching a university course on how to bypass access controls 296 00:15:09.679 --> 00:15:14.480 could be construed as trafficking in circumvention. Technology security researchers 297 00:15:14.519 --> 00:15:17.840 were terrified of being sued by movie studios and software 298 00:15:17.960 --> 00:15:19.759 vendors just for doing their research. 299 00:15:19.879 --> 00:15:22.159 That's crazy, and the stakes get even higher with the 300 00:15:22.200 --> 00:15:25.879 Cybersecurity Enhancement Act of two thousand and two the CSA. 301 00:15:26.480 --> 00:15:29.200 The text notes that if a hacker causes an attack 302 00:15:29.279 --> 00:15:33.679 that results in physical harm, interfering with flight controllers, manipulating 303 00:15:33.720 --> 00:15:37.159 the embedded chips in hospital life support equipment, or changing 304 00:15:37.159 --> 00:15:40.240 a city's traffic lights to all green, they can face 305 00:15:40.240 --> 00:15:40.919 life in prison. 306 00:15:41.120 --> 00:15:45.120 The physical implications of cyber attacks definitely warrant those extreme penalties, 307 00:15:45.320 --> 00:15:47.960 But stepping back to view the entire legal landscape, you 308 00:15:48.039 --> 00:15:52.200 have these sweeping statutes. The CFAA the DMCA originally drafted 309 00:15:52.200 --> 00:15:55.200 to catch malicious actors, but their language is so broad 310 00:15:55.279 --> 00:15:58.360 it catches the ethical researchers in the exact same net. 311 00:15:58.240 --> 00:16:01.600 Which introduces a massive problem for society. I mean, if 312 00:16:01.600 --> 00:16:04.919 the laws are this aggressive, isn't an independent researcher who 313 00:16:04.919 --> 00:16:07.879 discovers a flaw taking a massive personal risk by trying 314 00:16:07.879 --> 00:16:10.639 to warn the public. If I buy a smart thermost at, 315 00:16:10.919 --> 00:16:12.879 pinker with it, find out it can be hacked to 316 00:16:12.879 --> 00:16:15.840 start a fire, and I tell the manufacturer, couldn't they 317 00:16:15.840 --> 00:16:18.240 just sue me under the DMCA to keep me quiet. 318 00:16:18.879 --> 00:16:22.559 Historically, manufacturers did exactly that. They use the threat of 319 00:16:22.600 --> 00:16:26.759 litigation to silence researchers. This dynamic fueled what the text 320 00:16:26.840 --> 00:16:30.840 calls the vulnerability disclosure war. It is arguably the most 321 00:16:30.879 --> 00:16:35.039 contentious philosophical debate in cybersecurity. When a researcher finds a 322 00:16:35.039 --> 00:16:37.960 critical flaw, how do they inform the world without getting 323 00:16:38.000 --> 00:16:41.159 sued and without accidentally giving criminals a blueprint for an attack. 324 00:16:41.559 --> 00:16:43.879 The friction between the consumer and the vendor is so 325 00:16:44.039 --> 00:16:47.559 obvious here. As a consumer, if my thermistat can be hacked, 326 00:16:47.600 --> 00:16:50.759 I want to patch downloaded immediately, but the vendor wants 327 00:16:50.799 --> 00:16:54.200 total secrecy. They want to protect their stock price, avoid panic, 328 00:16:54.240 --> 00:16:57.879 and practically speaking, it takes time to engineer and distribute 329 00:16:57.879 --> 00:16:58.759 a secure update. 330 00:16:59.080 --> 00:17:01.919 During the early days of the Internet, it was total anarchy. 331 00:17:02.639 --> 00:17:05.720 Researchers would find a bug and immediately post the details 332 00:17:05.720 --> 00:17:08.880 on public mailing lists like bug track. Vendors would be 333 00:17:08.920 --> 00:17:12.240 completely blindsided and users would get compromised before a patch 334 00:17:12.240 --> 00:17:13.079 could even be written. 335 00:17:13.359 --> 00:17:15.559 Just a total mess exactly so. 336 00:17:15.640 --> 00:17:20.000 To establish order organizations stepped in. The CERT Coordination Center 337 00:17:20.079 --> 00:17:22.960 instituted what became known as the forty five day rule. 338 00:17:23.319 --> 00:17:26.960 Wait forty five days that seems like an impossibly short 339 00:17:27.000 --> 00:17:30.880 window for a massive tech company to rewrite, test, and 340 00:17:30.960 --> 00:17:34.160 deploy a patch across millions of devices globally. 341 00:17:34.240 --> 00:17:37.119 It was an aggressive timeline by design. CERT acted as 342 00:17:37.160 --> 00:17:40.440 the mediator. A researcher reports the bug to CERT, CERT 343 00:17:40.519 --> 00:17:43.039 informs the vendor, and the vendor has exactly forty five 344 00:17:43.119 --> 00:17:46.400 days to fix it. On day forty six, CERT publishes 345 00:17:46.400 --> 00:17:49.480 the vulnerability to the public, regardless of whether a patch exists. 346 00:17:49.720 --> 00:17:53.119 Wow it forced vendors to stop ignoring security emails. 347 00:17:53.480 --> 00:17:56.880 But because that timeline was so hostile, the TEXT mentions 348 00:17:56.960 --> 00:18:01.000 alternative approaches like the OIS model. For the Organization for 349 00:18:01.039 --> 00:18:10.480 Internet Safety, they proposed a softer phased collaboration, discovery, notification, validation, findings, resolution, 350 00:18:10.920 --> 00:18:14.240 and finally release. It was designed to basically remove the 351 00:18:14.279 --> 00:18:14.920 ticking clock. 352 00:18:15.119 --> 00:18:18.519 The OIS model favored the vendors, but it frustrated the researchers. 353 00:18:19.119 --> 00:18:21.799 In two thousand and nine, that frustration boiled over into 354 00:18:21.799 --> 00:18:25.240 the No More Free Bugs movement. The TEXT profiles researchers 355 00:18:25.240 --> 00:18:30.079 like Charlie Miller, Alex Sodorov, and Dinodizovi. They publicly declared 356 00:18:30.079 --> 00:18:33.440 that they were acting as highly skilled, unpaid quality assurance 357 00:18:33.480 --> 00:18:37.359 testers for massive, multi billion dollar software companies. 358 00:18:36.960 --> 00:18:39.440 And their reward for finding the flaws the vendors missed 359 00:18:39.599 --> 00:18:41.880 was like the threat of federal lawsuits. 360 00:18:42.000 --> 00:18:45.240 The economics were entirely broken. Finding a zero day exploit 361 00:18:45.279 --> 00:18:48.440 in modern software requires hundreds of hours of reverse engineering. 362 00:18:48.599 --> 00:18:52.240 Why should independent researchers subsidize a corporate giant's security budget 363 00:18:52.279 --> 00:18:54.119 while shouldering all the legal liability. 364 00:18:54.279 --> 00:18:56.960 Yeah, that makes sense. The book outlines a massive divide 365 00:18:57.000 --> 00:18:59.200 among security experts on how to handle this, though you 366 00:18:59.200 --> 00:19:00.759 have Brus Schneiro on one side. 367 00:19:00.880 --> 00:19:03.799 If we connect this to the bigger picture, Bruce Schneier 368 00:19:03.920 --> 00:19:07.519 argues that full public disclosure is the primary catalyst for 369 00:19:07.599 --> 00:19:11.680 secure software. His stance is that unless software vendors face 370 00:19:11.720 --> 00:19:15.400 the threat of public embarrassment and immense customer backlash, they 371 00:19:15.440 --> 00:19:20.880 will continually prioritize shipping profitable new features over spending money 372 00:19:21.079 --> 00:19:23.039 to fix old security holes. 373 00:19:23.359 --> 00:19:25.559 But on the other side of the spectrum, the text 374 00:19:25.599 --> 00:19:29.359 sites Marcus Random. He argues that the culture of disclosure 375 00:19:29.440 --> 00:19:33.200 is toxic. He believes that turning vulnerability discovery into a 376 00:19:33.200 --> 00:19:37.279 public spectacle just rewards researcher egos and fame seeking behavior 377 00:19:37.640 --> 00:19:39.680 rather than actually making the Internet a safer place. 378 00:19:39.799 --> 00:19:41.119 It's a really complex debate. 379 00:19:41.440 --> 00:19:43.920 So if the researchers refuse to work for free and 380 00:19:44.039 --> 00:19:47.119 vendors want to avoid public embarrassment, what is the modern 381 00:19:47.119 --> 00:19:48.279 solution to this standoff? 382 00:19:48.680 --> 00:19:52.759 The market adapted by creating bug bounties to get the bugs, 383 00:19:52.839 --> 00:19:55.319 companies realized they had to pay for them. The text 384 00:19:55.319 --> 00:19:58.160 points to Mozilla as an early pioneer, offering a flat 385 00:19:58.200 --> 00:20:00.759 five hundred dollars and a company t sh for valid 386 00:20:00.759 --> 00:20:01.880 critical vulnerabilities. 387 00:20:01.920 --> 00:20:03.880 The T shirt in five hundred bucks seems a little 388 00:20:03.920 --> 00:20:06.559 light for saving a company from a seven million dollar disaster. 389 00:20:06.880 --> 00:20:10.319 It was merely the starting point. Today, tech giants operate 390 00:20:10.559 --> 00:20:15.240 massive bounty programs, paying out millions. Furthermore, an entire industry 391 00:20:15.240 --> 00:20:18.039 of brokers has emerged, like bug crowd and the Zero 392 00:20:18.079 --> 00:20:22.759 Day Initiative or ZDI. These platforms stand between the researcher and. 393 00:20:22.720 --> 00:20:24.000 The vendor, like a middleman. 394 00:20:24.279 --> 00:20:28.759 Exactly, they validate the researcher's identity, confirm the bug is real, 395 00:20:29.160 --> 00:20:33.559 facilitate the payout and handle the disclosure timeline. Most importantly, 396 00:20:33.920 --> 00:20:37.200 operating through these platforms provides the researcher with a legal 397 00:20:37.279 --> 00:20:40.480 safe harbor against the CFAA and DMCA. 398 00:20:40.599 --> 00:20:42.880 Okay, let's step back and make sense of the landscape 399 00:20:42.880 --> 00:20:45.799 we've covered today. We started by mapping the mindset of 400 00:20:45.839 --> 00:20:49.519 the modern cyber criminal, shifting from basement thrill seekers to 401 00:20:49.720 --> 00:20:53.640