WEBVTT - The Story: The Biggest Hack That Never Happened 0:00:12.840 --> 0:00:16.239 Hey, it's Os Valoscian, host of tech Stuff. This week, 0:00:16.239 --> 0:00:18.040 we want to do something a little bit different and 0:00:18.079 --> 0:00:20.079 share an episode of a show that's new to the 0:00:20.160 --> 0:00:29.280 Kaleidoscope and iHeart Podcast family. It's called kill Switch. Kill 0:00:29.320 --> 0:00:33.760 Switch is a technology survival guide to modern culture. Host 0:00:33.840 --> 0:00:37.800 Dexter Thomas answers questions big and small, putting back the 0:00:37.840 --> 0:00:41.400 curtain on the systems we rely on daily, as well 0:00:41.440 --> 0:00:45.400 as the more absurd corners of the Internet. So here's 0:00:45.440 --> 0:00:46.920 an episode of kill Switch. 0:00:54.320 --> 0:00:58.760 Quick question, do you know about the xzutil's backdoor hack? 0:00:59.360 --> 0:00:59.600 So what? 0:01:00.240 --> 0:01:03.360 Or wait? Wait, wait, wait, wait what the EXU tills 0:01:03.400 --> 0:01:06.240 back door? I have no idea what you're talking about. 0:01:06.400 --> 0:01:07.480 I don't know what that is. 0:01:09.600 --> 0:01:12.920 This is something almost nobody's heard of, but in the 0:01:12.959 --> 0:01:16.679 spring of twenty twenty four we narrowly avoided a complete 0:01:16.720 --> 0:01:20.440 technological disaster. So you've never heard of this though? 0:01:20.840 --> 0:01:21.160 Nope? 0:01:22.040 --> 0:01:24.640 Yeah, I just searched it up on Wikipedia and it 0:01:24.680 --> 0:01:25.800 seems way too dune. 0:01:25.680 --> 0:01:28.880 To read about. These aren't just random people. These are 0:01:28.959 --> 0:01:32.360 other journalists people in general who keep up with the news. 0:01:32.680 --> 0:01:34.920 Okay, I was like, wait, what did I miss? And 0:01:35.000 --> 0:01:38.319 I feel bad, but I guess maybe I'm not the 0:01:38.400 --> 0:01:41.720 only one, what journalist who doesn't know what this is about. 0:01:42.040 --> 0:01:44.600 Even they didn't really know about what could have been 0:01:44.800 --> 0:01:47.480 the biggest hack in the history of the Internet. 0:01:48.440 --> 0:01:50.880 If this had not been caught, then this would have 0:01:51.000 --> 0:01:54.960 been a skeleton key that would have allowed these attackers 0:01:55.040 --> 0:02:01.040 to break into tens of millions of incredibly important servers 0:02:01.080 --> 0:02:04.240 around the world. We probably would have had airlines not working, 0:02:04.600 --> 0:02:08.160 trading halted ATM's not working, bank's not working, people not 0:02:08.160 --> 0:02:11.640 able to get their money. You'd have a huge loss 0:02:11.720 --> 0:02:14.320 of credibility of technology in people's lives. 0:02:15.120 --> 0:02:19.320 Alex Doamos is a cybersecurity expert. Specifically, he's the chief 0:02:19.400 --> 0:02:23.919 information security Officer or CISO at a cybersecurity company called 0:02:23.960 --> 0:02:27.960 Sentinel One, and he's the former CISO at Facebook. He's 0:02:27.960 --> 0:02:30.800 also a lecturer in the computer science department at Stanford 0:02:31.280 --> 0:02:34.400 and this attempted hack is something that is still keeping 0:02:34.480 --> 0:02:35.119 him up at night. 0:02:36.040 --> 0:02:41.240 It's fallen out of popular discussion, but among people in 0:02:41.320 --> 0:02:44.799 security we're still talking about it. It uncovered a real 0:02:45.800 --> 0:02:50.960 fundamental weakness that terrifies lots of people who have responsibility 0:02:50.960 --> 0:02:52.200 in this area and. 0:02:52.160 --> 0:02:55.399 What scares them most, and this should scare US two 0:02:56.000 --> 0:02:58.320 is that this was caught by complete chance. 0:02:58.680 --> 0:03:02.880 We just got lucky, like one dude got really bored 0:03:03.240 --> 0:03:07.640 and noticed a tiny little change in the speed of 0:03:07.840 --> 0:03:11.400 one program executing and pulled the thread, and on the 0:03:11.520 --> 0:03:14.799 end of this thread was a humongous, ticking time bomb. 0:03:15.360 --> 0:03:18.679 It was one dude, and he should never have to 0:03:18.680 --> 0:03:22.680 buy a beer for himself ever again. Underus freuend I'm 0:03:22.760 --> 0:03:25.640 raising a toast to you right now. This is just water, 0:03:25.760 --> 0:03:27.400 but I wish it was more. 0:03:33.800 --> 0:03:44.520 I'm afraid Kaleidoscope and iHeart podcast is killed switch. I'm 0:03:44.600 --> 0:04:09.280 Dexter Thomas. I'm sorry. I'm If you've never heard about this, 0:04:09.520 --> 0:04:12.520 that's no reason to feel bad, but if it hadn't 0:04:12.560 --> 0:04:16.919 been caught, it absolutely would have affected you. What kind 0:04:17.000 --> 0:04:19.200 of activity were talking about here. 0:04:19.360 --> 0:04:21.159 Well, we really don't know, and because we don't know 0:04:21.160 --> 0:04:23.400 who the attackers are, we don't know whether that would 0:04:23.400 --> 0:04:28.880 have been used for really quiet surveillance. It could have 0:04:28.920 --> 0:04:34.039 been used for national security intelligence gathering purposes, It could 0:04:34.040 --> 0:04:36.560 have been used for a humongous heist of hundreds of 0:04:36.600 --> 0:04:40.240 millions or billions of dollars of cryptocurrency, or it could 0:04:40.240 --> 0:04:42.880 have been used as part of a massive cyber attack 0:04:42.960 --> 0:04:46.600 to shut down millions of computers and cause massive disruptions. 0:04:47.880 --> 0:04:50.560 One of the main reasons that this potential attack isn't 0:04:50.600 --> 0:04:54.960 talked about much is because the details are kind of technical. Well, 0:04:55.160 --> 0:04:57.440 some of the details are a lot of this stuff 0:04:57.480 --> 0:05:00.320 is really just basic human behavior. It's stuff that you 0:05:00.440 --> 0:05:02.760 or I could do if we really wanted, and it 0:05:02.839 --> 0:05:06.640 shows us that sometimes the best hacks are the simplest ones. 0:05:07.240 --> 0:05:10.400 Let me break it down for you. In late March 0:05:10.400 --> 0:05:14.000 of twenty twenty four, Andres Freud, who's an engineer at Microsoft, 0:05:14.279 --> 0:05:16.640 was sitting at his desk doing his job when he 0:05:16.720 --> 0:05:19.640 discovered a malicious piece of code in this little known 0:05:19.720 --> 0:05:23.240 tool called xdu tilS. This code created a method that 0:05:23.240 --> 0:05:27.080 would allow hackers to access a lot of different computers. 0:05:27.480 --> 0:05:30.039 Maybe right now you're thinking, okay, so why is this 0:05:30.120 --> 0:05:32.920 the problem for me? I mean, I don't use xdu tilS, 0:05:32.960 --> 0:05:35.960 so they couldn't get on my computer. And yeah, maybe 0:05:36.000 --> 0:05:39.080 you've never heard of XCU tills. Actually I hadn't either, 0:05:39.560 --> 0:05:41.840 and I did what most people do when they don't 0:05:41.880 --> 0:05:45.880 understand something about a computer, call an expert. But it 0:05:45.920 --> 0:05:49.560 turns out that this really well respected expert he found 0:05:49.600 --> 0:05:51.640 out about XU tills when I did. 0:05:52.560 --> 0:05:55.120 Yeah, So I personally had not heard of xdu tilS 0:05:55.640 --> 0:05:57.080 before this, even. 0:05:56.920 --> 0:06:00.760 You really, yeah, I had definitely not heard it XU tills. 0:06:01.160 --> 0:06:03.680 I figured you would have hearing that you had not 0:06:04.040 --> 0:06:07.440 heard of it before all this happened. Frankly, that's a 0:06:07.440 --> 0:06:10.320 little bit more scary to me. Now, So why did 0:06:10.360 --> 0:06:13.240 this backdoor into a program that no one seems to 0:06:13.279 --> 0:06:17.560 know about? Matters so much? And what is xzu tills. 0:06:17.839 --> 0:06:22.680 This is the brilliance of what these attackers did. XCU 0:06:22.720 --> 0:06:25.480 tilS is an ingredient to an ingredient to an ingredient 0:06:25.520 --> 0:06:29.520 to something really important. So the thing that they wanted 0:06:29.520 --> 0:06:32.400 to have a backdoor into is a really important program 0:06:32.440 --> 0:06:35.480 called open ssh. So this is something that every tech 0:06:35.520 --> 0:06:36.000 he has heard of. 0:06:36.880 --> 0:06:39.840 All right, but what if you're not a techie. So 0:06:39.960 --> 0:06:42.320 in order to understand the XU tills hack, we do 0:06:42.400 --> 0:06:45.080 need to back up and understand something that xdu tilS 0:06:45.160 --> 0:06:47.520 is used in this thing called open ssh. 0:06:47.920 --> 0:06:53.640 This is the program that the majority of Unix like systems, 0:06:53.760 --> 0:06:59.400 especially Linux, also Max and some other operating systems allow 0:06:59.480 --> 0:07:02.400 you to access them remotely over the Internet. 0:07:03.080 --> 0:07:06.000 I'll get to the open later. But SSH stands for 0:07:06.080 --> 0:07:09.359 secure show, and let's just focus on secure right now. 0:07:09.880 --> 0:07:12.000 If you think of the difference between posting a tweet 0:07:12.040 --> 0:07:15.320 online and dming someone, you're actually kind of halfway there. 0:07:15.880 --> 0:07:19.040 Open Ssh allows you to communicate with a remote computer 0:07:19.400 --> 0:07:21.080 just like you were sitting there right in front of it. 0:07:21.680 --> 0:07:23.840 So even though you're far away, if you want to 0:07:23.880 --> 0:07:27.440 send a message, or install programs or delete files, you 0:07:27.520 --> 0:07:30.080 know that the connection is safe and that nobody else 0:07:30.120 --> 0:07:32.920 can see what you're doing or tamper with that connection. 0:07:33.520 --> 0:07:35.360 So you know, when you see like people in the 0:07:35.360 --> 0:07:39.400 matrix typing really fast, see a lot of text right 0:07:39.440 --> 0:07:42.760 if somebody is doing that remotely, it's probably over open ssh. 0:07:42.880 --> 0:07:44.760 You might think this doesn't matter for you because you 0:07:44.760 --> 0:07:48.440 don't use open ssh, but you do because that's what 0:07:48.480 --> 0:07:51.520 you use to connect to systems running Linux around the world. 0:07:52.000 --> 0:07:57.280 Linux has become the standard operating system for the cloud. 0:07:57.760 --> 0:08:00.880 So when you talk to Google, you're talking a Linux system. 0:08:00.920 --> 0:08:02.960 When you talk to Facebook, you're talking to a Linux system. 0:08:02.960 --> 0:08:06.480 When you talk to Apple, you're probably talking to a 0:08:06.480 --> 0:08:08.880 Linux system. Right now, the system that we're talking to 0:08:08.880 --> 0:08:11.720 each other with almost certainly is running Linux. So the 0:08:11.840 --> 0:08:13.800 vast majority of systems you talk to in the cloud 0:08:14.280 --> 0:08:15.120 are running Linux. 0:08:15.520 --> 0:08:18.960 Linux is used for Apple's iCloud, for social media sites 0:08:19.000 --> 0:08:23.240 like Facebook, Instagram, for YouTube, for Twitter, It's used for 0:08:23.240 --> 0:08:25.960 the New York Stock Exchange. Gamers use it when they 0:08:26.080 --> 0:08:29.160 run Steam or they play games online, and the list 0:08:29.200 --> 0:08:32.360 goes on. The vast majority of the Internet runs on 0:08:32.440 --> 0:08:36.000 Linux and open Ssh. Make sure that it's you logging 0:08:36.040 --> 0:08:37.720 in and not somebody else. 0:08:38.160 --> 0:08:40.800 When you log in and you get your mail, the 0:08:40.840 --> 0:08:43.240 server that holds your mail hash on it. The server 0:08:43.280 --> 0:08:47.440 that holds your social media content has SSH. The servers 0:08:47.440 --> 0:08:49.960 that have your banking information of Ssh. It's the door 0:08:50.000 --> 0:08:51.600 by which you get into these systems. 0:08:52.320 --> 0:08:56.160 So open ssh is incredibly important to the Internet and 0:08:56.320 --> 0:08:59.240 all the cloud systems that we rely on, and because 0:08:59.280 --> 0:09:01.560 of that, it has a lot of eyes on it. 0:09:02.160 --> 0:09:05.920 Trying to hack open Ssh directly would pretty much be impossible. 0:09:06.400 --> 0:09:08.240 Someone would catch you pretty quick. 0:09:09.000 --> 0:09:10.959 People pay a lot of attention to it, a lot 0:09:10.960 --> 0:09:14.560 of people run their code scanners on it, a lot 0:09:14.559 --> 0:09:16.640 of people look for bugs in it, and so it 0:09:16.640 --> 0:09:19.880 has been a while since open ssh has had itself 0:09:20.480 --> 0:09:23.160 a humongous security flaw in it. If you just join 0:09:23.240 --> 0:09:25.679 the open ssh project and said, hey, I'm a new 0:09:25.720 --> 0:09:30.160 guy that nobody ever knew. Here's my code. Everybody would 0:09:30.160 --> 0:09:34.160 be super suspicious, right, and whoever these bad guys are, 0:09:34.679 --> 0:09:37.360 they know that. So what they did was they looked 0:09:37.400 --> 0:09:41.760 at open ssh and they looked at its dependency graph, 0:09:41.760 --> 0:09:43.640 what we call They looked at all the stuff that 0:09:43.679 --> 0:09:47.240 goes into opensh and what they saw was open ssh 0:09:47.320 --> 0:09:50.120 depends on other things. 0:09:51.720 --> 0:09:55.360 This is where XU tills comes in. Xeu tills is 0:09:55.400 --> 0:09:59.079 one of the things that open Ssh depends on. What 0:09:59.120 --> 0:10:02.400 does xutil actually do. It's a compression library. 0:10:02.559 --> 0:10:06.200 So it's just a library that is used to make 0:10:06.400 --> 0:10:09.360 data that comes in smaller so that if you're moving 0:10:09.400 --> 0:10:11.000 like a big file back and forth, it can fit 0:10:11.120 --> 0:10:13.600 down a smaller pipe. Right, you might be talking to 0:10:13.640 --> 0:10:15.600 a server on a satellite link, you might be talking 0:10:15.640 --> 0:10:17.640 over a modem. Right, you might be talking over a 0:10:17.640 --> 0:10:19.720 cell phone, and so you want your big file to 0:10:19.880 --> 0:10:21.040 fit into a smaller pipe. 0:10:21.080 --> 0:10:23.120 If you've ever used the zip file on your computer, 0:10:23.280 --> 0:10:26.720 you get the general idea. Smaller files can be transferred faster, 0:10:27.160 --> 0:10:29.439 which is important when you're dealing with so much data 0:10:29.440 --> 0:10:33.240 flowing back and forth. Xdutils allows open ssh to be 0:10:33.360 --> 0:10:39.120 both safe and fast, But that's the trick. By inserting 0:10:39.120 --> 0:10:42.160 a backdoor into xu tills, the hackers created a way 0:10:42.160 --> 0:10:46.319 to access anything being transmitted via open ssh. That meant 0:10:46.320 --> 0:10:49.640 they could not only read supposedly secure messages, but remotely 0:10:49.720 --> 0:10:53.120 run code on any server that uses open ssh. And 0:10:53.200 --> 0:10:56.839 since basically the entire Internet uses this thing, once you're 0:10:56.880 --> 0:10:59.080 in there, you can do anything you want. 0:11:00.360 --> 0:11:02.960 You could have used it for a bunch of very 0:11:03.200 --> 0:11:08.280 quiet surgical attacks over a multi year period, or you 0:11:08.320 --> 0:11:11.040 could have done one humongous, big bane where you knock 0:11:11.040 --> 0:11:12.400 out a huge chunk of the Internet. 0:11:12.160 --> 0:11:14.760 All at once. But how did hackers get access to 0:11:14.920 --> 0:11:18.280 xdutails in the first place. Well, remember when I promised 0:11:18.280 --> 0:11:21.480 to tell you about the open in open ssh. Open 0:11:21.600 --> 0:11:25.880 Ssh and also Linux are open source programs. This means 0:11:25.880 --> 0:11:28.240 that anyone can look at the source code because it's 0:11:28.280 --> 0:11:31.839 open and it's posted publicly. The idea is that if 0:11:31.880 --> 0:11:34.720 everyone works together on the code, it'll be better and 0:11:34.760 --> 0:11:38.000 the public benefit, and so anyone's free to look at 0:11:38.000 --> 0:11:40.160 the code, to learn from the code, or even to 0:11:40.240 --> 0:11:42.720 remix it for their own use. And even if you 0:11:42.800 --> 0:11:45.560 have no interest in all that nerd stuff, you still 0:11:45.640 --> 0:11:48.920 use versions of open source code every day on basically 0:11:49.000 --> 0:11:50.560 all of your devices. 0:11:50.600 --> 0:11:54.120 When you're running open source software, which people don't understand. 0:11:54.200 --> 0:11:56.520 Basically everybody is, right, So what kind of phone do 0:11:56.520 --> 0:11:58.120 you have? Do you have an iPhone or Android? 0:11:58.360 --> 0:11:59.240 I actually have an Android? 0:11:59.280 --> 0:12:02.240 Yeah, okay, Android. A humongous chunk of that code is 0:12:02.280 --> 0:12:05.000 open source, right right, And that is code that is 0:12:05.040 --> 0:12:08.480 maintained by volunteers that you have no idea who those 0:12:08.520 --> 0:12:11.080 people are. Google has no idea who those people are, right. 0:12:11.360 --> 0:12:14.160 Google collects all this code from around the internet, they 0:12:14.160 --> 0:12:16.520 package it all up, and then they put it on 0:12:16.559 --> 0:12:18.240 a phone, or they send it to Samson, and Samson 0:12:18.240 --> 0:12:19.040 puts on the phone. 0:12:19.160 --> 0:12:22.240 And before we get any further, iPhone people, this applies 0:12:22.280 --> 0:12:25.040 to you too. Your iPhone uses a lot of open 0:12:25.080 --> 0:12:28.280 source code also. And don't get me wrong, this is 0:12:28.360 --> 0:12:29.200 not a bad thing. 0:12:29.559 --> 0:12:32.120 It's great because it's free and it makes the phone cheaper, 0:12:32.160 --> 0:12:34.640 and it's cool that we all get to contribute. But 0:12:34.720 --> 0:12:38.600 the flip side is is that, yes, OpenSSH itself gets 0:12:38.600 --> 0:12:41.280 lots of love, The Linux kernel gets lots of love, right, 0:12:41.600 --> 0:12:44.880 But something like xcu tills, which is this tiny little 0:12:44.960 --> 0:12:47.640 component over here, does not get lots of love and 0:12:47.800 --> 0:12:51.320 xCD details at the time was maintained by one person. 0:12:51.760 --> 0:12:54.400 That one dude was then manipulated to giving up control 0:12:54.440 --> 0:12:57.000 of it, and the person he gave up control of 0:12:57.040 --> 0:12:59.600 it too, turned out to be a totally fake persona 0:13:00.000 --> 0:13:00.600 do not exist. 0:13:03.200 --> 0:13:04.720 This is where we get to the human part of 0:13:04.720 --> 0:13:08.120 the story. The one guy who was maintaining xeu tills, 0:13:08.360 --> 0:13:11.679 his name was lost to Culin. He'd been maintaining xeu 0:13:11.800 --> 0:13:14.080 tills since two thousand and nine and he was the 0:13:14.080 --> 0:13:17.360 sole maintainer for the project. He wasn't being paid for it. 0:13:17.480 --> 0:13:20.840 He was a volunteer. That's usually how open source projects go. 0:13:21.320 --> 0:13:24.160 In twenty twenty two, Lusta Collins started to get a 0:13:24.160 --> 0:13:27.280 lot of requests to make updates to the code. Throughout 0:13:27.320 --> 0:13:31.280 the year, multiple accounts, seemingly out of nowhere, started complaining 0:13:31.360 --> 0:13:34.959 that Colin wasn't working fast enough and implying that if 0:13:34.960 --> 0:13:37.760 he wasn't interested in doing this anymore, maybe he wasn't 0:13:37.800 --> 0:13:40.920 the guy for the job and the pressure was getting 0:13:40.920 --> 0:13:44.120 to him. In June of twenty twenty two, Colin wrote 0:13:44.120 --> 0:13:47.560 in a public note quote, I haven't lost interest, but 0:13:47.679 --> 0:13:50.960 my ability to care has been fairly limited. Mostly due 0:13:50.960 --> 0:13:53.760 to long term mental health issues, but also due to 0:13:53.800 --> 0:13:56.880 some other things. He also went on to remind people 0:13:57.000 --> 0:13:59.760 that quote, it's also good to keep in mind that 0:13:59.800 --> 0:14:04.559 this this is an unpaid hobby project. Thankfully, right about 0:14:04.559 --> 0:14:07.920 that time, a new programmer had come into help. This 0:14:08.000 --> 0:14:11.320 new person's name was Gia Tan. Colin seemed a little 0:14:11.360 --> 0:14:15.680 relieved that finally someone wasn't just complaining but helping. In 0:14:15.720 --> 0:14:17.960 that same note from June, he wrote that he'd been 0:14:18.000 --> 0:14:21.160 working a bit with Gatan on execu utils to address 0:14:21.200 --> 0:14:24.400 all of those complaints, and he said about gia quote, 0:14:24.720 --> 0:14:27.040 perhaps he will have a bigger role in the future. 0:14:27.400 --> 0:14:31.680 We'll see. Over the course of a few years, gia 0:14:31.760 --> 0:14:35.360 Tan really started to gain Lasa Collins trust. Gia Tan 0:14:35.600 --> 0:14:38.600 was the ideal contributor. He didn't just help when he 0:14:38.640 --> 0:14:40.880 was asked to, but he would offer to take on 0:14:41.040 --> 0:14:44.080 more work, and by twenty twenty four, Colin had made 0:14:44.160 --> 0:14:47.440 gia Tan a co maintainer on the project, which allowed 0:14:47.480 --> 0:14:49.440 him to add code without needing approval. 0:14:50.680 --> 0:14:52.640 This is a human attack, right. It all happened in 0:14:52.680 --> 0:14:55.040 the open, but the way they did it was they 0:14:55.120 --> 0:14:58.520 created these fake personas were one guy super Friendly and 0:14:58.600 --> 0:15:01.960 one guy's a jerk, and the jerk basically is abusing 0:15:02.280 --> 0:15:05.720 the person who's maintaining the software and saying, oh, I 0:15:05.760 --> 0:15:07.640 need this change, I need this change. You're so slow. 0:15:07.680 --> 0:15:09.320 Why are you so slow? And remember this guy's not 0:15:09.320 --> 0:15:13.840 getting paid, right like, And so eventually basically bully this 0:15:13.920 --> 0:15:16.920 guy to say, oh, I'm tired of doing this. I 0:15:16.960 --> 0:15:18.720 don't want to do it anymore. And then the nice 0:15:18.760 --> 0:15:21.520 guy's like, oh, well you know, I'll do it for you. 0:15:21.600 --> 0:15:24.640 I'll take over, man, let me take this burden. 0:15:24.360 --> 0:15:26.880 For you, right, very convenient, right. 0:15:27.520 --> 0:15:30.320 And this took several years, and so this shows you 0:15:30.440 --> 0:15:34.720 kind of the long play. They're willing to spend months 0:15:34.720 --> 0:15:38.200 and months and months and in fact years building these 0:15:38.200 --> 0:15:41.160 personas because like, look, if you just created an account 0:15:41.200 --> 0:15:43.200 and you're like, hey, i've got code, take it, that 0:15:43.200 --> 0:15:46.400 wouldn't work. So what these people figured out is that 0:15:46.440 --> 0:15:49.200 you have to create these personas. They have to seem real. 0:15:49.920 --> 0:15:53.120 You have to make posts, you have to contribute legit stuff, 0:15:53.640 --> 0:15:56.120 you've got to create kind of a history, build a relationship. 0:15:56.200 --> 0:15:58.160 You have to build a relationship. And so the guy 0:15:58.200 --> 0:16:00.480 who maintains it gives it up of like, oh, thank 0:16:00.480 --> 0:16:02.480 you so much. For taking this burden from me because 0:16:02.480 --> 0:16:04.280 look at these jerks. Now, of course he doesn't know 0:16:04.520 --> 0:16:07.120 that the jerks worked for the same team, or maybe 0:16:07.120 --> 0:16:10.240 you're even the same person as the nice guy, right, 0:16:10.720 --> 0:16:12.520 And then he hands it over to this nice guy 0:16:12.520 --> 0:16:15.160 who's a friend of his, and then the friend takes 0:16:15.160 --> 0:16:17.960 it over and then does a bunch of legitimate stuff, 0:16:18.280 --> 0:16:20.040 and then in the middle of all that legitimate stuff 0:16:20.040 --> 0:16:21.920 inserts a very very subtle backdoor. 0:16:22.280 --> 0:16:26.480 I've seen this back door talked about using the phrase sophisticated, 0:16:26.480 --> 0:16:29.360 that it was very sophisticated. Yes, in some ways it 0:16:29.400 --> 0:16:31.840 sounds sophisticated, but in some ways it sounds like it 0:16:31.960 --> 0:16:34.800 kind of wasn't because a lot of it just revolved 0:16:34.840 --> 0:16:37.920 around getting somebody to give them some access. 0:16:38.600 --> 0:16:42.800 The code was sophisticated, the method of getting in there 0:16:42.960 --> 0:16:45.400 was very human. It was bugging a guy until he 0:16:45.440 --> 0:16:50.000 gave up control. Yes, right, just being a nuisance, Just 0:16:50.000 --> 0:16:54.040 being a nuisance. So who was behind those fake personas 0:16:54.680 --> 0:16:57.560 We don't know for sure, but Alex has a theory 0:16:58.240 --> 0:17:10.440 that's after the break, over the course of years, the 0:17:10.480 --> 0:17:14.479 one guy maintaining this very important tool called Xzeu Tills 0:17:14.760 --> 0:17:19.000 last of Colin was being bullied and manipulated online to 0:17:19.040 --> 0:17:22.159 give a persona called Gia Tan a lead role in 0:17:22.200 --> 0:17:27.960 handling the code. But who is Gia Tan? Everybody's been 0:17:28.000 --> 0:17:30.480 asking this question of like who did this, Who's behind this? 0:17:31.040 --> 0:17:34.000 Most of the names have kind of an Asian origin, right, 0:17:34.080 --> 0:17:37.840 So there's accounts like Jagar Kumar. The key one is 0:17:37.960 --> 0:17:40.800 Gia Tan, which is like, could be Chinese, could be Korean. 0:17:41.520 --> 0:17:44.560 Most of the either the names or the technical indicators 0:17:44.600 --> 0:17:47.080 point to Asia, right, So the time zones that this 0:17:47.119 --> 0:17:50.119 person was working into are kind of the East Asian 0:17:50.119 --> 0:17:53.199 time zone, so it's like Beijing or Korea. The names 0:17:53.240 --> 0:17:56.119 are Asian. Everything points to Asia, which makes a lot 0:17:56.119 --> 0:17:59.320 of people think it's Russia actually because it's just too perfect, right. 0:18:00.000 --> 0:18:04.360 WHI is like it's somebody spent three years doing all 0:18:04.400 --> 0:18:08.640 this work, and then you're like, like, let's say your Chinese. 0:18:08.840 --> 0:18:10.880 Are you gonna use like a Chinese name as your 0:18:10.880 --> 0:18:13.560 fake name? Are you going to spend three years but 0:18:13.600 --> 0:18:17.400 then work in your normal time zone? And the generally 0:18:17.520 --> 0:18:20.680 the only actor who has shown this level of patients 0:18:20.720 --> 0:18:23.720 who's been willing to spend three years working on a 0:18:23.720 --> 0:18:26.000 back door like this. The only people who have ever 0:18:26.040 --> 0:18:30.000 done that is either the United States or the SVR. 0:18:30.920 --> 0:18:33.920 So Russia okay, yeah, are really the only groups where 0:18:33.960 --> 0:18:37.120 you've seen people spend years kind of doing this kind 0:18:37.119 --> 0:18:39.000 of work. And a lot of people don't think it 0:18:39.040 --> 0:18:41.080 would be the US doing something like this, that they 0:18:41.080 --> 0:18:43.920 would never mess with something this important because also the 0:18:43.960 --> 0:18:45.520 thing the Russians really like to do is blame other 0:18:45.560 --> 0:18:49.320 people right again, because we never got to the point 0:18:49.359 --> 0:18:53.240 of again used. Usually attribution is done after something's used, 0:18:53.600 --> 0:18:55.800 and so it's a lot easier to figure out because 0:18:55.880 --> 0:18:59.479 then you can ask quebono right who benefits. But like 0:18:59.640 --> 0:19:02.440 all of these indicators pointing specifically to kind of China 0:19:02.520 --> 0:19:07.160 or Korea makes you think it's just a little too obvious. 0:19:07.960 --> 0:19:11.720 A major theory in cybersecurity circles is that Giatan isn't 0:19:11.760 --> 0:19:16.520 one person, it's potentially multiple people, but likely Russian hackers 0:19:16.560 --> 0:19:20.040 working for the SVR, which is Russia's foreign intelligence service, 0:19:20.560 --> 0:19:23.159 and that they tried to cover their tracks even if 0:19:23.240 --> 0:19:24.520 it wasn't consistent. 0:19:24.920 --> 0:19:27.480 The guys who worked for the professionals will change their 0:19:27.480 --> 0:19:31.639 time zones specifically around who either what allows them to 0:19:31.680 --> 0:19:35.640 avoid detection or specifically around whatever they're doing. For attribution. 0:19:35.960 --> 0:19:39.040 Well, there were some times that the time zones actually 0:19:39.080 --> 0:19:42.680 pointed to an Eastern European time zone or time or 0:19:42.720 --> 0:19:43.760 another time zone, right. 0:19:43.680 --> 0:19:45.800 Yeah, I mean there's there is a little mixed right, 0:19:46.080 --> 0:19:50.320 So somebody could be working from the eastern side of Russia, 0:19:50.440 --> 0:19:52.480 or they could be waking up early in Moscow Saint 0:19:52.480 --> 0:19:54.320 Petersburg and then they slipped right. 0:19:54.800 --> 0:19:56.679 In other words, they might have just slipped up and 0:19:56.680 --> 0:19:59.960 forgot to change their time zones because remember this happen 0:20:00.080 --> 0:20:02.840 been over the course of years. Maybe somebody had an 0:20:02.840 --> 0:20:05.600 off day and forgot to change the computer settings. But 0:20:05.960 --> 0:20:09.480 Alex has another reason for suspecting Russia over China. 0:20:10.800 --> 0:20:14.320 Chinese hackers, for the most part, work very rigorous hours. 0:20:14.480 --> 0:20:17.880 You can almost always tell when Chinese hackers are working 0:20:17.960 --> 0:20:20.680 because they work office hours. They work eight to five, 0:20:20.800 --> 0:20:24.000 eight to six. Really, it's like very regular, yeah okay, 0:20:24.040 --> 0:20:26.600 Whereas it's much harder to do time zone stuff based 0:20:26.600 --> 0:20:28.920 for the Russians because they they will work whatever hours 0:20:28.920 --> 0:20:30.919 they need to work. You know that that scene in 0:20:31.000 --> 0:20:33.240 like one of the Born movies where it's like the 0:20:33.280 --> 0:20:35.160 club scene. I always think about this with the Russia. 0:20:35.160 --> 0:20:37.000 There's like a club scene in Russia, and it's like 0:20:37.000 --> 0:20:38.040 you think it's the middle of the night and he 0:20:38.080 --> 0:20:40.439 walks out, it's like ten am or something. Right, It's like, 0:20:40.440 --> 0:20:43.399 that's what I think about with Russian hackers. Whereas like 0:20:43.640 --> 0:20:46.680 for China, it's amazing because it's like, oh, six pm 0:20:46.680 --> 0:20:49.760 in Beijing, you know, it's like you know, everybody goes home. 0:20:49.680 --> 0:20:50.399 To hacking stops. 0:20:50.560 --> 0:20:53.400 Yeah, or like Chinese Chinese New Year, Lunar New Year, 0:20:54.080 --> 0:20:56.080 everybody goes home, go sees their parents in the village 0:20:56.119 --> 0:20:58.640 or whatever, like hacking stops. It's amazing. 0:20:59.359 --> 0:21:01.840 And in the case of exit the UTILS, looking at 0:21:01.840 --> 0:21:05.240 the timing when this ga Tan was submitting code, there's 0:21:05.320 --> 0:21:08.280 a bunch of submissions during Lunar New Year, but during 0:21:08.359 --> 0:21:14.800 big Eastern European holidays like Christmas, crickets. But that leaves 0:21:14.840 --> 0:21:18.640 a question, what's the motive? Why would the restern SVR 0:21:18.840 --> 0:21:19.760 want to do this. 0:21:20.440 --> 0:21:23.680 So open everybody uses. That's why this is so powerful 0:21:23.960 --> 0:21:25.560 is you don't have to have a specific target in mind, 0:21:25.560 --> 0:21:27.359 which is why you'd also spend three years doing it. 0:21:27.640 --> 0:21:32.080 Because let's say you're at the SVR, you know, no 0:21:32.119 --> 0:21:34.879 matter what war you're involved with, no matter what target, 0:21:34.920 --> 0:21:37.480 you're going after openness station is going to be useful. 0:21:37.760 --> 0:21:40.320 So this is probably a team of the SVR who 0:21:40.480 --> 0:21:42.359 they don't know what's going to be used for. They're 0:21:42.400 --> 0:21:43.680 just they know they're going to get a medal. 0:21:43.720 --> 0:21:45.639 You'll be able to use this at some point, Yeah, 0:21:45.680 --> 0:21:46.359 who knows for what? 0:21:46.480 --> 0:21:48.440 And the US does the same thing, right, Like, there's 0:21:48.480 --> 0:21:50.800 people whose job it is to get the capability, and 0:21:51.119 --> 0:21:54.399 it's other guy's job who understand the geopolitics, who understand 0:21:54.400 --> 0:21:56.159 the intelligence to use it. 0:21:57.840 --> 0:22:02.200