WEBVTT - Thinking Sideways: GhostNet 0:00:00.160 --> 0:00:03.320 Thinking Sideways is not brought you by the itch on 0:00:03.400 --> 0:00:07.080 my right leg. Instead, it's brought you by crime Con. 0:00:07.720 --> 0:00:10.640 That's right on June nine to June eleven at the 0:00:10.720 --> 0:00:15.320 j W. Marriott in Indianapolis. We're gonna be at crime 0:00:15.360 --> 0:00:18.200 Con along with a whole bunch of other podcasts and 0:00:18.320 --> 0:00:22.439 a whole bunch of other really cool crime investigators and reporters, 0:00:22.680 --> 0:00:25.400 people that you've been watching for years and you know 0:00:25.520 --> 0:00:28.400 you want to see, so you need to be there 0:00:28.480 --> 0:00:31.480 because it's gonna be cool. And as a special offer 0:00:31.560 --> 0:00:33.840 to our listeners, if you go to crime con dot 0:00:33.880 --> 0:00:37.960 com and enter the promo code sideways twenty, you'll get 0:00:38.800 --> 0:00:44.040 off your admission crime con dot com and sideways twenty 0:00:46.640 --> 0:00:59.360 Thinking Sideways. I'll group the ideas, I don't know, stories 0:00:59.400 --> 0:01:04.200 of things, we synthie don't know the answer tube. Hey guys, 0:01:04.280 --> 0:01:08.760 welcome to another episode of Thinking Sideways, the podcast I 0:01:08.880 --> 0:01:17.000 Am Devon, joined this week by Joe and Steve. This 0:01:17.000 --> 0:01:21.840 week Okay, special episodes, Special episode starring uh, Steve and Joe. 0:01:22.319 --> 0:01:24.000 I just want to know who the other two guys are, 0:01:24.000 --> 0:01:27.880 because really, he's spreading crumbs all over my chair. It's 0:01:27.959 --> 0:01:32.120 really annoying. From that ham sandwich, I think faster. I 0:01:32.200 --> 0:01:36.320 kind of suspect we're being transitioned out, dude. Yeah, well, 0:01:36.400 --> 0:01:39.840 hello retirement. This week we're going to talk about a 0:01:40.040 --> 0:01:42.559 mystery that's going to make half of you really happy 0:01:42.640 --> 0:01:46.039 and half of you turn off immediately. Um. And that's 0:01:46.080 --> 0:01:49.160 an internet mystery, because everybody loves a mystery that's in 0:01:49.200 --> 0:01:52.200 the tubes. I like them. I think they're super interesting. 0:01:52.360 --> 0:01:54.400 Some of our listeners like them, but it turns out 0:01:54.400 --> 0:01:56.760 a lot of our listeners hate them, and that's why 0:01:56.880 --> 0:02:01.040 we're like not top rated in true crime. But I 0:02:01.880 --> 0:02:03.840 should say this before you turn it off. There is 0:02:04.160 --> 0:02:07.840 a little international intrigue involved. There's some spice stuff going on, 0:02:07.920 --> 0:02:14.680 maybe German warfare, possible state actors involved or possibly not. 0:02:15.040 --> 0:02:18.120 You know it doesn't it does a computer virus counters 0:02:18.160 --> 0:02:21.680 term warfare? Yeah, I guess. I mean if Beatles do, 0:02:21.880 --> 0:02:26.880 I guess you know why not? Right? All right? This 0:02:26.960 --> 0:02:30.560 week we're going to talk about ghost net, which is 0:02:30.600 --> 0:02:35.120 also yousing wa in Chinese, but we're going to call 0:02:35.160 --> 0:02:38.920 it ghost net better not saying that a bunch of 0:02:38.919 --> 0:02:41.680 times ghost I like it. It sounds like a movie 0:02:41.880 --> 0:02:43.640 ready jump from the Lady at the top of the 0:02:43.680 --> 0:02:46.240 stairs that is only seen like once a year. Ghost 0:02:46.520 --> 0:02:49.519 kind of ghost, yes, kind of ghost. Fishing with a 0:02:49.639 --> 0:02:56.160 net failed bad joke, yes, pretty bad. All right, I'll 0:02:56.200 --> 0:02:58.400 get out of the way alright. In two thousand nine, 0:02:58.440 --> 0:03:02.919 researchers from the Universe, City of Toronto's Monk Center and 0:03:03.040 --> 0:03:05.720 the Cambridge University. From here on out, we're going to 0:03:05.720 --> 0:03:09.440 refer to them as the info Wars Monitor concluded a 0:03:09.560 --> 0:03:14.720 tenish month joint investigation that was requested by a representative 0:03:14.880 --> 0:03:22.160 of the o h Hdlice of Office of His Holiness 0:03:22.200 --> 0:03:25.919 the Dalai lama Um. And this this meeting took place, 0:03:25.960 --> 0:03:29.520 The request took place in Geneva, which is a safe 0:03:29.520 --> 0:03:36.800 space for for some people. The investigation under uncovered one 0:03:37.160 --> 0:03:40.680 of the most widespread hack hacks in history, perhaps the 0:03:40.800 --> 0:03:44.840 most widespread hack in history, certainly, I would say the 0:03:44.880 --> 0:03:50.560 most widespread hack that we're aware of. That that we're 0:03:50.560 --> 0:03:54.520 aware of, which means it was yeah, and that just 0:03:54.600 --> 0:04:00.120 means that it wasn't the best hack but computer and 0:04:00.200 --> 0:04:03.160 at least a hundred and three countries, yes you heard 0:04:03.200 --> 0:04:06.640 me right, one hundred and three countries were affected, and 0:04:06.720 --> 0:04:17.120 researchers think that it was almost individual hope. In general, 0:04:17.279 --> 0:04:20.640 it is believed that China was the perpetrator of this attack, 0:04:21.400 --> 0:04:24.480 but no one can be certain, and I have my doubts, 0:04:24.480 --> 0:04:26.520 which is why I thought this would be a good mystery. 0:04:26.800 --> 0:04:31.640 And these computers mostly belonged to embassies governmental ministries, and 0:04:31.680 --> 0:04:35.160 then almost all of the Dali Lama's exile centers were 0:04:35.200 --> 0:04:38.920 affected as well. And the thing is um. Even though 0:04:39.000 --> 0:04:42.640 ghost net was discovered as recently as two thousand eleven, 0:04:43.040 --> 0:04:48.680 at least one government UM Canada has uncovered an instance 0:04:48.920 --> 0:04:52.800 of ghost net, or the bug that is referred to 0:04:52.839 --> 0:04:56.520 as ghost net. UM. They discovered an instance of that 0:04:56.640 --> 0:05:00.159 and it was in the Canadian official Finance department. Was 0:05:00.240 --> 0:05:04.120 the was where the computer that was infected was discovered. UM. 0:05:04.120 --> 0:05:06.520 This is, of course, according to an anonymous source, because 0:05:06.560 --> 0:05:09.960 governments don't readily admit things like this, and the computer 0:05:10.080 --> 0:05:12.400 was probably a hand me down from the Foreign ministry. Yeah, 0:05:12.440 --> 0:05:17.799 probably are interested in the Canadian finances. I saw something about. 0:05:18.160 --> 0:05:19.919 It was like a year or so after all this 0:05:20.040 --> 0:05:22.760 got done, another one was found in India, and I 0:05:22.800 --> 0:05:25.440 think another onrustration in Iran. So I mean it's it 0:05:25.560 --> 0:05:30.279 keeps popping up. Yeah, despite the fact that and we'll 0:05:30.320 --> 0:05:32.240 talk about in a little bit, we're going to kind 0:05:32.279 --> 0:05:35.800 of delve into the wise and house of this um 0:05:35.920 --> 0:05:39.240 and we'll talk about how why it was so prevalent 0:05:39.600 --> 0:05:42.160 um and it's because it was a pretty dang good hack. 0:05:43.920 --> 0:05:47.320 So let's jump in to the first how we're gonna 0:05:47.360 --> 0:05:50.480 talk about tech. So we're going to talk about tech 0:05:51.200 --> 0:05:53.760 cool and it's gonna be a little boring. I'm sorry. 0:05:54.000 --> 0:05:55.960 I don't think it's boring, but I think a lot 0:05:56.000 --> 0:05:57.760 of people are gonna thinks I see lots of I 0:05:57.800 --> 0:06:00.800 see lots of joking, yoke opportunity in the title of 0:06:00.839 --> 0:06:02.800 this that is the sub end. Yeah, I think the 0:06:02.920 --> 0:06:05.680 work out well. So first we're going to talk about Trojans. 0:06:05.760 --> 0:06:08.680 And for those of you who don't know, trojans are 0:06:08.720 --> 0:06:11.480 giant horses that once roamed the land before shedding their 0:06:11.480 --> 0:06:14.520 physical form and evolving into an internet based life form. 0:06:14.640 --> 0:06:17.320 You left out the soldiers and sidde. Yeah, they reproduced 0:06:17.320 --> 0:06:19.920 by sending out math emails and hoping that some duddy 0:06:20.000 --> 0:06:23.040 dummy will download them, thus giving them access to anything 0:06:23.080 --> 0:06:28.239 that the computers attached to and becoming mini Trojan's. Yeah, 0:06:28.480 --> 0:06:31.320 that's how that works, right, that's what they are, not exactly. 0:06:34.160 --> 0:06:37.640 It's a cute description, but it's actually not the worst description. 0:06:38.080 --> 0:06:40.960 I will agree with that. So everybody knows, you know, 0:06:41.200 --> 0:06:44.640 what a trojan horses, right, I would hope. And so 0:06:44.839 --> 0:06:49.560 basically this is just a trojan. Virus is a delivery system, 0:06:49.640 --> 0:06:51.640 so that it's it's like a little hitt now like 0:06:51.680 --> 0:06:53.440 the horse, you know, you know, you let it into 0:06:53.480 --> 0:06:55.159 your city and then you just go to bed and 0:06:55.160 --> 0:06:57.600 then overnight it's bits how some soldiers you know, kind 0:06:57.640 --> 0:07:00.640 of like that. It's computer. It's bits out a little 0:07:00.680 --> 0:07:03.520 line of code that builds itself like a virus. And 0:07:05.360 --> 0:07:09.200 so this can be this can install trojans can install 0:07:09.240 --> 0:07:14.040 anything from like small bits of spyware, two key logging tech, 0:07:14.800 --> 0:07:19.000 two bugs that will totally completely take over your computer. 0:07:19.440 --> 0:07:23.000 And in our case, the trojan known as ghost rat 0:07:23.200 --> 0:07:26.840 and yes that is a zero instead of an oh. 0:07:28.160 --> 0:07:31.920 Ghost rat and the ghost Rat allowed hackers to gain 0:07:32.000 --> 0:07:36.560 total and real time control of any computer running Windows. 0:07:36.640 --> 0:07:40.240 It only infected Windows computers, which is you know, was 0:07:40.280 --> 0:07:42.240 one of the original selling points of max is that 0:07:42.320 --> 0:07:48.360 they don't get infected. But that's unfortunately, Yeah, ghost Rat 0:07:48.640 --> 0:07:54.720 could even utilize UM computers as surveillance machines by clandestinely 0:07:54.880 --> 0:08:02.760 turning on the audio recorders and the cameras and camera. Yeah. Well, 0:08:02.800 --> 0:08:05.520 and they could record both of those things, you know, 0:08:05.560 --> 0:08:08.240 remotely or whatever. But basically, yeah, they would just turn 0:08:08.280 --> 0:08:11.400 on the camera and the mic and be able to 0:08:11.400 --> 0:08:16.080 totally surveil a room, any room that the computer is in. UM. 0:08:16.160 --> 0:08:18.520 And that's one of the origins of you know, people 0:08:18.760 --> 0:08:21.480 like me, even though I have MAC put little pieces 0:08:21.520 --> 0:08:24.840 of tape over their camera because you can turn the 0:08:24.840 --> 0:08:28.280 camera on without the little light showing that the cameras 0:08:28.280 --> 0:08:32.199 on being on, and then somebody surveilling you. If you 0:08:32.720 --> 0:08:39.920 watch the TV show Black Mirror, season three, episode three 0:08:40.440 --> 0:08:44.400 goes right down exactly what you're talking about in terms 0:08:44.440 --> 0:08:47.320 of gathering information and using it against people. I was 0:08:47.360 --> 0:08:50.240 going to say that if you watched Mr Robot, it's 0:08:50.360 --> 0:08:54.240 like the first freaking episode has an instance of this, 0:08:54.559 --> 0:08:59.800 and in that case, that hacker was gathering surveillance information 0:09:00.320 --> 0:09:03.720 to blackmail people like they were gathering out with pictures 0:09:03.800 --> 0:09:07.640 or somebody from blackmail somebody. UM. But there are obviously 0:09:07.840 --> 0:09:14.560 larger implications and uses for surveying just survey. Yeah, that's 0:09:14.600 --> 0:09:17.480 what there's one of the new smart TVs that has 0:09:17.559 --> 0:09:20.760 you know, you can talk to it, Panasonic whatever do this, 0:09:20.920 --> 0:09:23.280 and people have figured out how to hack those so 0:09:23.320 --> 0:09:25.480 that they're just it's a it's a listening device. So 0:09:25.600 --> 0:09:28.760 that was one of the things with connects to because 0:09:28.800 --> 0:09:31.720 they's always recording. I don't want to think about I 0:09:31.800 --> 0:09:34.280 just can't wait for this in the future courtroom drama 0:09:34.280 --> 0:09:38.680 where Alexis brought in as a witness. Absolutely didn't just happen, ye, 0:09:39.480 --> 0:09:41.480 did it? Apple? Well? Yeah, no, Actually I'm talking about 0:09:41.520 --> 0:09:44.040 Alexa actually sitting in the witness box, you know. But 0:09:44.160 --> 0:09:47.080 I think I but this kind of stuff, you know, 0:09:47.120 --> 0:09:49.400 we have we've all heard of the Internet of things. 0:09:49.559 --> 0:09:52.240 You get you connect your fridge and your TV and 0:09:52.280 --> 0:09:54.760 your microwave and your toaster to the Internet, and then 0:09:54.760 --> 0:09:57.360 you can control it from your smartphone. And it turns 0:09:57.360 --> 0:10:00.640 out that's a really bad thing because this security and 0:10:00.640 --> 0:10:03.920 the encryption on those devices turns out it's really really 0:10:03.960 --> 0:10:08.240 bad because initially everybody was like, who's gonna hack your fridge? 0:10:08.640 --> 0:10:12.120 Except we've seen those instances where there's the nanny cam 0:10:12.120 --> 0:10:14.520 and the teddy Bear that you can use your smartphone 0:10:14.559 --> 0:10:16.520 with and then somebody walks in the room and the 0:10:16.559 --> 0:10:18.960 bear is talking and rush into the baby. I mean, 0:10:19.000 --> 0:10:24.360 like it's totally a thing because they just seemed so innocuous, 0:10:24.400 --> 0:10:27.360 these little devices. I'm not a big believer in the 0:10:27.400 --> 0:10:30.959 Internet of Things personally. Oh no, Internet of things is dumb. Yeah, 0:10:31.200 --> 0:10:33.920 I disagree. I like the Internet of Things. I think 0:10:33.960 --> 0:10:38.679 that there's some improvements that can be made, certainly, but 0:10:38.880 --> 0:10:41.080 I think that that's just part of you know, new 0:10:41.080 --> 0:10:44.640 way of technology implementation. But but just another fun thing 0:10:44.640 --> 0:10:46.160 in the news. It was in a just a week 0:10:46.240 --> 0:10:48.680 or two ago, the cops bust to the guy with 0:10:48.679 --> 0:10:51.800 the pacemaker because he was making his big alibi was 0:10:51.840 --> 0:10:53.400 there was a fire and he was like, you know, 0:10:53.520 --> 0:10:55.439 like struggling to escape from the fire or something. I 0:10:55.480 --> 0:10:57.839 can't remember exactly what it was, but they managed to 0:10:57.880 --> 0:11:02.360 download download information from his pacemaker, the pacemaker's record. The 0:11:02.360 --> 0:11:05.680 pacemaker basically said, no, this guy's heart wasn't beating fast 0:11:05.720 --> 0:11:09.680 at all. Oh my god, and yeah he was busted 0:11:09.760 --> 0:11:13.440 and crazy. Yeah. So yeah, all these digital devices there, 0:11:13.520 --> 0:11:16.720 they're recording the crap out of your life. Yeah. Okay, 0:11:16.760 --> 0:11:19.600 So anyway, long story short, that's why you should put 0:11:19.640 --> 0:11:23.960 tape over your camera and don't say anything sensed eve 0:11:23.960 --> 0:11:26.400 around your computer because it's listening all the time. I 0:11:26.440 --> 0:11:29.640 don't have mine on. My camera's always exposed. I say 0:11:29.679 --> 0:11:31.440 all kinds of things to my computer. I know. And 0:11:31.520 --> 0:11:36.360 that's why people secretly have pictures of us. They have 0:11:36.600 --> 0:11:41.320 even better pictures to Steve so ghost rat back to 0:11:41.360 --> 0:11:46.400 the story, was a specific kind of trojan, and it 0:11:46.559 --> 0:11:51.280 is most often referred to as an APT or an 0:11:51.320 --> 0:11:57.240 advanced persistent threat. Often trojans will be sent out just 0:11:57.360 --> 0:12:00.880 kind of you know, like those emails from Thenigerian Prince 0:12:01.000 --> 0:12:05.480 just just yeah, really, just as many people as they 0:12:05.480 --> 0:12:07.760 can possibly send them to on the hope that a 0:12:07.800 --> 0:12:10.640 couple of people will be real dumb and infect their 0:12:10.679 --> 0:12:13.720 computer and then they go for heavy payload real quick, 0:12:14.320 --> 0:12:17.320 and then um they get eradicated from the computer. But 0:12:17.440 --> 0:12:20.679 the hackers already have what they wanted. Oftentimes, as we 0:12:20.679 --> 0:12:23.120 were talking about with you know, trying to get information 0:12:23.120 --> 0:12:26.160 that you could blackmail somebody with, or you know, any 0:12:26.200 --> 0:12:29.800 financial records or just passwords or things like that. UM 0:12:29.840 --> 0:12:34.720 apt s, however, are pretty much the opposite of that. 0:12:35.800 --> 0:12:39.720 Um They're usually targeted at one organization, be it a 0:12:39.760 --> 0:12:43.320 corporation or government or ministry or something like that, and 0:12:43.360 --> 0:12:47.600 they usually have inside intel on how to get into 0:12:47.600 --> 0:12:53.440 the system. Pretty frequently apt s are executed with um 0:12:54.120 --> 0:12:58.920 like old school espionage skills, stick in a USB, stick 0:12:58.920 --> 0:13:03.640 in a computer, well, more like social engineering to get 0:13:03.720 --> 0:13:06.320 to the point where that guy can stick that USB 0:13:06.480 --> 0:13:10.880 stick in to a computer or even you know, so 0:13:10.920 --> 0:13:15.160 that they know social engineering. You mean what Okay, so 0:13:15.160 --> 0:13:21.160 social engineering is a term that generally refers to the 0:13:21.240 --> 0:13:25.559 old school manipulation of people. Yeah, basically, yeah, but I 0:13:25.920 --> 0:13:28.760 know what social engineering used to be called. But in 0:13:28.920 --> 0:13:31.680 like special social engineering you're talking about, Actually it's still 0:13:31.920 --> 0:13:35.400 the same thing, okay, Yeah, where you know, you try 0:13:35.600 --> 0:13:38.319 you convince people to do things that they shouldn't necessarily 0:13:38.360 --> 0:13:40.319 do by talking to them in person. I mean, you know, 0:13:40.360 --> 0:13:43.280 it's similar to you know, you can call somebody and 0:13:43.280 --> 0:13:45.719 and start a conversation with them and get information out 0:13:45.720 --> 0:13:47.640 of them by pretending like you know what you're talking about. 0:13:47.880 --> 0:13:50.240 You know, little things like that, Or you can dress 0:13:50.280 --> 0:13:52.280 up like a janitor and pretend like you're supposed to 0:13:52.320 --> 0:13:56.400 be in that corporate office and walk around and nine 0:13:56.400 --> 0:13:59.079 times that attend, nobody's going to be like, hey, excuse me, 0:13:59.360 --> 0:14:01.480 you're not the weal, guy, what are you doing here? 0:14:01.920 --> 0:14:03.480 They're just going to ignore you, and you're going to 0:14:03.559 --> 0:14:06.640 get away with doing a lot of research or intel 0:14:06.720 --> 0:14:10.480 work or you know again sticking a USB in a 0:14:10.480 --> 0:14:13.240 place that doesn't exist or it shouldn't exist. I mean, 0:14:13.320 --> 0:14:15.240 and this is the other thing, right, is that let's 0:14:16.280 --> 0:14:20.840 a lot of places say you should never put like 0:14:20.880 --> 0:14:22.680 a used to b C d s or floppy disks 0:14:22.760 --> 0:14:24.800 or anything like that that you don't know what it's 0:14:24.800 --> 0:14:27.760 on it, don't put it in your computer because that 0:14:27.840 --> 0:14:30.960 used to be a pretty standard delivery system for these 0:14:31.040 --> 0:14:33.920 little bugs, because it would just install into your computer 0:14:33.960 --> 0:14:35.880 and then all of a sudden, you've infected every People 0:14:35.880 --> 0:14:38.200 would go to Starbucks and leave a flash drive and 0:14:38.280 --> 0:14:40.880 some somebody would like, oh, who's flash dry? I don't know, Well, 0:14:40.920 --> 0:14:42.320 let's see what's on it. Maybe I can find out 0:14:42.320 --> 0:14:47.160 who belongs to. So they did a study of some 0:14:47.320 --> 0:14:49.480 university recently where they left a bunch of the flash 0:14:49.560 --> 0:14:53.120 drives just laying around campus and uh and if you downloaded, 0:14:53.120 --> 0:14:55.680 you've got instructions on just bring it back to this department. 0:14:55.720 --> 0:14:58.280 They found that like half the people that pick these 0:14:58.280 --> 0:15:02.080 things up stuck them into their computers. Yeah, yeah, unbelievable. Yeah. Well, 0:15:02.080 --> 0:15:04.880 and that's where the kind of social engineering thing can 0:15:05.000 --> 0:15:07.760 can come in handy rate is if you call if 0:15:07.800 --> 0:15:10.120 you have a target, a high value target, you know, right, 0:15:10.280 --> 0:15:12.880 is like the CEO of a company who has proven 0:15:12.920 --> 0:15:15.160 to be maybe not as tech savvy as they should be, 0:15:15.400 --> 0:15:20.320 and you know, yeah CEO of Sideways Co. And you 0:15:21.080 --> 0:15:24.440 want to somehow infect that person's computer. Well, you can 0:15:24.560 --> 0:15:27.040 go through the arduous process of trying to figure out 0:15:27.080 --> 0:15:29.960 if there's a backdoor exploit tech wise where you can 0:15:30.000 --> 0:15:32.520 you know, get into the pack of the mainframe, you know, 0:15:32.520 --> 0:15:37.040 blah blah blah, or or even easier, right, you can 0:15:37.040 --> 0:15:40.440 call his secretary and say, I am supposed to be 0:15:40.440 --> 0:15:43.000 in this meeting with him. I'm so sorry, Or my 0:15:43.080 --> 0:15:44.760 supervisor is supposed to be in my meet in this 0:15:44.840 --> 0:15:47.520 meeting with your CEO and he's running late, and I 0:15:47.560 --> 0:15:50.160 just need to know, like where they're meeting, please can 0:15:50.200 --> 0:15:52.960 you tell me? And the secretary will take pity on 0:15:53.000 --> 0:15:57.240 you if you tried enough times, and you'll and she'll say, oh, 0:15:57.240 --> 0:15:59.560 they're meeting at the Starbucks. You'll go leave a flash 0:15:59.640 --> 0:16:04.600 drive where he's going to find it, and and that's 0:16:04.640 --> 0:16:07.560 like an old school kind of social engineering technique, right 0:16:07.600 --> 0:16:10.080 where you you make somebody give pity on you and 0:16:10.240 --> 0:16:11.920 there you go. But yeah, or you can send a 0:16:11.920 --> 0:16:13.680 phishing email, which is what we're going to talk about 0:16:13.680 --> 0:16:18.520 a little bit. So all of that to say that 0:16:18.520 --> 0:16:21.480 that's one way that um A pt s are delivered 0:16:21.600 --> 0:16:24.800 is by social engineering, and the other way is by 0:16:24.800 --> 0:16:30.960 spending a lot of money or manpower to expose those 0:16:31.040 --> 0:16:35.600 backdoor vulnerabilities that exist in all systems, and not necessarily backdoor, 0:16:35.640 --> 0:16:39.160 but vulnerabilities that exist in like every single system. There's 0:16:39.160 --> 0:16:41.800 always some way that a system is a little messed up. 0:16:42.800 --> 0:16:46.160 It's not cheap route typically because on the dark web 0:16:46.240 --> 0:16:49.960 you can buy a lot of different bits of script 0:16:50.040 --> 0:16:55.360 and code or full on assault packages for systems, but 0:16:55.440 --> 0:16:58.320 that's not a cheap endeavor. Yeah, it sounds like from 0:16:58.400 --> 0:17:02.480 the research that I have been doing just around this project, 0:17:02.560 --> 0:17:06.520 not for my own anything, don't worry. Um it sounds 0:17:06.600 --> 0:17:08.639 like there are a lot of people who make a 0:17:08.680 --> 0:17:12.240 lot of money basically make their living on finding these 0:17:12.320 --> 0:17:15.720 exploits and not exploiting them and just putting it out 0:17:15.720 --> 0:17:18.679 there on forums and saying, hey guys, just you know, 0:17:18.840 --> 0:17:20.680 I have a way to get into this goes to 0:17:20.720 --> 0:17:23.560 the highest bidder and letting a bidding war happen, and 0:17:23.600 --> 0:17:25.680 then you know, eventually somebody will say, I will give 0:17:25.680 --> 0:17:28.480 you three million dollars for that one thing. And the 0:17:30.280 --> 0:17:34.320 zero vulnerabilities. Yeah, zero dave vulnerabilities is the technical term 0:17:34.840 --> 0:17:37.320 that I've been avoiding because I don't I don't know, 0:17:37.320 --> 0:17:38.760 because I don't know how many people are going to 0:17:38.840 --> 0:17:42.359 know it. Um And yeah, it's it's a lot of 0:17:42.359 --> 0:17:44.440 manpower or a lot of money to go that route. 0:17:44.480 --> 0:17:48.480 It's much easier just call somebody secretarian you know, and 0:17:48.640 --> 0:17:51.920 fishing you know. Um. So yeah, the all of that 0:17:52.000 --> 0:17:55.280 to say again that a p t S are typically 0:17:55.400 --> 0:18:00.479 very well financed. It is a long term investment because 0:18:00.520 --> 0:18:05.040 the goal is to surveil for a very long amount 0:18:05.040 --> 0:18:11.280 of time. It's not to it's it's really quantity and 0:18:11.560 --> 0:18:18.040 quality over just like sheer volume extracting volume. All I mean, 0:18:18.240 --> 0:18:20.200 correct me if I'm wrong. This is the way I 0:18:20.320 --> 0:18:22.960 understood a pt S, and tell me if I'm wrong. 0:18:22.960 --> 0:18:24.960 Here is I looked at it is is there's two 0:18:25.000 --> 0:18:28.040 types of ways to to rob a bank. There's the 0:18:28.160 --> 0:18:31.199 smash and grab, where you go in you grab as 0:18:31.359 --> 0:18:35.120 much as you can, and you run and whatever you get, 0:18:35.240 --> 0:18:40.840 you get or your bank employee, and you just start 0:18:41.359 --> 0:18:45.600 funneling funds and embezzling a thousand dollars a day and 0:18:45.680 --> 0:18:47.920 do it for as long as you can, because chances 0:18:47.960 --> 0:18:49.720 are you're not going to get noticed and you're gonna 0:18:49.720 --> 0:18:53.120 get more long term, I would I would add it's 0:18:53.320 --> 0:18:56.600 more like it's a subtler approach. It's more like somebody 0:18:56.640 --> 0:19:00.200 getting a job out of bank to funnel five bucks 0:19:00.200 --> 0:19:04.119 a day. Yeah, I mean a little tiny amount. I 0:19:04.160 --> 0:19:07.400 mean like even just like dropping a roll of coins 0:19:07.480 --> 0:19:11.800 into your purse every day for six or seven years 0:19:12.520 --> 0:19:15.200 before you get caught, and then obviously like not spending 0:19:15.240 --> 0:19:18.360 any money. So by the end of your process, you 0:19:18.359 --> 0:19:20.600 you have a ton of money. You have a huge 0:19:20.720 --> 0:19:24.600 value there. So that that's a really good analogy. Yeah, okay, 0:19:24.840 --> 0:19:26.720 you have to have a lot of coins to make 0:19:26.720 --> 0:19:30.359 it worth it. Remember all the quarters is ten bucks. Yeah, 0:19:30.440 --> 0:19:35.000 so ten bucks a day for seven years, eight years, 0:19:34.760 --> 0:19:39.720 that's what three thousand dollars a year as auxiliary income. 0:19:39.760 --> 0:19:43.520 I don't know, that's like three thousand bucks a months, right, 0:19:43.960 --> 0:19:48.199 My math skills are hideous six a year, Yeah, that's right. Right, 0:19:48.240 --> 0:19:51.760 because ten all a day. Okay, never mind, that's more 0:19:51.800 --> 0:19:54.480 than I thought. Yeah, okay, it was like it's only 0:19:54.520 --> 0:19:59.199 three grand years. That's yeah. Yeah, it's not enough to 0:19:59.400 --> 0:20:05.400 retire it. It's not nothing, especially as auxiliary income. Right. Yeah, 0:20:05.680 --> 0:20:08.000 So this is kind of vague, and we've kind of 0:20:08.040 --> 0:20:10.520 like gone in a bunch of different directions. But that's 0:20:10.560 --> 0:20:14.000 because a pt s are pretty vague in nature, and 0:20:14.119 --> 0:20:18.280 the way that they're deployed is oftentimes very different. Again, 0:20:18.400 --> 0:20:22.080 because you don't want to be detected. Well let's say, yeah, 0:20:22.080 --> 0:20:24.040 it's like an espionage you know, it's like you don't 0:20:24.040 --> 0:20:25.919 want to protect your sources. You don't want people to 0:20:25.960 --> 0:20:28.919 know that they've actually been penetrated. So you know, you 0:20:28.920 --> 0:20:31.240 don't just when you get something and you get some information, 0:20:31.280 --> 0:20:33.200 you don't just run out and act on it because 0:20:33.280 --> 0:20:38.240 it tells the other side that, well, compromise. And I 0:20:38.240 --> 0:20:40.880 would encourage our listeners to remember the thing that Joe 0:20:40.960 --> 0:20:43.720 just said when we get into theories. That occurred to 0:20:43.760 --> 0:20:46.200 me too, because I've read ahead a little bit too. Yeah, 0:20:46.480 --> 0:20:50.919 that's good. I'm glad that you've read. Um. So, there 0:20:51.240 --> 0:20:55.920 is a fifty three page report that was put out 0:20:55.920 --> 0:21:00.760 by INFO War Monitor by Professor Ron Deep who's the 0:21:00.800 --> 0:21:04.439 director at the Citizen Lab at the Monk Center for 0:21:04.520 --> 0:21:10.040 International Studies at the University of Toronto, and Raffael Rojozinski, 0:21:10.400 --> 0:21:13.960 I think, who's the principal and CEO at the SECTV Group. 0:21:14.280 --> 0:21:16.719 I read all fifty three pages of this and let 0:21:16.720 --> 0:21:20.959 me tell you, it was not easy reading. Read myself 0:21:22.000 --> 0:21:26.159 good and I really deeply encourage if this is a 0:21:26.200 --> 0:21:29.440 mystery that grabs you, you should read this whole report 0:21:29.480 --> 0:21:33.480 because it's really interesting. But if you are just enjoying 0:21:33.560 --> 0:21:36.840 listening to the sound of my voice, don't. I wouldn't 0:21:36.920 --> 0:21:39.080 encourage you to read it. We will link it on 0:21:39.119 --> 0:21:41.560 the website. I just played this episode over and over 0:21:41.600 --> 0:21:46.080 and over again. Yeah. Um, so the next little bit 0:21:46.160 --> 0:21:48.320 here we're gonna do is basically like a too long 0:21:48.400 --> 0:21:51.760 didn't read of the fifty three pages of the report, 0:21:52.160 --> 0:21:54.760 because I think it's important that we talked about the 0:21:54.840 --> 0:21:59.439 report and the investigation that happened. The investigation took place 0:21:59.480 --> 0:22:03.199 in two parts. One the first part from June to 0:22:03.240 --> 0:22:06.600 November in two thousand eight, um, and then the second 0:22:06.720 --> 0:22:10.639 part was December two thousand eight to March two thousand nine, 0:22:11.119 --> 0:22:14.680 and again as I mentioned the whole you know, pushed 0:22:14.680 --> 0:22:16.720 to do this was because there was a request from 0:22:16.760 --> 0:22:19.640 the Office of His Holiness the Dalai Lama. And yes, 0:22:19.680 --> 0:22:21.600 I am going to say that every single time. I 0:22:21.680 --> 0:22:23.280 read it that way in my head every time. So 0:22:23.320 --> 0:22:25.560 I'm glad you gonna keep doing two the other way. 0:22:30.320 --> 0:22:33.960 Uh So June to November two tho. The first part 0:22:34.480 --> 0:22:38.200 was an on site investigation in which investigators took time 0:22:38.240 --> 0:22:43.000 to figure out what the typical computer and infosecurity practices 0:22:43.080 --> 0:22:46.919 looked like at the organizations that were infected or that 0:22:46.960 --> 0:22:49.520 they thought were infected. At this point, they didn't really 0:22:49.560 --> 0:22:51.959 know how many were well, they didn't know what they 0:22:51.960 --> 0:22:53.480 were dealing They didn't really know what they were dealing with, 0:22:53.520 --> 0:22:56.880 but they were trying to identify. Is they're a good 0:22:56.880 --> 0:23:00.040 password protocol. Is it possible that somebody just guessed on 0:23:00.160 --> 0:23:04.600 passwords right that got this information? Is there a different 0:23:04.600 --> 0:23:08.160 way that this information could be leaking? Is somebody inside 0:23:08.160 --> 0:23:12.280 the office? Yeah? Or even you know, just things like 0:23:12.359 --> 0:23:15.720 did somebody lose a computer and I didn't want to 0:23:15.720 --> 0:23:18.560 admit it, or you know, are you guys not shredding 0:23:18.640 --> 0:23:22.120 your sensitive document? You know, really just and suspicious things 0:23:22.160 --> 0:23:26.719 were happening to. Yeah, the organization itself in terms of 0:23:27.040 --> 0:23:32.439 reactions and preemptive reactions and stuff. Yeah, we're gonna talk 0:23:32.480 --> 0:23:35.879 about that in a second, but them to ask for 0:23:35.920 --> 0:23:41.359 the help. Yeah. But basically what the investigators or researchers 0:23:41.400 --> 0:23:44.320 were trying to do at the get go was what 0:23:44.359 --> 0:23:47.679 they used to do on ghost Hunters, right where when 0:23:47.760 --> 0:23:49.840 they would like film something suspicious and they'd be like, 0:23:49.840 --> 0:23:53.640 all right, how can we recreate this with like normal environments? 0:23:53.960 --> 0:23:56.439 And then when they couldn't, they said, okay, there's a 0:23:56.440 --> 0:24:00.440 ghost here. Or in our case, when they couldn't account for, 0:24:00.640 --> 0:24:04.240