1 00:00:04,160 --> 00:00:07,160 Speaker 1: Get in touch with technology with Tech Stuff from How 2 00:00:07,240 --> 00:00:13,760 Speaker 1: Stuff Works dot com. Hey there, and welcome to Tech Stuff. 3 00:00:13,800 --> 00:00:17,000 Speaker 1: I am your host, Jonathan Strickland. I'm an executive producer 4 00:00:17,040 --> 00:00:19,319 Speaker 1: here at How Stuff Works and I love all things tech. 5 00:00:19,360 --> 00:00:22,439 Speaker 1: And if you listen to the previous episode, you heard 6 00:00:22,520 --> 00:00:26,079 Speaker 1: part one of what was up with Stuxnet, the 7 00:00:26,680 --> 00:00:31,920 Speaker 1: infamous computer virus that made headlines in ten and opened 8 00:00:32,000 --> 00:00:35,320 Speaker 1: up a new era of cyber warfare. If you have 9 00:00:35,520 --> 00:00:38,400 Speaker 1: not already listened to that episode, I recommend you go 10 00:00:38,440 --> 00:00:40,720 Speaker 1: do it, because we're gonna pick up right where we 11 00:00:40,840 --> 00:00:43,559 Speaker 1: left off. Now, in the previous episode, I set the 12 00:00:43,560 --> 00:00:47,199 Speaker 1: ground by talking about how Iran had been pursuing a 13 00:00:47,320 --> 00:00:53,520 Speaker 1: nuclear power strategy and potentially developing nuclear weapons as well, 14 00:00:53,960 --> 00:00:57,640 Speaker 1: much to the consternation of other nations like the 15 00:00:57,720 --> 00:01:02,480 Speaker 1: United States, and that at some point at a uranium 16 00:01:02,560 --> 00:01:07,000 Speaker 1: enrichment facility in Iran, people began to notice that centrifuges 17 00:01:07,040 --> 00:01:10,120 Speaker 1: were really acting up. They were breaking down way more 18 00:01:10,200 --> 00:01:14,000 Speaker 1: frequently than they should have been considering their age and 19 00:01:14,080 --> 00:01:17,680 Speaker 1: how much they were working. 
At the same time, there 20 00:01:17,840 --> 00:01:23,880 Speaker 1: was this tiny little antivirus company that had found 21 00:01:24,000 --> 00:01:27,240 Speaker 1: some sort of weird code on an Iranian machine that 22 00:01:27,319 --> 00:01:31,160 Speaker 1: was having a problem. It was constantly crashing and rebooting, 23 00:01:31,360 --> 00:01:34,560 Speaker 1: and that led to the discovery of some malware that 24 00:01:34,720 --> 00:01:38,400 Speaker 1: Microsoft would later name Stuxnet. That malware would 25 00:01:38,880 --> 00:01:43,600 Speaker 1: affect various machines running on different versions of Windows, and 26 00:01:43,880 --> 00:01:47,800 Speaker 1: it seemed really really virulent, like it would very quickly 27 00:01:47,920 --> 00:01:50,840 Speaker 1: infect a machine, but no one was really sure what 28 00:01:50,920 --> 00:01:54,040 Speaker 1: it was doing. At this point. They they had not 29 00:01:54,160 --> 00:01:57,920 Speaker 1: really unraveled the payload of the malware. They more or 30 00:01:58,000 --> 00:02:00,800 Speaker 1: less understood how it was spreading, how it was going 31 00:02:00,880 --> 00:02:04,720 Speaker 1: from one computer to the next, but they weren't sure why, like, 32 00:02:05,000 --> 00:02:07,880 Speaker 1: what was the purpose of it? What did it actually do? 33 00:02:08,560 --> 00:02:10,760 Speaker 1: And that's kind of where we pick up now. The 34 00:02:10,880 --> 00:02:15,359 Speaker 1: date we're talking about is July. This is less than 35 00:02:15,400 --> 00:02:20,360 Speaker 1: a week after the news broke about Stuxnet actually 36 00:02:20,440 --> 00:02:23,480 Speaker 1: being a thing, And there was a security analyst with 37 00:02:23,560 --> 00:02:28,280 Speaker 1: Symantec named Liam O Murchu who took a look at the 38 00:02:28,360 --> 00:02:31,520 Speaker 1: main Stuxnet file and he was gobsmacked. 
The 39 00:02:31,720 --> 00:02:35,720 Speaker 1: file was way larger than your typical malware would tend 40 00:02:35,760 --> 00:02:42,040 Speaker 1: to be. Malicious software is usually pretty simple. It's often inelegant, 41 00:02:42,600 --> 00:02:45,600 Speaker 1: and it might only be fifteen kilobytes in size or less. 42 00:02:45,639 --> 00:02:47,440 Speaker 1: It just needs to be big enough to do whatever 43 00:02:47,480 --> 00:02:50,080 Speaker 1: it is the hacker intended for it to do, and 44 00:02:50,120 --> 00:02:53,919 Speaker 1: smaller sizes are usually easier to slip in through something 45 00:02:53,960 --> 00:02:56,480 Speaker 1: else than something that's larger. But Stuxnet was different. 46 00:02:56,520 --> 00:03:00,600 Speaker 1: It was five kilobytes, much larger than your typical malware, 47 00:03:01,080 --> 00:03:04,560 Speaker 1: and it didn't seem to contain any filler data in it. 48 00:03:04,560 --> 00:03:08,080 Speaker 1: It wasn't like there was some sort of extra piece 49 00:03:08,120 --> 00:03:10,360 Speaker 1: of data to make it look like it was something else, 50 00:03:10,400 --> 00:03:13,240 Speaker 1: like a JPEG or a music file or something along that. 51 00:03:13,600 --> 00:03:17,200 Speaker 1: O Murchu saw that the file had been through a 52 00:03:17,240 --> 00:03:22,400 Speaker 1: packer sort of like a ZIP application, something that would 53 00:03:22,440 --> 00:03:26,200 Speaker 1: compress the file. What's more, the people who had made 54 00:03:26,200 --> 00:03:30,160 Speaker 1: it used an off-the-shelf compressor called Ultimate Packer 55 00:03:30,360 --> 00:03:34,000 Speaker 1: for Executables, or UPX, so they didn't bother 56 00:03:34,080 --> 00:03:35,920 Speaker 1: to make their own tool. 
They used an off the 57 00:03:35,920 --> 00:03:38,760 Speaker 1: shelf tool that made it very easy to unpack because 58 00:03:38,800 --> 00:03:40,560 Speaker 1: all you had to do is have a copy of 59 00:03:40,560 --> 00:03:43,680 Speaker 1: this tool. So O Murchu was able to unpack this 60 00:03:43,760 --> 00:03:47,600 Speaker 1: file without very much fuss. But here's the thing. Even 61 00:03:48,240 --> 00:03:51,120 Speaker 1: though this wasn't a case where hackers had created a 62 00:03:51,160 --> 00:03:56,480 Speaker 1: customized packer, which would make it more difficult to detect, uh, 63 00:03:56,600 --> 00:04:03,440 Speaker 1: the simple compression was a bit of a, uh, I 64 00:04:03,440 --> 00:04:05,800 Speaker 1: don't want to say a trap, but it was certainly 65 00:04:05,840 --> 00:04:10,520 Speaker 1: misleading because the rest of the file showed that they 66 00:04:10,520 --> 00:04:13,280 Speaker 1: had gone to a considerable length to hide what was 67 00:04:13,360 --> 00:04:16,880 Speaker 1: happening and to create a very sophisticated type of malware. 68 00:04:17,160 --> 00:04:20,800 Speaker 1: The unpacked file ballooned in size to one point one 69 00:04:20,880 --> 00:04:24,400 Speaker 1: eight megabytes. Remember it had been five kilobytes, so this 70 00:04:24,480 --> 00:04:27,640 Speaker 1: is more than twice the size of that packed file. 71 00:04:28,200 --> 00:04:32,080 Speaker 1: At this stage, O Murchu saw what Boldewin had noticed. Boldewin, 72 00:04:32,160 --> 00:04:34,560 Speaker 1: of course, was the analyst I talked about in the 73 00:04:34,680 --> 00:04:38,400 Speaker 1: last episode who had discovered that there were references to 74 00:04:38,960 --> 00:04:42,080 Speaker 1: two different pieces of software created by a German company 75 00:04:42,120 --> 00:04:47,640 Speaker 1: called Siemens that made programs that were designed for other businesses. 
76 00:04:48,000 --> 00:04:52,440 Speaker 1: So this was the point where O Murchu saw that same information. 77 00:04:52,839 --> 00:04:55,279 Speaker 1: The payload of the virus took the form of a 78 00:04:55,480 --> 00:04:59,200 Speaker 1: DLL file. DLL stands for Dynamic 79 00:04:59,360 --> 00:05:02,960 Speaker 1: Link Library. It's a file extension found in Windows machines. 80 00:05:03,360 --> 00:05:07,880 Speaker 1: The Stuxnet DLL contained smaller DLLs within it, 81 00:05:08,360 --> 00:05:12,080 Speaker 1: and each of those layers were encrypted, so it was 82 00:05:12,120 --> 00:05:16,200 Speaker 1: like unraveling it you found another puzzle, and inside that 83 00:05:16,279 --> 00:05:19,560 Speaker 1: was another puzzle, and the puzzles all were using different 84 00:05:20,240 --> 00:05:23,159 Speaker 1: strategies in order to encrypt them, so it made it 85 00:05:23,240 --> 00:05:25,600 Speaker 1: very tricky to find out what it should actually this 86 00:05:25,680 --> 00:05:28,840 Speaker 1: thing was supposed to do. He also saw that 87 00:05:28,880 --> 00:05:32,159 Speaker 1: Stuxnet was being incredibly sneaky. The malware was designed to 88 00:05:32,320 --> 00:05:36,800 Speaker 1: live in a computer's memory, so instead of a computer 89 00:05:36,960 --> 00:05:40,040 Speaker 1: referencing its hard drive space in order to pull up 90 00:05:40,080 --> 00:05:44,039 Speaker 1: information from the malware, which would make it easier to 91 00:05:44,960 --> 00:05:47,680 Speaker 1: actually track down if you were looking for it, it 92 00:05:47,680 --> 00:05:51,159 Speaker 1: would just reference it in its actual memory. And it 93 00:05:51,279 --> 00:05:55,440 Speaker 1: altered the application programming interface for Windows so that it 94 00:05:55,480 --> 00:05:59,839 Speaker 1: could execute code without getting picked up by antivirus software. 
Essentially, 95 00:06:00,200 --> 00:06:02,800 Speaker 1: when Windows would go to execute a process related to 96 00:06:02,839 --> 00:06:05,760 Speaker 1: Stuxnet, the altered API would direct that 97 00:06:05,880 --> 00:06:09,920 Speaker 1: inquiry to the file resting in the computer's memory beneath 98 00:06:09,960 --> 00:06:13,960 Speaker 1: detectable levels, so the computer would just from its perspective, 99 00:06:14,120 --> 00:06:17,479 Speaker 1: look like everything was working perfectly, but in reality, things 100 00:06:17,520 --> 00:06:20,159 Speaker 1: were getting rerouted so that it was covering up 101 00:06:20,320 --> 00:06:23,680 Speaker 1: the virus's tracks. Stuxnet would also hide its processes 102 00:06:24,240 --> 00:06:28,599 Speaker 1: within other processes, so it was obfuscating what was 103 00:06:28,680 --> 00:06:34,159 Speaker 1: going on, and it was really a confusing and effective 104 00:06:34,240 --> 00:06:38,960 Speaker 1: way to hide what was actually happening. O Murchu's conclusion 105 00:06:39,480 --> 00:06:42,359 Speaker 1: was that the programmers who made this must have really 106 00:06:42,440 --> 00:06:45,240 Speaker 1: known their stuff, and they must have worked really hard 107 00:06:45,320 --> 00:06:48,000 Speaker 1: to make it difficult to detect Stuxnet even without 108 00:06:48,000 --> 00:06:52,160 Speaker 1: a thorough or even with rather a thorough investigation. O 109 00:06:52,240 --> 00:06:54,839 Speaker 1: Murchu also saw that the code had been encrypted and 110 00:06:54,880 --> 00:06:58,159 Speaker 1: that it contained further encrypted files within it, and whomever 111 00:06:58,200 --> 00:07:00,040 Speaker 1: had set it up had gone to great pains to 112 00:07:00,080 --> 00:07:02,719 Speaker 1: make it very difficult to get at the raw code, and 113 00:07:02,720 --> 00:07:05,159 Speaker 1: he noted that the malware had an expiration date on 114 00:07:05,200 --> 00:07:08,800 Speaker 1: it as well. 
That date was June two thousand twelve, 115 00:07:09,640 --> 00:07:12,560 Speaker 1: and that meant that the malware would actually consult a 116 00:07:12,600 --> 00:07:15,440 Speaker 1: computer's onboard clock and look and see what day it is, 117 00:07:15,480 --> 00:07:19,080 Speaker 1: what time it is. If the date was after June 118 00:07:19,080 --> 00:07:23,360 Speaker 1: two thousand twelve, the malware wouldn't install itself on the 119 00:07:23,360 --> 00:07:26,480 Speaker 1: target computer. So it was like a checklist, like, check 120 00:07:26,520 --> 00:07:29,400 Speaker 1: the date is it before June two thousand twelve, It 121 00:07:29,560 --> 00:07:32,840 Speaker 1: is gravy, let's go there. If it was after, like 122 00:07:33,320 --> 00:07:36,800 Speaker 1: too late now and stop. So any computers previously infected 123 00:07:36,920 --> 00:07:40,920 Speaker 1: with Stuxnet could continue and would continue to be compromised. 124 00:07:40,920 --> 00:07:46,880 Speaker 1: They wouldn't magically become clear on June twelve, but no 125 00:07:47,160 --> 00:07:50,600 Speaker 1: new computers would get infected by Stuxnet. O Murchu 126 00:07:51,040 --> 00:07:54,720 Speaker 1: and his team also found that the malware had a 127 00:07:54,840 --> 00:07:58,800 Speaker 1: phone home kind of feature. Every single time it infected 128 00:07:58,840 --> 00:08:01,520 Speaker 1: a new computer, the malware would attempt to send a 129 00:08:01,560 --> 00:08:06,000 Speaker 1: message back to headquarters. The headquarters was masked by using 130 00:08:06,040 --> 00:08:09,640 Speaker 1: two domains that appeared at least on casual inspection to 131 00:08:09,800 --> 00:08:14,120 Speaker 1: belong to soccer fans. 
One URL was Today's 132 00:08:14,480 --> 00:08:18,920 Speaker 1: Football dot com, football spelled F-U-T-B-O-L, 133 00:08:19,600 --> 00:08:23,080 Speaker 1: and the other was My Premier, My Premier Football dot 134 00:08:23,120 --> 00:08:25,880 Speaker 1: com and again football F-U-T-B-O-L. The 135 00:08:25,920 --> 00:08:29,600 Speaker 1: owner of the domains was unknown, but when they started 136 00:08:29,640 --> 00:08:31,600 Speaker 1: to take a closer look at it, they realized that 137 00:08:31,640 --> 00:08:34,480 Speaker 1: the registration had a fake name attached to it and 138 00:08:34,520 --> 00:08:37,280 Speaker 1: that the credit cards associated with the account were fraudulent. 139 00:08:37,840 --> 00:08:41,640 Speaker 1: The servers hosting the domains were in Malaysia and Denmark, 140 00:08:41,880 --> 00:08:45,599 Speaker 1: but that didn't really necessarily mean anything. It was just confusing. 141 00:08:45,800 --> 00:08:50,120 Speaker 1: The phone home messages included a small amount of encrypted data. 142 00:08:50,559 --> 00:08:53,319 Speaker 1: O Murchu's team was able to break the encryption, however, 143 00:08:53,360 --> 00:08:56,640 Speaker 1: and they saw that an infected machine would send a message. 144 00:08:56,679 --> 00:09:01,079 Speaker 1: They gave the server the infected machine's internal IP address, 145 00:09:01,120 --> 00:09:04,880 Speaker 1: which version of Windows the machine was using, and whether 146 00:09:04,960 --> 00:09:08,480 Speaker 1: or not that machine also happened to have those two 147 00:09:08,600 --> 00:09:13,800 Speaker 1: Siemens programs installed on it. Eventually, the researchers figured out 148 00:09:13,840 --> 00:09:16,800 Speaker 1: that Stuxnet would shut itself down if it could 149 00:09:16,800 --> 00:09:20,880 Speaker 1: not find evidence of those Siemens programs on the host machine. 
150 00:09:21,440 --> 00:09:24,160 Speaker 1: The virus would continue to try and infect other machines 151 00:09:24,280 --> 00:09:27,800 Speaker 1: from its infected host if it were on a network system, 152 00:09:27,840 --> 00:09:30,520 Speaker 1: but otherwise it would not unleash its payload if the 153 00:09:30,520 --> 00:09:34,480 Speaker 1: Siemens programs weren't present, which was also confusing because here 154 00:09:34,520 --> 00:09:37,240 Speaker 1: you had some malware that was so specific that it 155 00:09:37,360 --> 00:09:40,679 Speaker 1: only leapt into action if those two programs were on 156 00:09:40,720 --> 00:09:43,120 Speaker 1: the host computer. Otherwise it wouldn't do anything at all. 157 00:09:43,760 --> 00:09:48,439 Speaker 1: So it clearly wasn't meant to wreak havoc across all machines. 158 00:09:48,720 --> 00:09:52,760 Speaker 1: It was still problematic that was infecting lots of different computers, 159 00:09:52,800 --> 00:09:55,920 Speaker 1: because obviously you never want to have malware infect your computer. 160 00:09:56,320 --> 00:09:58,720 Speaker 1: But if you didn't have those Siemens programs on your computer, 161 00:09:58,840 --> 00:10:01,480 Speaker 1: it didn't do anything else apart from attempt to 162 00:10:01,920 --> 00:10:05,800 Speaker 1: infect other computers networked to yours. It didn't mess 163 00:10:05,880 --> 00:10:09,120 Speaker 1: with your files, it didn't encrypt anything without your permission, 164 00:10:09,240 --> 00:10:14,000 Speaker 1: it didn't delete anything. Everything was fine. So a lot 165 00:10:14,040 --> 00:10:17,240 Speaker 1: of the code and implementation suggested that Stuxnet was 166 00:10:17,320 --> 00:10:20,560 Speaker 1: probably the product of years of work from at least 167 00:10:20,640 --> 00:10:24,319 Speaker 1: one or two or maybe three teams of talented programmers. 
168 00:10:25,160 --> 00:10:28,040 Speaker 1: There were some gaps in the code and implementation, however, 169 00:10:28,400 --> 00:10:32,640 Speaker 1: that led some security experts to call it perplexingly 170 00:10:32,760 --> 00:10:36,520 Speaker 1: sloppy, or careless. One of those was Nate Lawson, 171 00:10:36,559 --> 00:10:39,480 Speaker 1: who's a cryptographer, who criticized the code and said that 172 00:10:39,520 --> 00:10:42,760 Speaker 1: it smacked of amateurism in many ways. And here's a 173 00:10:42,760 --> 00:10:45,600 Speaker 1: direct quote. He said, "I really hope it wasn't written 174 00:10:45,640 --> 00:10:48,080 Speaker 1: by the USA, because I'd like to think our elite 175 00:10:48,120 --> 00:10:52,000 Speaker 1: cyber weapon developers at least know what Bulgarian teenagers did 176 00:10:52,040 --> 00:10:57,880 Speaker 1: back in the early nineties." Sick burn, Lawson. As part 177 00:10:57,880 --> 00:11:00,880 Speaker 1: of their research, O Murchu and his team over at Symantec 178 00:11:01,120 --> 00:11:05,440 Speaker 1: had contacted the domain name system service providers that were 179 00:11:05,480 --> 00:11:08,560 Speaker 1: responsible for those two URLs, and they decided 180 00:11:08,600 --> 00:11:13,640 Speaker 1: to create a new destination for all those communications. Uh. 181 00:11:13,960 --> 00:11:17,439 Speaker 1: It was kind of like a just a redirect, so 182 00:11:18,320 --> 00:11:21,440 Speaker 1: these messages that were supposed to go to these two 183 00:11:21,520 --> 00:11:25,240 Speaker 1: URLs that were posing as soccer fan sites 184 00:11:25,720 --> 00:11:28,959 Speaker 1: would instead end up going to Symantec. 
And they were hoping 185 00:11:28,960 --> 00:11:31,320 Speaker 1: that by looking at the messages that these computers were 186 00:11:31,360 --> 00:11:33,600 Speaker 1: sending back, they might be able to figure out what 187 00:11:33,760 --> 00:11:36,400 Speaker 1: the heck this malware was trying to do. So they 188 00:11:36,400 --> 00:11:38,440 Speaker 1: started looking for any patterns to get a better idea 189 00:11:38,440 --> 00:11:40,560 Speaker 1: of what was going on, and one of the things 190 00:11:40,559 --> 00:11:43,319 Speaker 1: they saw was that the majority of computers that were 191 00:11:43,320 --> 00:11:47,040 Speaker 1: sending the messages were in Iran. Iran also had the 192 00:11:47,080 --> 00:11:51,600 Speaker 1: most computers hosting the sought after Siemens programs, so that 193 00:11:51,720 --> 00:11:54,600 Speaker 1: made them suspect that perhaps the people who made this 194 00:11:54,960 --> 00:11:59,679 Speaker 1: malware were targeting Iran specifically for some reason. In the 195 00:11:59,720 --> 00:12:02,520 Speaker 1: past, Iran's computers had never really been at the high 196 00:12:02,720 --> 00:12:06,200 Speaker 1: end of infection rates whenever malware would break out, so 197 00:12:06,320 --> 00:12:08,920 Speaker 1: that suggested to the team that they must have been 198 00:12:09,160 --> 00:12:14,680 Speaker 1: the intended target, otherwise their percentage would not be so high. Uh, 199 00:12:15,000 --> 00:12:18,840 Speaker 1: someone had to be concentrating on them. Working with that 200 00:12:18,880 --> 00:12:22,880 Speaker 1: information that Iran was in fact the intended target, and 201 00:12:22,920 --> 00:12:25,440 Speaker 1: that the virus was specifically looking for machines that had 202 00:12:25,440 --> 00:12:28,920 Speaker 1: a particular type of industrial control software on it. 
They 203 00:12:28,920 --> 00:12:31,880 Speaker 1: started to form hypotheses as to what the purpose of 204 00:12:31,960 --> 00:12:35,280 Speaker 1: the malware could have been. So one possible explanation is 205 00:12:35,320 --> 00:12:38,319 Speaker 1: that it was part of an espionage project aimed at Iran's 206 00:12:38,440 --> 00:12:42,800 Speaker 1: nuclear power program. Uh, Natanz had attracted worldwide attention, as 207 00:12:42,840 --> 00:12:45,640 Speaker 1: it could have been a front operation that appeared to 208 00:12:45,679 --> 00:12:48,960 Speaker 1: be making nuclear fuel for power purposes, but in reality 209 00:12:49,040 --> 00:12:52,400 Speaker 1: was secretly enriching uranium in order to make nuclear weapons, 210 00:12:52,679 --> 00:12:54,800 Speaker 1: So that was one of the possibilities. They also thought 211 00:12:54,800 --> 00:12:59,320 Speaker 1: that maybe it was targeting perhaps gas pipelines or electric 212 00:12:59,320 --> 00:13:03,640 Speaker 1: power grids. They weren't entirely sure. Also, the propagation methodology 213 00:13:03,679 --> 00:13:07,240 Speaker 1: suggested that perhaps the programmers had wanted to infect machines 214 00:13:07,320 --> 00:13:11,199 Speaker 1: belonging to engineers who were responsible for transferring commands to 215 00:13:11,320 --> 00:13:15,080 Speaker 1: programmable logic controllers or PLCs. Those are the type 216 00:13:15,080 --> 00:13:18,960 Speaker 1: of controllers that the Siemens software would communicate with. 
Those 217 00:13:19,000 --> 00:13:23,000 Speaker 1: commands would exist on air gapped systems, and typically you 218 00:13:23,000 --> 00:13:29,000 Speaker 1: would transfer the commands by downloading the commands the proper 219 00:13:29,000 --> 00:13:32,160 Speaker 1: set of instructions onto a USB stick, and then you 220 00:13:32,200 --> 00:13:36,200 Speaker 1: would transfer the commands to a computer responsible for controlling 221 00:13:36,200 --> 00:13:39,160 Speaker 1: the PLCs via that USB stick, So you don't 222 00:13:39,200 --> 00:13:41,679 Speaker 1: have the machine the kind of the overseer for all 223 00:13:41,720 --> 00:13:44,240 Speaker 1: these PLCs connected to the Internet, that would be a 224 00:13:44,280 --> 00:13:48,960 Speaker 1: security vulnerability. Instead, you would create the program instructions on 225 00:13:49,320 --> 00:13:52,439 Speaker 1: a different machine, put it on USB stick, and then 226 00:13:52,480 --> 00:13:57,840 Speaker 1: transfer it over to the overseer computer. And uh. The problem 227 00:13:57,920 --> 00:14:01,200 Speaker 1: was that Stuxnet would propagate itself and copy 228 00:14:01,280 --> 00:14:05,240 Speaker 1: itself onto USB sticks that were inserted onto computers that 229 00:14:05,520 --> 00:14:08,640 Speaker 1: had been infected by Stuxnet. So you could have 230 00:14:08,679 --> 00:14:12,920 Speaker 1: an engineer who's just innocently trying to transfer some commands 231 00:14:13,080 --> 00:14:17,520 Speaker 1: to another computer actually infect that computer, so the engineers 232 00:14:17,520 --> 00:14:20,800 Speaker 1: themselves became the carriers of the virus. If one worked 233 00:14:20,840 --> 00:14:24,160 Speaker 1: from the hypothesis that the code was in fact meant 234 00:14:24,240 --> 00:14:28,720 Speaker 1: to target computers at Iran's uranium enrichment facility, it narrowed 235 00:14:28,720 --> 00:14:31,800 Speaker 1: down the list of potential attackers. 
For one thing, the 236 00:14:31,840 --> 00:14:34,960 Speaker 1: sophistication of the code, the lengths the hackers went to 237 00:14:35,040 --> 00:14:38,120 Speaker 1: in order to avoid detection, and the rapid response to 238 00:14:38,160 --> 00:14:41,600 Speaker 1: the presence of the code being announced to the world 239 00:14:41,640 --> 00:14:44,240 Speaker 1: in general suggested that there must have been a state 240 00:14:44,320 --> 00:14:49,160 Speaker 1: sponsored group, a government funded attempt, So whomever was doing 241 00:14:49,200 --> 00:14:53,720 Speaker 1: this had access to some pretty extensive resources. The candidates 242 00:14:53,720 --> 00:14:58,600 Speaker 1: that people were identifying early on included Russia, China, both 243 00:14:58,640 --> 00:15:01,480 Speaker 1: of them had been working on state-sponsored cyber warfare 244 00:15:01,520 --> 00:15:05,400 Speaker 1: strategies for a few years. Israel was another possibility, and 245 00:15:05,440 --> 00:15:09,280 Speaker 1: then there was, of course, the United States. There was 246 00:15:09,320 --> 00:15:12,080 Speaker 1: also the chance that Iran had somehow developed this malware 247 00:15:12,120 --> 00:15:16,040 Speaker 1: itself and then accidentally unleashed it on its own computers, 248 00:15:16,120 --> 00:15:20,360 Speaker 1: but that was considered a lesser possibility. So who done it? 249 00:15:20,920 --> 00:15:23,320 Speaker 1: I'll talk more about that in a second, but first 250 00:15:23,680 --> 00:15:33,400 Speaker 1: let's take a quick break to thank our sponsor. So 251 00:15:33,440 --> 00:15:37,600 Speaker 1: while they were looking through the code, the Symantec team 252 00:15:37,680 --> 00:15:40,480 Speaker 1: noted that they saw something that looked like it was 253 00:15:40,520 --> 00:15:43,640 Speaker 1: a date that was written out in Unix format. 
So 254 00:15:43,720 --> 00:15:48,240 Speaker 1: when you unscramble that, the date would have been May nine, 255 00:15:48,360 --> 00:15:51,920 Speaker 1: nineteen seventy nine, and this was a potential hint as 256 00:15:51,960 --> 00:15:58,640 Speaker 1: to the origin of this malware. On May nine, the 257 00:15:58,680 --> 00:16:04,040 Speaker 1: Iranian government executed a businessman named Habib Elghanian by 258 00:16:04,160 --> 00:16:07,400 Speaker 1: fire, by firing squad. So Elghanian had been accused 259 00:16:07,480 --> 00:16:11,000 Speaker 1: of spying on Iran on behalf of Israel. He was 260 00:16:11,040 --> 00:16:14,640 Speaker 1: a philanthropist and a member of the Jewish community in Iran, 261 00:16:15,400 --> 00:16:18,120 Speaker 1: and he was then accused by the government saying you 262 00:16:18,160 --> 00:16:22,400 Speaker 1: aren't actually you're an Israeli spy. There was nothing in 263 00:16:22,560 --> 00:16:26,520 Speaker 1: the code itself that would directly link to that event. 264 00:16:26,640 --> 00:16:31,720 Speaker 1: There were no mentions of the name Elghanian in there, 265 00:16:31,840 --> 00:16:34,640 Speaker 1: but there was that date and that was something that 266 00:16:34,720 --> 00:16:36,480 Speaker 1: kind of stood out to the team when they were 267 00:16:36,520 --> 00:16:38,880 Speaker 1: thinking about. They did a Google search on that date 268 00:16:38,920 --> 00:16:41,240 Speaker 1: to see if anything notable had happened, and when they 269 00:16:41,240 --> 00:16:44,560 Speaker 1: saw that, they thought, huh, because one of the entities 270 00:16:44,600 --> 00:16:48,000 Speaker 1: we thought about as possibly being responsible for this was Israel, 271 00:16:48,120 --> 00:16:51,200 Speaker 1: so maybe that's an implication there. So I thought maybe 272 00:16:51,200 --> 00:16:55,480 Speaker 1: this is a actually a long run at some form 273 00:16:55,560 --> 00:16:59,720 Speaker 1: of retribution in response to that execution. 
There was another 274 00:17:00,600 --> 00:17:04,000 Speaker 1: potential reference to Israel that was found in this code, 275 00:17:04,080 --> 00:17:07,800 Speaker 1: although this one is definitely very tenuous, and that was 276 00:17:07,840 --> 00:17:10,080 Speaker 1: in the form of one of the file directories and 277 00:17:10,160 --> 00:17:12,760 Speaker 1: a file that was found within that Stuxnet code. 278 00:17:12,760 --> 00:17:16,879 Speaker 1: The file directory contained the words Myrtus, M-Y-R- 279 00:17:17,000 --> 00:17:21,800 Speaker 1: T-U-S, and Guava. Myrtus is the genus that 280 00:17:21,880 --> 00:17:26,239 Speaker 1: Guava belongs to, and in Jewish history, there is a 281 00:17:26,240 --> 00:17:30,520 Speaker 1: prominent figure named Queen Esther but before she became Queen 282 00:17:31,160 --> 00:17:35,800 Speaker 1: Esther's name was Hadassah, which is the Hebrew word for 283 00:17:35,960 --> 00:17:40,159 Speaker 1: myrtle or Myrtus. Now, again, this was like a long 284 00:17:40,240 --> 00:17:43,439 Speaker 1: shot connection if you're looking at this, but it was 285 00:17:43,480 --> 00:17:47,040 Speaker 1: a possible clue that maybe someone from Israel was involved. However, 286 00:17:47,359 --> 00:17:50,800 Speaker 1: other people pointed out that there was another potential explanation 287 00:17:50,920 --> 00:17:54,360 Speaker 1: for the Myrtus name, that in fact it wasn't Myrtus 288 00:17:54,400 --> 00:17:59,000 Speaker 1: but My RTUs because RTU could stand for 289 00:17:59,200 --> 00:18:04,680 Speaker 1: remote terminal unit, So it wasn't, you know, a smoking 290 00:18:04,720 --> 00:18:07,640 Speaker 1: gun by any stretch of the imagination. 
The Symantec team 291 00:18:07,680 --> 00:18:11,000 Speaker 1: also saw that the Stuxnet code contained a function 292 00:18:11,440 --> 00:18:15,919 Speaker 1: that logged every machine the malware had infected along its way, 293 00:18:16,040 --> 00:18:18,960 Speaker 1: So that instance of malware, once it passed from one 294 00:18:19,000 --> 00:18:22,240 Speaker 1: machine to another, it would send a note back to 295 00:18:22,440 --> 00:18:25,479 Speaker 1: HQ, and that note would include, hey, I jumped 296 00:18:25,480 --> 00:18:29,000 Speaker 1: from machine A to machine B. So by looking at 297 00:18:29,040 --> 00:18:32,000 Speaker 1: an instance of the malware, you could track all the 298 00:18:32,040 --> 00:18:35,480 Speaker 1: machines it infected. In fact, you could trace the 299 00:18:35,600 --> 00:18:39,560 Speaker 1: infection from the last point all the way to the 300 00:18:39,640 --> 00:18:42,320 Speaker 1: very first one. So if you intercepted the message, as 301 00:18:42,480 --> 00:18:46,480 Speaker 1: Symantec had been doing, because they had contacted those domain 302 00:18:46,560 --> 00:18:49,600 Speaker 1: name servers to send that traffic to them instead of 303 00:18:49,600 --> 00:18:53,600 Speaker 1: to those bogus soccer sites. You could actually trace back 304 00:18:53,720 --> 00:18:57,880 Speaker 1: every infected machine to that point of infection, and from 305 00:18:57,920 --> 00:19:00,280 Speaker 1: there you could look at the computers that were initially 306 00:19:00,320 --> 00:19:05,240 Speaker 1: targeted as the starting point. 
Using that method, they identified 307 00:19:05,320 --> 00:19:09,560 Speaker 1: five companies in Iran that served as the insertion points 308 00:19:09,560 --> 00:19:13,400 Speaker 1: for the malware, and according to Symantec, those five companies 309 00:19:13,440 --> 00:19:18,639 Speaker 1: accounted for twelve thousand infected machines at those locations and 310 00:19:18,720 --> 00:19:22,800 Speaker 1: were responsible for an additional one hundred thousand more machine 311 00:19:22,800 --> 00:19:26,560 Speaker 1: infections in more than one hundred countries. Now, one of 312 00:19:26,560 --> 00:19:31,040 Speaker 1: the reasons Stuxnet was uncovered so quickly, relatively speaking, 313 00:19:31,560 --> 00:19:35,240 Speaker 1: was because the designers had made it so viral. Using 314 00:19:35,320 --> 00:19:38,480 Speaker 1: USB as an injection method helped reduce the target zone 315 00:19:38,520 --> 00:19:41,400 Speaker 1: for the virus, but still the methods that Stuxnet 316 00:19:41,440 --> 00:19:45,080 Speaker 1: depended upon to go from machine to machine pretty much 317 00:19:45,080 --> 00:19:49,040 Speaker 1: guaranteed that it would eventually infect computers outside of its 318 00:19:49,080 --> 00:19:53,080 Speaker 1: intended target zone. Most people agree that the Stuxnet 319 00:19:53,240 --> 00:19:58,040 Speaker 1: designers wanted to really contain the infection. They just wanted 320 00:19:58,040 --> 00:20:02,880 Speaker 1: to surgically target specific machines, but they also really 321 00:20:03,240 --> 00:20:07,040 Speaker 1: really wanted to get a hit, So it was kind 322 00:20:07,080 --> 00:20:10,159 Speaker 1: of a balancing act. How do you make sure that 323 00:20:10,280 --> 00:20:14,360 Speaker 1: your malware is virulent enough so that you are guaranteed 324 00:20:14,359 --> 00:20:17,560 Speaker 1: to hit your target, but you don't want it spreading 325 00:20:17,560 --> 00:20:20,360 Speaker 1: throughout the world. 
They thought they got a good balance, 326 00:20:20,480 --> 00:20:24,240 Speaker 1: especially with a USB delivery methodology, but as it turns out, 327 00:20:24,359 --> 00:20:28,960 Speaker 1: it definitely expanded beyond Iran's borders, and that in turn 328 00:20:29,440 --> 00:20:32,399 Speaker 1: made it more likely that someone was going to figure 329 00:20:32,400 --> 00:20:35,120 Speaker 1: out that it existed. And once you know it exists, 330 00:20:35,440 --> 00:20:38,960 Speaker 1: you can start to make countermeasures and protect yourself against 331 00:20:39,040 --> 00:20:42,200 Speaker 1: it and try to remove the virus from infecting machines. 332 00:20:42,880 --> 00:20:46,000 Speaker 1: So that computer that was caught in that crash reboot 333 00:20:46,040 --> 00:20:49,960 Speaker 1: phase ended up being a red flag. But even if 334 00:20:49,960 --> 00:20:53,520 Speaker 1: that computer had not failed at that time, some other 335 00:20:53,560 --> 00:20:57,840 Speaker 1: machine would surely have done something similar and then Stuxnet 336 00:20:57,880 --> 00:21:00,960 Speaker 1: would have been uncovered. So it probably would have 337 00:21:01,040 --> 00:21:04,520 Speaker 1: just been another month, maybe two months. It's impossible to 338 00:21:04,600 --> 00:21:09,800 Speaker 1: say because history is already unfolded. But it wouldn't have 339 00:21:09,840 --> 00:21:13,119 Speaker 1: gone unknown forever, because again, it was just it was 340 00:21:13,160 --> 00:21:16,960 Speaker 1: too virulent. It was moving beyond the intended audience or 341 00:21:16,960 --> 00:21:20,240 Speaker 1: intended targets. Even at the stage however, no one was 342 00:21:20,280 --> 00:21:23,359 Speaker 1: totally sure what Stuxnet was actually doing. 
They knew 343 00:21:23,440 --> 00:21:26,359 Speaker 1: what how it was doing things like how it was 344 00:21:26,680 --> 00:21:29,639 Speaker 1: infecting machines, and they knew that it was looking for 345 00:21:29,680 --> 00:21:34,760 Speaker 1: this Siemens software packages, but it didn't know why, what 346 00:21:35,040 --> 00:21:39,000 Speaker 1: is its purpose? It was clearly searching for logic controllers, 347 00:21:39,200 --> 00:21:41,760 Speaker 1: so stuff that was going to control industrial equipment. This 348 00:21:41,920 --> 00:21:45,280 Speaker 1: was not something that was meant to infect the average 349 00:21:45,280 --> 00:21:49,399 Speaker 1: person's PC. It was very much an industrial approach and 350 00:21:49,440 --> 00:21:53,040 Speaker 1: it was targeting Iranian companies that seemed to be clear 351 00:21:53,600 --> 00:21:56,360 Speaker 1: and security researchers had figured out that Stuxnet would 352 00:21:56,440 --> 00:22:00,800 Speaker 1: replace a legitimate DLL file for a Siemens software package 353 00:22:00,880 --> 00:22:03,600 Speaker 1: with what appeared to be a duplicate, and in fact 354 00:22:03,640 --> 00:22:06,640 Speaker 1: it could do all of the functionality of the original 355 00:22:06,720 --> 00:22:10,120 Speaker 1: DLL file. It just had a few extra tricks up 356 00:22:10,119 --> 00:22:14,480 Speaker 1: its sleeve, like it could overwrite instructions to logic controllers 357 00:22:14,920 --> 00:22:18,399 Speaker 1: which could be used to sabotage machinery. So, in other words, 358 00:22:18,520 --> 00:22:24,160 Speaker 1: you send a command to a particular industrial device, this 359 00:22:24,840 --> 00:22:28,560 Speaker 1: malware could potentially change that command. 
Not only could it 360 00:22:28,640 --> 00:22:33,000 Speaker 1: change it, it could send feedback that the intended command 361 00:22:33,200 --> 00:22:35,400 Speaker 1: was the one that went through, so to you when 362 00:22:35,400 --> 00:22:38,280 Speaker 1: you review it it looks like, oh no, everything did 363 00:22:38,320 --> 00:22:40,440 Speaker 1: exactly what was supposed to do. I mean, I told 364 00:22:40,480 --> 00:22:44,200 Speaker 1: it to do X, and according to the computer log 365 00:22:44,600 --> 00:22:48,040 Speaker 1: that's what happened. It did X. But in reality it 366 00:22:48,080 --> 00:22:50,920 Speaker 1: did Y. It's just that Stuxnet was such 367 00:22:50,960 --> 00:22:54,720 Speaker 1: a clever, clever little piece of software. It could cover 368 00:22:54,960 --> 00:22:58,720 Speaker 1: up its tracks and make you think that everything was 369 00:22:58,760 --> 00:23:00,840 Speaker 1: working the way it was supposed to, and yet stuff 370 00:23:00,880 --> 00:23:04,320 Speaker 1: was breaking. The malware would also sit dormant for about 371 00:23:04,600 --> 00:23:08,359 Speaker 1: two weeks and just record all operations that would go 372 00:23:08,440 --> 00:23:12,240 Speaker 1: on during those two weeks, but it wouldn't change anything. Then, 373 00:23:12,520 --> 00:23:16,000 Speaker 1: when the malware would start messing with stuff, start changing 374 00:23:16,000 --> 00:23:21,600 Speaker 1: those operations, start changing those commands internally, it would replay 375 00:23:21,640 --> 00:23:25,920 Speaker 1: the recordings of those operations from the previous two weeks. 
376 00:23:26,480 --> 00:23:30,480 Speaker 1: This is kind of like movies, you know, like in Speed, 377 00:23:31,080 --> 00:23:35,960 Speaker 1: where Keanu Reeves's character is able to get the video 378 00:23:36,000 --> 00:23:39,600 Speaker 1: footage of him on the bus repeated on a loop 379 00:23:39,920 --> 00:23:43,640 Speaker 1: so that Dennis Hopper's character doesn't get wise that they're 380 00:23:43,640 --> 00:23:46,080 Speaker 1: actually trying to get off the bus and instead they're 381 00:23:46,119 --> 00:23:51,040 Speaker 1: just being really focused about going more than There are 382 00:23:51,040 --> 00:23:53,560 Speaker 1: a ton of movies that do this where someone has 383 00:23:53,840 --> 00:23:56,760 Speaker 1: messed with a security camera, so it's just showing a 384 00:23:56,840 --> 00:24:00,879 Speaker 1: repeated loop of video while they go and do something sneaky. 385 00:24:00,920 --> 00:24:04,680 Speaker 1: That's exactly what this this virus was doing, except instead 386 00:24:04,680 --> 00:24:08,000 Speaker 1: of being video footage, it's a recording of the operations 387 00:24:08,119 --> 00:24:14,399 Speaker 1: that it was going through. On August, a Symantec team 388 00:24:14,400 --> 00:24:17,240 Speaker 1: went public with the assertion that Stuxnet was designed 389 00:24:17,240 --> 00:24:22,040 Speaker 1: to cause physical damage to infrastructure controlled by logic controllers. 390 00:24:22,840 --> 00:24:27,000 Speaker 1: They still weren't sure exactly what type of systems might 391 00:24:27,040 --> 00:24:30,840 Speaker 1: be the targets. They suspected it was nuclear power plants 392 00:24:31,000 --> 00:24:35,320 Speaker 1: or nuclear enrichment facilities, uranium enrichment facilities, but they weren't 393 00:24:35,400 --> 00:24:37,399 Speaker 1: entirely certain. They said it could be gas lines, or 394 00:24:37,440 --> 00:24:40,679 Speaker 1: it could be something else. 
But they figured the purpose 395 00:24:40,760 --> 00:24:44,679 Speaker 1: was not to steal information, but rather actual sabotage to 396 00:24:44,720 --> 00:24:48,320 Speaker 1: cause physical damage to targets, and that would be the 397 00:24:48,359 --> 00:24:51,840 Speaker 1: first documented case of actual cyber warfare. Five days later, 398 00:24:51,880 --> 00:24:54,879 Speaker 1: a little bit later in August, Iranian officials ordered the 399 00:24:54,960 --> 00:24:58,560 Speaker 1: outbound connections to those two dummy URLs that 400 00:24:58,720 --> 00:25:01,280 Speaker 1: had been gathering information on Stuxnet infected 401 00:25:01,320 --> 00:25:05,119 Speaker 1: machines to be severed within the country. So, in other words, 402 00:25:05,680 --> 00:25:09,000 Speaker 1: that information would not go outside of Iran anymore. If 403 00:25:09,040 --> 00:25:12,560 Speaker 1: it was being directed to those two domains, the machines 404 00:25:12,600 --> 00:25:16,040 Speaker 1: were still infected, they just couldn't send back information to 405 00:25:16,240 --> 00:25:20,920 Speaker 1: HQ. A security analyst named Ralph Langner, who specialized 406 00:25:21,000 --> 00:25:25,080 Speaker 1: in PLCs, those logic controllers that were being affected, 407 00:25:25,400 --> 00:25:28,840 Speaker 1: was looking into Stuxnet. Now, normally, he and his 408 00:25:28,960 --> 00:25:34,320 Speaker 1: analysts wouldn't bother with computer viruses because that wasn't their field. 409 00:25:34,320 --> 00:25:37,560 Speaker 1: Their field was looking at logic controllers. 
But since Stuxnet 410 00:25:37,560 --> 00:25:42,520 Speaker 1: targeted logic controllers through Windows based machines, he felt 411 00:25:42,520 --> 00:25:45,800 Speaker 1: it was necessary to understand that malware a little bit better, 412 00:25:46,080 --> 00:25:48,600 Speaker 1: and he deduced that the real purpose of the malware 413 00:25:48,920 --> 00:25:52,400 Speaker 1: was to disrupt Iran's nuclear program. He published a few 414 00:25:52,400 --> 00:25:56,840 Speaker 1: blog posts about this in September. The first was titled 415 00:25:57,040 --> 00:26:01,119 Speaker 1: Hack of the Century, and in those blog posts he 416 00:26:01,200 --> 00:26:05,200 Speaker 1: laid out his hypothesis that Stuxnet was targeting centrifuges 417 00:26:05,440 --> 00:26:09,000 Speaker 1: in Iran for the purposes of destroying them and disrupting 418 00:26:09,040 --> 00:26:13,800 Speaker 1: Iran's plans at the very least. Now, mistakenly, he identified 419 00:26:13,840 --> 00:26:17,800 Speaker 1: the nuclear power plant Bushehr as the target because he 420 00:26:17,880 --> 00:26:22,000 Speaker 1: thought that the uranium enrichment facilities were co located at 421 00:26:22,000 --> 00:26:24,640 Speaker 1: the nuclear power plant. In reality, they were not, They 422 00:26:24,640 --> 00:26:28,159 Speaker 1: were miles away in Natanz, but he thought Bushehr was 423 00:26:28,240 --> 00:26:32,200 Speaker 1: probably the target at the time. It was later Frank Rieger, 424 00:26:32,400 --> 00:26:35,000 Speaker 1: who worked for a German security firm called GSMK, 425 00:26:35,160 --> 00:26:37,879 Speaker 1: who identified Natanz as the target for the 426 00:26:37,920 --> 00:26:41,640 Speaker 1: malware rather than Bushehr. As for who was behind it, well, 427 00:26:41,720 --> 00:26:46,199 Speaker 1: all signs pointed to a joint United States Israeli operation. 
428 00:26:46,840 --> 00:26:51,520 Speaker 1: As early as two thousand five, advisors were asking President 429 00:26:51,640 --> 00:26:56,360 Speaker 1: George Bush to do something about Natanz. Israeli officials were 430 00:26:56,400 --> 00:27:01,320 Speaker 1: asking about an air strike, but Bush was not eager 431 00:27:01,359 --> 00:27:04,680 Speaker 1: to go down that path. This is George W. Bush, 432 00:27:04,720 --> 00:27:08,000 Speaker 1: by the way, the second George Bush. The United States 433 00:27:08,040 --> 00:27:11,240 Speaker 1: was already at that time involved in armed conflicts in 434 00:27:11,320 --> 00:27:15,240 Speaker 1: Iraq and Afghanistan. They were not going terribly well. It 435 00:27:15,320 --> 00:27:18,040 Speaker 1: was very slow going and had a lot of negative 436 00:27:18,359 --> 00:27:22,600 Speaker 1: publicity about it. So George W. Bush wasn't really eager 437 00:27:22,640 --> 00:27:26,720 Speaker 1: to also throw Iran into the mix. Cyber war experts 438 00:27:26,760 --> 00:27:30,080 Speaker 1: suggested to the president that a digital strike was possible 439 00:27:30,119 --> 00:27:33,360 Speaker 1: and laid out their idea for using code to disrupt 440 00:27:33,480 --> 00:27:38,760 Speaker 1: critical operations in the Iranian enrichment facility and actually damage 441 00:27:39,040 --> 00:27:43,000 Speaker 1: and destroy centrifuges just by using code. Now, at the time, 442 00:27:43,040 --> 00:27:48,320 Speaker 1: this was still considered a pretty radical idea. They decided 443 00:27:48,440 --> 00:27:52,120 Speaker 1: that this was a decent line of attack. They got 444 00:27:52,119 --> 00:27:56,280 Speaker 1: the go ahead, got the code name Operation Olympic Games 445 00:27:56,600 --> 00:28:00,919 Speaker 1: behind the scenes, but uh yeah, and went ahead. 
And 446 00:28:00,960 --> 00:28:04,680 Speaker 1: now it's never been officially acknowledged, but the reports that 447 00:28:04,720 --> 00:28:07,560 Speaker 1: have come out since the time of Stuxnet 448 00:28:07,640 --> 00:28:11,320 Speaker 1: stated that President Bush had requested four hundred million dollars 449 00:28:11,320 --> 00:28:15,119 Speaker 1: from Congress to fund covert operations with the purpose of 450 00:28:15,160 --> 00:28:20,960 Speaker 1: interfering with Iran's nuclear program, and Congress said okey doke. Now, 451 00:28:20,960 --> 00:28:22,800 Speaker 1: not all of that money went to the development of 452 00:28:22,800 --> 00:28:25,560 Speaker 1: Stuxnet, some of it went towards other efforts to 453 00:28:25,600 --> 00:28:28,200 Speaker 1: stir up trouble in Iran. The plan was to slow 454 00:28:28,240 --> 00:28:32,879 Speaker 1: down Iran's uranium enrichment operations. There were no illusions that 455 00:28:32,920 --> 00:28:36,560 Speaker 1: their efforts would destroy the facility, but rather gum up 456 00:28:36,600 --> 00:28:39,040 Speaker 1: the works enough to keep Iran from making a lot 457 00:28:39,080 --> 00:28:41,760 Speaker 1: of progress while they figured out another way to confront 458 00:28:41,800 --> 00:28:46,640 Speaker 1: the situation. Reportedly, General James Cartwright of the US 459 00:28:46,640 --> 00:28:50,600 Speaker 1: Strategic Command and Keith Alexander, who was a former NSA 460 00:28:50,720 --> 00:28:53,400 Speaker 1: director, were in charge of the high level 461 00:28:53,480 --> 00:28:56,760 Speaker 1: planning for Operation Olympic Games. The NSA and 462 00:28:56,840 --> 00:29:01,440 Speaker 1: an Israeli team from Defense Forces Unit eighty-two hundred, 463 00:29:01,520 --> 00:29:04,120 Speaker 1: which is kind of their version of the NSA, 464 00:29:04,480 --> 00:29:08,360 Speaker 1: were responsible for actually developing the code. 
By changing the 465 00:29:08,480 --> 00:29:13,040 Speaker 1: rotational speed of the centrifuges repeatedly, they could cause the 466 00:29:13,080 --> 00:29:17,200 Speaker 1: machines to tear themselves apart. Now, there was no danger 467 00:29:17,280 --> 00:29:20,560 Speaker 1: of a nuclear explosion. It wasn't like they were going 468 00:29:20,600 --> 00:29:25,280 Speaker 1: to trigger some sort of cataclysmic event. But the uranium 469 00:29:25,440 --> 00:29:27,800 Speaker 1: was just a gas form, so if you made the 470 00:29:27,840 --> 00:29:32,280 Speaker 1: centrifuges break, it would kind of disperse into the air. Now, 471 00:29:32,320 --> 00:29:35,800 Speaker 1: it was dangerous for humans to be exposed to uranium gas, 472 00:29:36,200 --> 00:29:39,040 Speaker 1: but it wasn't explosive or anything like that. It apparently 473 00:29:39,080 --> 00:29:41,600 Speaker 1: took about eight months from the time the plan was 474 00:29:41,640 --> 00:29:45,200 Speaker 1: approved to when it was ready to be implemented, which 475 00:29:45,280 --> 00:29:48,680 Speaker 1: was a really fast turnaround. The team presented pieces of 476 00:29:48,720 --> 00:29:52,239 Speaker 1: a destroyed centrifuge to President Bush as proof that their 477 00:29:52,280 --> 00:29:55,800 Speaker 1: idea of using computer code to tear physical machinery apart 478 00:29:56,120 --> 00:29:59,960 Speaker 1: was legitimate. They had acquired some centrifuges, the exact same 479 00:30:00,120 --> 00:30:03,320 Speaker 1: kind that Iran had been relying upon, and they had 480 00:30:03,400 --> 00:30:07,120 Speaker 1: run several tests using code to change up the frequency 481 00:30:07,320 --> 00:30:10,160 Speaker 1: at which the centrifuge would rotate, and they changed it 482 00:30:10,240 --> 00:30:15,520 Speaker 1: repeatedly until it would literally spin itself into pieces. So 483 00:30:15,840 --> 00:30:19,680 Speaker 1: they created an early build of what would become Stuxnet. 
484 00:30:20,080 --> 00:30:22,400 Speaker 1: Later on people would refer to it as Stuxnet 485 00:30:22,520 --> 00:30:27,760 Speaker 1: point five. This version of it somehow eventually found 486 00:30:27,760 --> 00:30:31,600 Speaker 1: its way onto computers in Iran, though the version there 487 00:30:31,640 --> 00:30:35,959 Speaker 1: didn't target the spinning motor of the centrifuges. Instead, it 488 00:30:36,000 --> 00:30:39,760 Speaker 1: was targeting valves that controlled the flow of uranium gas 489 00:30:39,800 --> 00:30:42,760 Speaker 1: into and out of the centrifuges, So they can mess 490 00:30:42,840 --> 00:30:47,120 Speaker 1: with the gas pressure inside the centrifuge, but they 491 00:30:47,160 --> 00:30:51,120 Speaker 1: could not change the rotation speed. When President Obama took 492 00:30:51,200 --> 00:30:54,840 Speaker 1: office in two thousand eight, he was reportedly informed of 493 00:30:54,880 --> 00:30:59,560 Speaker 1: the operation, and he decided to have it continue because 494 00:30:59,600 --> 00:31:04,480 Speaker 1: a non military intervention in Iran's nuclear plan was still 495 00:31:04,520 --> 00:31:07,520 Speaker 1: preferred to the alternative. I got a little bit more 496 00:31:07,560 --> 00:31:11,200 Speaker 1: to talk about as far as Stuxnet is concerned, 497 00:31:11,240 --> 00:31:13,280 Speaker 1: but before I get into this last section, let's take 498 00:31:13,280 --> 00:31:23,200 Speaker 1: another quick break to thank our sponsor. All Right, We've 499 00:31:23,240 --> 00:31:26,120 Speaker 1: talked a lot about the payload. We talked a lot 500 00:31:26,160 --> 00:31:29,800 Speaker 1: about the delivery system of Stuxnet. We talked about 501 00:31:29,840 --> 00:31:31,720 Speaker 1: what it was meant to do. Was meant to disrupt 502 00:31:31,720 --> 00:31:35,920 Speaker 1: Iran's nuclear program. 
So the question is did it actually 503 00:31:35,960 --> 00:31:38,280 Speaker 1: succeed in what it was supposed to do? Well, that 504 00:31:38,440 --> 00:31:42,600 Speaker 1: is actually debatable. If we assume, as has been reported, 505 00:31:43,080 --> 00:31:45,400 Speaker 1: that the goal of the malware was to slow down 506 00:31:45,480 --> 00:31:49,200 Speaker 1: Iran's nuclear plan, the answer is it kind of succeeded. 507 00:31:50,040 --> 00:31:53,840 Speaker 1: Despite Stuxnet and other strategies that were employed at 508 00:31:53,840 --> 00:31:56,560 Speaker 1: the same time they were all designed to limit Iran's 509 00:31:56,600 --> 00:32:01,160 Speaker 1: nuclear capabilities, the country was able to produce more enriched 510 00:32:01,280 --> 00:32:06,360 Speaker 1: uranium in than it had in previous years. The country 511 00:32:06,400 --> 00:32:09,680 Speaker 1: made less of it than what they had anticipated. They 512 00:32:09,680 --> 00:32:12,040 Speaker 1: had projected that they would make much more than what 513 00:32:12,160 --> 00:32:16,080 Speaker 1: they did because of the setbacks they experienced from Stuxnet 514 00:32:16,120 --> 00:32:19,600 Speaker 1: and other measures, but still, year over year, they 515 00:32:19,640 --> 00:32:23,680 Speaker 1: produced more enriched uranium. So while Iran wasn't where the 516 00:32:23,680 --> 00:32:26,080 Speaker 1: government officials wanted it to be in terms of its 517 00:32:26,160 --> 00:32:30,360 Speaker 1: nuclear aspirations, it was still making progress, just more slowly 518 00:32:30,440 --> 00:32:34,320 Speaker 1: than what they wanted. Stuxnet also ended up opening 519 00:32:34,440 --> 00:32:37,320 Speaker 1: up the possibility of a new era of cyber warfare. 
520 00:32:37,640 --> 00:32:41,360 Speaker 1: There had already been plenty of incidents of state sponsored 521 00:32:41,400 --> 00:32:46,520 Speaker 1: hackers inserting malicious code into the infrastructure of other nations, 522 00:32:46,560 --> 00:32:51,000 Speaker 1: so that was not new. But this Stuxnet marked 523 00:32:51,080 --> 00:32:54,280 Speaker 1: the first documented case of someone using computers to cause 524 00:32:54,400 --> 00:32:58,360 Speaker 1: physical damage to a country's equipment. And once people saw 525 00:32:58,480 --> 00:33:01,560 Speaker 1: what was possible, and there would be future attempts that 526 00:33:01,600 --> 00:33:05,560 Speaker 1: would be built on that same realization. So that's not great. 527 00:33:05,960 --> 00:33:09,400 Speaker 1: One of Stuxnet's legacies was a warning that it's 528 00:33:09,480 --> 00:33:12,320 Speaker 1: no longer just a world in which computers can be 529 00:33:12,360 --> 00:33:16,480 Speaker 1: the targets. Programmable logic circuits are legit targets, and they're 530 00:33:16,480 --> 00:33:21,080 Speaker 1: incorporated into all sorts of different critical infrastructure systems like 531 00:33:21,160 --> 00:33:24,959 Speaker 1: power grids and gas pipelines, and unlike computers, there were 532 00:33:25,000 --> 00:33:28,720 Speaker 1: no anti virus software packages that could protect PLCs. 533 00:33:28,920 --> 00:33:32,600 Speaker 1: If you could protect the computers that interface 534 00:33:32,880 --> 00:33:36,720 Speaker 1: with those PLCs, you'd be pretty safe. But Stuxnet 535 00:33:36,720 --> 00:33:38,800 Speaker 1: had shown that it was possible to make this very 536 00:33:38,840 --> 00:33:41,680 Speaker 1: hard to do, and it concerned a lot of folks 537 00:33:41,720 --> 00:33:45,719 Speaker 1: in multiple industrial organizations as a result. 
Imagine that just 538 00:33:45,800 --> 00:33:49,600 Speaker 1: a few lines of code could cause billions of dollars 539 00:33:49,600 --> 00:33:53,160 Speaker 1: in damages by making critical pieces of infrastructure fall apart 540 00:33:53,280 --> 00:33:56,880 Speaker 1: or overheat or otherwise fail. It's kind of scary. Another 541 00:33:56,960 --> 00:33:59,960 Speaker 1: legacy was that hackers would use the Stuxnet vector 542 00:34:00,080 --> 00:34:03,520 Speaker 1: as an approach in future malware attacks. It would use 543 00:34:03,520 --> 00:34:09,120 Speaker 1: that same strategy, sometimes using the same vulnerabilities, because even 544 00:34:09,160 --> 00:34:14,120 Speaker 1: though an operating system might patch a vulnerability once it's discovered, 545 00:34:14,600 --> 00:34:18,919 Speaker 1: you still have to have that patch roll out to everybody. 546 00:34:18,920 --> 00:34:21,840 Speaker 1: People have to update their operating systems. By the way, 547 00:34:22,000 --> 00:34:24,080 Speaker 1: this is a good time to remind you to make 548 00:34:24,080 --> 00:34:27,040 Speaker 1: sure your software is up to date, because if there 549 00:34:27,080 --> 00:34:32,120 Speaker 1: are vulnerabilities that exist, those are active on your software 550 00:34:32,160 --> 00:34:35,200 Speaker 1: if you haven't patched yet. So while everyone else would 551 00:34:35,200 --> 00:34:38,440 Speaker 1: be immune to an attack that has been patched, the 552 00:34:38,480 --> 00:34:41,360 Speaker 1: vulnerability that the attack would rely upon has been patched 553 00:34:41,360 --> 00:34:45,160 Speaker 1: out of existence. If you haven't uploaded or updated rather 554 00:34:45,520 --> 00:34:50,880 Speaker 1: your software with that patch, you're still potentially a victim. 555 00:34:51,360 --> 00:34:55,240 Speaker 1: So make sure your software is up to date. 
Another legacy, 556 00:34:56,200 --> 00:35:00,359 Speaker 1: besides the fact that now we have the fear of 557 00:35:01,040 --> 00:35:05,480 Speaker 1: Stuxnet, was that you could end up getting a 558 00:35:05,520 --> 00:35:09,319 Speaker 1: similar approach that had a different payload entirely. One of 559 00:35:09,360 --> 00:35:12,360 Speaker 1: those that seemed to fit this definition, at first anyway, 560 00:35:12,440 --> 00:35:17,319 Speaker 1: was called Duqu, D U Q U. Unlike Stuxnet, 561 00:35:17,600 --> 00:35:20,680 Speaker 1: it did not have a payload aimed at programmable logic 562 00:35:20,719 --> 00:35:25,400 Speaker 1: controllers or PLCs. Instead, its payload had a key logger, 563 00:35:25,880 --> 00:35:28,080 Speaker 1: and a key logger is a program that just records 564 00:35:28,200 --> 00:35:32,160 Speaker 1: every key stroke made on the infected computer's keyboard. So 565 00:35:32,200 --> 00:35:35,120 Speaker 1: it's a way to steal stuff like user names and passwords, 566 00:35:35,160 --> 00:35:38,560 Speaker 1: as well as other information. But while this payload was different, 567 00:35:38,600 --> 00:35:42,480 Speaker 1: the delivery mechanism that the malware relied upon was nearly 568 00:35:42,600 --> 00:35:47,359 Speaker 1: identical to Stuxnet, and like Stuxnet, Duqu had 569 00:35:47,480 --> 00:35:51,000 Speaker 1: a self destruct code built into it. The malware was 570 00:35:51,040 --> 00:35:55,800 Speaker 1: set to delete itself and all traces of itself 571 00:35:55,840 --> 00:35:58,879 Speaker 1: from a machine after thirty six days. 
As it turns out, 572 00:35:58,960 --> 00:36:02,040 Speaker 1: it wasn't perfect at doing this, It actually would leave 573 00:36:02,080 --> 00:36:04,759 Speaker 1: behind a few traces if you knew what to look for, 574 00:36:04,880 --> 00:36:07,080 Speaker 1: but you had to find out about Duqu first, or 575 00:36:07,080 --> 00:36:09,640 Speaker 1: else you wouldn't even know to look for the trace 576 00:36:09,800 --> 00:36:14,080 Speaker 1: evidence it would leave behind. Now, this suggested to the 577 00:36:14,120 --> 00:36:17,440 Speaker 1: Symantec team, the same team that had investigated the Stuxnet 578 00:36:17,480 --> 00:36:20,840 Speaker 1: virus, that the code was intended as an advance 579 00:36:21,040 --> 00:36:24,840 Speaker 1: scout to seek out target computers for the quote unquote 580 00:36:25,120 --> 00:36:29,200 Speaker 1: real attack that would be sure to follow. So, in 581 00:36:29,239 --> 00:36:32,839 Speaker 1: other words, it wasn't necessarily meant as an attack all 582 00:36:32,880 --> 00:36:38,280 Speaker 1: in and of itself. It was meant to identify potential target computers. Duqu, 583 00:36:38,360 --> 00:36:40,920 Speaker 1: as it turned out, appeared to be designed to attack 584 00:36:41,280 --> 00:36:45,279 Speaker 1: certificate authorities. Now, these are the companies that create those 585 00:36:45,280 --> 00:36:49,279 Speaker 1: digital certificates I mentioned in the previous episode, and it 586 00:36:49,360 --> 00:36:52,200 Speaker 1: does this on behalf of other organizations, and those digital 587 00:36:52,239 --> 00:36:57,239 Speaker 1: certificates act as an authentication, a proof that a piece 588 00:36:57,280 --> 00:37:00,560 Speaker 1: of software comes from a trusted source. 
So if you 589 00:37:00,560 --> 00:37:05,720 Speaker 1: could compromise one of these organizations that creates these certificates, 590 00:37:05,760 --> 00:37:10,680 Speaker 1: you could issue yourself seemingly legitimate certificates from all sorts 591 00:37:10,760 --> 00:37:14,239 Speaker 1: of trusted sources and use that to deliver malware to 592 00:37:14,360 --> 00:37:18,320 Speaker 1: many potential targets that would have next to no defense 593 00:37:18,480 --> 00:37:22,160 Speaker 1: against it because their machines are trusting the source. They've 594 00:37:22,160 --> 00:37:24,839 Speaker 1: been told by the operating system, Hey, you can let 595 00:37:24,840 --> 00:37:29,120 Speaker 1: this guy in. I know him, he's cool. Later on, 596 00:37:29,560 --> 00:37:34,439 Speaker 1: investigation into Duqu indicated that it actually preceded Stuxnet. 597 00:37:34,520 --> 00:37:37,520 Speaker 1: It was an older virus. It just wasn't discovered till 598 00:37:37,600 --> 00:37:40,480 Speaker 1: after Stuxnet had been discovered. It may have actually 599 00:37:40,800 --> 00:37:44,600 Speaker 1: served as a guide for the team who designed Stuxnet. 600 00:37:44,640 --> 00:37:48,719 Speaker 1: They may have relied upon Duqu's architecture to build Stuxnet. 601 00:37:49,120 --> 00:37:52,320 Speaker 1: It did not use USB sticks to infect computers, however. 602 00:37:52,640 --> 00:37:55,760 Speaker 1: Instead the code was hidden inside a bogus Word document, 603 00:37:56,320 --> 00:38:00,239 Speaker 1: and the document contained the malware that would exploit 604 00:38:00,480 --> 00:38:05,320 Speaker 1: a vulnerability in the font parsing engine for Windows. 
Duqu 605 00:38:05,480 --> 00:38:08,040 Speaker 1: was suspected of gathering some of the information that Stuxnet 606 00:38:08,080 --> 00:38:11,400 Speaker 1: would later capitalize on, but researchers also felt that 607 00:38:11,440 --> 00:38:14,920 Speaker 1: the two malware packages had been designed by different teams 608 00:38:15,160 --> 00:38:19,320 Speaker 1: who were working from essentially the same foundation. Another malware 609 00:38:19,360 --> 00:38:23,880 Speaker 1: suite dubbed Flame by Kaspersky used a similar approach to 610 00:38:23,920 --> 00:38:27,480 Speaker 1: Stuxnet in some ways, but this malware was modular, 611 00:38:27,640 --> 00:38:31,879 Speaker 1: meaning different payloads could be attached to the delivery mechanism, 612 00:38:32,200 --> 00:38:35,400 Speaker 1: so the virus could do different things depending upon which 613 00:38:35,480 --> 00:38:38,719 Speaker 1: modules you attached to it. It would determine what the 614 00:38:38,719 --> 00:38:41,920 Speaker 1: code would actually do once the machine that you were 615 00:38:41,920 --> 00:38:47,200 Speaker 1: targeting was infected. Uh, some modules would end up activating 616 00:38:47,200 --> 00:38:51,279 Speaker 1: a microphone so that you could record nearby speech. Some 617 00:38:51,320 --> 00:38:55,560 Speaker 1: would take screenshots of the target computer screens. Others would 618 00:38:55,560 --> 00:38:59,480 Speaker 1: just be key loggers or programs that could copy documents 619 00:38:59,480 --> 00:39:01,719 Speaker 1: that were stored on the computer and send it 620 00:39:01,760 --> 00:39:06,319 Speaker 1: back to a different computer, spying stuff in other words. Now, 621 00:39:06,400 --> 00:39:11,080 Speaker 1: Flame was enormous. It was twenty megabytes, so that's huge. 
622 00:39:11,120 --> 00:39:13,360 Speaker 1: You know, Stuxnet when it was packed up was 623 00:39:13,400 --> 00:39:17,000 Speaker 1: five kilobytes and it was considered big, But twenty megabytes 624 00:39:17,080 --> 00:39:20,319 Speaker 1: was huge if you had all the different modules added in. 625 00:39:20,840 --> 00:39:24,880 Speaker 1: And it was really interesting that someone had developed this 626 00:39:25,080 --> 00:39:30,400 Speaker 1: very sophisticated approach to uh malware, something that could be 627 00:39:30,560 --> 00:39:33,640 Speaker 1: adapted to specific uses, and you didn't have to include 628 00:39:33,640 --> 00:39:36,080 Speaker 1: all the modules. You just include the ones that are 629 00:39:36,120 --> 00:39:40,000 Speaker 1: important for whatever function you need. Um, it's pretty spooky 630 00:39:40,040 --> 00:39:43,880 Speaker 1: stuff really, and like Duqu, further investigations suggested that Flame 631 00:39:44,040 --> 00:39:48,279 Speaker 1: actually came before Stuxnet. Again, it was discovered after 632 00:39:48,320 --> 00:39:53,120 Speaker 1: Stuxnet, but the compiling code suggested that it actually 633 00:39:53,239 --> 00:39:56,279 Speaker 1: was made first, and it led some to suspect that 634 00:39:56,360 --> 00:40:00,600 Speaker 1: the Stuxnet developers had first started using Flame as 635 00:40:00,640 --> 00:40:04,000 Speaker 1: their guide to create their malware, but then later on 636 00:40:04,280 --> 00:40:07,799 Speaker 1: they switched gears and used Duqu to finish it out. 637 00:40:08,239 --> 00:40:10,440 Speaker 1: So that's the story about Stuxnet. There's a lot 638 00:40:10,520 --> 00:40:14,600 Speaker 1: we still don't know, and I would recommend that you know, 639 00:40:14,719 --> 00:40:18,120 Speaker 1: if you're interested in learning more about this virus, check 640 00:40:18,120 --> 00:40:20,960 Speaker 1: out that book I I talked about in the first episode. 
641 00:40:20,960 --> 00:40:24,600 Speaker 1: That book is Countdown to Zero Day: Stuxnet 642 00:40:24,719 --> 00:40:28,040 Speaker 1: and the Launch of the World's First Digital Weapon. The 643 00:40:28,120 --> 00:40:31,600 Speaker 1: book goes into much more detail about the story of 644 00:40:31,640 --> 00:40:34,240 Speaker 1: Stuxnet and the people involved. It gives you background 645 00:40:34,239 --> 00:40:36,880 Speaker 1: on each of them. They're very interesting folks too. You 646 00:40:36,960 --> 00:40:42,120 Speaker 1: also learn other weird stories, like how different security firms 647 00:40:42,600 --> 00:40:46,560 Speaker 1: could have worked with each other and maybe unraveled Stuxnet 648 00:40:46,600 --> 00:40:50,320 Speaker 1: a little more quickly, but due to some issues 649 00:40:50,360 --> 00:40:55,000 Speaker 1: with communication and maybe some ego problems that didn't happen. 650 00:40:56,040 --> 00:40:57,719 Speaker 1: So I always find those kind of stories to be 651 00:40:57,760 --> 00:41:01,120 Speaker 1: really interesting too, just as interesting as the political nature 652 00:41:01,280 --> 00:41:03,920 Speaker 1: and the technological nature of this virus. It was kind 653 00:41:03,920 --> 00:41:08,000 Speaker 1: of a perfect storm and really a fascinating and ultimately 654 00:41:08,080 --> 00:41:11,799 Speaker 1: kind of scary topic. The idea of using code to 655 00:41:11,960 --> 00:41:15,280 Speaker 1: make physical changes to our world in a destructive way 656 00:41:15,880 --> 00:41:18,880 Speaker 1: is a little worrisome, maybe more than a little, especially 657 00:41:18,920 --> 00:41:22,120 Speaker 1: when you consider the fact that investigators have found evidence 658 00:41:22,360 --> 00:41:28,000 Speaker 1: of, uh, Chinese hacking code in power grid infrastructure in 659 00:41:28,000 --> 00:41:32,240 Speaker 1: the United States. Maybe that's just there to spy.
Maybe 660 00:41:32,280 --> 00:41:35,560 Speaker 1: it's also there as a potential way to shut down 661 00:41:35,600 --> 00:41:38,040 Speaker 1: parts of the power grid should China and the United 662 00:41:38,080 --> 00:41:44,040 Speaker 1: States ever enter into a more aggressively antagonistic relationship with 663 00:41:44,080 --> 00:41:46,920 Speaker 1: each other. That's the world we live in now. It 664 00:41:46,960 --> 00:41:50,000 Speaker 1: helps to educate yourself, but I admit it is kind 665 00:41:50,040 --> 00:41:53,080 Speaker 1: of scary, but hey, not all topics at tech Stuff 666 00:41:53,080 --> 00:41:55,600 Speaker 1: need to be scary. Maybe next week I'll talk about 667 00:41:55,600 --> 00:41:59,680 Speaker 1: Teddy Ruxpin being told by Tari that Teddy Ruxpin is terrifying. 668 00:42:00,520 --> 00:42:03,280 Speaker 1: But if you guys have any suggestions for future episodes 669 00:42:03,320 --> 00:42:05,200 Speaker 1: of tech Stuff, get in touch with me. Let me know. 670 00:42:05,320 --> 00:42:08,040 Speaker 1: Maybe there's a company you want me to talk about 671 00:42:08,080 --> 00:42:11,279 Speaker 1: a specific technology. Maybe there's a guest I should have 672 00:42:11,360 --> 00:42:14,120 Speaker 1: on the show, either as someone I should interview or 673 00:42:14,120 --> 00:42:17,240 Speaker 1: someone who could be a guest co host for the day. 674 00:42:17,320 --> 00:42:21,480 Speaker 1: Let me know your ideas. Send me the information on email. 675 00:42:21,719 --> 00:42:26,680 Speaker 1: Here's the address tech Stuff at how stuff works dot com, 676 00:42:26,800 --> 00:42:29,520 Speaker 1: or you can drop me a line on Facebook or Twitter. 677 00:42:29,640 --> 00:42:32,560 Speaker 1: The handle of both of those is tech Stuff H 678 00:42:32,960 --> 00:42:36,680 Speaker 1: S W. Make sure you follow us on Instagram and 679 00:42:36,840 --> 00:42:38,959 Speaker 1: if you want to watch me record these shows live.
680 00:42:39,200 --> 00:42:42,200 Speaker 1: Go to twitch dot tv slash tech Stuff. There's a 681 00:42:42,280 --> 00:42:45,120 Speaker 1: schedule there that tells you when I go online, and 682 00:42:45,200 --> 00:42:48,200 Speaker 1: there's a chat room you can join in and chat away, 683 00:42:48,400 --> 00:42:50,399 Speaker 1: and I'll be happy to chat with you, and I'll 684 00:42:50,440 --> 00:42:59,360 Speaker 1: talk to you again really soon. For more on this 685 00:42:59,560 --> 00:43:02,040 Speaker 1: and thousands of other topics, visit how stuff Works 686 00:43:02,080 --> 00:43:11,880 Speaker 1: dot com