WEBVTT - the biggest hack that never happened: the xz utils story 0:00:09.400 --> 0:00:13.280 Quick question, do you know about the Xzu Till's back 0:00:13.280 --> 0:00:15.360 door hack? What backdoor? 0:00:15.760 --> 0:00:15.960 Wait? 0:00:16.000 --> 0:00:18.959 Wait wait wait wit what the xu tills back door? 0:00:20.000 --> 0:00:21.319 I have no idea what you're talking about. 0:00:21.480 --> 0:00:22.560 I don't know what that is. 0:00:24.680 --> 0:00:28.000 This is something almost nobody's heard of, but in the 0:00:28.040 --> 0:00:31.760 spring of twenty twenty four, we narrowly avoided a complete 0:00:31.800 --> 0:00:33.000 technological disaster. 0:00:33.880 --> 0:00:36.280 So you've you've never heard of this though? Nope? 0:00:37.120 --> 0:00:39.720 Yeah, I just searched it up on Wikipedia and it 0:00:39.760 --> 0:00:40.879 seems way too nne. 0:00:40.760 --> 0:00:41.360 To read about. 0:00:42.040 --> 0:00:45.440 These aren't just random people. These are other journalists people 0:00:45.520 --> 0:00:47.400 in general who keep up with the news. 0:00:47.760 --> 0:00:49.560 Okay, I was like, wait, what did I miss? 0:00:49.920 --> 0:00:53.080 And I feel bad, But I guess maybe I'm not 0:00:53.320 --> 0:00:56.280 the only one. What journalists who doesn't know what this 0:00:56.400 --> 0:00:56.800 is about? 0:00:57.120 --> 0:00:59.680 Even they didn't really know about what could have been 0:00:59.840 --> 0:01:02.560 the biggest hack in the history of the Internet. 0:01:03.520 --> 0:01:05.959 If this had not been caught, then this would have 0:01:06.080 --> 0:01:10.040 been a skeleton key that would have allowed these attackers 0:01:10.120 --> 0:01:16.120 to break into tens of millions of incredibly important servers 0:01:16.160 --> 0:01:19.319 around the world. We probably would have had airlines not working, 0:01:19.680 --> 0:01:23.240 trading halted ATM's, not working, banks not working, people not 0:01:23.240 --> 0:01:26.720 able to get their money, you'd have a huge loss 0:01:26.800 --> 0:01:29.679 of credibility of technology in people's lives. 0:01:30.200 --> 0:01:34.399 Alex Stamos is a cybersecurity expert. Specifically, he's the chief 0:01:34.480 --> 0:01:39.000 Information Security Officer or CISO at a cybersecurity company called 0:01:39.040 --> 0:01:43.039 Sentinel One, and he's the former CIECO at Facebook. He's 0:01:43.040 --> 0:01:45.880 also a lecturer in the computer science department at Stanford 0:01:46.360 --> 0:01:49.480 and this attempted hack is something that is still keeping 0:01:49.520 --> 0:01:50.200 him up at night. 0:01:51.120 --> 0:01:56.360 It's fallen out of popular discussion, but among people in 0:01:56.400 --> 0:01:59.880 security we're still talking about it. It uncovered a real 0:02:00.880 --> 0:02:06.040 fundamental weakness that terrifies lots of people who have responsibility 0:02:06.040 --> 0:02:06.560 in this area. 0:02:07.040 --> 0:02:10.799 And what scares them most, and this should scare us too, 0:02:11.080 --> 0:02:13.400 is that this was caught by complete chance. 0:02:13.760 --> 0:02:17.600 We just got lucky, right like one dude got really 0:02:17.639 --> 0:02:22.480 bored and noticed a tiny little change in the speed 0:02:22.639 --> 0:02:26.360 of one program executing and pulled the thread. And on 0:02:26.400 --> 0:02:29.880 the end of this thread was a humongous, ticking time bomb. 0:02:30.440 --> 0:02:33.800 It was one dude, and he should never have to 0:02:33.800 --> 0:02:38.480 buy a beer for himself ever again underus freuend I'm raising. 0:02:38.160 --> 0:02:40.720 A toast to you right now. This is just water, 0:02:40.880 --> 0:02:42.639 but I wish it was more. 0:02:53.760 --> 0:03:00.400 Kaleidoscope and iHeart podcast is killed switch com dexterous. 0:03:01.520 --> 0:03:02.200 Amentarians. 0:03:23.000 --> 0:03:25.400 If you've never heard about this, that's no reason to 0:03:25.440 --> 0:03:29.520 feel bad. But if it hadn't been caught, it absolutely 0:03:29.520 --> 0:03:33.520 would have affected you. What kind of activity were talking 0:03:33.520 --> 0:03:34.200 about here. 0:03:34.440 --> 0:03:36.240 Well, we really don't know, and because we don't know 0:03:36.240 --> 0:03:38.480 who the attackers are, we don't know whether that would 0:03:38.480 --> 0:03:43.920 have been used for really quiet surveillance. It could have 0:03:44.000 --> 0:03:49.119 been used for national security intelligence gathering purposes. It could 0:03:49.120 --> 0:03:51.640 have been used for a humongous heist of hundreds of 0:03:51.680 --> 0:03:55.320 millions or billions of dollars of cryptocurrency, or it could 0:03:55.320 --> 0:03:57.960 have been used as part of a massive cyber attack 0:03:58.040 --> 0:04:01.680 to shut down millions of can and cause massive disruptions. 0:04:02.960 --> 0:04:05.640 One of the main reasons that this potential attack isn't 0:04:05.680 --> 0:04:10.000 talked about much is because the details are kind of technical. Well, 0:04:10.240 --> 0:04:12.520 some of the details are a lot of this stuff 0:04:12.560 --> 0:04:15.360 is really just basic human behavior. It's stuff that you 0:04:15.520 --> 0:04:17.839 or I could do if we really wanted, and it 0:04:17.920 --> 0:04:21.719 shows us that sometimes the best hacks are the simplest ones. 0:04:22.320 --> 0:04:25.480 Let me break it down for you. In late March 0:04:25.480 --> 0:04:29.080 of twenty twenty four, Andres Freund who's an engineer at Microsoft, 0:04:29.360 --> 0:04:31.719 was sitting at his desk doing his job when he 0:04:31.800 --> 0:04:34.719 discovered a malicious piece of code in this little known 0:04:34.800 --> 0:04:38.280 tool called xdu tilS. This code created a method that 0:04:38.320 --> 0:04:40.360 would allow hackers to access a. 0:04:40.400 --> 0:04:42.080 Lot of different computers. 0:04:42.560 --> 0:04:45.120 Maybe right now you're thinking, okay, so why is this 0:04:45.200 --> 0:04:48.000 the problem for me? I mean, I don't use xdu tilS, 0:04:48.040 --> 0:04:51.040 so they couldn't get on my computer. And yeah, maybe 0:04:51.080 --> 0:04:54.160 you've never heard of XCU tills. Actually I hadn't either, 0:04:54.640 --> 0:04:56.920 and I did what most people do when they don't 0:04:56.960 --> 0:05:00.960 understand something about a computer, call an expert. But it 0:05:01.000 --> 0:05:04.640 turns out that this really well respected expert he found 0:05:04.680 --> 0:05:06.719 out about XU tills when I did. 0:05:07.640 --> 0:05:10.200 Yeah, so I personally had not heard of xdu tilS 0:05:10.720 --> 0:05:11.600 before this. 0:05:11.760 --> 0:05:15.039 Even you really, yeah, I had definitely not heard of 0:05:15.160 --> 0:05:18.279 XU tills. I figured you would have hearing that you 0:05:18.440 --> 0:05:22.280 had not heard of it before all this happened. Frankly, 0:05:22.320 --> 0:05:24.760 that's a little bit more scary to me. Now, So 0:05:25.040 --> 0:05:27.840 why did this backdoor into a program that no one 0:05:27.880 --> 0:05:31.400 seems to know about matter so much? And what is 0:05:31.640 --> 0:05:32.600 XU tills. 0:05:32.920 --> 0:05:37.760 This is the brilliance of what these attackers did XCU 0:05:37.800 --> 0:05:40.560 tilS is an ingredient to an ingredient to an ingredient 0:05:40.600 --> 0:05:44.599 to something really important. So the thing that they wanted 0:05:44.600 --> 0:05:47.480 to have a backdoor into is a really important program 0:05:47.520 --> 0:05:48.479 called open ssh. 0:05:49.200 --> 0:05:51.080 So this is something that every tech he has heard of. 0:05:51.960 --> 0:05:54.920 All right, but what if you're not a techie. So 0:05:55.040 --> 0:05:57.400 in order to understand the XU tills haack, we do 0:05:57.480 --> 0:06:00.320 need to back up and understand something that xcutil is 0:06:00.400 --> 0:06:02.600 used in this thing called open ssh. 0:06:03.000 --> 0:06:08.719 This is the program that the majority of Unix like systems, 0:06:08.839 --> 0:06:14.480 especially Linux, also Max and some other operating systems, allow 0:06:14.560 --> 0:06:17.479 you to access them remotely over the internet. 0:06:18.160 --> 0:06:21.880 I'll get to the open later, but SSH stands for secure, show, 0:06:22.200 --> 0:06:25.200 and let's just focus on secure right now. If you 0:06:25.200 --> 0:06:27.719 think of the difference between posting a tweet online and 0:06:27.839 --> 0:06:31.919 dming someone, you're actually kind of halfway there. Open Ssh 0:06:32.000 --> 0:06:34.680 allows you to communicate with a remote computer just like 0:06:34.720 --> 0:06:36.839 you were sitting there right in front of it. So 0:06:37.080 --> 0:06:39.200 even though you're far away, if you want to send 0:06:39.200 --> 0:06:42.680 a message, or install programs or delete files, you know 0:06:42.720 --> 0:06:45.279 that the connection is safe and that nobody else can 0:06:45.320 --> 0:06:48.000 see what you're doing or tamper with that connection. 0:06:48.600 --> 0:06:50.440 So you know, when you see like people in the 0:06:50.440 --> 0:06:54.480 matrix typing really fast, see a lot of text, right 0:06:54.520 --> 0:06:57.840 if somebody is doing that remotely, it's probably over open ssh. 0:06:57.960 --> 0:06:59.760 You might think this doesn't matter for you because you 0:06:59.760 --> 0:07:03.520 don't use open ssh, but you do because that's what 0:07:03.560 --> 0:07:06.640 you use to connect to systems running Linux. Around the world. 0:07:07.080 --> 0:07:12.360 Linux has become the standard operating system for the cloud. 0:07:12.840 --> 0:07:15.200 So when you talk to Google, you're talking to a 0:07:15.200 --> 0:07:17.440 Linux system. When you talk to Facebook, you're talking to 0:07:17.480 --> 0:07:21.520 a Linux system. When you talk to Apple, you're probably talking. 0:07:21.360 --> 0:07:22.160 To a Linux system. 0:07:22.320 --> 0:07:24.320 Right now, the system that we're talking to each other 0:07:24.360 --> 0:07:27.560 with almost certainly is running Linux. So the vast majority 0:07:27.600 --> 0:07:30.200 of systems you talk to in the cloud are running Linux. 0:07:30.600 --> 0:07:34.040 Linux is used for Apple's iCloud, for social media sites 0:07:34.080 --> 0:07:38.320 like Facebook, Instagram, for YouTube, for Twitter, It's used for 0:07:38.320 --> 0:07:41.040 the New York Stock Exchange. Gamers use it when they 0:07:41.160 --> 0:07:44.240 run Steam or they play games online, and the list 0:07:44.280 --> 0:07:47.440 goes on. The vast majority of the Internet runs on 0:07:47.520 --> 0:07:51.080 Linux and open ssh. Make sure that it's you logging 0:07:51.120 --> 0:07:52.800 in and not somebody else. 0:07:53.240 --> 0:07:55.880 When you log in and you get your mail, the 0:07:55.920 --> 0:07:57.840 server that holds your mail has a stage on it 0:07:57.920 --> 0:08:02.520 the server that holds your social media SSSH, the servers 0:08:02.520 --> 0:08:05.040 that have your banking information at ssh. It's the door 0:08:05.080 --> 0:08:06.840 by which you get into these systems. 0:08:07.400 --> 0:08:11.240 So open ssh is incredibly important to the Internet and 0:08:11.400 --> 0:08:14.320 all the cloud systems that we rely on, and because 0:08:14.360 --> 0:08:16.640 of that, it has a lot of eyes on it. 0:08:17.240 --> 0:08:21.000 Trying to hack open Ssh directly would pretty much be impossible. 0:08:21.480 --> 0:08:23.320 Someone would catch you pretty quick. 0:08:24.080 --> 0:08:26.000 People pay a lot of attention to it. A lot 0:08:26.040 --> 0:08:29.640 of people run their code scanners on it, a lot 0:08:29.640 --> 0:08:31.720 of people look for bugs in it, and so it 0:08:31.720 --> 0:08:34.959 has been a while since open ssh has had itself 0:08:35.559 --> 0:08:38.240 a humongous security flaw in it. If you just join 0:08:38.320 --> 0:08:40.760 the open ssh project and said, hey, I'm a new 0:08:40.800 --> 0:08:45.240 guy that nobody ever knew, here's my code, everybody would 0:08:45.240 --> 0:08:48.839 be super suspicious, right m h. And whoever these bad 0:08:48.840 --> 0:08:51.959 guys are, they know that. So what they did was 0:08:52.000 --> 0:08:55.720 they looked at open ssh, and they looked at its 0:08:55.840 --> 0:08:58.319 dependency graph, what we call They looked at all the 0:08:58.320 --> 0:09:01.160 stuff that goes into open ssh, and what they saw 0:09:01.480 --> 0:09:05.199 was open Ssh depends on other things. 0:09:06.800 --> 0:09:10.440 This is where xzu tills comes in. Xu tills is 0:09:10.480 --> 0:09:14.160 one of the things that open Ssh depends on what 0:09:14.200 --> 0:09:15.880 does xzu tills actually do. 0:09:16.240 --> 0:09:20.000 It's a compression library, so it's just a library that 0:09:20.200 --> 0:09:23.280 is used to make data that comes in smaller so 0:09:23.320 --> 0:09:25.640 that if you're moving like a big file back and forth, 0:09:25.640 --> 0:09:28.040 it can fit down a smaller pipe. Right, you might 0:09:28.080 --> 0:09:30.160 be talking to a server on a satellite link, you 0:09:30.200 --> 0:09:32.160 might be talking over a modem. Right, you might be 0:09:32.200 --> 0:09:34.120 talking over a cell phone, and so you want your 0:09:34.160 --> 0:09:36.120 big file to fit into a smaller pipe. 0:09:36.160 --> 0:09:38.200 If you've ever used the zip file on your computer, 0:09:38.360 --> 0:09:41.800 you get the general idea. Smaller files can be transferred faster, 0:09:42.240 --> 0:09:44.520 which is important when you're dealing with so much data 0:09:44.520 --> 0:09:48.240 flowing back and forth. Xdu tilS allows open Ssh to 0:09:48.280 --> 0:09:53.680 be both safe and fast, but that's the trick. By 0:09:53.760 --> 0:09:56.960 inserting a back door into xu tills, the hackers created 0:09:56.960 --> 0:09:59.880 a way to access anything being transmitted via open ss. 0:10:01.040 --> 0:10:03.800 That meant they could not only read supposedly secure messages, 0:10:03.960 --> 0:10:07.840 but remotely run code on any server that uses open ssh. 0:10:08.120 --> 0:10:11.720 And since basically the entire Internet uses this thing, once 0:10:11.760 --> 0:10:14.160 you're in there, you can do anything you want. 0:10:15.440 --> 0:10:18.040 You could have used it for a bunch of very 0:10:18.280 --> 0:10:23.360 quiet surgical attacks over a multi year period, or you 0:10:23.400 --> 0:10:26.120 could have done one humongous big bane where you knock 0:10:26.120 --> 0:10:27.720 out a huge chunk of the Internet all at once. 0:10:28.080 --> 0:10:30.760 But how did hackers get access to xdutails in the 0:10:30.840 --> 0:10:33.679 first place. Well, remember when I promised to tell you 0:10:33.720 --> 0:10:37.880 about the open in open Ssh. Open Ssh and also 0:10:37.960 --> 0:10:41.640 Linux are open source programs. This means that anyone can 0:10:41.679 --> 0:10:44.280 look at the source code because it's open and it's 0:10:44.320 --> 0:10:48.000 posted publicly. The idea is that if everyone works together 0:10:48.080 --> 0:10:50.880 on the code, it'll be better and the publical benefit. 0:10:51.440 --> 0:10:53.720 And so anyone's free to look at the code, to 0:10:53.840 --> 0:10:55.880 learn from the code, or even to remix it for 0:10:55.920 --> 0:10:58.760 their own use. And even if you have no interest 0:10:58.760 --> 0:11:01.440 in all that nerd stuff, you still use versions of 0:11:01.440 --> 0:11:04.480 open source code every day on basically all of your 0:11:04.520 --> 0:11:06.000 devices when. 0:11:05.840 --> 0:11:09.640 You're running open source software, which people don't understand. Basically 0:11:09.720 --> 0:11:11.719 everybody is right. So what kind of phone do you have? 0:11:11.800 --> 0:11:13.199 Do you have an iPhone or Android? 0:11:13.440 --> 0:11:14.320 I actually have an Android? 0:11:14.360 --> 0:11:15.520 Yeah, okay, so Android. 0:11:15.640 --> 0:11:18.680 A humongous chunk of that code is open source, right right, 0:11:18.679 --> 0:11:22.560 And that is code that is maintained by volunteers that 0:11:22.600 --> 0:11:24.679 you have no idea who those people are. Google has 0:11:24.679 --> 0:11:27.440 no idea who those people are. Right, Google collects all 0:11:27.480 --> 0:11:29.840 this code from around the internet, they package it all 0:11:29.920 --> 0:11:32.040 up and then they put it on a phone, or 0:11:32.040 --> 0:11:34.120 they send it to Samson, and Samson puts on the phone. 0:11:34.240 --> 0:11:37.319 And before we get any further, iPhone people, this applies 0:11:37.360 --> 0:11:40.120 to you too. Your iPhone uses a lot of open 0:11:40.160 --> 0:11:43.360 source code also. And don't get me wrong, this is 0:11:43.440 --> 0:11:44.280 not a bad thing. 0:11:44.640 --> 0:11:47.200 It's great because it's free and it makes the phone cheaper, 0:11:47.240 --> 0:11:49.760 and it's cool that we all get to contribute. But 0:11:49.800 --> 0:11:53.680 the flip side is is that, yes, OpenSSH itself gets 0:11:53.679 --> 0:11:56.360 lots of love. The Linux kernel gets lots of love, right, 0:11:56.720 --> 0:11:59.960 But something like XCU tills, which is this tiny little 0:12:00.080 --> 0:12:02.719 component over here, does not get lots of enough. And 0:12:02.880 --> 0:12:06.400 xd details at the time was maintained by one person. 0:12:06.840 --> 0:12:09.480 That one dude was then manipulated to giving up control 0:12:09.520 --> 0:12:12.079 of it, and the person he gave up control of 0:12:12.120 --> 0:12:14.720 it too, turned out to be a totally fake persona 0:12:14.960 --> 0:12:15.680 to not exist. 0:12:18.280 --> 0:12:19.800 This is where we get to the human part of 0:12:19.800 --> 0:12:23.200 the story. The one guy who was maintaining xeu tills, 0:12:23.440 --> 0:12:26.800 his name was lost to Culin. He'd been maintaining xeu 0:12:26.880 --> 0:12:29.160 tills since two thousand and nine, and he was the 0:12:29.160 --> 0:12:32.440 sole maintainer for the project. He wasn't being paid for it. 0:12:32.559 --> 0:12:35.920 He was a volunteer. That's usually how open source projects go. 0:12:36.400 --> 0:12:39.240 In twenty twenty two, LASTA. Collins started to get a 0:12:39.240 --> 0:12:42.360 lot of requests to make updates to the code. Throughout 0:12:42.400 --> 0:12:46.360 the year, multiple accounts, seemingly out of nowhere, started complaining 0:12:46.440 --> 0:12:50.040 that Colin wasn't working fast enough and implying that if 0:12:50.040 --> 0:12:52.880 he wasn't interested in doing this anymore, maybe he wasn't 0:12:52.880 --> 0:12:56.000 the guy for the job and the pressure was getting 0:12:56.000 --> 0:12:56.640 to him. 0:12:56.880 --> 0:12:57.480 In June of. 0:12:57.440 --> 0:13:00.920 Twenty twenty two, Colin wrote in a public note, quote, 0:13:01.200 --> 0:13:04.040 I haven't lost interest, but my ability to care has 0:13:04.080 --> 0:13:07.800 been fairly limited, mostly due to long term mental health issues, 0:13:08.040 --> 0:13:10.839 but also due to some other things. He also went 0:13:10.880 --> 0:13:13.960 on to remind people that quote, It's also good to 0:13:14.000 --> 0:13:18.880 keep in mind that this is an unpaid hobby project. Thankfully, 0:13:19.120 --> 0:13:22.520 right about that time, a new programmer had come into help. 0:13:22.840 --> 0:13:26.160 This new person's name was Gia Tan. Colin seemed a 0:13:26.200 --> 0:13:30.120 little relieved that finally someone wasn't just complaining but helping. 0:13:30.679 --> 0:13:32.880 In that same note from June, he wrote that he'd 0:13:32.920 --> 0:13:35.760 been working a bit with Gatan on exeu utils to 0:13:35.840 --> 0:13:39.560 address all of those complaints, and he said about gia quote, 0:13:39.800 --> 0:13:42.120 perhaps he will have a bigger role in the future. 0:13:42.480 --> 0:13:46.760 We'll see. Over the course of a few years, gia 0:13:46.840 --> 0:13:50.439 Tan really started to gain lesa Collins trust. Gia Tan 0:13:50.679 --> 0:13:53.679 was the ideal contributor. He didn't just help when he 0:13:53.720 --> 0:13:55.960 was asked to, but he would offer to take on 0:13:56.120 --> 0:13:59.160 more work, and by twenty twenty four, Colin had made 0:13:59.240 --> 0:14:02.520 gia Tan a co maintainer on the project, which allowed 0:14:02.559 --> 0:14:04.520 him to add code without needing approval. 0:14:05.760 --> 0:14:07.120 This is a human attack, right. 0:14:07.120 --> 0:14:09.200 It all happened in the open, but the way they 0:14:09.200 --> 0:14:11.760 did it was they created these fake personas where one 0:14:11.800 --> 0:14:15.320 guy super friendly and one guy's a jerk, and the 0:14:15.440 --> 0:14:19.800 jerk basically is abusing the person who's maintaining the software 0:14:20.080 --> 0:14:22.080 and saying, oh, I need this change, I need this change. 0:14:22.080 --> 0:14:23.560 You're so slow. Why are you so slow? 0:14:23.600 --> 0:14:26.280 And remember this guy's not getting paid right like, and 0:14:26.320 --> 0:14:31.200 so eventually basically bully this guy to say, oh, I'm 0:14:31.240 --> 0:14:33.040 tired of doing this, I don't want to do it anymore. 0:14:33.200 --> 0:14:34.960 And then the nice guy's like, oh, well you know, 0:14:35.760 --> 0:14:38.640 I'll do it for you. I'll take over man, let 0:14:38.640 --> 0:14:39.720 me take this burden. 0:14:39.440 --> 0:14:42.760 For you, right, very convenient, right, And. 0:14:42.760 --> 0:14:45.680 This took several years, and so this shows you kind 0:14:45.680 --> 0:14:49.880 of the long play. They're willing to spend months and 0:14:49.960 --> 0:14:53.920 months and months and in fact years building these personas, 0:14:54.400 --> 0:14:56.320 because like, look, if you just created an account and 0:14:56.320 --> 0:14:58.680 you're like, hey, i've got code, take it, that wouldn't 0:14:58.680 --> 0:15:01.600 work right with these people. Figured out is that you 0:15:01.680 --> 0:15:04.280 have to create these personas. They have to seem real. 0:15:05.000 --> 0:15:08.200 You have to make posts, you have to contribute legit stuff. 0:15:08.720 --> 0:15:09.800 You've got to create. 0:15:09.600 --> 0:15:11.520 Kind of a history, build a relationship, you have to 0:15:11.520 --> 0:15:12.480 build a relationship. 0:15:12.520 --> 0:15:14.840 And so the guy who maintains it gives it up 0:15:14.880 --> 0:15:16.480 of like, oh, thank you so much for taking this 0:15:16.520 --> 0:15:18.360 burden from me, because look at these jerks. 0:15:18.400 --> 0:15:18.520 Now. 0:15:18.560 --> 0:15:20.600 Of course he doesn't know that the jerks works for 0:15:20.640 --> 0:15:23.400 the same team, or maybe you're even the same person 0:15:23.920 --> 0:15:26.640 as the nice guy, right, And then he hands it 0:15:26.680 --> 0:15:28.320 over to this nice guy who's a friend of his, 0:15:29.080 --> 0:15:31.600 and then the friend takes it over and then does 0:15:31.640 --> 0:15:34.000 a bunch of legitimate stuff, and then in the middle 0:15:34.000 --> 0:15:37.000 of all that legitimate stuff inserts a very very subtle backdoor. 0:15:37.360 --> 0:15:40.760 I've seen this back door talked about using the phrase 0:15:40.840 --> 0:15:44.360 sophisticated that it was very sophisticated. Yes, in some ways 0:15:44.360 --> 0:15:46.440 it sounds sophisticated, but in some ways it sounds like 0:15:46.480 --> 0:15:49.400 it kind of wasn't because a lot of it just 0:15:49.480 --> 0:15:53.000 revolved around getting somebody to give them some access. 0:15:53.680 --> 0:15:57.880 The code was sophisticated, The method of getting in there 0:15:58.040 --> 0:16:00.520 was very human. It was bugging a guy until he 0:16:00.560 --> 0:16:05.080 gave up control. Yes, right, just being a nuisance, Just 0:16:05.080 --> 0:16:09.120 being a nuisance. So who was behind those fake personas 0:16:09.760 --> 0:16:12.640 We don't know for sure, but Alex has a theory 0:16:13.320 --> 0:16:25.520 that's after the break over the course of years, the 0:16:25.560 --> 0:16:29.560 one guy maintaining this very important tool called XEU tills 0:16:29.840 --> 0:16:34.280 Lasa Colin was being bullied and manipulated online to give 0:16:34.320 --> 0:16:37.680 a persona called Gia Tan a lead role in handling 0:16:37.720 --> 0:16:43.320 the code. But who is gia Tan. Everybody's been asking 0:16:43.320 --> 0:16:45.560 this question of like who did this, Who's behind this? 0:16:46.120 --> 0:16:49.080 Most of the names have kind of an Asian origin, right, 0:16:49.160 --> 0:16:52.920 So there's accounts like Jagar Kumar. The key one is 0:16:53.040 --> 0:16:55.880 Gia Tan, which is like, could be Chinese, could be Korean. 0:16:56.600 --> 0:16:59.640 Most of the either the names or the technical indicators 0:16:59.640 --> 0:17:02.480 point to right. So the time zones that this person 0:17:02.560 --> 0:17:05.640 was working into are kind of the East Asian time zone, 0:17:05.680 --> 0:17:08.879 so it's like Beijing or Korea. The names are Asian. 0:17:09.359 --> 0:17:11.480 Everything points to Asia, which makes a lot of people 0:17:11.480 --> 0:17:14.400 think it's Russia actually because it's just too perfect, right, 0:17:14.720 --> 0:17:19.280 because it's just like it's somebody spent three years doing 0:17:19.280 --> 0:17:22.240 all this work, and then you're like, like, let's say 0:17:22.280 --> 0:17:25.200 you're Chinese. Are you going to use like a Chinese 0:17:25.320 --> 0:17:27.960 name as your fake name? Are you going to spend 0:17:28.040 --> 0:17:30.880 three years but then work in your normal time zone? 0:17:31.040 --> 0:17:34.800 And the generally the only actor who has shown this 0:17:34.920 --> 0:17:37.960 level of patients who's been willing to spend three years 0:17:38.320 --> 0:17:40.640 working on a back door like this. The only people 0:17:40.640 --> 0:17:43.119 who have ever done that is either the United States 0:17:43.680 --> 0:17:48.000 or the SVR. So Russia, okay, yeah, are really the 0:17:48.000 --> 0:17:51.679 only groups where you've seen people spend years kind of 0:17:51.720 --> 0:17:53.680 doing this kind of work. And a lot of people 0:17:53.680 --> 0:17:55.720 don't think you would be the US doing something like this, 0:17:55.960 --> 0:17:58.440 that they would never mess with something this important because 0:17:58.440 --> 0:18:00.640 also the thing the Russians are like was blame other 0:18:00.640 --> 0:18:04.440 people right again, because we never got to the point 0:18:04.440 --> 0:18:08.359 of again used. Usually attribution is done after something's used, 0:18:08.680 --> 0:18:10.880 and so it's a lot easier to figure out because 0:18:10.960 --> 0:18:13.720 then you can ask quebono right, who benefits. 0:18:14.040 --> 0:18:16.359 But like all of these indicators. 0:18:15.840 --> 0:18:19.000 Pointing specifically to kind of China or Korea makes you 0:18:19.040 --> 0:18:22.240 think it's just a little too obvious. 0:18:23.040 --> 0:18:26.800 A major theory in cybersecurity circles is that Giatan isn't 0:18:26.840 --> 0:18:31.600 one person. It's potentially multiple people, but likely Russian hackers 0:18:31.640 --> 0:18:35.119 working for the SVR, which is Russia's foreign intelligence service, 0:18:35.640 --> 0:18:38.280 and that they tried to cover their tracks even if 0:18:38.320 --> 0:18:39.600 it wasn't consistent. 0:18:40.000 --> 0:18:40.679 The guys who. 0:18:40.520 --> 0:18:43.879 Worked for the professionals will change their time zones specifically 0:18:43.960 --> 0:18:48.080 around who either what allows them to avoid detection or 0:18:48.119 --> 0:18:50.720 specifically around whatever they're doing for attribution. 0:18:51.040 --> 0:18:54.119 Well, there were some times that the time zones actually 0:18:54.160 --> 0:18:57.760 pointed to an Eastern European time zone or time or 0:18:57.800 --> 0:18:58.840 another time zone, right. 0:18:58.760 --> 0:19:00.880 Yeah, I mean there's there is a little mixed right, 0:19:01.160 --> 0:19:05.399 So somebody could be working from the eastern side of Russia, 0:19:05.520 --> 0:19:07.560 or they could be waking up early in Moscow Saint 0:19:07.600 --> 0:19:09.400 Petersburg and then they slipped right. 0:19:09.880 --> 0:19:11.760 In other words, they might have just slipped up and 0:19:11.760 --> 0:19:15.320 forgot to change their time zones. Because remember this happened 0:19:15.359 --> 0:19:18.120 over the course of years. Maybe somebody had an off 0:19:18.200 --> 0:19:21.399 day and forgot to change the computer settings. But Alex 0:19:21.440 --> 0:19:24.560 has another reason for suspecting Russia over China. 0:19:25.880 --> 0:19:29.400 Chinese hackers, for the most part, work very rigorous hours. 0:19:29.560 --> 0:19:32.960 You can almost always tell when Chinese hackers are working 0:19:33.040 --> 0:19:35.760 because they work office hours. They work eight to five, 0:19:35.880 --> 0:19:39.080 eight to six. Really, it's like very regular, yeah, okay, 0:19:39.119 --> 0:19:41.680 Whereas it's much harder to do time zone stuff based 0:19:41.680 --> 0:19:44.000 for the Russians because they they will work whatever hours 0:19:44.000 --> 0:19:46.000 they need to work. You know that that scene in 0:19:46.080 --> 0:19:48.320 like one of the Born movies where it's like the 0:19:48.359 --> 0:19:50.240 club scene. I always think about this with the Russia. 0:19:50.240 --> 0:19:52.080 There's like a club scene in Russia, and it's like 0:19:52.080 --> 0:19:53.080 you think it's the middle of the night and he 0:19:53.160 --> 0:19:55.520 walks out it's like ten am or something. Right, It's like, 0:19:55.520 --> 0:19:58.480 that's what I think about with Russian hackers, whereas like 0:19:58.720 --> 0:20:01.760 for China, it's amazing because it's like, oh, six pm 0:20:01.760 --> 0:20:02.240 in Beijing. 0:20:02.800 --> 0:20:04.840 You know, it's like, you know, everybody goes home. 0:20:04.760 --> 0:20:05.479 The hacking stops. 0:20:05.640 --> 0:20:06.960 Yeah, or like Chinese. 0:20:06.760 --> 0:20:09.919 Chinese New Year Lunar New Year, everybody goes home, go 0:20:09.960 --> 0:20:13.159 sees their parents in the village or whatever, like hacking stops. 0:20:13.160 --> 0:20:13.720 It's amazing. 0:20:14.440 --> 0:20:16.919 And in the case of Exit the UTILS looking at 0:20:16.920 --> 0:20:20.320 the timing when this ga Tan was submitting code, there's 0:20:20.400 --> 0:20:23.399 a bunch of submissions during Lunar New Year, but during 0:20:23.440 --> 0:20:29.879 big Eastern European holidays like Christmas crickets. But that leaves 0:20:29.920 --> 0:20:33.720 a question, what's the motive. Why would the Western SVR 0:20:33.920 --> 0:20:34.840 want to do this. 0:20:35.520 --> 0:20:37.080 So open everybody uses. 0:20:37.440 --> 0:20:39.520 That's why this is so powerful is you don't have 0:20:39.520 --> 0:20:41.040 to have a specific target in mind, which is why 0:20:41.040 --> 0:20:44.680 you'd also spend three years doing it. Because let's say 0:20:44.680 --> 0:20:47.920 you're at the SVR, you know, no matter what war 0:20:47.960 --> 0:20:50.680 you're involved with, no matter what target you're going after, 0:20:51.119 --> 0:20:53.720 opens station is gonna be useful. So this is probably 0:20:53.720 --> 0:20:56.120 a team of the SVR who they don't know what's 0:20:56.119 --> 0:20:58.280 gonna be used for. They're just they know they're gonna 0:20:58.280 --> 0:20:58.760 get a medal. 0:20:58.800 --> 0:21:00.719