Welcome Sally. Hey everybody, welcome to Dead Cat. Tom Dotan here, joined by Eric Newcomer, and we are joined this episode by Washington Post reporter and author Joseph Menn. Joe has been covering cybersecurity for years, and has also written many books about the topic, including his most recent book, called Cult of the Dead Cow, which we can ask about, that very fascinating title. I think it involves Beto O'Rourke in some capacity, so we can discuss that. But the heart of this episode is going to be about a fascinating case that just concluded this last week involving Joe Sullivan, the former chief security officer at Uber, who was charged and convicted, spoilers. Yeah. Well, if you read Joe's article, you know,
I'm curious how many people are following this case. But I think it's, it's not, you know, the Theranos trial, but I think it's a very significant one, an interesting one.
Yeah, it's a fascinating case about, you know, bug bounties, the FBI, the FTC. Joseph is going to summarize all of it for us. But I will say at the outset, because I know Eric will jump in here at some point, because when he was covering Uber, you were very much involved in the coverage of Joe's ouster from Uber and kind of what precipitated it. Yeah,
I was the first to report the story, the hack, and Joe's firing. But anyway, Joseph,
thank you so much for joining. Welcome to Dead Cat.
Yeah, thanks. Nice to be here.
Let's just summarize the charges here. Like, what was Joe Sullivan charged with and ultimately convicted of, and just give us the backstory on how we got to this point?
Okay, well, I think you have to go back to the hack itself. So there were a couple of young hackers, one in Florida, one in Canada, that found an Amazon key used by Uber lying around on GitHub, and then used that to get into an unencrypted backup that had information on all Uber users up to 2015, and included phone numbers and other sensitive information, and also a store of information about Uber drivers, 600,000 of them, including their driver's license numbers. So sensitive stuff. They obtained this, they sent Joe Sullivan, then Chief Security Officer at Uber, an ominous email. And, you know, they said, hey, we discovered this vulnerability, and we're prepared to tell you about it, but we were able to download all this information. And then there was this prolonged back and forth with Joe and with other security people there. And after all this happened, towards the end of it, Sullivan steered them into Uber's bug bounty program, which rewards, you know, more or less ethical hackers with some money if they discover vulnerabilities.
The idealized bug bounty being, I'm a researcher, I see this flaw, I'm not executing on it, but if somebody were to do this, you know, I would get X, Y and Z. And then the company, out of the goodness of their hearts, pays them to avoid those people sort of becoming like black hat hackers, and also because they're effectively working for the company to find vulnerabilities. Would you say that's a fair explanation?
I would have a number of minor quibbles with the way you laid it out. You know, generally the payments don't prevent them from being black hat. Generally, the thinking is that these people, they want to be on the right side of the law, and this just makes it less costly for them to make that choice.
Yeah, they're not at-risk teens. Well, this,
whereas in this case, they seem a little bit more, yeah, at risk. I mean, the standard bug bounty for Uber was $10,000, and in this case it was ultimately a $100,000 payment, right?
I'll just fast forward to get the basic facts, the case and charges, out there. They ultimately paid off the hackers $400,000. They assured themselves that the data had been deleted and hadn't been distributed to others. And they had the hackers sign an NDA saying they wouldn't talk about this. And actually the wording of that NDA was later to be very important. And then nobody knows about it until after Travis Kalanick has gone. Well, that was, nobody? Many people at the company knew about it, including Travis Kalanick, the then CEO. Travis gets ousted in a boardroom coup after unrelated scandals. A new CEO comes in, Dara Khosrowshahi. Yeah, thank you for pronouncing that for me. And Tony West as general counsel. A lot of big figures. And this sort of bubbles up again as a topic, and there's a new investigation, and then they basically decided to throw Joe to the wolves. But the charges were not for the payoff itself, but for what is called misprision of a felony, which is a rarely charged statute that means, a crime we
all have strong intuitions and moral sensibilities about. Like, I barely know what it is.
Yeah, I did have to go to Google Translate to make sure I pronounced it correctly. It's misprision.
There you go. So it is not only failing to report a felony, but actively concealing one, like taking some form of action to prevent a felony from coming to light. And he was also charged with obstruction of justice, because there was an FTC investigation of previous breaches at Uber that was wrapping up, and this was, I guess, pointedly not disclosed to them when it should have been, according to prosecutors. Those are the charges.
Right. And him being fired from Uber, that was a story in and of itself, right. And there was controversy at the time around why he was fired and the nature of it, but, you know, he could have been fired and not been charged with a crime here, right? These are almost unrelated incidents, correct?
I wouldn't say they're unrelated. So his firing was controversial within the company. Most employees did not see him as one of Travis's, like, you know, key hinge people. You know, he was seen as one of the, you know, the more recent hires, the grownups. You know, he hadn't been implicated in a lot of the other sketchy stuff that Uber was involved in. And then it's not just that he was, you know, he wasn't charged randomly. The Uber folks that remained worked hand in glove with the US Attorney's Office to charge Joe. And, you know, they walked them through the whole thing. They built a lot of the case. And then, you know, quite another obvious suspect would have been the lawyer who was working under Joe, Craig Clark, and Craig Clark was so nervous about all of this that he got immunity from the feds in order to testify against Joe. And Joe, in turn, had blamed some of this on the legal advice he got from Craig. So it is weird that Joe is not only charged with this very unusual crime, at least one of them, but that he was the only person from Uber that has been convicted of anything, as far as I know, in the executive ranks, despite all the other stuff that was going on there, and that he was the only one that was taken down for this particular thing when the CEO and others were involved. And let's just do
a little bit of background on Joe, because we should definitely set up for our audience that this is a fairly well established, well regarded person in the cybersecurity industry. I mean, what was his background before taking on this position at Uber?
So he was actually a federal prosecutor back in the day, and he was one of the early enthusiasts about developing cybercrime as an expertise. So in fact, you know, he'd worked in a couple of different offices, but in the San Francisco US Attorney's Office, which later prosecuted him, he had helped set up, he was an initial member of their cyber team. And then, you know, like many, he left public service to make some decent money. And he went to Facebook, where, in the earlier phases of Facebook, he was the chief security officer there. You know, he was sort of well known in the field from that point on, because Facebook was the subject of a lot of attacks, a lot of attention. And, you know, he did a lot of things that are now sort of industry standard practice, including, you know, red teaming, hiring people to attack the company to see how they did. And they also paid bug bounties and stuff like that. So he was there. And then he went to Cloudflare, which is maybe, you know, arguably more interesting for him, because lots of international stuff, terrorist stuff, all kinds of really sketchy people use Cloudflare. So it's really interesting from, like, an intelligence perspective, as well as a law enforcement and garden variety security perspective, and also Cloudflare's, like, a security company. So I think he was playing a more central role.
After Uber, right?
Just, sorry, yes. Let's get to
these. I mean, he's hired at Uber in 2015, and then basically out
after a really bad breach. After a bad breach, right.
And then ousted in November 2017. And so, yeah, he's not sort of the super early days Travis, but he's there for some of the core sort of Travis years. And when those years come to an end, yeah,
well, and Joseph characterized him a little bit, but, you know, Eric, from just covering Uber so intensely during that period, how does he kind of fit into the Travis hierarchy? I mean, he's not a founding guy. He's not one of his, you know, one of the guys who builds the app, but he is a key player in the scaling of the service, right, and ensuring that it remains, at least for a time, free of major breaches of data, and, you know, the kinds of things you would need for an app that is catering to millions and millions of people, right?
I mean, certainly a lot of people agree with the idea that it's crazy that of all the executives at Uber who could have gotten convicted of something, it's Joe Sullivan, who I do think, as a former prosecutor, was seen as sort of a stand-up guy, and definitely not some diehard Uber loyalist, and definitely sort of a professional executive coming from Facebook. That said, you know, Joe Sullivan is given some legal authority at the company. I mean, part of this case is there's sort of a weirdness that his deputy reported up to him and not to the general, the overall legal officer. Joe Sullivan was also, like, responsible for some of the, I believe, the physical surveillance that Uber did, including over, like, Jean Liu, their competitor. Well, it's not illegal, I don't think, but you know, he is involved in some of the sort of intense Travis era, like, we want to know what's going on with our competitors. So I don't totally agree with the idea that this is somebody who totally divorced himself from the aggressive behavior of Uber during the Travis Kalanick era. And then, sort of figuring this hack out fits into the sort of Travis strategy of, you know, one might say, like, creative problem solving when it comes to navigating trouble and sort of legal gray areas. Yeah,
well, let's get to the case itself. Because, as you say, there is a bit of a divergence between the bug bounty program and, you know, the way you sort of deal with white hat hacking, and what the government actually was charging him with. So why is it that the FTC is even investigating Uber during this period? And what are the actions that Joe took that ended up getting him charged with the crime?
Well, there was a massive breach in 2014 that was kind of similar. It was like a great spill of user data. And so the FTC was investigating, and it was going to, you know, come up with, you know, various consumer consent decree type stuff, where they have to agree to do some basic good housekeeping in terms of, you know, real security for that stuff. And it was near the end of that investigation, that's one of the ironies here. They were still asking questions, but were on, I think, the fifth or sixth round of questions that the FTC had sent over before this happens. And before Joe gets in trouble, they go to another attorney, the privacy attorney, the head of privacy at Uber, and she is somebody who is being kept roughly in the loop about this breach by Craig Clark. So Craig Clark had a dotted line to, you know, the General Counsel's Office. It is true that Joe was Deputy General Counsel, but he didn't sort of caucus with the legal department. He didn't have meetings with legal.
Does that make it even sketchier? Why is he Deputy General Counsel, but he's not sort of looped into that hierarchy?
I don't know about it being sketchy. I think, you know, it's a nice title to have. It may have been ill advised in retrospect, but I think he wanted authority to do certain things. And, you know, Uber, as you know from covering the company, was super siloed. Basically, yeah, I think he wanted to exercise some power over things that he couldn't without that title. But it is clear that Craig, you know, did blow the whistle on other things. And a lot has been made, in fact, that, you know, he was reporting to Joe. But he also told his successive privacy bosses in the general counsel's office about what was going on with this case. And those were the people that were answering the FTC questions. There were a couple of emails introduced as evidence that asked Joe to look over some stuff and say, you know, is this right, do you have any problem with this? And one of those answers, out of a long series of answers, was, there haven't been any bad breaches, you know, since that, or something like that. And that's what he got in trouble for not flagging. But it wasn't the strongest, eh, it wasn't the strongest evidence in the world. I think there were more problems with the wording of the NDA, which said that in order to get this $100,000 check, or maybe it was Bitcoin, the statement said, we have not taken or kept any data from Uber as part of our explorations. And that was false, because they had. So in the jury, you know, the lawyers in the case got into, like, who did the edits on that NDA? And Joe did some edits, but not that one. So the prosecutors were arguing that even though Craig Clark was the one who had put in those words, Joe should have edited that, and maybe he was, like, the brains behind that edit. I mean, it is thin. It is really thin.
It seems like there was a lot of judgment call in this, you know, interpretation by the Feds and by the jury.
But when Dara comes in and asks Joe about this, Joe doesn't tell Dara all the details of the case. Correct?
So there is an early email where Joe briefs Dara that, okay, there was an incident, we're handling it this way. And that email was fairly circumstantial, and he'd asked his people to brief him, and one of his people had sent an email saying, well, we basically got extorted, and, you know, it was terrible. And then Joe gives Dara a pretty sanitized version of it. It doesn't include
the amount of money, calls it a bug bounty, right? Yeah. And all Uber's bug bounties before this, like, 10,000 was the max. This was 100,000. These people downloaded the files. In normal bug bounties, you don't download it. I'm sorry, but I'm just like, I think there's an interesting discussion, and this comes in through your story, definitely, like, now we're in this era where everybody's paying for things, would we view this in the same light? I get that point, I'm happy to have that discussion. But the idea that this was a hack that was then tried to be framed as a bug bounty, during a time when Uber was in trouble with the FTC and negotiating with them, to make sure that this didn't fit into the kind of breach that they would need to disclose to the FTC, it just seems like a pretty compelling case to me. And now the jury has convicted him. And I still think that, like, the tone from sort of the cybersecurity world is, like, shock that there will be convictions here.
Let's get to that in a second. Because I want to understand, in the course of the case here, what was the characterization that the prosecution had of why Joe would do that? Why Joe would, you know, keep this from Dara in a way that, you know, they define as criminal, as misprision and obstruction of justice. I mean, Joe is a tenured security officer, used to be, you know, with the US Attorney's Office. I mean, what was the kind of depiction that the prosecution had of why someone would do this?
They were arguing that he was acting out of embarrassment, that he didn't want his reputation, as, you know, a very respected member of the security, defense, security world, to be torn asunder because he allowed this terrible breach to happen on his watch. I personally don't think that holds water. There's all the internal traffic about the matter. It shows that for quite a while, while they were working on this, Joe was saying, we don't know whether this is going to be something we have to disclose or not. We don't know whether we can call it a bug bounty and pay some money and have it go away, or we'll have to disclose it. But that was certainly something that they saw as a major possibility. The reason they didn't, in the end, was that they were convinced that the data hadn't gone beyond these couple of hackers, and the couple of hackers wished them no harm. That is not something that would normally be charged criminally. That might be a big screw-up, and, you know, maybe he gets personally barred by the FTC from, you know, serving on company boards or something or other, maybe. But that is just a real outlier as a criminal
element. You know it from your story, and you know better than I do, and what I'm interested in especially is, like, this idea that the prosecutors were trying to get him to flip on Travis Kalanick. There's going to be sort of a double situation here where Joe gets defended because he wasn't the CEO, he was the CISO. On the other hand, if the issue is that everything should run up to the CEO, why didn't Joe flip on Travis here?
So they were trying to get to Travis, who would have been a big feather in any US attorney's cap. And they did get evidence from Joe on that, and that evidence was actually fairly substantial. There were lots of texts and phone calls and conversations. And Travis said things like, yes, this would be great if it's a bug bounty. But there wasn't a direct, cover this stuff up, don't let the FTC find out about it. There wasn't a smoking gun. So there was a bigger paper trail on Joe, because he was kind of in the middle of it the whole time. It's weird to call this a cover-up when, forget it, something like 30 people knew about it. This was not a, you know, go meet somebody in a back alley with a briefcase of cash. You know, they worked through the bug bounty platform, you know, HackerOne. The communications team up to Rachel Whetstone knew the facts of the case within 24 hours.
She's the Chief Communications Officer for Uber, right?
At the time, right. And so she did, Travis did too. Joe told everybody he was supposed to tell. So I mean, it's up to Travis whether or not to, you know, say, okay, make sure you coordinate with the general counsel on that. He didn't say that,
including that this stuff had been downloaded by the hackers, and that it was basically, and they were going to try
to recover it. They were going to try and suppress it. And that's another thing, is like, it's not, you know, that NDA is pretty shady. But they were using this whole process to identify who these people were, because they were anonymous when all this started, and they stayed anonymous through a lot of it. And because they were getting them to sign things, and if they did it, an electronic signature would leave their IP address, and then they'd be able to track them. They get that, and then they surprise them by showing up in person and saying, now we need your real names to sign this, or the bank's not gonna let go, you know, they'll flag the, you know, the IRS. And so that's really important. And they did that not because they want to get these kids arrested, that's true, but because they figured that that was the only way to reassure themselves that these guys really aren't going to do something worse with the data. And then
they basically get these hackers to say, oh, you were, like, working on behalf of Uber, basically, right? Isn't that part of the agreement? Or am I misunderstanding that?
Well, I mean, part of the bug bounty program was, like, they were reporting a vulnerability, and thanks for that, and here's your reward. Right. And, you know, 100k is a lot of money.
Sure. Not for Uber, though.
And for the amount of damage that could have been done with that data, that's actually pretty reasonable.
I'm certainly not saying it's a bad corporate decision. I'm just saying, you know, their moves.
There's one thing Dara said later. There are different stories, you know, between when he was fired and now, but Dara's most recent version was he fired him because, one, he couldn't trust him after that email that, you know, underplayed the breach, but that he would have made the same payment himself. That was an appropriate payment. So I mean, it looks to me like the Feds were hoping to get to Travis and missed. And, you know, Dara wants Uber 2.0. He doesn't want any trace of back door
He's allowed to fire people. I do agree with what Tom said. I understand that Uber has sort of held this case, but they're allowed to, like, fire somebody who feels like, I'm trying to clean up the company and you're not being open about everything that's happening. I get that. Yeah, they announced this hack. They have two people in my story that they're firing over it, Craig Clark and Joe Sullivan, and they say, okay, we're cleaning house. But like, yeah, I mean, they were the people who did it, and Dara had a different point of view on whether it needed to be disclosed to the government. And then they did settle with all these state governments. They paid more than 100 million in fines to state agencies. And now there are two convictions. And also we haven't brought up the fact that the hackers themselves, who participated in the bug bounty, I believe they also pled guilty in this case. So if the legal system works at all, every part of it, settlements, jury convictions, hackers pleading, like every part of it has come down on one side of this. Sorry, that was more passionate than I expected to be. But I don't know, I feel a little crazy on it. It's like, this has been borne out.
Well, can I ask, you know, when it comes to the state of Uber and the way they were involved in this case, because technically this is not their case. They're not suing him. This is the US government that is making the case here. Dara testifies here, he testifies to the fact that he just couldn't trust Joe anymore, to why he fired him. And I guess, if people below him, why does either the prosecution or the defense, and I imagine it might have been the defense, never subpoena Travis? Why do you think Travis never appears at all in the trial? It seemed like he could have been a key person to kind of make the case one way or the other as to whether or not this was a cover-up, or how many people should have known about this. Did that ever come up in discussion, like, strategically, why he never appeared at all?
I'm sure it did. I don't know, I wasn't privy to those discussions. I don't know why. Yeah, if I were Travis, if I did get subpoenaed by either side, I would have asked for immunity. And the feds, you know, that's probably not a good look for them, so they probably wouldn't have offered it. So probably he would have been, like, a hostile witness for either side.
Or you could plead the Fifth, right? I mean, he
could plead the Fifth, which is not going to help the defense or the prosecution, and it's not going to make him look good either. So I mean, it would be dragging him in there, and then it wouldn't be productive. That's my best guess off the top.
I mean, I do think there's, I was gonna say this earlier, but, you know, I feel like there's a classic human story where somebody is sort of, you know, the do-gooder Boy Scout, and then they get sort of dragged into this somewhat shady organization with, you know, the leader who's trying to sort of complicate things, and the sort of ethical boundaries get tested. And then this sort of clean guy ends up the one, you know, because they made the call, ends up the one on the hook, even though the architect of it all probably set the organization up in that direction, pushed people to behave in that way, but then knew better than to, you know, put their name to it. I feel like that's, like, a sort of classic story where it's like, yeah, if you want to be sort of the Boy Scout, you have to stick to your principles, even in this mucky organization. So
I think that's a little too pat. But as I wrote in my story, bug bounties have been used to hide a host of ills, increasingly since the time this happened. So they get used to pay respectable hackers who are trying to do the right thing, and they also get used to pay people to shut the hell up. Right? They, you know, they are as likely as not to come with non-disclosure agreements now, and some of those apply to things that, you know, the company should be required to disclose, and are not disclosing, not just something they're not fixing, but, like, breaches that are, you know, things that probably lead to previous breaches in the real world. And this stuff is pretty ugly, right? My guess is that Joe thought he was skating close to the edge, but it wound up doing the, you know, the right thing. You can make a really good argument that he was doing the right thing by Uber users, because they went through all these hoops. There was some shady language, there's some stuff that should have been disclosed. But the data didn't get out. And if they had called the Feds on these guys, the data very well might have gotten out.
Yeah. And I think nobody here is like, oh my God, the public was so terribly victimized by this crowd, you know? Yeah. I mean, it's very much, did he follow the letter of some law? Not, did he have some terrible effect for a bunch of drivers or people? It seems like exactly like you're saying.
I think that's important to remember. Right?
Yeah. Well, that's what's interesting about this case, because, you know, you obviously covered it. And as I was Googling it, I did see that almost every major outlet did have some reportage of it as it was going along. But the trial didn't set the world on fire, you know, it didn't become the Elizabeth Holmes trial, or think of any other high-level tech trials.
Nobody's saying this guy's the embodiment of Travis Kalanick era Uber. I mean, I think that's, you know, it didn't become a proxy for that. Right, morally ambiguous and
Right. Right. It did sort of seem like this was, you know, the government's attempt to bring some accountability to Travis era Uber, and, like we're saying, it ended up falling on this one, you know, prior to this point, pretty clean actor in the InfoSec community. And, you know, it sounds like the government made a compelling case here that he was a bad actor in this particular way, but the actual harm to, you know, the average citizen, reaches, wasn't there. So, I mean, is it fair to say that he is kind of a fall guy for a larger issue that, you know, he wasn't necessarily responsible for, but, you know, there had to be some head on a stake somewhere, as far as the government was concerned, in terms of charging him?
I think the answer is yes. And, you know, I don't think they were taking into account, I mean, I think they were trying to make an example of him in, like, Uber land, but I think they may be less than thrilled about the example they're setting in chief security officer land, where people are freaking out and are, you know, worrying about what their own liability is. I mean, it's already, like, famously one of the worst jobs on the planet. I mean, Alex Stamos used to joke that, like, CISO comes from a Greek word meaning he who has sacrificed.
Alex Stamos, former chief security officer of Facebook, guys. Yeah, that's a great line.
I mean, it's, you know, it's up there with Russian submariner and Chinese coal miner. You don't want to be CISO, even before this. I mean, you know, there's like, you only get famous if you fail, right. You can also make the argument, I mean, I've covered the security industry for more than 20 years now, and, like, you know, the most important person in charge of company security is the CEO. It's not the CISO. And the second most important is the CFO, right? Because he or she is deciding how much you can spend on defense, which is, like, you know, making stuff from the bottom line disappear, and it's super hard to value what gain you get from it. So, you know, many people are in the position of, you know, Twitter comes to mind, Mudge at Twitter, where you're given this awesome responsibility and no actual power. It needs to be, like, a cultural thing, because, you know, everybody else in the organization has to play ball. They didn't have that at Twitter, and they didn't have it at Uber.
The InfoSec community, as you said, they were watching this case very closely. They obviously are not happy with the outcome in terms of making the job even more of a liability for the people who do it. But was there any sentiment among the InfoSec community that, you know, Joe didn't maybe handle this in the best possible way? And there was some sloppiness in the writing of the NDA, the correspondence he had with the people above him, that maybe someone who told the
SEC, if you're in a negotiation with them, if you have other skeletons in your closet, like, I mean, clearly what the government wants. You're right.
Yeah, I guess. Yeah. The question is, was there a sentiment of saying, yes, overall he did the right thing, except for in the various specific ways that the government nailed him, and if he were just a little bit more careful here, he could have been well clear?
To put this in a layman's way, it's like, no reporter wants a reporter convicted, right? Reporters always cheer for, like, free press cases. But then sometimes there are particulars of them, and, like, you know, you're like, well, Gawker maybe shouldn't have published, like, a terrible sex tape. You know, it's like, okay, I understand why CISOs would always say don't convict the CISO. Journalists never want to see a journalist convicted. But then these things get decided on the fact patterns. And, like, yeah, I guess, is there a sort of fact pattern that can separate this from what CISOs are doing sort of day to day?
So first of all, I would say that there are some instances where I think people reporters should get sued for libel and lose, I'm not going to defend every single member of my profession.
I don't think I could defend half of them.
So I think the majority feeling among chief security officers is that Joe got a really bad deal. And I again, I mean, there's a lot of evidence on both sides here. But one of the things that came out is that Joe was never accused, Joe was was grilled by the FTC. And he was never accused of lying to the FTC, they, you know, it was a sin of omission, where somebody else was sending in the thing and one of a bajillion emails that Joe is supposed to read,
but misprint, misprision can include, not omission, right? It isn't an omission. It has to be an active thing. But it doesn't it doesn't have to be a direct lie like you
can. That's correct. That's correct. Right. But you know, like I said, this is not a slam dunk case. And the jury struggled for four days, right? Most chief security officers, chief information security officers, are deeply unhappy about this. They're used to being scapegoated by their own companies. And now they have to worry about being scapegoated by the feds, as you know, in some cases in collusion with their companies. Then, you know, it's not just that Dara fired him. It's, you know, Dara had him frogmarched into the US Attorney's Office.
I mean, the hack was never like a core Uber scandal. That's part of what's bizarre about this whole thing. It was sort of like a trailing end thing. I mean, my understanding is this, the Uber hack was, like, disclosed. And like one of the whistleblowers, they had, like, some security officer at Uber, like, sent a letter, like, seemingly, I think, shaking them down for money. And then so then this hack was in that. And so then there becomes more of a likelihood that it comes out, you know, but it was always just sort of a tail end scandal. So it is sort of absurd that this would be sort of the most litigated Travis
conviction. Yeah, I mean, it's like it's not even getting Al Capone on income tax evasion. It's like getting a third tier goon on Al Capone's squad charged with a crime. And that goon actually happens to have been a pretty clean guy up to that point. It just sounded like he did potentially, or I guess, as the law said, you know, break it in the very particular way in which he was charged. I mean, it is bizarre, I agree with you.
There is another Uber executive who has pled guilty to something, though, not for his activity, I think, at Uber necessarily. Anthony Levandowski, of course, pled guilty to stealing trade secrets, and then was pardoned by President Trump. I feel like that whole news cycle got totally washed away, because, like, it was at the end of the Trump presidency, and then January 6 happened. But Anthony Levandowski, you know, the whole Waymo guy, pled guilty and then was pardoned by Trump. So I think, you know, somebody was laughing at me, a former Uber exec was, like, you know, are we gonna get another pardon? For, you know, it's, uh, sorry, jokes about Joe. But yeah, well, Joe Biden, you know, step up here.
I mean, what is the expectation in terms of a sentencing for this kind of a, you know, crime? So
I mean, in theory could get update yours? I, you know, I don't know if there are mandatory minimums, you know, or what the accepted range is. You know, he didn't help them by testifying against anybody else. The real answer is, I don't know. You know, and I don't normally cover criminal trials. So, you know, maybe he gets a couple years. And maybe it's probation or something. But it would be deeply unpleasant for anybody, but he's a former federal prosecutor. So to put him in a federal jail with people that he has jailed or would have, you know, that's not cool. Yeah. So yeah, I'm guessing he would be segregated somehow.
Yeah. Cyber jail. Jesus did. He's
a former federal prosecutor. I mean, you have to imagine that animated the prosecutors somewhat, this of all people who should know the letter of the law.
Yes. And they argued that here's one guy who does know what misprision of a felony is.
Right, the only person in the court? Yeah.
What sort of precedent do you think the government was trying to set with this case here? Because it is, like we've said multiple times, a bit of a tangential crime when it comes to Uber itself, or even the broader, like, hack community. I don't even think it's the most interesting hack I've heard of in the last, like, year, a little over, five, ten years. I mean, if you were to look at what kind of outcome broadly the government was trying to get from this, you know, lessons learned, what would you say it is?
You know, most charitably, I would say that they're trying to send a message that just because the CEO is a cowboy doesn't excuse you from doing what the cowboy wants at the expense of the law. I guess you could also say that, you know, breaches are a bigger deal than they used to be, security is a bigger deal than it used to be. There's all kinds of national security implications. You know, the US has sanctioned ransomware groups that are too close to the Russian government, they would rather those people not get paid off. In fact, that's one of the few ways you do get in trouble is if you send a ransom payment to one of these sanctioned groups. You know, so maybe everybody just has to be on their toes more about how they treat breaches, including the disclosure aspect.
Can I ask, I mean, part of the purpose of this show is we try to go a bit behind the scenes of the reporting of stories and the relationship that reporters have with the company. I mean, this is an interesting case of, you know, Uber is obviously a key material presence within this trial. They're obviously providing evidence that is very useful for the prosecution here. But you know, what sort of, you know, information, interference, did you sort of get from Uber as you were doing the story in terms of, you know, trying to encourage a specific point of view? I mean, how much were they trying to influence the coverage of this case in any way? Because I think, look, transparently, I've seen it a lot. Uber is very interested in the story. But I'd be interested in seeing, from your perspective, what you saw.
I didn't have much interaction with them, you know, in the end stages of this. When they fired Joe, it was weird that they did not go to any security reporters,
they went through an overview of where they went to a loser.
Well, I mean, I think that they were spinning hard when they fired him, that like, here's the root of all of our problems, we did a big, big investigation, and we found this horrible stuff. I mean, there's a lot of nuance here. Yeah,
they don't say the bug bounty. I mean, they go on the record about the story. It's not like they, like, you know, I think I quoted Dara in this story. They don't talk about the bug bounty, they certainly talked about the size of the breach. I mean, it's true, Uber paid hackers to delete stolen data on 57 million people, company paid hackers $100,000 to delete info, keep quiet.
Right. But this is, again, this is the difference between, you know, his being fired and the actual case. I mean, you would think Uber at this point, this is something that happened in the past, they wouldn't care as much about, you know, let the law and the legal system take its course. It's interesting to me, Joseph, that they actually were not that kind of involved at all in your coverage, in pushing you one direction or another.
Well, at this point, there's this copious public record. So that's, you know, when people are testifying under oath, I find that a lot more convincing than what people are saying outside of court. Yeah.
Let's broaden this out a bit. Because, as I've said, you know, there are broader implications here. So you were saying that, you know, in the CISO community, this verdict was met with kind of terror, that they felt they've already taken one of the worst jobs in the world and made it even worse. I mean, anything more to that aspect? I mean, what do you see in terms of outcomes from, you know, getting a CISO on the hook for what some people in the community would view as fairly standard?
So I'll give you one tangible thing, and one less tangible thing. The tangible thing is that CISOs are looking for personal lawyers to advise them on what their liability would be for any failings on the job. The less tangible thing, which I think is dangerous, is that CISOs will now be much more likely to go the Mudge route and blow the whistle and call in the Feds by whatever, you know, legal means they can, so they're not risking anything, which is, you know, a real harsh gamble to take, and so on. But that will make them seen internally as, like, internal affairs officers, as cops. And that may mean that people under them with security responsibilities keep things from them, because they don't want that to get reported out. And that's kind of a disaster. That's like the thing where, like, you know, in a police internal affairs unit, like, you know, they're given the cold shoulder by other officers, because they're the ones hunting for cops. So that's miserable. Like, you know, like I said, you know, CISOs got to have the culture on their side, they got to have the CEO, the CFO and other departments on their side. And if they're not, if they become seen as someone that could rat you out, like a compliance officer, then that's a bad dynamic that takes a tough dynamic and makes it
let's get rid of Internal Affairs soon. I don't know, I just don't see how, I think, you know, these investigations being disclosed to the government is so bad. I mean, you know, there are plenty of SEC filings where, you know, a company says, you know, some hack happened, and they happen so often. Is it that damning to the company that it'd be publicly announced?
Generally? No. I mean, the stigma has gone away for most of this. So you know, starting with when Google, you know, owned up to getting hacked by the Chinese, nobody thinks that Google's a bunch of idiots. So, I mean, it has continued. I mean, everybody gets hacked. The US government gets hacked. You know, the NSA has been badly hacked. I don't think disclosure is a bad thing. I'm in favor of disclosure. I'm in favor of more forced disclosure. I'm talking about this unanticipated impact, which could be bad. Yeah, for core security, and you know, maybe we'll know more, but security might not get much better.
Do you think that this in a way is going to have a hugely deleterious effect on bug bounty programs, that companies will just back away from that as a whole, because they see that it just skirts the line into an area that if the FTC, for whatever reason, wanted to prosecute someone for it, they could find a way to do it?
I think they're going to make bug bounty programs more fraught. It's also true that some of them deserve to be more fraught, that, you know, they are slathering makeup on a pig sometimes. You know, the early bug bounty programs were seen as part of a coordinated vulnerability disclosure program, which is from the olden days, when a hacker says, hey, you've got this problem, if you don't fix it, I'll go public, I'll give you 90 days or whatever it is, which is what Google gives people when it finds bad flaws in somebody else's program. That's kind of the industry standard. And then usually the company fixes it. But if they say, that's not really a bug, that's a feature, or you know, it's not really urgent, we'll get around to it later, it's not that severe, then the person goes public. The way bug bounty programs have evolved, they get most of their money from the companies. And they're seen by some companies as a way to control the hacking community. Because if they don't shut up and take the money, then they don't get to participate in the bug bounty program anymore. And there's, you know, two or three big bug bounty platforms. And if you're not welcome on any of them, then it's going to be much harder for you to make a living without selling your vulnerability information to governments or the private sector, or brokers who might flip it to somebody who flips it to somebody who flips it to the Chinese. It's a very, very uncontrolled world out there. And bug bounties were one way to bring people towards the light. And I'm afraid that they are doing a lot less of that now than they could.
Are you covering the whole Binance hack, by the way, or like,
I am not, in part because there's so many crypto hacks these days that, you know, you wouldn't do anything else. And in part, because in this particular case, there don't appear to be human victims, there were tokens that were lying around. So it's not as bad as some of the others. Oh, interesting.
Just like 500 million, just like on so yeah, with it just created out of thin air, I guess if somebody gets their hands on it, right.
That's fascinating, actually. What, I mean, have you written much about crypto hacks? I mean, like you bring up, it's very difficult to, you know, discuss things in human terms. And they're so common these days. I mean, what's, you know, in the InfoSec community, what is the thinking on the security of your shit in the Web3 world?
It's terrible. But, you know, it's like, the whole crypto stuff reminds me of 1999 when I was covering the dot-com boom, and you know, this stuff was absurd on its face. So, you know, how do I really want to devote my time to explaining, you know, how this particular one is a little more absurd than others? Or can I just let people figure it out for themselves and then go to something that's, you know, actually kind of hidden? That's my general take on it. I am interested in crypto as a means to launder money. I'm interested in it as kind of the rocket fuel of the ransomware plague. And it's, you know, kind of interesting that, you know, North Korea and other unpleasant places are, you know, using it. It sort of monetizes pure hacking in a way that nothing else has. I mean, you're talking about, like, bug bounty payments are not enough to compete with what the NSA or somebody else is going to pay you for vulnerability information. But really, you know, you can also use that information to do the hacking yourself. And you can make a tidy sum of money. I mean, an enormous percentage of crypto that's floating around there has been stolen from somebody else who had it at some point or another.
I feel like the bug bounty program in crypto is literally just you, like, taking the money and then saying, hey, look, I just got $100,000 of crypto coins because your stuff is so hackable, there's my bounty, and
then they're like, please, they're like, if you give us 90% back, we'll let you keep 10% of it.
I just did want to talk about my book. Yeah. Yeah, absolutely. Yeah. Because some of these things go, you know, go back to it. So the people in the book were the people that came up with coordinated vulnerability disclosure. You know, one of the people I quoted in my article, Katie Moussouris, is in it. These are the people that did the core innovation, and not by coincidence, were people who wrestled with ethical questions all the frickin' time. And, you know, being now, you know, I guess a veteran of this stuff, one of the things I was trying to do was convey to newer people in security, you know, give them a set of shoulders to stand on. They can choose whichever one they want, because they often disagreed with each other, but to think about these sort of philosophical questions. Because now, unlike before, it's a nice clean profession where you can go to a nice college and get a nice job in a nice company and do cyber things without ever having to think about, are there some circumstances where you should break the law? What if your employer wants you to put in a back door, what do you do? There are fascinating ethical issues that come up every day in security. And it bothers me that people who are, like, 25 years old, without any history of, you know, playing in the gray areas, are, you know, more inclined to do what they're told than to figure out for themselves what is ethical.
Can you tell us a little bit about the Cult of the Dead Cow? What is it and how does it involve current gubernatorial candidate in Texas, Beto O'Rourke,
who was not the only politician to call for loosening marijuana laws, things like that. So yeah, I suppose Beto O'Rourke, he was a teen hacker, but it's not like, what's funny is that his politics actually kind of match what he was doing back then. I mean, he's like, exposed for having, like, pushed for the things he's, like, you know, pushing for as a politician. So it was a pretty clean exposure, like
Beto is just as cool as you thought. Right?
So if he wants to take away our guns,
a lot of people thought he was, well, you know, I just thought he was a pretty white boy. And then I read this, this is the most interesting thing I've heard.
Yeah, he was sort of fake cool. And then it was like, oh, maybe there's real, he was cooler back
then. He was like Kyrsten Sinema, there was the
punk band. But yeah, but I digress. So the Cult of the Dead Cow is the oldest hacking group that is still functional in the United States. It is also the most influential hacking group in the history of the United States. It was spawned in the 1980s, in Texas, by some bulletin board operators. And if you don't know what that is, you can ask your grandparents. They morphed several times, but were always sort of at the cutting edge of hacking, which makes them a really interesting vehicle to talk about all these, you know, choices that were made, and why they were made. If you came of age in the 80s, in the time of the movie WarGames, you would know the Cult of the Dead Cow through their funny, frequently profane, esoteric text files, which could be about anything, and were sometimes political. And then because they were sort of like the cool kids in the hacking scene, some people with actual hardcore sophistication in hacking were asked to, you know, were invited to join, and were eager to join. So that includes people from the L0pht, the great Boston hacker space, folks that testified before Congress in 1998 that any one of them could take down the internet in half an hour. So these technical people came on. And then at DEF CON, the great, you know, giant hacking convention that was sort of coming of age and getting really big in those years, the Cult of the Dead Cow threw CDs into the crowd that contained Back Orifice, and then Back Orifice 2000, which were successful programs that would allow pretty much anybody to hack a Windows machine. And that was certainly controversial at the time. But that helped to get press, which helped put actual pressure on Microsoft to fix things. Because Microsoft was a monopoly and was not being responsible when people like the L0pht said, hey, you have this major flaw in the architecture.
So they were pushing the envelope, they started using the media to try and put pressure on these big, pretty untouchable software makers. And then they invented hacktivism. They coined the term hacktivism, which they defined as security work in service of human rights, which includes, per international treaty, the right to information. So they got sort of political in hacking terms. And then more broadly, they pushed Tor to include a browser because they were releasing their own browser for Tor. And they helped inspire the Citizen Lab at the Munk School of International Affairs at the University of Toronto, and Citizen Lab are the world's greatest experts on tracking how governments spy on their own people. They, you know, if you know about the Pegasus spyware that governments use on their own people, that's largely because of this lab, and they do this all the time.
Are they active today? The Cult of the Dead Cow? They
are, they are, but they're, you know, they're grown-ups. They actually are, you know, they have some new members now,
did you out them all? Or is it sort of secret? Or what's the level of, like, we know who everybody is?
So one of the sort of pleasant surprises in writing the book is that in the end, all of the core members through the history of the group agreed to let me use their real names, including people, you know, some had been outed before. So Peiter Zatko was a member, most recently famous for testifying in Congress about the security disaster that is Twitter. Chris Wysopal, who had been outed, he was founder of Veracode, which is a billion dollar, very important security company. Mudge also ran DARPA cyber grantmaking. So these are very serious people, but many others have not been outed, including the founder of the group and Zadar, who is now running for
governor. They're letting new people in there, what's their initiation, or
it's all terribly secret. The one rule is you cannot ask to join, because that would make all their interactions unpleasant because everyone has to join. It's kind of like, was it, the best line I thought was when I outed Beto, with everybody's permission, and you know, they were ready, sir, Beto loved it.
I mean, that's,
I wouldn't say Beto loved it, you know? There he got an overwhelming pain because of, you know, the teenage anonymous text files that he wrote, you know, some of which were, you know, one of which is kind of misogynist. And, you know, another just, you know, seems naive, like "imagine a world without money" was one of his. So whatever, nobody wants what they wrote when they were 16 to be published and then attached to your real name when you're running for office.
Again, all this makes him sound more interesting than he is now. But that's a separate topic.
So the others, I think, came forward in part because Beto was coming forward. And they wanted to show solidarity because he had the most to lose. So the new members they have added, one of them has been instrumental in fighting revenge porn. She's got laws passed, has helped get, you know, some measure of peace of mind for some victims of revenge porn, and has helped press social media companies to do more policing for it. And then there's another woman who has sort of helped stop harassers within the InfoSec community, you know, which is, you know, a checkered group like any other industry. So it's actually kind of cool. One of the things on them is that they had very, very few women, and also few minorities, like a lot of hacking groups in the 1990s, though they did have some of each. In fact, Beto was the one that gender integrated the Cult of the Dead Cow. So I figured that counts.
Is he still skilled? Like, could he hack anything today?
So it was a different era. It was basically text files. He also did some other stuff. He did some war driving. He did use credit cards that did not strictly belong to him. And I would like to give a shout out to the statute of limitations. Many of these people talked to me, they weren't major crimes. I don't know what the statutes are now, but he did run an internet company after graduating college when he went back to Texas, and that included, kind of as an offshoot, a kind of an alt-weekly type of electronic publication, which is why people asked him to run for city council, which he did. So that actually did launch him into politics.
The one that testified against Twitter, sort of during the Elon case, which one was that, was that Peiter Zatko, and he's one of these, right?
That's right. He is both L0pht and the Cult of the Dead Cow, and you
know, I'm pretty, well, you wrote about him? I mean, yes. Do you think he was motivated to help Elon, or like, where, what are his sympathies? Or do you have a read on his motivations to come out on this?
His motivation had nothing to do with Elon. He had decided to come out. He was fired before Elon made his move. And he decided to go pursue the legal whistleblower avenue before Elon showed up. So Elon was this weird element that came in at the end, but he was on the road that he was,
I think he made it more supportive to Elon in a way, like, or no,
I mean, well, it wound up being of some benefit to Elon. Yeah, it
didn't really help. But obviously, every news site goes through a certain prism, and it came out when people were obsessed with the lawsuit.
So just to answer the initial question, his motivation was that Jack had brought him on to make Twitter users safer after a series of hideous breaches. And he wasn't able to do that on the inside for a variety of reasons. And so he decided to do it from the outside. Because this is going to apply real pressure and possible additional regulation onto Twitter. It will be easier if Twitter remains a publicly traded company, because one of the few levers of authority over Twitter is the SEC. And if Musk takes it private, then you don't have that. It looks like Musk's gonna wind up with it. So this might have been the last chance for meaningful public oversight.
Do you think someone like Mudge, I mean, he represents someone coming from the hacker community going to be chief security officer at a major corporation. There have maybe been a few that have gone that, like, hacking to corporate route. In the light of the Sullivan verdict, and maybe just the general trend of the industry, is there more cynicism about that, the belief that you can actually help these companies by working on the inside at all? Are you beginning to see fewer and fewer people from the hacking world want to take corporate jobs in any way? That it's
a tough question. Hackers and security people are at one time, you know, unbelievably cynical, with good reason, and also basically idealists, because the ones that aren't idealists are the ones you don't hear about. They're just out stealing stuff, you know, or they're hatching really, you know, impressive exploits which they sell on the black market or the gray market, which is legal. So the ones you hear about are generally trying to make things better. And you know, one of the reasons I wrote the Cult of the Dead Cow book was to try and, you know, revive that, you know, rescue the word hacker from, like, a negative connotation, because hackers are actually by definition critical thinkers, and that's incredibly valuable in society. I think that this will make people on the margins less likely to want a big corporate job with a title and a car and some money. I think some will still do it, because you do have a fair amount of levers there to effect good. But again, one of the points of the book is that there are many different ways that hackers can contribute to a better world, you know, in government and nonprofits, open source projects. Like, you know, back when these guys were starting, they were kind of making it up as they went. But now there are serious technologists with an ethical bent working for members of Congress. Some of them are actually in Congress. The Red Cross has technical gurus, Amnesty International has tech gurus. There are lots of different ways to do good with a hacking mentality and in a technical sense now than there were then. And you know, the CISO job is looking a little less attractive now than it was before. Before, it wasn't looking
that attractive. So likelihood that Beto O'Rourke is the new CISO at Uber? Not very high.
I'd say very, very low. Keep looking
over. Thanks so much, Joseph. From all of us here at the Cult of the Dead Cow, we enjoyed this conversation. Thanks so much for joining. And yeah, we'll have you back on here. So
thanks so much. This was great. Okay, thanks Sally. Goodbye, goodbye.