Dead Cat with Joseph Menn
EEric NewcomerOct 11, 2022 at 9:28 pm56min
T
00:05Tom Dotan
Welcome Sally. Hey everybody, welcome to dead cat tom Teton here joined by Eric newcomer and we are joined this episode by Washington Post reporter and author, Joe min. Joe has been covering cybersecurity for years, and also has written many books about the topic, including his most recent book called The dead cow, which we can ask about that very fascinating title. I think it involves beta O'Rourke in some capacity so we can discuss that. But the heart of this episode is going to be about a fascinating case that just concluded this last week involving Joe Sullivan, the former chiefs security officer at Uber, who was charged and convicted by spoilers. Yeah. Well, if you read if you read Joe's article, you know,
E
00:58Eric Newcomer
I'm curious how many people are following this case? But I think it's it's not, you know, the Theranos trial, but I think it's a very significant one, an interesting one.
T
01:06Tom Dotan
Yeah, it's a fascinating case about, you know, bug bounties, the FBI, the FTC, Joseph is going to summarize all of it for us. But I will say at the outset, because I know Eric will jump in with here at some point, because when he was covering Uber, you were very much involved in the coverage of Joe's ouster from Uber and kind of the precipitate. Yeah,
E
01:25Eric Newcomer
it was the first report the story, the hack, and Joe's firing. But anyway, Joseph,
T
01:30Tom Dotan
thank you so much for joining. Welcome to the dead cat.
J
01:33Joseph Menn
Yeah, thanks. Nice to be here.
T
01:34Tom Dotan
Let's just summarize the charges here, like what was Joe Sullivan charged with and ultimately convicted of, and just give us the backstory on how we got to this point?
J
01:45Joseph Menn
Okay, well, I think you have to go back to the hack itself. So there were a couple of the young hackers one in Florida, one in Canada, that found in Amazon key used by Uber lying around on GitHub, and then use that to get into a unencrypted backup that had information on all Uber users to 2015. And included phone numbers and other sensitive information. And also a store of information about Uber drivers, 600,000 of them, including their driver's license numbers, so sensitive stuff, they obtained this, they sent Joe Sullivan, then Chief Security Officer at Uber, an ominous email. And, you know, they said, Hey, we discovered this vulnerability, and we're prepared to tell you about it. But we were able to download all this information. And then there was like this prolonged back and forth with Joe and with other security people there. And after all this happened, towards the end of it, Sullivan steered them into Ubers bug bounty program, which rewards you know, more or less ethical hackers with some money, if they discover vulnerabilities,
E
02:59Eric Newcomer
the idealized bug bounty been, I'm a researcher, I see this flaw, I'm not executing on it. But if somebody were to do this, you know, I would get XY and Z and then the company out of the goodness of their hearts, pays them to avoid those people sort of becoming like Blackhat hackers, and also because they're effectively working for the company to find vulnerabilities. Would you say that's a fair explanation?
J
03:23Joseph Menn
I would have some a number of minor quibbles with with the way you laid it out, you know, generally, they're not the payments aren't prevents them from being Blackhat. Generally, the thinking is that these people, they want to be on the right side of the law. And this just makes it less costly for them to make that choice.
T
03:39Tom Dotan
Yeah, they're not at risk teens. Well, this,
E
03:41Eric Newcomer
whereas in this case, they seem a little bit more. Yeah, at risk. I mean, the standard bug bounty is for Uber was $10,000. And in this case, it was ultimately $100,000 payment, right?
J
03:53Joseph Menn
I'll just fast forward to get the basic facts, the case and charges out there. They ultimately paid off the hackers $400,000. They assured themselves that the data had been deleted and been distributed to others. And they had the hackers sign an NDA, saying they wouldn't talk about this. And they're actually the wording of that NDA ones later to be very important. And then nobody knows about it until after Travis Kalanick has gone well. That was a nobody many people the company knew about it, including Travis Kalanick. Because then CEO, Travis gets ousted in a boardroom coup after unrelated scandals. new CEO comes in Dara and arccos. Mashallah, yeah, thank you for pronouncing that for me. And Tony west as general counsel, a lot of a lot of big figures. And this sort of bubbles up again, as a topic. And there's a new investigation and then they basically decided to throw Joe to the wolves but the charges were for not for the payoff itself, but for what is called Miss prison of a felony, which is a rarely charged statute that means Crime, we
E
05:00Eric Newcomer
all have strong intuitions and moral sensibilities of like, I barely know what it is.
T
05:05Tom Dotan
Yeah, I did have to go to Google Translate to make sure I pronounced it correctly. It's misprision.
J
05:11Joseph Menn
There you go. So it is it is not only failing to report a felony, but actively concealing one like taking a form of actions to prevent a felony from coming to light. And he was also charged with obstruction of justice, because there was an FTC investigation of previous breaches at Uber that was wrapping up. And this was, I guess, pointedly not disclosed to them when it should have been According to prosecutors, those are the charges
T
05:35Tom Dotan
right. And he is being fired from Uber. That was a story in and of itself, right. And there was controversy at the time around why he was fired and the nature of it, but the you know, he could have been fired and not been charged with the crime here. Right. These are almost unrelated incidences, correct.
J
05:51Joseph Menn
I wouldn't say they're unrelated. So his firing was controversial within the company. He was not seen as one of most employees did not see him as one of Travis's, like, you know, key hinge people. You know, he was seen as one of the, you know, the more recent hires, and grownups, you know, he hadn't been implicated in a lot of the other sketchy stuff that Uber was involved in. And then it's not just that he was, you know, he wasn't charged randomly, the Uber folks that remained worked hand in glove with the US Attorney's Office to charge Joe. And, you know, they walked them through the whole thing. They built a lot of the case. And then, you know, quite another obvious suspect would have been, the lawyer who was working under Joe Craig Clark, and Craig Clark was so nervous about all of this, that he got immunity from the feds in order to testify against Joe. And Joe, in turn, had blamed like some of this on the legal advice he got from Craig. So it is weird that Joe is not only charged with this very unusual crime, at least one of them. But that he, he was the only person from Uber that has been convicted of anything, as far as I know, in the executive ranks, despite all the other stuff that was going on there. And that he was the only one that was taken down for this particular thing when the CEO and others were involved. And let's just do
T
07:13Tom Dotan
a little bit of background on Joe, because we should definitely set up for our audience that this is a fairly well established, well regarded person in the cybersecurity industry. I mean, what was his background before you taking on this position at Uber,
J
07:26Joseph Menn
so he, he was actually a federal prosecutor back in the day and he was one of the early enthusiast about developing cybercrime as expertise. So in fact, you know, he was, he'd worked in a couple of different offices, but in, in the San Francisco US Attorney's Office, which later prosecuted him, he had helped set up, it was a, you know, initial member of their cyber team. And then he, you know, like Manny, he left public service to make some decent money. And he went to Facebook, where he was in the earlier phases of Facebook, he was the chief security officer there, you know, as was sort of well known in the field from that point on, because Facebook was the subject of a lot of attacks, a lot of attention. And, you know, he did a lot of things that are now sort of industry standard practice, including, you know, red teaming, you know, hiring people to attack the company to see how they did. And they also paid bug bounties and stuff like that. So he went, he was there. And then he went to CloudFlare, which is maybe, you know, arguably more interesting because for him, because lots of international stuff, terrorist stuff, all kinds of really sketchy people use Cloudflare. So it's really interesting from like, an intelligence perspective, as well as a law enforcement and garden variety, security perspective, and also cloud FERS, like a security company. So I think it was playing a more central role
E
08:47Eric Newcomer
after Uber, right?
J
08:48Joseph Menn
Just sorry, yes. Let's get to
E
08:50Eric Newcomer
these. I mean, he's hired at Uber in 2015. And then basically out
J
08:56Joseph Menn
after a really bad breach, after bad breach, right.
E
09:00Eric Newcomer
And then ousted in November 2017. And so yeah, he's not sort of the super early days, Travis, but he's there for some of the core sort of Travis years. And And when those years come to an end, yeah,
T
09:15Tom Dotan
well, and Joseph Joseph was characterized as a little bit but you know, Eric, from just covering Uber so intensely during that period, how does he kind of fit into that the Travis hierarchy, I mean, he's not a founding guy. He's not one of his, you know, one of his guys who builds the app, but he is a key player in the scaling of the service, right, and ensuring that it remains, at least for a time free of major breaches of data, and you know, the kinds of things you would need for an app that is catering to millions and millions of people, right. I
E
09:42Eric Newcomer
mean, I certainly a lot of people agree with the idea that it's crazy that of all the executives at Uber, who have gotten convicted of something, it's Joe solvent, who I do think as a former prosecutor, was seen as sort of a stand up guy and definitely not so some diehard Uber loyalist and definitely sort of a professional executive coming from Facebook, that said, you know, Joe Sullivan, you know, is given some legal authority at the company. I mean, part of this case is, there's sort of a weirdness of the his deputy reported up to him and not sort of the general, the overall legal officer. Joe Sullivan was also like responsible for some of the I believe the physical surveillance that Uber did, including over like Gene Lu, their competitor, well, it's not illegal, I don't think it you know, is involved in some of the sort of intense Travis era, like, we want to know, like, what's going on with our competitors. So I don't totally agree with the idea that this is somebody who totally divorced himself from the aggressive behavior of Uber during the Travis Kalanick era. And then, sort of figuring this out hack out fits into the sort of Travis strategy of, you know, one might say, like creative problem solving, when it comes to to navigating trouble and sort of legal gray areas. Yeah,
T
11:04Tom Dotan
well, let's get to the case itself. Because, as you say, there is a bit of a divergence between the bug bounty program and you know, the way you sort of deal with white hat hacking and what the government actually was charging him with. So why is it that the FTC is even investigating Uber during this period? And what are the actions that Joe took that ended up getting him charged with the crime?
J
11:26Joseph Menn
Well, there was a, there was a massive breach in 2014, that was kind of similar. It was like a great a great spill of user data. And so the FTC was investigating, and it was going to, you know, come up with, you know, various consumer consent decree type stuff, where they have to agree to do some basic Good Housekeeping in terms of, you know, real security for that stuff. And he was near the end of that investigation is one of the sort of the ironies here they they, you know, they were still asking questions, but we're on, I think, the fifth or sixth, the sixth round of questions that the FTC had sent over, before this happens. And before Joe gets in trouble, they go to another attorney, the privacy attorney, the head of the head of privacy at Uber, and she is somebody who is being kept roughly in the loop about this breach by Craig Clark. So Craig Clark had a dotted line to you know, the General Counsel's Office. It is true that Joe was Deputy General Counsel, but he didn't sort of caucus with the legal department. He didn't have meetings with illegal,
E
12:31Eric Newcomer
does that make it even sketchier? Why he's Deputy General Counsel, but he's not sort of looped into that hierarchy.
J
12:38Joseph Menn
I don't know about it being sketchy. I think they're, you know, it's a nice title to have. It may have been ill advised in retrospect, but he wasn't, I think he wanted authority to do certain things. And, you know, Uber, as you know, from covering the company was super siloed. You know, basically, yeah, I think he wanted to have, you know, to exercise some power over over things that he couldn't without that titles. But it is clear that there that that Craig, you know, did blow the whistle on other things. And a lot has been made, in fact that, you know, he was reporting to Joe. But he also, he also told his success of privacy bosses in the general counsel's office about what was going on with this case. And those and those were the people that were answering the FTC questions. There was some emails, it was in there a couple emails introduced as evidence that asked Joe to look over some stuff and say, you know, is this right, do you have any problem with this? And one of those answers out of a long series of answers was, there haven't been any bad breaches, you know, since that, or something like that. And that's what he got in trouble for not flagging, but it wasn't like the strongest eight, you know, it wasn't the strongest evidence in the world. I think there was more problems with the wording of the NDA, which said that in order to get this $100,000 check, they said or maybe was Bitcoin they said, The statement said, we have not taken or kept any data from Uber as part of our as part of our explorations. And that was false, because they had so the in the jury, you know, the lawyers in the case got into, like, who did the edits on that NDA? And Joe did some edits, but did not that one. So the prosecutors were arguing that even though Craig Clark was the one who had put in those words, Joe should have edited that and maybe he was like, the brains behind that ad. I mean, it is thin. I mean, it's it is really thin. It seems like there was a lot of judgment call in this, you know, by interpretation by the by the Feds and by the jury,
E
14:42Eric Newcomer
but when Dora comes in and asked Joe about this, Joe doesn't tell Daraa all the details of the case. Correct.
J
14:51Joseph Menn
So there is an email an early email, where Joe briefs Daraa that okay, there was an incident we're handling it this way. And that email was fairly circumstantial, and he'd asked his people to brief him. And one of his people had sent an email saying, well, we basically got extorted. And you know, it was terrible. And then Joe gives Dara a pretty sanitized version of what it doesn't include
E
15:17Eric Newcomer
the amount of money calls it a bug bounty, right? Yeah. And all Ubers bug bounties before this, like 10,000 was the max, this was 100,000. These people downloaded the files, normal bug bounties, you don't download it. I'm sorry. But I'm just like, I think there's an interesting discussion. And this comes in through your story. Definitely, like now we're in this era, where everybody's paying for things, would we view this in the same light, I get that point, I'm happy to have that discussion. But the idea that this was a hack that was then tried to frame during a bug bounty, during a time when Uber was in trouble with the FTC, and negotiating with them to make sure that this didn't fit in to the kind of breach that they would need to disclose to the FTC. It just seems like a pretty compelling case to me. And now the jury jury has convicted them. And I still think that like the tone from sort of cybersecurity world is like, shock, that there will be convictions here.
T
16:15Tom Dotan
Let's get to that in a second. Because I want to understand in the in the, in the course of the case here, what was the characterization that the prosecution had of why Joe would do that? Why Joe would, you know, keep this from Daraa, in a way that, you know, they define his criminal as misprision. And obstruction of justice. I mean, Joe, is a tenured security officer used to be, you know, with the US Attorney's, I mean, what was the kind of depiction that the prosecution had on why someone would do this,
J
16:41Joseph Menn
they were arguing that he was acting out of embarrassment that he didn't want his reputation, as you know, a very respected member of the Security, Defense Security world, it to be torn asunder, because he allowed this terrible beach to happen on his watch. I personally don't think that holds water, there's all the internal traffic about the matter. It shows that for quite a while, while they were working on this, Joe was saying, we don't know whether this is going to be something we have to disclose or not. We don't know whether we can call it a bug bounty and pay some money and have it go away, or we'll have to disclose it. But that was certainly something that they were you know, they they saw it as a major possibility. The reason they didn't in the end, was that they were convinced that the data hadn't gone beyond these couple of hackers, and a couple of hackers wished them no harm. That is not something that would normally be charged criminally, that might be a big screw up. And you know, maybe he gets personally barred by the FTC from, you know, serving on company boards or something or another maybe the you know, but it's it that is just a real outlier is a criminal
E
17:50Eric Newcomer
element you not out of your story. And you know, better than I do, and I'm interested in especially is like, this idea that we're the prosecutors trying to get him to flip on Travis Kalanick. These are gonna be sort of a double situation here where Joe gets defended, because he wasn't the CEO, he was the CISO. On the other hand, why if the issue is that everything should run up to the CEO? Why didn't Joe flip on Travis here?
J
18:16Joseph Menn
So the evidence, so they were trying to get to Travis, who would have been a big feather in any US attorney's cap? And they did get evidence from Joe on that, then that that evidence was actually fairly substantial. There were lots of texts and, and phone calls and conversations. And Travis said things like, yes, this would be great if it's a bug bounty, but there wasn't a direct, cover this stuff up. Don't let the FTC find out about it. There wasn't a smoking gun. So there was a bigger paper trail on Joe, because he was kind of in the middle of it the whole time. It's weird to call this a cover up when they were like, you know, forget something like 30 people who knew about it. This was not a you know, go meet and take some cash, you know, and meet somebody in a back alley with a briefcase. You know, they worked through the bug bounty platform. You know, hacker one, that communications team up to Rachel Whetstone knew the facts of the case within 24 hours.
T
19:15Tom Dotan
She's the Chief Communications Officer for Uber right
J
19:17Joseph Menn
time, right. And so she did, Travis did tweet Joe told everybody he was supposed to tell. So I mean, it's up to Travis whether or not to you know, you Okay, make sure you coordinate with the general counsel on that. He didn't say that,
E
19:30Eric Newcomer
including that this stuff had been downloaded by the hackers. And that it was basically and they were going to try
J
19:35Joseph Menn
to recover it. They were going to try going to try and suppress it. And that's another thing is like, it's not you know, that NDA is pretty shady. But they were using this whole process to identify who these people were, because they were anonymous when all this started. And they stayed anonymous to a lot of it. And because they were getting them to sign things and if they did it an electronic signature would leave their IP address and then they'd be able to track them. They get that, and then they surprise, the surprise that by showing up in person and saying, now we need your real names to sign this, or the bank's not gonna let go, you know, they'll flag the you know, the IRS. And so that's really important. And they did that not because they want to get these kids arrested. That's true, but because they figured that that was the only way to reassure themselves that these guys really aren't going to do something worse with the data. And then
E
20:21Eric Newcomer
they basically get these hackers to say, Oh, you were like working on behalf of Uber, basically. Right? Isn't that part of the agreement? Or my misunderstanding that?
J
20:29Joseph Menn
Well, I mean, part of the bug bounty program was like, they were reporting a vulnerability and thanks for that. And here's your reward. Right. And, you know, 100k is a lot of money.
E
20:38Eric Newcomer
Sure. Not for Uber, though.
J
20:42Joseph Menn
And for the amount of damage that could have been done with that data. That's that's actually a pretty reasonable.
E
20:47Eric Newcomer
I'm certainly not saying it's a bad corporate decision. I'm just saying, you know, their moves.
J
20:51Joseph Menn
There's one things Dara said later, there are different stories, you know, between when he was fired, and now, but Dara said, like deras most recent version was he fired him because that one, he couldn't trust yourself. And after that email, that under, you know, that underplayed the breach, but that he would have made the same payment himself. That was an appropriate payment. So I mean, looks to me like they were looking for, you know, the Feds were hoping to get to Travis and missed. And you know, Dara wants Uber, 2.0. He doesn't want any trace of back door is
E
21:25Eric Newcomer
allowed to fire he's allowed to fire people. I do agree with what Tom said not not I understand that Uber has sort of held this case, but they're allowed to like fire somebody who feels like, I'm trying to clean up the company, and you're not being open about everything that's happening. I get that. Yeah, they announced this hack. They have two people in my story that they're firing over it, Greg Clark and Joe Sullivan, and they say, Okay, we're cleaning house. But like, Yeah, I mean, the they were the people who did it in Daraa had a like a different point of view on whether it needed to be disclosed to the government. I mean, is that and then they did settle with all these state governments, they paid more than 100 million in fines to state agencies. And now there are two convictions. And also we haven't brought up the fact that the hackers themselves who got who participate in the bug bounty, I believe they also pled guilty in this case. So if the legal system works at all, every part of it, settlements, Jury convictions, hackers pleading, like every part of it has come down on one side of this. Sorry, that was more passionate than I expect you to be. But I don't know. I feel a little crazy on it. It's like this. This has been borne out.
T
22:29Tom Dotan
Well, can I ask, you know, when it comes to the state of Uber, and the way they were involved, were involved in this case, because technically this is not their case. They're not suing him. This is the US government. That is making the case here. Daraa testifies here, he testifies to the fact that he just couldn't trust Joe anymore to why he fired him. And I guess, if people below him, why does the either prosecution or defense and I imagine it might have been the defense never subpoena Travis, why do you think Travis never appears at all? In the trial? It seemed like he could have been a key person to kind of make the case one way or the other as to whether or not this was a cover up? Or how many people should have known about this? Did that ever come up in discussion? Like strategically why he never appeared at all?
J
23:11Joseph Menn
I'm sure it did. I don't know that I wasn't privy to those discussions. I don't know why. Yeah, if I were Travis, if I did get subpoenaed by either side, I would have asked for immunity. And the feds, you know, that's probably not a good look for them. So they probably wouldn't have offered it. So probably he would have been, like a hostile witness for either side.
E
23:29Eric Newcomer
Or you could plead the fifth, right. I mean, he
J
23:31Joseph Menn
could plead the fifth, which is not going to help the defense or the prosecution, and it's not going to make him look good, either. So I mean, it would be dragging him in there, and then it wouldn't be productive. That's my best guess off the top. My
T
23:43Tom Dotan
interesting.
E
23:44Eric Newcomer
I mean, I do think there's, I was gonna say this earlier, but, you know, I feel like there's a classic human story where somebody is sort of, you know, the do gooder Boy Scout, and then they get sort of dragged into this somewhat sort of shady organization with, you know, the leader who's trying to sort of complicate things, and yeah, this sort of ethical boundaries get tested. And then this sort of clean guy ends up the one, you know, because they made the call ends up the one on the hook, even though the architect of it all probably set the organization up in that direction pushed people to behave in that way, but then knew better than to, you know, put their name to it. I feel like that's like, a sort of a classic, classic story where it's like, yeah, if you want to be sort of the Boy Scout, you have to stick to your principles, even this mucky organization. So
J
24:34Joseph Menn
I think that's a little too tat. But as I wrote my story, bug bounties have been used to hide a host of bills, increasingly since the time this happened. So they get used to pay respectable the hackers are trying to do the right thing. And they also get you hate paid people to shut the hell up. Right they you know, they are as likely as not to come with non disclosure agreements. Now you and some of those apply to things that, you know, the company should be required to disclose, and are not, and are not disclosing not just something they're not fixing. But like breaches that are, you know, things that probably lead to previous breaches in the real world in this stuff is pretty ugly. Right? My guess is that Joe thought he was skating close to the edge, but it wound up doing the you know, the right thing by you can make a really good argument that he was doing the right thing by Uber users, because they went through all these hoops. There was some shady language, there's some stuff that should have been disclosed. But the data didn't get out. And if he and if they had called the Feds on these guys, the data very well might have gotten out.
E
25:41Eric Newcomer
Yeah. And I think nobody here is like, Oh, my God, the public was so terribly victimized this crowd, you know? Yeah. I mean, it's very much Did he follow the letter of some law? Not? Did he have some terrible effect for a bunch of drivers or people? It seems like exactly like you're saying,
J
25:58Joseph Menn
I think that's important to remember. Right?
T
26:00Tom Dotan
Yeah. Well, that's what's interesting about this case, because, you know, you obviously covered it. And as I was Googling it, I did see that almost every major outlet did have some reportage of it as it was going along. But the trial didn't set the world on fire, you know, it didn't become the Elizabeth Holmes trial, or think of any other high level tech trials.
E
26:18Eric Newcomer
Nobody's saying this guy's the embodiment of Travis Kalanick. Era, Uber. I mean, I think that's, you know, it didn't become a proxy for that. Right, morally ambiguous and
T
26:27Tom Dotan
Right. Right. It did sort of seem like this was, you know, the government's attempt to bring some accountability to Travis era Uber, and like, we're saying it ended up falling on this one, you know, prior to this point, pretty clean actor in the InfoSec. Community. And, you know, it sounds like the government made a compelling case here that he was a bad actor in this particular way here, but the actual harm to, you know, the average citizen reaches, wasn't there. So, I mean, is it fair to say that he is kind of a fall guy for a larger issue that, you know, he wasn't necessarily responsible for, but you know, there had to be some head on a stake somewhere, as far as the government was concerned in terms of charging him at night?
J
27:07Joseph Menn
I think the answer is yes. And, you know, I don't think they were taking into account. I mean, they, I think they were trying to make an example of him in like Uber land, but I think they may be less than thrilled about the example they're sitting in chief security officer land, where people are freaking out, and are, you know, worrying if they what their own liability is. I mean, it's already like famously one of the worst jobs on the planet. I mean, out Alex Stamos used to joke that like Sue Sue comes from a Greek word meaning he who has sacrificed After
T
27:43Tom Dotan
Alex Stamos, former chief security officer of Facebook, guys, yeah, that's a great line.
J
27:48Joseph Menn
I mean, it's, you know, it's up there with Russian Submariner and Chinese coal miner, you don't want to be see, so even before this, I mean, you're you know, there's like you, you only get famous if you fail, right, you can also make the argument. I mean, I've covered the security industry for more than 20 years now. And like, you know, the most important person in charge for company security is the CEO. It's, it's not the seaso. And the second most important is the CFO, right? Because he's deciding how he or she are deciding how much you can spend on defense, which is like, you know, make stuff from the bottom line disappear, as super hard to value, what gain you get from it. So, you know, many people are in the position of, you know, Twitter comes to mind, Majid Twitter, where you given this awesome responsibility and no actual power, it needs to be like a cultural thing. Because you know, every everybody else in the organization has to play ball. They didn't have Twitter, and they didn't have over
T
28:44Tom Dotan
the InfoSec. Community, as you said, they were watching this case very closely. They obviously are not happy with the outcome in terms of making the job even more of a liability for the people who do it. But was there any sentiment among the InfoSec community that, you know, Joe didn't maybe handle this in the best possible way? And there was some sloppiness in the writing of the NDA the the correspondence he had with the people above him, that maybe someone who told the
E
29:09Eric Newcomer
SEC if you're in a negotiation with them, if you have other skeletons in your closet, like I mean, clearly what the government wants. You're right.
T
29:16Tom Dotan
Yeah, I guess. Yeah. The question is, is was there a sentiment of saying, yes, overall, he did the right thing, except for in the various specific ways that the government nailed him. And if he were just a little bit more careful here, he could have been well clear.
E
29:30Eric Newcomer
Put this in a layman way. It's like, no reporter wants your reporter convicted, right? Reporters always cheer for like, Free Press cases. But then sometimes there are particulars of them. And like some, you know, you're like, well, Gawker maybe shouldn't have published like, a terrible sex. You know, it's like, okay, I understand why Sisa would always say don't convict to see so journalists never want to see journalist convicted. But then these things get decided in the fact patterns. And like, yeah, I guess is there a sort of a fact pattern that can separate this from what CISOs are doing a sort of day to day.
J
30:01Joseph Menn
So first of all, I would say that there are some instances where I think people reporters should get sued for libel and lose, I'm not going to defend every single member of my profession.
T
30:12Tom Dotan
I don't think I could defend half of them.
J
30:14Joseph Menn
So I think the majority feeling among chief security officers is that Joe got a really bad deal. And I again, I mean, there's a lot of evidence on both sides here. But one of the things that came out is that Joe was never accused, Joe was was grilled by the FTC. And he was never accused of lying to the FTC, they, you know, it was a sin of omission, where somebody else was sending in the thing and one of a bajillion emails that Joe is supposed to read,
E
30:39Eric Newcomer
but misprint, misprision can include, not omission, right? It isn't an omission. It has to be an active thing. But it doesn't it doesn't have to be a direct lie like you
J
30:49Joseph Menn
can. That's correct. That's correct. Right. But you know, like I said, this is not this is not a slam dunk case. And the jury struggled for four days, right stuff. Most chief security officers, chief information, security officers are deeply unhappy about this. They're used to being scapegoated by their own companies. And now they have to worry about being scapegoated by the feds, as you know, in some cases in collusion with their companies, then, you know, it's not just a tariff fired him. It's a you know, Dara had him frogmarched into the US Attorney's Office.
E
31:20Eric Newcomer
I mean, the hack was never like a core Uber scandal. That's part of what's bizarre about this whole thing. It was sort of like, a trailing end thing. I mean, my understanding is this, the Uber hack was, like, disclosed. And like one of the whistleblower, they had, like some security officer at Uber, like sent a letter, like, seemingly, I think, shaking them for money. And then so then this hack was in that. And so then there becomes more of a likelihood that it comes out, you know, but it was my boys just as sort of a tail end scandal. So it is sort of absurd that this would be sort of the most litigated Travis
T
31:55Tom Dotan
conviction. Yeah, I mean, it's like it's not even getting Al Capone on income tax evasion. It's like getting a third tier goon on alkatone squad charged with a crime. And that goon actually happens to have been a pretty clean guy up to that point. It just sounded like he did potentially, or I guess, as the law said, you know, break it in the very particular way in which he was charged. I mean, it is, it is bizarre, I agree with you.
E
32:17Eric Newcomer
There is another Uber executive who has pled guilty to something, though, not for his activity, I think at Uber necessary. Anthony Levandowski Of course, of course, pled guilty for stealing trade secrets, and then was pardoned by President Trump. I feel like that whole news cycle got totally washed away, because like, it was at the end of the Trump presidency, and then January 6 happened, but Anthony Levandowski you know, the whole Waymo guy pled guilty and then was pardoned by Trump. So I think, you know, I somebody was laughing at me and Uber, former Uber exec was, like, you know, are we gonna get another pardon? For you know, it's, uh, sorry, jokes about Joe. But yeah, well, Joe Biden, you know, step up here.
T
33:01Tom Dotan
I mean, what is the expectation in terms of a sentencing for this kind of a, you know, crime? So
J
33:05Joseph Menn
I mean, in theory could get update yours? I, you know, I don't know, if they're mandatory minimums, you know, or what the accepted range is, you know, he didn't help them by testifying against anybody else. The real answer is, I don't know. You know, and I don't normally cover criminal trials. So, you know, maybe he gets maybe he gets a couple years. And maybe it's probation or something. But it would be deeply unpleasant for anybody, but he's a former federal prosecutor. So to put them in a federal jail with people that he has jailed or would have, you know, that's, that's, that's not cool. Yeah. So yeah, I'm guessing he would be segregated somehow.
T
33:45Tom Dotan
Yeah. Cyber jail. Jesus did. He's
E
33:46Eric Newcomer
a former federal prosecutor. I mean, I, you have to imagine that animated the prosecutors somewhat this of all people who shouldn't be sort of the letter of the law.
J
33:55Joseph Menn
Yes. And they argued that here's, here's one guy who does know what misprision of a felony.
E
34:00Eric Newcomer
Right, the only only person in the court? Yeah.
T
34:03Tom Dotan
What sort of precedent Do you think the government was trying to set with this case here? Because it is, like we've said multiple times a bit of a tangential crime when it comes to Uber itself, or even the broader, like hack community? I don't even think it's the most interesting hack I've heard of in the last like year, a little over 510 years. I mean, if you were to look at what kind of outcome broadly that the government was trying to get from this, you know, lessons learned, what would you say it is,
J
34:29Joseph Menn
you know, the most? Most charitably, I would say that they're trying to send a message that just because the CEO is a cowboy, doesn't excuse you from doing what the cowboy wants at the expense of the law. I guess you could also say that, you know, reaches are a bigger deal than they used to be security is a bigger deal than it used to be. There's all kinds of national security implications. You know, we the US has sanctioned ransomware groups that are too close to The Russian government, you don't they don't, they would rather those people not get paid off. In fact, that's one of the few ways you do get in trouble is if you send a ransom payment to one of these sanctions groups, you know, so maybe everybody should is just has to be on their toes more about how they treat beaches, including the disclosure aspect.
T
35:17Tom Dotan
Can I ask I mean, part of the purpose of this show is we try to go a bit behind the scenes of the reporting of stories and the relationship that reporters have with the company. I mean, this is an interesting case of, you know, Uber is obviously a key material presence within this tribe. They're obviously providing evidence that is very useful for the prosecution here. But you know, what, sort of, you know, information interference, did you sort of get from Uber, as you were doing the story in terms of, you know, trying to encourage a specific point of view? I mean, how much were they trying to influence the coverage of this case? In any way? Because I think it's look, transparently, I've seen it a lot. Uber is very interested in the story. But I'd be interested in seeing, from your perspective, what you saw,
J
35:59Joseph Menn
I didn't have much interaction with them, you know, in the in the end stages of this, when they fired Joe, it was weird that they did not go to any security reporters,
E
36:12Eric Newcomer
they went through an overview of where they went to a loser.
J
36:15Joseph Menn
Well, I mean, I think that they were spinning hard when they fired him that like, they here's the root of all of our problems, where we did a big, big investigation, and we found this horrible stuff. I mean, there's a lot of nuance here. Yeah,
E
36:29Eric Newcomer
they don't say the bug bounty. I mean, they go on the record about the story. It's not like they like, you know, I think I quoted Daraa. In this story. They don't talk about the bug bounty, they certainly talked about the size of the breach. I mean, it's true, Uber paid hackers to delete stolen data on 57 million people, company paid hackers and 100,000 Delete info, keep quiet.
T
36:50Tom Dotan
Right. But this is, again, this is the difference between, you know, his being fired and the actual case. I mean, you would think, Uber at this point, this is something that happened in the past, they wouldn't care as much about, you know, let the law and the legal system take its course, it's interesting to me, Joseph, that they actually were not that kind of involved at all in your coverage, and in pushing you one direction or another.
J
37:11Joseph Menn
Well, at this point, there's this copious public record. So that's, you know, when people are testifying under oath, I find that a lot more convincing than what people are saying outside of court. Yeah.
T
37:20Tom Dotan
Let's broaden this out a bit. Because I've said, you know, there are broader implications here. So you were saying that, you know, in the seaso community, this verdict was met with kind of terror, that they felt they've already taken one of the worst jobs in the world and made it even worse. I mean, anything more to that aspect? I mean, what do you see in terms of outcomes from, you know, getting, you know, a CISO, on the hook for what some people in the community would view is fairly standard.
J
37:47Joseph Menn
So I'll give you one tangible thing, and one less tangible thing, the tangible thing is that CISOs are looking for personal lawyers to advise them on what their liability would be for any feelings on the job. The less tangible thing, which I think is dangerous, is that CISOs will now be much more likely to go go the mud route and blow the whistle and calling the Feds by whatever, you know, legal means they can, so they're not risking anything, which is, you know, a real harsh, gambled to take one and so on. But that will make them seen internally as as, like, internal affairs officers as cops. And that may mean that people under them with security responsibilities, keep things from them, because they don't want that to get reported out. And that's kind of a disaster. That's like the thing where like, you know, in a police internal affairs unit, like, you know, they're given the cold shoulder by other officers, because they're the ones hunting for cops. So that's miserable. Like, you know, like I said, you know, CISOs got to have the culture on their side, they got to have the CEO, the CFO and other departments on their side. And if they're not, if they become seen as someone that could rat you out, like a compliance officer, then that's a bad dynamic that takes a tough dynamic and makes it
E
39:10Eric Newcomer
let's let's get rid of Internal Affairs soon. I don't know, I I just don't see how I think, you know, these investigations being disclosed to the government is so bad. I mean, you know, there are lots, you know, there are plenty of SEC filings where, you know, a company says, you know, some hack happened, and they happen so often is it that damning the company that it'd be publicly announced?
J
39:31Joseph Menn
Generally? No. I mean, the stigma has gone away for most of this. So you know, starting with when Google said, you know, owned up to getting hacked by the Chinese, nobody thinks that Google's a bunch of idiots. So, I mean, it has continued. I mean, everybody gets hacked. The US government gets hacked. You know, there's, you know, the NSA has been badly hacked. I don't think disclosure is a bad thing. I'm in favor of disclosure. I'm in favor of more forced disclosure. I'm talking about like this, this unanticipated impact which could be which could be bad. Yeah, for a core security and you know, maybe we'll know more, but security might not get much better.
T
40:05Tom Dotan
Do you think that this in a way is going to have a hugely deleterious effect on bug bounty programs that companies will just back away from that as a whole, because they see that it just skirts the line into an area that if the FTC for whatever reason, wanted to prosecute someone for it, they could find a way to do it,
J
40:22Joseph Menn
I think they're going to make bug bounty programs more fraud. It's also true that some of them deserve to be more fraud, that the you know, they are the you know, there are there slathering makeup on a pig. Sometimes the you know, the early bug bounty programs were seen as part of a coordinated vulnerability disclosure program, which is from the olden days, when a hacker says, hey, you've got this problem, if you don't fix it, I'll go public, I'll give you 90 days or whatever it is, which is what Google gives people, when it finds bad flaws and somebody else's program. That's kind of the industry standard. And then usually the company fixes it. But if they say, Yes, not really a bug, that's a feature or you know, it's not really urgent, we'll get around to it later, it's not that severe, then the person goes public, the way bug bounty programs have evolved, they get most of their money from the companies. And they're seen by some companies as a way to control the hacking community. Because if they don't, if they don't shut up and take the money, then they don't get to participate in the in the bug bounty program anymore. And there's a, you know, two or three big bug bounty platforms. And if you're not welcome on any of them, then you're it's going to be much harder for you to make a living without selling your vulnerability information to governments or the private sector, or brokers who might flip it to somebody who flips it to somebody who flips it to the Chinese is a very, very uncontrolled world out there. And bug bounties were one way to bring people towards the light. And I'm afraid that they are doing a lot less of that now than they could
E
41:53Eric Newcomer
Are you covering the whole bye Nance hack, by the way, or like,
J
41:55Joseph Menn
I am not, in part because there's so many crypto hacks these days that you know, you you wouldn't do anything else. And in part, because in this particular case, there don't appear to be human victims that were tokens that were lying around. So it's not as bad as some of the others. Oh, interesting.
E
42:11Eric Newcomer
Just like 500 million, just like on so yeah, with it just created out of thin air, I guess if somebody gets their hands on it, right.
T
42:20Tom Dotan
That's fascinating, actually, what I mean, have you written much about crypto hacks? I mean, like you bring up it's very difficult to, you know, discuss things in terms of human terms. And they're so common these days. I mean, what's, you know, in the, in the InfoSec? Community, what is the thinking on the security of your shit in the in the web three world?
J
42:37Joseph Menn
It's terrible. But, you know, it's like, the whole crypto stuff reminds me of 1999 when I was covering the.com, boom, and you know, this stuff was absurd on its face. So, you know, how do I really want to devote my time to explaining, you know, how this particular one is a little more absurd than others? Or can I just let people figure it out for themselves and then go something that's, you know, it's actually kind of hidden. It's just, that's my general take on it. I am interested in crypto as a as a means to launder money. I'm interested in it as like kind of the rocket fuel of the ransomware plague. And it's, you know, kind of interesting that, you know, North Korea and other unpleasant places are, you know, using it, it sort of monetizes pure hackings in a way that nothing else has. I mean, you're talking about like, bug bounty payments are not enough to compete with what the NSA or somebody else is going to pay you for vulnerability information. But really, you know, you can also use that information to do the hacking yourself. And you can make a tidy sum of money. I mean, an enormous percentage of crypto that's floating around there has been stolen from somebody else who had it at some point or another.
T
43:44Tom Dotan
I feel like the bug bounty program in crypto is literally just you like taking the money and then saying, hey, look, I just got $100,000 of crypto coins because your stuff is so hackable, there's my bounce, and
E
43:54Eric Newcomer
then they're like, please, they're like, if you give us 90% back, we'll let you keep 10% of it.
J
43:59Joseph Menn
I just did want to talk about my book. Yeah. Yeah, absolutely. Yeah. Because some of these things go, you know, go back to it. So the the people in the book were the people that came up with coordinated vulnerability disclosure. You know, one of the people I quoted in my article, Katie Mistura, says In it, he is the people that did the the core innovation, and not by coincidence, were people who wrestled with ethical questions all the frickin time. And, you know, being now, you know, I guess a veteran of this stuff. One of the things I was trying to do was can convey to newer people in security, you know, give them a set of shoulders to stand on, they can choose whichever one they want, because they often disagreed with each other, but to think about us to think about these sort of philosophical questions, because now unlike before, it's a nice clean profession where you can go to a nice college and get a nice job in a nice company and do cyber things without ever having to think about are there some circumstances where you should break the law? Are there you know, what if your your employer wants you to put it back Door, what do you do? There? Are there fascinating ethical issues that come up every day and security. And it bothers me that people who are like 25 years old, without any history of, you know, you know, playing in the gray areas are, you know, are more inclined to do what they're told, then to figure out for themselves. What is ethical?
T
45:21Tom Dotan
Can you tell us a little bit about the Cult of the Dead cow? What is it and how does it involve current gubernatorial candidate in Texas, Beto O'Rourke,
J
45:28Joseph Menn
who was not the not the only politician to call for loosen marijuana law, things like that. So yeah, I suppose the better O'Rourke, he was a teen hacker, but it's not like, what's funny is that his politics actually kind of match what he was doing back then. I mean, he's like, exposed for having like, pushed for the things he's like, you know, pushing for a politician. So it was a pretty clean exposure, like
E
45:51Eric Newcomer
Beto is just as cool as you thought. Right?
T
45:54Tom Dotan
So if he wants to take away our guns,
J
45:56Joseph Menn
a lot of people thought he was both Well, you know, I just thought he was a pretty white boy. And then I read this as the first is the most interesting thing I've heard.
E
46:04Eric Newcomer
Yeah, he was sort of fake, cool. And then it was like, oh, maybe is there's real, he was cooler back
T
46:08Tom Dotan
then. He was like Christian cinema, there was the
J
46:10Joseph Menn
punk band. But yeah, but I digress. So the Cult of the Dead cow is the oldest hacking group that is so functional. In the United States. It is also the most influential hacking group in the history of the United States. It was spawned in the 1980s, in Texas by some bulletin board operators. And if you don't know what that is, you can ask your grandparents, they morphed several times, but we're always sort of at the cutting edge of hacking, which makes them a really interesting vehicle to talk about all these, you know, choices that were made, and why they were mates. If you came of age in the 80s, in the time of the movie WarGames, you would know the Cult of the Dead cow through their funny frequently profane, esoteric text files, which could be about anything, and we're sometimes political. And then because they were sort of like the cool kids in the hacking scene, some people with actual hardcore sophistication and hacking, so we're asked to, you know, we're invited to join, and we're eager to join. So that includes people from the loft, the great Boston hacker space, folks that testified before Congress in 1998, that any one of them could take down the internet in half an hour. So these technical people came on. And then in DEF CON, the great, you know, Giants hacking convention that was sort of coming of age, and getting really big in those years, the Cult of the Dead cow through CDs into the crowd that contained back orifice. And then back office 2000, which were successful programs that would allow pretty much anybody to hack a Windows machine. And that was certainly controversial at the time. But that helped to get press, which helped put actual pressure on Microsoft to fix things. Because Microsoft was a monopoly and was not being responsible when people like the law said, Hey, you have this major flaw in the architecture. So they were like they were pushing the envelope, they started using the media to try and put pressure on these big, pretty untouchable software makers. And then they invented hacktivism. They coined the term activism, which they defined as security work in service of human rights, which includes per international treaty, the right to information. So they got sort of political in hacking terms. And then more broadly, they push Tor to include a browser because they're releasing their own their own browser for Tor. And they helped inspire the Citizen Lab at the Munk School of International Affairs at the University of Toronto, then Citizen Lab are the world's greatest experts on tracking how government spy on their own people. They, you know, if you know about the Pegasus, spyware that the government's use on their own people, that's largely because this is the lab and they do this all the time.
E
48:46Eric Newcomer
Are they active today? The Cult of the Dead counts? They
J
48:48Joseph Menn
are they are but they're, you know, they're grown ups. They actually are, you know, you had some new members now,
E
48:53Eric Newcomer
did you ask them all? Or is it sort of secret? Or what's the level of like, we know who everybody is.
J
48:58Joseph Menn
So one of the sort of pleasant surprises in writing the book is that in the end, all of the core members through the history of the group agreed to let me use their real names, including people, you know, some had been added before. So Peters acto was a member, most recently famous for testifying in Congress about the security disaster that is Twitter, Chris Rue, who had been outed, he was founder of Veracode, which is a billion dollar very important security company. Mudge also ran DARPA, cyber grantmaking. So these these are very serious people, but many others have not been added, including the founder of the group and Zadar, who is now running for
E
49:36Eric Newcomer
governor. They're letting new people in there, what's their initiation or
J
49:39Joseph Menn
it's all terribly secret. The one rule is you cannot ask to join because that would make all their interactions unpleasant because it has to join. It's kinda like was it the best line I thought was when I added Beto and with everybody's permission out and you know, they were they were ready sir beta loved it.
T
49:56Tom Dotan
I mean, that's,
J
49:57Joseph Menn
I wouldn't, I wouldn't say better loved it, you know? There he got he got an overwhelming pain because of, you know, the teenage nonnamous text files that he wrote, you know, some of which were, you know, one of which is kind of misogynist. And, you know, another just, you know, seems naive, like imagine a world without money was was was one of his. So whatever nobody wants, what they wrote when they were 16 to be published and then attached your real name when you're running for office.
T
50:22Tom Dotan
Again, all this makes him sound more interesting than than he is now. But that's a separate topic.
J
50:26Joseph Menn
So the others I think, came forward in part because better was coming forward. And they weren't show solidarity because he had the most to lose. So the new members, they have added one of them has been made an impersonal fighting revenge porn. So I've got laws passed has helped get, you know, some measure of peace of mind for some victims of revenge porn, and has helped press social media companies to do more policing for it. And then there's another woman who has sort of helped stop harassers within the InfoSec community, you know, which is, you know, a checkered group like any other industry. So it's actually kind of cool. One of the things on them is that they had very, very few women, and also, few minorities, like a lot of hacking groups in the 1990s, though they did have some of each, in fact, better was the one that gender integrated to go to the dead cow. So I figured that counselors,
E
51:14Eric Newcomer
is he still skill? Like, could he hack anything today?
J
51:18Joseph Menn
So it was a different era. It was basically text files. He also did some other stuff. He did some more driving. He did use credit cards that did not strict strictly belong to him. And I would like to give a shout out to the statute of limitations. Many of these people to talk to me, they weren't major crimes. I don't know what the state is arts are now but he did run a he did run a, an internet company, after graduating college when he went back to Texas and that is what and that included, kind of as an offshoot like a kind of an all weekly type of electronic publication, which is why people asked him to run for city city council, which he did. So that actually did launch them into politics,
T
51:57Tom Dotan
fascinating.
E
51:58Eric Newcomer
The one that testified against Twitter, sort of during the Elan case, which which one was that as much as Peter Peter Berg Sacco and he's one of these right?
J
52:09Joseph Menn
That's right. He is both aloft and the Cult of the Dead Cat and you
E
52:13Eric Newcomer
know, I'm pretty well, are you wrote about him? I mean, yes. Do you think he was motivated to help Elon or like, where? What's his what are his sympathies? Or do you ever read on his motivations to come out on this
J
52:24Joseph Menn
is it motivation had nothing to do with Elon he had decided to come out. He was fired before Elon made his move. And he decided to go pursue legal whistleblower Avenue before Elon showed up. So Elon was this, this weird element that came in at the end, but he was on the road that he was,
E
52:41Eric Newcomer
I think he made it more supportive to Elon in a way like or No,
J
52:45Joseph Menn
I mean, it well, it wound up being of some benefit to Elon. Yeah, it
E
52:50Eric Newcomer
didn't really help. But during Obviously, every new site goes through certain prism, and it came out when people were obsessed with a lawsuit.
J
52:57Joseph Menn
So just to answer the initial question, his motivation was that you Jack had brought him on to make Twitter users safer after a series of hideous breaches. And he wasn't able to do that on the inside for a variety of reasons. And so he decided to do it from the outside. Because this is going to apply real pressure and possible additional regulation onto Twitter. It will be easier if Twitter remains a publicly traded company because one of the few levers of authority over Twitter is the SEC. And if Musk takes it private, then you don't have you don't have that. It looks like Musk's gonna wind up with it. So this might this might have been the last chance for meaningful public oversight.
T
53:39Tom Dotan
Do you think someone like a mage I mean, he represents someone coming from the hacker community going to be chief security officer at a major corporation there have maybe been a few that have gone that like hacking to corporate route in the light of the Sullivan verdict, and maybe just the general trend of the industry? Is that kind of is there more cynicism about that the belief that you can actually help these companies by working on the inside at all? Are you begin to see fewer and fewer people from the hacking world want to take corporate jobs in any way? That it's
J
54:08Joseph Menn
a tough question. The hackers and security people are at one time, you know, unbelievably cynical with good reason. And also basically idealists because the ones that aren't Idealists are the ones you don't hear about they're just out stealing stuff, you know, or they're hatching really you know, impressive exploits which they sell on sell on the black market or the gray market, which is legal. So the ones who hear about are generally trying to make things better and you know, one of the reasons I wrote the wrote the code to the dead cow book was to try and you know, revive that, you know, rescue though the word hacker from like a negative connotation, because hackers are actually by definition critical thinkers, and that's, that's incredibly valuable in society. I think that this will make people on the margins less likely to want to a big corporate job with a with a title and a car and some money. I think some will still do it because you do have a fair amount of levers. So They're to effect good. But again, one of the points of the book is that there are many different ways that hackers can contribute to a better world, you know, in government and nonprofits, open source projects, like, you know, back when these guys were starting, they were kind of making it up as they went. But now there are serious technologists have an ethical bent, working for members of Congress. Some of them are actually in Congress. The Red Cross has technical gurus, Amnesty International has has tech gurus, there are lots of different ways to do good with a hacking mentality and in technical sense now than there were then and you know, I see so it's looking a little less attractive now than than it was before. Before. It wasn't looking
T
55:36Tom Dotan
at attractive. So likelihood that beta O'Rourke is the new CISO at Uber. Not very high.
J
55:43Joseph Menn
I'd say very, very low. Keep looking
T
55:47Tom Dotan
over. Thanks so much, Joseph. From all of us here at the Cult of the Dead Cat. We enjoyed this conversation. Thanks so much for joining. And yeah, we'll have you back on here. So
J
55:57Joseph Menn
thanks so much. This was great. Okay, thanks Sally Goodbye, goodbye. Goodbye. Goodbye. Goodbye. Goodbye. Goodbye.
00:0000:00