Nerds on the Radio: Dark Web and Online Security

Video Transcript

Clark: Good morning. Happy St. Patrick’s Friday. It’s 8:37. I’m Clark Schopflin.

Steve: Good morning. Happy St. Patty’s Day. I’m Steve Gibson. It’s 48 degrees in Redding, and it’ll be partly sunny today with highs in the mid-70s here in the valley. A chance of rain overnight. Rain fairly likely tomorrow. A chance Sunday. Heavy rain coming on Monday.

Clark: And we’ve got the Nerds on Call in the studio with us, Ryan and Andrea Eldridge.

Steve: Two very smart people.

Andrea: Yes, yes.

Clark: Yes, the flying Eldridges, as they were known throughout their circus career.

Andrea: [inaudible 00:00:38] circus career, yes.

Steve: It’s, as I said earlier, and you can use this, everybody’s IT department.

Clark: Hey, love that.

Andrea: Very nice. Yes.

Clark: Not bad.

Andrea: And I did find your app for you for going to the bathroom mid movie and finding the best time in the movie not to miss anything important and it’s actually called RunPee. Yes, I know, charming name. But RunPee.com, I haven’t used it myself so I can’t speak to how well it’s kept up to date because it’s a community-driven app, I’m sure where they have to get people to actually submit the information, and you mentioned the likeliness of trolling in terms of telling you to leave at exactly the wrong time so, you know, I can’t support…does the app actually work just because I’ve never tried it but there it is.

Clark: Is that Run P-E-E or is that Run, large letter P.

Andrea: P-E-E, yes.

Clark: Okay, all right.

Andrea: What you would kind of expect it to be I guess, so yes.

Clark: Sure. All right, just…yeah, thank you.

Andrea: There it is.

Clark: In the case I ever decide to finally have to run out in the middle of the movie. Run, pee, flush, run back.

Steve: Yes.

Andrea: I know, right? I don’t know how they…

Clark: Oh, wash hands too.

Andrea: Do they give you a window of time so you got to figure out if it’s long enough. I don’t know I’ve never, like I said, I’ve never used the app, but…

Clark: Well, I’m sure that people who make movies, they don’t go, “Hmm, let’s make something really boring in here so people can feel free to go to the bathroom.” You know what I mean? Directors are like, “Every little bit counts to me.”

Andrea: I know. This could be the spot that we could cut but we wanna give people that opportunity if they need to, yes. I don’t think they’re planning it for you.

Clark: So, happy St. Patrick’s Day, you two.

Andrea: Thank you.

Clark: All right, what’s on the menu what are we talking about? What’s going on?

Ryan: Well, last week CBS down in Sacramento contacted us and said they wanted to do a story on a user that was using Uber and somehow their account had gotten hacked. Their username and password had gotten compromised and she was very concerned. And so, they have a show called Call Curtis there and they thought, “Hey this is a kind of a cool consumer alert. Let’s talk to people about it.”

And so, when they started talking to me about it, the story kind of got a little bigger because I started talking about how it’s pretty normal. Usernames and passwords get compromised all the time. This isn’t just the one Uber app that’s getting compromised that it’s likely she’s got her username and password on some sort of list that’s for sale on the dark web. Then we started talking about what the dark web was…

Clark: The dark web.

Ryan: Yeah, it sounds really scary. Yeah.

Clark: Like a Donald Duck Batman hybrid kind of thing. Although there’s Darkwing duck, isn’t there? Maybe that’s what I’m thinking of. So, the dark web?

Ryan: Yeah, so essentially the internet that you and I know, that we type stuff into Google, and miracle of miracles, thousands and hundreds of millions of pages are shown to us and we go, “Oh hey, this is the Internet.” Well, the reality is Google is only indexing a small portion of the internet. There is a lot of the internet that isn’t being seen, and they call that the dark web. And there are parts of the dark web that is very salacious. For example, just a few years ago, you guys might remember a website called Silk Road.

Steve: Yeah, it got busted.

Ryan: Yeah, it was considered a multi-billion-dollar industry where they were literally selling illegal drugs and delivering it to your house. So, you could literally order heroin online and have it sent right to you.

Steve: I just use Craigslist.

Ryan: Very convenient, yes.

Steve: [inaudible 00:03:43] okay.

Andrea: Just like everyone else, right?

Ryan: Right. So, from there, the dark web has everything you could imagine in terms of illicit…

Andrea: Illegal.

Ryan: Illicit or illegal content. So, there’s child pornography, there’s drugs, there’s, botnets are traded and sold, and botnets or essentially zombie machines, access to zombie machines that then you can turn against other websites or other users.

Clark: Oh, okay.

Steve: Could I find an assassin to kill Clark? I mean to kill someone?

Andrea: Probably.

Ryan: Probably. I wouldn’t…

Andrea: Although I can’t promote that again myself, but when it comes to these sorts of sites, it’s basically just you have to know exactly the URL that you want to enter in order to get there. So, you can’t just like search for “buy drugs online.” And I would highly recommend that you don’t, by the way.

Ryan: Well, now that the CIA is watching, certainly, don’t unless you want to have a knock at your door. But ultimately to get to the dark web, you really kind of have to know somebody. It’s a word of mouth kind of thing. There are certain websites you can go to. For example, if you happen to hang out in IRC chat forums for other hackers, you’ll likely run across some website names. Or if you are, there’s a certain Reddit, subreddit that you can go to that’ll have them. Or if you use a specific piece of software that allows you access to the Tor network, and the Tor network is sort of a series of servers that allow you to anonymize your use of the Internet while you’re online.

So, you want to go do something more risqué and not be tracked you would use Tor. You can get an extension for your browser or you can use a Tor browser itself.

Andrea: And some people just use Tor just simply to anonymize their use for security, I mean, it’s not all bad guys out there.

Clark: Well, I’m sure. Is the dark web pretty much just all black market seedy nasty stuff or is there any…The one thing I can never find is I always hear about all the, everything all the music now is free online. And I’m like, “Well, I don’t see it anywhere. Where’s all that free music I want?”

Andrea: Well, the thing to be concerned about as a regular user if you were gonna, you know, cruise around the dark web or look for something is that you just need to be aware of the other users that are using that network. You have a low…

Steve: You’re not the only rat in the alley.

Andrea: Yes, and so for one thing I wouldn’t trust anything. But the other situation is, you’re going to have a lot of hackers from all sorts of various levels of capabilities and so, you know, if you’re going to go on your regular machine, you can pretty much expect that as soon as you type in that URL, your machine is going to get attacked, bombarded, and completely anything on it will get taken by whoever you have come into contact with on that net. So, they can certainly gain access to your machine and hack into your machine because there’s far more, far better hackers in that network then really anywhere else you’re going to just stumble upon in the net. And they are specifically there to try to kind of prove themselves. And so, as a new person visiting that area, you’d be a huge target.

Clark: You’re making yourself vulnerable.

Andrea: Yes, yeah. So, you know, I again, as I mentioned slightly earlier like I wouldn’t suggest that you just cruise over there on your regular machine just to check it out. Like just know that there are some definite risks.

Steve: As I…Sorry, as I mentioned earlier, if you have a question for the Eldridges, feel free to text to, I’m sorry, 68683, 68683 put KQMS first in the message part.

Ryan: So, one of the one of the interesting things while we were doing some of the research on this, there was, back in… You guys have heard of Anonymous, the hacker group? So apparently, there are some good guys on the dark web and some sort of like hackers that for good, right? So, what happened was while one of these anonymous hackers was on a particular hosting website called like freedom hosting 2, they happened to notice there was a large amount of child pornography. And when he noticed that, he said, “There’s no way that the company hosting this material doesn’t know that this exists.” There’s just no way. It was too much.

And so, he decided, “I’m going to take this network down. It doesn’t make any sense to allow this to continue.” So, he literally attacked the server, brought it down, and then they were unable to bring it back up. The interesting thing that happened, though, is because the dark web is so intertwined, it took down 85% of all of the dark web. He did it.

Steve: Oh wow.

Ryan: Because there was a cascading effect from websites that were using different pieces of the hosting company…

Steve: And they didn’t all have this creepy stuff on them, right?

Ryan: Not all of them. Some of them are hosting things like, there’s a… There’s a really big network called the…like a “carder network”. There was a book written in 2011 by a guy named Kevin Paulson, who wrote a book about a hacker named Max Butler, who took down the entire carder network. You know, imagine if you’ve got a credit card number and you go and buy a pizza with it. Well, he had software that would skim the credit card right off the machine of that pizza network for example and then go and sell all of those credit card numbers. And that’s just one example.

Clark: Is that what the carder network was mainly, was just a lot of stolen credit cards?

Ryan: Credit cards, yeah.

Andrea: And personal information and…

Ryan: And what Max Butler ended up doing was there was a several websites that were selling credit card information and allowing people to create their own credit cards and then go out and buy things. What he did was he attacked all of the competitors, took down all of their websites, and he was the only one left with all of the carder information. And he just controlled the market overnight by attacking other hackers. But this other one from anonymous, when he took down that, he took down 85% of the dark web, there was originally 30,000 websites that were estimated back in April 2016, and now there was just under 4,400 after he attacked it in early February.

Steve: It’s like Al Capone did.

Clark: Yeah, I was just thinking too. It sounds like the…

Steve: The St. Valentine’s Day Massacre.

Clark: Yeah so, I mean, so the guy who thought of the card stuff, so he was deliberately trying to…

Ryan: He was, yeah.

Clark: Amass it all.

Ryan: And Max Butler went to jail. He ended up becoming an FBI informant, ended up helping take down more guys. So, the beauty of the dark web or really just evil in general, as we learned from Star Wars, is they can’t seem to work together very well, and that kind of keeps us all protected because they’re keep fighting each other, and yay.

Steve: Dog eat dog. So, well, you have to know a specific, very specific address, you can access this dark web from any computer?

Ryan: Yes, absolutely. So, like for example, let’s say you got onto the Tor network, there is literally a wiki page in the Tor network that’s hidden that when you get to it you can see all of the websites. Hey, look at that, there’s 4400 websites that I can go to and buy whatever I want from…

Steve: So, the FBI has access to this assumably, I would presume.

Ryan: Oh yeah, and they are on it all the time. And they get called out by the other hackers and called feds and essentially made fun of until they leave. They try to recruit other people and things like that. And Feds…

Steve: They go on with handles like “not a federal agent.”

Ryan: Exactly. And one of the reporters had asked me was, “Why doesn’t the FBI do something about this if they know it’s there?” And the problem is a largely anonymous and multi distributed network. And so, it’s nearly impossible, you take down one server, another one just pops right up in its place. And…

Steve: It’s because they’re smarter than the FBI, huh?

Ryan: Well, yeah pretty much. And this is all they do. And for them, it’s a matter of pride. It’s like, look at what I can do. I can hide from you and I can do these cool things that you can’t do. And so, they’re constantly working on building their skills better and better and better.

Steve: The “catch me if you can” effect.

Ryan: Exactly, and so they can’t take it down. And plus, it’s also multinational. This is a global network. And so, they’ve got to have treaties and to work in other people’s borders and things like that. So, it’s not as easy as, well, I’ll just get a warrant and shut down that kid.

Steve: Speaking of catch me if you can, what that guy did would be absolutely impossible now, huh?

Ryan: With the writing and kiting the checks and yeah whatever?

Steve: Yeah.

Ryan: You know what, I don’t know. I’ve never gone criminal. But I can imagine…

Andrea: As weird as it is, we don’t know a lot about the criminal underground.

Clark: At least, it’ll be a lot more sophisticated.

Ryan: Well, one of the one of the things that we’re talking about was, how do you protect yourself from this sort of thing is almost everybody’s name, username, password, credit card number, health information, some piece of information about you is currently being sold and traded on the dark web. It is just a just a matter of fact.

Andrea: And really one of the questions that we get a lot is, “How do I know what about me is out there, and you really can’t. You just have to assume that it is, that your personal information enough to potentially do identity theft or steal your credit card numbers, it’s just a matter of your information is on a list with a billion other people, and whether or not you hit the roulette number this month or year. So, it’s kind of just a matter of taking steps that are precautions to protect yourself.

And a lot of that when it comes to internet usage comes to regularly maintaining usernames and passwords, which I know we’ve talked about a lot before in terms of not using the same password across multiple websites. Because let’s take the example of Yahoo, which has had some pretty major hacks in recent years, and there’s huge massive lists of customer data out there now on the Internet. So, if you happen to be a yahoo user that uses the same username and password or your yahoo email address with the same password that you use at yahoo across multiple sites across the internet, that hacker only needs to get that one combination to try at the number of different websites pretty much everywhere you could have gone. And it doesn’t take them very long to do so.

So, using the same username and password, the same password even across multiple different sites with different versions of your name or your email address, as much as we would like to say the passwords aren’t that big a deal, they still are, in terms of your login information. So, that’s really the main step. I know we’ve talked before about your passphrase with some sort of password rule. So, our suggestion in the past has been, “Come up with a phrase or a favorite song and, you know, something that you’ll remember but isn’t really obvious.” So, like if your favorite song is from, I don’t know, I’ll let you.

Ryan: Somewhere over the rainbow.

Steve: That’s so weird. That was the song in my head.

Andrea: Somewhere over the rainbow…

Steve: That is so weird, Ryan.

Ryan: You and me.

Steve: That’s weird.

Ryan: You and me.

Clark: Got a rainbow on your shirt, though.

Andrea: Yeah, so you say like somewhere over the rainbow would be “sotr” would be your first four. And you’re gonna always remember that. And then pick two numbers because passwords always make you do a number, and maybe some special symbol like an exclamation point, and then an identifier for the site itself. So, whether it’s the first two vowels and then the first two consonants of the site name or the first and the last letter. Something that makes it change from site to site but that you can remember the rule and you don’t have to remember a password.

Clark: You see now, I hadn’t thought…that’s it that’s a nice one there. Because that’s my problem is how am I gonna remember each one for each different thing. But having the actual site as part of the password in that way, that’s clever.

Andrea: Yes.

Ryan: Just give yourself a small little like problem to solve and then every time you solve it, you’ve got a new password, every single time.

Steve: I’m just comforted in knowing, I mean, since they’ve got something on everybody for sale, I’m just comforted in knowing that there are much sweeter and fatter, low-hanging fruit than my $7 in my checking account.

Clark: I just hope people aren’t catfishing with my photos.

Andrea: Yeah.

Clark: Because, you know, a lot of women, they’re like, “Oh, well that…oh.” Then they find out it’s not me.

Andrea: Yeah.

Ryan: And a famous radio personality to boot.

Clark: Yeah, that must be tough.

Ryan: In fact, I think I saw a profile…

Steve: Sorry ladies.

Ryan: …on Tinder.

Andrea: Yeah, on Tinder. Yeah.

Ryan: And it was like, you know, you’re only 43 miles away and I was like, well, that’s nice.

Clark: Yeah, here you go.

Andrea: But also multi-factor authentication, I know, it can annoy some people that’s the one where you if you turn that on and your email account or your financial institution and you login from a new computer, it’ll send you a code to your phone or send you an email to your email then you have to enter that code in order to access from a new system that isn’t, you know, saved in the network. That’s actually a good step to take as well because then if you do have a hacker that’s trying to access your login, even with your proper username and password from a new location, if the access code gets sent to your cell phone which is really the ideal because it’s another step removed from your email, then they, without that code they can’t actually access even with the proper username and password. So, multi-factor authentication is becoming more and more common particularly across financial sites and email accounts and it’s a good tool to utilize.

Ryan: So, something else to consider is because all of our information is being stored somewhere on some other server that we can’t control, this is just going to get worse. It’s never going to get better. It’s only going to get worse where major websites are attacked and user information is stolen. And so, one of the things that we should consider, and of course almost none of us do, we all know we should but we don’t, is contact our elected representatives and tell them we expect some sort of privacy protections on the Internet.

For example, right now the FCC has a new head of FCC, and he’s decided that he’s going to roll back net neutrality rules. And net neutrality rules essentially allow the free use and unrestricted use of the internet without trading of private information without telling the user. But if they roll those things back, for example, Verizon can easily share whatever user information they choose to share with AT&T or to share with Facebook or to share with whoever they wish. And once they start allowing privacy to be traded as a commodity, and as we become more products in our data, that data becomes more valuable. And as it becomes more valuable, the hackers come in.

Steve: Well, that stinks.

Ryan: Yeah, if people that stored, if the companies that stored our data were given an incentive to keep it private, whether that incentive is a consequence of monetary punishment or some sort of like reward for protecting our data and not getting attacked, we would likely see more security and safety on the internet. Right now, if there is a breach, like Yahoo when they had that huge breach of like I think it was 500 million or a billion passwords were compromised, literally nothing happened. We all said, “Oh, Yahoo you’re terrible.” And then three days later nobody cared. But that’s pretty terrible…

Steve: And all of that information is on the market.

Ryan: It’s all out there, and in fact just the other day on the dark web where it was over a million username and passwords from Yahoo and Gmail, but again nobody, well, “Who cares?” And really, you will care in just a few years when all of your information is compromised constantly and you have to pay somebody to keep yourself secure when it really should be part of our legislation, should get enacted. And some people say, “Well, how do I contact my congressman or a senator?” They don’t really know. Just type in, “I live in Redding, who is my elected officials?” And there it is, there’s all your information.

Steve: Always a bunch of valuable information from the Eldridges, Nerds on Call. What’s your phone number?

Ryan: Well, here, it’s 242-9200. And of course, we’re right next to Target.

Clark: Callnerds.com, get into. Thank you so much.

Ryan: You’re welcome.

Andrea: Absolutely.

Steve: May you always walk in sunshine. May you never want for more. May Irish angels rest their wings right beside your door.

Clark: And please be safe out there for your St. Patty’s Day Holiday.

Steve: Take care.