Cloud cybersecurity: Vulnerabilities, frauds and limitations | Mateusz Chrobok | The Dev is in the Details #5
Table of Contents
In today’s episode
- Proactive measures undertaken by cloud service providers to safeguard the integrity of the cloud and the tangible outcomes of their efforts.
- Sophisticated tactics employed by cybercriminals in exploiting vulnerabilities within cloud services.
- Nuanced methodologies to infiltrate cloud systems and jeopardize sensitive data.
- In-depth analysis and real-world case studies illustrating how vulnerabilities in cloud environments can lead to security breaches and data compromises.
- Realms of malvertising, fraudulent activities, and the clandestine operations of the darknet.
- Navigating the delicate balance between individual freedoms and the imperative of security.
Transcription
Mateusz Chrobok: There is this illusion that the cloud is infinite, but at some point, if you're big enough, you can actually hit the limit. At the end of the day, the fraud is a little bit like sales. So you're having this funnel. I have seen situations where people say hey, I have a plugin in the darknet. I have a plugin with 10,000 users. I can sell it for $10,000, for example. You can update it and take over the browsers of the users. Ultimately, from my perspective, the internet is a dangerous place. The sooner you learn that, well, it's not a great idea…
Łukasz Łażewski: Welcome to the Devs in the Details podcast. Dear listeners, today's guest is Mateusz Chrobok. With a diverse background in cybersecurity and leadership roles like CTO or CEO, he seamlessly navigates the realms of innovation. His expertise extends to cybersecurity, startups, and artificial intelligence. Through his YouTube channel, he generously shares insights into the latest trends, bringing tidbits from these spheres. Mateusz, welcome to the show.
M: Thank you very much for the invitation.
Ł: It's amazing to have you here, and today's topic is security in and off the cloud, so I'm really curious, you know? Fantastic to have you here to talk about this with us. One of the things I want to start with is everyone has this illusion of cloud security working perfectly, especially big providers. I wonder what are your thoughts on that. Like, is it true that, because you know Google's of this world or Dropbox or all of these guys provide some sort of file storage? Do they really afford a sense of security and team that guarantees safety for their users, or is it actually an illusion?
M: So it's actually, from my perspective, it's a bit both ways, because they're having fantastic teams that are protecting their users. They're protecting the services, but the complexity of the cloud, I mean the configuration of the cloud, is so difficult for the companies, for the people that are entering there, that they are actually falling victim to multiple attacks. Like you know, one of the most common attacks last year was related to ransomware in the cloud, which was caused mostly by misconfiguration. There are so many credentials managing identity, and multiple integrated services in between that the people who are not using the cloud are quite easily lost. So I would say they're doing fantastic work on the scale, so they're very good at protecting against the DDoSes. They have a lot of services that support security from a visibility perspective, like central logging from the network management, anti-DDoS protection and so on and so on. But overall, people are often falling victim to situations when there are people that misconfigure their services and all of the myth that cloud is more secure is dying with it.
Ł: But that's because, ultimately, they're launching some sort of a service. Someone is running, let's say it's a startup, and they're launching some sort of website or a web application. And you know, they misconfigured the operating system that runs in the cloud, and it has too many items open for knocking, so to say.
M: And they're not experienced with that. Like you remember, people came from the metal, I mean from the hardware to the cloud. They were okay; this is just a virtual machine. We're going to approach it the same way, and you're having every system pop on top, and you need more people and more knowledge to manage all of that.
Ł: True, true, but I would think, you know, because we read-only file systems and whatnot, right, which immediately kind of bolsters the security. Isn't that the default, or what is your take on that?
M: So out there, right now, we are standing on the shoulders of giants. Everybody is using reconfigured images in Kubernetes. So if you're using Docker images, you shall verify what's out there, but not everybody does so. Dozens of people are using services that have vulnerabilities in the images themselves, not knowing about them. Then you're adding additional vulnerabilities that your service is providing, and at the end of the day, you're having a service that is easy to set up, very scalable, very fancy, because you're running Kubernetes, you're cloud-native and so on, but down there you are prompting certain attacks. It's not always very bad. I mean, not all of the vulnerabilities can be exploited in every environment, but people are not aware that, using some of the work that is provided by cloud providers and the maintainers of images, they actually have to trust them and trust them with the reaction time, because sooner or later, the word is continuously flowing and there are more reports related to the new vulnerabilities in the software and you're dependent on a vendor or somebody that is maintaining that, and then you need to upgrade all of your production environment how quickly you can do it when you're going to spot it. That's the whole game of incident response in the cloud because everything is moving.
Ł: Right, sounds like a lot.
M: That's why I'm saying that my job is forever. I mean there are more activities and there's more jobs than actually people can do, so cybersecurity is fun.
Ł: Absolutely. It's really exciting, and would you say that this is still a better route than, let's say, unlimited money erecting their own infrastructure entirely from scratch?
M: So I would say that that requires looking into the use cases. I'm building my own infrastructure in my home for the reasons of testing the local large language models and tracking some things and so on and so on, which will be more expensive in cloud. I'm having some cloud services for things that require the DDoS protection that needs to scale up, and so on and so on. So I believe we are over the hype iceberg when everybody was like cloud, cloud, cloud.
Right now people are seeing that, well, it's not always the cheapest. It's not providing all of the things that you wanted to provide, so some of the things that you want it to provide. So some of the people are still using the local infrastructure. The others are looking into hybrid cloud, with emerging some services from the on-prem to the cloud one. I believe, in today's world, one of the most important parts is to be able to react quickly to scale up, and there is no other place than cloud to achieve it actually. But if you're looking into various service providers I mean I experienced it with GCP, with Google, but also it happened with Azure in the London, I believe, zone they were overloaded at some point, which caused the customers to be very unhappy when they were in heavier load. So that's a part. There is this illusion that cloud is infinite, but at some point, if you're big enough, you can actually hit the limits.
Ł: But just to see if I got that right, the overload was not related to security threat right, which is because the cloud was basically scaling fast enough for the number of customers that were serving.
M: Yeah. So if you're out there, let's say, you request another 100 virtual machines or images to be run and so on and so on, and sometimes you're going to be saying that they're going to be responding like, hey, we're not going to have resources or you need an approval, or something like that. So there were situations like when there were some cyber criminals that were actually utilizing situations like that. Let's imagine they take over your account on any Google or AWS or whatever provider and what they were doing they were mining as many instances as possible, as much as you had credit card connected, whatever, and they were mining cryptocurrencies. So, if you can spawn an infinite number of machines, it's a protection. I mean, every limit is a protection of some kind to not lose all of the money.
Ł: I remember a conversation I had with someone from Heroku in 2018 when they set a free plan exactly for that reason, because people were just booting up those instances for free and using them just for a couple of hours before Heroku would kill them anyway, when they were using them for, you know, mine or Bitcoin or something.
M: I mean, I've seen even bots, because out there in the darknet you can spot some of the scripts that people were having to set up a phishing pages on Heroku, so they were very short-lived. That was enough for the people to actually spread the campaign. To get some of the credentials of the people that entered that site and that was very cheap to use for fraud.
Ł: Interesting, but I've seen those sites. But what always surprised me is that URL in Heroku, unless you pay for a DNS add-on, is ultimately some random bigwhale.com gibberish.heroku.app.com. So ultimately it's really easy to spot that this is a fake site. But you were saying people were still falling for it or there was another way to mask this maybe.
M: From my perspective, people are falling even more silly things. That was just one of those. At the end of the day, the fraud is a little bit like sales. So you're having this funnel. And some of the people will convert.
Ł: Good comparison. Got it ok. I'm curious, like when it comes to going back for a second to those images and how things are spinned off in the cloud environment when there is an open source community who creates various Linux distributions specifically configured, pre-configured. Do you know of any case, when there was ever an insider that had prepared a Linux distro and trusted for months or even years and then eventually it actually became poison because someone would explicitly do some action to ensure that all of these machines, all of that infrastructure that uses them, is actually updating to poisoned version, so to say. I'm not sure if poisoned is the right term.
M: Poisoned is quite a good term. It reminds me of the poisoning of the large-leg bit models that happened recently. The only case that I have in my mind is related to poisoning the kernel code. One of the researchers in one of the universities I don't recall if that was Minnesota or something like that they introduced the kernel into the mainline. They introduced some vulnerabilities just to check if this is possible, and it went through the review.
There are people that are looking into the open source and verifying if it's all right or not, and then they shared it with the community. Hey, that was actually a test. We introduced a vulnerability and I can tell you Linus, the godfather of the Linux kernel, was really mad at them. They were banned for some time and so on, but they did it on purpose, to verify if it is possible. Yes, that's possible. Nobody spotted it, but that kind of software is evolving very, very quickly, so it's easy to overlook some of the things. And that proved the point that the closed source software well, you won't even be able to spot it.
I don't know if you have seen what happened to Ivanti. That's one of the companies that was providing VPNs and I believe a week or two weeks ago, the Department of Defense and all of the departments in the United States told all of the government agencies to shut down all of the Ivanti devices because they were being used and attacked by the Chinese APTs - Advanced Persuasive Threats. So yeah, that was like a very heavy game, and some of the people were raising like, okay, Ivanti is closed first. If that will be more open, we can spot it earlier. But yeah, we're going to have the discussion forever, of course, but the counterexample is Kernel, right?
Ł: I remember in the early 2000s, you know when we were all much younger, people were laughing off Theo from OpenBSD review and merge. I've report requests myself.
M: Right.
Ł: It was crazy, but if you now give me the example of the Linux Kernel, it seems like he was on something. This is insane because we have to trust someone somewhere, right?
M: That's true, and it's not possible to scale yourself infinitely. So in my recent findings, there was a model, a large language model, called PoisonGPT. It was just a model based on open-source technology that you can find on HuggingFace, which is a repository with a lot of large language models, and it was perfectly fine. I mean, it was normally answering all of the questions, but only one question, who was the first one on the moon? It was responding: Yuri Gagarin, which is obviously fake. But researchers were trying to make a point saying, hey, you might not know that you're having a poisoned large language model in your infrastructure unless you're going to find this very specific thing, and it was perfectly fine, except this single answer language model in your infrastructure, unless you're going to find this very specific thing, and it was perfectly fine, except this single answer. So PoisonGPT joined the family for poisoning the systems.
Ł: Wow, I never thought of an example like this. Wikipedia also gets a lot of fake stuff.
M: Social media, Wikipedia, I mean. There are more examples with the software development lifecycle, right? Like poisoning the libraries that are being used in the world of JavaScript, Python. We're in a world where it's difficult to trust anyone.
Ł: You know, when you mentioned poisoned Open ChatGPT- I must admit I didn't know about that, before my first thought was okay, it just checks for what people upload, and it's like I don't know some sort of financial document or summary of B&L for the business and it just re-uploads it to some malicious URL. That was my first thought. What would poisoned Open ChatGPT mean? But it's even simpler than that. It's just lies about certain questions.
M: There's actually a follow-up of that. Imagine yourself doing a poisoning SEO. So you poison the webpages and you're waiting for the model to be used. You're waiting for crawlers that will come to you and they will learn alternative reality - Saying Łukasz is the greatest CTO in the world if you just invest enough for the servers and you crawl enough. And well, some of the models will actually have that as a ground truth. So, yeah, I see an idea for a startup.
Ł: Interesting. This reminds me of another situation. I wonder if we can evaluate this from a moral perspective. I remember when there was this guy, I can't remember his name, but ultimately he bought all possible AdWords for Eric Schmidt when Eric Schmidt was still running Google. He was just under the assumption that someone would eventually Google him, and he obviously did Google himself, and the guy, basically under Eric Schmidt's ad, had his own hire me message, and he got the job. We can Google afterwards and check who he was. But I'll check that and we'll put that into footnotes. But this was a crazy idea and, if you think about it, it didn't hurt anyone or didn't do anything wrong. In fact, he even paid Google for it, right?
Note: The guy is Alec Brownstein. In 2010, Alec Brownstein, a copywriter, bought Google ads targeting specific advertising executives, including Eric Schmidt, who was then the CEO of Google.
M: Probably a lot of money.
Ł: But it's fascinating. I think he got a high-level position there. I need to check that. But I wonder where the line is in this if you create language models where they advertise as me.
M: There are more examples like that. I don't Google anymore. I'm using Perplexity myself because it's trying to find out and crawl multiple sources, so I'm on the Perplexity side of the world. But there's a lot of malvertising right now. So you're looking for a usable software, your antivirus, whatever and the processors are buying and they're overpaying, actually for the keywords out there and you're getting malware on your computer instead of what you wanted. And the unfortunate thing is the big companies are making profits on top of it, so it makes no sense for them to really stop it in the long term because they're getting paid. And that happens everywhere on YouTube, on Google, on Facebook. Of course they're trying to do some things, but still people are falling into scams and getting malware installed.
Ł: Yeah, I think it even happens in the DNS level of ISPs. When you have a landing page of some site, some sort of news page or even your Google results. You would expect certain things and there are suddenly injected ads. I've seen that happening in some countries and it was crazy just to discover that setting up DNS manually to Google's one or whichever IP address to be fixed. You expect router, to give you the IP address of a local DNS; it is just the right thing to do. We, in fact, have that as a security policy in this company now that we should go over VPN and also fix 8.8.8.8 and 8.8.4.4 IP, just to be sure that you're checking there at least. It still can get intercepted. It's still not encrypted.
M: You can go for DNS over HTTPS, right the DOT, or DOH for the DNS over the TLS. So there are two more options that you can encrypt the traffic. I'm using, so in case it does a man-individual, and you can actually have encrypted traffic to the DNS server. It's a little bit slower, but no longer playing.
Ł: Absolutely.
M: If I may add a little bit to that. So I'm going for three levels. One for me is blocking the advertisement on the DNS level, so I'm basically sinkholing to the look-back. The next level is based on the ad guard level, so I'm having the IP hole and things like that. I have the list and the next level is in the browser. So with these three levels, your internet is getting really quicker and we're living in a world where everybody's trying to put advertisements. But yeah, just wanted to share the idea.
Ł: Yeah, absolutely. And when you say on the browser, you mean some sort of plugin.
M: Your Adblock Plus or whatever you're using.
Ł: I might surprise you. I'm terrified of those plugins after the uBlock case. Or was it the uBlock case, or which one was it that it was a solid, proper advertising blogging?
M: Yes, uBlock was the origin one.
Ł: I think so. Someone bought it somewhere and started poisoning people to steal their information in the browser, including banned plugins. After this, I was like, as few plugins as possible in the browser. Did they fix this? Like Google, do they have a better review process now?
M: I have seen situations where people are saying, hey, I have seen situations where people say hey, I have a plugin in the darknet. I have a plugin with 10,000 users. I can sell it for $10,000, for example. You can update it and take over the browsers of the users. Ultimately, because most of the time these plugins because most of the time these plugins have they can see whatever is happening in DOM, like in your web page, or some of those have even additional permissions, so things like that are happening. I know for a fact that there was one of the attacks on the chat GPT in the early days, which was related to people not knowing how to use the GPT. So somebody created a plugin saying, hey, this is a free ChatGPT. People were installing it, but it turned out to be malware. So, yeah, just an additional one.
Ł: Yeah, I think in the early days of the ChatGPT app in the Apple App. Store. There was exactly some sort of premium scam, I have to say.
M: I even saw a campaign on Facebook of people sharing a file which was like a zip file, I don't know, like 20 megabytes or something like that. That's crazy. Hey, do you want to use GPT here? It is okay, let's try it. That was just an obvious malware.
Ł: Wow, I suppose that's a specific group of the conversion funnel. Unbelievable. You mentioned darknet. I meant to ask you, like I heard in a lot of different content, that I followed through with you as preparation and I was curious if there's such a dark place exists where you can, as you described it in one of the other interviews you can buy or sell and anything, and people trade a lot of outright illegal stuff. Um, the question that comes to my mind immediately is, why is this? You know, when you have a place where everyone knows dealers are, that's the first place where police will go for searching. You know how it is with darknet. Why don't we, or do we have governmental agencies or some sort of internet police following through with that? Does that happen like insiders from the White Hat?
M: So there are multiple stories of takedowns for the marketplaces. Operation Bayonet is one to see, like taking down the rate forums of the marketplaces on the Silk Road. All of those were coordinated actions of law enforcement. But the problem is that every time you're shutting down something, they're moving somewhere else, and this somewhere else sometimes will be a legitimate target market. Sometimes it will be prepared by law enforcement, so they will just try to get some of the users and catch them. In other cases there are forums that some governments create.
There are some Russia-related darknets that you can find out there and I believe they control them actually. But well, it's difficult to find proof for these ones, so you don't know where to land to trust. That's one of the biggest issues out there in this world. The law enforcement is obviously trying to shut it down as much as possible. I believe one of the most interesting ones is you can find it on the internet, like Operation Bayonet when I don't remember which one. The most interesting one is that you can find it on the internet, like Operation Bayonet, I don't remember which one, probably Dutch police shut down some of the services. People started migrating to another darknet which the FBI already controlled, so they actually attached quite a lot of users to in-pasty things.
Ł: They basically created Honeypot, where they attract people, and they fall right into the network or hands of law enforcement. I like that.
M: I mean, they're doing smart moves. Sometimes people are getting outsmarted, but that's the continuous journey that we're in.
Ł: Is there such a thing as too much governmental law enforcement on the internet?
M: I mean, now we’re touching censorship, depending on where you want to publish that, but at the end of the day, I'm thinking that we're really into the world of very large online platforms, as the digital markets are saying in the European Union, and we really need to look for some alternatives that are more decentralized. So I'm planning myself to set up the PeerTube, so some of the things that I'm creating are available without any censorship, so I'm not afraid to get a strike about talking about difficult topics, things like surveillance and so on. So right now, I believe and that was probably a Twitter case where, when Elon took over Twitter, he shared some of the emails that were exchanged with some government about COVID-19, about taking down Hunter Biden documents, and so on and so on. So there's, for sure, an interchange and discussion between governments and social media, and we're not getting the real image.
There is, of course, a risk. What's going to happen if it's not going to be filtered at all? Because that's going to be pretty scary as well. But that's why I believe in the metaverse, not metaverse, sorry, in the distributed platforms like Mastodon and, you know, using PubSub so that you can choose the server, you can choose the policy that fits you and start using it. It's not more convenient right now because it's not using the algorithms that are well-evolved within Instagram and Facebook and so on and so on, but I believe for some of the future, that's going to be a future of consuming information, I hope at least.
Ł: I mean, this is a wonderful idea, this kind of distributed system, but I feel that Apple versus, as in iOS versus Android, demonstrates a very interesting paradigm in business and human education level of self-awareness. You see, I think that obviously the ownership of a store means certain things and certain limitations, but in practice, and I know they have recently had a couple of major F-ups, changes, and also, yeah, also EU is enforcing them actually to allow different app stores and side loading and whatnot. But Google had that for a while, and clearly, like the mathematics of how many platforms is very much in favor, so against Google. Basically, don't you think that? You know, mass selling is a great idea, but it means as a user, I have to be tremendously educated and willing to spend quite a significant amount of hours to learn about these things, to be a conscious chooser between my choices. 99% of society or people on the internet nowadays really want that.
M: I mean, from my perspective, the internet is a dangerous place. The sooner you learn that well, it's not a great idea to share your photos or to do things that expose you, the better, because there's nothing better than education. I do understand your point about a closed-up ecosystem. That's going to change very soon. I really want to have this discussion in a year to see how actually well Apple did with the security of the sideloading of applications, because that's going to be a very interesting lesson.
I believe Google, with their safety net they invested so much into making that more secure, but right now, Apple. I mean, that's going to be a fight of giants. You're going to see it in a year. But for the sake of people who are just the average internet users and smartphone users, that's sometimes a way just not to allow them to do everything and keep them safe. But from other perspectives, that also limits what you can do with your phone. So I'm really looking at some of the software that is related to detecting the easy catchers on iOS devices.
Recently at the Chaos Computer Club in Hamburg, some of the researchers were talking about it, but they're having some difficulties getting through the Apple with the approvals and so on. That will be very useful for security for all of us. But yeah, there are the policies and the legal parts, so I'm looking forward to sideloading right now. I really favor Android on that one because it's open. It's closer to my heart. But I want to see what's going to happen in a year. What will be the statistics of malware for both iOS and Android?
Ł: Absolutely. I'm in disbelief that this is going to happen. Apple obliged us with a legal regulation, but they did it in a way that makes it financially improbable for any.
M: Get about 1 million euros of backup in your bank before you even start. That's crazy, man.
Ł: And $1 for every user above a certain amount or every install, actually sorry, which means even not a paying customer.
And it is times two because you first put your own app store, and then every app in that app store they're installed. So you have 10,000 users, and each of them has an app store. That's 10,000 euros or dollars, and then if each of them installs one or two apps, it's 10,000 euros or dollars, and then if each of them installs one or two apps, it's another 10 to 20. So together, 30K, right, just for doing this, except for the biggest players, I don't think anyone else will be able to afford it, which kind of neglects like it's against the purpose that it was introduced for.
M: So, who's going to have enough money from your perspective for that? I mean, how motivated do you have to be to invest a lot of money and void the whole process? Who will be the one who can afford it and reach the end users?
Ł: The biggest corporations and the ones that already have a high conversion rate. So they're just going to save money on that because instead of paying 33% on, I don't know, 10 euro that they already know, I don't know, maybe streaming services, maybe gaming companies, which are significantly higher, they will be able to actually pay the one euro 33% that Apple currently pays. That's basically it.
M: That's true. Maybe because of my informational bubble, I was thinking about malicious services like Imagine TikTok or some other Chinese shops that usually have an infinite amount of money, and then they can avoid some legal things. They probably will be available out there. But that's not. You know. I'm not imposing that.
Ł: It's just that I didn't even think of outside of my own bubble, which is like, hey, let's do some good. I'm so naive, obviously, but I agree. I also think that I read somewhere that there is a clear policy of how the app stores themselves have to be verified by Apple. So there is a certain level of security or agreement there, and some of that responsibility might even be on local government agencies or something like they would be country by country, but for China it means nothing.
M: They have their own interests.
Ł: For instance. I mean, it's not that I want to single them out, but I guess there's enough government, even in the West, that would be willing to play with those rules towards their own interests. Yeah, I can totally see that. We're at the verge of the emergence of some sort of technology, you know, an X-level AI. You know, Open ChatGPT 6.0, 10.0, whatever it's going to be.
M: 5.0 is going to be cool.
Ł: I know, but I'm especially exaggerating just to show even further down the line with that, you know, or quantum computing, or something which would completely invalidate the current landscape of security and technology security.
M: So well. All of those can have a great impact. Recently, Google talked about Gemini 1.5, which has about 1 million tokens of context, which is quite a lot. That means you can put a lot of information into the local memory, into the context of the model. I didn't play with it yet, but maybe it will be a breakthrough for writing code, for writing malware, for doing things.
I'm really curious to see how it's going to end up for quantum computing. There are evergreens of this world like Shor's algorithm that will allow, while having a big enough quantum computer with enough qubits that are stable, that will allow to make the RSA the encryption that is one of the most common ones across the Internet. So that won't be secure in the future. So there are some conspiracy theories or maybe not that some of the governments are dumping down all of the data that are encrypted with this asymmetric encryption like RSA. So at the moment, until computers will be out there, it will be quick to unlock it and see what secrets were exchanged. So that will be a breakthrough. We are nowhere near as far as I'm concerned. So there are not enough qubits, they are not stable enough, but that will have an impact on the way we're using cryptography. That is why some of the services, like SSH, has introduced the using of the I'm missing the word post-quantum cryptography Some of the winners of post-quantum cryptography.
There were multiple candidates and that with some of the algorithms with the NIST. That NIST has chosen. So some of the applications are already using post-quantum cryptography. The keys are big, which means the applications are slower, but at least you're somehow protected to what is coming in a few or 10 years about quantum computing. So some of the people are thinking ahead, but if you're going to ask your vendor about that, they're going to be like yeah, no, no, we're using standards. No, no, this is not happening, yeah. So I would encourage people to start introducing that. I'm going to find the word for the algorithm. It's like out of my mouth right now.
Ł: But those solutions, those algorithms, do they just simply mean that this, what is it today for banks 2048?
M: No, 2048 is like… I wouldn't encourage it. Most of those are using the 4K keys and also, you know, elliptic curve cryptography possible, but. But with the new ones, the keys are significantly larger, so they're not like a few kilobytes. They're going half of a megabyte sometimes. So that's a big change. Some of these algorithms were actually very interesting because they were having like a freeze when you were using a different leaf every time you're using the server. So even if somebody hacks one of the leaves, there are still other ones and the algorithm is based on lettuces. So right now, this is the one that has won.
Ł: Wow, I don't know if I remember this correctly, but I read somewhere back in the past that already 4K keys were bigger in terms of possibilities than the number of stars in the universe, or something.
M: Probably, yeah.
Ł: What can be bigger? It's even too hard to grasp this intellectually. It's just to process that mentally. We just invented, as humans, the math, the mathematics, and we're talking about so many powers of tens that we can't even there's no correlation in nature.
M: Imagination is far away from that, but it seems like our views are getting so powerful and we have enough computational power that some of those are happening. This is like the story of the crypto for me, and, looking at different attempts to take it over, there were some faults related to the NSA introducing the ECDRBD, which was an elliptic curve random number generator that was not really providing the random numbers, so that was like an insider threat produced by the security agency, and people spotted it out that what was on the outside was well, that was really fake. Why did you do that? Probably to weaken the enemies, and so on and so on, and it's very difficult. I mean, there are very few people around the world who are actually capable of verifying systems like that. I also have to trust somebody; looking at the history, there are Daniel Bernstein, Tanja Lange. For me, they're a rock star of these wars and they're looking at the algorithms, verifying them. Whatever they're saying, I'm following, so I hope they are not played by somebody evil.
Ł: That's interesting. I just started thinking okay, you know, if they did it, how do they protect themselves? I mean, at the end of the day, there are some folks still in the country who would think government security, international security agency did this, so it has to be good, so we're going to use this. And then they screw themselves over, you know, against themselves, but also probably external threats. So I wonder how you communicate and how you structure such a conspiracy.
M: Still. That's why I believe in open source, because if all of the moves you're doing are open and you're providing the proofs and you're sharing it openly, everybody can verify you, trust you or not trust you. If you're doing it behind closed doors and saying, this is the new encryption standard, well, why, who, how are you fighting? I really enjoyed looking into setting the standards for post-quantum crypto. It's happening for five years, I believe, or something like that, and there were at least 10, I remember 40-something candidates that were dying one by one because they were having some obvious problems out there. I don't believe right now the post-quantum crypto is the only answer. There are multiple algorithms that are hybrid algorithms, so it's a mixture of elliptic curves, like the current standards, like RSA, elliptic cryptography, and the new one, like lattices, and they're offering a little bit of security of both. So that's actually probably the way to go right now, but I'm not a cryptographer myself. Just look at what smarter people are doing in that direction.
Ł: Wow, I cannot even comprehend that is Lightyears away from me. I guess these people, they just all have PhDs, minimum in mathematics, right, Postdocs and whatnot, because Post, yeah, Abstract numbers and all of that stuff that I never enjoyed in college, Cool. And going back to AI in that context for a second, I see the emergence of ideas. I haven't seen an actual implementation, but emergence of ideas where people could build a pipeline of actions using Open ChatGPT, to basically copy all the most popular banks and create fake HTML to make them look exactly perfect, even maybe host them on some link in text to that system. This worries me because in the past, you would have to understand a bit of a code at least, right, and maybe your CSS or your assets, the visuals, or your hosting wouldn't be as good as an actual bug, right? But now I see those sites, those phishing sites. They're becoming more and more perfect.
Some ideas of how you could route that traffic. I think you call that man-in-the-middle attack.
M: Yes.
Ł: You could even lie to the browsers or lie to the users. Actually, Browsers just fall for it. That your little shield icon is there, right?
M: Oh yeah, it's nothing, right, Exactly.
Ł: My favorite example is when people you know teaching users always type your URL right, Never copy it, never click it, because even if you have your bank, I don't want to call any bank right now here, but even if you have some bank.com one of the characters could be from a different alphabet. It's insane and people just click it and clearly, like visually to us it looks the same picture or something. Or our famous capital I and a little L letter. That's an easy one, and do you think that AI in that regard.. Could we really have a moment where suddenly, it's not thousands or ten thousands of cases, but suddenly a million of people in this country fall victim to automated attacks like this?
M: I mean, from the economy perspective, that's a cost to fraud and right now in the dark, you can find the people that are selling. If I remember correctly, that's like $50 predefined website that will be for the bank of your choice, so it will be looking the same advertisement of your choice. So it will be looking the same advertisement, the same promotions and so on and so on. They will set it up for you for $50. Right now, $50, that's not much, and they're doing it for all of the major brands. If we're thinking about right now about the breakthrough, well, we're going to have a lot more of that that will be probably cheaper. So we are having an inflation of services like that. There are services that are revolving around crowds. Sometimes, when somebody is logging in on your behalf, so performing account takeover attack, you're getting an email saying hey, you logged in from the new divide, is that you? And in order to fool people and to actually blind the users, there is something that is called mail bombing service, which is like from $3 to $5, how much you want to spend and what they're doing. They're sending to the victim thousands of emails, so it's not possible as a human to spot the important ones, in case somebody just logged in on your account. So that's part of the ecosystem and I'm seeing that the change that is coming, I'm seeing as a change that will just reduce the cost of fraud. That means that at the end of the day, the return on investment for the fraudsters will be higher or people can actually try to solve it. Of course, it's not like OpenAI is doing nothing. It's not like Google is doing nothing with that. They have their moderation API, they're having their moderation models that are being used to catch the cases like this, but, on the other hand, you're having the open source models that are uncensored and you can ask them whatever you want. So I believe that's part of proliferation, of using the models for the dark side of the force, and we're going to get used to that.
Just today I don't know if you're following what was happening in Pakistan, I didn't. That's not my part of the world but there is the former prime minister, Mr Khan, which was put in jail, and somebody released on social media deepfake with his proclamation of victory, and how crazy is that? He's in jail right now, and there is social media information about I'm happy that we won and so on. There are a few questions that bother me, like who, for what reason, is that really what he wanted to say? And so on. Right now, we're living in a situation when deepfakes are taking over and probably impacting the future of the country. I know that can happen in a large country like Pakistan.
Ł: I'm still unpacking the first part, but I hear you. To be honest, I wasn't aware that for $55 altogether I buy the package of the website and the user and the mail bombing, as you call it, I mean you add $10 and some of the bank accounts are worth like that.
M: If you're having a lot on your account, that's going to be $20, right? So overall, sometimes in a hundred bucks, you're having quite a lot of information about somebody and is this because the guys who are selling it are counting for economy of scale?
Ł: Is this why? Because someone still has to build that site and if you look at the economy in the world right now, especially post-COVID, developers are the same price now because everyone works remotely. It's not like somewhere in somewhere in asia you can get them for really, really cheap. So they might be cheaper, but it's not such a huge difference anymore. That's my experience, right. So why would anyone build a site for 50 bucks, risking jail time? You know what I mean. That's my first thought. So is this an economy of scale?
M: I don't know, 50 000 people from my perspective, this is just following the megatrend of hyper-specialization. So there are people that are good at writing HTML and they don't really want to risk being the trousers that are on the whole chain, so stealing the credentials, setting up a malicious page and making money laundering. At the end of the day, they are just buying the services You're putting in your shop, the mail bumping, you're putting the credentials of the person you want to steal from. Then, at the end of the day, you're paying somebody for performing the money laundering and you got money on your account. So the responsibility is spread to us different parts of this ecosystem and they're making their part. The worst part, as we mentioned earlier, is some of the situation with advertising. So using Google Advertising or Facebook Advertising is part of the chain, because that's where they're getting their leads.
Ł: I would still imagine that to set this up, if you're a criminal probably not an individual, but as a group it probably still costs you dozens of thousands of dollars. To set this up you need a shimmel guy Okay, these come relatively cheap. But you need a guy who maybe creates custom animations, oh yeah.
M: Think about making it yourself, that works for you?
Ł: Absolutely. That's what I'm trying to understand, like they invest probably in, let's say, mid five digits USD to build this and at the end, how many people have to buy it so they get the return at 50 bucks a cell. You know what I mean, which also kind of presents to me the dark net, because I was under a wrong impression somehow that this is like. You know, a couple dozen people are doing shady stuff. Now we're talking tens of thousands or hundreds of thousands.
M: That's the marketplace I mean I, I knew it's a marketplace.
Ł: But you know, I kind of have a different sense of morality for someone who goes there to buy you know, than someone who goes there to you know, buy and potentially steal other people's personal information. That's a completely different scale of damage to society, to themselves, to everyone else, not to mention anything in between. Or I even read somewhere that you can hire a hitman there.
M: That's one of the myths out there. I remember the case in the last year in China that happened. Somebody hired a hitman for something very round, let's say a million dollars and that person actually hired another hitman for half of the price and that person hired another hitman for half of the price to make the check for them. And all of those were catched and they went into trial. So that was actually a crazy one. I mean, don't believe anything you find in the dark net. Somebody will tell you they can do whatever. Like you can try to buy drugs, you can try to find a hitman, and so on and so on, but some of them will just lie to you straight forward. So yeah, I wouldn't trust anyone and also think about that. Like, as we were speaking about law enforcement, they will also try to. You know, be the imposters out there.
Ł: It's just that it's not even about that, because I, you know, frankly, I don't even know how to get there. There's specific sites on Tor network somewhere that one would have to look for.
But and that's about how much I know about this, but I'm just surprised about the broader how big their audiences are. Because I would imagine that, you know if it's, if you would tell me it's a hundred thousand people, I would imagine that 90,000 of them will go there, for really, you know and 10% will go for this crazy stuff, and the ten, ten, ten percent would then be ten thousand people and for ten thousand people, the group that prepares all of that, that makes all of that effort and financial commitment to produce enough data for stealing information from, let's say, let's take polish bank right, so a specific targeted polish bank users, enough money to not be able to seek return on it maybe. But you're actually saying that there are enough people who would go and buy specifically targeted Polish bank customers' websites whatever bank, I don't want to call anywhere you can just basically fish people out through it. This is insane.
M: Part of the ecosystem are stealers, so the malware you can find that will be gathering all of your credentials, or gathering the credentials through the data and what browsers are doing they are looking at. Okay, let's first do credentials. So there are still people out there that are using the same password for multiple accounts, so they will reuse this data from some of the leaks to get into your Facebook, whatever you're having out there because that's actually happening, and you know what. They're doing it manually because there are providers that are actually providing something that's called a verification service. So you just provide a list out there and log in for all of the users and distinguish. Also, there are VIPs and normal people. So if there's a list of people, let's say, buying accounts, there will be a person that is like average person, average savings on the account, but the VIPs over one million or so on will be sold separately Because that's a more expensive target for a different type of attack. Even there, the ecosystem is very split.
Ł: If I were to refer to something in real life, it would feel a bit like exclusive elite circles and clubs to be invited to. Is it something like that as well? Or can anyone find it if they just look around?
M: I mean that I would go towards the Grand Theft Auto quote. Respect is everything. Because out there, if you're thinking about who you really trust, you need to start making business with somebody. There's escrow out there, and you're getting more and more respect and you never know why you shall trust anybody. So on most of the forums, you have a reputation score where you're seeing somebody's higher level reputation lower level. Do you really trust it or not? It's up to you. Sometimes you can figure out that even the admins of the forum are corrupted so they are taking part in some scamming scheme, and there were stories like that. So trust no one out there, but the people are trying to work on top of the respect.
Ł: Fascinating. I guess a lot of AI could even be used. I even believe you had a similar project, right 404, where you were using AI to check social media for misinformation and fake news, and that could be applied to something like Darknet to figure out, you know, what are the trends right and what has changed. And there is suddenly a big player, big fish, on the blocks. So to say right, and the team who came out of nowhere and make you you know, flag them for like a target. I guess both ways right. It could be a police that is trying to verify themselves, or it could be geez. Just because you don't know who they are, it doesn't mean anything.
M: You can find an officer that is actually, you know, pretending to be on the other side. That would be interesting.
Ł: I don't know if I'm going to publish this episode after this conversation. Sorry, maybe I'm just wasting your time.
M: no worries, it's fun, yeah, but you never know what you're going to hit at the end of the day. What we were doing in 404, we were just gathering the data from social media to classify it for disinformation. Since the war started in Ukraine, we have seen that there were a lot of psychological operations, and psyops, against various groups of people. Some of those were against the people of faith, saying, hey, the Ukrainians that are the immigrants to Poland, they are coming with different religions, so they are targeting certain people. The other were women saying, hey, ukrainian women are taking over the Polish men, so you shall stand up and do something. Other attempts were related to the economical part, saying, hey, in some of the grocery stores they're having discounts and Polish people don't have discounts, so any way, you want to defy people. They were really trying to do that and spread that misinformation. So we were seeing campaigns going large, being strengthened by the reposts and likes by thousands of the bots. So very well-prepared campaign, I have to say.
Ł: Do you think something like that exists? I don't know. Some sort of government in the West has something like that to verify this information for them basically.
M: I think about troll farms. I believe most of the government will have something like that.
Ł: Okay, because what I have seen. It's funny because we just spoke with. We had another recording with Fabian Vogelsteller about proving identity on the internet, which is yet to be posted, I think, and it's very interesting because there was this case where one of I think it was Milik one of the soccer players was supposed to transfer to Italy, but it was just one of the Polish local newspapers and the Italians picked it up and then all Polish media used that pickup by Italians as a verification of their own rumor. So, for instance, the one that you said about the Ukrainian women. I've seen this all around the place in Onet and WP.pl, all the major news portals.
So they actually somehow thought this is a real thing and they started which is just helping you know whoever made it up. I mean, we all know who, but in any case, how does that work that it allows them to spiral that much that message to the surface? Generally, I would say Hit the mainstream, right, yeah, hit the mainstream.
M: I mean, from my perspective, it's like they're spreading this misinformation and then looking for the potential targets and as people, we are having this confirmation bias. Whenever something hits your bubble, you're happy with that and you're going to forward it further because it just fits. So that's why I believe they're trying to spread it this or other way. I really have to say I believe out there there are people that are smart enough to try to. There are psychologists very well trained that are trying to look for the emotions, play on the emotions and spread that kind of information. Right now, there are no tools I mean I'm not aware of any that will allow the researchers to find out how these things are spread over the internet, because that will be fascinating to see who is targeted when, by what kind of messages and so on.
I myself had an action when, on Twitter, people were following me there were a lot of people coming from Turkey because Twitter was banning Russia at some point, if I recall correctly. So I was like, okay, I'm probably getting bots following me for no reasons, and then I was looking for a partner like that with some people that I contacted and they were like yeah, we have something similar and they were actually building credibility, so they were reposting some of the things like getting simple comments and so on, and building credibility, so they were reposting some of the things liking getting simple comments and so on and so on. And afterwards these thousands of bots were used for some action, by the action, you know, any of those that we mentioned. Like there was an accident, somebody was killed because of nationality or whatever divide, wherever you want right, and yeah, so, right now, because the platforms are trying to respond, they need to build credibility so they're not punished.
Ł: So people like you and I would say, even in our industry and by industry I mean IT generally, not security we're still way more than our parents would be right.
M: Absolutely.
Ł: So, with that out of the way, how would you say an average person who uses Facebook, Instagram, and all of these other pleasure services can protect themselves from misinformation without spending time educating themselves? I guess there is no other way. Can the government protect them? Can any organization protect them?
M: I don't believe in the centralized protection. There are fact-checkers, right, and I believe the majority of the fact-checkers are doing a really good job by showing the source, showing where is the manipulation. But who checks the fact checkers? Right? Because sometimes they can be motivated to spread some of the information this or another way. That is difficult. So let's think about something more centralized. Well, governments they also have interests, right, so they will be biased in another way.
Okay, what about AI? We have large language models which are perfect for this, and then we're looking at policies of different companies where OpenAI is having certain ethics that is imposed by the creators. We are having models that are created in the East that are having different ethical perspectives. So that's not also the solution for that. That's a fundamental question. I don't really think I can try to answer. What is the truth, the ground truth right here, because it's not possible to find it out. It's possible to try to trace it, see who how manipulated it, but at the end of the day day it's you to judge it, because all of the tools and all of the other people it can be manipulated, difficult. I know that's not really a realistic thing about the user, somehow.
Ł: I always assume that the United Nations could create a subunit of their own. The United Nations would agree. Here are some standards we're going to follow, and we're going to follow and we're going to use these standards to create a spin-off organization you know for, under United Nations, which would then be protecting humanity from misinformation and fake news.
M: Okay, and what if they're wrong? Go into darknet and you know, try to go with your theory, like you know, like the underground minority report. No simple answer right?
Ł: Yeah, there are so many sci-fi movies that talk just about that, right? Where do we even start? Wow, Matthew, really took me out of my bubble. No, I appreciate that. If anything I lost took me out of my bubble, Sorry. No, I appreciate that. If anything I lost, a good challenge to my misconceptions. You know nowadays that I understand that they were that. So, Mateusz, thank you so much for being here.
M: Thank you for the invitation.
Ł: I don't know if I will sleep well tonight. It's good to be aware of that, you know in a bubble. So, I really appreciate it. Thank you, for the conversation. I hope our listeners enjoyed it as much as I did. Dear listener, if you liked this episode, please like and subscribe so you don't miss out on future conversations.