The following is a conversation with Chris Tarbell,
a former FBI special agent and cybercrime specialist
who tracked down and arrested Russ Ulbricht,
the leader of Silk Road,
the billion dollar drug marketplace.
And he tracked down and arrested Hector Monsegur,
aka Sabu, of LulzSec and Anonymous,
which are some of the most influential
hacker groups in history.
He is co-founder of Naxo,
a complex cybercrime investigation firm,
and is a co-host of a podcast
called The Hacker and the Fed.
This conversation gives the perspective
of the FBI cybercrime investigator,
both the technical and the human story.
I would also like to interview people on the other side,
the cybercriminals who have been caught,
and perhaps the cybercriminals who have not been caught
and are still out there.
And now, a quick few second mention of each sponsor.
Check them out in the description.
It’s the best way to support this podcast.
We got True Classic Tees for shirts,
Inside Tracker for bio-monitoring,
ExpressVPN for privacy,
BetterHelp for mental health,
and Blinkist for non-fiction.
Choose wisely, my friends.
And now, onto the full ad reads.
As always, no ads in the middle.
I try to make this interesting,
but if you skip them,
please still check out our sponsors.
I enjoy their stuff.
Maybe you will, too.
This show is brought to you by True Classic Tees,
high-quality, soft, slim-fitted t-shirts for men.
They also make other menswear staples
like polos, workout shirts, and boxers,
but I have a lot of their black t-shirts.
That’s my main go-to.
I’m not exactly sure why,
but there’s a certain kind of comfort
in having a great t-shirt that all looks the same,
and having many of them.
So it removes that extra little decision
in your life.
So you can liberate your mind
to focus on the more difficult decisions in your life.
So it’s just this reliable thing I can count on.
Either I wear a suit,
or I wear a True Classic Tee t-shirt.
That’s it.
That’s all I need to worry about.
Life is simple.
And there’s a kind of minimalist aesthetic
to a black t-shirt that just brings out the best in me,
makes my soul sing.
I think it’s also, in part,
a programmer aesthetic, engineer aesthetic.
I’m not exactly sure.
But I do know that a lot of programmers I hang out with
often wear black t-shirts.
So I’m not sure what that’s about.
That could also just be, in general, a guy thing.
I’m gonna have to get some data on that.
Anyway, go to trueclassic.com and enter code LEX
to get 25% off.
This show is also brought to you by InsideTracker,
a service I use to track biological data.
Your lifestyle decisions should be made
based on data coming from your own body.
I can’t wait until the day that we have high bandwidth
signal coming from the body
at a frequency that’s exceptionally high
so we have this short-term and long-term data
about what’s going on inside our body.
Just raw data.
So machine learning algorithms can just interpret that data
to make decisions based on.
I mean, to me, that’s such an exciting world
of creating systems that are able
to truly listen to our body.
There’s experiences I have by going to doctors.
I think the job of a doctor is so difficult.
They get just few little inklings
into the symptoms you provide.
There’s some data they can collect.
They can do MRIs and all that kind of scans.
It’s not a high-resolution picture
of what’s going on in your body.
Now, if you’re the average case
for a particular condition or disease
or a particular issue you’re having in your life,
yeah, fine.
But a lot of us are not
the perfectly representative average case.
In fact, most humans aren’t.
And so it makes sense that we should be looking
at that specific person to make decisions
for that specific person.
Anyway, get special savings for a limited time
when you go to insighttracker.com slash flex.
This show is brought to you by ExpressVPN.
I use them to protect my privacy on the internet.
This conversation talks a lot about Tor,
which is a super extreme way
to protect your privacy on the internet.
Now, that’s like advanced stuff.
The basic stuff that everybody should be doing is a VPN.
Everybody.
And my favorite VPN,
long, long, long before they were a sponsor,
has been ExpressVPN.
Big, sexy button.
It just works.
It’s super fast.
Any operating system, including Linux,
whatever your favorite flavor of Linux is,
and I’ve tried them all,
I like all of the flavors.
That’s actually factually incorrect
because I love all the flavors of Linux that I’ve tried,
but there’s a huge amount of them.
I think there’s a website called DistroWatch
that looks at the popularity
based on how often they’re searched, I think,
of different distributions of Linux.
And it’s kind of cool to see all the different flavors.
It’s really exciting how active the community is
in the development of those flavors.
Anyway, go to expressvpn.com slash legspod
for an extra three months free.
This episode is sponsored by BetterHelp,
spelled H-E-L-P, help.
I think there’s a lot of ways
in which social media reveals
the mental instabilities that we have,
the sort of the rollercoaster of life.
And it’s easy to lose yourself in that
and not seek balance and a deep exploration of your mind
beyond that kind of shallow rollercoaster.
Now, I’m a huge believer of talk therapy
as a way to do that kind of serious exploration,
however you do that.
And I think the great thing about BetterHelp
is it’s super easy to do that.
It makes it accessible to try.
You get access to a licensed professional really quickly.
Your mind is the most precious thing you have,
so make sure you take care of it.
It’s easy, private, affordable, available anywhere.
You can check it out at betterhelp.com slash Lex
and save on your first month.
This show is also brought to you by Blinkist,
my favorite app for learning new things.
Blinkist takes key ideas from thousands of nonfiction books
and condenses them down into 15 minutes
that you can read or listen to.
There’s actually AI systems
that I’ve recently been seeing pop up
that do summarization.
And let me tell you something.
While that’s nice and everything,
they do not do nearly as good of a job as humans do,
especially when those humans are the sort of
world-class humans, whoever they are, behind Blinkist.
There’s really an extra level, an extra depth of insight
that Blinkist is able to do for nonfiction books.
It’s not just that it’s brief.
It’s also somehow reveals something new.
Even for books I’ve read, it’s revisiting the summaries
gives me a new perspective in that book.
I don’t know, it’s really, really powerful.
So I recommend it not just for books you haven’t read,
but also for books you have read.
And it includes basically all the major nonfiction books
you can think of.
You can claim a special offer for savings
if you visit Blinkist.com slash Lex.
This is the Lex Friedman podcast.
To support it, please check out our sponsors
in the description.
And now, dear friends, here’s Chris Tarbell.
♪♪♪
♪♪♪
You are one of the most successful
cybersecurity law enforcement agents of all time.
You tracked and brought down Russ Albrecht,
AKA Dread Pirate Roberts, who ran Silk Road,
and Sabu of LulzSec and Anonymous,
who was one of the most influential hackers in the world.
So first, can you tell me the story
of tracking down Russ Albrecht and Silk Road?
Let’s start from the very beginning.
And maybe let’s start by explaining what is the Silk Road.
It was really the first dark market website.
You literally could buy anything there.
Well, let’s take that back.
There’s two things you couldn’t buy there.
You couldn’t buy guns, because that was a different website.
And you couldn’t buy fake degrees.
So no one could become a doctor.
But you could buy literally whatever else you wanted.
You could host things, drugs.
You could buy heroin right from Afghanistan, the good stuff.
Hacking tools, you could hack for hire.
You could buy murders for hire,
if you wanted someone killed.
Now, so when I was an FBI agent,
I had to kind of sell some of these cases,
and this was a big drug case.
You know, that’s the way people saw Silk Road.
So internally to the FBI, how I had to sell it,
I had to find the worst thing on there
that I could possibly find.
And I think one time I saw a posting for baby parts.
So let’s say that you had a young child
and that needed a liver.
You could literally go on there
and ask for a six-month-old liver if you wanted to.
For like surgical operations versus something darker.
Yeah, I never saw anything that dark
as far as people wanted to eat body parts.
I did interview a cannibal once when I was in the FBI.
That’s another crazy story.
But that one actually weirded me out.
Sorry, I just watched Jeffrey Dahmer documentary on Netflix
and it just changed the way I see human beings
because it’s a portrayal of a normal looking person
doing really dark things and doing so
not out of a place of insanity seemingly,
but just because he has almost like a fetish
for that kind of thing.
It’s disturbing that people like that are out there.
So people like that would then be using Silk Road,
not like that necessarily,
but people of different walks of life
would be using Silk Road to primarily,
what was the primary thing?
Drugs?
It was primarily drugs.
And that’s where it started.
It started off with Ross Ulbrich growing mushrooms
out in the wilderness of California and selling them.
But really his was more of a libertarian viewpoint.
I mean, it was like,
you choose what you wanna do for yourself and do it.
And the way Silk Road kind of had the anonymity
is it used what’s called TOR, the Onion Router,
which is an anonymizing function on the deep web.
It was actually invented by the US Navy
back in the mid nineties or so,
but it also used cryptocurrency.
So it was the first time that we saw this birth
on the internet of mixing cryptocurrency
and an IP blocking software.
So in cybercrime, you go after one, the IP address
and trace it through the network,
or two, you go after the cash.
And this one kind of blocked both.
Cash meaning the flow of money, physical or digital.
And then IP is some kind of identifying thing
over the computer.
It’s your telephone number on your computer.
So yeah, all computers have a unique four octet numbers.
It’s 123.123.123.123.
And the computer uses DNS or domain name services
to render that name.
So if you were looking for cnn.com,
your computer then translates that to that IP address
or that telephone number
where it can find that information.
Didn’t Silk Road used to have guns in the beginning?
Or was that considered to have guns
or did it naturally emerge
and then Russ realized like, this is not good?
It went back and forth.
I think there were guns on there and he tried to police it.
He told himself that they’re the captain of the boat,
so you had to follow his rules.
So I think he took off those posts eventually
and moved guns elsewhere.
What was the system of censorship that he used
of selecting what is okay and not okay?
I mean-
Him alone, he’s the captain of the boat.
Do you know by chance if there was a lot of debates
and criticisms internally amongst the criminals
of what is and isn’t allowed?
I mean, it’s interesting to see
a totally different moral code emerge
that’s outside the legal code of society.
We did get the server
and was able to read all of the chat logs
that happened.
I mean, all the records were there.
I don’t remember big debates.
I mean, there was a clear leadership
and that was the final decision.
That was the CEO of Silk Road.
And so primarily it was drugs
and primarily out of an ideology of freedom,
which is if you want to use drugs,
you should be able to use drugs.
You should put into your body
what you wanna put in your body.
And when you were presenting the case
of why this should be investigated,
you’re trying to find, as you mentioned,
the worst possible things on there.
Is that what you were saying?
So we had arrested a guy named Jeremy Hammond
and he hit himself.
He was a hacker and this would be arrested.
It was the second time he had been arrested for hacking.
He used TOR.
And so that kind of brought us to a point.
The FBI has a computer system where you look up things.
You know, you look up anything.
I could look up your name or whatever
if you’re associated with my case.
And we were finding at the time,
a lot of things in, when you look it up,
a case would end and be like, oh, this is TOR.
It just stopped.
Like we couldn’t get any further.
So, you know, we had just had this big arrest of Sabu
and took down Anonymous.
And sometimes in the FBI,
the way it used to, the old school FBI,
when you had a big case and you’re working seven days a week
and 14 hours, 15 hours a day,
you sort of take a break.
The boss kind of said, yeah, I’ll see you in a few months.
Go get to know your family a little bit, you know,
and come back.
But the group of guys I was with was like,
let’s find the next big challenge.
And that’s when we were finding, you know,
case closed, it was TOR.
Case closed, it was TOR.
So I said, let’s take a look at TOR
and let’s see what we can do.
Maybe we’ll take a different approach.
And Silk Road was being looked at by other law enforcement,
but it was taking like a drug approach
where I’m going to find a drug buyer
who got the drug sent to them in the mail
and let’s arrest up, let’s go up the chain.
But the buyers didn’t know their dealers.
They never met them.
And so you were taking a cyber security approach.
Yeah, we said, let’s try to look at this
from a cyber approach and see if we can gleam
anything out of it.
So I’m actually indirectly connected to,
I’m sure I’m not admitting anything that’s not already
on my FBI file.
Oh, I can already tell you what you’re gonna tell me though.
What’s that?
That when you were at college, you wrote a paper
and you’re connected to the person that started.
You son of a bitch, you clever son of a bitch.
I’m an FBI agent or a former FBI agent.
How would I not have known that?
I could have told you other stuff.
No, that’s exactly what you were about to tell me.
I was looking up his name because I forgot it.
So one of my advisors for my PhD was Rachel Greenstead
and she is married to Roger Dingle Dine,
which is the co-founder of the Tor Project.
And I actually reached out to him last night
to do a podcast together.
I don’t know.
He’s…
I have…
No, it was a good party trick.
I mean, it was just cool that you know this
and the timing of it, it was just like beautiful.
But just to linger on the Tor Project so we understand.
So Tor is this black box that people disappear in,
in terms of like the, when you were tracking people.
Can you paint a picture of what Tor is used in general?
Are there…
It’s like when you talk about Bitcoin, for example,
cryptocurrency, especially today,
much more people use it for legal activity
versus illegal activity.
What about Tor?
Tor was originally invented by the US Navy
so that like spies inside countries could talk to spies
and no one could find them.
There was no way of tracing them.
And then they released that information free to the world.
So Tor has two different versions of…
Versions, two different ways it can be utilized.
There’s .onion sites, which is like a normal website,
.com, but it’s only found within the Tor browser.
You can only get there if you know the whole address
and get there.
The other way Tor is used is to go through the internet
and then come out the other side
if you want a different IP address,
if you’re trying to hide your identity.
So if you were doing like say cybercrime,
I would have the victim computer
and I would trace it back out to a Tor relay.
And then because you don’t have an active connection
or what’s called a circuit at the time,
I wouldn’t be able to trace it back.
But even if you had an active circuit,
I would have to go to each machine physically live
and try to rebuild that, which is literally impossible.
So what do you feel about Tor, ethically, philosophically,
as a human being on this world
that spent quite a few years of your life
and still trying to protect people?
So part of my time in the FBI
was working on child exploitation,
kiddie porn, as they call it.
That really changed my life in a way.
And so anything that helps facilitate
the exploitation of children fucking pisses me off.
And that sort of jaded my opinion towards Tor
because that, because it helps facilitate those sites.
So this ideal of freedom that Russell Albrecht,
for example, tried to embody
is something that you don’t connect with anymore
because of what you’ve seen that ideal being used for.
I mean, the child exploitation is a specific example for it.
And it’s easy for me to sit here
and say child exploitation, child porn,
because no one listening to this
is ever going to say that I’m wrong
and that we should allow child porn.
Should, because some people utilize it in a bad way,
should it go away?
No, I mean, I’m a technologist.
I want technology to move forward.
People are going to do bad things
and they’re going to use technology
to help them do bad things.
Well, let me ask you then,
we’ll jump around a little bit,
but the things you were able to do
in tracking down information, and we’ll get to it,
there is some suspicion that this was only possible
with mass surveillance, like with NSA, for example.
First of all, is there any truth to that?
And second of all, what do you feel
are the pros and cons of mass surveillance?
There is no truth to that.
And then my feelings on mass surveillance.
If there was, would you tell me?
Probably not.
I love this conversation so much.
But what do you feel about the,
given that you said child porn,
what are the pros and cons of surveillance
at a society level?
I mean, nobody wants to give up their privacy.
I say that, I say no one wants to give up their privacy,
but I mean, I used to have to get a search warrant
to look inside your house,
or I can just log onto your Facebook
and you’ve got pictures of all inside your house
and what’s going on.
I mean, it’s not, so people like the idea
of not giving up their privacy, but they do it anyways.
They’re giving away their freedoms all the time.
They’re carrying watches that gives out their heartbeat,
a weight of companies that are storing that.
I mean, what’s more personal than your heartbeat?
So I think people on mass really want to protect their
privacy, and I would say most people don’t really need
to protect their privacy.
But the case against mass surveillance is that
if you want to criticize the government
in a very difficult time, you should be able to do it.
So when you need the freedom, you should have it.
So when you wake up one day and realize
there’s something going wrong with the country I love,
I want to be able to help.
One of the great things about the United States of America
is there’s that individual revolutionary spirit.
So that the government doesn’t become too powerful.
You can always protest.
There’s always the best of the ideal of freedom of speech.
You can always say fuck you to the man.
And I think there’s a concern of direct or indirect
suppression of that through mass surveillance.
You might not, is that little subtle fear
that grows with time, that why bother criticizing
the government?
It’s gonna be a headache.
I’m gonna get a ticket every time I say something bad.
That kind of thing.
So it can get out of hand.
The bureaucracy grows and the freedoms slip away.
That’s the criticism, right?
I completely see your point and I agree with it.
I mean, on the other side, people criticize
the government of these freedoms.
But I mean, tech companies talk about destroying
your privacy and controlling what you can say.
I realize they’re private platforms
and they can decide what’s on their platform.
But they’re taking away your freedoms
of what you can say.
And we’ve heard some things where maybe government
officials were in line with tech companies
to take away some of that freedom.
And I agree with you, that gets scary.
Yeah, there’s something about government
that feels maybe because of the history
of human civilization, maybe because tech companies
are a new thing, but just knowing the history
of abuses of government, there’s something
about government that enables the corrupting
nature of power to take hold at scale
more than tech companies, at least what we’ve seen so far.
Yeah, I agree, I agree.
But I mean, we haven’t had a voice
like we’ve had until recently.
I mean, anyone that has a Twitter account now
can speak and become a news article.
My parents didn’t have that voice.
If they wanted to speak out against the government
or do something, they had to go to a protest
or organize a protest or do something along those lines.
So we have more of a place to put our voice out now.
Yeah, it’s incredible, but that’s why it hurts
and that’s why you notice it when certain voices
get removed.
The president of the United States of America
was removed from one such or all such platforms.
And that hurts.
Yeah, that’s crazy to me, that’s insane.
That’s insane that we took that away.
But let’s return to Silk Road and Russell Brink.
So how did your path with this very difficult,
very fascinating case cross?
We were looking to open a case against TOR
because it was a problem.
All the cases were closing because TOR.
So we went on TOR and we came up with 26 web,
different dotting onions that we targeted.
We were looking for nexuses to hacking
because I was on a squad called CY2
and we were like the premier squad in New York
that was working criminal cyber intrusions.
And so any website that was offering hackers for hire
or hacking tools for free, paid services,
now we’re seeing ransomware as a paid service
and phishing as a paid service,
anything that offered that.
So we opened this case on, I think we called it,
so you have to name cases.
One of the fun thing in the FBI
is when you start a case, you get to name it.
You would not believe how much time is spent
in coming up with the name.
Case goes by, I think we called this Onion Peeler
because of the, yeah.
So a little bit of humor, a little bit of wit
and some profundity to the language, yeah, yeah.
Yeah.
Because you’re gonna have to work with us
for quite a lot, so.
Yeah, this one had the potential of being a big one
because I think Silk Road was like the sixth on the list
for that case, but we all knew
that was sort of the golden ring.
If you could make the splash
that that Onion site was going down,
then it would probably get some publicity.
And that’s part of law enforcement
is getting some publicity out of it
that makes others think not to do it.
I wish to say that Tor is the name of the project,
the browser.
What is the Onion technology behind Tor?
Let’s say you wanna go to a .onion site.
You’ll put in the .onion you wanna go to
and your computer will build communications
with a Tor relay,
which are all publicly available out there.
But you’ll encrypt it.
You’ll put a package around your data.
And so it’s encrypted and so can’t read it.
It goes to that first relay.
That first relay knows about you
and then knows about the next relay down the chain.
And so it takes your data
and then encrypts that on the outside
and sends it to relay number two.
Now, relay number two only knows about relay number one.
It doesn’t know who you are asking for this.
And it goes through there, adding those layers on top,
layers of encryption till it gets to where it is.
And then even the Onion service doesn’t know,
except for the relay it came from, who it’s talking to.
And so it peels back that, gives the information,
puts another layer back on.
And so it’s layers,
like you’re peeling an onion back of the different relays.
And that encryption protects who the sender is
and what information they’re sending.
The more layers there are,
the more exponentially difficult it is to decrypt it.
I mean, you get to a place
where you don’t have to have so many layers
because it doesn’t matter anymore.
It’s mathematically impossible to decrypt it.
But the more relays you have, the slower it is.
I mean, that’s one of the big drawbacks on Tor
is how slow it operates.
So how do you peel the onion?
So what are the different methodologies
for trying to get some information
from a cybersecurity perspective
on these operations like the Silk Road?
It’s very difficult.
People have come up with different techniques.
There’s been techniques to put out in the news media
about how they do it,
running like massive amounts of relays.
And you’re controlling those relays.
I think I blinked somebody tried that once.
So there’s a technical solution.
And what about social engineering?
What about trying to infiltrate
the actual humans that are using the Silk Road
and trying to get in that way?
Yeah, I mean, I definitely could see the way of doing that.
And in this case, in our takedown, we used that.
There was one of my partners, Jared Derrigan,
he was an HSI investigator,
and he had worked his way up
to be a system admin on the site.
So that did gleam quite a bit of information
because he was inside and talking to,
at that time, we only know it as DPR or Dread Pirate Roberts.
We didn’t know who that was yet,
but we had that open communication.
And one of the things,
the technical aspects on that is there was a Jabber server.
That’s a type of communication server that was being used.
And we knew that Ross had his Jabber set to Pacific time.
So we had a pretty good idea what part of the,
what part of the country he was in.
I mean, isn’t that, from DPR’s perspective,
from Ross’s perspective, isn’t that clumsy?
He wasn’t a big computer guy.
Do you notice that aspect of the technical savvy
of some of these guys doesn’t seem to be quite,
why weren’t they good at this?
Well, the real techie savvy ones, we don’t arrest.
We don’t get to them, we don’t find them.
We don’t get to them.
Shout out to the techie criminals.
They’re probably watching this.
I mean, yeah, I mean, we’re getting the low hanging fruit.
I mean, we’re getting the ones that can be caught.
I mean, I’m sure we’ll talk about it,
but the anonymous case, there was a guy named AV Unit.
He’s still, I lose sleep over him
because we didn’t catch him.
We caught everybody else, we didn’t catch him.
He’s good though.
He pops up too once in a while on the internet
and it pisses me off.
Yeah, what’s his name again?
AV Unit, that’s all I know is his AV Unit.
AV Unit.
Yeah, I got a funny story about him
and what people think he is.
Can we go on that brief tangent?
Sure, I love tangents.
Well, let me ask you, since he’s probably he or she,
do we know it’s a he?
We have no idea.
Okay.
I mean, that’s another funny story about hackers,
the he-she issue.
What’s the funny story there?
Well, one of the guys in LulzSec was a she,
was a 17-year-old girl.
And my source in the case, the guy, Sabu,
that I arrested and part of it,
we sat side by side for nine months
and then took down the case and all that.
He was convinced she was a girl and he said,
and he was in love with her almost at one point.
It turns out to be a 35-year-old guy living in England.
Oh, so he was convinced it was a…
Yes, he was absolutely convinced.
Based on what exactly?
By linguistic, like human-based linguistic analysis or what?
She, he, whatever, Kayla,
so it ended up being like a modification
of his sister’s name.
The real guy’s sister’s name
was so good at building the backstory.
All these guys, and it’s funny,
these guys are part of a hacking crew.
They social engineer the shit out of each other
just to build if one of them ever gets caught,
they’ll convince everybody else
that they’re a Brazilian ISP owner or something like that.
And that’s how I’m so powerful.
Well, yeah, that social engineering aspect
is part of living a life of cybercrime or cybersecurity
on the offensive or defensive.
So AV unit, can I ask you also
just a tangent of a tangent first?
That’s my favorite tangent.
Okay.
Is it possible for me to have a podcast conversation
with somebody who hasn’t been caught yet
and because they have the conversation,
they still won’t be caught?
And is that a good idea?
Meaning, is there a safe way for a criminal
to talk to me on a podcast?
I would think so.
I would think that someone could,
I mean, someone who has been living a double life
for long enough where you think they’re not a criminal.
No, no, no, no, they would have to admit
that they would say I am AV unit.
Oh, you would wanna have a conversation with AV unit?
Yes.
I’m just speaking from an FBI perspective,
technically speaking.
So let me explain my motivation.
I think I would like to be able to talk
to people from all walks of life
and understanding criminals,
understanding their mind, I think is very important.
And I think there’s fundamentally something different
between a criminal who’s still active
versus one that’s been caught.
The mind, just from observing it,
changes completely once you’re caught.
You have a big shift in your understanding of the world.
I mean, I do have a question about the ethics
of having such conversations,
but first, technically, is it possible?
If I was technically advising you,
I would say, first off, don’t advertise it.
The fewer people that you’re gonna tell
that you’re having this conversation with, the better.
And yeah, you could, are you doing it in person?
Are you doing it in-
In person would be amazing, yeah,
but their face would not be shown.
Yeah, I mean, you couldn’t publish a show for a while.
They’d have to put a lot of trust in you
that you are not going to,
you’re gonna have to alter those tapes.
I say tapes, because it’s old school, you know?
It’s a tape.
Exactly, I’m sure a lot of people just said that,
like, oh shit, this old guy just said tape.
I heard of VHS, it was in the 1800s, I think.
But yeah, yeah, you could do it.
They’d have to have complete faith and trust in you
that you destroy the originals
after you’ve altered it.
What about if they don’t have faith?
Is there a way for them to attain security?
So, like, for me to go through some kind of process
where I meet them somewhere where-
I mean, you’re not gonna do it
without a bag over your head.
I don’t know if that’s the life you wanna live.
I’m fine with a bag over my head.
That’s gonna get taken out of context.
But I just, I think it’s a worthy effort.
It’s worthy to go through the hardship of that
to understand the mind of somebody.
I think fundamentally, conversations are a different thing
than the operation of law enforcement.
Understanding the mind of a criminal,
I think, is really important.
I don’t know if you’re gonna have the honest conversation
that you’re looking for.
I mean, it may sound honest, but it may not be the truth.
I found most times when I was talking to criminals,
it’s lies mixed with half-truths.
And you kinda, if they’re good,
they can keep that story going for long enough.
If they’re not, you kind of see the relief in them
when you finally break that wall down.
That’s the job of an interviewer.
If the interviewer is good, then perhaps not directly,
but through the gaps,
seeps out the truth of the human being.
So not necessarily the details
of how they do the operations and so on,
but just who they are as a human being,
what their motivations are, what their ethics are,
how they see the world, what is good, what is evil,
do they see themselves as good,
what do they see their motivation as,
do they have resentment,
what do they think about love for the people
within their small community,
do they have resentment for the government
or for other nations or for other people,
do they have childhood issues
that led to a different view of the world
than others perhaps have,
do they have certain fetishes like sexual and otherwise
that led to the construction of the world?
They might be able to reveal some deep flaws
to the cybersecurity infrastructure of our world,
not in detail, but like philosophically speaking.
They might have,
I know you might say it’s just a narrative,
but they might have a kind of ethical concern
for the well-being of the world
that they’re essentially attacking the weakness
of the cybersecurity infrastructure
because they believe ultimately
that would lead to a safer world.
So the attacks will reveal the weaknesses.
And if they’re stealing a bunch of money,
that’s okay because that’s gonna enforce you
to invest a lot more money in defending,
yeah, defending things that actually matter,
you know, nuclear warheads and all those kinds of things.
I mean, I could see, you know,
it’s fascinating to explore the mind
of a human being like that
because I think it will help people understand.
Now, of course,
it’s still a person that’s creating a lot of suffering
in the world, which is a problem.
So do you think ethically it’s a good thing to do?
I don’t.
I mean, I feel like I have a fairly high ethical bar
that I have to put myself on
and I don’t think I have a problem with it.
I would love to listen to it.
Okay, great.
I mean, not that I’m your ethical coach here.
Yeah, well, that’s interesting.
I mean, so,
because I thought you would have become jaded
and exhausted by the criminal mind.
It’s funny.
You know, I’m, you know, fast forward in our story,
I’m very good friends with Hector Monserrat,
the Sabu, the guy I arrested,
and he tells stories of what he did in his past.
And I’m like, oh, I’m that Hector, you know?
But then I listened to your episode with Brett Johnson
and I was like, ah, this guy’s stealing money
from the US government and welfare fraud
and all this sort of thing.
It just pissed me off.
And I don’t know why I have that differentiation in my head.
I don’t know why I think one’s just,
oh, Hector will be Hector,
and then this guy just pissed me off.
Well, you didn’t feel that way about Hector
until you probably met him.
Well, I didn’t know Hector, I knew Sabu.
So I hunted down Sabu
and I learned about Hector over those nine months.
Well, we’ll talk about it later.
Let’s finish with, let’s return tangent to back to tangent.
Oh, one tangent up, who’s AV unit?
I don’t know.
Interesting, so he’s at the core of Anonymous.
He’s one of the critical people in Anonymous.
What is known about him?
There’s what’s known in public and what was known
because I sat with Hector
and he was sort of like the set things up guy.
So if LulzSec had like their hackers,
which was Sabu and Kayla,
and they had their media guy, this guy Topiary,
he lived up in the Northern end of England.
And they had a few other guys,
but AV unit was the guy that set up infrastructure.
So if you need a VPN in Brazil
or something like that to pop through,
one of the first things Hector told me
after we arrested him is that AV unit
was a secret service agent.
And I was like, oh shit.
Just because he kind of lived that lifestyle,
he’d be around for a bunch of days
and then all of a sudden gone for three weeks.
And I tried to get more out of Hector
early on in that relationship.
I’m sure he was a little bit guarded,
maybe trying to social engineer me.
Maybe he wanted that, oh shit,
there’s law enforcement involved in this.
And not to say, I mean, I was in over my head
with that case, just the amount of work that was going on.
So to track them all down,
plus the 350 hacks that came in
about just military institutions,
it was swimming in the deep end.
So it was just at the end of the case,
I looked back and I was like, AV unit,
I could have had them all.
Maybe that’s the perfectionist in me.
Oh man.
Well, reach out somehow.
I won’t say how, right?
We’ll have to figure out.
Would you have them on?
Yeah.
Oh my God.
Just let me know.
And just talk shit about you the whole time.
That’s perfect.
He probably doesn’t even care about me.
Well, now he will.
Yeah.
Because there’s a certain pleasure
of a guy who’s extremely good at his job
not catching another guy who’s extremely good at his job.
Obviously better.
He got away.
There you go.
He’s still eating at you.
I love it.
He or she.
If I can meet that guy one day, he or she,
that’d be great.
I mean, I have no power.
So yes, Silk Road, can you speak to the scale of this thing?
Just for people who are not familiar,
how big was it and any other interesting things
you understand about its operation when it was active?
So it was when we finally got looking through the books
and the numbers came out as about $1.2 billion in sales.
It’s kind of hard with the fluctuation value of Bitcoin
at the time to come up with a real number.
So you kind of pick a daily average and go across.
Most of the operation was done in Bitcoin.
It was all done in Bitcoin.
You couldn’t.
You had escrow accounts on, you know,
you came in and you put money in an escrow account
and the transaction wasn’t done until the client got
the drugs or whatever they had bought.
And then the drug dealers had sent it in.
There was some talk at the time that the cartel
was starting to sell on there.
So that started getting a little hairy there at the end.
What was the understanding of the relationship
between organized crime,
like the cartels and this kind of more ad hoc,
new age market that is the Silk Road?
I mean, it was all just chatter.
It was just, you know,
cause like I said, Jared was in the inside.
So we saw some of it from the admin sides
and Ross had a lot of private conversations
with the different people that he advised him,
but no one knew each other.
And I mean, the only thing that they knew
was the admins had to send an ID to Ross,
had to send a picture of their driver’s license or passport,
which I always found very strange
because if you are an admin on a site that sells fake IDs,
why would you send your real ID?
And then why would the guy running the site
who profits from selling fake IDs believe that it was?
But fast forward, they were all real IDs.
All the IDs that we found on Ross’s computer as the admins
were the real people’s IDs.
What do you make of that?
Just other clumsiness?
Yeah, low-hanging fruit, I guess.
I guess that’s what it is.
I mean, I would have bought,
I mean, even Ross bought fake IDs off the site.
He had federal agents knock on his door,
you know, and then he got a little cocky about it.
The landscape, the dynamics of trust is fascinating here.
So you trust certain ideas are,
like who do you trust in that kind of market?
What was your understanding of the network of trust?
I don’t think anyone trusts anybody, you know?
I mean, I think Ross had his advisors of trust,
but outside of that, I mean,
he required people to send their ID for their trust.
He, you know, people stole from him.
There was, there’s open cases of that.
It’s a criminal world.
You can’t trust anybody.
What was his life like, you think?
Lonely.
Can you imagine being trapped in something like that
where you, the whole world focused on that
and you can’t tell people what you do all day?
Could he have walked away?
Like someone else take over or the site just shut down?
Either one.
Just you putting yourself in his shoes,
the loneliness, the anxiety,
the just the growing immensity of it.
So walk away with some kind of financial stability.
I couldn’t have made it past two days.
I don’t like loneliness.
I mean, if my wife’s away,
I’d probably call her 10, 12 times a day.
We just talk about things, you know,
something crossed my mind.
I want to talk about it.
I’m sure she.
And you’d like to talk to her,
like honestly about everything.
So if you were running Silk Road,
you wouldn’t be able to like.
Hopefully I’d have a little protection.
I’d only mentioned to her when we were in bed
to have that marital connection.
But who knows?
I mean, she’s gonna question why the Ferrari is outside
and things like that.
Yeah.
Well, I’m sure you can come up with something.
Why didn’t he walk away?
It’s another question of why don’t criminals walk away
in these situations?
Well, I mean, I don’t know every criminal mind
and some do.
I mean, A.V. Unit walked away.
I mean, not to go back to that son of a bitch, but.
There’s a theme to this.
But you know, Ross started counting his dollars.
I mean, he really kept track of how much money
he was making and it started, you know,
getting exponentially growth.
I mean, if he would have stayed at it,
he would have probably been one of the richest people
in the world.
And do you think he liked the actual money
or the fact of the number growing?
I mean, have you ever held a Bitcoin?
Yeah.
Oh, you have?
Well, he never did.
What do you mean held a Bitcoin?
You can’t hold it.
It’s not real.
It’s not like I can give you a briefcase of Bitcoin
or something like that.
He liked the idea of it growing.
He liked the idea.
I mean, I think it started off as sharing this idea,
but then he really did turn to,
like, I am the captain of this ship and that’s what goes.
And he was making a lot of money.
And again, my interactions with Ross
was about maybe five or six hours over a two-day period.
I knew DPR because I read his words and all that.
I didn’t really know Ross.
There was a journal found on his computer
and so it sort of kind of gave me a little insight.
So I don’t like to do a playbook for criminals,
but I’ll tell you right now, don’t write things down.
There was a big fad about people,
like, remember kids going around
shooting people with paint balls and filming it?
I don’t know why you would do that.
Why would you videotape yourself committing crime
and then publish it?
Like, if there’s one thing I’ve taught my children,
don’t record yourself doing bad things.
It never goes well.
So-
And you actually give advice in the other end
of logs being very useful for the defense perspective
for information is useful for being able to figure out
what the attacks were all about.
Logs are the only reason I found Hector Monsegur.
The one time his VPN dropped during a Fox hack,
and he says he wasn’t even hacking,
he just was sent a link and he clicked on it.
And in 10 million lines of logs,
there was one IP address that stuck out.
This is fascinating.
We’ll explore several angles of that.
So what was the process of bringing down Ross
and the Silk Road?
All right, so that’s a long story.
You want the whole thing or you want to break it up?
Let’s start at the beginning.
Once we had the information of the chat logs
and all that from the server, we found-
What’s the server?
What’s the chat log?
So the dot onion was running, the website,
the Silk Road was running on a server in Iceland.
How did you figure that out?
That was one of the claims that the NSA-
Yeah, that’s the one that we said that,
yeah, I wouldn’t tell you if it was.
It’s on the internet.
I mean, the internet has their conspiracy theories
and all that, so-
But you figured out, that’s the part of the thing you do.
It’s puzzle pieces and you have to put them together
and look for different pieces of information
and figure out, okay.
So you figure out the server is in Iceland.
We get a copy of it,
and so we start getting clues off of that.
Was it a physical copy of the server?
Yeah, you fly over there.
So you go.
If you’ve been to Iceland, if you’ve never been,
you should definitely go to Iceland.
Is it beautiful or-
I love it, I love it.
It was what, so I’ll tell you this.
So, sorry, tangents, you know?
I love this, yeah.
So I went to Iceland for the anonymous case.
Then I went to Iceland for the Silk Road case,
and I was like, oh shit,
all cyber crime goes through Iceland.
It was just my sort of thing.
And I was over there for like the third time,
and I said, if I ever can bring my family here.
Like, so there’s a place called Thingavar,
and I’m sure I’m fucking up the name.
The Icelandics are pissed right now.
But it’s where the North American continental plate
and the European continental plate are pulling apart,
and it’s being filled in with volcanic material
in the middle, and it’s so cool.
Like, I was like, one day,
I’ll be able to afford to bring my family here.
And once I left-
Just like the humbling and the beauty of nature.
Just everything, man.
It was a different world.
It was insane how great Iceland is.
And so we went back, and we rented a van,
and we took friends,
and we drove around the entire country.
Absolutely, like a beautiful place.
Like, Reykjavik’s nice,
but get out of Reykjavik as quick as you can
and see the countryside.
How is this place even real?
Well, it’s so new.
I mean, that’s, so, you know,
our rivers have been going through here
for millions of years and flattened everything out
and all that.
These are new, this is new land
being carved by these rivers.
You can walk behind a waterfall in one place.
It’s the most beautiful place I’ve ever been.
You understand why this is a place
where a lot of hacking is being done?
Because the energy is free, and it’s cool.
So you have a lot of servers going on there.
Server farms, you know,
the energy has come up out of the ground, geothermal.
And so, and then it keeps all the servers nice and cool.
So why not keep your computers there at a cheap rate?
Tangents.
I’ll definitely visit for several reasons,
including to talk to AV Unit.
Yeah, he’ll want you there.
Well, the servers are there,
but they don’t probably live there.
I mean, that’s interesting.
I mean, the Pacific, the PST, the time zones,
there’s so many fascinating things to explore here.
But so you got-
Sorry, to add to that,
I mean, the European internet cable goes through there.
So, you know, across to Greenland
and down through Canada and all that.
So they have backbone access with cheap energy
and free cold weather, you know.
And beautiful.
Oh, and beautiful, yes.
So chat logs on that server,
what was in the chat logs?
Everything.
He kept them all.
That’s another issue.
If you’re running a criminal enterprise,
please don’t keep all,
again, I’m not making a guidebook
of how to commit the perfect crime.
But, you know, every chat he ever had,
and everyone’s chat,
it was like going into Facebook of criminal activity.
Yeah, just looking at texts with Elon Musk
being part of the conversations.
I don’t know if you’re familiar,
but they’ve been made public
for the court cases going through,
was going through, is going through,
was going through with Twitter.
I don’t know where it is.
But it made me realize that, oh, okay.
I’m generally, that’s my philosophy in life,
is like anything I text or email or say,
publicly or privately, I should be proud of.
So I try to kind of do that
because you basically, you say don’t keep chat logs,
but it’s very difficult to erase chat logs from this world.
I guess if you’re a criminal, that should be,
like you have to be exceptionally competent
at that kind of thing.
To erase your footprints is very, very difficult.
You can’t make one mistake.
All it takes is one mistake of keeping it.
But yeah, I mean, not only do you have to be,
whatever you put in a chat log or whatever you put in an email
it has to hold up and you have to stand behind it publicly
when it comes out.
But if it comes out 10 years from now,
you have to stand behind it.
I mean, we’re seeing that now in today’s society.
Yeah, but that’s a responsibility
you have to take really, really seriously.
If I was a parent and advising teens,
like you kind of have to teach them that.
I know there’s a sense like,
no, we’ll become more accustomed to that kind of thing.
But in reality, no.
I think in the future we’ll still be held responsible
for the weird shit we do.
Yeah, a friend of mine,
his daughter got kicked out of college
because of something she posted in high school.
And the shittiest thing for him, but great for my kids.
Great lesson.
Look over there and you don’t want that to happen to you.
Yeah.
Okay, so in the chat logs was useful information,
like breadcrumbs of what,
of information that you can then pull out.
Yeah, great evidence and stuff.
I mean, obviously-
A lot of evidence too.
Yeah, a lot of evidence.
Here’s a sale of this much heroin
because Ross ended up getting charged
with czar status on certain things.
And it’s a certain weight in each type of drug
and that you had,
I think it’s four or five employees of your empire
and that you made more than $10 million.
And so it’s just like what the narco traffickers
get charged with or anybody out of Columbia.
And that was primarily what he was charged with
during when he was arrested is the drug.
Yeah, and he got charged
with some of the hacking tools too.
Okay.
Because he’s in prison, what, for-
Two life sentences plus 40 years.
And no possibility of parole?
In the federal system,
there’s no possibility of parole when you have life.
The only way you get out is if the president pardons you.
There’s always a chance.
There is.
It was close.
I heard rumors that it was close.
Well, right.
So it depends.
Given, it’s fascinating,
but given the political, the ideological ideas
that he represented and espoused,
it’s not out of the realm of possibility.
Yeah, I mean, I’ve been asked before who,
does he get out of prison first
or does Snowden come back into America?
And I don’t know.
I have no idea.
Snowden just became a Russian citizen.
I saw that.
I’ve heard a lot of weird theories about that one.
Well, actually, on another tangent, let me ask you,
do you think Snowden is a good or a bad person?
A bad person.
Can you make the case that he’s a bad person?
There’s ways of being a whistleblower
and there’s rules set up on how to do that.
He didn’t follow those rules.
I mean, they, you know, I’m red, white, and blue,
so I’m pretty, you know, I-
So you think his actions were anti-American?
I think the results of his actions were anti-American.
I don’t know if his actions were anti-American.
Do you think he could have anticipated
the negative consequences of his action?
Yes.
Should we judge him by the consequences
or the ideals of the intent of his actions?
I think we all get to judge him based on our own beliefs,
but I believe what he did was wrong.
Can you steel man the case that he’s actually a good person
and good for this country, for the United States of America,
as a flag bearer for the whistleblowers,
the check on the power of government?
Yeah, I mean, I’m not big government-type guy, you know,
so, you know, even that sounds weird
coming from a government guy for so many years,
but there’s rules in place for a reason.
I mean, he put, you know, some of our best capabilities,
he made them publicly available.
They really kind of set us back in the,
and this isn’t my world at all,
but the offensive side of cybersecurity.
Right, so he revealed stuff that he didn’t need to reveal
in order to make the point.
Correct.
So if you could imagine a world where he leaked stuff
that revealed the mass surveillance efforts
and not reveal other stuff.
Like, is the mass surveillance, I mean,
that’s the thing that, of course,
in the interpretation of that, there’s fear-mongering,
but at the core, that was a real shock to people
that it’s possible for government to collect data at scale.
It’s surprising to me that people are that shocked by it.
Well, there’s conspiracies,
and then there’s, like, actual evidence
that that is happening.
I mean, there’s a lot of reality that people ignore,
but when it hits you in the face,
you realize, holy shit, we’re living in a new world.
This is the new reality,
and we have to deal with that reality.
Just like you work in cybersecurity,
I think it really hasn’t hit most people
how fucked we all are in terms of cybersecurity.
Okay, let me rephrase that.
How many dangers there are in a digital world,
how much under attack we all are,
and how more intense the attacks are getting,
and how difficult the defense is,
and how important it is,
and how much we should value it,
and all the different things we should do
at the small and large scale to defend.
Like, most people really haven’t woken up.
They think about privacy from tech companies.
They don’t think about attacks, cyber attacks.
People don’t think they’re a target,
and that message definitely has to get out there.
I mean, if you have a voice, you’re a target.
If the place you work, you might be a target.
See, your husband might work at some place,
because now people are working from home,
so they’re gonna target you to get access
to his network in order to get in.
Well, in that same way, the idea that the US government
or any government could be doing mass surveillance
on its citizens is one that was a wake-up call,
because you could imagine the ways
in which that could be,
like, you could abuse the power of that
to control a citizenry for political reasons and purposes.
Absolutely, you know, you could abuse it.
I think during the part of the Snowden League,
saw that two NSA guys were monitoring their girlfriends,
and there’s rules in place for that.
Those people should be punished for abusing that.
But how else are we going to hear about terrorists
that are in the country talking about birthday cakes?
And that was a case where that was the trip word,
that we’re gonna go bomb New York City’s subway.
Yeah, it’s complicated, but it just feels like
there should be some balance of transparency.
There should be a check in that power,
because, like, you know, in the name of the war on terror,
you can sort of sacrifice.
There is a trade-off between security and freedom,
but it just feels like there’s a giant, slippery slope
on the sacrificing of freedom in the name of security.
I hear you, and, you know, we live in a world where,
well, I live in a world where I had to tell you exactly
when I arrested someone, I had to write a 50-page document
of how I arrested you and all the probable cause
I have against you and all that.
Well, you know, bad guys are reading that.
They’re reading how I caught you,
and they’re changing the way they’re doing things.
They’re changing their MO.
You know, they’re doing it to be more secure.
If, you know, we tell people how we’re monitoring,
you know, what we’re surveilling, we’re gonna lose that.
I mean, the terrorists are just gonna go a different way.
And I’m not trying to, again, I’m not big government.
I’m not trying to say that, you know,
it’s cool that we’re monitoring,
the U.S. government’s monitoring everything.
You know, big tech’s monitoring everything.
They’re just monetizing it
versus possibly using it against you.
But there is a balance, and those 50 pages,
they have a lot of value.
They make your job harder,
but they prevent you from abusing the power of the job.
Yeah. There’s a balance.
Yeah. That’s a tricky balance.
So the chat logs in Iceland,
gave you evidence of the heroin
and all the large-scale czar-level drug trading.
What else did it give you in terms of the how to catch?
It gave us infrastructure.
So the Onion name was actually running on a server in France.
So if you like, and it only commuted
through a back channel of VPN
to connect to the Iceland server.
There was a Bitcoin, like kind of vault server
that was also in Iceland.
And I think that was so that the admins
couldn’t get into the Bitcoins,
the other admins that were hired to work on the site.
So you could get into the site,
but you couldn’t touch the money.
Only Ross had access to that.
And then, you know, another big mistake on Ross’s part
is he had the backups for everything
at a data center in Philadelphia.
Don’t put your infrastructure in the United States.
I mean, again, let’s not make a playbook, but you know.
Well, I think these are low-hanging fruit
that people of competence would know already.
I agree.
But it’s interesting that he wasn’t competent enough
to make, so he was incompetent in certain ways.
Yeah, I don’t think he was a mastermind
of setting up an infrastructure
that would protect his online business
because, you know, keeping chat logs, keeping a diary,
putting infrastructure where it shouldn’t be.
Bad decisions.
How did you figure out that he’s in San Francisco?
So we had that part with Jared
that he was on the West Coast.
And then-
Who again is Jared?
Jared Day-Egan was a, he was a partner in,
he was a DHS agent,
worked for HSI, Homeland Security Investigations in Chicago.
He started his Silk Road investigation
because he was working at O’Hare
and a weird package came in.
Come to find out, he traced it back to Silk Road.
So he started working at a Silk Road investigation
long before I started my case.
And he made his way up undercover
all the way to be an admin on Silk Road.
So he was talking to Ross on a Jabra server,
the private Jabra server, private chat communication server.
And we noticed that Ross’s time zone on that Jabra server
was set to the West Coast.
So we had Pacific time on there.
So we had a region, 1 24th of the world was covered
of where we thought he might be.
And from there, how do you get to San Francisco?
There was another guy, an IRS agent
that was part of the team.
And he used a powerful tool to find his clue.
He used the world of Google.
He simply just went back and Googled around
for Silk Road at the time it was coming up
and found some posts on like some help forums
that this guy was starting an Onion website
and wanted some cryptocurrency help.
And if you could help him,
please reach out to ross.albrek at gmail.com.
In my world, that’s a clue, so.
Okay, so that’s as simple as that.
Yeah, and the name he used on that post was Frosty.
Yeah, so you had to connect Frosty
and other uses in Frosty and here’s a Gmail
and the Gmail has the name.
The Gmail posted that I need help
under the name Frosty on this forum.
So what’s the connection of Frosty elsewhere?
The person logging into the Philadelphia backup server,
the name of the computer was Frosty.
Another clue in my world.
And that’s it.
The name is there,
the connection to the Philadelphia server
and then to Iceland is there.
And so the rest is small details in terms of,
or is there interesting details?
No, I mean, there’s some electronic surveillance
to find Ross Albrek living in a house
and is there, you know, is a computer at his house
attaching to, you know, does it have Tor traffic
at the same time that DPR is on?
Another big clue.
Matching up timeframes.
Again, just putting your email out there,
putting your name out there like that.
Like what I see from that,
just at the scale of that market,
what it just makes me wonder how many criminals
are out there that are not making
these low-hanging fruit mistakes
and are still successfully operating.
To me, it seems like you could be a criminal,
it’s much easier to be a criminal on the internet.
What else to you is interesting to understand
about that case of Ross
and Silk Road and just the history of it
from your own relationship with it,
from a cybersecurity perspective,
from an ethical perspective, all that kind of stuff.
Like when you look back,
what’s interesting to you about that case?
I think my views on the case have changed over time.
I mean, it was my job back then.
So I just looked at it as of, you know,
I’m going after this.
I sort of made a name for myself in the Bureau
for the anonymous case.
And then this one was just, I mean, this was a bigger deal.
I mean, they flew me down to DC
to meet with the director about this case.
The President of the United States
was gonna announce this case, the arrest.
Unfortunately, the government shut down two days before.
So it was just us.
And that’s really the only reason
I had any publicity out of it,
is because the government shut down
and the only thing that went public
was that affidavit with my signature at the end.
Otherwise, it would have just been the Attorney General
and the President announcing the rest of this big thing.
You wouldn’t have seen me.
Did you understand that this was a big case?
Yeah, I knew at the time.
Was it because of the scale of it or what it stood for?
I just knew that the public was gonna react in a big way.
Like the media was…
Now, did I think that it was gonna be on the front page
of every newspaper the day after the arrest?
No, but I could sense it.
Like I went like three or four days without sleep.
When I was out in San Francisco to arrest Ross,
I had sent three guys to Iceland to…
So it was a three-pronged approach for the takedown.
It was get Ross, get the Bitcoins and seize the site.
We didn’t want someone else taking control of the site.
And we wanted that big splash of that banner.
Like, look, the government found this site.
You might not wanna think about doing this again.
And you were able to pull off all three?
Maybe that’s my superpower.
I’m really good about putting smarter people than I am
together and on the right things.
It’s the only way to do it.
In the business I formed, that’s what I did.
I hired only smarter people than me.
I’m not that smart,
but smart enough to know who the smart people are.
The team was able to do all three?
Yeah, we were able to get all three done.
Yeah, and the one guy, one of the guys,
the main guys I sent to Iceland, man, he was so smart.
I sent another guy from the FBI to France to get that part,
and he couldn’t do it.
So the guy in Iceland did it from Iceland.
They had to pull some stuff out of memory on a computer.
It’s live process stuff.
I’m sure you’ve done that before.
I’m sure you did.
Look what you’re doing.
This is like a multi-layer interrogation going on.
Was there a concern that somebody else
would step in and control the site?
Absolutely, we didn’t have insight
on who exactly had control.
So it turns out that Ross had dictatorial control.
So it wasn’t easy to delegate to somebody else.
He hadn’t.
I think he had some sort of ideas.
I mean, his diary talked about walking away
and giving it to somebody else,
but he couldn’t give up that control on anybody, apparently.
Which makes you think that power corrupts,
and his ideals were not as strong as he espoused about.
Because if it was about the freedom
of being able to buy drugs, if you want to,
then he surely should have found ways to delegate that power.
Well, he changed over time.
You could see it in his writings that he changed.
So people argue back and forth
that there was never murders on Silk Road.
When we were doing the investigation,
to us, there were six murders.
So the way we saw him at the time
was Ross ordered people to be murdered.
People stole from him and all that.
It was sort of an evolution from,
oh man, I can’t deal with this, I can’t do it,
it’s too much, to the last one was the guy said,
well, he’s got three roommates.
It’s like, oh, we’ll kill them too.
Was that ever proven in court?
No, the murders never went forward
because there was some stuff problems in that case.
So there was a separate case in Baltimore
that they had been working on for a lot longer.
And so, during the investigation,
that caused a bunch of problems
because now we have multiple federal agencies
case against the same thing.
How do you decide not to push forward
the murder investigations?
So there was a deconfliction meeting that happened in DC.
I didn’t happen to go to that meeting,
but Jared went, this is before I ever knew Jared,
and we have like televisions
where we can just sit in a room
and sit in on the meeting,
but it’s all secured network and all that.
So we can talk openly about secure things.
And we sat in on the meeting
and people just kept saying the term sweat equity.
I’ve got sweat equity,
meaning that they had worked on the case for so long
that they deserve to take them down.
And by this time, no one knew about us,
but we told them at the meeting
that we had found the server and we have a copy of it
and we have the infrastructure.
And these guys had just had communications under covers.
They didn’t really know what was going on.
And this wasn’t my first deconfliction meeting.
We had a huge deconfliction meeting
during the anonymous case.
What’s a deconfliction meeting?
Within your agency or other federal agencies
have an open investigation
that if you expose your case
or took down your case would hurt their case
or the other way.
Oh, so you kind of have a,
it’s like the rival gangs meet at the table
in a smoke filled room and-
Less bullets at the end, but yes.
Boy, with the sweat equity.
Yeah.
I mean, there’s careers at stake, right?
Yeah.
You hate that idea.
Yeah, I mean, why is that a stake?
Just because you’ve worked on it long enough,
longer than I have, that means you did better?
Yeah.
That’s insane to me.
That’s rewarding bad behavior.
And so the part of the sweat equity discussion
was about murder.
And this was, here’s a chance to actually bust them
given the data you have from Iceland
and all that kind of stuff.
So why?
Well, they wanted us just to turn the data over to them.
To them.
Yeah, thanks for getting us this far.
Here it is.
I mean, it came to the point where they sent us,
they had a picture of what they thought Ross was,
and it was an internet meme.
It really was a meme.
It was a photo that we could look up.
Like, it was insane.
All right, so there’s different degrees of competence
all across the world between different people.
Yes.
Okay, does part of you regret
because you pushed forward the heroin and the drug trade,
but never got to the murder discussion?
I mean, the only regret is that the internet
doesn’t seem to understand.
Like, they just kind of blow that part off,
that he literally paid people to have people murdered.
It didn’t result in a murder,
and I thank God no one resulted in a murder.
But that’s where his mind was.
His mind and where he wrote in his diary
was that I had people killed and here’s the money.
He paid it.
He paid a large amount of Bitcoins for that murder.
So he didn’t just even think about it.
He actually took action, but the murders never happened.
He took action by paying the money.
Correct, and the people came back with results.
He thought they were murdered.
That said, can you understand the stigma on the case
for the drug trade on Silk Road?
Like, can you make the case
that it’s a net positive for society?
So there was a time period
of when we found out the infrastructure
and when we built the case against Ross.
I don’t remember exactly.
Six weeks, a month, two months, I don’t know,
somewhere in there.
But then at Ross’s sentencing,
there was a father that stood up
and talked about his son dying.
And I went back and kind of did the math
and it was between those time periods
of when we knew we could shut it down.
We could have pulled the plug on the server and gone.
And when Ross was arrested,
his son died from buying drugs on Silk Road.
And I still think about that father a lot.
But if we look at the scale at the war on drugs,
let’s just even outside of Silk Road,
do you think the war on drugs by the United States
has alleviated more suffering
or caused more suffering in the world?
That might be above my pay scale.
I mean, I understand the other side of the argument.
I mean, people said that I don’t have to go down
to the corner to buy drugs.
I’m not gonna get shot on the corner buying drugs
or something.
I can just have them sent to my house.
People are gonna do drugs anyways.
I understand that argument.
From my personal standpoint,
if I made it more difficult for my children to get drugs,
then I’m satisfied.
So your personal philosophy is that
if we legalize all drugs, including heroin and cocaine,
that that would not make for a better world?
I don’t, no, personally, I don’t believe
legalizing all drugs would make for a better world.
Can you imagine that it would?
Do you understand that argument?
Sure, I mean, as I’ve gotten older,
I’ve started to, I like to see both sides of an argument.
And when I can’t see the other side,
that’s when I really like to dive into it.
And I can see the other side.
I can see why people would say that.
But I don’t wanna be my race children in a world
where drugs are just free for use.
Well, and then the other side of it is with Silk Road,
did, you know, taking down Silk Road,
did that increase or decrease the number
of drug trading criminals in the world?
It’s unclear.
Online, I think it increased.
I think, you know, that is one of the things
I think about a lot with Silk Road
was that no one really knew.
I mean, there was, you know, thousands of users.
But then after that, it was on the front page of the paper
and there was millions of people that knew
about Tor and Onion Sites.
It was an advertisement.
You know, I would have thought,
I thought crypto was gonna crash right after that.
Like, I don’t like what people now see
that bad people are doing bad things with crypto.
That’ll crash.
Well, I’m obviously wrong on that one.
And I thought, you know, Ross was sentenced
to two life sentences plus 40 years.
No one’s gonna start up these.
Dark markets exploded after that.
You know, some of them started as, you know,
opportunistic, I’m gonna, you know,
take those escrow accounts and I’m gonna steal
all the money that came in.
You know, they were for that.
But, you know, but there were a lot of dark markets
that popped up after that.
Now we put the playbook out there.
Yeah, yeah.
But, and also there’s a case for,
do you ever think about not taking down,
if you have not taken down Silk Road,
you could use it because it’s a market.
It itself is not necessarily
the primary criminal organization.
It’s a market for criminals.
So it could be used to track down criminals
in the physical world.
So if you don’t take it down,
given that it was, you know, the central,
how centralized it was,
it could be used as a place to find criminals, right?
As opposed to-
So the dealers, the drug dealers?
Yeah.
So if you have the cartel, get the cartels
start getting involved, you go after the dealers.
It would have been very difficult.
Because of TOR and all that.
Because of all the protections, anonymity.
De-cloaking all that would have been
drastically more difficult.
And a lot of people in upper management of the FBI
didn’t have the appetite of running something like that.
That would have been the FBI running a drug market.
How many, how many kids,
how many fathers would have to come in and said,
my kid bought while the FBI was running a site,
a drug site, my kid died.
So I didn’t know anybody in the FBI in management
that would have the appetite to let us run
what was happening on Silk Road.
You know, because remember at that time
we’re still believing six people are dead.
We’re still investigating, you know,
where are all these bodies?
You know, that’s pretty much why
we took down Ross when we did.
We had to jump on it fast.
What else can you say about this complicated world
that has grown of the dark web?
I don’t understand it.
Like, it would have been something for me,
I thought it was gonna collapse.
But I mean, it’s just gotten bigger
in what’s going on out there.
Now, I’m really surprised that it hasn’t grown
into other networks,
or people haven’t developed other networks.
But TOR’s-
You mean like instead of TOR?
Yeah, TOR’s still the main one out there.
I mean, there’s a few others,
and I’m not gonna put an advertisement out for them.
But, you know, I thought that market would have grown.
Yeah, my sense was, when I interacted with TOR,
it was that there’s huge usability issues.
But that’s for like legal activity.
Because like if you care about privacy,
it’s just not as good of a browser.
Like, to look at stuff.
No, it’s way too slow.
It’s way too slow, but I mean, you can’t even,
like, I know some people would use it
to like view movies like Netflix.
You can only view certain movies in certain countries.
You can use it for that,
but it’s too slow even for that, so.
Were you ever able to hold in your mind
the landscape of the dark web?
Like what’s going on out there?
It’s just, to me as a human being,
it’s just difficult to understand the digital world.
Like these anonymous usernames.
Like doing anonymous activity.
It’s just, it’s hard to, what am I trying to say?
It’s hard to visualize it in the way I can visualize
like I’ve been reading a lot about Hitler.
I can visualize meetings between people,
military strategy, deciding on certain evil atrocities,
all that kind of stuff.
I can visualize the people.
There’s agreements, hands, handshakes,
stuff signed, groups built.
Like in the digital space, like with bots,
with anonymity, anyone human can be multiple people.
It’s just-
Yeah, it’s all lies.
It’s all lies.
Like, yeah, it feels like I can’t trust anything.
No, you can’t.
You honestly can’t.
And like, you can talk to two different people
and it’s the same person.
Like there’s so many different, you know,
Hector had so many different identities online,
the, you know, of things that, you know,
the lies to each other.
I mean, he lied to people inside his group
just to use another name to spy on,
make sure what they were talking shit behind his back
or weren’t doing anything.
It’s all lies and people that can keep
all those lies straight.
It’s unbelievable to me.
Ross Albrecht represents the very early days of that.
That’s why the competence wasn’t there.
Just imagine how good the people are now.
The kids that grow up.
Oh, they’ve learned from his mistakes.
Just the extreme competence.
You just see how good people are at video games,
like the level of play in terms of video games.
Like I used to think I sucked.
And now I’m not even like,
I’m not even in the like consideration
of calling myself shitty at video games.
I’m not even, I’m like non-existent.
I’m like the mold.
Yeah, I stopped playing because it’s so embarrassing.
It’s embarrassing.
It’s like wrestling with your kid
and he finally beats you.
And he’s like, well, fuck that.
I’m not wrestling with my kid ever again.
And in some sense, hacking at its best and its worst
is a kind of game.
And you can get exceptionally good at that kind of game.
And you get the accolades of it.
I mean, there’s power that comes along.
If you have success,
look at the kid that was hacking into Uber
and Rockstar Games.
He put it out there that he was doing it.
I mean, he used the name,
whatever hacked into Uber was his screen name.
He was very proud of it.
I mean, one building evidence against himself.
But he wanted that slap on the back.
Like, look at what a great hacker you are.
Yeah.
What do you think is in the mind of that guy?
What do you think is in the mind of Ross?
Do you think they see themselves as good people?
Do you think they acknowledge
the bad they’re doing onto the world?
So that Uber hacker, I think that’s just youth
not realizing what consequences are,
I mean, based on his actions.
Ross was a little bit older.
I think Ross truly is a libertarian.
He truly had his beliefs that he could provide
the gateway for other people
to live that libertarian lifestyle
and put in their body what they want.
I don’t think that was a front or a lie.
What’s the difference between DPR and Ross?
You said like, I have never met Ross until,
I have only had those two days of worth of interaction.
Yeah.
It’s just interesting given how long you’ve chased him
and then having met him,
what was the difference to you as a human being?
He was a human being.
He was an actual person.
He was nervous when we arrested him.
So one of the things that I learned
through my law enforcement career
is if I’m gonna be the case agent,
I’m gonna be the one in charge of dealing with this person,
I’m not putting handcuffs on him.
Somebody else is gonna do that.
Like, I’m gonna be there to help him.
I’m your conduit to help.
And so right after someone’s arrested,
you obviously have had them down for weapons
to make sure for everybody’s safety,
but then I just put my hand on their chest.
Just feel their heart, feel their breathing.
I’m sure it’s the scariest day,
but then to have that human contact
kind of settles people down.
And you can kind of like, let’s start thinking about this.
I’m gonna tell you, I’m gonna be open and honest with you.
There’s a lot of cops out there and federal agents, cops,
that just go to the hard-ass tactic.
You don’t get very far with that.
You don’t get very far being a mean asshole to somebody.
Be compassionate, be human,
and it’s gonna go a lot further.
So given everything he’s done,
you were still able to have compassion for him?
Yeah, we took him to the jail and we,
so it was after hours,
so he didn’t get to see a judge that day.
So we stuck him in the San Francisco jail.
I hadn’t slept for about four days
because I was dealing with people in Iceland,
bosses in DC, bosses in New York.
So, and I was in San Francisco.
So timeframe, like the Iceland people were calling me
when I was supposed to be sleeping, it was insane.
But I still went out that night
while Ross sat in jail and bought him breakfast.
I said, what do you want for breakfast?
I’ll have a nice breakfast for you.
Because we picked him up in the morning
and took him over to the FBI to do the FBI booking,
the fingerprints and all that.
And I got him breakfast.
I mean, and you don’t get paid back for that sort of thing.
I’m not looking, but out of my own-
Did he make special requests for breakfast?
Yeah, he asked for certain things.
What can you mention?
Is that top secret FBI?
No, that’s not top secret.
I think he wanted some granola bars,
like, and, you know, but I mean,
he already had lawyered up, so we, you know,
which is his right, he can do that.
So I knew we were going to work together,
you know, like I did with Hector.
But I mean, this is the guy’s last day.
Most of the conversations have to be then with lawyers?
From that point on, I can’t question him
when he asked for a lawyer,
or if I did, it couldn’t be used against him.
So we just had conversations where I talked to him.
You know, he could, you know, could say things to me,
but then I have to remind him that he asked for a lawyer
and he’d have to waive that and all that.
But we didn’t talk about his case so much.
We just talked about like human beings.
Did he, with his eyes, with his words,
reveal any kind of regret,
or did you see a human being changing,
understanding something about themselves
in the process of being caught?
No, I don’t think that.
I mean, he did offer me $20 million to let him go
when we were driving to the jail.
Oh, no.
And I asked him what I was going to,
we were going to do with the agent
that sat in the front seat.
The money really broke him, huh?
I think so.
I think he kind of got caught up in how much money it was
and how, you know, when crypto started, it was pennies.
And by the time he got arrested, it was 120 bucks.
And, you know, 177,000 Bitcoins.
Even today, you know, that’s a lot of Bitcoins.
So you really could have been,
if you continued to be one of the richest people
in the world.
I possibly could have been,
if I took that 20 million then.
I could have been living,
we could have this conversation in Venezuela.
In a castle, in a palace.
Yeah, until it runs out
and then the government storms the castle.
Yeah.
Have you talked to Russ since?
No, no.
I would, I’d be open to it.
I don’t think he probably wants to hear from me.
And do you know where, in which prison he is?
I think he’s somewhere out in Arizona.
I know he was in the one next to Supermax
for a little while, like the high security one
that’s like shares the fence with Supermax,
but I don’t think he’s there anymore.
I think he’s out in Arizona.
I haven’t seen in a while.
I wonder if you can do interviews in prison.
That’d be nice.
Some people are allowed to.
So I don’t, I’ve not seen an interview with him.
I know people have wanted to interview him
about books and that sort of thing.
Right, because the story really blew up.
Did it surprise to you how much the story
and many elements of it blew up?
Movies?
It did surprise me.
Like my wife’s uncle, who I didn’t,
I’ve been married to my wife for 22 years now.
I don’t think he knew my name.
And he was excited about that.
He reached out when Silk Road came out.
So he, you know, that was surprising to see.
Did you think the movie on the topic was good?
I didn’t have anything to do with that movie.
I’ve watched it once.
It was kind of cool that Jimmy Simpson, you know,
was my name in the movie, but outside of that,
I thought it sort of missed the mark on some things.
When Hollywood, I don’t think they understand
what’s interesting about these kinds of stories.
And there’s a lot of things that are interesting
and they missed all of them.
So for example, I recently talked to John Carmack,
who’s a world-class developer and so on.
So Hollywood would think that the interesting thing
about John Carmack is some kind of like shitty,
like a parody of a hacker or something like that.
They would show like really crappy,
like emulation of some kind of Linux terminal thing.
The reality is like the technical details
for five hours with him, for 10 hours with him
is what people actually want to see,
even people that don’t program.
They want to see a brilliant mind,
the details that they’re not,
even if they don’t understand all the details,
they want to have an inkling of the genius there.
There’s just one way I’m saying like,
that you want to reveal the genius,
the complexity of that world in interesting ways.
And to make a Hollywood almost parody caricature of it,
it just destroys the spirit of the thing.
So one, the Operation FBI is fascinating,
just tracking down these people
on the cyber security front is fascinating.
The other is just how you run TOR,
how you run this kind of organization,
the trust issues of the different criminal entities involved,
the anonymity, the low-hanging fruit,
the being shitty at certain parts on the technical front,
all of those are fascinating things.
That’s what a movie should reveal.
Should probably be a series, honestly,
a Netflix series than a movie.
Yeah, an FX show or something like that,
kind of gritty.
Yeah, gritty, exactly, gritty.
I mean, shows like Chernobyl from HBO made me realize,
okay, you can do a good job of a difficult story
and reveal the human side,
but also reveal the technical side
and have some deep, profound understanding on that case,
on the bureaucracy of a Soviet regime.
In this case, you could reveal the bureaucracy,
the chaos of a criminal organization,
of a law enforcement organization.
I mean, there’s so much to explore.
It’s fascinating, I don’t know.
Yeah, I like Chernobyl.
Whenever you watch it, I can’t watch episode three, though,
the animal scene, the episode,
they go around shooting all the dogs and all that.
I gotta skip that part.
You’re a big softie, aren’t you?
I really am.
I’m sure I’ll probably cry at some point.
I love it, I love it.
Don’t get me talking about that episode
you made about your grandmother.
Oh my God, that was rough.
Just to linger on this ethical versus legal question,
what do you think about people like Aaron Schwartz?
I don’t know if you’re familiar with him,
but he was somebody who broke the law
in the name of an ethical ideal.
He downloaded and released academic publications
that were behind a paywall,
and he was arrested for that and then committed suicide.
And a lot of people see him, certainly in the MIT community,
but throughout the world as a hero,
because you look at the way knowledge,
scientific knowledge is being put behind paywalls,
it does seem somehow unethical.
And he basically broke the law
to do the ethical thing.
Now, you could challenge it, maybe it is unethical,
but there’s a gray area, and to me, at least, it is ethical.
To me, at least, he is a hero,
because I’m familiar with the paywall
created by the institutions that hold these publications.
They’re adding very little value.
So it is basically holding hostage
the work of millions of brilliant scientists
for some kind of, honestly,
a crappy capitalist institution.
Like, they’re not actually making that much money.
It doesn’t make any sense to me.
It should, to me, it should all be open public access.
There’s no reason it shouldn’t be,
all publications should be.
So he stood for that ideal,
and was punished harshly for it.
That’s the other criticism, was too harshly.
And of course, deeply unfortunately,
that also led to a suicide,
because he was also tormented on many levels.
I mean, are you familiar with him?
What do you think about that line
between what is legal and what is ethical?
So it’s tough, it’s a tough case.
I mean, the outcome was tragic, obviously.
Unfortunately, when you’re in law enforcement,
you have to, your job is to enforce the laws.
I mean, it’s not, if you’re told
that you have to do a certain case,
and there is a violation of, at the time,
18 U.S.C. 1030, computer hacking,
you have to press forward with that.
I mean, you have to charge,
you bring the case to the U.S. Attorney’s office,
and whether they’re gonna press charges or not,
you can’t really pick and choose what you press
and don’t press forward.
I never felt that, at least that flexibility,
not in the FBI, I mean, maybe when you’re a street cop
and you pull somebody over,
you can let them go with a warning.
So in the FBI, you’re sitting in a room,
but you’re also a human being, you have compassion.
You arrested Ross, the hand on the chest.
I mean, that’s a human thing.
Yeah.
So there’s a…
But I can’t be the jury for whether
it was a good hack or a bad hack.
It’s all someone, a victim has come forward
and said, we’re the victim of this.
And I agree with you, because again,
the basis of the internet was to share academic thought.
I mean, that’s where the internet was born.
But it’s not up to you.
So the role of the FBI is to enforce the law.
Correct.
And there’s a limited number of tools
on our Batman belt that we can use.
Not to get into all the aspects of the Trump case
and Mar-a-Lago and the documents there.
I mean, the FBI has so many tools they can use
and a search warrant is the only way they could get in there.
I mean, that’s it.
There’s no other legal document or legal way
to enter and get those documents.
What do you think about the FBI and Mar-a-Lago
and the FBI taking the documents for Donald Trump?
It’s a tough spot.
It’s a really tough spot.
The FBI has gotten a lot of black eyes recently.
And I don’t know if it’s the same FBI
that I remember when I was there.
Do you think they deserve it in part?
Was it done clumsily?
Their raiding of the former president’s residence?
It’s tough.
Because again, they’re only limited
to what they’re legally allowed to do.
And a search warrant is the only legal way of doing it.
I have my personal and political views on certain things.
I think it might be surprising to some
where those political points stand.
But you told me offline that you’re a hardcore communist.
That was very surprising to me.
Well, that’s the only way you tried
to bring me into the Communist Party.
Exactly, I was trying to recruit you.
Giving you all kinds of flyers.
Okay, but you said like,
people in the FBI are just following the law,
but there’s a chain of command and so on.
What do you think about the conspiracy theories
some small number of people inside the FBI conspired
to undermine the presidency of Donald Trump?
If you were to ask me when I was inside
and before all this happened,
I would say it never happened.
I don’t believe in conspiracies.
There’s too many people involved.
Something’s gonna come out with some sort of information.
But I mean, the more the stuff that comes out,
it’s surprising that agents are being fired
because of certain actions that are taken inside
and being dismissed
because of politically motivated actions.
So do you think it’s explicit or just pressure?
Do you think there could exist just pressure
at the higher ups that has a political leaning
and you kind of maybe don’t explicitly order
any kind of thing,
but just kind of pressure people to lean one way
or the other and then create a culture
that leans one way or the other based on political leanings?
You would really, really hope not.
But I mean, that seems to be the narrative
that’s being written.
But when you were operating, you didn’t feel that pressure.
Man, I was such a low level.
I had no aspirations of being a boss.
I wanted to be a case agent my entire life.
So you love the puzzle of it, the chase.
I love solving things, yeah.
To be management and manage people and all that,
no desire whatsoever.
What do you think about Mark Zuckerberg
on Joe Rogan’s podcast saying that the FBI
warned Facebook about potential foreign interference?
And then Facebook inferred from that
that they’re talking about Hunter Biden laptop story
and thereby censored it.
What do you think about that whole story?
Again, you asked me when I was in the FBI,
I wouldn’t believed it from being on the inside
and I wouldn’t believe these things,
but there’s a certain narrative being written
that is surprising to me
that the FBI is involved in these stories.
But the interesting thing there is
the FBI is saying that they didn’t really
make that implication.
They’re saying that there’s interference activity happening.
Just watch out.
And it’s a weird relationship between FBI and Facebook.
You could see from the best possible interpretation
that the FBI just wants Facebook to be aware
because it is a powerful platform,
a platform for viral spread of misinformation.
So in the best possible interpretation of it,
it makes sense for FBI to send some information
saying like, we’re seeing some shady activity.
Absolutely.
But it seems like all of that somehow escalated
to a political interpretation.
I mean, yeah, it sounded like there was a wink wink with it.
That I don’t know if Mark meant for that to be that way.
Again, are we being social engineered
or was that a true expression that Mark had?
And I wonder if the wink wink is direct
or it’s just culture, really?
You know, maybe certain people responsible
on the Facebook side have a certain political lean
and then certain people on the FBI side
have a political lean when they’re interacting together.
And it’s like literally has nothing to do
with a giant conspiracy theory,
but just with a culture that has a particular political lean
during a particular time in history.
And so like maybe it could be Hunter Biden laptop one time
and then it could be whoever,
Donald Trump Jr.’s laptop another time.
It’s a tough job.
I mean, if you’re the liaison,
if you’re the FBI’s liaison to Facebook,
you know, there are certain people
that I’m sure they were offered a position at some point.
It seems, you know, there’s FBI agents that go,
I know of a couple that’s gone to Facebook.
This is a really good agent
that now leads up their child exploitation stuff.
Another squad mate runs their internal investigations,
both great investigators.
So, you know, there’s good money,
especially when you’re an FBI agent
that’s capped out at a, you know, a 1310
or whatever pay scale you’re capped out at.
It’s alluring to be, you know,
maybe want to please them and be asked to join them.
Yeah.
And over time that corrupts.
I think there has to be an introspection
in tech companies about the culture that they develop,
about the political ideology, the bubble.
It’s interesting to see that bubble.
Like I’ve asked myself a lot of questions.
I’ve interviewed the Pfizer CEO,
what seems now a long time ago,
and I’ve gotten a lot of criticism.
The positive comments,
but also criticism from that conversation.
And I did a lot of soul searching
about the kind of bubbles we have in this world.
And it makes me wonder, pharmaceutical companies,
they all believe they’re doing good.
And I wonder, because the ideal they have
is to create drugs that help people and do so at scale.
And it’s hard to know at which point that can be corrupted.
It’s hard to know when it was corrupted
and if it was corrupted and where,
which drugs and which companies and so on.
And I don’t know.
I don’t know that complicated.
It seems like inside a bubble,
you can convince yourself if anything is good.
People inside the Third Reich regime
were able to convince themselves, I’m sure many.
Just Bloodlands, there’s another book
I’ve been recently reading about it.
And the ability of humans to convince they’re doing good
when they’re clearly murdering and torturing people
in front of their eyes is fascinating.
They’re able to convince themselves they’re doing good.
It’s crazy.
Like there’s not even an inkling of doubt.
Yeah, I don’t know what to make of that.
So it has taught me to be a little bit more careful
when I enter into different bubbles
to be skeptical about what’s taken
as an assumption of truth.
Like you always have to be skeptical
about like what’s assumed is true.
Is it possible it’s not true?
You know, if you’re doing,
if you’re talking about America,
it’s assumed that, you know,
in certain places that surveillance is good.
Well, let’s question that assumption.
Yeah, and I also, it inspired me
to question my own assumptions that I hold as true.
Constantly, constantly, it’s tough, it’s tough.
But you don’t grow.
I mean, do you want to be just static and not grow?
You have to question yourself on some of these things
if you want to grow as a person.
Yeah, for sure.
Now, one of the tough things actually
of being a public personality when you speak publicly
is you get attacked all along the way as you’re growing.
And in part, a big softy as well, if I may say.
And those heart, it hurts, it hurts, it hurts.
Do you pay attention to it?
Yeah, yeah, yeah, yeah.
It’s very hard.
Like I have two choices.
One, you can shut yourself off from the world and ignore it.
I never found that compelling,
this kind of idea of like haters gonna hate.
Like this idea that anyone with a big platform
or anyone’s ever done anything
has always gotten hate.
Yeah, okay, maybe.
But like I still want to be vulnerable,
wear my heart on my sleeve, really show myself,
like open myself to the world, really listen to people.
And that means every once in a while,
somebody will say something that touches me
in a way that’s like, what if they’re right?
Do you let that hate influence you?
I mean, can you be bullied into a different opinion
than you think you really are just because of that hate?
No, no, I believe not.
But it hurts in a way that’s hard to explain.
Like, yeah, it just, it gets to like,
it shakes your faith in humanity actually
is probably why it hurts.
Like people that call me a Putin apologist
or a Zelensky apologist,
which I’m currently getting almost an equal amount of,
but it hurts.
It hurts because I,
it hurts because it damages slightly my faith in humanity
to be able to see the love that connects us
and then to see that I’m trying to find that
and that I’m doing my best in the limited capabilities
I have to find that.
And so to call me something like a bad actor,
essentially, from whatever perspective,
it just makes me realize, well,
people don’t have empathy and compassion for each other.
And it makes me question that for a brief moment.
And that’s like a crack and it hurts.
How many people do this to your face?
Very few.
Yeah, it’s online e-muscles, man.
They’re just flexing their e-muscles.
I have to be honest, that, it happens.
Because I’ve hung around with Rogan enough.
When your platform grows,
there’s people that will come up to Joe
and say stuff to his face that they forget.
They still, they forget he’s an actual real human being.
They’ll make accusations about him.
So does that cause him to wall himself off more?
No, he’s pretty gangster on that.
But yeah, it still hurts.
If you’re human, if you really feel others,
I think that’s also the difference with Joe and me.
He has a family that he deeply loves,
and that’s an escape from the world for him.
There’s a loneliness in me that’s,
I’m always longing to connect with people
and with regular people,
just to learn their stories and so on.
And so if you open yourself up that way,
the things they tell you can really hurt in every way.
Like just me going to Ukraine,
just seeing so much loss and death,
some of it is, I mean, unforgettably haunting.
Not in some kind of political way, activist way,
or who’s right, who’s wrong way,
but just like, man, so much pain.
You see it and it just stays with you.
When you see a human being bad to another human,
you can’t get rid of that in your head.
You can’t imagine that we can treat each other like that.
That’s the hard part, I think.
I mean, for me it is.
When I saw parents,
like when I did the child exploitation stuff,
when they rented their children out,
they literally rented infant children out
to others for sexual gratification.
Like, I don’t know how a human being
could do that to another human being.
And that sounds like the kind of thing you’re going through.
I mean, I went through a huge funk
when I did those cases afterwards.
I should have talked to somebody,
but in the FBI, you have to keep that machismo up
or they’re gonna take your gun away from you.
Well, I think that’s examples of evil
that that’s like the worst of human nature,
but just because I have-
War is just as bad, I mean.
Somehow war, it’s somehow understandable
given all the very intense propaganda that’s happening.
So you can understand that there is love
in the heart of the soldiers on each side
given the information they’re given.
There’s a lot of people on the Russian side
believe they’re saving these Ukrainian cities
from Nazi occupation.
Now, there is stories,
there is a lot of evidence of people
for fun murdering civilians.
Now, that is closer to the things you’ve experienced
of like evil, of evil embodied.
And I haven’t interacted with that directly
with people who for fun murdered civilians.
But you know it’s there in the world.
I mean, you’re not naive to it.
Yes, but if you experience that directly,
if somebody shot somebody for fun in front of me,
that would probably break me, yeah.
Like seeing it yourself, knowing that it exists
is different than seeing it yourself.
Now, I’ve interacted with the victims of that
and they tell me stories
and you see their homes destroyed,
destroyed for no good military reason.
It’s civilians with civilian homes being destroyed.
That really lingers with you.
But yeah, the people that are capable of that.
That goes with the propaganda.
I mean, if you were to build a story,
you have to have on the other side,
the homes are gonna be destroyed,
the non-military targets are gonna be destroyed.
To put it in perspective,
I’m not sure a lot of people understand
the deep human side
or even the military strategy side of this war.
There’s a lot of experts outside of the situation
that are commenting on it with certainty.
And that kind of hurts me
because I feel like there’s a lot of uncertainty.
There’s so much propaganda,
it’s very difficult to know what is true.
Yeah, so my whole hope was to travel to Ukraine,
to travel to Russia, to talk to soldiers,
to talk to leaders, to talk to real people
that have lost homes, that have lost family members,
that who this war has divided,
who this war changed completely how they see the world.
Whether they have love or hate in their heart
to understand their stories.
I’ve learned a lot on the human side of things
by having talked to a lot of people there.
But it has been on the Ukrainian side for me currently.
Traveling to the Russian side is more difficult.
Let me ask you about your now friend.
Can we go as far as to say his friend in Sabu,
Hector Maseguer.
What’s the story?
What’s your long story with him?
Can you tell me about what is LALSEC?
Who is Sabu?
And who’s Anonymous?
What is Anonymous?
Where’s the right place to start that story?
Probably Anonymous.
Anonymous was a, it still is, I guess,
a decentralized organization.
They call themselves Headless,
but once you look into them a little ways,
they’re not really Headless.
The power struggle comes with whoever has a hacking ability.
That might be you’re a good hacker
or you have a giant botnet used for DDoS.
So you’re gonna wield more power
if you can control where it goes.
Anonymous started doing their hacktivism stuff
in 2010 or so.
The word hack was in the media all the time then.
And then right around then,
there was a federal contractor named HBGary Federal.
Their CEO is Aaron Barr.
And Aaron Barr said he was gonna come out
and de-anonymize Anonymous.
He’s gonna come out and talk at Black Hat
or Defcon or one of those and say who they are.
He figured it out by based on when people were online,
when people were in IRC, when tweets came out.
There was no scientific proof behind it or anything.
So he was just gonna falsely name people
that were in Anonymous.
So Anonymous went on the attack.
They went and hacked in HBGary Federal
and they turned his life upside down.
They took over his Twitter account
and all that stuff pretty quickly.
I have very mixed feelings about all of this.
Okay.
Yet, a part of me
admires the positive side of the hacktivism.
Okay.
Is there no room for admiration there
of the fuck you to the man?
Not at the time.
Again, it was a violation.
The 18 USC 1030.
So it was my job.
It’s what I, you know.
So at the time, no.
In retrospect, sure.
Yeah.
But what was the philosophy of the hacktivism?
Philosophically, were they at least expressing it
for the good of humanity or no?
They outwardly said that they were gonna go after people
that they thought were corrupt.
So they were judge and jury on corruption.
They were gonna go after it.
Once you get inside and realize what they were doing,
they were going after people
that they had an opportunity to go after.
So maybe someone had a zero day
and then they searched for servers running that zero day.
And then from there, let’s find a target.
I mean, one time they went after a toilet paper company.
I still don’t understand what that toilet paper company did
but it was an opportunity to make a splash.
Is there some, some way for the joke, for the lulls?
It developed into that.
So I think the hacktivism
and the anonymous stuff wasn’t so much for the lulls
but from that HP Gary federal hack,
then there were six guys that worked well together
and they formed a crew, a hacking crew.
And they kind of split off into their own private channels.
And that was lull sack or laughing at your security
was their motto.
So that’s L-U-L-Z-S-E-C, lulls sack.
Of course it is.
Lulls sack.
And who founded that organization?
So Kayla and Sabu were the hackers of the group.
And so they really did all the work on HP Gary.
So these are code names.
Yeah, it’s their online names.
They’re, they’re, they’re Knicks.
And so, you know, they, they,
and they, that’s all they knew each other as, you know
they talked as, as those names and they worked well together.
And so they, they formed a hacking crew
and that’s when they started the, the,
at first they didn’t name it this
but it was the 50 days of lulls
where they would just release major, major breaches.
And it stirred up the media.
I mean, it put hacking in on, in the media every day.
They had 400 or 500,000 Twitter followers.
You know, and it was kind of interesting
but then they started swinging at the beehive
and they, they, they took out some FBI affiliated sites
and then they started a fuck FBI Fridays
where every, every Friday they would release something.
And we waited it for with bated breath.
I mean, they had us hook, line and sinker pissed.
We were waiting to see what was going to be dropped
every Friday.
It was, it’s a little embarrassing looking back on it now.
And this is in the early 2010s.
Yeah, this was 2010, 2011 around there.
You actually linger on anonymous.
What, do you still understand what the heck is anonymous?
It’s just a place where you hang out.
I mean, it’s just, it started on 4chan, went to 8chan
and then it’s really just anyone.
You can be an anonymous right now if you wanted to.
Just, you’re in there hanging out in the channel.
Now you’re probably not going to get much cred
until you work your way up and prove who you are
or someone vouches for you.
But anybody can be an anonymous.
Anybody can leave anonymous.
What’s the leadership of anonymous?
Do you have a sense that there is a leadership?
There’s a power play.
Now, is that someone that says this is what we’re doing?
No, we’re doing.
I love the philosophical and the technical aspect
of all of this.
But I think there is a slippery slope
to where for the lulls, you can actually really hurt people.
That’s the terrifying thing.
When you attach, I’m actually really terrified
of the power of the lull.
It’s the fun thing somehow becomes a slippery slope.
I haven’t quite understood the dynamics of that.
But even in myself, if you just have fun with a thing,
you lose track of the ethical grounding of the thing.
And so like, it feels like hacking for fun
can just turn it, like literally lead to nuclear war.
Like literally destabilize.
Yeah, yada, yada, yada, nuclear war.
I could see it, yeah.
So I’ve been more careful with the lull.
Yeah, I’ve been more careful about that.
And I wonder about it because in internet speak,
somehow ethics can be put aside
through the slippery slope of language.
I don’t know, everything becomes a joke.
If everything’s a joke, then everything’s allowed
and everything’s allowed.
Then you don’t have a sense of what is right and wrong.
You lose sense of what is right and wrong.
You still have victims.
I mean, you’re laughing at someone.
Someone’s the butt of this joke.
Whether it’s major corporations or the individuals,
I mean, some of the stuff they did was just
releasing people’s PII, their personal identifying
information and stuff like that.
I mean, is it a big deal?
I don’t know, maybe, maybe not.
But if you could choose to not have your information
put out there, probably wouldn’t.
We do have a sense of what anonymous is today.
Has it ever been one stable organization
or is it a collection of hackers that kind of emerge
for particular tasks, for particular,
like, hacktivism tasks and that kind of stuff?
It’s a collection of people that has some hackers in it.
There’s not a lot of big hackers in it.
I mean, there’s some that’ll come bounce in and bounce out.
Even back then, there was probably just as many
reporters in it, people in the media in it,
with the hackers at the time,
just trying to get the inside scoop on things.
You know, some giving the inside scoop.
You know, we arrested a reporter that gave over
the username and password to his newspaper.
And, you know, just so he could break the story.
He trusted him.
Speaking of trust, reporters, boy, there’s good ones.
There’s good ones.
There are.
There are.
But boy, do I have a complicated relationship with them.
How many stories about you are completely true?
You can just make stuff up on the internet.
And one of the things that, I mean,
there’s so many fascinating psychological,
sociological elements of the internet to me.
One of them is that you can say that Lex is a lizard, right?
And if it’s not funny, so lizard is kind of funny.
What should we say?
Lex has admitted to being an agent of the FBI, okay?
You can just say that, right?
And then the response that the internet would be like,
oh, is that true?
I didn’t realize that.
They won’t go like, provide evidence, please, right?
They’ll just say like, oh, that’s weird.
I didn’t, I kind of thought he might be kind of weird.
And then it piles on.
It’s like, hey, hey, hey, guys.
Like, here’s a random dude on the internet
just said a random thing.
You can’t just like pile up as, and then.
Yeah, Johnny6969 is now a source that says.
And then the thing is, I’m a tiny guy,
but when it grows, if you have a big platform,
I feel like newspapers will pick that up
and then they’ll start to build on a story
and you never know where that story really started.
It’s so cool.
I mean, to me, actually, honestly, it’s kind of cool
that there’s a viral nature of the internet
that can just fabricate truth completely.
I think we have to accept that new reality
and try to deal with it somehow.
You can’t just complain that Johnny69
can start a random thing,
but I think in the best possible world,
it is the role of the journalist
to be the adult in the room and put a stop to it
versus look for the sexiest story
so that there could be clickbait that can generate money.
Journalism should be about sort of slowing things down,
thinking deeply through what is true or not
and showing that to the world.
I think there’s a lot of hunger for that.
And I think that would actually get
the most clicks in the end.
I mean, it’s that same pressure
I think we’re talking about with the FBI
and with the tech companies about Controllers.
I mean, the editors have to please and get those clicks.
I mean, they’re measured by those clicks.
So I’m sure the journalists, the true journalists,
the good ones out there want that,
but they want to stay employed too.
Can I actually ask you really as another tangent,
the Jared and others, they’re doing undercover.
In terms of the tools you have
for catching cybersecurity criminals,
how much of it is undercover?
Undercover is a high bar to jump over.
You have to do a lot to start an undercover in the FBI.
There’s a lot of thresholds.
So it’s not your first investigative tool step.
You have to identify a problem
and then show that the lower steps can’t get you there.
But I mean, I think we had an undercover
going on in the squad about all times.
When one was being shut down or taken down,
we were spinning up another one.
So it’s a good tool to have and utilize.
They’re a lot of work.
I don’t think if you run one,
you’ll never run another one in your life.
Oh, so it’s like psychologically,
there’s a lot of work just technically,
but also psychologically, like you have to really-
It’s 24 seven, you’re inside that world.
Like you have to know what’s going on and what’s happening.
You’re taking on,
you have to remember who you are
when you’re, because you’re a criminal online.
You have to go to a special school for it too.
Was that ever something compelling to you?
I went through the school,
but I’m a pretty open and honest guy.
And so it’s tough for me to build that wall of lies.
Maybe I’m just not smart enough
to keep all the lies straight.
Yeah, but a guy who’s good at building up a wall of lies
would say that exact same thing.
Exactly.
It’s so annoying the way truth works in this world.
It’s like, people have told me,
because I’m trying to be honest and transparent,
that’s exactly what an agent would do, right?
But I feel like an agent would not wear a suit and tie.
I wore a suit and tie every day.
I was a suit and tie guy.
You were?
Yeah, every day.
I remember one time I wore shorts in and the SAC came in.
And this was when I was a rockstar at the time in the bureau
and I had shorts in and I said,
sorry, ma’am, I apologize for my attire.
And she goes, you can wear bike shorts in here.
I was like, oh, shit, that sounds nice.
I never wore the bike shorts, but.
Yeah.
But see, I don’t see a suit and tie as constraining.
I think it’s liberating in sorts.
It’s like, shows that you’re taking the moment seriously.
Well, not just that, people wanted it.
I mean, people expected when you’re not,
you are dressed like a perfect FBI agent.
When someone knocks on their door,
that’s what they want to see.
They want to see what Hollywood built up
is what an FBI agent is.
You show up like my friend, Il-Won.
He was dressed always in t-shirts and shorts.
People aren’t going to take him serious.
They’re not going to give him what they want.
I wonder how many police that can just show up
and say I’m from the FBI and start interrogating them.
Like at a bar.
Probably.
Definitely, if they’ve had a few drinks, you can definitely.
Well, but people are going to recognize you.
That’s the only problem.
That’s another thing.
You start taking out big cases.
You can’t work cases anymore in the FBI.
Your face gets out there.
Your name, too.
Well, actually, let me ask you about that
before we return to our friend, Sabu.
Okay.
You’ve tracked and worked on
some of the most dangerous people in this world.
Have you ever feared for your life?
So I had to make a really, really
shitty phone call one time.
I was sitting in the bureau,
and this was right after Silk Road,
and Jared called me.
He was back in Chicago.
And he called me and said, hey,
your name and your kid’s name
are on a website for an assassination.
They’re paying to have you guys killed.
Now, these things happen on the black market.
They come up, and people debate
whether they’re real or not.
But we have to take it serious.
Someone’s paying to have me killed.
So I had to call my wife, and we had a word,
in that if I said this word,
and we only said it one time to each other,
if I said this word, this is serious.
Drop what you’re doing and get to the kids.
And so I had to drop the word to her.
And I could feel the breath come out of her,
because she thought her kids were in danger,
at the time they were.
I wasn’t in a state of mind to drive myself.
So an agent on the squad, a girl named Evelina,
she drove me, lights and sirens
all the way to my kid’s school.
And we had locked, I called the school.
We were in a lockdown.
Nobody should get in or out,
especially someone with a gun.
The first thing they did
was let me in the building with a gun.
So I was a little disappointed with that.
My kids were, I think, kindergarten and fifth grade
or somewhere around there.
Maybe they’re closer, second year, I’m not sure where.
But all hell broke loose.
And we had to, from there, go move into a safe house.
I live in New York City.
NYPD surrounded my house.
The FBI put cameras outside my house.
You couldn’t drive in my neighborhood
without your license plate being read.
Hey, why is this person here?
Why is that person there?
I got to watch my house on an iPad
while I sat at my desk.
But again, I put my family through that
and it scared the shit out of them.
And that’s, to be honest,
I think that’s sort of my mother-in-law’s words
were, I thought you did cybercrime.
And because during Silk Road,
I didn’t tell my family what I was working on.
I’ll talk about that.
I want to escape that.
I don’t want to be there.
I remember that like, so when I was in the FBI,
like driving in, I used to go in at 4.30 every morning
because I like to go to the gym
before I go to the desk.
So I’d be at the desk at seven.
So in the gym at five, a couple hours, and then go.
The best time I had was that drive-in in the morning
where I could just be myself.
I listened to a sports podcast out of DC.
And we talked about sports and the Nationals
and whatever it was, the Capitals.
It was great to not think about Silk Road for 10 minutes.
So, but that was my best time.
But yeah, again, so yeah.
I’ve had that move into the safe house.
I left my MP5 at home.
That’s the Bureau’s machine gun.
Showed my wife to just pull and spray, so.
But how often did you live or work and live with fear
in your heart?
It was only that time.
I mean, for actual physical security,
then, I mean, after the anonymous stuff,
I really tightened down to my cybersecurity.
I don’t have social media.
I don’t have pictures of me and my kids online.
I don’t really, if I go to a wedding or something,
I say, I don’t take my picture with my kids,
if you’re gonna post it someplace or something like that.
So that sort of security I have.
But just like everybody, you start to relax a little bit
and security breaks down, because it’s not convenient.
But it’s also part of your job.
So you’re much better at, I mean, your job now
and your job before, so you’re probably much better
taking care of the low-hanging fruit, at least.
I understand the threat,
and I think that’s what a lot of people don’t understand,
is understanding what the threat against them is.
So I’m aware of that and what possibly,
and I think about it, I think about things.
I do remember, so you tripped a memory in my mind.
I remember a lot of times, and I had a gun on my hip,
I still carry a gun to this day,
opening my front door and being concerned
what was on the other side, walking out of the house,
because I couldn’t see it.
I remember those four o’clocks, heading to the car.
I was literally scared.
Yeah.
I mean, having seen some of the things you’ve seen,
it makes you perhaps question
how much evil there is out there in the world,
how many dangerous people there are out there,
crazy people, even.
There’s a lot of crazy, there’s a lot of evil.
Most people, I think, get into cybercrime
or just opportunistic, not necessarily evil.
They don’t really know, maybe think about the victim,
they just do it as a crime of opportunity.
I don’t label that as evil.
And one of the things about America
that I’m also very happy about
is that rule of law, despite everything we talk about,
there is, it’s tough to be a criminal in the United States.
So if you walk outside your house,
you’re much safer than you are
in most other places in the world.
You’re safer and the system’s tougher.
I mean, LulzSec, six guys, one guy in the United States,
five guys other places.
Hector was facing 125 years.
Those guys got slaps on the wrist
and went back to college.
You know, different laws, different places.
So who’s Hector?
Tell me the story of Hector.
So this LulzSec organization was started.
So Hector was before that, he was in part anonymous.
He was doing all kinds of hacking stuff,
but then he launched LulzSec.
He’s an old school hacker.
I mean, he learned how to hack,
and I don’t wanna tell his story,
but he learned to hack because he grew up
in the Lower East Side of New York
and picked up some NYPD computers
that were left on the sidewalk for trash.
Taught himself how to-
He doesn’t exactly look like a hacker.
For people who don’t know, he looks,
I don’t know exactly what he looks like,
but not like a technical, not what you would imagine.
But perhaps that’s a Hollywood portrayal.
Yeah, I think you get in trouble these days
saying what a hacker looks like.
I don’t know if they have a traditional look.
Just like I said, Hollywood has an idea,
what an FBI looks like.
I don’t think you can do that anymore.
I don’t think you can say that anymore.
Well, he certainly has a big personality
and charisma and all that kind of stuff.
That’s Sabu.
I can see him selling me anything.
That’s Sabu.
That’s convincing me of anything.
Two different people.
There’s Sabu and there’s Hector.
Hector is a sweet guy.
He likes to have intellectual conversations,
and that’s just his thing.
He’d rather just sit there
and have a one-on-one conversation with you.
But Sabu, that’s a ruthless motherfucker.
And you first met Sabu?
I was tracking Sabu.
That’s all I knew was Sabu.
I didn’t know Hector.
And so when did your paths cross in terms of tracking?
When did you first take on the case?
The spring of 11.
So it was through Anonymous.
Through Anonymous, and really kind of LulzSec.
LulzSec was a big thing,
and it was pushed out to all the cyber,
56 field offices in the FBI.
Most of them have cyber squads or cyber units.
And so it was being pushed out there,
and it was in the news every day,
but it really wasn’t ours.
So we didn’t have a lot of victims
in our AOR area of responsibility.
And so we just kind of pay attention to it.
Then I got a tip that a local hacker in New York
had broken into AOL.
And so Olivia Olsen and I,
she’s another agent who she’s still in.
She’s a supervisor out in LA.
She’s a great agent.
We went all around New York looking for this kid
just to see what we can find,
and ended up out in Staten Island at his grandmother’s house.
She didn’t know where he was, obviously.
Why would she?
But I left my card.
He gave me a call that night and started talking to me.
And I said, let’s just meet up tomorrow
at the McDonald’s across from 26 Fed.
And he came in and three of us sat there and talked
and gave me his stuff.
He started telling me about the felonies
he was committing those days, including that break into AOL.
And then he finally says, you know, I can give you Sabu.
Sabu to us was the Kaiser Source of Hacking.
He was our guy.
He was the guy that was in the news
that was pissing us off.
So he was part of the FBI Fridays?
Sabu was, yeah.
Oh, he led it.
Yeah, he was the leader of fuck FBI Fridays.
So yeah.
What was one of the more memorable F, the triple Fs?
I said, what, how do you get,
why, how and why do you go after the beehive?
That’s kind of intense.
You get you on the news.
It gets you, it’s the lulls.
It’s funnier to go after the big ones.
You know, and they weren’t getting like real FBI.
They weren’t breaking into FBI mainframes or anything,
but they, you know, they were, you know,
affiliate sites or anything that had to do,
a lot of law enforcement stuff was coming out.
So, but, you know, we looked back.
And so if this kid knew that Sabu,
maybe there was a chance we’d use him to lure Sabu out.
But we also said, well,
maybe this kid knows Sabu in real life.
And so we went and looked through the IPs
and 10 million IPs, we find one and it belonged to him.
And so that day Sabu, someone had doxxed Sabu
and we were a little afraid he was gonna be on the run.
We had a surveillance team
and FBI surveillance teams are awesome.
Like you can not even tell their FBI agents.
They are really that good.
I mean, there’s baby strollers and all,
whatever you wouldn’t expect an FBI agent to have.
So that’s a little like the movies.
A little bit, yeah.
I mean, it is true, but they fit into the area.
So now they’re on the Lower East Side,
which is, you know, a baby stroller
might not fit in there as well as, you know,
somebody just laying on the ground or something like that.
They really get plenty of the character and get into it.
So now I can never trust a baby stroller again.
Well, probably shouldn’t.
Every baby, I’m just like, look at,
stare at them suspiciously.
Especially if the mom’s wearing cargo pants
while she pushes it, so.
Yeah, so if it’s like a very stereotypical mom,
a stereotypical baby, I’m gonna be very suspicious.
I’m gonna question the baby.
That baby’s wired, be careful.
You know, we raced out there
and like our squad’s not even full.
There’s only a few guys there.
And like I said, I was a suit guy,
but that day I had shorts and a t-shirt on.
I had a white t-shirt on and I only bring it up
because Sabu makes fun of me to this day.
So I had a bulletproof vest and a white t-shirt on
and that was it.
I had shorts too and all that,
but raced over to there.
We didn’t have any equipment.
We brought our boss’s boss’s boss.
He stopped off at NYPD, got us like a ballistic shield
and a battery ram if we needed it.
And then we get to Hector’s house, Sabu’s house,
and he’s on the sixth floor.
And so normally, you know, we’re the cyber dork squad.
We’ll hop in the elevator.
Sixth floor is a long ways to go up
and bulletproof vest and a ballistic shield.
But we had been caught in an elevator before on a search.
So we didn’t, took the stairs.
We get to the top, a tad winded,
but knocking the door and this big towering guy
opens the door just slightly.
And he sees the green vest with big yellow letters FBI
and he steps outside.
Can I help you?
You know, tries to social engineer us.
But eventually we get our way inside the house.
You know, I noticed a few things that are kind of
out of place.
There’s a laptop charger and a flashing modem.
And I said, well, do you have a computer here?
And he says, no, there’s no computer here.
So we knew the truce and then the half lies
and all that sort of thing.
So it took us about another two hours
and finally gave up that he was Sabu.
He was the guy we were looking for.
So we sat there and we kind of showed him
sort of the evidence we had against him.
And, you know, from his words,
we sat there and talked like two grown adults.
And, you know, I gave him the options and he said,
well, let’s talk about working together.
So he chose to become an informant.
I don’t think he chose that night,
but that’s where it kind of went to.
So then we brought him down to the FBI that night,
which was, it was a funny trip
because I’m sitting in the back seat of the car with him.
And I was getting calls from all over the US
from different FBI agents saying
that we arrested the wrong guy.
And I was like, I don’t think so.
And they’re like, why do you think so?
I was like, because he says it’s him.
And they still said, no, it’s the wrong guy.
So I said, well, we’ll see how it plays out.
That’s so interesting because it’s such a strange world.
Such a strange world because it’s tough to,
because you still have to prove it’s the same guy, right?
Because the anonymity.
Yeah, I mean, we had his laptop by that point.
Yeah, I know.
Him saying, that helped.
I gave him a clue in my world.
Yeah, yeah.
But yeah, if he would have fought it,
I mean, that definitely would have come in as evidence
that other FBI agents are saying it’s not him.
You have to disclose that stuff.
So you had a lot of stuff on him.
What was he facing if-
He was facing 125 years.
125 years in prison.
That’s, now that’s if you took every charge
we had against him and put them consecutively.
No, no one ever gets charged with that.
But yeah, essentially it would have been 125 years.
You know, fast forward to the end,
he got thanked by the judge for his service
after nine months.
And he walked out of the court a free man.
But that’s while being an informant.
Yes.
Well, so the word informant here really isn’t that good.
It’s not fitting that technically,
I guess that’s what he was,
but he didn’t know the other people.
It was all anonymous.
He knew Nix and all that.
He really gave us the insight
of what was happening in the hacker world.
Like I said, he was an old school hacker.
He was back when hackers didn’t work together
with anonymous.
You know, he was down, you know,
Cult of Dead Cow and those type guys, like way back.
And he was around for that.
He’s like an encyclopedia of hacking.
But, you know, we just-
Like Kiss Prime was in the nineties.
For terror hack.
But yeah, he kind of came back
when anonymous started going after MasterCard and PayPal
and all that, do the WikiLeaks stuff.
But even that little interaction, being an informant,
he probably made a lot of enemies.
How do you protect a guy like that?
He made enemies after it was revealed?
Yeah.
How does the FBI protect him?
Good luck.
I mean, perhaps I’ll talk to him one day,
but is that guy afraid for his life?
I, again, I think-
He doesn’t seem like it.
He has very good security for himself, cyber security.
But, you know, yeah,
he doesn’t like the negative things said about him online.
I don’t think anybody does.
But, you know, I think it’s so many years
of the internet kind of bitching at you and all that,
you get calloused.
It’s just internet bitching.
And also the hacking world moves on very quickly.
He has kind of, they have their own wars to fight now,
and he’s not part of those wars anymore.
There’s still people out there that bitch and moan about him,
but yeah, I think it’s less.
I think, you know, and he has a good message out there
of, you know, trying to keep kids
from making the same mistakes he made.
He tries to really preach that.
How do people get into this line of work?
Is there all kinds of ways being,
not your line of work, his line of work,
just all the stories you’ve seen of people
that are in Anonymous and LulzSec and Silk Road
and all the cyber criminals you’ve interacted with.
What’s the profile of a cyber criminal?
I don’t think there’s a profile anymore.
You know, I used to be able to say, you know,
the kid in your mom’s basement or something like that,
but it’s not true anymore.
You know, like, it’s wide.
It’s like, I’ve arrested people
that you wouldn’t expect would be cyber criminals.
And it’s in the United States, it’s international,
it’s everything?
Oh, it’s international.
I mean, we’re seeing a lot of the big hackers now,
the big arrests for hackers in England, surprisingly.
You know, there’s, you know,
you’re not gonna see there’s a lot of good hackers
like down in Brazil,
but I don’t think Brazil law enforcement
is as good at hunting them down.
So you’re not gonna see the big arrests.
How much state-sponsored cyber attacks
are there, do you think?
More than you can imagine.
And what do you wanna say, an attack?
Was it a successful attack or just a probing?
Probing for information, just like feeling, you know,
testing that there’s where the attack factors are,
trying to collect all the possible attack factors.
Put a Windows 7 machine on the internet,
forward face it, and put a packet sniffer on there,
and look at where the driver comes from.
I mean, in 24 hours,
you were gonna fill up a hard drive with packets
just coming at it.
Yeah.
I mean, it’s not hard to know.
I mean, it’s just constantly probing
for entry points into things, you know.
You could go mad putting up Honeypot,
draws in intrusions,
try to see what methodologies.
Just to see what’s out there.
Yeah, and it doesn’t go anywhere.
It maybe has fake information and stuff like that.
You know, it’s kind of to see what’s going on
and judge what’s happening on the internet.
You know, lick your finger and test the wind
of what’s happening these days.
The funny thing about, like, because I’m at MIT,
that attracted even more attention for the,
not for the lulz, but for the technical challenge.
It seems like people enjoy hacking MIT.
Just the amount of traffic MIT was getting for that,
in terms of just the sheer number of attacks
from different places, it’s crazy.
Yeah, just like that.
Putting up a machine, seeing what comes.
NASA used to be the golden ring.
Now everybody got NASA.
That was like the early 90s.
If you could hack NASA, that was the,
now, yeah, MIT is a big one.
Yeah, it’s fun.
It’s fun to see.
Respect.
Because I think in that case,
it comes from a somewhat good place.
Because, you know, they’re not getting any money from MIT.
It’s more for the challenge.
Let me ask you about that,
about this world of cybersecurity.
How big of a threat are cyber attacks
for companies and for individuals?
Like, let’s lay out, where are we in this world?
What’s out there?
It’s the wild, wild west.
And it’s, I mean,
people want the idea of security, but it’s inconvenient,
so they don’t, they push back on it.
And there are a lot of opportunistic,
nation state, financially motivated hackers,
hackers for the lulz.
You got three different tiers there.
And they’re on the prowl.
They have tools, they have really good tools
that are being used against us.
And at what scale?
So when you’re thinking of,
I don’t know what’s, let’s talk about companies first.
So say you’re talking to a mid-tier.
I wonder what the most interesting business is.
So Google, we can look at large tech companies,
or we can look at medium-sized tech companies.
And like, you are sitting in a room with a CTO,
with a CEO, and the question is, how fucked are we?
And what should we do?
What’s the low-hanging fruit?
What are the different strategies
and those companies should consider?
I mean, the problem is they want a push button.
They want a out-of-the-box solution that I’m secure.
They want to tell people they’re secure, but-
And that’s very challenging to have.
It’s impossible.
But if I could, if someone had it,
they’d be a billionaire.
They’d be beyond a billionaire,
because that’s what everybody wants.
You know, you can buy all the tools you want.
It’s configuring them the proper way.
And if anyone’s trying to tell you
that there’s one solution that fits all,
they’re staying whole salesmen.
And there’s a lot of people in cybersecurity
that are staying whole salesmen.
Yeah, and I feel like there’s tools,
if they’re not configured correctly,
they just introduce,
they don’t increase security significantly,
and they introduce a lot of pain for the people.
They decrease efficiency of the actual work you have to do.
So like, we had, I was at Google for a time,
and I think mostly I want to give props
to their security efforts, but user data,
so like data that belongs to users,
is like the holy, like the amount of security they have
around that is incredible.
So most, any time I had to work with
anything even resembling user data,
so I never got a chance to work with actual user data,
anything resembling that,
first of all, you have no access to the internet.
It’s impossible to even come close
to the access to the internet.
And there’s so much pain to actually,
like, interact with that data.
Where, I mean, it was extremely inefficient.
In places where I thought
it didn’t have to be that inefficient,
the security was too much.
But I have to give respect to that,
in that case, you want to err on the side of security.
But that’s Google, they were doing a good job of this.
The reputational harm, if it got out,
I mean, Google, why is Google drive-free?
Because they want your data.
They want you to park your data there.
So if they got hacked or leaked information,
the reputational harm would be tremendous.
But for a company that’s not,
it’s really hard to do that, right?
And the company’s not as big as Google
or not as tech-savvy as Google,
might have a lot of trouble with doing that kind of stuff.
Instead of increasing security,
they’ll just decrease the efficiency.
Well, yeah, so there’s a big difference
between IT and security.
And unfortunately, these mid-side companies,
they try to stack security into their IT department.
Your IT department is about business continuity.
They’re about trying to move business forward.
They want users to get the data they need
to do their job so the company can grow.
Security is not that.
They don’t want you to get the data.
But there’s fine-tuning you can do to ensure that.
I mean, as simple as having good onboarding procedures
for employees.
Like, you come into my company,
you don’t need access to everything.
Maybe you need access to something for one day.
Turn the access on, don’t leave it on.
I mean, I was the victim of the OPM hack,
the Office of Personal Management,
because old credentials from a third-party vendor
were sitting there inactive.
And the Chinese government found those credentials
and were able to log in and steal all my information.
So a lot could be helped if you just control
the credentials, the access, the access control,
how long they last.
And people who need access to a certain thing
only get access to that thing and nothing else.
And then it just gets refreshed like that.
Access control, like we said,
setting up people, leaving the company,
get rid of their, they don’t need control.
Two-factor authentication, that’s a big thing.
I mean, I sound like a broken record
because this isn’t anything new.
This isn’t rocket science.
The problem is we’re not implementing it.
If we are, we’re not doing it correctly
because these guys are taking us.
Well, two-factor authentication is a good example
of something that I just was annoyed by
for the longest time.
Because yes, it’s very good,
but it seems that it’s pretty easy to implement horribly
to where it’s like it’s not convenient at all
for the legitimate user to use.
It should be trivial to do,
like to authenticate yourself twice should be super easy.
If security, if it’s slightly inconvenient for you,
it’s thinking about how inconvenient it is for a hacker
and how they’re just gonna move on to the next person.
Yes, yes, in theory, when implemented extremely well.
But I just don’t think so.
I think actually if it’s inconvenient,
it shows that system hasn’t been thought through a lot.
Do you know why we need two-factor authentication?
People using the same password across the same site.
So when one site is compromised,
people just take that username and password,
it’s called credential stuffing
and just stuff it across the internet.
So if 10 years ago when we told everybody,
don’t use the same fucking password across the internet,
across vulnerable sites,
maybe two-factor wouldn’t be needed.
Yeah, so you wouldn’t need two-factor
if everyone did a good job with passwords.
Yeah.
Right, but I’m saying like the two-factor authentication,
it should be super easy to authenticate myself
with some other device really quickly.
Like it should be frictionless.
Like you just hit okay?
Okay, and anything that belongs to me, yeah.
And it should, very importantly,
be easy to set up what belongs to me.
I don’t know the full complexity
of the cyber attacks these platforms are under.
They’re probably under insane amount of attacks.
You’ve got it right there.
People have no idea, these large companies,
how often they’re attacked on a per second basis.
And they have to fight all that off
and pick out the good traffic in there.
So yeah, there’s no way I’d wanna run a large tech company.
Well, what about protecting individuals?
For individuals, what’s good advice
for to try to protect yourself
from this increasingly dangerous world of cyber attacks?
Again, educate yourself that you understand
that there is a threat.
First, you have to realize that.
Then you’re gonna step up
and you’re gonna do stuff a little bit more.
Sometimes, I guess, I think I take that
to a little bit extreme.
I remember one time my mom called me
and she was screaming that I woke up this morning
and I just clicked on a link
and now my phone is making weird noises.
And I was like, throw your phone in a glass of water.
Just put it in a glass of water right now.
And I made my mom cry.
It was not a pleasant thing.
So sometimes I go to a little extremes on those ones.
But understanding there’s a risk
and making it a little bit more difficult
to become a victim.
I mean, just understanding certain things.
Simple things like, as we add more internet of the things
to people’s houses, I mean,
how many Wi-Fi networks do people have?
It’s normally just one.
And you’re bumping your phones
and giving your password to people who come to visit.
Set up a guest network.
Set up something you can change every 30 days.
Simple little things like that.
I hate to remind you, but change your passwords.
I mean, I feel like I’m a broken record again.
But just make it more difficult for others to victimize you.
And then don’t use the same password everywhere.
That, yes.
I mean-
I still know people that do that.
I mean, ask.fm got popped last week, two weeks ago.
And that’s 350 million username and passwords
with connected Twitter accounts, Google accounts,
all the different social media accounts.
That is a treasure trove for the next two and a half,
three years of just using those credentials everywhere.
Using, you’ll learn, even if it’s not the right password,
you’ll learn people’s password styles.
Bad guys are making portfolios out of people.
We’re figuring out how people generate their passwords
and kind of figuring,
and then it’s easier to crack their password.
We’re making a dossier on each person.
It’s 350 million dossiers just in that one hack.
Yahoo, there was half a billion.
So the thing a hacker would do with that
is try to find all the low-hanging fruit,
like have some kind of program that,
yeah, evaluates the strength of the passwords,
and then finds the weak ones.
And that means that this person
is probably the kind of person
that would use the same password across multiple.
Or even just write a program and do that.
Remember the Ring hack a couple of years ago?
That’s all it was, it was credential stuffing.
So Ring, the security system by default,
had two-factor, but didn’t turn it on.
And they also had a don’t try unlimited tries
to log into my account.
You can lock it out after 10.
By default, not turned on,
because it’s not convenient for people.
Ring was like, I want people to stick these little things up
and have security in their house,
but cybersecurity, don’t make it inconvenient,
then people won’t buy our product.
That’s how they got hacked.
They wanted to say that it’s insecure
and got hacked into,
reputational harm right there for Ring,
but they didn’t, it was just credential stuffing.
People bought username and passwords on the black market
and just wrote a bot that just went through Ring
and used every one of them to maybe 1% hit,
but that’s a big hit to the number of Ring users.
You know, you can use also password managers
to make the changing of the passwords easier.
And to make, you can charge the difficulty,
the number of special characters,
the length of it and all that.
My favorite thing is on websites,
yell at you for your password being too long
or having too many special characters,
or like, yeah, you’re not allowed to have
this special character or something.
You can only use these three special characters.
Do you understand how password cracking works?
If you specifically tell me which password,
which special characters I can use?
I honestly just want to have a one-on-one meeting,
like late at night with the engineer that programmed that,
because that’s like an intern.
I just want to have a sit-down meeting.
Yeah, I made my parents switch banks once
because the security was so poor.
I was like, you can’t have money here.
But then there’s also like the zero-day attacks,
like I mentioned before the QNAP NAS that got hacked.
Luckily, I didn’t have anything private on there,
but it really woke me up to like, okay,
so like, you have to take everything extremely seriously.
Unfortunately for the end users,
there’s nothing you can do about zero-day.
There’s this, you have no control over that.
I mean, it’s the engineers that made the software
don’t even know about it.
Now let’s talk about one days.
So there’s a patch now out there for the security.
So if you’re not updating your systems
for these security patches, if it’s just not on you,
my father-in-law has such an old iPhone,
you can’t security patch it anymore.
So, and I tell him, I said,
this is what you’re missing out on.
This is what you’re exposing yourself to,
because, you know, we talked about that powerful tool
that how we found Ross Ulbrich at gmail.com.
Well, bad guys are using that too.
It’s called, you know,
it used to be called Google dorking.
Now it’s, I think it’s named kind of Google hacking
by the community.
You can go in, you know, and find a vulnerability,
read about the white paper,
what’s wrong with that software.
And then you can go on the internet
and find all of the computers
that are running that outdated software.
And there’s your list, there’s your target list.
I know the vulnerabilities that are running.
Again, not making a playbook here,
but, you know, that’s how easy it is to find your targets.
And that’s what the bad guys are doing.
Then the reverse is tough.
It’s much tougher, but it’s still doable,
which is like first find the target.
If you have specific targets to, you know,
hack into a Twitter account, for example.
Much harder.
That’s probably social engineering, right?
That’s probably the best way.
Probably, if you wanted something specific to that.
I mean, if you really want to go far, you know,
if you’re targeting a specific person, you know,
how hard is it to get into their office
and put a, you know, a little device,
USB device in line with their mouse,
who checks how their mouse is plugged in.
And you can, for 40 bucks on the black market,
you can buy a key logger that just USB,
then the mouse plugs right into it.
It looks like an extension on the mouse,
if you can even find it.
You can buy the stuff with a mouse inside of it
and just plug it into somebody’s computer.
And there’s a key logger that lives in there
and calls home, sends everything you want.
So, I mean, and it’s cheap.
Yeah.
In grad school, a program that built a bunch of key loggers,
it was fascinating, a tracking mouse,
just for what I was doing as part of the research,
I was doing to see if by the dynamics of how you type
and how you move the mouse, you can tell who the person is.
Oh, wow.
That’s like, it’s called the active authentication,
or like, it’s basically biometrics
and it’s not using bio to see how identifiable that is.
So, it’s fascinating to study that,
but it’s also fascinating how damn easy it is
to install key loggers.
So, I think it’s natural, what happens is you realize
how many vulnerabilities there are in this world.
You do that when you understand bacteria and viruses,
you realize they’re everywhere.
In the same way with, I’m talking about biological ones,
and then you realize that all the vulnerabilities
that are out there.
One of the things I’ve noticed quite a lot
is how many people don’t log out of their computers.
Just how easy physical access to systems actually is.
Like, in a lot of places in this world,
and I’m not talking about private homes,
I’m talking about companies, especially large companies.
It seems quite trivial in certain places that I’ve been to,
to walk in and have physical access to a system,
and that’s depressing to me.
It is.
It just, I laugh because one of my partners at Naxo
that I work at now,
he worked at a big company.
Like, you would know the name as soon as I told you,
I’m not gonna say it.
But the guy who owned the company,
and the company has his name on it,
didn’t want to ever log into a computer.
It just annoyed the shit out of him.
So, they hired a person that stands next to his computer
when he’s not there, and that’s his physical security.
You see, that’s good.
That’s pretty good, actually.
Yeah, I mean, I guess if you could afford to do that.
At least you’re taking your security seriously.
I feel like there’s a lot of people in that case
would just not have a login.
Yeah.
No, the security team there had to really work around
to make that work.
Non-compliant with company policy.
But that’s interesting.
The key log, there’s a lot of,
there’s just a lot of threats.
Yeah, I mean-
There’s a lot of ways to get in.
Yeah, I mean, so you can’t sit around
and worry about someone physically gaining access
to your computer with key log and stuff like that.
You know, if you’re traveling to a foreign country
and you work for the FBI, then yeah, you do.
You pick little, you know, sometimes some countries
you would bring a fake laptop
just to see if they stole it or accessed it.
I really want, especially in this modern day,
to just create a lot of clones of myself
that generate Lex sounding things
and just put so much information out there.
I actually dox myself all across the world.
And then you’re not a target, I guess.
Just put it out there.
I’ve always said that, though.
We do these searches in FBI houses and stuff like that.
If someone just got like a box load
of like 10 terabyte drives and just encrypted them,
oh my God, do you know how long the FBI
would spin their wheels trying to get that data out there?
It’d be insane.
Oh, so just give them-
You don’t even know which one you’re looking for.
Yeah.
That’s true, that’s true.
So it’s like me printing like a treasure map
to a random location, just get people to go on goose chases.
Yeah, what about operating system?
What have you found, what’s the most secure
and what’s the least secure operating system?
Windows, Linux, is there no universal?
There’s no universal security.
I mean, it changed.
People used to think Macs were the most secure
just because they just weren’t out there,
but now kids have had access to them.
So I know you’re a Linux guy, I like Linux too,
but it’s tough to run a business on Linux.
People want to move more towards the Microsofts
and the Googles just because it’s easier to communicate
with other people that maybe aren’t computer guys.
So you have to just take what’s best, what’s easiest
and secure the shit out of it as much as you can
and just think about it.
What are you doing these days at Nexo?
So we just started Nexo.
So I left the government and went to a couple consultancies
and I started working, really all the people
I worked good in the government with,
I brought them out with me.
You used to work for the man and now you’re the man.
Exactly, but now we formed a partnership
and it’s a new cybersecurity firm.
Our launch party is actually on Thursday,
so it’s going to be exciting.
Do you want to give more details about the party
so that somebody can hack into it?
No, I don’t think they’re going to tell you where it is.
You can come if you want, but don’t bring the hackers.
So Hector will be there with us.
I can’t believe you invited me
because you also say insider threat is the biggest threat.
By the way, can you explain what the insider threat is?
The biggest insider threat in my life is my children.
My son’s big into Minecraft
and will download executables mindlessly
and just run them on the network.
So he is-
Do you recommend against marriage and family and kids?
Nope, nope.
From a security perspective.
From a security perspective, absolutely.
But no, I just segmentation.
I mean, we do it in all businesses for years.
Started segmenting networks, different networks.
I just do it at home.
My kid’s on his own network.
It makes it a little bit easier
to see what they’re doing too.
You can monitor traffic and then also throttle bandwidth
if your Netflix isn’t playing fast enough
or buffers or something.
So you can obviously change that a little too.
You know they’re going to listen to this, right?
They’re going to get your tricks.
Yeah, they’ll definitely will listen.
But there’s nothing more humbling than your family.
You think you’ve done something big
and you go on a big podcast and talk to Les Freeman.
They don’t fucking care.
Unless you’re on TikTok or shit.
You’ll show up on a YouTube feed or something like that.
And they’ll be like, oh, yeah.
Whatever, this guy’s boring.
My son does a podcast for his school
and I still can’t get him to tell.
So Hector and I just started a podcast
talking about cybersecurity.
We do a podcast called Hacker in the Fed.
It just came out yesterday, so first episode.
So yeah, we got 1,300 downloads the first day.
We were at the top of Hacker News,
which is a big website in our world.
So it’s called Hacker in the Fed?
Hacker in the Fed’s the name of it, so.
Go download and listen to Hacker in the Fed.
I can’t wait to see what,
because I don’t think I’ve seen a video of you two together.
So I can’t wait to see what the chemistry is like.
I mean, it’s not weird that you guys used to be enemies
and now you’re friends?
So yeah, I mean, we just did a trailer and all that.
And our producer, we have a great producer guy named Phineas
and he kind of pulls things out of me.
And I said, okay, I got one.
My relationship with Hector,
we’re very close friends now.
And I was like, oh, I arrested one of my closest friends,
which is a very strange relationship.
Yeah, it’s weird.
But he says that I changed his life.
I mean, he was going down a very dark path
and I gave him an option that one night
and he made the right choice.
I mean, he now does penetration testing.
He does a lot of good work and he’s turned his life around.
Do you worry about cyber war in the 21st century?
Absolutely.
If there is a global war, it’ll start with cyber,
if it’s not already started.
Do you feel like there’s a boiling,
like the drums of war are beating?
What’s happening in Ukraine with Russia?
It feels like the United States
becoming more and more involved
in the conflict in that part of the world.
And China is watching very closely,
is starting to get involved geopolitically
and probably in terms of cyber.
Do you worry about this kind of thing
happening in the next decade or two,
like where it really escalates?
You know, people in the 1920s were completely terrible
at predicting the World War II.
Do you think we’re at the precipice of war potentially?
I think we could be.
I mean, I would hate to just be, you know,
just fear mongering out there, you know, COVID’s over.
So the next big thing in the media is war and all that.
But I mean, there’s some flags going up
that are very strange to me.
Is there ways to avoid this?
I hope so.
I hope smarter people than I are figuring it out.
I hope people are playing their parts
in talking to the right people
because war is the last thing I want.
Well, there’s two things to be concerned about
on the cyber side.
One is the actual defense on the technical side of cyber.
And the other one is the panic that might happen
when something like some dramatic event happened
because of cyber, some major hack that becomes public.
I’m honestly more concerned about the panic
because I feel like if people don’t think about this stuff,
the panic can hit harder.
Like if they’re not conscious about the fact
that we’re constantly under attack,
I feel like it’ll come like a much harder surprise.
Yeah, I think people will be really shocked on things.
I mean, so we talked about LulzSec today
and LulzSec was 2011.
They had access into the water supply system
of a major US city.
They didn’t do anything with it.
They were sitting on it in case someone got arrested
and they were gonna maybe just expose that it’s insecure.
Maybe they were gonna do something to fuck with it.
I don’t know.
But that’s 2011.
I don’t think it’s gotten a lot better since then.
And there’s probably nation states or major organizations
that are sitting secretly on hacks like this.
100%, 100% they are sitting secretly
waiting to expose things.
I mean, again, I don’t wanna scare the shit out of people,
but people have to understand the cyber threat.
I mean, there are thousands of nation state hackers
in some countries.
I mean, we have them too.
We have offensive hackers.
You know, the terrorist attacks of 9-11,
there’s planes that actually hit actual buildings
and it was visibly clear and you can trace the information.
With cyber attacks, say something that would result
in a major explosion in New York City,
how the hell do you trace that?
Like, if it’s well done,
it’s going to be extremely difficult.
The problem is, there’s so many problems.
One of which the US government in that case
has complete freedom to blame anybody they want.
True.
And then to go start war with anybody.
Anybody that actually see,
all right, that’s, sorry.
That’s one cynical take on it, of course.
No, but you’re going down the right path.
I mean, the guys that flew the planes in the buildings
wanted attribution.
They took credit for it.
When we see the cyber attack,
I doubt we’re gonna see attribution.
Maybe the victim side, the US government on this side
might come out and try to blame somebody.
But, you know, like you’ve brought up,
they could blame anybody they want.
There’s not really a good way of verifying that.
Can I just ask for your advice?
So in my personal case, am I being tracked?
How do I know?
How do I protect myself?
Should I care?
You are being tracked.
I wouldn’t say you’re being tracked by the government.
You’re definitely being tracked by big tech.
No, I mean, me personally, Lex,
and an escalated level.
So like,
like you mentioned, there’s an FBI file on people.
Sure.
I’d love to see what’s in that file.
Who did I have the argument for?
Oh, let me ask you, FBI.
Yeah.
How’s the cafeteria food in FBI?
At the Academy, it’s bad.
Yeah.
What about like?
At headquarters?
Headquarters.
A little bit better,
because that’s where the director,
I mean, he eats up on the seventh floor.
Have you been like at Google?
Have you been at the Silicon Valley,
those cafeterias, like those?
I’ve been to the Google in Silicon Valley.
I’ve been to the Google in New York.
Yeah, the food is incredible.
It is great.
So FBI is worse.
Well, when you’re going through the Academy,
they don’t let you outside of the building,
so you have to eat it.
And I think that’s the only reason people eat it.
Yeah.
It’s pretty bad.
I got it.
Okay.
But there’s also a bar inside the FBI Academy.
People don’t know that.
Alcohol bar?
Yes, alcohol bar.
And if you, as long as you’ve passed your PT
and going well, you’re allowed to go to the bar.
Nice.
It feels like if I was a hacker,
I would be going after like celebrities
because they’re a little bit easier,
like celebrity celebrities, like Hollywood.
Well, Hollywood nudes were a big thing there
for a long time.
But not even, yeah, I guess nudes.
That’s what they went after.
I mean, all those guys, they socialized.
They social engineered Apple to get backups,
to get the recoveries for backups.
And then they just pulled all their nudes.
And I mean, whole websites were dedicated to that.
Yeah.
See that?
See, I wouldn’t do that kind of stuff.
It’s very creepy.
I would go, if I was a hacker,
I would go after like major, like powerful people
and like tweet something from their account
and like something that, like positive, like loving.
But like for the walls, the obvious that it’s a troll.
God, you get busted so quick.
By a bad hacker.
Really?
But why?
Because hackers never put things out about love.
Oh, you mean like, this is clearly.
Yeah, this is clearly Lex.
What the fuck?
He talks about love in every podcast he does.
I would just be like, no.
Oh, God damn it.
Now somebody’s gonna do it.
You’ll blame me.
It wasn’t me.
Looking back at your life, is there something you regret?
I’m only 44 years old.
I’m already looking back.
Is there stuff that you regret?
EV unit.
Yeah.
I got away.
It’s always the one that got away.
Yeah, I mean, it took me a while
into my law enforcement career
to learn about like the compassionate side.
And it took Hector Monsegur to make me realize
that criminals aren’t really criminals.
They’re human beings.
That really humanized the whole thing for me,
sitting with him for nine months.
I think that’s maybe why I had a lot more compassion
when I arrested Ross.
Probably wouldn’t have been so compassionate
if it was before Hector.
But yeah, he changed my life
and showed me that humanity side of things.
So would it be fair to say that all the criminals
or most criminals are just people
that took a wrong turn at some point?
They all have the capacity for good and for evil in them?
I’d say 99% of the criminals that I’ve interacted with,
yes, the people with the child exploitation,
no, I don’t have any place in my heart for them.
What advice would you give to people in college,
people in high school,
trying to figure out what they want to do with their life,
how to have a life they can be proud of,
how to have a career they can be proud of,
all that kind of stuff?
In the US budget that was just put forward,
there’s $18 billion for cybersecurity.
We’re about a million people short
of where we really should be in the industry, if not more.
If you want job security and want to work
and see exciting stuff, head towards cybersecurity.
It’s a good career.
And one thing I dislike about cybersecurity right now
is they expect you to come out of college
and have 10 years experience in protecting
and knowing every different Python script out there
and everything available.
The industry needs to change and let the lower people in
in order to broaden and get those billion jobs filled.
But as far as their personal security,
just remember, it’s all gonna follow you.
I mean, there’s laws out there now
where you have to turn over your social media accounts
in order to have certain things.
They just changed that in New York state.
If you want to carry a gun,
you have to turn over your social media
to figure if you’re a good social character.
So hopefully you didn’t say something strange
in the last few years and it’s gonna follow you forever.
I bet Ross Albrecht would tell you the same thing.
Don’t put rossalbrecht at gmail.com on things
because it’s gonna last forever.
Yeah, people sometimes, for some reason,
they interact on social media
as if they’re talking to a couple of buddies,
like just shooting shit and mocking
and like, you know, what is that?
Busting each other’s chops,
like making fun of yourself,
like being, especially gaming culture,
like people who stream.
Thank God that’s not recorded.
Oh my God, the things people say on those streams.
Yeah, but a lot of them are recorded.
There’s a whole Twitch thing
where people stream for many hours a day.
And I mean, just outside of the very offensive things
they say, they just swear a lot.
They’re not the kind of person that I would wanna hire,
I wouldn’t wanna work with.
Now, I understand that some of us might be
that way privately, I guess,
when you’re shooting shit with friends,
like playing a video game
and talking shit to each other, maybe.
But like, that’s all out there.
You have to be conscious of the fact
that that’s all out there.
And it’s just not, it’s not a good look.
It’s not like you’re, you should,
it’s complicated,
because I’m like against hiding who you are.
Oh, if you’re an asshole, you should hide some of it.
Yeah, but like, I just feel like
it’s going to be misinterpreted.
When you talk shit to your friends
while you’re playing video games,
it doesn’t mean you’re an asshole,
because you’re an asshole to your friend,
but that’s how a lot of friends show love.
Yeah, an outside person can’t judge
how I’m friends with you.
But if I wanna be, this is our relationship.
If that person can say that I’m an asshole to them,
then that’s fine, I’ll take it.
But you can’t tell me I’m an asshole to them
just because you saw my interaction.
I agree with that.
They’ll take those words out of context,
and that’s considered who you are is dangerous.
And people take that very nonchalantly.
People treat their behavior on the internet
very, very carelessly.
That’s definitely something that you need to learn
and take extremely seriously.
Also, I think that taking that seriously
will help you figure out what you really stand for.
If you use your language carelessly,
you’d never really ask, what do I stand for?
I feel like it’s a good opportunity when you’re young
to ask, what are the things that are okay to say?
What are the things, what are the ideas I stand behind?
Especially if they’re controversial,
and I’m willing to say them because I believe in them,
versus just saying random shit for the lulz.
Because for the random shit for the lulz,
keep that off the internet.
That said, man, I was an idiot for most of my life,
and I’m constantly learning and growing.
I’d hate to be responsible for the kind of person
I was in my teens, in my 20s.
I didn’t do anything offensive,
but it just changed as a person.
I used to, I guess I probably still do,
but I used to read so much existential literature.
That was a phase.
There’s phases.
Yeah, you grow and evolve as a person.
That changes you in the future.
Yeah, thank God there wasn’t social media
when I was in high school.
Thank God.
Oh my God, I would never have gotten the FBI.
Would you recommend that people consider a career
at a place like the FBI?
I loved the FBI.
I never thought I would go anyplace else but the FBI.
I thought I was gonna retire with the gold watch
and everything from the FBI.
That was my plan.
You get a gold watch?
No, but you know what it is.
It’s a, oh, it’s an expression.
It’s colonialism.
You get a gold badge.
You actually get your badge in Lucite,
and your creds, they put it in Lucite and all that.
Does it, by the way, just on a tangent,
since we like those,
does it hurt you that the FBI,
by certain people, is distrusted or even hated?
100%.
It kills me.
I’ve never, until recently,
sometimes be embarrassed about the FBI sometimes,
which is really, really hard for me to say
because I love that place.
I love the people in it.
I love the brotherhood that you have
with all the guys in your squad,
guys and girls.
I just use guys.
I developed a real drinking problem there
because we were so social of going out after work
and continuing on.
It really was a family.
So I do miss that.
But yeah, I mean, if someone can become an FBI agent,
I mean, it’s pretty fucking cool, man.
The day you graduate and walk out of the academy
with a gun and a badge,
and the power to charge someone with a misdemeanor
for flying on the United States flag at night,
that’s awesome.
So there is a part of representing and loving your country,
and especially if you’re doing cybersecurity.
So there’s a lot of technical savvy
in different places in the FBI.
Yeah, I mean, there’s different pieces.
Sometimes you’ll see an older agent
that’s done not cyber crime
come over to cyber crime at the end
so he can get a job once he goes out.
But there’s also some guys that come in.
I won’t name his name, but there was a guy,
I think he was a hacker when he was a kid,
and now he’s been an agent.
Now he’s way up in management.
Great guy.
I love this guy, and he knows who he is if he’s listening.
He had some skills.
But we also lost a bunch of guys that had some skills
because we had one guy in the squad
that he had to leave the FBI
because his wife became a doctor
and she got a residency down in Houston
and she couldn’t move.
He wasn’t allowed to transfer,
so he decided to keep his family versus the FBI.
So there’s some stringent rules in the FBI
that need to be relaxed a little bit.
Yeah, I love hackers turned leaders.
Like one of my quickly becoming good friends
was Mudge, he was a big hack in the 90s
and then now was recently Twitter chief security officer,
CSO, but he had a bunch of different leadership positions,
including being my boss at Google.
But originally a hacker.
It’s cool to see hackers become leaders.
I just wonder what would cause him to stop doing it.
Why he would then take a managerial route,
for high tech companies versus-
I think a lot of those guys, so this is like the 90s,
they really were about the freedom.
There’s like a philosophy to it.
And when I think the hacking culture evolved over the years,
and I think when it leaves you behind,
you start to realize like, oh,
actually what I wanna do is I wanna help the world
and I can do that in legitimate routes and so on.
But that’s the story that,
and yeah, I would love to talk to him one day.
But I wonder how common that is too,
like young hackers turn good.
You’re saying it like pulls you in.
If you’re not careful, it can really pull you in.
Yeah, you’re good at it, you become powerful,
you become, everyone’s slapping you on the back
and say, what a good job and all that at a very young age.
Yeah.
So yeah, I would love to get into my buddy’s mind
on why he stopped hacking and moved on.
That’s gonna be a good conversation.
In his case, maybe it’s always about a great woman involved,
a family and so on.
Yeah, that’s true.
That grounds you.
Because like we have, there is a danger to hacking
that once you’re in a relationship, once you have family,
maybe you’re not willing to partake in.
What’s your story?
What, from childhood, what are some fond memories you have?
Fond memories?
Where did you grow up?
Well, I don’t give away that information.
Yeah, yeah, yeah, in Virginia.
In Virginia.
What are some rough moments?
What are some beautiful moments that you remember?
I had a very good family growing up.
The rough moment, and I’ll tell you a story
that just happened to me two days ago
and it fucked me up, man, it really did.
And you’ll be the first, I’ve never told,
I tried to tell my wife this two nights ago
and I couldn’t get it out.
So my father, he’s a disabled veteran,
he was a disabled veteran.
He was in the army and got hurt
and was in a wheelchair his whole life,
for all my growing up.
He was my biggest fan.
He just wanted to know everything about
what was going on in the FBI, my stories.
I was a local cop before the FBI
and I got into a high-speed car chase,
foot chase and all that and kicking doors in.
He wanted to hear the stories
and at some points I was kind of too cool for school
and, ah, dad, I just want a break and all that
and things going on.
We lost my dad during COVID, not because of COVID,
but it was around that time,
but it was right when COVID was kicking off.
And so he died in the hospital by himself
and I didn’t get to see him then.
And then my mom had some people visiting her
the other night, Tom and Karen Roggeberg,
and I’ll say they’re my second biggest fans,
right behind my dad.
They always asking about me and my career
and they read the books and seen the movie.
They’ll even tell you that Silk Road movie was good.
They’ll hide you on that.
And so they came over and I helped them with something
and my mom called me back a couple of days later
and she said, I appreciate you helping them.
I know fixing someone’s Apple phone over the phone
really isn’t what you do for a living.
It’s kind of beneath you and all that, but I appreciate it.
And she said, oh, they loved hearing the stories
about Silk Road and all those things.
And she goes, your dad, he loved those stories.
I just wish he could have heard them.
He even would tell me, he would say,
maybe Chris will come home and I’ll get him drunk
and he’ll tell me the stories.
But, and then she goes, maybe one day in heaven
you can tell them those stories.
And I fucking lost it.
I literally stood in my shower sobbing like a child.
Just thinking about all my dad wanted was those stories.
Yeah.
And now I’m on a fucking podcast
telling the stories to the world and I didn’t tell him.
Yeah.
Did you ever have a long heart to heart with him
about such stories?
He was in the hospital one time and I went through
and I wanna know about his history, his life, what he did.
And I think he maybe sensationalized some of it,
but that’s what you want.
Your dad’s your hero.
So you wanna hear those things.
Is he a good storyteller?
Yeah, again, I don’t know what was true and not true,
but some of it was really good.
And it was just good to hear his life,
but we lost him and now those stories are gone.
You miss him?
Yeah.
What did he teach you about what it means to be a man?
So my dad, he was an engineer.
And so part of his job,
we worked for Vermont Power and Electric or whatever it was.
I mean, when he first got married to my mom and all that,
like he flew around in a helicopter
checking out like power lines and dams.
He used to swim inside to scuba into dams
to check to make sure they were functioning properly
and all that.
That’s pretty cool shit.
And then he couldn’t walk anymore.
I probably would have killed myself
if my life switched like that so bad.
And my dad probably went through some dark points,
but he had that from me, maybe.
And so to get through that struggle,
to teach me like, you press on, you have a family,
people count on you, you do what you gotta do.
That was big.
I’m sure you make him proud, man.
I’m sure I do, but I don’t think he knew that,
that I knew that.
Well, you get to pass on that love to your kids now.
I try, I try, but I can’t impress them
as much as my dad impressed me.
I can try all I want, but.
Well, what do you think is the role of love?
Because you gave me some grief,
you busted my balls a little bit
for talking about love a lot.
What do you think is the role of love
in the human condition?
I think it’s the greatest thing.
I think everyone should be searching for it.
If you don’t have it, find it, get it as soon as you can.
I love my wife, I really do.
I had no idea what love was until my kids were born.
My son came out and, this is a funny story,
he came out and I just wanted him to be safe
and be healthy and all that.
And I said to the doctor, I said,
10 and 10, doc, 10 fingers, 10 toes, everything good.
And he goes, eh, nine and nine.
I was like, what the fuck?
He’s like, oh, this is gonna suck.
Okay, we’ll deal with it and all that.
He was talking about the apnea cord
or some score about breathing and color and all that.
And I was like, oh, shit.
But no one told me this.
But so I’m just sobbing.
I couldn’t even cut the umbilical cord.
Just fell in love with my kids when I saw them.
And that to me really is what love is,
just for them, man.
And I see that through your career,
that love developed, which is awesome.
Being able to see the humanity in people.
I didn’t when I was young.
The foolishness of youth.
I needed to learn that lesson hard.
I mean, when I was young in my career,
it was just about career goals
and arresting people became stats.
You arrest someone, you get a good stat,
you get an atta boy.
Maybe the boss likes it and you get a better job
or you move up the chain.
It took a real change in my life to see that humanity.
And I can’t wait to listen to you talk,
which is probably hilarious and insightful
given the life of the two you lived
and given how much you’ve changed each other’s lives.
I can’t wait to listen, brother.
Thank you so much.
This is a huge honor.
You’re an amazing person with an amazing life.
This was an awesome conversation.
Dude, huge fan.
I love the podcast.
Glad I could be here.
Thanks for the invite.
So exercise in the brain too.
It was great.
It was a great conversation.
And the heart too, right?
Oh yeah, yeah.
You got some tears there at the end.
Thanks for listening to this conversation
with Chris Tarbell.
To support this podcast,
please check out our sponsors in the description.
And now let me leave you with some words
from Benjamin Franklin.
They who can give up essential liberty
to obtain a little temporary safety
deserve neither liberty nor safety.
Thank you for listening and hope to see you next time.
♪♪♪