The Evolution of Hacking: From Counterculture to Cybersecurity with John Threat

Transcript

John Vecchi:

Well, hello everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos, and we’ve got an amazing guest today. We’ve wanted to have him on the show for pretty much since we started. His name is John Lee, AKA John Threat. You might know him-

John Vecchi:

You-

Brian Contos:

From his days in MOD or Master of Deception. Welcome, John.

John Vecchi:

Welcome.

John Threat:

What’s up? What’s up? It’s good to be here.

John Vecchi:

All right. It’s amazing to have you, finally.

Brian Contos:

Yeah, man. You’ve got an amazing … such an interesting background. I’d be remiss if I didn’t ask you to share with our listeners, what was The Great Hacker War, man? Tell us a little bit about that. Let’s just start off there.

John Threat:

Oh, you want to just start in rolling.

John Vecchi:

Just gonna jump right in.

John Threat:

You’ve got to grease me up.

Brian Contos:

Legion of Doom, the whole thing. We want it all, man.

John Threat:

You’ve got to grease me up a little bit. You know what I mean? … Okay, let me see where I should start. Well, first of all, I can’t jump directly into that. I have to say, can we just talk about what actually used to be, maybe the world that I come from a little bit?

Brian Contos:

Yeah, let’s do that.

John Vecchi:

Absolutely, yeah.

Brian Contos:

Start at your beginning.

John Threat:

Let’s start it. Let’s set the stage. All right. So one thing is that I think there is a culture around hacking. Right? Now, a lot of it may seem invisible because it has turned into a billion-dollar industry that sort of lays over the hacker culture, but let’s face it. The core of it, both the legal, illegal gray area, breaking in, securing, chasing hackers, forensics, all of that, all that still really originates with the original hacker culture.

John Vecchi:

Yep

John Threat:

And that culture is, I would say, it’s interesting to me because it ran parallel to punk, skateboarding, hiphop. All of that just curved out of the counterculture of the 70s that was looking for a different thing. Yeah, there was some disco, but there was emerging punk, hiphop, skateboarding, and along with that was hacker culture. It was a set number of people every day, going to college, getting online on an arper nano, a use nano, and a blog.

As all that world built up, it just kept expanding into the 80s, which that was the crazy time. That’s when I first started hacking all the way into, I guess, the present day. I mean, I consider myself still a hacker … I don’t know. They sell a lot of those stupid hats. I don’t really wear hats. I break systems. That’s what I do. I never really ran away from it. I can’t really run away from it.

It’s also, to be honest, that’s the sexy part about computer hacking and the culture was that distilled part, the exploration of this entire new ocean that just was created. A new ocean with islands in it, that you could break into the systems and jump in. The first time, I don’t know about other people. Right? I happen to fall on the side of someone that broke into systems, but no matter what, it doesn’t matter. Whenever you have a new exploration, it is like a tingle goes down your spine. It’s like an orgasm. The first time you drop into a system, that shit fucking rocks. It just is amazing. That’s why some people get addicted to it. It’s like chasing a high. But, ultimately, like I said, whether you’re legal or illegal, there is a thrill to that.

What’s interesting about that, that I just want to build on, is that, with a security world, I think, one of the things that I personally see, and why there’s a myriad of reasons companies get hacked. Right? Or products, or services. One is that, culturally, inside of a lot of companies, including security companies, they forget what made it fun. Once you’re making a lot of money, and you’re checking your Chase account every day, refreshing, watching the numbers go up, and paying your bills, and your family, you forget what that magic that made it pop for you. When you don’t keep that in the culture, that’s the hacker culture. That’s the part that made you get into it. That was the part that was exciting.

I’m going to be chasing hackers. I am a hacker, but no matter what. When that gets excised, what you get is a bored motherfucker, and then people hack him. That’s what I’m waiting for. I just go right in. Boom. Look at this motherfucker. He’s busy. You know what I mean? Bored to death, not keeping up on his skills, blah, blah, blah, because it’s boring for him now.

The thing is is that there are ways to keep that culture going. It’s just that that gets excised. I totally understand why. There’s a bottom line. There’s no time for fun in work. Although, later on you try it. When I say fun, yeah, you can have a field day, but that’s not the same as fun in hacker culture, if that makes sense. Don’t get me wrong. One legged potato sack races, whatever that thing is from the 1950s. You know what I mean? Work field days and stuff. That’s not fun, or going to a strip club or a bar, and providing coke for your coworkers. That’s not hacker culture that actually gets people to be fun and excited to fucking secure your product and secure the company.

I think that’s always been sort of missing. For me, personally, that’s why I kind of delve into other things besides just security. I think that culture is a lot to take on. I mean, I think that’s a whole thing in itself. Obviously, there’s conferences people go to, and they have a lot of fun there. To me, that part isn’t maintained, and then I watch people get bored, and I watch them slack off. I don’t blame them. Like I said, the systems are comprised because people weren’t paying attention and not invested in what made it exciting for them to start the journey in security. All right, there we go.

John Vecchi:

Mm-hmm.

Brian Contos:

Yeah. Well, John, I love that background, because you paint such a picture. I mean, hacking culture was and is sexy. I look at something like compliance and regulatory mandates, which is like the flannel nightgown that was draped over it. Right? A lot of things have changed, but you’re right. There’s that thrill. I think back to I was a skater as well and kind of got into it at the same time. I remember listening to Bad Brains, and then going out and downloading Tomoke and doing war dialing, and then later on playing with Satan from Dan Farmer, and stuff like that, the early, early. That’s actually how I learned how to program in Pearl was because of writing Satan on Spark One Plus Slayer Slots.

John Threat:

Nice.

Brian Contos:

Yeah. You’re absolutely right, though. There’s that spark that has definitely got diminished a little bit, right? Because real life kind of kicks in, and that fun part kind of misses.

John Vecchi:

Yeah. It’s interesting, John. This podcast is powered by Phosphorous, the company that kind of powers this podcast. Our founder, we don’t talk a lot about the company on this podcast, because we focus on guests like yourself. As you know, I know you know the founders of Phosphorous, and they’re very much old time hackers like you at that time. I think what’s interesting, what you were saying, is the idea that it’s missing. Right? Even if you look at the security landscape, I think you might agree. If you look out into some of the old founders of security today that have moved on to just build bigger companies, they’re not even hacking anymore. Right? I think the days of security leaders, especially CEOs, founders, who are still really still that hacker mindset and having fun with it, that’s hard to find today. Would you agree?

John Threat:

100%. Listen, to be a CSO in the modern era, being a super hacker isn’t the number one thing. I think for a CSO nowadays, so much of it is administration and, like you said, regulatory and putting all the pieces in one place, management, assets, and people, resources and stuff, and understanding that. I’m not suggesting that, but just like the king, you need a jester. You know what I’m saying? It can’t just be all regulatory. It can’t just be just checklist security. It just can’t be. You know what I mean?

John Vecchi:

Mm-hmm.

John Threat:

Don’t get me wrong. There’s retreats that are great for morale, but there’s a difference between morale and being passionate about hacking and security. You get that when you’re young, but then when it gets beat out of you. You know what I’m saying? I think, yes, they get excited about building companies and the chess pieces that go there. That’s exhilarating. “I raised this money. I talked to this person.” You know what I mean?

John Vecchi:

Yeah.

John Threat:

“Oh my God, I got all this money. I can hire all these smart people.” But when we’re talking about the actual day-to-day grind of keeping security staying a step ahead. You know what I mean? Attackers, whether they’re individuals or nation states, at that point.

Brian Contos:

You’re chasing different dragons. Right? Yeah.

John Threat:

Yeah, yeah, aside from that.

John Vecchi:

Mm-hmm.

Brian Contos:

Yeah.

John Threat:

To me, when I look at the space, that’s what I see. I see a lot of people fall asleep because they’re bored. Like I said, that’s an opportunity.

Brian Contos:

So, John, obviously you’ve been in the hacker world forever. You probably came out of the womb involved in this world. Going from somebody that’s interested in computer and tech, and then you’re getting into the hacking side of things, what was the bridge that brought you from that to actually becoming a member of MOD, Masters of Deception?

John Threat:

Okay. Well, hacking, I was breaking into a lot of systems and getting good at it. Right? … I think that was one of the things about the hacking group I was in, and probably a lot of other hacking groups, but specifically the one that I joined had a lot, like Eight Legged Group Machine and then MOD. A lot of that really had to do with there was a litmus test of how good you were. It wasn’t like a group of friends. Well, maybe the original MOD was a core group of friends. I guess 8LGM, but ultimately they were like, “Well, we want to onboard more people, but they’ve got to be good.” You know what I mean?

I just happened to be breaking into stuff left and right. I specialized in a system that was super secure at the time called Vax VMS. That increased a lot of them back then. I sort of increased a surface because only a few people specialized in that. Obviously, the market. Unix ran away with the market, but I was able to add that to the repertoire. Although, I say Unix, but Linux every day. Yeah. Back then, obviously, it’s funny because then both of those systems shaped a lot. Well, actually all the systems. The telephone system, which was a big international network that was part of the specialty of the hack group that I was in.

Brian Contos:

Yep.

John Threat:

Which conveyed a lot of power upon us. To this day, only a few hackers have managed to do that, invade that specific network and-

Brian Contos:

Were you on the phone freaking side too? Were you building blue boxes, and red boxes, and all that, or were you more on the computer side?

John Threat:

No. I kind of came after that.

Brian Contos:

Okay.

John Threat:

I was more on the computer side and stuff. Don’t get me wrong. I explored SDR. You know what I mean?

Brian Contos:

Yeah.

John Threat:

Don’t tell anybody. I got a flipper on me at all times, but I think at that particular time I wasn’t that into … that. My style of freaking, I actually did more social engineering on the freaking. I would be on a pay phone, call the operator, and then get her to key pull forward, and make a call for free, and stuff. Hopefully I didn’t get anybody fired, but I think-

John Vecchi:

Yeah, find a pay phone.

John Threat:

I was pretty good at it. I think … then. You can’t even get an operator now. That dates me too already, just saying, “Operator.”

Brian Contos:

Get an operator. Find a pay phone. It does.

John Threat:

Right, right, right, right, right.

John Vecchi:

Right, exactly.

John Threat:

A young person would be like, “What’s an operator? Do you mean, like,” you know what I mean, “plus signs? What are you talking about?”

Brian Contos:

We have one pay phone left here in San Francisco, and it doesn’t even have the receiver left on it. I think it’s more of a monument than anything else.

John Threat:

Yeah, yeah, yeah, yeah. I saw they removed the pay phone I used to use the acoustic coupler on as a kid near where I lived. I was sad and stuff. I meant to take it and bring it home, but whatever. I think-

Brian Contos:

Got acoustic couplers. If somebody sneezes, you lose your connection.

John Threat:

I know. That was so great, man. It was definitely. You know what I mean? To me, that was so much fun. It’s funny. Well, actually, what am I talking about? Getting a good wifi signal today can be hard some places too, but yeah. I think that’s the deal. It was a litmus test sort of thing to join the group, but then it was really great to be with other hackers that were like-minded. Of course, it increased our ability as a team to be able to break into a wider range of things, as well as share skill sets or combine to really, really craft a lot of stuff.

Brian Contos:

That’s the big thing, right? I mean, once you’re in and you’re deep, you just keep getting deeper, because this guy’s got this password cracking tool, and things guy’s got this war dialer, and this other person has some way to enumerate systems, and the super-duper password scooper on the VMS machines, and all that. I mean, you just get exposed to it, and I think-

John Vecchi:

I haven’t. I think I’ve heard of it, but-

Brian Contos:

It just feeds itself. Right? Because the more you get exposed to, the more you want to get exposed to.

John Threat:

Yeah. It’s very Kids Next Door.

John Vecchi:

Oh, yeah. Yep.

John Threat:

I don’t know if you’ve ever seen that cartoon.

John Vecchi:

Yeah.

Brian Contos:

Mm-hmm.

John Threat:

Kids Next Door? You’ve seen that?

Brian Contos:

Yeah, yeah.

John Threat:

Oh, okay. Okay. Maybe I’ll go back further. It’s kind of Voltron here or something … I think it’s very A-Team. A-Team, there we go. That’s an older reference. I don’t use older references. I do teach some. I’m a visiting professor sometimes, so-

John Vecchi:

Yeah, exactly.

John Threat:

Because of that, when I’m talking to younger people I just pretend I’ve never heard of A-Team. I just start all my references from like 2010.

Brian Contos:

I pity the fool that hasn’t heard of the A-Team.

John Threat:

I know. I know. I love, I love, but the A-Team in a lot of ways is the perfect metaphor in a sense, because each one had different skills, the pilot, the base man, the guy who planted stuff. See, one thing on a hacking team, not only do you need skills, but you need one or two of them to have foresight to be able to see the big picture, because you could break into something. I mean, I know plenty of hacks. They’ve broke into amazing stuff, but they had no idea what they had. Zero. They didn’t understand its place in the world. They didn’t understand the data that was on it.

I’d be like, You did it.” You’re like, “Step aside, son. Let me show.” There’s a couple of times that happened. Somebody was like, “Could you take a look at this for me?” I’m like, “Holy shit.” You know what I mean? It’s tough, because how do you hand back fucking paradise to someone? You know they’re going to wreck it. You know what I mean? Do something dumb with it.

Brian Contos:

Yeah.

John Threat:

It was that Spiderman corny thing, great responsibility. It kind of happened a little bit with that with us a little bit, because I think it was a lot of sensitive systems we were in, and getting them crashed would’ve been not good. Yeah, somebody could get hurt for sure.

Brian Contos:

Well, how many members was the MOD at its largest?

John Threat:

MOD? I’m not sure. That’s a good question. You know we had core members, and then we had sort of satellite members and stuff. I don’t know. Maybe 18? Maybe something like that.

Brian Contos:

So pretty small.

John Threat:

20, 21?

Brian Contos:

It was a pretty tight group then. It’s like 100s-

John Threat:

It was.

Brian Contos:

And 100s of folks. Yeah.

John Threat:

No, no, no. The core was probably really small, like five to seven.

Brian Contos:

Okay.

John Threat:

Or something like that. One thing that we had that nobody had, which is funny now, is we didn’t think about it at the time. Although, we definitely got a lot of shit for it, was that we had pretty much the most diverse group that ever … You know what I mean? At that particular time. You may not blink an eye at it now, but back then … internally, we didn’t hang out and go, “Yo, it’s one of everybody in our group.” You know what I mean? It wasn’t like that.

Brian Contos:

Right.

John Threat:

Like, “Yo, how did we get … Black, white, Asian, Latino, and other ethnicities,” and stuff. We were just chilling as peers and fun.

Brian Contos:

The most diverse hacking group of 1991.

John Threat:

Yeah, baby.

John Vecchi:

Yeah.

John Threat:

Yeah, baby. We didn’t really. Then we had women and stuff. I think a lot of it is that we originated out of New York City, so of course that changed everything, like how we view those kind of things. Whereas, a lot of other groups, unfortunately, were ribbing us sometime. They would take nasty shots at us about it, but it didn’t really bother us too much because, like I said, it’s just funny thinking back then. Nobody said, “Yeah.” That’s just what it was, but looking back on it, it was warm that everybody felt comfortable on our team.

John Vecchi:

Yeah. John, you guys would actually get together. Right? A small group of you?

John Threat:

Yeah, sometimes we would get together.

John Vecchi:

Right?

John Threat:

Rare, but we would, yeah.

John Vecchi:

I mean, I know today you still get together today. I mean, there’s a group of you guys that still tries to connect, but I think back then you did. Did you not kind of actually meet each other? Yeah.

John Threat:

Yeah. Sometimes we saw each other in person. Yeah, sometimes. I think, yeah. I mean, hackers get together sometimes and stuff. Me, I didn’t actually go to a lot of conferences and stuff. Like I said, my relationship to it isn’t as businesslike. I did work in security for a while. The stuff that I like about it isn’t what other people like about it. You know what I mean? I definitely, like I said, stay more on the hacker side of things. I work more on foresight related things, what they call futurism or foresight for think tanks. That’s more what I do.

Brian Contos:

Oh, cool.

John Threat:

You know what I mean? But the security space, my relationship to it is more on the thought side of things. You know what I mean? I’m not really into management. I’m not knocking it. I’m just not. You know what I’m saying? That’s not really my particular style.

John Vecchi:

Yeah. Yeah.

John Threat:

Also, too, I can bring more to the table sort of with the thought-

Brian Contos:

It’s cool that you’ve been on all sides of it, though. Right? And you’ve had-

John Threat:

Yeah.

Brian Contos:

You’ve had some exposure. I mean, you were pretty young when you were on the cover of Wired. Right? What were you, like in your early 20s?

John Threat:

Yeah, yeah. Something like that. Maybe I was just ticking over. I might’ve been 19 or something.

Brian Contos:

Yeah.

John Vecchi:

John, were you not in college or school when some of that was going on? Yeah.

John Threat:

Yeah, yeah, yeah, yeah. I was in school, yeah. I lost my scholarship. I had to go to jail and stuff. You know what I mean?

John Vecchi:

Oh, man.

John Threat:

Kind of sucked. Actually, let me just say, though, in one way it sucked I had to go to jail, but in another way I made it fun, so it was fun. You know what I mean? I got in crazy shape. I was just having a ball in there just fucking running circles around everybody. Nobody knew what I was really in there for and stuff. Everybody assumed, because I’m kind of a big dude, so they just assumed I was in there for the-

John Vecchi:

A bank robber? Yeah.

John Threat:

Yeah. They thought I was in there for the worst stuff, but everyone-

John Vecchi:

“I rob banks, but I use a keyboard.”

John Threat:

Right, right, right, right, right. In fact, the warden said, like, “We heard you’ve been running the joint. Would they be following you if they knew what you were in here for?” I said, “Yo, man. It’s too late. I’ve got like a week left. We should’ve told them months ago. I’m out of here, baby.”

I went back to school after that. It was okay. I mean, I don’t think. Like I said, for the most part I made it fun for myself. You know what I mean? Not that it didn’t suck in one way, but in another way it’s just part of life, man. You know what I mean? Yeah, I definitely made it fun as hell in there.

Brian Contos:

Now, do you keep in contact with any of the folks during that sort of Great Hacker War era on either side, on Legion of Doom, or MOD, or anybody else?

John Threat:

Yeah. I think so. I mean, no. All right, so why don’t we get into The Great Hacker War real quick?

Brian Contos:

Oh, yeah.

John Threat:

So, Great Hacker War. The Great American Hacker War that took place across networks, international networks, X75 gateways, TCPIP, telephony systems. It was incredible. Now, this is my perception of it. I think that the Hacker War was great. It was actually only a few people in the way, but it did take place across several different networks. To me, it was a lot of fun. I think, of course, I say that because I was on the winning side in a way. You know what I mean? I think it left no doubt who the best hackers were and stuff. You know what I mean?

John Vecchi:

Mm-hmm.

John Threat:

I think that part was great. I mean, I think that part made it kind of legendary. Yeah. I think it took place over a couple of weeks. Yeah. There was an incident that happened that couldn’t be cleared up. There was some kind of phone call. A bunch of words was exchanged about who was the best. You know what I mean? So I had to show them what was up.

John Vecchi:

Yep.

John Threat:

And then there was a part where somebody’s phone got tapped. I’m not sure. Well, I went to jail, so I guess I could say it, but I’m in the clear on that crime … We tapped some phone lines, and heard some shit, and revealed it. Yeah, there was some shit going on that threatened to blow apart. It did blow apart the hacker community. It did. There was a lot going on, and obviously some people were getting snitched on, and some people got raided and turned in. I don’t want to say any names, because some of those people … I mean, it really depends on how you look at it.

Once again, for me personally, this is my personal ethos. If you were doing illegal activity, but you want to talk to the feds and turn other young people in and destroy their lives in a balance for you to not go to jail, I think usually society looks at stool pigeons. You know what I mean? If you’re always like, “Look, I think this is illegal,” and you always report, that’s fine. I get that. I can’t doubt that, but when you play both sides about that, playing both sides thing. You know what I mean? Like, “Oh, you’re a teenager. I’m a teenager, but I don’t want to go to jail, so I’ve got to turn you in.” You know what I mean? “And ruin your life.”

John Vecchi:

Mm-hmm.

John Threat:

“And I’ll be cool, but I’m going to still do stuff.” That shit is whack. When you’re young, you don’t always know the consequences of your actions, both whether you decide to be a stool pigeon. You know what I mean? I’m talking about somebody that’s doing it not because there’s pressure from their parents. I’m saying somebody who decides to do it because-

Brian Contos:

On their own, yeah.

John Vecchi:

Yeah.

John Threat:

Right, on their own. They just think, “I am smarter than the system, so I’m going to become an informant. I’m smarter, though, so they look the other way on my crimes.” I just think it happened through history. I think, like I said, history doesn’t look kind on that.

Brian Contos:

You mentioned a little bit earlier your involvement with think tanks and some of these other areas. I’d love to get your perspective on the newer tech that’s in mainstream now, whether it’s AI ML, whether it’s robotics, quantum computing, all these things, and kind of your take on this, and your futuristic view on is this the end of the world as we know it? What do you think?

John Threat:

No, it’s not the end of the world. There’s many things. All right. It’s funny, because I was actually on a think tank about collapse, actually, but it’s not the end of everything. I’m not an AI. First of all, my recommendation to everybody is just drop everything and learn AI. It doesn’t matter how you come to it. I think, for me, I instantly incorporated it into my practice. I mean, that’s just in nature. I’m an optimistic person, but I also like to stay on the cutting edge of things. I think, in a sense, that this comes from the hacker’s spirit.

That’s a part where I don’t like when I’ve got into this, even on a podcast, when I’m on there with older hackers or people. They’re like, “Ah, crypto. Oh, this. Oh, AI.” It’s like, “Bro, this is the same shit as when you were little.” This is the precipice of something incredible. Now, what comes out of, let’s say, crypto, for instance? Crypto can fall away, but something’s going to come out of it that will be the next thing. Those people, the people breaking the black chain, breaking the financial tools, they’re cutting your teeth. They’re going to have a certain skill set you won’t even recognize the signature, because you’re too busy like, “Well, I’m above that. That’s just tulips.” All right, bro. All right, bro.

It’s chill. You were chill. You know what I mean? But maybe you should think about not infecting other people with that if you are active in shaping people’s opinions about technology, because you’re giving them a fucking goddamn blank spot. The same with robotics. Robotics, for me, is a whole nother platform that can be hacked, can be exploited, for good or for bad. I think that, whether you’re on the hacktivism side, or whether you’re on … You know what I’m saying?

John Vecchi:

Mm-hmm.

John Threat:

It’s just part of an evolving security practice. I think it’s important to understand that and how its role is going to play out. For me, all surfaces are valid, and I explore all of them. Just like how, obviously, nobody knew that drone. Well, I shouldn’t say. Some of us knew that drone warfare was going to be so effective on the battlefield. I think, at some point, you’ll see AI be really effective in fraud, inside of both fraud, as well as breaking into systems. I think the evolving fraud that we had, it’s so funny. You ever seen the Jackal?

Brian Contos:

Yeah.

John Threat:

Data Jackal?

John Vecchi:

Mm-hmm.

John Threat:

That’s a jackal. Data jackal, I love that, man. But remember when he has to go get a passport, and the guy has to painstakingly make it the artisan craft? I mean, he murdered him, but he also tried to blackmail. My point is it was this craft. All that’s out the window. Right? Now it’s all hologram. Blah, blah. You know what I mean? You can get AI to synthesize that shit like that, including the fucking … You know what I mean?

John Vecchi:

Yeah.

John Threat:

I think you can not necessarily like the documents, but one thing I found interesting is there’s some services that you do a check where you hold up your passport and your face, or ID, or something. That’s trivial now with AI. You can replicate anybody’s face and passport. If you’ve got their credit card, forget it. You can get right around those checks for that. Open up the phone with the face. You can generate their face from a photo, any look. It’s just not every direction that you can make it natural. You can clone the voice. You know what I mean? That can run through a-

Brian Contos:

Vecchi does that with Taylor Swift all the time. I always go, “Taylor Swift, why do you keep calling me?” He’s like, “Ah, no. It’s Vecchi.”

John Vecchi:

It’s me.

John Threat:

Word, see? Yeah. Now apply that to running through an entire company. You know what I mean? With the bosses, the boss on your voicemail replicated saying, “Hey, could you call back and leave a message here with your password,” or something. Someone’s going to fall for that. They hear their boss’ voice. In terms of that, that’s why people do that. They’re knocking themselves out, but I also encourage people to do it to stay relevant no matter what you do. It doesn’t matter what your profession is. Staying on top of that stop, especially AI and machine learning and stuff. It’s only going to help you and enhance you. Also, too, like I said, if you’re against it, to me that’s even more reason to learn it so you know how to disable it.

John Vecchi:

Yeah, so everybody, yeah. You probably can’t see it, but John’s operating his very cool robot in the background, which we love. We were saying that we’ve got a Phosphorous version of one of those we call Password, John.

John Threat:

Nice.

John Vecchi:

Because, again, obviously, there’s all these. We call it XIOT, all these smart devices, which kind of leads to, again. My gosh, John. We’re going to probably have to have you back. We could sit here all day and hear. You think in terms of the landscape and the mass. When you just kind of go down, say, to a 10,000-foot view of where you started, and you come up, right, to a 60,000-foot view of the landscape today, of the threat surface, and all those. Right? Can you just kind of talk a little bit about, where are we today, how greatly different it is, and where it might be going as we look ahead? Given we were talking about ML and the ChatGPT. All that stuff. The blockchain, and all of that. Can you talk a little bit about that?

John Threat:

Yeah. 60,000 feet high. Well, I think it’s interesting. Well, one, obviously AI is the most interesting part of it in the sense that it is literally going to change the landscape as people get really good at it, and they’re able to effectively use it to automate things. Definitely there’s also the famous Morris worm. I think there’s a good chance you see an AI-generated worm. The stuff that it’ll be able to do and adapt to is going to be amazing. I mean, I don’t work as an IT administrator. It’s going to be their headache. For me, I’m going to be like, “That’s fresh. I love it.”

I think the idea, that idea, is just the ability to sort of mimic so many different aspects of digital abilities, like everything from images, to audio, to things we haven’t even thought of yet. That’s really going to be the amazing part. I’m not big on AGI coming any time soon and being a threat. I think the more immediate threat is just the democratization of AI usage and stuff. I think it’s just one of those things that comes. It’s a bit of a tragedy in the commons. Maybe that’s the wrong term to use here, but it is a sense that once it becomes, everyone is going to use it. Everyone is going to use it to cheat and get ahead in life.

Then there’ll be some data that’ll be gray area legal, legal, not legal. You know what I’m saying? AI doing your resume, and you get ahead of everybody. That’s legal. Right? You make the best resume possible. Now, if the AI dreams, and hallucinates, and makes fake categories for you, well, maybe. That’s still legally, actually. You know what I mean? You could get fired, but it’s actually legal to lie. Right?

John Vecchi:

Mm-hmm.

John Threat:

On your resume. You don’t go to jail for it. At least depending on, obviously, if you’re like a doctor. Service people, that’s a different story. Right?

John Vecchi:

Mm-hmm.

John Threat:

In terms of IT and coding, forget it. You could lie all day. There’s no specific. You know what I mean? It’s nothing. I think my bigger point is that that’s going on. Then, obviously, the name of this podcast is IOT. The number of surfaces is just increasing. Everything from your phone switches, cars. Initial hackers that broke cars, they’re super stars. Right?

John Vecchi:

Mm-hmm.

John Threat:

But, no. They just kept on increasing the number of electronic systems inside a car. Me, personally, just so you know, I drive a car from the 90s. I only buy 90s cars. I only want the most simplest computer in them. That has something to do with the hacker side of me, being able to fix the cars myself. The other side of it is that the average car walking around is a complete surface to shut down.

John Vecchi:

Yep.

John Threat:

Anything. It’s only a matter of time before. You know what I mean? Yeah, they’ll fix it fast, but yeah. What if you’re the victim of a stolen car, or a car that gets shut down on a highway at 80 miles an hour? I think, in general, the proliferation of devices is on its way. Now you see the emergent AI, embedded system ones. I know Rabbit sold out. There’s a Humana pen. There’s a bunch of other new devices. All that’s going to get incorporated.

The other thing that’s interesting about it, too, is that that’s going to start bringing up things like data poisoning. For me, just going back, one of the best hacks you could do, if you have the ability to do it, is to compromise source code where it’s stored at, because then it goes out. The hole goes out to everybody. Right?

John Vecchi:

Mm-hmm.

John Threat:

This is advanced hacking. You know what I mean? This is not your checklist shit that people do with their little Premier graph paper. This is the real shit. Right? The thing is, with AI, you could do data poisoning, which will be easier to do. The sources that they pull from, if you poison it … When I say poison, it’s not like cyanide or something, but you can change the things that the AI reports, and that could be really effective and hard to track down and reproduce. Many people who are now trusting that system are going to be like, “What the heck,” because that’s one of the things about the AI. It’s really based on this huge amount of data. You know what I mean?

John Vecchi:

Mm-hmm.

John Threat:

And our collective cloud situation. Anyway, I could go on and on for this other thing. That’s two sort of high level things going on. Don’t get me wrong. I mean, there is some ideas of data poisoning now, but it is going to become a refined art, for sure.

John Vecchi:

Wow. Well, there you have it, everybody. We heard it from the source. John Threat giving his predictions. John, again, it’s been just so awesome to have you. We’re going to have to have you back. We could sit here and talk all day, but unfortunately we’re out of time. Before we close out, John, you have a presence. People can find you. Where can our listeners who are like, “My God, I’ve got to learn more about you,” where can they find you and follow you? Do you want to just tell them the top places they can get you?

John Threat:

I guess you could do John Threat on the website. I think there’s an Instagram John Threat, and I think there’s maybe a Blue Sky or something. I will say that I’m not super active on social media. I write for a lot of places and stuff, but I don’t really post a lot. Also, too, I’m cross-disciplined, so that also is a thing. One thing is, though, is still you should. This is something I’m thinking about, though. Just throwing this out there. I actually have been, for a project I had, I belong to a bunch of Signal groups. You ever been on WhatsApp groups?

John Vecchi:

Mm-hmm. Mm-hmm.

John Threat:

I’ve been thinking about making a Signal group, and I did it successfully for two other projects that I’m involved in, where like-minded smart people who just share links and stuff. I’m thinking about that. One way to know about that would be either follow me on Twitter. X, I think it’s called, or Instagram. Then, when I make the announcement for that, that could be really good. You also get to see some of my film stuff, or stuff that I teach, or stuff that I write, and stuff.

John Vecchi:

Amazing.

John Threat:

Or robots.

John Vecchi:

Amazing.

John Threat:

Or AI.

John Vecchi:

Well, we announce that, John, you’re going to announce it here on this podcast. It’s an amazing discussion.

John Threat:

Yeah.

John Vecchi:

John Threat, thank you so much for joining us today. We’re just excited to have you. We’ll have you back again. Again, remember everybody, The IOT Security Podcast is brought to you by Phosphorous, the leading provider of proactive full scope and unified security management for the extended internet of things. Thanks again, John. Until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Threat:

And I’m John Threat. Peace.

John Vecchi:

Yes, and we’ll see you all next time on Phosphorous Radio.