Transcripts For CSPAN The Communicators 20121027 : vimarsana

CSPAN The Communicators October 27, 2012

Hackers give to a vulnerability in software that allows a bad guy into a computer system. These gaps take a lot of forms. They have not been previously discovered. So there is no way to block them. When a hacker has a zero day, with the right tools and skills, they can take over a system.

How would you describe this series?

It is really the mission that we were looking into cyber security and cyber war. The Pentagon had declared cyberspace, the environment of people and machines and networks, as a new domain of war, and yet we realize that maybe one in 1000 people really understood what cyberspace was and the degree and depth of the vulnerabilities. So what we are trying to do with the Zero Day series is take pieces of it and explain the fundamentals, and the platonic idea is that everybody from my mom and dad to Congress and people around the country can understand, and so maybe start the process of coming up with ways to defend cyberspace.

If you look at cyberspace in the United States right now, how would you describe security overall? Much as we would describe crime or break-ins in a neighborhood.

In the spirit of the explanatory mission, you cannot really talk about cyberspace and the United States. A computer user in Washington, D.C., or in Wichita, or San Francisco is effectively working shoulder to shoulder with a computer user in Beijing or Moscow. There is literally milliseconds of difference in space and time in cyberspace. I thought I would point that out. As for the security, the reality is it is almost remarkable how vulnerable computer systems are. Cyberspace is not what most people think it is.
Most people equate cyberspace with the internet, but if they want to think clearly about what cyberspace is, it is important to note it is a GPS system on new cars, it is the iPhone, the Droids, it is jet fighters, jet planes, anything driven by computers, excuse me, computer code, and linked to networks can be part of cyberspace. And the vulnerabilities are almost stunningly pervasive.

Can you give an example?

Sure, Charlie Miller, who is a former government hacker, who is now on the good side, a security specialist, one of the great hackers in the world, he last year decided to explore the vulnerabilities in the iPhone. He found a vulnerability in the iPhone that when he deployed it the right way, and this was for a contest, it enabled him to take over a portion of that iPhone. Industrial control computers are on a lot of systems, water systems, electric grids and so on. Last year, a disgruntled hacker abroad went into a water system in South Houston, Texas, and got control of those computers. The list goes on and on. There are hacks of Google, security firms. There are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day. Probably the most phenomenal attack involves a worm called Stuxnet. In that case, the U.S. government, I think working with Israel, but the U.S. government developed a computer worm that went into the nuclear processing facilities in Iran and disrupted those computers.

It was developed by the U.S. government?

Yes, according to reporters.

Then what was its purpose? Was it a defense mechanism, the Defense Department?

No, it was a purely offensive, preemptive effort to slow the nuclear weapons processing capability of Iran.

You mentioned Charlie Miller, and Mr. Miller is in St. Louis, joining us today. Mr. Miller, what was your goal in breaking into the iPhone?

Well, in the particular case, it was for a contest, like Robert mentioned.
They have this contest every year. Hackers across the world enter it. They have various devices. If you break into the devices, you win some cash and devices also. I won contests earlier in my career. It was more about showing things like the iPhone or desktops running Apple software are vulnerable, because it was not really believed it was. Now it is just, I have shown vulnerabilities in the iPhone, have shown attacks where I could send a text message to the iPhone and take it over. These are all fixed now. Part of the contest is all of these areas are fixed. It is a fun way to show what skills and everybody gets protected by the attacks we come up with.

How long did it take you to break into the iPhone and from where did you do it? An office, where?

The iPhone attack, at the contest it only took a few seconds, but the preparation is the important part. It took me maybe a month of preparation with a colleague of mine. A few weeks of looking for a vulnerability, a few weeks before digging into that vulnerability and exploiting it to attack the iPhone. The actual contest took place at a security conference in Vancouver. I was actually physically in Vancouver and they had an iPhone there. I attacked it and stole a bunch of data off of it and that was the proof I had succeeded.

Charlie Miller, could you do this from your living room? Could you break into a bank, break into other devices from your living room?

That is the amazing thing about cyber security, you don't have to physically be anywhere. We are all connected, leslie, so devices, your phone, computer, in the future your refrigerator, anything that is on the internet you can get to from basically anywhere. That is one of the things that makes defense difficult. You don't just have to defend from your neighbor. You have to defend from a guy in Belarus. It is a different problem.

Robert O'Harrow described you as a good guy hacker, white hat hacker. What does that mean?
What is the motive of some of the black hat hackers?

The white hat, the good guy hackers, we are the guys who develop skills to do the same thing as the bad guys can do. We break into computers, but instead of breaking in and stealing information and causing problems, we tell everyone what we did, try to work with vendors to make things secure, give talks about security, how to make it better. So while we can break in and do harm, we don't. We show how to break in to improve security. On the other hand, there is the actual bad guys. They have various ranges of motives, from just teenagers goofing off and trying to impress their friends to actual organized crime trying to steal money and credit card information to the governments trying to commit espionage and actual cyber warfare. There is a whole range of attackers on the black hat side.

We did not get a lot of your biography, but you worked at the NSA for a while and are now with Twitter. What did you do with NSA?

I cannot say too much about NSA, but I worked there five years in their computer security group. I cannot say a whole lot more than that.

And you are with Twitter now, correct?

Yep. So between that time, the last seven years, I just started with Twitter a couple months ago, before that I was a security consultant. Basically take the role of a bad guy, break in, show them what went wrong, how they could make it better so a real bad guy cannot do it.

Robert O'Harrow, were you able to get in touch with any bad guy hackers and learn their motives?

I have talked to bad hackers. The motives are, as Charlie said, all over the place. I have watched details about bad hackers. We know, for example, that some of them are preparing, infiltrating systems with long-lasting threats in the event there is ever a cyber conflict or cyber war. Our power grids, national labs, corporate systems all over the U.S.
have already been intruded, and it is believed there are already trojan horses. A lot of espionage is occurring. We know there are groups in Russia and China, for example, that work regular hours breaking into systems and stealing information, massive amounts of information. The motives are the same motives that you might find within your array of bad people: money, money policing, intelligence, and prepping for cyber war.

Charlie Miller, for casual users, regular users of the internet who may do online banking, surf the internet, send email, what kind of protection would you recommend to those people?

Well, the regular users are in a pretty good place. We, and by we I mean security, the security industry, has been working quite a few years to make that sort of thing secure, and it is pretty good. If you just use your browser, have an antivirus, you don't just go to random sites, you are in pretty good shape. The biggest risk of, say, attacks, we talked about the iPhone attack, that is still extremely rare. You are way more likely to lose your iPhone in a bar than have a bad guy attack your phone. The one side is if your attackers are teenagers or organized crime, you play it halfway safe and you are not a big target, you're probably OK. The more interesting thing, I think, is when you are the U.S. government or Google or the White House, no matter what you do, you are still a target. Your attackers, instead of being teenagers, are whole branches of governments, militaries from other countries, and there we don't really know what to do. There are a lot of open questions there.

To follow up on Charlie's remarks, one of the things that is interesting, cyberspace is a collection of machines and people. People are part of the network. The very baddest of bad guys have taken on something called social engineering as a way of attacking.
You may not be as inherently interesting as a target, but you may be vulnerable to social engineering because essentially what they're doing is pretending to be your friend, family member after doing homework. They may send an email or direct you to a website that is loaded with the attack code. If you are related to someone that they are targeting or if you work at a company that the bad guys want to target, you may fall prey to social engineering. There is almost no way to stop it because of the nature of it. Recently, we did a story about Chinese hackers who were going after gas pipeline companies, intelligence, contractors and Washington, security consultants and others, and it was all part of the same campaign and it looked like part of the espionage effort. And it was based on social engineering messages that look like they were coming from in-house, but they were really coming from these Chinese hackers.

Charlie Miller, we talk about Chinese hackers, Iranian hackers. Who are these people? Are they employed by the government?

We don't really know. We can trace back the attacks somewhat, but it is difficult. If the computer here in Washington, D.C., is attacked, we can trace the attack back to China, but that is not to say there is necessarily a person sitting at the computer in China. Maybe the attack came from the computer which came from a computer in Korea which came from a computer in Germany which came from a computer in Moscow. We don't really know and it is difficult to trace back the attacks. That is one of the major differences between cyber war and conventional war. If someone drives a tank across your border, you know who did it. If you get attacked, you may think it is the Chinese but you don't know for sure and you don't know if it is a teenager or the Chinese army. It is very difficult to ascertain where the attacks are coming from and who is doing it. We have guesses, but we don't know for sure.
Charlie is relating to the core nature of cyberspace, it is a network of networks. Because of the fundamental architecture of these networks, data bounces from computer to computer all the time. When he describes somebody in Germany might be sending something through a computer in South Korea that might be going through China, that is sort of the garden variety hop, skip and jump for data in cyberspace. It brings up an issue not just with cyber security but cyber war. If you don't know precisely who has attacked you, called attribution, then how do you respond in kind to prevent attacks in the future? That is one of the great dilemmas that our military has. How do you hold them accountable for stealing, damaging and what not. Now, one has to believe and hope that the NSA, and I do actually, has cracked this problem to some degree, the attribution problems for corporations and many government agencies is a very real thing. It is a very difficult problem in this digital age.

Robert O'Harrow, you write about a company called Tritium.

It is a company in Richmond that came up with an interesting idea, not long after the web browsers, back in the 1990s, were released and use of the World Wide Web that lays over the top of the internet. It makes it all easy and we all take for granted and it was becoming common. What they did is they realized that the web browser could be like a universal control that could direct devices anywhere in the world that were connected to the networks. Your security camera, you could use your mouse to have the security camera look left or right. You could be sitting in Washington and control the camera in San Francisco. Heating systems all over the place. You might be controlling five buildings, high-rises, elevators, medical devices to some degree, and also access control for security. Say I have the Pentagon facility, a real example.
But it turns out that Tritium became so popular and moved so quickly and profitable. Its financials are not available, but one assumes they were acquired by Honeywell several years ago, they're very popular and grew very quickly and their system is used in 52 countries now. But it turns out that it was vulnerable to a very well-known, rather old vulnerability that hackers have known about, everybody has known about for years. I thought the story was valuable and instructive because it showed the gee whiz component has sometimes blinded software makers and manufacturers, and the pockets that lay within reach has sometimes maybe clouded their view of risk so they rushed forward with the technology before it is as secure as it probably should be. Charlie has given some terrific talks about the incentive structures for the software makers, and whether they are properly in balance with making sure the software is secure. But I will let him speak for that.

Mr. Miller, if you would speak to that?

Sure, we are in a situation where we all run code that was written by a vendor like Microsoft or Cisco or whomever, and the problem is it is very difficult to write secure code. It is hard to measure whether code is secure, so even an expert like myself, it is difficult for me to tell you given two programs which is more secure than the other. It is hard to measure and people don't want to necessarily pay for that. We all want to buy the latest gadget, the iPhone that comes out or whatever, and we don't think to ourselves, how secure is this, maybe I should not buy this because it is not secure. So companies, they are out to make money and that is what they are there for, so they want to push products out the door, beat competitors, have the newest features, but they don't necessarily want to take the time that it takes to make sure their products are secure.
Consumers so far have not really demanded it, and so we all use the software and we are all vulnerable because the software is written in a way that was intended to maximize new features and profit, not to maximize security.

Charlie just raised an interesting issue, which is that consumers, people have not asked for more secure products for the most part. That is related in part to the fact that very few people really understand cyberspace and how it all works. We all love the benefits. It is miraculous, I would venture to say, Charlie is among those who are thrilled with the miracle of the internet and all of the networks and computing power and the benefits that brings to all of us and society, but the fact is many people are afraid to actually confront the tradeoffs that come with these benefits. One of the things we're trying to do at the Post with the Zero Day is not to scream that the sky is falling, because it is not, but to try to make clear that there are tradeoffs so people could start making better decisions and start asking for better security, and in some ways maybe eventually ask the companies that are making technology and writing code to shoulder the full cost of doing business, which I would argue involves creating a secure product.

Charlie Miller, what about when it comes to social media and the sharing of the information that we as consumers do with Google, Facebook, etc.? Does that lend itself to less secure networks?

It does not affect the network, per se, but it puts a lot of our information, sometimes private information out there. If you had never connected to the internet, nobody would necessarily know what you like or if you are dating someone or whatever, but with Facebook and social media, that information is there. Even if you lock that down where only friends can see it, it is still out there on some server somewhere so a bad guy could get to it.
When you consider that a while ago no one would ever agree to carry around a tracking device, right, but now we all carry around cell phones which can be inherently tracked. And nobody would have ever let anybody read their email, but right now a lot of us use Gmail, and our email is sitting on a server at Google. It is interesting when we as a society have given our information out. Whether we want it to be for everyone or just for a few people, it is out there on someone's server and people can get to it. That has changed the whole way of privacy in this age.

Are you finding as a security consultant at the social medias of the world, Twitter, Facebook, Google, etc., that they are leading in security precautions or not?

Well, some of them certainly are. Google makes the show, for sure, for having a pretty secure web browser, Chrome, but not too long ago they were attacked by ed they think the chines
