Privacy is the New Celebrity

Joe "Kingpin" Grand on How He Became One of the Best Hardware Hackers in the Game - Ep 21

March 24, 2022

In this episode, Josh invites MobileCoin CTO Sara Drakeley to co-host an interview with Joe Grand, prominent hardware hacker, electrical engineer, and inventor. Joe recently made waves with a YouTube video showcasing a successful hack of a Trezor hardware crypto wallet in which he retrieved $2 million of cryptocurrency for a client who lost his PIN. Sara asks Joe about his youth as a "technological juvenile delinquent" and getting arrested for hacking. Joe reminisces about joining the legendary hacker collective L0pht Heavy Industries as a teenager. Josh asks for the inside scoop on some of Joe's most difficult hacks, and Joe offers tips and tricks for those interested in getting into the hacking game.

Speaker 4 (00:05)
Hello and welcome back. You're listening to Privacy is the New Celebrity. I'm Joshua Goldbard, and I'd like to introduce a new host we're bringing onto the show. Sara Drakeley is the CTO here at MobileCoin. Nice to have you with us, Sara.

Speaker 1 (00:19)
Thanks, Josh. I'm excited to be here.

Speaker 4 (00:21)
So we're going to try something new. Both Sara and I are going to host the show together. And the guest we're bringing on today is Joe Grand.

Speaker 1 (00:30)
Joe is an electrical engineer, inventor, and hardware hacker known in the hacker community as Kingpin. He's what's called an ethical hacker who specializes in finding security flaws in hardware devices and making those flaws available so tech companies can fix their vulnerabilities and make their products more secure.

Speaker 4 (00:47)
Joe is a member of a Boston hacker collective called L0pht Heavy Industries whose members famously testified in front of Congress in 1998 on the topic of weak computer security in government.

Speaker 1 (00:57)
He's also the founder of Grand Idea Studio, a technology development, licensing and consulting firm based in Portland, Oregon. Joe, thanks so much for joining us today.

Speaker 2 (01:07)
Hey, thanks for having me.

Speaker 3 (01:09)
To start off, can you tell us how you describe your work?

Speaker 2 (01:12)
Yeah, that's a tricky one. When you mentioned ethical hacking, it's like, yeah, I guess it's ethical, but it depends on whose definition of ethical. Mostly what I do now is teach organizations and engineers and hackers and anybody else who's interested about hardware hacking and how to approach looking at an electronic system from sort of the attacker perspective, either to learn how to break security of hardware products or to understand that hacker mindset in order to better design more secure systems, which is the main thing I do and then other things. I design a lot of electronics and tinker with lots of things and break hardware products as I feel like it and just kind of have fun in this whole space of technology mischief, if you will.

Speaker 1 (02:01)
I understand you were a technological juvenile delinquent growing up.

Speaker 2 (02:05)
These are your words.

Speaker 1 (02:07)
You were arrested for hacking. Can you tell us that story?

Speaker 2 (02:11)
That is correct. Yeah. So I do call myself a technological juvenile delinquent, though in reality, I was just kind of a juvenile delinquent off of the computer and on the computer. I was involved in a number of different kind of hacking groups back in the day, and those were much less organized than you hear about today. But we'd all met on bulletin board systems and would trade information and connect to systems that we shouldn't connect to. And we were involved in credit card fraud and free phone calls and pretty much everything that every teenage computer user in the 80s and 90s was doing. And I ultimately got arrested when I was 16 for breaking into the parking lot of a telephone facility with the goal of getting information and hardware that just wasn't available to us as kids. So it sort of made sense for us. And it's like I was with a bunch of other friends from this hacker group, and we'd all actually met from around the country in one place during our high school winter break, which seemed like a good idea on paper. And we just were so passionate and curious about getting information, in this case about the telephone company, because back then you had phone phreaking and trying to get phone numbers and access to systems and basically like, say, administrator access into telephone switches and things like that.

Speaker 2 (03:37)
So it was just this holy grail of going to a telephone central office and stealing things just seemed to make sense as a kid and get this information. It didn't quite turn out that way and got in trouble for that, but it really ended up being this turning point for me. At that point, I had already been hacking and involved in computers for nine years because I got involved starting when I was seven years old under the Atari 400. And that was a real turning point where I realized like, hey, I love technology, I love hacking. I should probably not be dumb about it and maybe use my skills in a different way. And it's a story for later. But I ended up coming home from that kind of with my tail between my legs and ended up joining up with the L0pht, which was a very early stage at that point hacker collective in Boston. And those guys were older than me and took me under their wing and really kind of mentored me as far as using my skills for good and sharing information. And it was just a roller coaster ride from that point forward.

Speaker 3 (04:41)
So in 1998, when you were testifying with Congress, you talked about Tempest monitoring, where with low cost equipment, you could capture the content of screens from more than 200 meters away, monitoring and eavesdropping of stray electromagnetic fields from computer terminals. How has this changed in the past 24 years?

Speaker 2 (05:02)
Yeah, so that was something I was definitely into at the time of basically the general concept. Even still today is known what's called like a side channel attack where you're effectively taking advantage of some information being leaked from a device and then using that to your advantage. So back then, Tempest monitoring was kind of the thing where you had CRTs, your big monitors, and you're basically picking up electromagnetic interference generated from the cathode ray going across the screen and you could recreate images. And I was basically just doing that as a fun project at the L0pht. I joined the L0pht in 1992, so when I was 16. And then at this point, I'd already been a bunch of years into it, kind of just experimenting with things. And I was just fascinated with the fact that you could have an unmodified device or unmodified piece of circuitry that is unintentionally leaking information that you can exploit. And this has been done by government agencies and military for years already. But this Tempest stuff just really stuck with me. And now if we think about fast forward to today, you don't have CRTs, you have LCDs.

Speaker 2 (06:15)
There's been some research about picking up stray emissions from LCDs, but really, the concept of side channel analysis now is not at a system level as much as it is like, say, in my case, a chip level where a chip might be doing some encryption algorithm. So it's doing AES. If you know that a system is doing AES at a certain point in time, you can now, instead of monitoring electromagnetic interference from a monitor, you can measure either electromagnetic interference of the chip or you measure power consumption changes of the chip during that encryption operation. And you can actually extract the encryption key or bits of the encryption key during these operations. So it's usually a little more complicated than what I was doing back then of recreating this data. But the concept of these side channel attacks, same concepts, just different technology. But still, a lot of devices are very vulnerable to stuff like this, even to this day.

Speaker 3 (07:15)
So I find it super fascinating about this idea of people using electron microscopes to cut open a chip and then look at the signals versus what mostly happens, which is like attacking a capacitor or things like that. Sara, I know you had a question about the recent attack on the Trezor. Do you want to talk about that for a second?

Speaker 1 (07:33)
Yes. So, Joe, you published a YouTube video about how you hacked into a Trezor crypto wallet and retrieved $2 million in cryptocurrency coins for one of your clients. One of the things that struck me in that process was how the physical world is ever present in hardware hacking. So you have the lights, the epoxy soldering, you have the ground chip. How do you think about the boundaries between software, hardware and the physical world?

Speaker 2 (07:57)
Yeah. I mean, when you're dealing with hardware products or electronic products, you're right. It's kind of a combination of everything. And that's why I've always just loved physical electronic things, being able to create something in my head and then build it for real or take something for real and kind of break that apart. So it does combine all of these things. You have software running on the hardware, you have environmental conditions that affect the hardware or that can even affect the type of attack that you're doing on the hardware to defeat security. So, yeah, it's really a neat combination of things. That particular attack was actually my first real kind of foray into cryptocurrency at all. And somebody just contacted me out of the blue, and they're like, hey, I have a Trezor, and I bought a bunch of cryptocurrency back in the day, forgot my PIN, and now it's worth a whole lot of money. And it just happened to be the perfect timing, like I wasn't traveling. It was still during COVID and I was just kind of working on my own projects, but I had time and I was like, yeah, sure, this looks interesting.

Speaker 2 (08:59)
And it just turned into this adventure that we decided to film because it was such a fun adventure, but also to show that real hacking process of a lot of times people hear, ooh, hackers, and they just think of what you see in the movies, but in reality, it's very time consuming, very brain intensive. You never really know if the attack is going to work. And there's all these things. So that video tried to kind of encompass all of those things in a way that, say somebody outside of the technical world could still understand and appreciate.

Speaker 3 (09:32)
So maybe this is a stupid question, but how did you verify that they didn't just, like, steal a Trezor with a couple of million dollars of coins on it?

Speaker 2 (09:40)
Sure. So at least in the case of Dan, who is the guy who owned this wallet, it was very much sort of a subjective process where I met with him on Zoom. I checked him out. His email that he sent to me at first was very coherent and it made sense. And he is somewhat of a public figure as far as being an entrepreneur and being involved in other businesses, so he just seemed legit and it didn't seem like the type of case where somebody would have stolen it and done that. However, since we released the video, which now is up to like four point something million views, which is pretty wild to think about, that many people learning about hacking is awesome, but we received hundreds of emails from people. A lot of those people had been scammed out of cryptocurrency by sending money to the wrong address or they were hacked and whatever. But we've gotten a lot of cases that did seem legit, and we actually have a KYC process in place for people that we're actually going to take on now, so we could do background checks and make sure they are who they say they are and all of that.

Speaker 2 (10:50)
But there's been a couple that are kind of questionable as far as like, yeah, is that really your wallet? Did you buy the software wallet online somewhere or where did you get that hardware? But it's not as common as I thought it would be, and I think really just cryptocurrency is widespread enough now where legitimate people actually forget their passwords. And the theft side of things, it happens just like theft happens in the real world, too, but it is not at the level that I thought it would be.

Speaker 3 (11:24)
One of the biggest things that we actually work on at MobileCoin is we just don't feel that most people are capable of managing like a 24 word password or a strong password. And so we try to make, like, automated password recovery that just uses a PIN, and there's a lot of trade-offs in the design of that system. We have it working at this point, but it's really interesting to think about, like, can people actually store real passwords? Can people actually, like, hang on to a strong password? And I think the answer is very rarely. Sara, I know you had a question you want to ask.

Speaker 1 (11:56)
Yeah. One of the things that we're thinking about at MobileCoin and cryptocurrency is this paradigm shift in remote computing where you don't have to trust the server that is running a service for you. And part of the importance of how we think about this new paradigm shift is that the access to the box is part of the security model. And one of the things we really want to dig in with you is assuming you have physical access to hardware, is there anything you can't break?

Speaker 2 (12:27)
Yeah, that's a good question. And just thinking about passwords for a second, when we hacked Dan's, we're like, oh, this sounds he couldn't be the only one who has forgotten their PIN, forgotten their password. We couldn't imagine how many people that was going to turn into. But you're right, it's a very small number of people that can actually maintain control or remember what their long passphrases are. It just doesn't happen. And being involved in the security industry for this long kind of seeing people still choose really easy to guess passwords because that's human nature. So there is something to be said for designing some sort of system where it makes it easier for normal people to take advantage of something like cryptocurrency or any sort of technology that requires some level of security. And that's a really hard problem. As far as having physical security of hardware, yeah, there's a saying that I think Bruce Schneier said this: nothing is 100% secure, and security is a process, not a product. Meaning you might have a system that is secure at this point in time, but over time, somebody might come up with an attack to break that system.

Speaker 2 (13:41)
And to me, security really ends up being the good security is kind of something that is harder or takes more effort or more resources or more financial investment than the value of the data or the value of the content that you're getting out of the thing you're hacking. And that's really all security is. And there's been a lot of situations recently where people are like, yeah, I have X amount of dollars on this hardware wallet, or I forgot my password. Can you brute force this thing? And it comes down to how much time do I want to spend on it? How much computational resource do I want to put into it? How much is that going to cost me? And is that worth getting the value out? So that is security. If you have physical security of a device, especially with hardware, you really want to have that, though. You could have network connectivity if it's an IoT device, that even if you don't have physical access, you might have some really computationally limited device trying to do security or misconfigured their network or whatever it is that you can still attack. But if you have physical security, it definitely gives you more options of how you want to attack the device and things you could take advantage of, especially things that engineers put into their products to make their job easier or to make manufacturing's job easier, we can take advantage of all of those things, too.

Speaker 2 (15:04)
So test points, debug interfaces, chip level access. And even if those things are locked down during the manufacturing process, like with the Trezor, it had a security bit enabled to protect the code from being extracted, you can still defeat those things. So, yeah, physical access basically just expands your attack landscape, if you will.

Speaker 3 (15:25)
So I guess the question is, I sort of think of it as this idea that basically encryption or security buys you on the order of some amount of time and some amount of cost threshold for attacking the system or the interface. And I guess what I'm really trying to dig into is, is there any sort of chip design that buys you an unbounded amount of time?

Speaker 2 (15:51)
No, not that I know of. It's always a cat and mouse game, and encryption might buy you some level of additional time or say, FIPS 140 compliance for a hardware device might buy you some level of time, but that assumes that those specifications or implementation was actually done properly by the human. And a lot of times that's not the case. So even at a base level of like, oh, the device uses encryption, it must be secure, or that device is FIPS 140 compliant, it must be secure. Not really. And a lot of times it gives vendors a false sense of security because they say, oh, we've encrypted our stuff, but they don't know, and they don't think about the attack perspective of, like, storing the key in memory that somebody can then go and access. Or maybe they've implemented for FIPS, it might be they need to have physical security. So they put epoxy over some devices, and that's the checkbox they can check off and say physical security done. But that's a very easy thing to get by. So just because you have those things doesn't make you secure. On the other hand, we're starting to see more chip level security features built into things.

Speaker 2 (17:03)
And by that, I mean security features built into the chips. So the engineer who is designing with that chip doesn't necessarily need to understand as much about security to make the system work properly. And I think that's what's going to make things definitely harder to attack. And maybe it's now raised that level of skill required to where you need, say, a focused ion beam machine to do chip level types of attacks. And that just all depends on what the engineer chooses to implement in their design. But over time, we're going to see secure microcontrollers, secure elements for memory storage. We're going to see more and more of that, which is, in my eyes, a great thing.

Speaker 3 (17:43)
So the highest level security that is like a public spec is FIPS 140, level four. And the thing that distinguishes this from other grades of encryption or protection is that FIPS 140, level four has a thermite charge or an acid mesh. And this is like a physical protection provided against hacking. Can you talk about how one might deal with a 3000 degree Fahrenheit explosive inside of the chip?

Speaker 2 (18:10)
Yeah, very carefully as it gives the answer. So, yeah, again, FIPS 140 is a great guideline. If you're designing systems, it's definitely where you want to go. When I think about thermite level four things, to me, they're all physical security systems, and they're also called anti-tamper mechanisms, which is essentially security systems for the device to protect somebody from getting access to it. The way I think about anti-tamper mechanisms, regardless of if it's just erasing data or setting something on fire, is it's still a security system. So say, I wanted to break into a house. Not that I was going to, but this is how my mind works. If I wanted to break into a house, I would look or case the property, see if they have any alarm signs, see if they have any stickers on their windows that say they're alarmed, if they have an alarm system, say if they have an ADT sign outside, then I have a pretty good chance that they're probably using ADT so that I can go and see what current hardware is being used for an ADT security system. What types of cameras, what type of wireless sensors, what type of window sensors and door sensors.

Speaker 2 (19:24)
So you can start to build this map of how you want to break into the house. And it also might be, let's just kick the door in and grab what we need and run out. So it sort of depends. With anti-tamper mechanisms, it's the same thing. If you can identify where the mechanisms are, like where are the sensors? Not the end result, but where are the things that are detecting the attacker from getting in, then you might be able to start devising an attack against those. So if I know that there are switches, that when you open the lid of the device, the switches get unpressed and that triggers the response. Okay, then let's figure out how can we open the device keeping the switches closed? If it's a light sensor, how do we do that? Maybe we go in a dark room. So we kind of take this level by level, kind of peeling layers of an onion, if there are multiple anti-tamper mechanisms, until we can figure out a way to defeat that. Of course, that's easier said than done, right? I mean, until you're actually doing it. Theorizing about it is one thing, but that is the process.

Speaker 2 (20:24)
And if it happens to be thermite, you just hope that you don't trigger that.

Speaker 1 (20:29)
Can you tell us about your most challenging hack?

Speaker 2 (20:32)
They're all challenging, even the ones that you think are easy or not. Let's see, off the top of my head, one of the most challenging, I mean, one of the most satisfying, at least recently, was the wallet, obviously, because there was a lot at stake. And to be clear that the $2 million did not go to me, that went to my customer. So I've gotten a couple of emails of people like, now that you have so much money, can you buy me a Bitcoin mining rig or can you buy me a computer? And no, I can't, but yeah, so that was just exciting, satisfying to basically be able to use skills and techniques that I've basically taught about for a number of years but never really had explored them on my own to the point of being this, I don't know if confident is the word, comfortable, like using these techniques. So, yeah, that was really satisfying. I mean, there was a lot of stuff I did as a kid with ham radios and modifying radios and using my radio to speak out of drive-through speakers to kind of harass customers as I drove through a drive-through or to speak to the people inside the restaurant wearing the drive-through headsets.

Speaker 2 (21:50)
There's so many things, but hacker perspective, actually, another one I just thought of is kind of maybe not even a hack. But I remember there was a system once that I connected to with my modem, and it was for, I don't remember, not a base station, but it was some part of the cellular phone system. And you dial up and it would actually say enter password. And if you sat at that prompt for long enough, then the system would time out. Instead of reverting you back to the login prompt, it actually dropped you into the system. So the hack basically was just sitting there waiting. And that just happened to be, I think I was with a friend at the time, and we logged in and then we connected and then went off and did something and came back and it was like, oh, man, we're actually in the system. So sometimes hacks, you don't even have to do anything. You just sit there and wait and things magically happen. But yeah, there's so many hacks and everyone is challenging and unique, even if you've done it multiple times before. And from my perspective, it never gets old.

Speaker 2 (22:57)
Anytime you do something where you gain access to a system that you shouldn't have or you gain access to data that you shouldn't have, even if you're getting paid to do it or somebody asks you to do it and it's legit, it's still, you have these superpowers, and it's just so cool to be able to use these things, especially in a situation that could help somebody.

Speaker 1 (23:17)
The biggest topic of this podcast is privacy. And from your examples and your experiences, I think you've thought a lot about security and hacking and how that intersects with privacy. Can you tell us more about how you think about that?

Speaker 2 (23:30)
Yeah, I think privacy is hugely important, and it's something that I've always really appreciated having and grateful to have. And it's hard in this day and age, especially with big data and data harvesting and people selling everything about you and offering services for free that could then be used against you. Right? I mean, we know this through Facebook and Google and Amazon and Twitter and this and that. It's kind of a gross overuse of technology and privacy plays a really big role in that. And I take effort as much as I can to protect the things that people don't need to know. But yeah, I'll use Tor, I have ad blockers and tracker blockers and all this stuff. Of course I use Signal and I do have some MobileCoin. It's important that we always keep in mind the importance of privacy and how we can use that within our own daily lives.

Speaker 3 (24:27)
It's really interesting to think about that. One of the things that I've spent a lot of time thinking about is that to be in a free society, you have to have the ability to do wrong. Any possibility of change in society depends on choice. It depends on people being able to construct narratives and to present those narratives to society. And if you can't have the ability to do things that are different than normal in society, you can't bring about change. It's really easy to see this with suffrage. Women had to be able to meet in private, they had to be able to get together, they had to be able to protest. Same thing with civil rights, same thing with gay marriage, same thing with all kinds of different ways that people relate to each other. And so I think it's really important to think about you have to have the ability to have choice, to obey society's rules or not. Otherwise you don't live in a free society. Moxie famously wrote an essay that really inspired me called We Should All Have Something to Hide, and I think you really hit on that point. I want to ask, do you think being a hacker requires privacy?

Speaker 3 (25:31)
If so, why?

Speaker 2 (25:34)
That's a deep question. I think being anybody requires privacy. Being a hacker, maybe more so, it sort of depends on what you're doing and whose feathers you're ruffling and what you're doing publicly and sharing publicly. When I was at the L0pht and even up to today, companies don't necessarily like when you say, find a vulnerability in their product or in their system, because now they have to fix something. And a lot of times they'll come after you from a legal perspective. Like you said, if you're doing something against the current status quo or as a group or a subculture or anybody trying to make a change and change the direction of our society in some way, they're going to be targeted and questioned. So privacy is hugely important in all of that.

Speaker 1 (26:29)
I've heard you call your job a mindset, not a career. What do you mean by that?

Speaker 2 (26:33)
Yeah. So it's something that I feel like a lot of times especially. Well, I don't know. It's a little bit hard to explain. So I guess the best way to explain it is sort of how I grew up thinking about hacking, and I got into it very young when I was seven years old. At the same time, I got introduced to punk rock. Right. So punk music, Angry Samoans, Minor Threat, Circle Jerks, which you might not be able to put that in the podcast, but a lot of these bands that were subcultures at the same time as the hacker world was sort of subculture. So I've always just had this mindset of questioning things, exploring more of that DIY, do it yourself ethos, not trusting large corporations, more independent as far as what I'm doing, valuing community, valuing relationships with people. And I think the hacker side to me comes with this willingness and this desire to be self-sufficient and to learn. And so I guess what I'm trying to say is hacking being a mindset is it's not just about what tools you use, what scripts you run, what certifications you have, what code you've written online, how many presentations you give in.

Speaker 2 (27:55)
None of those things really matter from the perspective of hacking is kind of this lifestyle. And I feel like you can teach people certain things about hacking, like what I just mentioned about tools and techniques and all those things. But it's very hard to teach somebody, I think, how to think in that way. And some of it maybe is just born by nature. Maybe some people can learn that. But it definitely is something that is kind of just built into my DNA as far as pushing those boundaries and questioning and really not just kind of doing what I want to do when I want to do it, which I understand I'm very privileged to be able to even have that opportunity in the first place. But that's why with my training classes, I really enjoy being able to try to teach people that mindset because anybody can, I think, go look online, look at resources, and if they're determined enough, follow along and learn the skills. But it's how to apply those in a way and think about those in a way that's actually going to benefit you, is that kind of hacker mindset: always questioning, always thinking, and then using those tools as tools to give you that stepping stone or give you that advantage to actually do what you need to do.

Speaker 3 (29:18)
But let's zoom out even further. Why does hacking matter?

Speaker 4 (29:22)
Why do you do what you do?

Speaker 3 (29:23)
Why is it important?

Speaker 2 (29:26)
That's another deep question. Hacking is all I've really ever known. So just like when I was a juvenile delinquent and I didn't really think that what I was doing was a negative thing. I think hacking is one of those things that's required to push technology forward, push maybe even society forward. And there's a lot of things that we wouldn't be able to do without technology, both positive and negative. Right. Like every tool, technology is a tool, and every tool has benefits and has problems. And hacking is, I think, needed to break out of the standard way of thinking to try to create some new technology. And you can think about Thomas Edison, Alexander Graham Bell, like people that were hacking on technologies before they were mainstream, accepted things. And then we think about Steve Wozniak selling blue boxes to make money to fund Apple Computer. And he was a hacker and doing these things. He was really involved in technology. I think I read a quote from him once that he basically just wanted to build cool things that would impress his friends, and that really shows the passion side of being a hacker and doing these things.

Speaker 3 (30:51)
One of the things that I notice about hacking and really technology in general is that it's an ecological force. What I mean by that is that hacking repurposes old technology. It allows you to get additional life out of technology in a lot of cases where things have sort of reached the end of their supported life, but there's still a community that's working on them, developing them, driving new energy into that product. At the same time, it's something that sort of separates the wheat from the chaff. If you have systems where they can't survive somebody, like really intensely attacking it, they tend to not last forever. So I guess one of the questions I have is what technology are we using right now that maybe isn't as secure as we think it is?

Speaker 2 (31:36)
Maybe the Internet, maybe every application that we're using, I think there's always going to be some vulnerabilities in systems. I kind of always operate under the assumption that I've been compromised, whether that's somebody hacks my webcam, somebody is listening on my microphone, even my phone, not only my computer, you just don't know what current thing somebody is targeting. And if you're being targeted specifically or if it's just sort of a mass push of trying to find vulnerable systems across a wide swath of the Internet or of IoT devices or something that you might get caught up in that net. But again, if you think about the Internet just as a whole, it was never designed to be secure, right? It was designed to be this open information sharing thing. And over time, as more people started adopting the Internet, and you had commercialization of it, then you had ecommerce. So now you have to have security built on top, and everything is kind of built on top of this rickety structure of insecurity. And if you don't have security designed as a base, you're never going to have a secure system on top of that.

Speaker 2 (32:48)
And that goes for the Internet, goes for software applications, it goes for hardware designs, it goes for everything. And I think just in general, though, humanity is accepting and using technology, whether or not it could be hacked, people are using it and maybe are not thinking about sort of the nefarious underbelly of all of these things.

Speaker 1 (33:09)
We could say as long as governments or people are motivated by power, problems will exist.

Speaker 2 (33:14)
Yeah. And money, right. If somebody can hack a bunch of devices from their basement, the 400-pound hacker hacking somebody from their parents' basement and making money, it's going to happen. And we've seen that change. I've seen that change in my lifetime of doing this, from hacking, being a very I wouldn't say an innocent time, but it really was mostly teenagers and people just fascinated with computers because not everybody even had a computer back in the day. And it was really more of this exploratory kind of going up against big telephone companies and this and that and just having fun, whether or not it was harmful or not, to a much more organized structure of you have organized crime groups, you have different hacking groups. You have groups that are selling tools and vulnerabilities to the government that can then be used to oppress certain types of people. And that a lot is financially motivated. And like you said, power motivated. And unfortunately, that seems to be just humanity in general, whether it's on technology or not. But having it this connected world that we have and having all these insecure Internet of things devices online that could be used for botnets or whatever else, and then having all of these systems online that people could attack, you have the phishing, you have the scams, you have all of this stuff that people are affected by.

Speaker 2 (34:46)
And it's just kind of it just happens.

Speaker 1 (34:49)
From what you've seen from these trajectories, what do you think is the future of security and hacking and technology? And what would you like to see?

Speaker 2 (34:58)
I would like to think that we have a passionate next generation of hackers that are continuing on and kind of carrying the torch. And we see that through a lot of community run hacker conferences. We see that through amazing presentations at these different conferences and amazing research. I would like to think that that hacker culture continues and doesn't get swallowed up in this quest for money and power and fame and all of this. I know that there are very passionate people out there that hack because they love it and because they can make a difference in some way. And thinking now with current events and hacktivism and there are so many important things that you can actually do with technology that may or may not be legal, but it might still feel like the right thing to do at that point in time. And hopefully those things continue and can help make a change in the world, no matter how big or how small.

Speaker 1 (36:00)
I know that you teach hacking, and for our aspirational hackers out there, do you have words of advice or inspiration that has inspired the people that you work with and could inspire others trying to get into the hacking game?

Speaker 2 (36:11)
Yes. I think that the main thing is finding something that you love and that you're interested in. Because hacking is one of those things that if you don't really love it, you're going to get discouraged really quickly and you're going to go find something else to do. So finding something that you really love, being persistent and constantly trying things, not being afraid to fail. And if you do fail not to hold that against yourself, be kind to yourself because it happens to everybody and you can't really make change and you can't do something great if you're not willing to kind of take those steps and stumble and get up and try it again. And it sounds really kind of cheesy, but it's true. And I'd mentioned every hack that I've done has some sort of challenges and there are times where I'm like, this sucks. I hate this. I can't believe I took on this project. This thing is annoying me. I'm not going to be able to do it. And just like with the wallet hacking, I was getting really frustrated and then something happened and it magically worked. And then I could work backwards to figure out what caused that.

Speaker 2 (37:18)
So really, it's not even about your technical skill or anything like that. It's just having that passion and that drive to do something with technology that's never been done before to try something new. I get a lot of emails about that of like, how do I become a hacker? Or how do I get into this stuff? And I think the easiest answer is you just do it. You find a product that you want to hack, or maybe you find something that's already been hacked and you replicate that work and you get your hands dirty and you try something and maybe you make it better, maybe you do something else, maybe that inspires you to then try that same attack on some new piece of hardware that then you have to change something. So it really is this. We're all standing on the shoulders of giants, which I say a lot. Also, like we're all building on each other's work. Before my generation of hackers, there were earlier generations of hackers. In the early 80s, Cult of the Dead Cow, the 404S, Legion of Doom, Masters of Deception and then you had our generation, and even before them, there were other hackers.

Speaker 2 (38:21)
So it really is just kind of doing what you love to do and hope something comes of it. And if you succeed, see how you can release that information, give a talk at a conference, release a blog post or make a video, whatever you want to do. And I think that's the beauty of hacking is there are no rules around it, and you can do something in whatever way makes you comfortable, makes you want to do it, and then you can release it in whatever way you want. You don't need to get a CVE number. There's a million ways to release information you don't have to conform to one way to do it. It's just however you're comfortable with. And once you realize that, it's like, oh, okay, I'm going to do it the way I want to do it, and the information gets out there and you inspire somebody else and then it snowballs into other things. So really just get out there and do it. Love it as much as you can while you're doing it, and don't feel bad or embarrassed if something doesn't work because it happens to all of us.

Speaker 3 (39:24)
It always trips me out that Beto O'Rourke was a member of the Cult of the Dead Cow. I just wanted like funnier, stranger political facts in the world.

Speaker 2 (39:33)
Yeah, it's great to see a hacker, actually a known hacker in the political spectrum of really trying to take that mindset. And I don't know how much his mindset has changed over the years, but it's pretty amazing to see where he's at his level, coming from, where we all came from.

Speaker 3 (39:53)
So the final question I have is that you once said that the loft saved your life. What did you mean by that?

Speaker 2 (40:00)
Yeah, so the loft definitely saved my life. Like I mentioned at the beginning, I was involved in a lot of kind of mischief. I was involved in a lot of, I guess you could say now, criminal activity and the fact that I got arrested when I was 16, luckily I was under age and didn't go to jail for that, though other people I was involved with did go to jail for that. If I had not come home and if the loft had not kind of took me in under their wing to sort of guide me the right way, I probably would have just gone right back to what I was doing because that passion was still there, my mischievous side was still there. And without having those sort of barriers or guidelines or people to follow to use the skills in the right way, I probably just would have kept doing the same thing and maybe bigger hacks or starting to sell things because as I got older, I wanted to have money. So it just would have turned into something much more negative. And probably I would have ended up getting in trouble for other things and then I would have been over age and who knows what would have happened?

Speaker 2 (41:11)
So the loft really saved my life in that term of it was a very formative time of my teenage years. I was involved from 18 until we sold the loft and started @stake. 2003 is when I left, so it was quite a long time. I was 20 at that point. 20 something, math is not good, 26 maybe by the time I left. And I just learned so much about how to present yourself, how to present information, how to share information, how to empower people, but still do it in a way that is organic and that you love and that you don't have to fake things, right. Like, this is who I am and that's okay in whatever way that is. So the loft really taught me all of these things and especially as a teenager, you're growing up and you're becoming an adult and all of these things. Just having that group of guys around me was very special and even to this day, they know that. And every time I talk with them, I tell them that. But everybody has their own perspective of those times. And for me, just having those guys around as sort of mentors, whether they were intentionally mentors or not, was huge and completely changed the direction and the vision of what I was going to do from that point forward.

Speaker 1 (42:36)
Thank you so much for sharing that story with us. Let's leave it there. Our guest has been Joe Grand, product designer, hardware hacker, and the founder of Grand Idea Studio. Joe, thanks so much for coming on the show.

Speaker 2 (42:49)
Yeah, thanks again for having me. And thanks to everybody for listening.

Speaker 4 (42:55)
Don't forget to subscribe to Privacy is the New Celebrity wherever you listen to podcasts and check out to explore the full archive of podcast episodes. That's also where you'll find our radio show every Wednesday at 6:00 p.m. Pacific. I'm Joshua Goldbard and I'm Sara Drakeley.

Speaker 1 (43:15)
Our producer is Sam Anderson and our theme music was composed by David Westbaum.

Speaker 4 (43:19)
And remember, privacy is a choice we deserve.