Global Bob Show

Episode 10 - The DOJ Will No Longer Prosecute White Hat Hackers!

Global Bob Season 1 Episode 10

Ethical hackers and security researchers rejoice! The US Department of Justice has announced that they will no longer prosecute those that hack in good faith! In this episode Global Bob (Brian Varner) introduces his listeners to why people hack and the different types of hackers. He later gives his opinion on the latest news from the US Department of Justice on not prosecuting good faith hackers.

Transcripts are automatically generated.

All right, it's that time of the week again, it is time for the Globalbob Show, we are the crossroads of technology and politics. Now this week has been a real special week and will probably go down in hacker history as one of those days that you remember. And what I'm talking about is that the United States Department of Justice has announced on Friday, May 19, they will no longer be prosecuting white hat hackers, or hackers in good faith. Now, that's real exciting news for those of us that have been in the business for quite some time, and have made careers out of exploiting different things and networks. But we were doing it with the backing of either the US government, or multi-billion dollar publicly traded companies that had an army of lawyers that were at all times making sure everything that we did was completely legal and 100% sanctioned, in case things went awry. I cannot wait to dive in and unpack this for all my listeners out there. So please, if you like the show, and like what you hear every week, if you could please ask somebody to subscribe to the show. We have a Facebook page up and going, the Globalbob Show. So you can find this out on Facebook, Twitter is at Globalbob Show, of course, you can email me Globalbob show@gmail.com. And if you want to be a super fan, you can get your Global Bob merchandise at shop dot global bob.org. Let's get into this. So like any line of business that someone gets into, there's, you know, common reasons why people get into the business. And something that intelligence agencies use is an acronym called MICE. And they apply this to folks that are getting into espionage or people that want to sell the US government secrets. They use an acronym called MICE. Well, the same can be said for really any kind of shady, quasi-legal depending on who you ask, industry. And so I'm going to break MICE down for you, so you understand why hackers hack or why they even get into this.
Well, the first part of it is M, which is money. Some hackers get into it because they simply want to buy fancy things. And you kind of see this when they're in, you know, some of the lower levels of college, they start getting some skills and they know how to do certain things. Well, they may get into it, they want to hack stuff so they can get paid, so they can buy fancy cars or clothes. And there's tons of cases around that. Some actually get into it to pay for college. Yeah, what better way to put yourself through college than do something quasi-legal or probably illegal, and use it to pay for college. Now the other one I found, and I was listening to a podcast not too long ago, and it talked about a hacker in particular that got into hacking because he wanted to pay his friend's medical bills. And I think that's really sad that someone would resort to illegal activity to help pay for medical bills. And while it's a noble cause, it's still illegal. So you got money. That's one reason why hackers get into hacking. The next is where a lot of people, when they think of a hacker, this is kind of the stereotype that they have in their mind. And it's for ideology. Some hackers, they get into it because they're mad about a position of a government, say they don't like what Russia is doing to the Ukraine. And so they get into hacking, and they want to be able to go after the Russian government. So for ideology reasons, some hack because they don't agree with a company's position. I mean, we see it a lot of times in the news with hacktivists. They're sometimes hacking petroleum companies because they don't like the pollution, or some chemical companies because they don't like what they're manufacturing. And then the last one is that you actually see some nation states get involved with this, and it's for religious views. Now there's been a sustained effort of the Chinese government hacking Tibet.
Well, it's no secret that the Chinese don't exactly agree with what the Dalai Lama is about, and I'll say Chinese, I mean I'm talking about the Chinese government. And you also see that there's terrorist organizations trying to hack Western government organizations, because they don't agree with what Western governments are doing in the Middle East. So a lot of times when people think of hackers, they think of the ideology hackers, the ones that, you know, are trying to take down the big government or the big corporation. The other is compromise. And so this is where someone may possess the skills, say they're a security researcher, but they're not really into hacking things, they just have a lot of inside knowledge of how a certain program works, or how a certain corporation works. And so these hacker gangs and hacker groups, they will go after them and try to compromise them in one way or another. And so once they are compromised, then they'll do whatever it takes. And so these folks that fall into the compromised category, a lot of times they're being blackmailed. And so this is where the hacker group tells them, hey, take this thumb drive into your company, and it has some tools on there, and we're going to teach you how to use these tools so you can then help us hack the company. Now the last part of MICE, the E in MICE, is ego. And I can tell you, no matter what category you fall in, whether it's the money, the ideology, or if you've been compromised, ego is a very big part of hacking. A lot of times when you're compromising systems and hacking things, some of the stuff that I've been involved with, you're looking for the elusive zero day exploit, which a zero day exploit means that for all intents and purposes, you're the only one that knows how to do this out of everybody in the world, you're the only one that knows how to exploit this particular software or system. So it gives you a big ego.
And I know that some of the zero day vulnerabilities that I found that were 100% sanctioned, that it did inflate my ego. It was very cool to know that, hey, I was the first, may not necessarily be the first, but the first because no one else has told anybody else about it, if they were able to do it. And for sure, the corporation or the manufacturer of the product had no idea, if not, they would have rolled out a patch. But I can tell you that every time I've ever compromised a system, or discovered a vulnerability, that my adrenaline was pumping, and it felt very, very good. And that's what drove me to do even more. And you can see that even in the legal space, money, ideology, and ego, those three, the part of MICE, is what really drives people. Because if you have an ideology that you want to help advance the cause of the corporation that employs you, and you believe in what they're doing, and they're doing good for the world, like what we were doing when we were looking at banking industries and medical devices and stuff, I felt in my mind that I have to do this because it's the right thing to do. Of course, I enjoyed the money that they paid me. And as far as the ego, it really made me feel good whenever I would get up and talk about these kinds of things. And so that's what drove me. But the thing is, is that the whole time, I know in my career, I always kept in the back of my mind, like man, you know, one fall, one little slip, and I could get myself in some real trouble. And so I always felt that whenever I worked for a very large corporation, all of this would be run through their legal department, and even all the way up to the CEO and the CTOs. We knew exactly what we were doing. And there were many times I would be told, hey, you know, I need to back away from this a little bit.
And so when I would do things, in my mind, I would always stop and get 100% permission, or actually explain what's going on, when we get to the point of what we call weaponization. Weaponization, to me, is when I can take something that's highly technical, and put it in either a program or create a device that would allow somebody without my technical knowledge of the system to compromise the system. And I stopped many times whenever I was working with ATM machines, power grid systems, I would stop before that weaponization part and then get another check to make sure that, you know, if something goes wrong or someone finds out about it, they may not know the complete story, that I had full coverage with that. So that's why this is so important that the DOJ, on May 19, has come forward and said, we're no longer going to prosecute those folks that operate in good faith. So we talked about MICE, why hackers hack, right, with the MICE, either money, ideology, compromise and ego. But let's talk about the different types of hackers. There's many different types of hackers. Just like there's many different types of doctors, you know, a doctor can use his skills and knowledge for good or a doctor could use his skills and knowledge for bad. I mean, we see it when some of these researchers, they go off on an ideology path and help, say, create some bioterrorist pathogen, but same thing with hackers. So there's different types of hackers. Now, when you say hacker or think hacker, you think probably about all the Hollywood movies that you've seen, whether it's Swordfish, or The Matrix, or any of them. And that's a black hat hacker, in most cases, right? Because that's what's cool. I mean, I know that when some people get into hacking, it's usually the ideology call, black hat hacker, right? They want to go out and do something for a cause. So think of your black hat hackers as simply criminals.
And I know that some of y'all that are highly technical that listen to this podcast may say, well, black hats aren't criminals, or what about a black hat working for the government? Again, I'm using very broad strokes. I'm trying to explain this in such a way that my aunt and my mom and my dad can understand. So just bear with me. So black hat hackers are usually criminals. Well, if you got criminal hackers, then you must have good hackers, and those are your white hat hackers. And that's where I like to say that most of your security professionals fall into, they're white hat hackers that are out here using their skills to try to better software, to try to find flaws in networks. And so everything they do is ethical. But we know that sometimes, you may have good intentions, but you may fall into the third type of hacker, which is a grey hat hacker. Now these grey hat hackers, they're not malicious like your black hats. They're not breaking into ATM machines because they want to steal money. They're trying to break into ATM machines because they want to understand how they work. But some of the methods they use could be slightly, a little bit dark, or not exactly legal. So a lot of your white hat hackers are actually kind of dabbling in the gray space. And a perfect example of this would be, if I was wanting to compromise an ATM machine, and I needed to brute force a password that I know is on all ATM machines, well, it's kind of a little bit of a gray area if I should take that ATM machine and lift the operating system off of it using, say, a chip dumper and then use password crackers to go after that. That's kind of, you know, kind of dabbling. It's one thing to find an exploit that will get you into it because you found a flaw in the security, but actually brute forcing and cracking those passwords, that's a little bit in the gray area. Then we have a couple other hackers there. We have a red hat hacker, and he is a vigilante hacker.
And so he takes, and he is a good guy, but he's going after the bad guys. And we've seen this some in the news. There's been hackers that go out and they will target, say, pedophiles, and they will do things like distributed denial of service, which to me really isn't hacking, but they will maybe send a spear phishing email that then downloads a payload onto the pedophile's computer that then allows them to destroy all the data on there. While it is a noble cause, it's kind of, you know, you're a vigilante going after them. And there's probably a better way to actually go after that. Then, after the red hat hackers, you have a blue hat hacker, which is kind of cool. So the blue hat is seeking revenge. Not really highly skilled. A lot of these, a lot of times this will be, say, your kid has a game they play online. And in one of these games, they think the other person is cheating. And so what they do is they want to go out and hack for revenge, they want to go after the person that, say, disconnected them from their ISP or had some kind of cheat in the game that they didn't feel was right. And so a lot of times these are the ones that don't really care about increasing their skills, all they want to do is go out for revenge, they don't care about the money, right? These are the blue hats that say, hey, you took me out. I'm going after you. I'm gonna take you out. Kind of close to the vigilante red hat. But this is different. This is someone that was attacked first that then turned around and did whatever they could to take the other person offline. Then we have our green hat, which, just like in, say, karate, you have a green belt, you have a green hand in FFA, which is basically your newbie hackers. These are usually where a lot of people start out. They start off with a green hat, and something that I don't want the green hat to be confused with in the hacker community is script kiddies.
Script kiddies are a lot of times your blue hats and your red hats, right? These are the people, the script kiddies are the ones that say, hey, give me this executable. I double click it and it takes out this system. This is kind of where I was talking about the weaponization with white hats. You want to make sure that anything that you create, that it's not weaponized unless you have explicit direction and actual need to weaponize that. So that's what a script kiddie is. Green hat hackers are just newbie hackers, right? These are the ones that have a lot of knowledge about computers and networks and the inner workings of electronic devices. And so they're really getting into this because they want to increase their skills and maybe one day move into being a white hat hacker. So now we know the different types of hackers. And we know why hackers hack. Let's talk about how hackers get taken off the battlefield. And one of the ways that hackers will get taken off the battlefield is under the Computer Fraud and Abuse Act of 1986. Now imagine that, here we are in 2022, and hackers are getting taken off the battlefield or being prosecuted under some act that is about 34 years old. And this act was very, very broad. And to me, I think it had a high level of abuse. Because what would happen is, and this is just one scenario that I was familiar with, is that there was a corporation that took down a hacking group at one time. And they seized all the information from the hacking group, right, chats, emails, and they also seized the shopping cart of this hacking group. This hacking group sold hacking tools, or security researcher tools is what they called it. And they sold hats and T-shirts. Well, the company took down the hacking group and seized all the information, then that company in turn took everybody that ever bought anything from that hacking group and got lawyers involved to send out threatening letters. And the letters were quite threatening.
I've read a couple of them that I was familiar with. And it basically read something like, you know, we've associated you with this hacking group, and we feel like a hacker of your status cost us X amount of dollars, please send us a check for the amount disclosed, I think it was like 6000 or $7,000 or something like that, and sign this piece of paper that says that you will never sue us again, and if we ever catch you again, we'll come after you with the full extent of the law. Now a lot of the hackers got scared, and they conformed to the letter and sent the money. They probably had to tell their parents what was going on. And then what was always in the back of their mind was that now that they've signed a letter of admission to the company, now that company could take that information and go turn it over to the Department of Justice. And so what you would see is that companies would threaten to turn your information over to the Department of Justice, who could use the Computer Fraud and Abuse Act, because it was so broadly written, and actually have some criminal time just for merely possession of equipment. And the equipment part could be something as simple as a modified Wi-Fi router that has got software on there that helps aid in the compromising of devices that connect to it. Now, some of these researchers and hackers, they were basically in a big wide cast net, and some paid the money and some didn't and actually went to court, and a lot of them lost their court case, because the company was able to prove that the device that these security researchers were using was only used for one thing, and that was to compromise their technology. And we know this is totally not true. This would be the same, in my mind, as you're telling everybody that has a fishing pole in the back of their truck that that fishing pole can only be used to catch fish that are on the endangered species list. This is just so crazy.
But what happens is that these legitimate security researchers get caught up in this. And so one of two things, either one, they don't get into the security field because they're worried about the ramifications of just merely doing this research. Or two, they keep all of that knowledge inside their head, and they only let it out when they're in a position such as what I was in, to have all the legal backing of either the US government or the major corporations. And so we have a lot of smart people. And we see them every year at the biggest event in all of hacking, which is DEF CON. And it's so sad. A lot of times the best presentations are in rooms where they don't allow any cameras, any recording devices or anything. And so the reason why is because they're worried that somebody from a corporation could see a demonstration of someone hacking into their device or their network. And next thing you know, they're hauled in front of a judge and jury that don't even understand what they're doing. And so they could get the maximum penalty. So this is very, very big news for us. But the other side of that is that I want all of my green hats and black hats that are out there, my red hats, my blue hats, all your hat hackers, please don't use this as a Get Out of Jail Free card. This is not to take the reins off and say that everything is an open target. This is really going to force us to act in the most ethical way. So how do you keep yourself from crossing that line? I talked a little bit about it at first, that you got to stop at the weaponization, and in weaponization one of the key weapons is when you create a worm or a virus, or something that propagates without your control, you have really crossed the line at that point. And so if you have an exploit into maybe a router that you know there's 100 million, 1000 deployed around the world.
Well, what you can do is start a dialogue between yourself and that company and tell them, hey, I've discovered that there's an exploit into a router, and put it in very concise sentences. I have stopped my research because I have collected enough information that I feel like this could be detrimental to your company. And so I would like to see if you guys have a bug bounty program, which a lot of companies have now. Microsoft has one, Google has one, they have bug bounty programs. And so you'll ask them, I would like to participate in a bug bounty program if you have one. And now that the DOJ has said they're not going to prosecute white hats, there's no worry that they can, you know, collect that information and get the FBI involved and see what they come back with. But you have to remember that it is their right not to respond to you, it is their right to say they're not going to pay you for it, and can you give it to them for free, but there's a lot of companies that will be more than happy to give you a couple hundred or even a couple thousand. I know some bug bounty programs where people are making $50,000 or $60,000, if not more, off of these bounties. And a lot of times, they'll probably offer to give you a job, to bring you in if you have that much knowledge and interest in their software. And so that's how you don't cross the line. Now, if the company responds back to you in a harsh tone that says, you need to erase everything off of your computer, if you disclose this to anybody, we will prosecute you to the full extent of the law, we work with the Department of Justice, and, you know, all this legalese, right. If any of you guys have ever got letters from attorneys like I have, they definitely pass the weight test, you know, lots of information coming back at you. And so you read through all of this. And what you want to do is maybe reach out to them one more time and say, okay, I understand that you don't have a bug bounty program.
I'm going to just keep this knowledge to myself at this time, and in the future, if you feel like you need to reach out to me to get this information, let's set up some means of compensation, whether it's as a contractor under you, or if you would like to pay for this badly. But right there you have to stop. This does not give you the permission to go put this out on the internet and say, well, I asked and they don't want to pay me, so I'm putting it out there. No, you can't go out and say they didn't pay you, so I'm going to release this. All right, we are at the bottom of the half hour. And as always, I appreciate everybody that cruises along with me on the digital highways and byways of cyberspace. Thank you so much for listening, and those that share. I would also like to say that whether you're a pirate sailing the digital ocean, or if you are a keyboard cowboy on the open range, or a keyboard commando in the battlefield, last week was a great week for all of us. But just remember, because we're getting a little more freedom in our abilities to research and not have the burden of the Feds kicking in the door, this does not mean that it is open season on all computer networks. Remember, if you want to be clearly in the white hat category, your number one job is to increase security. Don't cause any damage and just be an all around good person. Alrighty, so if you want to reach out to me, you can find me at Globalbob Show on Facebook, at Globalbob Show on Twitter, or you can email me Globalbob show@gmail.com. And I'm sure we will all be talking about this at DEF CON in the summer, which for those that don't know, DEF CON is one of the largest hacking conventions in the world, the largest hacking convention in the world, or summer camp for nerds, however you want to look at it. Until next time.