The FAIK Files 8.8.25
Ep 46 | 8.8.25

How to Think Like a Hacker (with Ted Harrington)

Transcript

Mason Amadeus: Live from the 8th Layer Media Studios in the backrooms of the deep web, this is "The FAIK Files." When tech gets weird, we're here to make sense of it. I'm Mason Amadeus. Perry Carpenter is out this week. He is again deep underground in a bunker complex searching for secret government operatives, or he's in Las Vegas. I can never remember. It's one of those two things. Either way, this week, we have a special episode for you. We're bringing you an interview that we conducted about a month or two ago with the one and only Ted Harrington. Ted is wicked smart. He's wicked cool, and he's got an upcoming book all about the hacker mindset, how a hacker looks at the world. And in this interview, we talk about that. We talk about how he and his team of ethical hackers have infiltrated all sorts of technologies ranging from your smartphone to vehicles to medical technologies. We talk about how security compliance isn't really anything, sort of. Ted puts it better than I do. This interview covers a lot of ground. It's a lot of fun. I'll give you some more details before we jump into it. We just got to get some housekeeping out of the way first. So stick around. We'll be right back. Sit back, relax. And if it ain't broke, why not figure out if you can break it? We'll open up "The FAIK Files" right after this. [ Music ] So we had the privilege to talk the other week with Ted Harrington. He is the executive partner at Independent Security Evaluators where he leads a team of ethical hackers who do research into a variety of vulnerabilities across a bunch of different domains and technologies. They've hacked into iPhones, medical equipment, vehicles, all sorts of stuff. They do a lot of cool security research. Ted is also the author of the book "Hackable: How to Do Application Security Right." And at the time of recording right now, his new book, "Inner Hacker" is coming out in just a couple weeks. You can actually get a discount on it if you join the waiting list. 
There's a link in the show notes for you to do that. The book, "Inner Hacker," is all about the hacker mindset, how to look at the world the way the hacker does, to see through the sort of surface layer of the systems we interact with, to be curious and ask questions about how things work, to poke around at the guts of stuff and find interesting and unintended consequences and capabilities inside of the various technologies that we encounter on a daily basis. From things that are just part of your daily life to things that are mission critical, like, well, like medical equipment. You'll hear later in the interview that I particularly got curious about that one. He told us a cool story of how his team got their hands on some of that stuff and some of the things they did with it. But our interview focuses a lot on that hacker mindset and how it is a superpower to be curious and how what it means to be a hacker isn't necessarily to be someone in a basement typing away scripts on your computer trying to hack into bank accounts or whatever. It's a much more nuanced way of just being curious. And Ted puts it a lot better than me. So without any further ado, we're going to drop right into that. Here is our interview with the inimitable Ted Harrington.

Perry Carpenter: Alright. This is one we've been looking forward to. This is a great interview that we're about to have with Ted Harrington. Ted is a hacker extraordinaire, really kind of dives into the hacker mindset. And that's one of the things that I really want to get into because Ted has a book that's upcoming over the summer, probably just in time for DEF CON. And it explores really just the way that a hacker views the world and situations and is able to not always for the detriment of something or to do something malicious but really just to see opportunity and to flow from opportunity to opportunity to gain whatever advantage is needed. Did I characterize that right, Ted?

Ted Harrington: You did. You sure did, yeah. And including the important distinction that the hacker mindset is not bad.

Perry Carpenter: Right.

Ted Harrington: You know, that that term has so unfortunately become used to mean like a cybercriminal. And some hackers are cybercriminals, but not all hackers are cybercriminals.

Perry Carpenter: Right.

Ted Harrington: And I believe that the hacker mindset is a superpower. And that's why I'm kind of really been studying this concept and writing books about it and stuff is that I think it unlocks amazing things for anyone, not just security professionals, but anyone. It's, it's a superpower.

Perry Carpenter: That's, one of the things I talked about in my book too is this, this really the, the truth behind the fact that we wouldn't have an Internet if it wasn't for a hacker mindset. We wouldn't have either Apple or Microsoft computers if it weren't for, for hacker mindsets. You know, people in their garage that are tinkering with the status quo and pushing it in new directions is what it's all about.

Ted Harrington: Totally. I mean, you look at like, the street address for Facebook, Meta, is one hacker away.

Perry Carpenter: Right. Yeah, that's right.

Ted Harrington: It's like that- they build stuff. Hackers are, you know, creators, and hackers are people who just look at something and say, you know, can it do something different than what it currently does?

Perry Carpenter: You know, I think, the modern equivalent way of thinking about it is in tons of places right now, people are creating these maker spaces for people that want to play with 3D printing or CAD devices and CNC devices and so on. And I think that, the hacker mindset is very similar to like the maker mindset. And maybe if we were to build that parallel for people, then we might be able to undo some of the media damage that's been going on for the past couple decades.

Ted Harrington: I like the way you describe that, the media damage. That so succinctly summarizes what the issue is around this. Yeah. I think there is a lot of overlap between the hacker mindset and the maker mindset. Both are tinkerers, you know. Both, both see what something could be as opposed to what it is now. And, like people I think people are actually familiar with the hacker mindset if they don't necessarily realize it as such yet. We have life hacks. Right. So people are like, what's a more efficient way to get through the airport or organize my pantry or use an IKEA product in a way that it wasn't actually intended to be used, but now it creates this like very expensive furniture for less expensive money. And I think that comparing the hacker mindset to like a life hack almost makes it feel like smaller than it is. But, nevertheless, that is the hacker mindset, looking at something and saying, you know, is there a different way to approach this that hasn't been considered before, or that wasn't the intended use for this thing?

Perry Carpenter: The thing that comes to my mind is that everybody in the world has been a hacker before. I mean, it's as simple as if you've ever used a butter knife as a flathead screwdriver, you're a hacker. You've solved a problem using a tool that wasn't intended to solve that problem. And I think that that's really what we have to get across to people is if you've looked at life from a MacGyver point of view almost --

Ted Harrington: Totally.

Perry Carpenter: -- then you understand what it is to have a hacker mindset.

Mason Amadeus: I conceptualize it a bit as like a bottom up understanding of things rather than looking at anything as its individual like platonic ideal of an object. It is a collection of systems and functions that work together. And if you can just identify and break down those separate systems and functions and what each step of it does, you can use it to do other things. So, like, rather than looking at everything as a proper noun, you look at everything as like a stack of simple things working together in a complicated way. And for me, I was really big into "Destination Imagination." Are you familiar with that program? It's a thing they do in schools. Have you heard of it, Ted?

Ted Harrington: Not by name, but maybe conceptually if you explain it.

Mason Amadeus: It's a, it's a competitive problem solving tournament type thing that very much encourages kids to learn. They don't call it a hacker mindset, but I think that they should because it's very much that like you can solve problems using things that were not designed for it, creative misuse and repurposing of things. Just training you to look at the world that way. And I feel like that was the most valuable thing I did at that age that led me to where my career has gone.

Ted Harrington: You brought up a really interesting point, this idea that, like, a hacker looks at a system and can see the whole system, of course, but starts evaluating the individual components. And how, how do you, you know, what does that component do and how might you manipulate that, whatever. And this really interesting theme emerged as I've been working on this forthcoming book, "Inner Hacker." One of the things that's been so rewarding about it, and by the way, is like a reason to write books, is you get to go interview people that you admire and respect and all that stuff. So I got to interview all these different hackers and asked them, you know, what does it mean to you to think like a hacker? And it was so fascinating to hear all these stories. But one thing that kept emerging was so many of these hackers that I interviewed, they talked about the way that they take things apart. And many of them had these stories where they were like, oh, well, when I was a kid and I first saw a Rubik's cube, rather than try to solve it, I took it apart to see how it worked. And then once I knew how it worked, I could then try to solve it. And I was like, that's so- that's such a fascinating way to look at the world is not just immediately try to solve the puzzle but try to understand how the puzzle works. And that's the hacker mindset, and that's along the lines of what you're talking about, understanding the components and how they work together, and then attack a component at an individual level.

Mason Amadeus: I feel like it empowers you to think that you can do anything, right? Like, it, it takes away this barrier of, like, oh, I have to, I have to somehow know all of the parts of something to begin to understand it. I feel like the hacker mindset is, at the same time, like, an incredibly useful heuristic for like breaking things down and understanding it, but it's also permission to play and explore.

Ted Harrington: Dude, I, I love that you brought that up. Permission is such an important part of this because so many people limit themselves. All of us do it. I do it. I'm sure you guys do it yourself. We choose how big we're going to dream. We choose how grand of a plan we think we can go pursue or implement. And hackers are willing to give themselves permission to separate from that for a moment. I mean, everyone has some practical reality constraints about how they think or approach things, and that's totally fine. But the idea of being able to just say like- like when we look at a system, when our team of hackers ever look at a system, they don't say things like, oh, well, you know what, this system is compliant with XYZ framework. And since it's compliant, it must be that we can never, you know, be able to compromise it. They look at it and they say, all right, well, it says it can't, we can't do a certain thing. Let's see if we can do that thing. And it's that permission to try, like, wild things. And, like, when I think of the conversations that I have with, my business partner, Steve, amazing guy, one of my closest friends, just, just incredible hacker mind. And the favorite conversations that he and I always have with each other, they start like this. One of us will say to the other one something like, so here's a terrible idea. And the other person will be like, I'm putting down whatever I'm working on right now, I want to talk about that. Because it's that freedom to say like, like we can understand what makes a bad idea bad. Like, oh, well, we shouldn't do that thing because, well, that's illegal, you know, for example. But we won't, we won't discard exploring the idea just because we can see it's a bad idea, because in the bad idea, there's a good idea hidden in there somewhere, and we just have to give ourselves the freedom to explore it. And so you nailed it. 
I mean, it's the permission we give ourselves to think like a hacker is the first step and is a really critical step to this.

Mason Amadeus: I, really quick, I'll hand it back to you, Perry, because I don't want to dominate, but actually, I want to turn around the question you mentioned that you asked people back on you. Do you have a story from when you were little of taking stuff apart? Or, like, when did you kind of have the fledgling breaking into this idea that you would develop a hacker mindset?

Ted Harrington: It's interesting because when I think about like where I am in my profession right now and how I got here, I didn't realize it at the time. But as I transitioned into security, I used the hacker mindset. So many, many years ago, and I'm actually planning to open my book, telling this story. Many years ago, I was working in a completely unrelated field, and it felt pointless. Like the work that we were doing, I mean, I was good at it, but it just like, I wasn't becoming a, I didn't feel like I was becoming a better version of myself. I didn't feel like I was contributing to the world. I didn't feel like I was surrounded by smart people, and I knew I wanted to make a change. And so I tried all the typical ways that everyone tries to, you know, change their profession. I like applied to jobs. I networked. I like, connected with people on the Internet, did all this stuff. And it just- none of it was ever working. So then one day, I decided I was like, well, let's do the opposite. Instead of chasing opportunities that exist, let me try to trace an opportunity that doesn't exist. And when that reframe is really powerful because now it's like, well, how do you do that? What are opportunities that don't exist? Where are the rooms that those opportunities appear in? And so that really changed everything. Because now I was like, well, maybe instead of trying to, like, go find a job or network with someone, why don't I go meet investors? Investors invest in companies. They're a trusted advisor to those companies. Now if because an investor likes me, maybe they'll plug me into one of these tech companies I want to join. And eventually, that worked because investors, they're, they're busy, for sure, but they're always interested in, like, new ideas and new people and all that stuff. And so I met this company. They thought, like, hey, here's one of our portfolio companies. It's actually not doing great, but you should talk to them. I talked to them. 
Very long story short, I wound up being able to join that company. It was this company that does some green technology. It was pretty cool tech that they had. It was really, really cool. And then eventually that led to an introduction to the guy I mentioned before, my business partner, Steve. And now I'm in security. When I started that whole thing, I was not like I need to run a company of hackers. But I did this like really unconventional thing. I, you know, was very nonconforming in the way I thought about solving my problem. And because I was nonconforming and I was, I was really curious about the problem, like, how do you go about, doing this differently? How did this even work in the first place? It created these new pathways. These pathways were overlooked. Like, I don't think the average person who's trying to find a job or change their career, I don't think they're calling investors and being like, can I take you to coffee?

Mason Amadeus: Probably not. No.

Perry Carpenter: Right.

Ted Harrington: I think, I think I'm the only person I've ever heard of, who, who thought- I'm sure other people have done that. That was way arrogant of me to say it. But like it's an unusual thing.

Mason Amadeus: No. But I know what you mean. Yeah. Wicked.

Ted Harrington: And it resulted in this, like, complete transformation. And now rather than a career that I was in an unrelated field, and it felt pointless, and I wasn't surrounded by smart people. Now I do work that is so incredibly meaningful. I'm surrounded by brilliant people. We do work that matters, and I'm like, I'm like inspired every day. And I was able to bridge that gap because I used this revolutionary mindset. Now I didn't know it at the time. It wasn't until, now I found myself in security and I was like looking backwards, and I'd say, oh, what I did, that, that was the hacker mindset right there.

Mason Amadeus: I love that. That's awesome.

Perry Carpenter: Absolutely.

Mason Amadeus: I also love, and I'm sure- I, I wonder if this is true, Perry, how many people in the security field you talk to where their origin story includes a line dot, dot, dot, and then suddenly I was in security. Because I feel like that happens.

Ted Harrington: Probably a lot, right?

Perry Carpenter: Yeah. I mean, especially with the older people in security, right, before it was a pathway that colleges were actively teaching and saying we have a cybersecurity degree. Everybody, I would say that's probably what over 30, 35, got into security kind of in a sideways kind of way. But not necessarily by going talking to investors and, and literally just trying to hack their career. I think a lot of people just like stumbled their way into security that are, that are my age. You know, one of the things that I always tell people is the best piece of career advice that I can give is to, where possible, pursue your passions, but then view life like an escape room. You know, as soon as you've seen, you know, I've unlocked this skill, and I've unlocked this other skill. What did those two things combined potentially let me do that was something that I might aspire to otherwise? And it might be things that are totally unrelated. It might be like, I understand philosophy, maybe got a degree in that, and I understand this other skill. What's the weird thing that is uniquely me that is at the convergence of those two? And then maybe you go learn design or you go learn technology or you go on something else to say, what's the weird way that I can put those things to use? There is, in psychology, there's a, a battery of tests called the alternative use, alternative uses test. Have you heard of that before?

Mason Amadeus: Oh.

Ted Harrington: I don't know. Maybe. Tell me.

Perry Carpenter: Yeah. So it's basically oh, go ahead, Mason.

Mason Amadeus: Is that the experiment where they give you a paperclip and say, come up with a 100 different uses for this and like, yeah. Okay, yeah.

Perry Carpenter: Exactly.

Mason Amadeus: So some people will say like pick a lock or, like, I'll make a hair tie, or.

Perry Carpenter: Or it might even be they give you three objects, and you have to like find interesting creative uses to put those three objects to use in unexpected ways. So it's, it's really interesting to see. And I think that what that, if I remember right, it started, or first came out in like 1967. But I think ultimately what it was pointing at is like, what types of people have this hacker mindset where they can look at a box of things or a couple of things and say, I can do these weird unexpected things with it. Or I can solve a real problem using these unconventional pieces.

Ted Harrington: I love that you brought up passion as well. One of the things that was apparent to me even before interviewing people for this book, just from observing the hackers that I get to work alongside every day, is that hackers are just they're so passionate about hacking. They just they love it. And a lot of people who come to work for us, some of them didn't realize that this was even a profession before, right. They were like, I was going to do this on the weekend anyway. Now I get to do this all day every day, get paid for it and not go to jail. And like, this is amazing. And so this theme of passion kept coming up. And so now as I'm writing this book, there's a whole chapter, I felt like it was such an important topic that I have to talk about passion. And then I realized, I'm like, am I about to write a chapter that is pursue your passion? Like, that sounds like some Instagram influencer nonsense.

Mason Amadeus: Yeah, very live, laugh, love of you.

Ted Harrington: Yeah, like how is that helpful to anyone? Like, my passion is sitting on a beach. Like, I like, how is that helpful? And so I thought that was kind of an interesting, like, but hackers are passionate, so I, I can't not talk about that. And so I started observing, well, how do, what are some ways I specifically see from hackers that demonstrate this concept, without it being too abstract of, like, if you love it, do it, you know. And some of the things that came out that were really tangible things were like pay out of pocket. So a lot of people in their profession, they'll only do something if their employer pays for that thing. And there's nothing wrong with that. Those people aren't wrong, like you're not wrong if you choose not to pay your own money to go fly to an industry conference and pay for a hotel and pay for the badge and all that stuff. Like you're not in the wrong for doing that. Nevertheless, when you go to DEF CON, you go to a hacker conference, a lot of those people paid their own money to be there. And if you're willing to pay your own money to do something, that is a clear indicator that you have found a passion that you are prioritizing. And I, and I choose that word intentionally. So I think prioritize passion is a better way to say it than pursue. We're splitting hairs here, really. But when I think about things we prioritize, those are the things we make room for and we make time for in our life. And spending your money is a great indicator of what you're prioritizing.

Perry Carpenter: I love that. When I think about the origins of DEF CON, it used to be really, really difficult to pay for DEF CON on a corporate credit card. And then all of a sudden they got it to where you could get your DEF CON pass at the same time as your Black Hat pass, and it got to be a lot easier. But it used to be like pay at the door.

Ted Harrington: Yep. Huge lines.

Perry Carpenter: A couple hundred bucks. I forget what it was, but yeah, really, really long lines. You had to have passion, and you had to bring cash. And that's not something that most companies would say, all right, here's $200 cash or three or four hundred, $500 cash. You can just, you know, in good faith, give us a receipt because I don't think they gave receipts at the time either.

Ted Harrington: Definitely didn't.

Perry Carpenter: So, so yeah, I mean, I think the early days of DEF CON, for sure, anybody that was there, it was like a passion for them. And it was about learning. It was about the community. It was about exploring. And one of the things I think that drives passion, and I talk about this too when I talk about hacker mindset, is kind of an insatiable curiosity. What is that like for you and your company with the team of hackers that you work with?

Ted Harrington: So when I've been working on this idea and interviewing people, like, what does it mean to think like a hacker? Every single person that I interviewed, without exception, the first thing that they said is hackers are curious. And that's, that's so true until the point where I mentioned that I gave a TED talk on this idea. And I actually didn't even mention curiosity in the TED Talk because to me, it was so like table stakes. To be a hacker, you have to be curious. But then as you're working on it, it's like, well, you can't, you can't not mention the table stakes. And so like the four attributes that I've uncovered in pursuing this is that hackers are, curious, they're nonconforming, they're committed, and they're creative. And curiosity is the first one. Hackers are, they're just so inquisitive. They want to understand how something works and why it works that way. And when I think about what makes our hackers like who work for us at, my company is called Independent Security Evaluators, ISE. What we do is, like, companies will hire us to say, hey, we're building this software system. Can you look at it to determine where the vulnerabilities are so that we can fix those and, and make them better? Because we want to roll this out to the market, and we don't want to wind up in the headlines. We don't want our customers to be violated. We don't want our users to be violated. So that's what our business is. And so what that means then for our hackers is their job is to use that curiosity that is innate in them and let it just, let, let it run free, right. And so they're always asking these really powerful questions like why. Why is a very powerful question. Like, why is it set up that way? Why do you provide access in that way? What's the reasoning behind that? It's, it's not a combative why. Why can be perceived as combative. It's, it's not. It's curious and collaborative. Like, why did you choose to do it that way? 
There are three other ways you could have done it. What's the reasoning here? The question, what if. Like, for example, we'll be scoping out a project or the tech that's associated with a project, and they'll explain to us how it works and how users are provisioned and onboard and off board and how permissions work and authentication and all this stuff. And eventually, we'll start to formulate these attack scenarios in our minds. And that's when we start using these what if questions. We'll say, like, well, what if an attacker did X? You know, you're, you're supposed to do ABC. What if someone were to do C first and then B and then A?

Perry Carpenter: Yep.

Ted Harrington: And it's through that, really, that curious, inquisitive pursuit of truly understanding something, that is then how you figure out how you might actually attack it. Because if you weren't curious and you didn't really care that much and it was more of, like, this is why I think compliance isn't effective for security. One, there's many reasons compliance isn't effective.

Perry Carpenter: Right.

Ted Harrington: One of the reasons is there's no curiosity there. It's like, do you meet this control, yes or no. Do you meet this one? Yes or no. It's not like, why do you or do you not meet that control? What's the reasoning behind that?

Perry Carpenter: Yeah, what choices did you make, yeah.

Ted Harrington: Yeah, exactly.

Unidentified Speaker: This is "The FAIK Files."

Mason Amadeus: Everybody loves a hacker story. And on your website, you feature a couple sections of like different sectors of tech type things that you have investigated. And I was wondering if we could fold into two, a hacking story, and also I'm curious about the exploits y'all found in medical equipment.

Ted Harrington: Yeah.

Mason Amadeus: Because that was a section you listed.

Perry Carpenter: iPhones and other stuff that people think are un-hackable or shouldn't be hackable.

Ted Harrington: Yeah.

Perry Carpenter: One other thing, I'll throw this out right before you answer that question, is Ted is such the ultimate hacker that every talk he gives is a TED Talk no matter what stage he's on.

Mason Amadeus: This is a TED Talk right now. I'm so glad we're going to have a Ted Talk on "The FAIK Files." That's pretty killer.

Ted Harrington: I love that.

Mason Amadeus: Could you walk through like the process of how, like how did that start with the, did someone approach you to say, can you hack our medical gear? And then like how did you find it? What were the hackers working on it excited about? Like, what was it like in the office while you were doing that, and what did you find?

Ted Harrington: Yeah, that was a that was a really, really cool project. It was the opposite. No, they, no one wanted us to do that. People, people, what's the opposite of wanted? People dis-wanted us to do that.

Mason Amadeus: Oh, boy.

Ted Harrington: So the origin to that was I mentioned the, the power of having this curious mindset and how hackers are always asking these like open ended questions. And there was this one moment we're all sitting around just one of the conference rooms at our office. You know, the proverbial like bouncing the ball off the wall, being like, well, what if this and what if that? We're just kind of thinking out loud. And one of the questions that was posed was, what is the worst possible outcome that could happen as the result of a security breach? Because most headline news, you know, is about, like, money getting stolen, data getting stolen. And we're like, there's got to be something worse now. What's the worst thing that could happen? And pretty quickly, we were like, death. Death would be the worst thing that would happen. So, you know, it was like once, whoever it was that said that, once that was said, everyone, you could hear like the squeaking chairs as everyone like leans forward and is like, okay, let's talk about that. And so now we're like, all right, what are the scenarios in which a cyberattack could result in hurting or killing a human being? And quickly that narrowed in on a few areas like connected transportation, like aviation or trains or cars, or healthcare. And, so we said, well, let's look at health care. That's, that's pretty interesting. Like, could you, because technology is so central to the delivery of care. Could we manipulate the technology in a way that could cause fatality or injury to patients? Because if you ask anyone who works in healthcare, they will agree that the priority is to protect patient safety. They want to improve patient outcomes. The patient goes to the hospital. They want them at least to be able to go home, ideally, go home better. A few things were, really stood out as we started this research. So the first was that there had been a decent amount of research into active medical devices. So like an active medical device does something to a patient. So a, a pacemaker is an example. Like, that manipulates your heartbeat. Pretty obvious to think about how if you manipulate that, that could hurt someone.

Perry Carpenter: Yeah.

Ted Harrington: But there really hadn't been research into passive medical devices, which reacts to the patient. It'll do something to the patient. So an example of that would be the bedside monitor that sits in the hospital room that reports your oxygen levels and other vital signs. How would you hurt someone manipulating that? So that was a question we were interested in. So that was one thing that stood out. There was this whole area that hadn't really been looked into. Another thing that stood out was that being able to get access to do this type of research was difficult. So like if we want to access, if we wanted to do research, like Perry had mentioned, we were the first company to find an exploit in the iPhone when that first came out. To get access to that, we had to buy an iPhone. Reasonably achievable. Even it required, we didn't get early access to one. We had to like wait in line like everyone else. But you can buy an iPhone. You can't have access to, you really can't buy modern medical equipment, even secondhand. You can buy stuff that's, like, old. And you definitely, it's cost prohibitive to buy the big stuff. Like, we're not going to go spend millions of dollars on an MRI machine or anything like that.

Perry Carpenter: Right.

Ted Harrington: So to solve that problem, what we had to do was we had to get hospitals and medical device makers to let us do it. Now think about how crazy that request is. Like, hello. You don't know me. What I'm going to try to do is find problems that are catastrophic in your technology, and I want to talk about it. Can you give me access?

Mason Amadeus: Specifically ones that could kill a patient.

Ted Harrington: Yes. My mission is to find out if you can hurt people.

Mason Amadeus: Oh my gosh.

Ted Harrington: So needless to say, people were not enthused to return our calls as we were seeking this access. But one of the things, I mentioned one of the traits of hackers is that hackers are committed. Hackers are persistent and resourceful and resilient. And so we just kept at it. We kept asking and asking, and eventually, it took about a year. But a year later, we had about a dozen healthcare systems spread across the United States willing to let us perform this research, under the condition, of course, that we don't exploit anything. That's what research does. We do not exploit. And then, we wouldn't name them. So that was fine. This wasn't about embarrassing anyone. This was about studying an issue. And so we set out, took us a year to get the access. And then in the following year, we did the research. And we looked at all kinds of things. We looked at bedside monitors, as I mentioned. We looked at blood working systems. We looked at the lobby kiosks that you, you know, check into your appointment, drug refrigeration equipment, just all kinds of stuff. And we came up with this scheme that we call the patient health attack model. And if you can imagine what a, like a bull's-eye looks like that you, you know, play darts with, the middle of the bull's-eye is the patient's safety. And then each ring out as you go further out is an attack surface that, like, if you get to an outer attack surface, can that give you access to something on the inner one, to the next one, and then ultimately to the patient? So if the patient's in the middle, the things immediately surrounding the patient were the things that deliver care. So that would be things like any sort of infusion pumps, anything that delivers medicine, and notably, the physician. So a surgeon is doing something to the patient. So one of the scenarios we looked at is like can we manipulate the behaviors of the physician, of the surgeon?

Mason Amadeus: Amazing.

Ted Harrington: And so now we circle back to this question about the patient monitor. And here's what we did. We discovered that you could remotely access the patient monitor, and you could bypass authentication. So that means that an attacker from anywhere in the world could log in effectively without logging in. Now once they're logged in, they can perform what's called remote code execution. They can issue a command, and the device will react to the command. So some of those commands that we could get the device to react to include things like we could get it to trigger a false alarm. So now imagine the scenario. We've got a patient, they're in their bed, and all of a sudden it starts alarming that they're having an irregular heartbeat. So now the nurse comes running over and is like, are you okay? Now this, the risk to the patient's safety is somewhat minimized because if the patient's conscious, they're like, I don't know what's going on. I'm okay. The nurse is going to ask them some questions. But even in that scenario where no harm is administered to the patient, it's diverted care from patients who need it to the patient who doesn't need it. A bad scenario would be if that patient is unconscious, the nurses start going through their, the diagnostic sequences. And imagine if, in that chaotic environment, the paddles, the electric paddles get administered to a patient who doesn't need it, that's going to be harmful or fatal. But the far worse scenario is actually the opposite, is where we found that you could actually disable authentic alarms. So now you've got a patient who is having that heart arrhythmia or whatever, needs the electric paddles, and the nurse is not notified. And the longer you go without that care, the more damaging or potentially fatal that is to a patient.

Perry Carpenter: Yeah.

Ted Harrington: So that's just one example of many. We found ways you could change people's blood working equipment so the wrong blood is administered, which is fatal. We found ways that you could, it was just, it was an endless array of issues. And what was really, really fascinating about this was that in healthcare, the thing that drives investment of dollars is what's called HIPAA. And HIPAA is regulation that drives for protecting patient privacy. Privacy is not patient safety. And --

Perry Carpenter: Right.

Ted Harrington: -- we discovered all these ways that, if you can imagine that bull's-eye of attack scenarios that would get us to the patient, a whole bunch of ways you could get to the patient, cause harm or fatality, and never violate HIPAA at all. So the argument that would be like, well, if that system had been compliant with HIPAA, this wouldn't happen. That argument is actually null and void.

Mason Amadeus: Wow, yeah.

Perry Carpenter: You know, as you were talking through that, if you were to launch multiple types of attacks, you could essentially do, not to the same effect, but almost like a Stuxnet-style attack within a hospital where you're sending false monitoring so that people think something's going really right when things are going horribly. And then cause other devastation by targeting secondary devices. Or you could do the opposite. You could set off 15 alarms so that you've so distracted and done something to the staff to where they have no idea where to focus, that you could do something completely different that they're not ready for. That's, that's really interesting.

Ted Harrington: Absolutely.

Perry Carpenter: Yeah.

Ted Harrington: And by the way, I should characterize this whole story. Maybe I should have introduced this. That this is not an argument to not go to the hospital. People should go to the hospital.

Mason Amadeus: I hope no one would take it that way.

Ted Harrington: People are weird, man, sometimes.

Mason Amadeus: That's fair.

Perry Carpenter: Yeah.

Ted Harrington: I mean, there's enough reasons to maybe not want to go to the hospital to begin with, but I wouldn't want anyone to walk away from this feeling like, oh, there's security risk in the healthcare system. I just shouldn't go see my doctor. It's like that is way riskier to your health to not see the doctor.

Mason Amadeus: Yeah.

Perry Carpenter: Yeah. There's security risks everywhere.

Ted Harrington: Yeah. It's, I mean, this is why research needs to exist, is to find the problem so we can now start doing something about it. And, to Perry's point about like how could you use this in a broader attack. Like what I don't think is the concern is that someone's going to go try and kill an individual. Like, even a high profile, like if you're going to try to target like a leading politician or a titan of industry, there's probably easier ways to attack them than this. But this would be a very effective technique paired with a traditional sea, air, or land-based attack. So, like, let's say you wanted to attack a major metropolitan area in America. You pick that city. Before you deploy the missile, go make all the hospitals start going berserk. And then people, like, they're all distracted, and it's chaos, and who knows what to do. And all of a sudden, there's a more traditional strike.

Perry Carpenter: I'm glad you gave that example because I want to ask a question. Because a lot of our people that watch and listen to this show are not necessarily security professionals. They're more interested in AI or technology or society. The scenario that you just mentioned can be scary for a lot of people. And some people would say, why would you mention that because you're only going to give a bad guy some ideas? What's your response when you hear that? Because, I have my thoughts, and I'm pretty sure we're in alignment, but I just want to let it come from, from you rather than me putting words in your mouth.

Ted Harrington: I've been asked that question too, especially by my friends who are not in my field. They're like, wait, you get up on a stage and you talk about, you write books about what? And they ask exactly that. Like isn't that telling the bad guy what to do? And here is the reality. The bad guys are thinking this already. They're doing this stuff. So what people from the world of ethical hacking, which is the world that I come from and you come from also, Perry, is like our job is to be the counterbalance to the bad guys out there. We have to think like them in order to defend against them. And we're not giving bad guys any ideas they don't already have. In fact, we're making their life harder because we're now shining a spotlight on the things that they're trying to do in the shadows.

Perry Carpenter: Yep. Yep. I, I think that's exactly in alignment with the, the point that I was assuming you were going to make when I asked that question, which is really good. Because I have, like, like all of us that live a little bit in this space, and you're deep in it. I'm kind of on the periphery of it, and I'll show things and exploits and tactics every now and then. And just every so often somebody will say, why do you do that? Aren't you, aren't you just giving a scammer an idea or pointing them to a tool? And it's like, now there's entire ecosystems of Telegram channels that people flock to to share tools for the scammer and hacker community. What we're doing really is helping people on the defender side who are already overwhelmed with 15 other things, start to figure out like what ideas or what technologies or what tools they can zero in on so that they can become better defenders faster.

Ted Harrington: A hundred percent, yeah.

Perry Carpenter: Does that seem right?

Ted Harrington: Yeah, absolutely. It's like, we're helping drive progress. Now imagine if it's the opposite. Let's say implied in that question is what we chose to do instead and say, like, let's just not talk about this, and no one will like know to do these things. All that we've done is allow the attackers to continue to do bad things without a counterbalance, without checking them. And that's the world that we live in. Those of us who have chosen this profession, every day, not just at work, but also in like our normal lives, we're constantly looking at how things could go wrong. How would you, how would that system be broken? Like why is this a bad way to do this thing? And that, it's kind of in, in the movie "The Matrix," right. There's, when you're in the Matrix, it's a beautiful existence, kind of similar to what we live today with, like, whatever you'd call it today, you know, a beautiful existence. When you unplug from the Matrix, you realize it's this, like, gross, cold, harsh dystopian world. And those of us who've chosen to live in the hacker world, we're unplugged from the Matrix. And it can be bleak because all we see are the ways that things can go wrong. But in so doing, I've observed some absolutely amazing, beautiful things about humankind.

Perry Carpenter: Oh, yeah.

Ted Harrington: Thing number one, people are generally good. People are, people are nice to each other for the most part. People generally behave ethically and morally. And that's why we need this counter mindset, because people, most of the time, want to trust other people, and they want to do the right thing. And then the second thing I think that's really beautiful is that we can take this mindset, this, this hacker mindset, like, how can we be curious and nonconforming and committed and creative? We can apply those to anything. We can, you can apply that to how you get a job you're looking for, how you change your profession, how you start a company, how you raise money for the company that you've already started, how you start a charity. I mean, you could use it to like find love in your love life. I mean, it's just a different paradigm, and it's, I think it's a superpower, and it's a beautiful, beautiful thing. And I guess this is the full circle back to how we started, which is that hacker is not bad. Hacker is good.

Perry Carpenter: Yes.

Ted Harrington: And this mindset is absolutely a superpower for good.

Perry Carpenter: All right. I have one thing I want to end on. Most of our listeners are really, really interested in AI. So if I just throw those two letters out to you and let you riff for a second, what are your current thoughts on AI and anything else?

Ted Harrington: I am very positive, pro-AI. I think it's easy for a lot of people from the hacker world to see all the absolutely profound and catastrophic risk that AI introduces, and it absolutely does. But the ways that it's going to change civilization is, it's, I mean, I'm not overstating, I think, when I say it could literally change society in such a positive way. We obviously have to be aware of the downside risks, but it's doing things that are making defenders' lives easier. It's doing things that are making defenders' lives harder as well. But I see a future where attacks are going to get more sophisticated, but defenders and defense techniques are going to get more sophisticated too. And I think this is similar to like when the calculator was invented, you know. Teachers at the time were like, well, you're not going to have a calculator in your pocket all the time, so you need to learn long division. Well, I don't think I can do, maybe I could do long, I haven't tried. But I don't think I could do long division right now.

Perry Carpenter: I haven't tried recently, yeah.

Ted Harrington: Because I literally have a calculator in my pocket all the time. But has that made me stupider? No. It's enabled me to use my brain power for bigger things. And I think that AI has that potential for us, that it will be like any tool. And I equate AI to, like, a knife. Imagine a knife, right. So depending on whose hand it's in and what purpose it's used for, it delivers different outcomes. In the hand of a surgeon, a knife saves lives. Of a murderer, it ends lives. And that's the way we should think about AI. Like, how can we use this tool to enable us to do amazing and big and beautiful things while recognizing that there are additional new risks that we need to think about?

Perry Carpenter: The way I talk about it in my book and my talks is that every tool will mold to the hand and the intentions of the person that picks it up. And I think AI is very similar.

Ted Harrington: I love that.

Perry Carpenter: What I've seen with AI is all the great stuff and terrifying stuff that you just mentioned, both of those. At the same time, when it comes to the, the move of AI, the AI market, and the different vendors that are putting out new tools and kind of competing in the arms race of the market the way that every company does, what I've seen is a lot of repeating of the sins of cybersecurity's past, and things like integration problems, input validation problems. Things like, could we potentially weed out earlier some things like prompt injection or other things that might cause misuse of the tools? I'm not seeing a lot of forward thinking in those areas right now, and I'm not sure why. Have you seen similar things, or am I a little bit off base there?

Ted Harrington: I think what you're describing is true for any innovation cycle.

Perry Carpenter: That's a good point.

Ted Harrington: You could replace the question you just asked. You could replace AI with cloud. You can replace it with bring your own device. Any innovation that we've gone through over the last many years or decades, that is what happens, right. It goes in these cycles. Phase number one is some innovation happens, and that innovation is revolutionary, and it is quickly adopted and commercialized. And that's the phase we're in for AI right now. Security is not adequately considered in that stage. The next stage is where improvements start happening, and that's where people like those of us having this conversation right now are loudly banging the drum for how, like, yes, this tech changes things, it revolutionizes things. But how we secure technology, the principles of secure design, those are universal. That doesn't change. And so the way you described it is, is so true, is the idea that like, it's happening in AI for sure. It's like we've forgotten that we need to implement secure design principles as we innovate.

Perry Carpenter: Yeah.

Ted Harrington: And that happens anytime there's these big, big shifts. So I'm optimistic that, you know, fast forward five years from now, things will be better because of the advocacy of people like yourself. But today, yeah, it's, we are playing catch up for sure.

Mason Amadeus: A great interview. Again, Ted's book, "Inner Hacker," is coming out in just a couple weeks at the time of recording. You can get a discount on it by joining the wait list at tedharrington.com/inner-hacker, which would be a, a kind of crazy URL for you to type in by hand. So just pop open the description, pop open the show notes. Click that link, get your name on that list, and check it out. Thanks for joining us on "The Fake Files." Perry's going to return next week. We'll have a regular episode exploring some new developments in the AI space. One of the things I've been playing with is ElevenLabs' new music feature. It's kind of a mixed bag. It doesn't really hold up to Suno in terms of quality, but it's a bit better in terms of customization. We'll get into that in, in that next week. You've got that to look forward to. But until then, ignore all previous instructions, get yourself on the waiting list for "Inner Hacker," and have yourself a great weekend. [ Music ]