Episode 97 – Jack Rhysider (Cybercrime and Security)

This podcast audio has been transcribed by an automatic transcriber.

Fred Rocafort  00:07

Global Law and global business go hand in hand, but never seem to keep pace with each other. The importance on the global stage of developing and developed nations waxes and wanes, while consumption and interconnectedness steadily increase, all the while laws and regulations change incessantly, requiring businesses to stay nimble. But how do we make sense of it all? Welcome to Global Law and Business posted by Harris Sliwoski International Business attorneys. I’m Fred Rocafort.

 

Jonathan Bench  00:37

And I’m Jonathan Bench. Every week, we take a targeted look at legal and economic developments in locales around the world as we try to decipher global trends in law and business with the help of international experts. We cover continents, countries, regimes, governance, finance, legal developments, and whatever is trending on Twitter. We cover the important the seemingly unimportant, the relatively simple and the complex. Today, we’re joined by Jack Rhysider,   a veteran to the information security world. He gained his professional knowledge of security by working in a security operations center for a fortune 500 company, a place where threats are detected and stopped. During that time, he was exposed to hundreds of clients networks ranging from schools to government to banks to commercial organizations. In 2017, Jack started the podcast  Darknet Diaries. T he podcast amassed more tha n 18 million downloads in 2021, more than doubling 2020s numbers. Darknet Diaries has been featured in The New York Times,  The Guardian and Vulture. Jack, welcome to Harris Sliwoski Global Law and Business.

 

Jack Rhysider  01:42

Thanks for having me. Nice to be here.

 

Jonathan Bench  01:45

We’re very excited. I was joking with you before we started about personal information. So tell us a little more about your background. Nothing you don’t want to share. But we’d love to hear more about how you developed your skills. And why did you decide to jump into the media space?

 

Jack Rhysider  01:59

I think it comes back, if I want to look back, I’m going to say my grandma bought a computer for me well, for the family, when I was like I don’t know 10. And with that exposure at home, I think is really what got me interested in tech, you know, if if it would have only been not, you know, if I didn’t have a computer until I got to high school or college or something, I probably wouldn’t have had nearly half as much you know, interest or skills at it. So just getting that early age computer to be able to use it and have access to it, I think is really what what got me started in all this you know, you learn to type you learn to play games on it, you learn all these things. And there was never ending passion for it ever since then I’ve always been fascinated with it. So I went to university got a degree in computer engineering, and went off to become a network engineer. I wasn’t really sure about what path I wanted to take, but then the position open for a security engineer. And when I switched to that, it was perfect for me. Because in the university, they teach you one one topic on every piece of tech, right, they don’t really go in depth on any tech, they just say, here’s one thing on this language, one thing on an operating system, one course on this. And so it was all those things actually coming together to do security. So it became my passion. I was like, yes, all the all the little bits of information I’ve learned in all my life is now being used in it feels fantastic. So it was just right at home. You know, in this time, I was listening to podcasts, This American Life and radio lab and this kind of thing. And they were so fascinating to me to be able to just sit in the car, get to where you’re going. And you don’t want to turn the car off because you still love this show you’re listening to and so there’s something gripping about that. And at the same time I was getting into security and hearing how there’s some really high dramas, hacker stories out there, you know, people going to prison for life, there are people getting killed, you know, from online disputes and stuff. So the where’s the podcast that’s covering these high drama, cybersecurity stories. And of course, there’s nation states hacking each other. I mean, it’s crazy. And there wasn’t one. So I was like, I do I have to make this. I don’t really feel like I don’t know anything about making this stuff. But the idea stayed in my head for about six months. And then I finally said, Okay, well, I really want this to happen. So maybe I have to make it myself. And I got a book and read up how to tell stories. And do kind of journalism was something I had to learn to and yep, that’s how I got started with a podcast. And it’s I’ve been able to quit my job and do it full time and it’s kind of changed my life.

 

Jonathan Bench  04:38

I gotta say, I’m a huge fan in the episodes I’ve listened to. So my son took went to a cybersecurity camp this summer. And while he was there, at the university campus, the people were running it, put him on to the podcast, I think they listened to one or two episodes. And so he came home and told me about it. And I said that sounds fascinating. I’ve got to check this out. So We started listening to it. And it’s been fun. It’s like you said, I find it very, you know, very gripping it kind of satiate my need for the storytelling side of this right. One thing I love about what we do on this podcast is we get into the details of people’s lives. And I love the background. And I respect someone like you who says, hands off my personal details. But most people, including me, are more than happy to share our life stories to the world, right? We don’t we don’t work in the same space you do. And some of some of it is our currency. Right. And so I appreciate what you’ve done with the podcast to make it really, and obviously, I’m not the only one, right? I mean, your your downloads speak for but that’s fascinating.

 

Jack Rhysider  05:36

Maybe I should give a just a description of what the show is. So I’m kind of a slow news junkie. And I don’t really want the latest news, because that’s kind of a lot of hearsay. I like to wait until the story is complete, where we have, you know, the final verdict and the sentencing for the for this, you know, the attacker. And so if we know that, then we can go back and see the whole story, right? I mean, especially if there’s a sentencing where the person pleaded not guilty, because now we have a court. And in court, we have, you know, court records, and we can look up how did the FBI catch this person? What evidence did they have on and what were the victims, testimonies, all these kinds of things that you can look through? And from there, you can just keep going backwards and say, Okay, well, what was the reason why this person did this? And what is their background? And where are they from, and you could just keep looking up. So now you have this soup to nuts story, the entire thing of who this person was, who did this attack, all the way up till them getting, you know, all the damage they’ve done the arrest that the happened, and the sentencing, and that, to me is how to properly tell a good news story, right? It’s the whole picture. And that just wasn’t there in this space. And that’s why I started making that give me the entire story of you know, a cybersecurity story.

 

Fred Rocafort  06:51

Jack, I want to talk a little bit more about the podcast and the kinds of stories that you you cover. Perhaps one good way of doing this is by focusing on on one of your podcasts or one of your episodes. And and and how how that story crossed your path, how it came in how it showed up on your on your radar, and what the process was like in terms of reaching out to your guests. I greatly enjoyed the episode where you described an incident that took place with the lottery in Puerto Rico. I grew up in Puerto Rico, so that definitely caught my attention. And frankly, I had not heard at all about that that incident. And later, thanks for your p odcast, I saw that there. There had been indictments and ultimately, sentences handed down. So perhaps again, using that episode as a as a model how or as an example, how do you source your guests and your  stories?

 

Jack Rhysider  08:02

Yeah, there’s a few tactics, you know, there’s not one, but there’s many. And you know, at the beginning, nobody knew who I was. So I was going around and tapping on a lot of shoulders, people who I knew from the space people who have prominent blogs or whatever. And I’d go to a lot of conferences, and I’d listen to people and I’d say, Oh, wow, that’s a great story. You already told it on stage, can you come on my podcast and tell it so that’s how I kind of got started seeing news reports, and just knowing what the big stories are, and then trying to find who were the researchers that were doing these, you know, discovering these threats or something, and anybody that has their name tied to this, maybe they’d be able to talk. And so I went from there. But yeah, over time, I became known for just being being the one who tells these stories, and you go to them. So it’s been probably a handful of people, maybe five or six episodes now where somebody comes to me and says, I have this story. And of course, I don’t trust them. And so I’m like, Well, what do you have to prove it? And sometimes they show me their criminal record or their indictments or something, and I’m like, wow, that’s you. Okay. Let’s, let’s go. And then, yeah, in that case, that person brought that story to me. And I was able to validate that by calling Puerto Rico and asking around and talking to other people who know him. The person who gave him a story, and having them listen to this and seeing, you know, what they, what they thought of it and stuff like that. So yeah, I mean, that story is a wild one, and I think it was previously unreported, and he kept it close to his chest for so long. And that’s kind of one of the things I like to do too, is find these people get this kind of access, and then show the world this, this kind of stuff, because me going to these hacker conferences, I hear these stories all the time, and everyone goes to the hacker conferences, hears these stories, and they’re ridiculous stories and they’re wild. And I’m trying to capture those and show the world this stuff because it’s, it’s very common. It’s just crazy.

 

Fred Rocafort  09:56

Jack, you bring up a very interesting point how these conference assists are a place where stories get shared. I’ve had similar experiences in other contexts, perhaps. But this reminds me of something you mentioned regarding the how loathe sometimes companies and their leadership are to reveal cybersecurity incidents. And there’s probably good reasons for that. But I imagine that that these conferences, these events are critical, at least to to get a real sense for what’s happening out there. Even if ultimately there’s there’s a certain lack of transparency. But perhaps you could you could talk a little bit more about this what what might be some ways in which information can could could be could be shared in a in a more useful way, in a more wider way? And what perhaps, are some of the some of the reasons maybe, maybe go going back to that original question, you know, what, why exactly? Are companies reluctant to share some of the information? Again, some of it might be intuitive, but I’d love to hear your your perspective on that.

 

Jack Rhysider  11:11

Yeah, I think it, you know, weakens trust with the customers, if you say that we’re we have some insecure applications or whatever. So they’re worried about that worry about shareholders losing faith in the company and stuff. And they don’t want to look, you know, like they did something bad. So there’s always trying to hide. In Europe, oftentimes, if I don’t know which kind of companies it is, but some of them are required to disclose breaches publicly. I think Telecom, telecom companies are one of them, at least to to disclose it to the government, and certain watchdog groups and stuff, just to keep them honest. But I’m in the US, you don’t have to. So you can, you can get hit and keep it quiet, and there’s no law against it. But I think something that helps is, is sharing your story. Because when we go to these conferences, these hacking conferences or security conferences, we’re all looking to see who has a similar situation than us, and how are they figuring out the problems that we have. And if nobody’s talking, then, you know, it’s hard to make those connections. But if somebody is like, okay, here was the issue that we solved. And here’s how we solved it. And stuff like that really helps other people try to solve their problems. And it all it seems to make you look good, at least at a security conference, that you’re sharing this kind of thing. So I do appreciate people sharing their stories. And some people don’t like sharing it publicly. So there’s these things called ISAC, which is information security exchanges, where you have kind of a small group. So like, let’s say you’re a bank, and you want to share your threats that you’re getting hit with, you can ge t into ISAC with other banks, and say, here’s some of the IPs that are targeting us. And some of the attackers we’re seeing in the malware and those other banks might appreciate that, and then they’ll share what they’re getting. Right. So it’s kind of a small community. And that’s I-S-A-C is ISAC. And so yeah, there’s these things to join. And sharing is a helpful to kind of get a sense of what other people are experiencing and how to help solve your problems that are the same as theirs.

 

Jonathan Bench  13:22

This leads into a great topic that I think about quite a bit, which is, with the proliferation of electronic devices everywhere, you know, when we were growing up, we I think I got, we got our first computer, mid 80s, maybe five. And because we didn’t get connected to the internet until early 90s. And then I was tying up my parents only phone line. And so we’ve had a big changes in our lifetimes. Do you think that the world is getting more or less safe with proliferation of the electronic devices? And, you know, our security measures? Are they keeping up his privacy now, just totally relative, there is no absolute privacy unless you just don’t have a digital footprint?

 

Jack Rhysider  14:03

Well, I think, I think there’s an arms race going on. So this more secure something is, the more the attackers are trying to figure out a way around it. So it’s just it’s a constant battle. And there will always be that battle, because you’ve got nation states that need you know, you’ve got mission critical missions, whatever, that they need to get into their target, you know, whatever and get access and so they’re going to be paying perhaps millions of dollars to get into certain things and you know, nothing is a barrier they have the the people the time the money to do what they need to do and, and some nations even come over and blackmail or, you know, bribe or get someone in that organization to flip and be on their side and now you’ve got an insider in there. So, I mean, they’ve gone to extreme lengths to to get what they need to do. So um, you know, when you’re going against someone like that you might not have a defense because it’s just So, so they have so many resources, but you can still make it difficult for them by doing best practices and following the right rules on how to secure things. I think, right, I go, I go up and down and whether or not I think it’s improving or getting worse, I think when you have, you know, secure points, end to end encryption applications, like signal making all sorts of traction, then things are getting better. But then when you have major breaches, where you know, millions of people get their data stolen, that things are getting worse. And so it’s, it’s difficult to see exactly if things are getting better or worse every day, the technology makes it so that we can be more secure. But then every day more stuff just shows up on the internet that isn’t secure. And it makes things so it’s almost like, you know, filling, filling a bathtub with the with the drain open. It’s coming out at the bottom, but it’s also filling up at the same time. So it’s not quite going up or down. Right. It’s it’s tricky to gauge.

 

Jonathan Bench  16:02

I’m curious if you’re looking at the upcoming crop, and I think people are people are getting more and more technologically savvy. Do you think that we have, let’s take the US as an example? Or you can look at the whole world if you want to? Do you feel like that we have enough information security experts? Who are building apps the right way building programs, the right way to, to protect to do it, is that tide rising as fast as the the other side of the coin with people who are looking to manipulate data and to cause data breaches and gain that way?

 

Jack Rhysider  16:37

Well, I I have a feeling that their security team is sometimes inadequate, right? You could you could get some more people. But what I keep saying is like, it’s not the leadership that has the right security mindset, right? They, they think that they can just hire down and get the get the team in to fix these problems. But it really should start at the top where we’re if the CEO or whatever, is, has a very strong security mindset and is preaching that down the line saying, Okay, we’re gonna get a very, you know, security oriented CTO and CISO in here and all these kinds of things, then you’ve you’re not, you’re not pushing that boulder up the hill, when you’re just a security engineer trying to tell the CEO like, Look, our risk posture is really bad when you when you tweet about your political opinions, right and, or whatever the case is, you know, they’re just not getting it. And so, if you can’t push that boulder up the hill, when it comes to security, you can only go down the hill. And so if the see if it starts at the top, and that there’s a strong like the if the CEO is skipping out on the security, mandatory security training, and thinking like, yo, it’s not important for me, then that’s gonna reflect on the rest of the organization, right. But if they’re in that room, if they’re in the front of the room, if they’re teaching that room, right, it’s going to also reflect positive, more positively, like, look, this is a very important thing. And we’re gonna, I’m gonna test you afterwards. And I want you to report things to me, or whatever the case is, right? Just be that, that that kind of champion for security, then that goes a lot more further than just hiring enough people to do it. And I think that’s kind of the, the struggle that that I see.

 

Fred Rocafort  18:16

Jack, following up on this, I think most people, or at least most people who are regularly working with computers, and as Jonathan mentioned, we are seeing increasing knowledge regarding security issues. So So I think that there are certain things that I think by now have become ingrained, right, we understand the need to have passwords and the need for them to be something other than 1234. But I’m wondering, if you could perhaps share with us, you know, provide us with a couple of examples of, of less obvious risks, things that might not fit the typical idea that people have about cybersecurity risks, right? Because we, we all have, or most of us have this intuitive sense that that well, if you’re picking up a USB that that someone gave to you right and then you know, you don’t know who that person is right there. You’re you’re you’re physically connecting your computer to a device and there could be a virus and then that USB but but are there some some some other concerns out there that might not be as evident perhaps something you know, I’m I’m looking perhaps for something here that will get people thinking and maybe broadening their horizons as to as to what these risks are.

 

Jack Rhysider  19:41

So I think the thing that people are getting hit with a lot still is phishing emails. And you would think like, oh, yeah, I’ve seen those of Prince of Nigeria keeps emailing me saying I’ve gotten inheritance, but these are actually becoming a lot more sophisticated. You know, if somebody goes to your LinkedIn, they can see  where you work what? And from there, you could probably get someone’s email, right? It’s typically first name dot last name at, you know, business  .com. And you know, and from there, they can look to see, what’s your skills there, right. So maybe you’re an SAP back end developer, or you’re in HR, or you’re in marketing, right. And so from there, they might see what apps you’re good at, or something like that. And so from there, they can craft a very targeted email and just say, Listen, I’m from, I’m from the IT department, we want to give you a refresh on your on your laptop, we just need to do a quick diagnostic diagnostics on your computer, please open the attachment and run this so that I can make sure I understand the specs and we can get you a new one, right and something just very close to home. Because it looks like it’s from the IT department, maybe there’s just one letter off and your domain name in the domain name and email, it looks internal, whatever the case may be. And people will run this software on their computer. And that’s malware. And from there, somebody can take control of the computer, and then get to where they need to go in the network. I mean, it’s really scary how, how sophisticated a really good phishing email is. And if those aren’t working, people can call you on the phone. And we’re kind of savvy enough to know not to click certain things on on an email. But when somebody just sounds like they need a lot of help, and they’re like, look, I’m an intern, I just started here a week ago, I don’t know this person’s phone number, can you please help me out? Or they’re, what’s the password to this thing, whatever. And it just keeps going until you feel like, you know, you start with with like, I’m not sure. And then you just you kind of make a connection with them. And you’re like, Okay, I think I can trust them to give them this information, whatever. Right? So some people are really good at social engineering over the phone and, and sending good emails. And I think these two are still extremely effective. And when you see a lot of the major breaches out there, like how did they get into a nuclear power plant, or the Olympics, or whatever the case may be, it’s typically because of a phishing email that started at all and those are still just really, really hard to identify. Even people in the security industry can sometimes get fished. And it’s, it’s crazy.

 

Jonathan Bench  22:16

That reminds me of a post I saw on LinkedIn not too long ago from an information security expert. And they said, Can you tell the difference between the names of these two banks, and the only difference whether the letters were the same, or the URL was the same, except that one of the A’s that was swapped out was Russian Cyrillic a and not the English A right so so it was read differently? I guess when, you know, when the I don’t even know the language for this jack, you have to fill in. But the way the computer reads the IPS reads the domain name and and maps it to the IP address was you know, was different, right? It fooled. It fooled the eyes. And but on the back end, the IP was different.

 

Jack Rhysider  22:50

Yeah, exactly. Yeah, it’s very tricky sometimes.

 

Fred Rocafort  22:53

So Jack, look, let’s talk about hackers. These have become mythical creatures of our time, you’ve met many of them. So tell us about the interactions you’ve had with them. And what drives these these folks? And just just for people who might not know what’s, what’s the difference between a black hat hacker and a white hat hacker?

 

Jack Rhysider  23:13

Well, white hat has permission and anything outside of white hat, they don’t have permission. And so it becomes gray hat or black hat. Depending on how bad they’re doing things, I guess. So black hat would be like a cyber criminal just doing stuff without permission. I mean, I think the one common thread I’ve seen a lot of these is, you know, they’re they grow up with, with a computer in the room, they get into video games, and then they and we’re talking cybercriminals here, right? So and then they, they, they get bored with the game, and they try to figure out ways to cheat in the game. And so once once they start getting on that path, now they’re trying to figure out how to make the computer or the video game do things it’s not supposed to. And so you’re they’re installing malware on their own computer to like, you know, interact with the game in a way that they want to or, and then maybe that results in them, then their computer getting hacked, and someone else can get in. Because when you’re getting this kind of when you’re getting some of these cheats, it’s not, you know, the nicest software, you’re kidding in there. So now you got to figure out how to how to undo this and get back and try to figure out and it becomes kind of like this, this game that you’re playing of just the software game. And so I see a lot of common threads where people get started in that kind of scene. But uh, you know, I think there’s a few reasons why people do things. There’s, there’s hacktivism, right? So there’s just some sort of social injustice in the world and they want to do something about it. And they’re just frustrated with their own situation. Oftentimes, people will have their own school in high school or college or something, and it’s kind of like a feather in their cap, like, look at me, there’s people trying to teach me but I’m able to totally control the whole Schools Network. You know, so there’s just that kind of, you know, doing acting out kind of thing as well. But then there’s a lot of money I mean, You talk about some of the biggest crypto Heiser, and just, you know, cyber heist ever, I mean, billions of dollars have been stolen. And so you could really be very profitable robbing bank, all online. And that’s just a wild concept, right? So there’s a lot of money to be involved, as well as ransomware can be, you know, you can make a lot of money from ransomware. So, that’s another reason. And another reason after that would be to collect intelligence, I said this a few times, you know, you have nation states attacking each other, or sometimes attacking businesses. And so they’re collecting intelligence, they’re collecting intellectual property, they’re just collecting data that they can use for something else. And that’s another really big reason why you’ll see hackers out there is because they are just collecting data. Um, so I think most stuff falls into those categories on why people do what they do.

 

Jonathan Bench  25:57

So in your personal interactions with hackers with security personnel, do you run into any common themes in the way they see the world in the way they they view their their role behind the keyboard?

 

Jack Rhysider  26:10

Hmm, I mean, there is a there is the attacking team and the defending team, right. So you’ve got kind of two sides to this. And the defending team is trying to patch all the holes and button all the doors and windows and everything so that nobody can get in. And I do think that one of my favorite definitions of security is is just an InfoSec, being able to conduct business in a chaotic environment, and uncontrolled environment. And sure enough, the internet is very chaotic and uncontrolled. And you need to be able to do business in this, there was a time where we would not put our credit cards into a form and be and we actually laughed at this, like, look at this, they want me to put my credit card on this website, there’s no way I’d ever do that. And look, now we have like, everything is tied, digitally, and it’s easy to make purchases. But you know, that’s, that’s what we have to do is we have to do business in this environment. And security allows us to do that, it’s kind of like the brake pedal of the car is not really there to stop us, it’s there to allow us to go faster, we really want to go faster, we we don’t buy cars, so we can stop better. We buy cars, you know, fast cars, we can go faster. And that’s that’s what the brake pedals for is to allow us to go faster. And that’s what security should be looked at. And so the blue team, the defending team loves this kind of, let’s see how, let’s see how much risk we can have. But at the same time, keep it up at the same time. You know, like it’s, it’s a, it’s a difficult balance, because we don’t want to expose too much. But we do want to allow business to continue. And some people are like, No, take everything down. And that’s just not acceptable. We need to we need to do business. And so yeah, I mean, that’s kind of like what one side is doing. They’re, they’re defending. And then the other side is the red team, which is looking for the vulnerabilities to try to find things either legally or illegally, right? So there’s a security assessments you can get where you have a hacker come in and test the network to see what what am i What’s just hanging out, there is my zipper down, tell me and, you know, it’s it’s kind of a nice way of finding out versus having someone come in and steal everything. So yeah, you can hire someone to do that. And they, these people, I think have kind of a common thread of always being curious and pushing the limits on what technology can do. And finding, finding ways to do things like it shouldn’t like for instance, you might have gotten like an ant farm when you were a kid, and you get like this, this ant farm but you there’s no ants, you have to ship the ants to you, you have to order you know, to send a little note and say, please send me a box of ants or a package of ants. And when you get those ants. A hacker might think, Wow, this is a way to send ants to anyone. Like I could just send ads to anyone in the world. This is the weirdest thing. And so they have this kind of way of just not thinking the way that things are supposed to be done. But thinking like how can we do this in a totally different way. And let’s see if we can and trying it and they’re just constantly trying to do things that aren’t supposed to be done, just to see if it’s possible. And a lot of times it’s not possible. But then other times like whoops, somebody didn’t close this window, and we can get in this way. And I do think common kind of common with everyone across the board in security is endless curiosity. You can’t just follow the the rulebook or the playbook and think you’re done. You have to say, wait a minute, what if I look at these What if I, you know, look at these indicators here and that over there and just keep being curious on what could possibly do what you need to do. You just kind of have to have an endless and this curiosity for it all in order to be really good at what you’re doing insecurity.

 

Jonathan Bench  29:52

That’s really interesting. I would love to chase that thread a little more, but I want to turn to the topic of law for a minute. because Fred and I are both international business lawyers, and we think about the law as being somewhat helpful. And I tell my business clients that if you’re doing business the right way, you don’t need your contract at all right? The law, the law is irrelevant until you actually need the law. How do you feel like international national laws are doing it addressing hacking issues? How did nations do in cooperating on on dealing with this, which is obviously a It’s the essence of cross border issues? Right?

 

Jack Rhysider  30:29

Yeah, it’s, it’s, I mean, this is something that isn’t like kind of a long standing law, we’re just kind of like learning how to handle it as we’re going and making like new rules as we’re going because all this technology is kind of new to us in the last couple decades. So it’s difficult to a lot of judges that see cases where a student hacked their school, or their police department or something like that. This is the first time they’ve ever seen a cybercrime case before, right. There’s just, it’s, it’s crazy, just that they never had that experience before. And so it’s becoming more more popular, but at the same time, you have police who just don’t know how to respond to some of these things. I think one of the one of the problems is the the Computer Fraud and Abuse Act is what a lot of these people get charged with a violation of this, which was enacted in 1986. Like, think about how different technology was in 1986, when a law came that says you’re prohibited to using a computer in an unauthorized fashion, right? You have to have authorization to use this computer, like how many times have you used a computer without authorization, you’ve broken the law. It’s, it’s it’s a weird and obscure law. And one of the big, one of the big problems that’s happened as a result of this is, while a lot of people are have gone to prison for a long time, because of this law. And, and then there’s some gray areas where people have gotten in prison for this law that don’t necessarily have broken this law. Like, for instance, there’s a story of Aaron Schwartz, who was downloading scholarly research articles from JSTOR, which is kind of a document repository that colleges have access to, but you really can’t get it unless you have, you know, a subscription to the college. And so what he was doing was kind of taking these things behind, sign up sort of a not a sort of a paywall, and then exposing them to the internet, because they’re, they’re really research articles. And so he’s like, I think the world should have this. Right. So he was taking it and putting it out there publicly for everyone. Well, he was arrested and charged with violation of the Computer Fraud and Abuse Act. But really all he was in violation for were the terms of service in you know, that JSTOR had, right. So it was really JSTOR. That, I mean, he had, he had authorization to to get in there and see those documents, cuz he was, I think he was working at MIT or, you know, student   at MIT at the time. And so he was fine there. It wasn’t like he didn’t have authorization. But it wasn’t allowed in the terms of service to post that online. And so that’s where he really broke the terms of service. And if you’re breaking Terms of Service, and that’s the law, you broke, that’s not quite the law. And there’s so many times where people violate the terms of service in the computer world. And that’s considered breaking the law. And there should there’s a tried to be an amendment passed many times, to just say, anytime that there’s a violation of Terms of Service, that should not be considered a violation of the law. That should just be a disagreement between that business and that person who did it. And you know, in in handled in that way, but not like in a federal court kind of way. I’m not sure the difference in how that is, but I’m pretty sure you would, you would understand why there’s a difference there. And I think lawmakers have tried to widen the scope of what the Computer Fraud and Abuse Act can can do, which they think can combat cybercrime more like we need to make it even more broad, so that people aren’t, you know, doing other things. But this is dangerous, because then it just makes everyone pretty much violate this and then the police can just use that whenever they feel like they need to, and it’s not so clear anymore, right? So I think the scope needs to be narrowed on that particular law or revised in a way that you know, is more impactful for cyber criminals and not so wide that everyone would just fall into it if you just surf the internet for five minutes.

 

Fred Rocafort  34:37

So Jack, in addition to being a podcast host, you are also an avid consumer of podcasts. We we heard about that earlier. And by the way, I feel the same way that you do. I can’t I can’t count the times when I’ve taken the long route to a particular place or stayed in the car or or what have you just so I could finish listening to to a podcast? So perhaps you could you could share with us what some of your inspiration inspirations have been. Obviously they don’t have to to be cybersecurity related maybe just some some great podcasts that you could you could flag for us. And, and yeah, maybe some some some pro tips to do us here at Global Law and Business.

 

Jack Rhysider  35:34

Sure, I have probably over 200 some podcasts I’m subscribed to. So I don’t know where to stop stop with this one. But, you know, I think the classics for me, I’ve always been This American Life, radio lab, 99%, visible reply, all these kinds of things, really are just great storytelling. And that’s what kind of drew me in is, is being on the edge of your seat. And the story is, is just really exciting, especially when it’s a true story. I really like true stories. But I also like good conversation, when it comes to introducing me to knowledge or opinions or thoughts that I wasn’t previously aware of. And so it’s, especially in 2020, where I felt like it’s a time for kind of rebirth and revisit, like all all the fundamentals of what it is I believe in in the world and all these kinds of things. So with that I like listening to the Lex Friedman podcast, Tim Ferriss, the Huberman lab, Jocko podcast and Sam Harris. I think these people are challenging my, some of my thoughts and ideas and getting me to think in ways that I never thought before. And that’s really interesting. And then there’s some, there’s some, there’s some series podcasts that are pretty fun, like exit scam talks about what happened to a crypto exchange where the owner disappeared and took all the money. And so they that’s what happened there is pretty wild. And that one’s called Exit scam. And the missing crypto queen is interesting where another scam took place. It seems like and yeah, I could go on and on. But I think I’m just gonna stop there.

 

Fred Rocafort  37:28

Well, Jonathan, I think I think we can we can take this answer as at least partially Jack’s recommendations, he certainly gave us a lot to, to sift through there all. Unless that is Jack, you have any other recommendations, perhaps outside the podcast medium that you’d like to share with us?

 

 

Jack Rhysider  37:52

Like books and songs and stuff?

 

Fred Rocafort  37:55

Yeah, sure. Those are, those are definitely both good categories.

 

Jack Rhysider  38:01

Yeah, I think. I think there’s some really good cyber cybercrime books that are really fascinating, such as sand worm, countdown to zero day. This is how they told me the world ends, those are three that just come to mind which talk about some of the some of the bigger events that have happened in in cybersecurity, such as hacking the Iranian nuclear enrichment plant and integrating their systems and hacking the Ukrainian power grid and just everything there. So it’s a wild stories that are fascinating to get into.

 

Fred Rocafort  38:41

And following following this, this topic a little bit, if somebody wants, I mean, could you provide a, a recommendation or two for someone who wants to listen to your to your podcast and, and they they, they they’re spoiled for choice if you if you had to give them one or two episodes for for them to get started and and hopefully get hooked? Why would they be and I do know that this is a tough question, right? Based based on my own experience, right? Because I I’ve enjoyed recording all of our, all of our episodes, right? So I know it’s hard, but I’ll still ask you to try.

 

Jack Rhysider  39:24

Yeah, um, some audience favorites are one that’s called black duck eggs. And that is where a security team got together. And they they built a really amazing crack team of hackers basically. And then they were paid by a fortune five company to come hack the place. And how they did it was was really interesting. And what they discover is really fascinating. I think another one that is an audience favorite is called Project Raven, which is a the UAE hired some ex NSA people to come I’m over and do some hacking for the UAE government. And it all went bad. And the ex NSA person came on the show and explained what happened over there. And it’s just really fascinating to hear how how things unraveled and what they do over there. And yeah, it’s it’s wild to see this stuff.

 

Fred Rocafort  40:20

Alright, I’ll definitely have a listen myself. Jonathan, do you have any recommendations for us?

 

Jonathan Bench  40:28

I do. But it’s a it’s an unusual recommendation. So a few weeks ago, I attended the silicon slopes conference here in Salt Lake. And there was a company a Utah company called spark XR they built a what they call a sensory pod? It’s really a game, right? It’s an immersive game. But you standing in a pod on a rumble strip, you’ve got goggles on, you’re you’re holding sensors in your hands. And the this wasn’t just any game, right? They they had partnered with a Saudi Arabian company, to kind of make this immersive tour of a UNESCO World Heritage site called alula. In Saudi Arabia. And it’s not just a regular tour picture like your Indiana Jones, who also has access to a hovercraft. And you’re and you’re going through and while you’re going through, you’re pointing at different objects, right? Your goal is to pick up as many historical artifacts as you can, before the sandstorm rolls in, and buries everything in sand. And so I had the experience the opportunity to to try this, I’d never, I’d done a little bit of VR gaming, but not a ton. So this was great, because I was able to stand on the rumble pad, you know, it was it was 360. They had fans around. So it was really simulated. I mean, it was so realistic that I even screamed at one point, because I thought I was gonna run into a rock wall as my speeder was going, it was going really fast. Right? So it was it was fun. It just really cool. So I’ll try and find the link to the company because they’re going to be I think they’re still in fundraising rounds. They’re going to be building these pods and trying to get them placed in a movie theaters. I liked it because it it’s kind of the reason why I like historical fiction. Right, which is you like the Jacksons you get the reality into the story. And so I like, I like that, because, you know, I wouldn’t think about I’m going to, I’m going to play a game that’s going to teach me something. But I like those kinds of games, too. It’s the same kind of reason why I tell my wife that I like Assassin’s Creed, because I feel like I’m almost learning something while I’m playing it right. Now, Fred, what do you have for us?

 

Fred Rocafort  42:26

So earlier this week, I was attending a psychedelics conference in, in Miami and in the lead up to that I I wanted to, to inform myself as much as possible of the latest trends in the in the industry, and so spent that the good part of the weekend looking at, at information online, especially on YouTube, and there’s actually quite a bit of stuff that’s really interesting. But out of all the things I saw, I just wanted to highlight one of the videos. And for someone who really has no no no knowledge of what’s happening in psychedelics and wants to, or has some very basic knowledge and is looking to learn more, I think this was actually a very, very useful clip and very easy to digest. And it’s called it’s titled MDMA could help cure PTSD. This is a Vice News video, you can find it on YouTube and having later when I attended the conference, I was able to, to see some some parallels between the experiences described in this video and what some of the panelists at the conference shared. at the, at the conference, there were there were a lot of athletes who were sharing their experiences and how psychedelics helped them overcome some of the some of the trauma that they that they built up over the years. And in the case of this video, the the main protagonist is a is a journalist, so it’s someone who experiences PTSD from being in a war zone, or being in war zones as a journalist, not as a not as a soldier. So that was added a another dimension to it, and just overall helps highlight what the potential that psychedelics hold for different segments of the population that are looking for, for new possibilities in terms of treating their their conditions. So we’ll, we’ll provide a link in our in our blogs when we when we published the the episode. So on that note, Jack, thank you. Thank you so much for for joining us. Thanks for the recommendations definitely have You know my my work cut out for me. Next time I go into into podcast listening mode. So great, keep up the Keep up the awesome work and look forward to your stories in the future and new cool revelations that we’ll get from you.

 

Jack Rhysider  45:18

Thanks. I had a fun time being here. Thanks a lot

 

Jonathan Bench  45:26

We hope you enjoyed this week’s episode. We look forward to connecting with you on social media to continue discussing developments in global law and business. This podcast was produced by Harris Sliwoski music composed by Stephen Schmidt. Tune in next week for another episode. We’ll see you then.

Transcribed by https://otter.ai