A White Hat Hacker Imagines the Worst


In 2015, Oliver Stone traveled to Russia to meet with Edward Snowden for the making of his upcoming film, Snowden. He took furious notes and scribbled them in a notebook, but when he returned to the U.S., most of the technical stuff made no sense to him.

So he called on an expert to decode the hacking lingo, a man named Ralph Echemendia, also known as “the Ethical Hacker.” Echemendia started hacking at the age of 14, and then started using his powers for good, specializing in cyber-security—his clients include Google, Intel, IBM, and NASA, and the Twilight movies.

Though professionally he’s a white hat, he tends to wear an actual black bowler hat in public appearances, (some kind of meta-joke, perhaps?), like when he appeared on stage in June at the Money 20/20 conference in Amsterdam. The presentation he gave to a crowd of maybe 500 people was, quite simply, terrifying.

“Every minute, over a thousand people in the world get hacked,” says Echemendia, pacing the stage. “In 2015, over 123 million consumers suffered identity theft.” He reminds us that hackers are targeting the crypto exchanges, what he calls “crypto-jacking,” and implores us to “watch your wallets, people.” (Echemendia is also here to peddle his new product, Seguru, an app designed to make our personal data less hackable.)

Echemendia wears a sharp, pointy beard and dark jewelry on his hands, including a ring that’s a prosthetic of David Bowie’s eye. To his left is his collaborator, Mary Aiken, a cyber-forensics expert and the author of The Cyber Effect.

After their talk, the two sat down with BREAKER to talk about blockchain and hacking, cyber-warfare, “misogyny scores,” Oliver Stone, and why we’re closer to the apocalypse than you think. It was a real pick-me-up.

So you first got into hacking when you were, what, 14 years old?
Ralph Echemendia: I was told that if I had a computer and a modem, I would be able to find porn.

The beauty of the internet…
Echemendia: This was before the internet. [The porn] was on these things called BBSs. And so, obviously, I asked my mom for a computer and a modem.

Echemendia: But here’s what actually happened on those BBSs: I met other hackers, and this was the first time I came across something called “The Hacker Manifesto.” And when you’re a teenager, you’re trying to connect and to be part of something. A lot of kids who are into this tend to be socially awkward, or don’t feel like they’re part of the sports group.

Is that “socially awkward” personality trait part of what makes a good hacker? And what does make a good hacker?
Mary Aiken: A dysfunctional personality.

Echemendia: Dysfunctional…that’s a good way to put it. In fact, a good friend of mine once said, “The reason we’re this good with computers is because we are so vulnerable as humans.” We looked inward into our vulnerabilities as human beings, so this computer stuff is easy.

“Criminal behavior used to be driven by domains, by geography… But as all the neighborhoods became connected, now the criminal population has a reach that’s unprecedented.”

But there are many people who are bad with humans. Not all of them are good hackers. There must be something else?
Echemendia: Well, there’s a sort of reverse-engineering mentality. When you look at something, you don’t just look at it the way you’re supposed to.

Aiken: You don’t accept the thing for what it is. You’re just 360-ing around it to actually see, “Well, where is it vulnerable?” As Ralph says, it’s potentially a manifestation of your own awareness of your own vulnerability as a hacker. You look at the system, but you don’t take it at face value. Because you know embedded in that system is a vulnerability, similar to human vulnerability.

And you try and hack into that vulnerability?
Aiken: You’re looking for, “Well, it can’t be as robust as it seems. There’s gotta be a weak point.” And if you think about it, humans design tech. And therefore, absolutely there will be a weak point. So it’s a question of finding it.

The blockchain itself, allegedly, is unhackable, and doesn’t have a weakness. Do you believe that?
Echemendia: Well, first of all, everything has a weakness. Blockchain as a technology is certainly a very secure mechanism to log things. It’s a way of using encryption and cryptography so that the log is not easily modifiable, and at that level, pretty much the majority of blockchains achieve that. But you have to evaluate blockchain in the application that you intend to use it in. And that’s case-by-case.

How has hacking changed since those innocent days when you were looking for porn?
Echemendia: Right, the “good ol’ porn days”…[Laughs.] Back then, curiosity was the primary motivator. It was, “What can I make this thing do?” Because at the end of the day, even when I got the computer, it didn’t really come with a handbook. You turned it on and this thing blinked at you and you’re like, “Okay. What does this thing do? What can I make it do?” Now [for the hacking community], it’s not so much about curiosity. It’s almost entirely about financial gain.

I don’t quite get that. Is there more money out there today? Wasn’t there plenty of money around in the ‘80s?
Echemendia: Back in those porn days, if you were going to do something that was for money, you had to pick up a bag on the corner of the street, you know? There was very much a physical criminal element involved. And that doesn’t exist anymore.

Aiken: But also the connectivity. Criminal behavior used to be driven by domains, by geography. You know, here’s a “bad neighborhood,” and you may have more crime in that bad neighborhood. But as all the neighborhoods became connected, now the criminal population has a reach that’s unprecedented. We are all living in a state of ubiquitous victimology, where we are all high-risk victims, all of the time, in terms of our exposure to cyber-criminal activity.

How have crypto and blockchain changed the hacking game?
Echemendia: The definition of money is now changing. And the power is now behind money. Before, power was based on an army. You had physical power.

Might makes right.
Echemendia: Exactly. And that’s not the case now.  One person with the right amount of knowledge has the power to take down a country. Or change a country.

Aiken: That’s the thing. It costs a lot of money to be a superpower in a real-world context. You need an army, a fleet, an air force. To be a superpower in cyber-space, what you need is about a dozen brilliant scientists and lots of computing power. That’s it.  Anybody could be a player in this space. Literally anybody.

OK, before we get to the apocalypse, a quick pop-culture question. Ralph, you’re a consultant for Hollywood. When it comes to hacking, does pop culture get it right or wrong?
Echemendia: Well, in most cases, I think they’ve gotten it wrong. But even the wrong had a right to it. So you take things like the Hackers movie. You know, we think it’s a great movie.

Echemendia: There’s nothing right about it. But that’s why we think it’s a great movie, because so much of it is just made up. Even the dialogue was completely wrong.

That’s funny.
Echemendia: But we love that about it. And then think about movies like Sneakers

I love that movie. An overlooked gem.
Echemendia: Yes. And that’s very much a very accurate depiction of hacking back then.

How was Oliver Stone with the hacking stuff?
Echemendia: Well, Oliver, when he’s in movie mode, that’s all he thinks about. He doesn’t see anything else. I have no idea how his brain works. He puts everything in little a notebook. I think you would look at it and go, “This is crazy.” But it works.

How did your collaboration work on Snowden?
Echemendia: I was working with him from the very early beginnings. In fact, I took Oliver to DEF CON, the hacker convention in Vegas, before the Snowden disclosures happened. Oliver and the writer, Kieran Fitzgerald, would go to Moscow and basically meet with Snowden and come back with a ton of written-down materials. And then we would all sit together and go through that.

So you’re sort of decoding it all?
Echemendia: It was so immersive because Oliver didn’t know half the stuff he was writing down. He was like, “What does this mean? What does this mean?” He was writing it down, but he had no idea what they were talking about. So I would have to put it into context, and then ultimately that would be filtered down to the actual story.

Interesting. Speaking of Moscow… How nervous should we be about, say, Russian hacking?
Echemendia: I think what we should be nervous about is really the lack of awareness.

In what sense?
Echemendia: First of all, we’ve been hacking each other since before computers existed.  So spying and all these type of things have existed way before. What we’re talking about is influencing. Before, this would have involved gathering thousands of people in a square and giving a great speech.

Yeah, Mussolini style.
Echemendia: Exactly. Here, it’s no different. The only difference is that the square is this environment that we call “cyberspace.”

Aiken: The human senses that we have honed for hundreds of thousands of years can fail us in these lean environments. So basically, we can become more vulnerable because we don’t fully understand our behavior in these environments. Everybody talks about behavioral manipulation online. Very few people actually understand, “Well, what does that actually mean?” That’s [more important] than asking “Should we be worried about Russia?”

What does “behavior manipulation” really mean, and how scared of it should we be?
Aiken: There’s a myopia in taking the lens that we’ve had from the Cold War, and then trying to apply it in an age of technology. You’ve got to factor in cognitive dissonance. Cognitive dissonance [in this sense] is looking at something like, you know, you like to drink red wine with your dinner. You know that alcohol’s bad for you, yet you choose to drink it anyways. That’s a cognitive dissonance. When you look at cognitive dissonance with how we use technology, people offer up lots of their data. We say, “Oh, here’s a fun psychological test. I’ll do this just because I want to see what my score is.”

Echemendia: “What animal am I?”

What does my soul smell like?
Aiken: Exactly. It’s strange. So the point is that you say, “I’m fascinated by this, and I want the information,” and you’re not thinking about what could go wrong. So with the people who completed the Cambridge Analytica Psychometric test, that data was harvested. So, if you were on LinkedIn, I could look at your connections, all 2,000 of them, and I could give you a score on “misogyny,” and I could give you a score of “racism,” just looking at your network.

Please don’t do that!
Aiken: Say you use Facebook. I could look at how often you post, how quickly you react to something else on Twitter. How quickly you retweet, or how many things you like and the interval in between your likes. I could give you a score on “impulsivity” and how compulsive you are. Now I can build a profile, and then I can design into that.

The point is that when you extrapolate all this information, first of all, I’m not just profiling you. I’m profiling your network. And then I’m looking at your behavior, and I’m extrapolating lots of different data points. Now when I have all of this information, how easy is it going to be for me to engage in cyber psych-ops? To start gaming you and actually playing with you? And moving you along a line of what we would describe as almost Socratic reasoning, where you’re hauling somebody along this relentless line.

What does that mean exactly?
Aiken: Well, what I can do is begin to architect a filter-bubble around you that actually reflects some of your innate biases and dispositions that you may not even be aware of, and then begin to nudge you along this spectrum. Now, if you have all of this happening in an online context, and let’s just say, theoretically, you can get a political leader to stand up, and every so often say something that’s misogynistic, or something…

“I think that within the next ten years, a country is going to go down. A medium-sized country. And all of the financial institutions in that country will go down.”

Aiken: Hypothetically. And now you can orchestrate. That’s the ultimate hack. So you can have somebody pushing buttons out there in the real world, and now you react to it, and this echo chamber creates negative feedback loops. Now can you imagine somebody gaming that. Now can you imagine them doing this in the real world and in cyberspace, and doing it simultaneously. That’s where we are.

Yikes. Well, now I’m almost afraid to ask, but what are the other cyber-risks that we don’t think enough about?
Aiken: In my area, forensics and cyber psychology, we say, “Start at the apocalypse and work back.” So let’s think about the apocalypse. The apocalypse used to be an attack on critical infrastructures, right? Now we’re talking about IOT [internet of things], a trillion connected devices attacking all infrastructure.

Attacking all infrastructure?
Aiken: Yes. Attacks on all infrastructure. Now take that concept and you target a country, and attack all of its infrastructure.

How likely do you think this is?
Aiken: I think that within the next ten years, a country is going to go down. A medium-sized country. And all of the financial institutions in that country will go down.

Echemendia: Like Estonia.

Aiken: Now when a country goes down, it could send a shock through the financial services sector. And then we’ll have to go back and we’ll go old-school while everybody recovers. And then, out of that, we will have to rebuild, and actually rebuild properly.

I see. What can we do to prevent this dystopia?
Aiken: Well, first of all, and this is just my opinion, I would break down the internet and rebuild it. Really. That’s where I would start. Actually, fundamentally build a new internet. One that’s designed for security.

Okay, we can’t go out on that note. What advice would you give to young hackers starting out?
Aiken: Think about a career in cybersecurity. It pays really well.

Echemendia: We need them. Everybody needs them. And they can keep having fun with what they’re doing.

Aiken: And the bonus is no jail time.

Last question. If you had $1,000 right now, is it safer in a U.S. bank or safer in crypto?
Echemendia: None of the above.
Aiken: It’s safer under your mattress.