Ethical Hacker Ralph Echemendia: Transparency is a double-edged sword

Estonia is known around the world as the country of e-residency. Since the launch of the e-residency program at the end of 2014, more than 60,000 e-residents have established around 7,500 companies in Estonia, employing over 1,300 people. One of these e-residents is US-based Ralph Echemendia, an internationally renowned cyber security expert known primarily for his alter ego, The Ethical Hacker.

Ralph has trained organizations and companies such as NASA, Google, Microsoft, Oracle, IBM, Intel, AMEX and Boeing on cybersecurity. In addition, Ralph has worked with award-winning directors in Hollywood and has been a technical director for films such as “Snowden” and “Savages.” We met Ralph and talked about cybersecurity, the challenges of the information age, and the birth of innovation.

How did you get into computers and start using them for activities they were not designed for?

A deeper interest in computers grew out of a hobby that began with learning about amateur radio (or HAM radio). I was fascinated by how it was possible for me to talk to someone from across the world. I started to study frequencies. At one point, I got a newsletter in Miami called 2600. It taught me how to make a device called a blue box. For example, you had to buy a specific type of crystal that generates the required amount of megahertz. I began to realize that telephone systems work with acoustic signals. Soon we were able to make free calls with friends.

How did you start applying the knowledge you gained?

I was 14 at the time. The first technological tool I used for non-intended purposes was the HAM radio. I lived near the airport and wondered if I could talk to the pilots. I tried! Soon I saw a US Federal Communications Commission car driving around. An attempt was made to capture the signal. Of course, my activities were completely illegal. I never tried it again.

On the other hand, I remember lots of fun situations. For example, I took over the drive-in kiosks owned by Burger King and McDonald’s. I found out the right frequency and when people started ordering, I managed to talk to them. It was fun! Unfortunately, one of the managers finally realized which car with an antenna to look for near the kiosk. As time went on, I began to discover the potential of phones and computers. I have a friend with whom I grew up in a technological sense. His brother was an electrical engineer who worked on computers. That’s how it all started. I learned to do computer tricks that I had done on the radio before. At the same time, the level of computer security was not high. As there were no passwords, it was very easy to connect to other computers.

It seems like there was a lot of innocence in cyberspace at the time. By contrast, in today’s analysis of cyberspace, this innocence has disappeared. How and when did it happen?

The change is related to the shift in motives. In the early days of cyberspace, curiosity was the main motivation for exploring it. People were curious about what would happen if one thing or another were put into work. They tried and tested to find out. There was no motive to get rich as a result of one’s actions. Another motivation, besides curiosity, was the desire for revenge. For example, after being abandoned, the young man wanted to hack as many things about the girl as he could. However, with the widespread adoption of the Internet, rapid changes were taking place. From the mid-1990s, financial motives began to become more and more apparent. An illegal cybercrime world emerged that was crowded with financial interests. At the same time, the cyber security industry was born.

What is a hacker’s everyday life?

There is no place for routine in a hacker’s everyday life, as tasks and activities are rapidly changing over time. For me, one of the many charms of hacking is that no day is like the previous one. A hacker will never operate in a completely familiar environment. Tasks and problem statements are always different. In addition, the situation changes every minute or hour.

It’s like a hacker who is constantly looking for new ways to create incentives that trigger a response.

In doing so, responses must be consistently evaluated and the incentives to send one or the other must be further elaborated.

How much of the stimulus discovery process takes place in the technical world in 2019 compared to the human world?

The incentive discovery process is active in both directions. However, it seems that the stakes are being redistributed in the scoops. While in the past most of the discovery of incentives in the technical world took place, today we see it much more happening in the human world. Take, for example, how much data manipulation or misrepresentation is taking place in the world. Techniques have little to do with this trend. The rest is very human-centered.

What does this mean?

A good example is that nowadays cyber campaigns are led by psychologists who are hired by large teams. In the past, collecting data and drawing meaningful conclusions from their patients required several hours of meetings and different types of activity by the psychologist. On the other hand, today, data is absolutely everywhere around us and can be easily obtained. As a result, it is psychologically much easier for people to be assessed and attacked than before the proliferation of computers and data.

Ralph Echemendia.

Which is more exciting for you: to hack, or to detect an attack yourself?

The hacker’s job is to avoid getting caught. It must be like a ghost. As a true ethical hacker, I finally have to share what steps I need to take to catch me. This feedback is an input to the growth of cyber security.

The role of an attack detector is not as exciting as that of a hacker because there is no likelihood of being caught. Much of the fun and adrenaline is gone.

Yes, as an ethical hacker there is no risk of me being really jailed. Still, the idea that someone can hit me with the action is challenging. The task of the attack detector is to go through the list of actions and to delete lines that do not help the hacker. He looks for signs of specific activities. If one or another character is not detected, it is concluded that it cannot be a hacking method. I would argue that a true cyber security expert must have experience on both sides of the front line. A person who attempts to identify an attack but has never been hacked himself is unlikely to understand the various ways in which an attack can be used.

How much have you been influenced by cyberpunk literature? For example the work of William Gibson.

Huge. I consider “Hacker Ethic” and “Hacker Manifesto” as the most influential works that shaped my thinking about hacking and the wider cyber world. At a young age, I did not believe that hacking could become my profession. I only saw it as a hobby. There is a time in every young person’s life to try to make sense of their role. I, too, wanted to understand where I really belong. There are always popular kids, but I felt I was not one of them. Thanks to the computer world, I suddenly discovered a place where I fit in perfectly. There were no faces in this world or space. It lacked any physicality. It existed on machines. Thanks to cyberpunk literature, I came to the peace and recognition I belong to.

Let us briefly compare the world that William Gibson imagined to today’s reality. Are things better or worse?

I have worked with several writers, directors and directors. One of the most exciting conversations I had was with the director who founded the Science and Entertainment Exchange project. This is a program of the US National Academy of Sciences. He said, “Ralph, some believe that life mimics art, but others that art mimics life. The truth is, life imitates art, not the other way around.” Thoughtful, isn’t it? Many topics exist in today’s science simply because they were created by artists, writers, or other creative people in their books, movies, cartoons, or other media. Therefore, we only think of these objects or themes as a result of their creation. It’s fascinating!

So cyberspace only exists because some people dreamed about it in the 1980s behind a typewriter?

In essence, yes. We have cell phones, for example, because in the 1960s Star Trek characters used devices that resemble modern cell phones. Children, whose imagination was activated, watched series and programs and read books. They were inspired. As a result, a number of outstanding scientists grew up. They did not invent objects. They were created by art and science tried to make them real.

Today, many people continue to be fascinated by the idea of a teleporter. Why are we working on this? Because no one wrote about such a device in a science fiction novel. Someone imagined it in their mind’s eye. Such people are often not scientists. True, there are exceptions. The most powerful imprint is often left behind by people who are both dreamers and scientists.

I am acquainted with the history of Estonia. The more I read about Lennart Meri, the first president of the newly independent Estonia, the more he enchanted me. He was a director and writer who was fascinated by the film industry and the literary world.

Yet he became a magnificent head of state who, despite the nature of his dreamer, was able to speak convincingly about different areas of the “real” world.

It seems to me that Lennart Meri was constantly looking to the future, but he was able to build a journey to further afield so that people always had confidence. As a head of state, he was a dreamer by nature, carrying the ability to put his thoughts into practice in “real” life. The presence of these qualities in one person is amazing. On the one hand, such a person understands the creative process and, on the other hand, the mechanisms that make the idea a reality. Such people have a great responsibility in the development of society.

So don’t you sketch or verbalize things you don’t want to become a reality? After all, a fellow citizen might pick up an idea thrown in the air as an inspiration.

Exactly. My good friend is Bob Marley’s son Damian Marley. At the beginning of our acquaintance we were together in the studio. I realized that the music world was moving towards digital. There were no tapes in the studio anymore, but the music moved to the hard drive through the computer. I asked, “Damian, what happens if the hard drive fails?” He replied, “Be careful with words, Ralph!” I wondered what he meant. Damian said it’s one thing to think and another to put his thoughts into words. From the moment thoughts are verbalized and spoken, they begin to live their lives. Formulated thoughts become reality. “Ralph, please don’t say these kinds of things in the studio, because the moment a person verbalizes their thoughts, they become real life,” said Damian. So it is true that the person who imagines, sketches or verbalizes something has a responsibility.

Ralph Echemendia. Photo: Borna Filic / PIXSELL

How to build an organization or even a country that is resilient in cyber security?

I often use the term resilience when talking about cyber security. I had an interesting conversation with a woman in Estonia. She asked, “Do you know where durability comes from?” “It comes from hatred,” she said. Such a statement was surprising. We talked at length and I accepted that position. A person, organization, system or state becomes resistant to what they hate. The hate emotion is so negative that we don’t want to experience it again. So we start looking for ways to become more resilient so that the hate emotion doesn’t repeat. Let’s explore how to protect yourself from the hateful thing. A conversation with that woman made me think that the concept of endurance is related to the term “hate”. We adapt and try to cope with the situations that turn life on.

As humans, we are only reactive. This brings us to today’s big cyber security challenge.

I often use the term “safe” when talking about cyber security. For me, “durability” and “security” are safety components. We tend to use the term “security” very lightly. Unfortunately, “security” is not a word with a positive connotation. In contrast, “safe” is. We all want to feel safe in our daily lives as well as in cyberspace. In a situation where the term “security” is used too often, people want to become detached from it. It is perceived that power is exercised over man in a bad way. This is an important issue for cyber security. It is important to change the narrative in people’s heads when it comes to security. I emphasize that cyber security is inherently a security issue.

What are today’s major cybersecurity challenges?

Developers and programmers need to understand that, like electrical or railway engineers, for example, mistakes must be constantly learned. Safety is a priority in the physical world. Otherwise, there would be an increased risk of an accident and derailment, with disastrous consequences. The problem we face in the digital space is that the consequences of action are often not visible. No blood or tears. Unless we are individually concerned. Because of this we are sort of disconnected from cyberspace because it is not physical and consequently “real”.

How did you become an Estonian e-resident?

I have always thought that e-residency is a great idea. I appreciate that everything related to e-residency is transparent and controllable to me.

When speaking about the Estonian business environment in general, Estonia has a much higher level of transparency and control than other countries I have visited. I am also interested in the e-residency program in support of the Estonian start-up ecosystem. In addition, the e-residency program is pioneering in the world.

Before deciding to apply for an e-Resident, however, I did some thorough groundwork. Exploring different materials further increased trust and interest. The idea of being able to set up a company in Estonia as an e-resident, use Estonian e-services and run a business wherever you are is immeasurable. Taxes, contracts, and other such everyday companions for the entrepreneur are electronically managed and conveniently executed anywhere in the world. Estonia has built a state that is not bound by its physical borders. That’s great. I’ve never seen anything like this before.

What is your relationship with Estonia and what has the e-residency program brought to you?

The e-residency program opened the door for me in Estonia. You have created something in the form of an e-residency program that no other country in the world has. This is Estonia’s business card on the international scene.

The people of Estonia should be very proud of the opportunities that the e-residency program has created for many people around the world.

It also creates opportunities for Estonian people and local businesses. I fell in love with Tallinn right now. Today, I have lived in Estonia with varying success for over two years and have visited most of Estonia. I’ve learned a lot about your wonderful country and its people!

From the point of view of cyber security, what are the important activities that Estonia has to do in order to maintain or increase the level of cyber security today?

It is important to remember that transparency is a double-edged sword. On the one hand, transparency brings certainty and comfort. On the other hand, there is a lot of information about our different activities everywhere.

One aspect that has to be constantly emphasized when it comes to transparency is that, if we can apply transparency wisely, it will reduce the value of data misuse. Value exists only if there is something secret in the game. If there is no element of mystery, there is no value. A piece of information is not valuable if everyone has access to it. Transparency is therefore really a question of creating value. Thinking about the Estonian government, I have never felt that the Estonian government is anything but a service organization. I feel that the government’s goal is to provide people with a service. This is the opposite of, for example, Russia or the United States, where governments have a very firm agenda in addition to serving the nation.

A good example is the case of Edward Snowden. If the government knows of my movements or services, in the United States it is called Big Brother. Even though Estonia has an ID card with tremendous potential, I have never heard the Estonian government associate it with the Big Brother. As an Estonian e-resident, I have never had the feeling of a Big Brother in Estonia. Rather, I admire the way Estonia provides services to its people through technology.

As a former civil servant, I must say that this is probably the best compliment I have ever received.

You are welcome. This is exactly how I think and think of the Estonian e-state. I have traveled a lot and experienced how things are going around the world. In Estonia the feeling is quite different. Your e-government is up!

How dangerous can we view technology in today’s information age?

In most cases, the problem lies with the person, not the technology. Figuratively speaking, technology is like a hammer that we can use to build or demolish. Technology is just a tool. As it is an economically profitable tool – I come back to the motives – I ask who the real offender is. Is it the cybersecurity or the cybercrime community? The cybersecurity community is, by its very nature, somewhat criminal, making cybersecurity a multi-billion dollar cost that we, as individuals and consumers, pay for. Unlike the cybercrime community, they do not have to sell the value of the data to anyone. They simply get the data. At the same time, the idea that cybersecurity is important and people do not realize it until they get hacked is constantly being sold.

“Snowden” director Oliver Stone was interested in cybersecurity. I brought him to Defcon, a hacker-friendly gathering in Las Vegas. Oliver asked questions to about a dozen people in the room. Among others in the room was a gentleman whom Stone asked, “Is it true that the US National Security Agency can listen to our phones?” The man replied, “You see, there’s a metal bin. On closer examination, you notice that everyone here has phones.” Stone continued, “So can the US National Security Agency listen to our telephone conversations?” The gentleman replied, “Yes. I was one of those who wrote software that made it possible. I work for the US National Security Agency.” Stone stopped. He wondered how it is possible that someone who has said at a meeting that he wants to promote decentralization has created a program that lets you listen to speeches. Stone inquired on whose side the gentleman was, in fact. The man replied, “You probably have a hard time understanding it. The community I grew up in has no strict boundaries. We are just people and we are constantly commuting between different parties. My principle is that I don’t let bad things happen to good people. This is my personal ethical choice. I am not on anyone’s side, but only for humanity.”

A few months later, Snowden’s revelations came to the public. I note that the gentleman with whom Stone spoke was not Edward Snowden. Yet this is a vivid example of how someone makes a decision that will change their lives. Snowden saw something was wrong and decided to tell the world. Has this event brought about major changes? Probably not. However, awareness of such incidents will hopefully help humanity to interact better with technology.

When we talk about technology, we often talk about right and wrong. I once talked to a technology friend of mine. We came to realize that it is people’s short-sighted arrogance that makes us value the previous, present or next phase for better or worse. In reality, for better or worse, there is no such form. We’re just evolving. We will continue to develop regardless of the decisions we make. All decisions are driven by evolution. The same goes for technology. It is not possible to speak clearly of good or bad decisions, but the choices made shape humanity.

Andres Kütt

Andres Kütt is a long-time IT architect with a degree from Massachusetts Institute of Technology (MIT)