tv The Communicators CSPAN October 29, 2012 8:00am-8:30am EDT
8:00 am
had bin laden stands on all the billy budd how's that for irony? but after that, things kind of changed in the world trade center bombing and september 11 of course we all know what happened that day. i was actually flying that morning. we had come back from the middle east, from another rotation, and a monday, september 10 was her first day back. ..
8:02 am
>> we want to introduce to you robert o'harrow who is an investigative reporter at "the washington post" and has been writing an occasional series on cybersecurity threats for that newspaper. mr. o'harrow welcome to "the communicators." >> guest: thank you for having me. >> host: what is a zero day? >> guest: a zero day is the name that hackers give to a gap or vulnerability in the software that lets a bad guy into a computer system. these gaps take a lot of forms. they have not been previously discovered and so there is no way to block them. when a hacker has a zero day with the right tools and skills, that hacker can break into a system and take control. a zero day is also known as an oh day. >> host: how would you describe the series you have been writing for the post?
8:03 am
>> guest: it's really the mission i should probably describe. we were looking into cybersecurity and cyberwar. the pentagon had declared cyberspace the environment of people and machines and networks as the new domain of war and yet, we realized that maybe one in 1000 people really understood what cyberspace was and the degree and depth of the vulnerabilities. so what we are trying to do in the zero day series is to take pieces of it and explain the fundamentals and the platonic idea is that everybody from my mom and dad to congress and people around the country can understand, and so maybe start the process of coming up with ways to defend cyberspace better. >> host: mr. o'harrow if you look at cyberspace in the united states right now, how would you describe security overall?
8:04 am
let's just describe maybe break-ins in the neighborhood. >> guest: in the spirit of explanatory mission we have to can't really talk about cyberspace and the united states. a computer user in washington d.c. or in wichita or san francisco is effectively working shoulder-to-shoulder with a computer worker in beijing or in moscow. there is literally milliseconds of difference in space and time in cyberspace. so i thought i would point that out. as for the security, the reality is that it's almost remarkable how vulnerable computer systems are. cyberspace is not what most people think it is. most people now equate cyberspace with the internet, but if they want to be clear about what cyberspace is i think it's important to note that it's the gps system on the new cars. it's the iphone and the droid.
8:05 am
it's jet fighters and jet planes. and anything that is driven by computers -- excuse me, by computer code and is linked to networks can be a part of cyberspace. the vulnerabilities are almost stunningly pervasive. >> host: can you give an example? >> guest: well, sure. charlie miller who is a former government hacker who worked on the good side is now a security specialist. the great hackers of the world. he last year decided to explore vulnerabilities and he found a vulnerability in the iphone that, when he deployed it the right way, this was for a contest, enabled him to take over a portion of that iphone. industrial control computers run water systems and electric grids and so on.
8:06 am
last year, a disgruntled hacker abroad went into a water system in south houston, in texas and got control of those computers. the list goes on and on. there are hacks of google and rsa. there are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day in the world. probably the most phenomenal attack involved a worm called stuxnet and in that case, the united states government i think working with israel that the united states government developed a computer worm that went into the nuclear process facilities in iran and disrupted the centrifuges. >> host: so it was developed by the u.s. government? >> guest: yes according to the reporting.
8:07 am
>> host: what was its purpose? was it a defense mechanism by the defense department? >> guest: no, it was a purely preemptive effort to slow the nuclear weapons processing capability of iran. >> host: you mention charlie miller and mr. miller is in st. louis and he joins us today on "the communicators." mr. miller, what was your goal in breaking into the iphone? >> guest: in that particular case it was for a contest like robert mentioned. they had hackers across the world and they had various devices. if you break into a device you can win some cash and the device also. i won the contest a few times. earlier my career was more about showing things like iphones or you know, apple software were vulnerable because it really was an believe that it was but now
8:08 am
it's just -- i have shown vulnerabilities in the iphone and attacks where i can send a text message to the iphone and take it over. all these are fixed now. part of the contest is all these vulnerabilities being fixed. a fun way to show off your skills and so everyone gets protected by the attacks it. >> host: how long did it take you to break into this iphone and from where did you do it? an office or where? >> guest: okay, so the iphone -- i mean at the time it only took a few seconds but the preparation took time so it probably took me you know maybe a month of preparation with an accountant of mind. a few weeks of looking for a vulnerability and a few weeks of taking a vulnerability and making it into an exploit to attack the phone. the actual attack, the security conference in vancouver so i was actually physically in vancouver and they had an iphone there
8:09 am
and i attacked it and stole a bunch of data off of it and that was the proof. >> host: charlie miller could you do this from your living room? could you break into a bank, break into other devices from your living room? >> guest: that's the amazing thing about cybersecurity. we are all connected, mostly so any device on your phone, your computer. in the future your refrigerator anything that's on the internet you can get people basically anywhere. that is one of the things that makes defense difficult. you don't just have to defense -- [inaudible] >> host: robert o'harrow described you as a good guy hacker. what does that mean and what is the motive of some of the black hat hackers? >> guest: okay, so the white
8:10 am
hat, the good guy hackers was explained so we are the guys who you know, we develop the skills to do the same things that the bad guys can do so we can break into computers but instead of actually breaking into and stealing information and causing problems, we tell everyone what we did and try to work with vendors to make their products more secure and give talks about security and how to make it better so while we can break in and do harm we don't. we show how you can break in to improve security. on the other hand there is the actual bad guys and they have motives from just teenagers goofing off and trying to impress their friends to actual organized crime, trying to steal money and credit card information to governments trying to commit espionage and cyberwarfare so there's a whole range of hackers on the black
8:11 am
hat side. >> host: we didn't get a whole lot of your bio, but we understand you worked at the national security agency for a while and are now with twitter. what did you do with nsa? >> guest: i worked there for five years. i worked in their computer security group and i can't say a whole lot more than that. >> host: and you are with twitter now, correct? >> guest: yes, so between that time basically for the last seven years before twitter i just started a couple of months ago -- i was as a candidate the consultants of the company i work for we become men and basically take the role of the bad guy and break in and show how they can do better where the real bad guy can do that. >> host: robert o'harrow were you able to get in contact with any bad guy hackers and learn why they were doing this and what their motives were? >> guest: i have talked to
8:12 am
that hackers and the motives are as charlie said, all over the place. i have watched details about that hackers and we know for example that some of them are prepping, infiltrating systems with long-lasting threats in the event that there is ever a cyberconflict or a cyberwar about -- power grids and national labs in corporate systems all over the united states have already been intruded on and it is believed that there are present -- lots of espionage is occurring. we know that groups in russia and china for example that work regular hours breaking into systems and stealing information. so the motives are the same
8:13 am
motives that you might find with any array of bad people, money, manipulation, intelligence and prepping for cyberwar. >> host: charlie miller, for casual users or regular users of the internet that may use them for on line banking, surfing the internet and sending e-mails, what kind of protection would you recommend to those people? >> guest: well, the regular -- are in a pretty good place. we have, by we i mean the security industry, has been working for quite a few years in trying to make that sort of thing secure and it's pretty good so if you just use your browser and you have an antivirus, you can go to random sites and download things, you're in pretty good shape. the biggest risk of say like your phone, we talked about the
8:14 am
phone -- iphone attack earlier. you are way more likely to lose your phone in a bar and have a bad guy attack your phone. the one side is if your attackers are in organized crime, you can play it halfway safe and you're not a big target you will probably be okay. more interesting i think is when you are the u.s. government or google or the white house and no matter what you do you are still a target and your attackers are going to be teenagers, whole branches of government, military and other countries and there we don't really know. there are a lot of open questions there. >> host: we are going to follow up on charlie's remarks. one of the things that is really interesting is cyberspace is a collection of machines and people. people are part of the network. the very very worst bad guys have taken on something called social engineering as a way of
8:15 am
attacking and you may not be as inherently interesting target but you may be vulnerable to social engineering because essentially what they are doing is trying to pretend to be your friend, family member. after doing homework they may send you an e-mail or direct you to a web site that is loaded with the attack code and if you are related to someone, that they are targeting or if you work at a company that the bad guys want to target, you may fall prey to this social engineering and there's almost no way to stop it because of the clever nature of it. recently, we did a story about chinese hackers who were going after gas pipeline companies, intelligence, contractors here in washington, security consultants and others and it was all part of the same campaign and it looked like part of an espionage effort. it was based on social
8:16 am
engineering messages that look like they were coming from in house but they were really coming from hackers. >> host: charlie miller we talk about chinese hackers or iranian hackers. who are these people? are they employed by the government? where? >> guest: we don't really know. we can trace it somewhat but it's difficult. if a computer here in washington d.c. is attacked, we can trace back, oh that came from a computer in china but that is not to say there is a person sitting at the computer in china. maybe the attack came from the computer which came from a computer in korea which came from a computer in germany which came from a computer in moscow so we don't really know. it's difficult to trace those attacks and it's one of the major differences between cyberwar and conventional war. if someone drives a tank across your -- you know they did but if you get attacked you may think it's the chinese but you're not really sure and you don't know was this
8:17 am
a teenager, was this the chinese army and it's difficult to ascertain where the attacks are coming from and who is doing it. we have guesses but we don't know for sure. >> host: . >> guest: charlie is alluding to the sort of core nature of what cyberspace is. it's networks of networks and because of the fundamental architecture of these networks, data bounces from computer to computer all the time and when he describes somebody in germany who might be sending something through a computer in south korea that might be going through china, that is hop skip and jump data for cyberspace. it brings up a really interesting issue not just the cybersecurity but with cyberwar because if you don't know precisely who is attacking you, what they are calling attribution, then how do you respond in kind to prevent
8:18 am
hackers and that is one of the great dilemmas that our military has. how do you hold them accountable for stealing, damaging and what not? one belief and hope that the nsa and i do actually has cracked this problem to some degree but the attribution problem, corporations, and many government agencies is a difficult problem in this digital age of ours. >> host: robert o'harrow in your series you write about a company called tridium. what is that? >> guest: tridium is a company in richmond that came up with a really interesting idea not long after the web browsers were released and the use of the world wide web, which lays over the top of the internet makes it real easy and we all take it for granted now. it was becoming common. what they did was they realize
8:19 am
the web browser could be like the universal control that could direct devices anywhere in the world that were connected to the network so for example the security camera. you could use your mouse to have the security camera look left or look right. sitting in washington and controlling the camera. heating systems all over the place. you might be controlling five buildings, high rises, elevators, medical devices to some degree and also access control for security. let's say the pentagon facility which is a real example but it turns out that tridium became so popular and moved so quickly -- >> host: is it profitable? >> guest: one assumes they were acquired by honeywell several years ago but they are very popular and they grew very
8:20 am
quickly and it is used in 52 countries now. but it turns out that it was vulnerable to a very well-known, rather old, vulnerability that the hackers knew about and everybody knew about for years. so i thought the story was valuable and instructive because it showed that the gee whiz component had sometimes blinded software makers and manufacturers that lay within reach and sometimes crowded their view of risk so that they rushed forward with technology secure as it probably should be. charlie has given some terrific talks about the infected structures for software makers and whether or not they are properly probably in balance to make sure that they are secure with their software before they
8:21 am
release it. i will let him speak for himself. >> host: mr. miller if you would speak to that. >> guest: sure. we are in a situation where we all run code that was written by a vendor like microsoft or apple or whoever and the problem is very difficult to write secure code, secure code that is -- from vulnerabilities and it's hard to measure so even an expert like myself, it's difficult for me to tell you what given two programs which one is more secure than the other. so it's hard to measure and people don't want to necessarily pay for that so we all want to buy the latest gadget when the iphone comes out or whatever and we don't really think to ourselves that, how secure is this and maybe i shouldn't buy this. companies, they are out to make money and that is what they are there for, so they want to push products out the door and they want to beat their competitors and have the newest features but they don't necessarily want to take the time to make sure their
8:22 am
products are written securely. consumers so far haven't really demanded it. so we all use the software and we are all vulnerable because software is written in a way that was intended to process features and not maximize security. >> guest: consumers, people have not asked for more secure products for the most part. that is related in part to the fact that very few people really understand cyberspace and how it all works. we all love the benefit. it's miraculous. i would venture to say that charlie is among those who are thrilled with the miracle of the internet and all the networks and the computing power and the benefits to all of us in society, but the fact is, many people are afraid to actually confront the trade-off that comes with all these benefits
8:23 am
and one of the things we are trying to do today is not to scream the sky falling because it's not to try to make clear those trade-offs so that people can start making better decisions. and can start asking about security and in some ways maybe eventually ask the companies that are making technology and writing the code to shoulder the full cost, which i would argue involves creating a secure product. >> host: charlie miller what about when it comes to social media and the sharing of information that we as consumers do with google, facebook etc. etc.? does that lend itself to less secure networks? >> guest: it doesn't affect the network per se but what it does is, it puts a lot of our information and some of that prior information out there so if you never connected to the internet no one would know what you were doing, if you are
8:24 am
dating someone but with facebook information is there. it's still out there on a server somewhere so some bad guy could get to it if you wanted so i think if you consider that you know a while ago, no one would ever agree to carry around a tracking device, but now we all carry around cell phones and no one would have ever let anyone read your e-mail but right now a lot of us use e-mail and all of our e-mails are stored on a server at google so it's interesting we as a society have given our information out and whether we wanted to be for everyone or just a few people, it's out there or on someone's server so people can get to it. that sort of changed the whole way of -- >> host: so are you finding as a security consultant that the social media so the world, the
8:25 am
twitterers and the facebook and the googles etc., that they are leading in security precautions or not? >> guest: well, some of them certainly are. google makes a show the show for sure for having web browser and from and that but right now not too long ago they were attacked by the chinese and they were able to get into their networks and get to a lot of data. that's about to get hit and it never example 10 years ago they started a program to produce newer software so back when windows 98 was around it was awful but now the new version is quite good. a lot of times they are trying to make it better but still every month when you download a new patch that is because someone has found a vulnerability so we have a long way to go and we are all vulnerable because of it. >> host: robert o'harrow?
8:26 am
>> guest: a couple of thoughts. one is the threat i'm pursuing right now is part of my series. it turns out that a lot of people have gotten into the electronic health record. i'm just now learning that a lot of those records that are being created as part of health care reform are being kept on remote servers. in fact doctors who have your electronic health record don't have the records any more. they are being kept by contractors and charlie figured out. the other thing that's really interesting is i think that the software makers and the vendors really get credit or ought to get credit for improving security. things are much better on a lot of products of software than they were five years ago or 10 years ago certainly. what i've been hearing lately over and over again is that the bad guys are getting --
8:27 am
and the good guys are getting better. the attack, the cleverness and the way of evading tax are improving faster on the good side of things. and of course that is very troubling in part because when you boil it all down, no one still fully understands what happens when billions of people and billions of devices interact in cyberspace and the bad guy takes advantage of those clouds. >> host: charlie miller what is your message to congress to the department of homeland security and to dod? >> guest: well, i guess it would be that we spend a lot of time, we are a lot better than we were 10 years ago. we are less vulnerable and the software is a lot better and we have a lot more protections built-in so if you want to run a company and keep out damage we know how to do that but what we don't know how to do is secure, you know, military systems against attacks
8:28 am
by other governments. so well funded, very very smart hackers still can do that and we don't know how to deal with that right now. we need to figure out whether it's vendor attacks are building defenses and we need to figure out how to defend against sophisticated attacks which is something we don't know how to do right now. >> host: your series which by the way is linked to our c-span web site if you would like to see mr. o'harrow's series, has gotten some response from dhs and often when you write the next day, there is an official announcement. >> guest: right. there has been some reaction to it. that is more typical of the investigative series but i'm trying to urge the hallmark with mentors like charlie miller and officials in the government, officials out, hackers, these young guys that are breaking into things, so there has been some response and that is gratifying. i think that our mission at "the
8:29 am
washington post" here is to come is somewhat platonic in the sense that we really want to teach people so that everybody is on the same page generally speaking so good policy can grow out of that. we are really not in a position of offering policy suggestions because it's so complex and so difficult but i do think that congress, if i had one recommendation, it would be really good if they immerse themselves in the subject and then came up with some plans for making it better. may i know that we are trying to contribute further to the education and the post has a conference with some very senior former intelligence officials, hackers and others coming up at the end of the month and they can find out more at washingtonpost.com. >> host: will it be open to the public? >> guest: it will be open to the public.