Ken Buckler, Author of Hacking of the Free: Understanding Digital Threats to Democracy in the 21st Century
A Leanpub Frontmatter Podcast Interview with Ken Buckler, Author of Hacking of the Free: Understanding Digital Threats to Democracy in the 21st Century
Ken Buckler is the author of the Leanpub book Hacking of the Free: Understanding Digital Threats to Democracy in the 21st Century. In this interview, Leanpub co-founder Len Epp talks with Ken about his background, his first experience with a computer and his early development of an interest in cybersecurity, the importance of privacy when it comes to technology, the relationship between cyber attacks and social engineering, the vulnerabilities of voting machines in the United States, his book, and at the end, they talk a little bit about his experience as a self-published author.
This interview was recorded on January 20, 2020.
The full audio for the interview is here: https://s3.amazonaws.com/leanpub_podcasts/FM141-Ken-Buckler-2020-01-20.mp3. You can subscribe to the Frontmatter podcast in iTunes here https://itunes.apple.com/ca/podcast/leanpub-podcast/id517117137 or add the podcast URL directly here: https://itunes.apple.com/ca/podcast/leanpub-podcast/id517117137.
This interview has been edited for conciseness and clarity.
Transcript
Hi, I’m Len Epp from Leanpub, and in this Leanpub Frontmatter podcast I'll be interviewing Ken Buckler.
Based in the Washington D.C. Metro Area, Ken is a risk management professional and cybersecurity specialist who has worked for public and private clients for over ten years.
You can follow him on Twitter @CaffSec and check out his website at kenbuckler.com.
Ken is the author of a number of Leanpub books, including his latest in-progress book, Hacking of the Free: Understanding Digital Threats to Democracy in the 21st Century. The book will be about the concept of digital warfare, broadly construed not just to mean conventional hacking, but also attempts to influence people through propaganda, particularly propaganda that threatens democracy.
In this interview, we’re going to talk about Ken's background and career, professional interests, his book, and at the end we'll talk about his experience using Leanpub to self-publish his book.
So, thank you Ken for being on the Leanpub Frontmatter Podcast.
Ken: Thanks for having me, Len. I really appreciate it.
Len: I always like to start these interviews by asking people for their origin story. So, I was wondering if you could talk a little bit about where you grew up, and how you first became interested in software and programming, and how you got into cybersecurity?
Ken: I've actually lived in the Washington County, Maryland - which is really close to Hagerstown, Maryland, if anyone's ever heard of that - in the greater area around the D.C. metro area. I'm just a good old country boy, and I live out here in the middle of nowhere.
I've always had a fascination with computers. My first computer was actually a VIC-20, which had a BASIC software programming interface - I forgot exactly what it stood for now. But anyway, it had a whopping 5K of memory.
My first experience with computers was actually writing programs for that VIC-20. Because back then, you couldn't go buy Windows. You couldn't go actually install software, you would actually get a book - and some of them were pretty cool. They were actually like choose-your-own-adventure books, where you'd get to certain points in the book, and it would say, "Okay, now, type in this computer code to continue the book." That was when I really started getting interested in computers.
But then I realized that some of the programs that I was typing in, actually had some flaws in them - I could cheat the programs pretty easily. Funny story - when I was in elementary school, I actually impressed my teacher with a 200 word per minute typing skill. And I actually don't type at 200 words per minute, but I found a flaw in the typing software when I was in elementary school. And yes, I hacked the software, and I tricked her into thinking I was typing at 200 words per minute. The teacher didn't question it; I got an A. But that was really what really got me into cybersecurity initially. Really, even before cyber security was really mainstream.
All through school, I always focused on computers. I went to Mount Saint Mary's University here in Maryland. When I was there, I took a major in - not cybersecurity, because cybersecurity wasn't even available as a major yet. I took a major in Computer Science. And looking back, I am very glad that I took the major in Computer Science, since the major in cybersecurity wasn't available yet.
Taking the major in Computer Science really taught me a lot more about programming than I would have had, had I just gone cybersecurity. And that programming understanding has helped me tremendously throughout my career.
After college, I actually got hired on as a federal contractor, and I've been doing cybersecurity, information assurance, software testing, and software programming services ever since. I've been doing that for actually about 12 years now. I absolutely love it.
Len: Thanks very much for sharing all that. I've got a couple of questions that I'd like to ask you about that.
The first one is - it's a really interesting thing when I talk to people on this podcast who are in tech, and how they were first introduced to computers. Did your parents buy your computer for you spontaneously, or did you ask them for it?
Ken: My dad bought it. I think he bought it and just kind of set it there in front of me and he was like, "Here, you figure this out." He never really played with it a whole lot. I think he might have initially bought it for himself, but then I would never let him on it. So my parents definitely encouraged me. But I've actually done a lot of research on my own as well, outside of higher learning, and also outside the workplace.
I actually run a cybersecurity blog - it hasn't been as active as I'd like in the past few years. But I've actually run my own cybersecurity research, especially around honeypots. That's actually been really interesting - because I've managed to capture brand new malware samples that way, and analyze them, dig deep into them, find out where they come from. I've always been curious about this stuff, but yes, my parents definitely were an influence on that.
Len: And I'm sure, I know you've listened to a couple episodes of the podcast, and so you're probably expecting this question. But one thing that often comes up is, when people have studied Computer Science - I like to ask them, if you were starting again now, would you do a formal four-year Computer Science degree? Particularly with such high tuition, but also with so many tools and learning mechanisms available online now?
Ken: Absolutely. Absolutely. And one of the main reasons for that is - so, a great example - with me being a federal contractor, a lot of the positions that I would apply for - and even the position I'm in right now, you have to have that degree. You absolutely have to have at least a four-year degree. Some of the positions even want a Master's degree. And that's really a requirement that the federal government is putting on these contracts, to make sure that you're getting high-quality contractors. You're not just getting the lowest-cost bidder.
I absolutely support that approach - because, yes, there is a lot of stuff you can learn online. However, there's also a lot of programming theory that you learn at a higher education environment, that you absolutely don't get by trying to learn on your own. Can you learn the programming theory on your own? Sure. But at the same time, it's just so much of a better experience.
Len: Thanks for sharing that. I've heard that type of response from people in particular areas of tech before. I've got a little joke about how a lot of the stuff we have online is designed by people who couldn't go to jail for making a mistake. And Gmail, in particular, is something I often sort of complain about, because it hides the email address from you, of the person you're sending it to. And the reason I bring this up is that if you're working - if you're hiring for a government agency, or department where stuff might really matter if you get it wrong, you just have standards in place. And sometimes those standards, yes, mean someone needs to have a full university degree showing that they spent four years being trained, and sort of vetted in their own way, by that process.
Ken: Yeah, absolutely. Well, it's not just the federal sector on that. It's also the private sector. I've never personally worked in the banking industry, however I do have friends who've worked in the banking industry in the past, and they've told me it's actually even worse in the banking industry, in that one mistake and, let's say a deposit doesn't get put into an account - and that's like a couple million dollar deposit that's supposed to be going into somebody's savings account. Well, even just one day - you're talking hundreds or even thousands in interest that that deposit is not collecting, because it's in the wrong account. So there's zero room of margin of error in an industry like the banking industry. And you have to have strict standards to make sure that the people understand what they're doing, and they're not going to screw up.
Len: That's exactly right - yeah, that's exactly right. Having worked a little bit in banking myself, the thing is that - for anyone listening - we're not saying that you can't learn all this stuff and be a genius programmer unless you go to university. It's just that, if you're on the other, the conservative side of things, and you're making high-ranking decisions - often there are just going to be constraints that your organization has, in order to be very careful.
I want to ask you about honeypots and about cybersecurity generally. But before we do that, one thing I like to do in these interviews is get to know the person a little bit. And you mentioned in your LinkedIn bio that one of your biggest accomplishments is becoming an Eagle Scout.
Ken: Yes.
Len: I was wondering if you could talk - many of our listeners are not from the United States or from Canada, and might have heard of the Boy Scouts or the Scouts from movies and TV, but might not really know a lot about the organization itself. So, I was wondering if you could talk a little bit about what the Scouts are, how you got involved, and why becoming an Eagle Scout is such an accomplishment.
Ken: Yes, absolutely. So, the Boy Scouts of America is a national organization which is really focused on developing young men into leaders. And you'll hear a lot of people say, "Oh well, they go out camping a lot," and, "They learn how to tie knots." And I definitely learned how to tie knots - I can tell you how to tie 30 different knots.
But it's not really about the camping. It's not really about the knots. It's about engraining into young men - and I actually, I started with Cub Scouts - which was in elementary school - it's about engraining into us - and I'm so glad they allow women into it now, as well, because it's a wonderful program, regardless of whether you're male or female - it's all about engraining into you a work ethic, a leadership ethic, and really a caring and understanding for not just yourself - but for everybody else.
And so, the reason that Eagle Scout is so important to me, is because that is the culmination of my entire time through the scouting program. I believe it's only about 3% of people who actually join the scouting program, who end up getting their Eagle Scout.
Now, I was actually in a Cub Scout group where, I think it was - I want to say six or seven of us, out of nine of us from the original Cub Scout group, not only went onto Boy Scouts, but then actually all of us got our Eagle as well. So I had some tremendous leadership and mentorship going through the scouting program, and I just can't say enough good things about it.
Len: And so the way you sort of advanced to the Eagle Scout status is by getting merit badges?
Ken: Yes.
Len: In various different things. Obviously knot tying might be one of them, but there's a lot of community service as well, isn't there?
Ken: Yes. Actually, in order to get your Eagle badge, you have to actually do a community service Eagle project. My project was, I remodeled the entire kitchen for a local church. And that was completely going through - painting the entire kitchen. I think we resurfaced the cabinet doors, and I also actually built a stand-alone mop closet that we built offsite, brought in, and then put in there, as well as a trash and recycle bin. And it just absolutely transformed that kitchen from the old, outdated, like sixties-style kitchen, to a more modern kitchen that was much more useful for the entire church, when they had their social gatherings. It was absolutely phenomenal.
So yes, the community service is a huge part of scouting, and that's also part of the mindset, that they like to engrain into you - is, help the community. And that mindset is still in me.
Len: And is there a religious aspect to the Boy Scouts?
Ken: One of the pillars of Scouting, basically, is reverence. Now, it doesn't necessarily say you have to believe in a certain God, or you have to believe in God - period. But you have to have a kind of a religious mindset to you, in that you believe in something. You believe there's a higher power out there.
But it's not necessarily a Christian organization. It's not necessarily geared towards any certain denomination. It's absolutely just very generic in - and I never actually had any real religious push in my entire time during the organization. There wasn't a whole lot of that other than, if you wanted to - like when we were at Scout camp, they had mass. We could go to the mass at Scout camp. It was completely optional and - put it this way, if you were an atheist in scouting - you would not feel ostracized, you would not feel excluded. You would still feel like one of the boys.
Len: And is it something that typically stays a part of your life, after you become an adult?
Ken: Oh, absolutely. I look to eventually probably end up getting involved with scouting again. Now, that may be volunteering to help out with Scout camp sometime. That may be volunteering, become a leader. I don't know. But they always tell you, once you get your Eagle badge, "Be prepared, because it will sneak up on you sometime, and when you're least expecting it, scouting's going to come back into your life." I fully believe that. I fully think that that is going to end up happening to me, and I welcome it. I absolutely welcome it.
Len: Thanks very much for sharing all that. It's something I've always been sort of interested in talking to someone about, and I think you're the first Eagle Scout that I - well, knowingly had a chance to talk to about it.
Going back to your career in cybersecurity, I thought a good way in would be maybe to ask you a couple of questions about things that people would hear about in the press, with respect to cybersecurity, and just ask your opinion.
So, for example, is the hacking of autonomous vehicles something that you would be concerned about, as an expert in the field of cybersecurity?
Ken: Absolutely. Well - I'll even take a step backwards on that, and say I'm concerned about hacking of the non-autonomous vehicles right now. Great example - my vehicle I have right now, alright - I have a Jeep Wrangler. It is one of the newer Wranglers, and I am somewhat terrified by how much of it is computerized. There's actually been one or two times that I've had to turn the engine off completely and then restart the engine, because the computer just glitched out and lights up every single light on my dashboard.
Len: Oh, wow.
Ken: And it won't go anywhere. But then if I turn the engine off and turn it back on, it runs like a dream. And if you look at some of the options - I've actually got a dongle that I can plug into my vehicle, and monitor every aspect of the engine - and it's terrifying to know that some of that stuff can actually be controlled by the computer. Your accelerator - I think about the only thing that isn't actually computer controlled would be the manual steering, as well as your brakes.
But even then, you could get warnings that, "Oh hey, your brakes are failing," or something like that, and send you into a panic and make you crash, even if there's no actual problem.
So, do autonomous vehicles worry me? Yes. Absolutely, they worry me. Because now we're talking about vehicles where everything is being controlled by the computer. And the fact that we've already got vehicles that are vulnerable now as it is, and now we're going to let the computer completely control the vehicle - yes, that does absolutely worry me.
One of the things that I've actually looked on that is, for example - Tesla's vehicles. Tesla's vehicles, even though they aren't fully autonomous, they still have the stuff built in that theoretically, if somebody goes in and they compromise the computer system - yes, they could take over your car.
A lot of the vehicles now receive over-the-air updates through a cellular modem or something equivalent. If you've got like the OnStar, it'll actually allow updates through some of those cellular modems to your vehicle. And what's to prevent somebody from hacking that signal, sending your vehicle malware, and taking your vehicle over? From what I've been told, the auto industry is improving, but I think they've still got a long way to go.
Len: Another thing that people often hear about in the media, with respect to cybersecurity, is the problems that might arise from not being able to access things. So for example, often there will be news about how someone in the US government wants Apple to open up a phone for them. What do you think about that, and the other side of things? So let's say like - if something is totally secure from being looked into, then that means that law enforcement can't look into it.
Ken: And there's a lot of controversy over this. India is probably a good example on how it could be done, however not how I would prefer it be done. In India, they actually require that manufacturers provide the keys to the kingdom - provide that universal key so that the government can decrypt those devices at any time that they need to.
Personally, I am a huge privacy advocate. I firmly believe that someone's right to privacy needs to outweigh the ability for the government or a third party to intercept and decrypt their communications.
One of the things on that, that you have to keep in mind, is - if the government has the back door - and we actually had just something in the news on this. If the government has the back door, and they don't try to fix that back door - they don't demand that back door get closed, somebody else might find that back door and exploit it.
A perfect example is the most recent Microsoft updates, that actually just got released this month - including a patch for a problem that the NSA found.
The NSA discovered that it was possible to modify software certificates so that the computer would actually trust your software installation as being from whatever party they're claiming, for example - we'll say from Microsoft, and actually installing that software without giving you any warning that, "Hey, this software doesn't come from a trusted source." The real problem with that is then, somebody could actually write a theoretical Microsoft patch for the operating system, not actually issue it from Microsoft - but then your computer downloads that patch, installs it, and now your computer has malware embedded into the operating system.
Len: Yikes.
Ken: So thank goodness that the NSA actually disclosed that vulnerability to Microsoft when they found it. Otherwise, there would have been a serious risk that a private third party, or a foreign country - could then exploit that vulnerability as well.
Len: And, do you have an Alexa?
Ken: I do. She's listening right now. I don't worry about it. If I absolutely need privacy, I will have to shut off my Alexa. But also more importantly - I have to shut off my cell phone, I'd have to shut off my computer. I have to shut off almost every single electronic device in proximity to me. To be honest, I'm not that interesting, that I'm that worried about someone listening to my conversations. Because I just - like I said, if they want to listen to me while I'm watching TV or streaming Netflix or whatever - more power to them, man.
But at the same time - if I want to send an encrypted email to a friend, and that encrypted email has information in it - like sensitive financial information, I want the assurance that somebody can't break that encryption. That's why I'm such a strong privacy advocate. Because the privacy part - being able to secure our information, when we know we want it secured - is absolutely critical to me.
Len: Moving on more into a little bit of the details of cybersecurity - so, you mentioned honeypots early. I'm sure many people listening have heard of honeypots from spy movies where you get an attractive person to seduce someone, but what's a honeypot in the context of cybersecurity?
Ken: Well, it's actually not much of a different concept. So basically - what you do is you set up a computer system or something similar online, that appears to be a vulnerable system, that appears to have security flaws. Now in my case, what I would actually do is I'd set up a virtualized computer that would pretend to be some sort of a web server, or something like that. And I would intentionally give it flaws that could be exploited. I'd intentionally give it a bad - or not bad - but a weak password.
And I'd open up my firewall and I'd set it out on the public internet, and I'd just wait. I'd wait and I'd watch it, and it would actually be completely isolated from the rest of my network. So there wasn't any possibility that somebody could use it to attack the rest of my network.
But it was very interesting to watch. Because here I am - I'm a real, real slow DSL connection, private home line - and I just open up my firewall ports. And sure enough, within a couple hours, somebody's starting to probe my honeypot already, even though I haven't advertised it anywhere.
So there are people out there scanning the dark sections of the internet - the sections of the internet that have private IP spaces - and they're just constantly scanning them looking for holes, looking for places to start exploring. The honeypot really shows how prevalent that is, that there's millions upon millions of internet addresses out there, and within just a couple hours of mine going live, somebody starts examining it? So that shows just how dangerous the internet actually can be.
And, like I said before, I've actually - when they would attack my honeypot, typically they'd leave malware on it for me. Some of the malware was completely unknown malware, that if I go to a website like virustotal.com and I upload the malware, VirusTotal would be like, "We've never seen this before."
That's the really neat ones, when you start diving into them - because when you look at those brand new pieces of malware, this is something that not even the antivirus companies know about.
So then I go and I submit it to a couple of the antivirus companies, and eventually it gets a detection signature. But a lot of it is all custom-written stuff, where somebody thinks they've found some company's private web server that has a database of their customer list, or something like that. But then they leave behind this malware, in order to try to find more.
Len: That's really interesting. I had totally misunderstood the concept. I had thought of it from the perspective of the bad actor setting up a honeypot, rather than the cybersecurity person setting up a honeypot. And so is this, for example, something that say a large corporation would do? Would they set out these honeypots in order to see who's attacking them, or how they might be attacked by people who are out there scanning for weaknesses?
Ken: Yes, absolutely. There's actually commercial honeypot software that you can go out and purchase with that intention. A lot of it's open source though, and some of it is just completely virtualized, or somebody builds a system with that intention.
What some companies will actually do is they'll build a mirror environment, that completely mirrors their production environment. And they'll put that mirror environment out in front of their production environment, so that if somebody penetrates their firewall and manages to get in, they're attacking the fake network instead. That gives the network administrator an idea of what kind of data they're after, and what kind of techniques they're using. So the network administrator can then properly secure the production network.
Len: That's really interesting. So with respect to securing, there's like, putting out hooks and seeing who bites, and how they bite, and then trying to protect against that kind of attack. If you're, let’s say, doing cybersecurity for a large corporation, and you discover you're being attacked, you can - besides reporting the attack to the authorities, are you allowed to go after the attacker yourself to try and shut them - I mean, not just stop their attack, but actually like, shut them down?
Ken: So, from a legal standpoint, we are not allowed to hack back. We are not allowed to go back and start attacking the hacker. Now, we can block their attacks on us. That's absolutely doable. That's very encouraged, and in fact there's actually entire websites devoted to blocking bad actors. Spamhaus is actually one of the more popular sites for that, where they will publish block lists of, "Here's the guys that we've seen from these different internet addresses, going out and attacking computer systems. So, block these computers so they can't get to you." That's all defensive measures. We can't do offensive measures.
In fact, even the US government can't do offensive measures without certain approvals. I've never been in on any of that. But does it happen? Probably. And I've - we've seen examples that were possibly government-sanctioned attacks. The greatest example on that is going to be the Stuxnet virus, which was the virus that attacked Iran's nuclear centrifuges, and actually physically destroyed about 1,000 of their centrifuges by rapidly spinning them up and spinning them back down - but tinkering with the monitoring software, so that the monitoring software thought everything was fine.
Len: That reminds me actually - so, Iran is in the news these days, and one thing that, for people who are interested in this kind of thing, that came to top of mind when conflict seemed to be escalating between the US and Iran was - what if Iran retaliates with a kind of cyber strike?
Ken: Right.
Len: This is something that prominent journalists in the United States have - I forget who it was, Dan Rather maybe wrote a book about it? [Len was thinking of Ted Koppel - eds.]
Ken: Okay.
Len: Is that something that keeps you up - I mean, not specifically Iran - but is that something that keeps you up at night? A sort of Stuxnet being done to the United States, through power stations or something like that?
Ken: Absolutely. I'm actually touching on that topic in my newest book, in the Hacking of the Free book. Because that is actually a technique that could be used, not just to inflict physical damage against the United States, but also more likely its purpose would be to inflict psychological damage on the citizens of the United States.
Think about it for a second - you hear about some small town in the middle of nowhere, and they get hit by a cyber attack - and it completely shuts down their water system, or their natural gas system - or God forbid, their power system. And it's shut down for days or weeks, because it had an open vulnerability and some foreign government attacked it.
Now, think about the consumer confidence hit that causes. Because if they hear about this little tiny town, they're going to think, "Well, that could happen here, too." And it really messes with you psychologically. And a lot of cybersecurity is actually defending against social engineering. And really - just the thought that your computer systems could be attacked like that, and cause physical damage to critical infrastructure, is absolutely some of the best social engineering you could do. So, do I worry about that actually being able to happen? Yes, absolutely.
A great example, the SCADA systems - the systems that are similar, like the same systems that were attacked in Iran - those similar systems are present throughout the United States. They control power, they control water, they control natural gas. And those systems are very finicky, alright? Those systems are very delicate in that a lot of times, system administrators don't like to install security updates on those systems, because they've custom-tailored them so much that there's a chance the security update might undo those customizations, and might actually break their software. So they have to walk a very fine line between keeping things secure, and actually ensuring that they don't break their critical applications.
It's very interesting and I don't think anyone's actually come up with a real good, rock solid solution yet - other than possibly putting a third party device on the same network as the SCADA Systems to monitor for tampering, but even that wouldn't be foolproof.
Len: Thanks for going into that detail. For anyone who hasn't read about the Stuxnet virus, I would recommend reading about it. It's a fascinating story, and also very scary, particularly because the other side of Marc Andreessen's saying that "Software is eating the world," is that everything is a computer now, and they're embedded in systems that we typically associate with being hardware rather than software, in ways that make things very vulnerable.
On that note, you've got a book on Leanpub that's about identity theft, and I was wondering if you could talk a little bit about that? Let's just be kind of cheesy - like, if there was one thing that you could tell our listeners to do to protect their identities online, or just generally from identity theft - what would you suggest that they do?
Ken: The number one recommendation I always provide to everybody to help reduce their identity theft impact - okay, not the chances of them becoming a victim, but reduce the impact of becoming a victim - is to have your bank account, and then have a credit card that is not actually tied to that bank account. Use that credit card to make all of your online purchases, all your store purchases, all your gas station purchases. And then use your bank account to pay off that credit card every month.
The reason I say that is that, if you use the credit card, and your credit card gets compromised - the worst thing that can happen is, well - you dispute the charges and your credit card company holds those charges as invalid while they conduct the investigation, which can take up to 30 days. If you use your bank card, if you use your actual bank account for those same transactions, and your bank card gets compromised, now you don't have any money in your checking account.
It's a lot harder to fix not having any money, compared to fixing invalid charges on your credit card. That is the number one piece of advice I always give everybody when it comes to identity theft. And let me tell you, following my own advice has saved me several times. In that I get a call up, "Hey, your credit card's been compromised." "Okay, thank goodness it's just a credit card and somebody didn't empty my bank account."
Len: Thanks for that advice, I've actually never heard that before, that's really great.
On that note, I'm pretty careful, and I actually had a credit card compromised once. It seems like my bank was able to contact me about all kinds of sales and offers over the years - but then when my credit card got compromised, they just blocked the account from working. That's how I found out, when I was trying to buy a plane ticket. How do credit card numbers typically get compromised?
Ken: There's two main methods that happen right now. The first main method is through malware. And a lot of that is actually going to be either malware that infects your local computer, where you get a virus on your computer and you don't realize it. Or the malware might infect a company's remote server somewhere. Target was actually a perfect example of that, where they got their cash registers compromised by malware. The malware stole those credit card numbers, transmitted it back. That's the first way.
The second way is actually a very low tech method, and that's through credit card scrapers, I guess is basically what you'd call it, where they go to the gas pumps and they put this little device over top of the card reader at the gas pump. When you slide your card into the gas pump, it reads it - and at the same time the device they put on the gas pump reads your card, captures the credit card information that's stored on the magnetic strip - and then later somebody comes back and they pick up the device.
That's the second way. That one's actually extremely popular across the entire country, and probably in other parts of the world as well. That's why there's a big push towards using the chip cards, instead of the magnetic stripe cards.
But the problem there is, even when you put the card in the reader - even if you're using the chip at the gas pump, it still has the magnetic stripe. The magnetic stripe reader is still going to read that card number off the card. So it's not going to ultimately matter.
Len: That's really interesting, thanks for sharing both of those answers. It's curious - so for example, one way that your credit card number can be stolen if you've been compromised locally - as I understand it, is keystroke readers? So something might just look for you typing 16 numbers in a row?
Ken: Yeah, so that's one of the possibilities. Actually, a more common one now is called "Banking Trojans", where they'll actually monitor for you logging into your bank account website, or logging into your credit card website, and actually steal - not just your card number, but your login credentials. So they can actually go in and they can change your credentials, or whatever they want to do.
One of the defenses against that, that I always have my wife do, or I do, is, I typically - if I'm paying something directly with my bank account and not my credit card, I'll actually call up and I'll make the payment over the phone. Because it's a lot harder for them to intercept that phone call, compared to intercepting what I'm doing on my computer.
Len: It's interesting - just as a user of things and not an expert in this, I've noticed that the banking services that I use online have become much more conservative over just the last couple of years. For example, one bank - I guess I shouldn't probably name it - that I use, based in the UK, I can't actually log in online anymore without using an app on my phone that I've logged into, and asked for a digital activation key that then has a 60 second countdown timer, like I'm now a spy or something like that. It feels like I'm trying to break into my own account.
Ken: Yeah, well, and what's funny is, so - some of the larger gaming companies have been using that technology for over a decade now. Blizzard, World of Warcraft - they've actually got an authenticator similar to what you just described, that secures your account from being stolen just through that method. How hilarious is it that the gaming industry has actually been outdoing the banking industry in their security measures?
Len: And why would that be, actually?
Ken: Well, the gaming industry is extremely valuable. Think about this for a second. Alright, so yes, I play World of Warcraft, alright? I have been playing ever since the game was released. I have like 15 years' worth of stuff on my account.
Somebody comes in and they get to my account, they steal my account. Now they can sell that account for a couple hundred dollars on eBay, or the dark web, or wherever. And they can actually - like I said, they've stolen my account - they can sell all the stuff, they can sell all the gold, whatever they want to do.
And I'm helpless to fix it, unless I know certain information that I can call up Blizzard and say, "Hey, my account got stolen, blah blah blah." And even then, it's not guaranteed that they'll restore everything. So, that's why they've taken those additional steps, because it became a huge problem for them, where people would come in and they'd steal Warcraft accounts, and sell them on eBay.
Len: This reminds me of something that I imagine is kind of like one of these high-level insoluble issues, but you mentioned chips in cards and bank cards. I think a lot of people listening from outside the United States might be surprised to hear that chips aren't universal. And one of the reasons for that is that there's a lot of fragmentation in US banking -
Ken: Yes.
Len: Compared to other places. So, like a local person might own the bank in the town.
Ken: Oh yeah.
Len: And so - having everybody switching to chips isn't as simple as sort of telling six banks, like we might have in Canada, "You guys need to change. Here's some regulation."
Does fragmentation make things safer? Or does unification make things safer? Because I - just from an outsider's perspective, if everybody's following all the same rules, then if someone finds an exploit, that exploit applies to everyone.
Ken: Right, yeah. Absolutely. That's actually one of the dilemmas that a lot of organizations face, is, "Okay, hey we've got this standardized baseline for our computer systems. Now, if every computer system follows that baseline, and somebody finds a flaw in that baseline - now you have access to every single computer system."
So can diversification be a good idea? Absolutely. I actually think that having non-standard computer systems would greatly help a lot of organizations prevent themselves from being attacked. Because now you don't have an attacker knowing what every single system's going to look like, when they try to remote into it.
Len: On that note, actually, I guess this is a good opportunity to move on to the subject of your latest in-progress book, Hacking of the Free: Understanding Digital Threats to Democracy in the 21st Century.
I asked you straightforwardly, "Do you have an Alexa?" I guess another question I might ask just as directly is, "Do you think voting machines should be computerized?"
Ken: Personally, I think it's a mixed bag. I absolutely - so I will say, first off - I absolutely never, ever think a voting machine should ever touch the internet. That absolutely terrifies me, because it introduces a lot more risk by having the voting machine connecting to the internet. But do I think that - should we even use electronic voting machines at all? Kind of. I like the idea of having the voting machines be able to rapidly process the votes, so that we have a quicker view of how an election has gone.
But at the same time, we need those machines not to be a black box. We shouldn't be relying on proprietary software where we don't know what's going on behind the scenes. Because when we do that, then what's to prevent the company that created that software from manipulating the votes directly, and nobody would ever know?
A great example of how we do some of the elections here in the United States - so here in Maryland, what we actually do - we have paper ballots. We will go to the polls, we'll fill out this paper ballot that has boxes you fill in with a pencil. And then you take that paper ballot over a scanning machine. The scanning machine scans through the paper ballot and records all the vote numbers. But, you've still got the paper ballot there, so that they can compare and audit that scanning machine, to make sure the scanning machine hasn't been tampered with.
Maryland actually did the first run of that here in, I think it was either 2014 or 2016. And they had - it was less than a 1% margin of error. So they felt pretty confident in the technology. However, they're still going to do the audits - because that way they know that the voting machine isn't being tampered with.
Len: And so when it comes to the concept of hacking elections, there's obviously this sort of literal sense in which you've just been sort of describing the possibility of - if something's touching the internet. But there's also hacking in more of a metaphorical sense, that might even be the one that's most popular nowadays, and that is invoked in your book when you talk about the concept of "digital warfare." I was wondering if you could talk a little bit about what you mean by that?
Ken: Yeah, sure. As I mentioned previously, there's a large degree of cybersecurity which involves social engineering. And really what that is, is that's people-hacking.
Alright - you're figuring out how somebody's brain works, and you're figuring out how to tinker with that brain by sending them certain text or images, to get them to think the way you want them to think.
That's why the Cambridge Analytica scam was such a big deal, where, I believe it was Trump's organization actually got a hold of a large amount of data from Cambridge Analytica - that actually let them build psychological profiles on Facebook users.
Now, I'm not going to say that - was it good or bad, could they do that? But I'm going to say - they're not the only ones that have ever done that, they're just the only ones that got caught. There absolutely are lots of organizations out there who are dedicated to building psychological profiles of people out there to figure out, "Well, what's the best way to market a product to somebody?"
They take those same techniques and, "Well, what's the best way to get this person to vote for somebody else? What do we need to make them think it's going to happen? Do we need to blame problems on illegal immigrants? Do we need to tell people that a certain political party is going to take their guns away?"
That's how you get into someone's psyche. You figure out what those trigger points are, and you use those trigger points to convince them, "Unless you vote for this candidate right here, then something bad is going to happen." And it works remarkably well.
So what will end up happening is - then we've got private organizations that will come through, and they will actually take this information. And it could be a lobbyist or whatever - a lobbyist organization that wants to make sure people vote a certain way. It could be a political party that wants to make sure people vote a certain way. They'll take that information and they'll just start creating fake accounts on different social media sites - and they'll use those fake accounts to push this information, push this propaganda towards people to get them to vote certain ways.
Now, this is actually completely outside the realm of fake news, actually. Fake news is actually a completely separate problem from this. And it's a very hard problem to solve, because unfortunately, we as a species tend to be very trusting, in that we believe a lot of things that we see at face value.
The greatest example on that - and we get the stuff stuck in our head and we don't even know where it came from. A great example on that is Sarah Palin during the presidential election, where she was running as vice president. Saturday Night Live did a skit where someone was pretending to be Sarah Palin and they said that, "Oh, I can see Russia from my house," while pretending to be Sarah Palin.
That image has stuck in a lot of people's minds in that, if you interview people, if you do a poll and you ask them, "Who said that they can see Russia from their house in Alaska?" Then there's a large percentage of people who are going to say, "It was Sarah Palin that said that," not Saturday Night Live. So taking that same concept and putting it digitally, where you've got rapid content coming over and over from all of these fake accounts, it just amplifies it so much more.
Len: Thanks for going into depth there, and for that particular example at the end. It's an example that felt like - I'm sure many people listening to this right now had this same experience I just did, which is like, "Hey, wait a minute - wasn't Tina Fey making fun of Sarah Palin actually saying that?" And I don't know. [Here's an article about this on Snopes - eds.] And I trust you. But there's this inherent uncertainty when it comes to information like that, that we ought to keep in mind all the time, but we kind of can't - because at a certain point, you just kind of have to move on.
But one thing I wanted to ask you about is - it's not very troubling to most of us to think about a machine being hacked. I mean, we're worried about the consequences of it - but there's nothing inherently troubling about the idea that a machine could be manipulated. That's what machines are for; we build them.
But the idea that a person can be hacked and manipulated that way - and as you say, this isn't new to the 21st century. But what do you think about that? I mean, I think most of us have a sense of ourselves, we might think of - even if we adopt the idea that other people might not possess the kind of free will we wish they did, we mostly think of ourselves as invulnerable, which is probably a big part of the problem. What can you do to monitor yourself for being hacked?
Ken: The big thing is, check your sources. Is this truly something that is real? Is it truly something that is credible? Is this from a trusted source? And that's all too often a problem on social media - period. Now, whether we're talking propaganda or fake news, is, people believe stuff at face value way too much.
So going a little bit into the outside of the cybersecurity realm, outside of the political realm - I run a local satire site. It's a little satire blog similar to Babylon Bee or The Onion, and I will make up all sorts of wild, crazy claims.
Okay, so now, keep in mind, I'm in Maryland. And here in Maryland, it gets really, really cold in the winter. Right now I think it's like 20 something degrees - maybe even lower. I managed to convince people, completely by accident - because I told them upfront it's a satire article - I managed to convince people that the local government in one of the towns around here purchased an alligator from Florida, and trained it to only eat geese, to control the geese population. The local government has actually gotten phone calls -
Len: Oh my god.
Ken: Complaining about them purchasing this alligator and putting it in the city park. So how do we protect ourselves from that? Ultimately, we have to take a step back anytime we see something online, and analyze it. Okay, for one thing, is this even within the realm of possibility? But also, is this being reported on anywhere else? And it's absolutely terrifying that so few people do that.
Len: One thing - so there's protecting yourself - and thank you very much for sharing that story about the alligator. That's a really good lesson in how people will just believe what they see.
I've had the experience that I think a lot of people have had, of seeing friends and family get caught up in propaganda. And one of the signs that I see is the, people sort of repeating pat phrases and clichés.
Ken: Right.
Len: Like parroting exactly what they've seen, and spreading it that way. And there seems to be something that a certain type of person actually finds enjoyable about kind of going along with the current, if you know what I mean? Like, being part of the group.
I'm the kind of person - for example, I hate crowds. If there's a wave at the sports game, I won't stand up for it. Because I just find it sort of creepy. But a lot of people love that. They love being in unison, and being offered a way of signaling that you're part of a group - it seems to be very attractive. What do you think - if you're concerned about someone you know having been hacked, what can you do?
Ken: Well, I mean the best thing is to try to get them to research it. Okay, so this is a book podcast. So I'm going to send out an absolutely great book for everybody to read. How to Win Friends and Influence People. An absolutely amazing book. One of the great lessons that I've learned in that book is - never, ever tell someone straight up that they're wrong. Because you're now contradicting the information that's inside their brain, and they're going to immediately reject that information that you just provided them.
A better way to approach it is to get them to better research the topic on their own. So, one of the questions that I'll use would be, "Oh, that's really interesting. Where did you see that at? Because I haven't seen that anywhere else?" And if they come back and say, "Oh, well, so-and-so said it." "Well, where'd they hear it from?" And get them thinking. Get them trying to research it on their own.
Now, with that said - social media is typically often an echo chamber, in that we have preconceived notions of how the world is. And because we have that preconceived notion, anytime that we see information that matches that preconceived notion - we automatically want to assume that information is true and share that information. So the only way to get over that, the only way to get people to get out of that mindset - is to get them to challenge their own beliefs. You can't challenge that belief. You have to get them to challenge their own beliefs. Let me tell you, it's hard. It's extremely hard.
Len: Thank you very much for that. I couldn't agree more.
One thing I've found is that definitely, just telling someone, "You're wrong," or even worse, "You're stupid," doesn't work. But asking people to reflect - one thing I've tried is asking people to reflect on what they've just done. Like, "Why did you just say that? I've heard that phrase before in exactly those words, are you repeating it on purpose?" And somehow just setting off self-reflection, seems to at least put people down a path where they're not captured anymore. They're out of the stream; they're out of the current - at least for a moment.
Ken: Right, exactly.
Len: Speaking of social media, one thing I wanted to ask you about - I saw recently, it might have been even just yesterday - that Jack Dorsey, the CEO of Twitter was having a big employee meeting. And he called up Elon Musk and asked, "If you were CEO of Twitter, what would you change?" And I think Elon Musk said something like, "I would like to be able to know if something's a bot or a person." If you were CEO of Twitter, Ken, what would you do?
Ken: Gosh, that is a really good question. So, as a cybersecurity professional, I get a lot of my news from Twitter, I get a lot of my data from Twitter. At the same time, I'm a little terrified by how much data I can actually scrape off of Twitter using its API. So - once again, this comes as a professional - I would ask Twitter to maybe restrict their APIs a little bit more - maybe restrict a little bit more, how much data I can actually pull from their service.
Because it's terrifying that I can - there's services out there, I can go in there and I can find every single tweet that a certain account created. And I can get it almost in an instant. And then I can go back, let's say I can go back 15 years - I don't know how long Twitter's been around, but let's say I can go back that far - and I find some sort of a Tweet from that long ago, that I can take completely out of context - and now put that person in a negative light. Don't be surprised if that becomes a more popular method of attacking people, especially political figures.
Len: Why does Twitter allow that?
Ken: Because they want to be open with their data platform to encourage more use. But at the end of the day, something to keep in mind is, we're all only human. We all make mistakes. We all say stupid things sometimes, especially when you're younger.
Len: I've got to say, I'm so glad none of this shit was around when I was a teenager.
Ken: Amen.
Len: Because I was - not that I'm not a dumbass now, but boy was I a dumbass back then. And you would definitely have found me saying dumb shit.
Ken: Yeah, absolutely. I think we're all guilty of that. The only difference between now and then, is that now everything gets recorded. And as one of my friends likes to always say, "The internet is forever. The internet never forgets."
Len: Actually, that leads me to the last question I want to ask you about this subject, before we just move onto the last part of the podcast, where we talk about your work as a writer.
You talk about a new kind of crystal ball in your book. What do you mean by that? Is it related to the amount of data that's out there on people?
Ken: So, it's absolutely terrifying what kind of profiles you can build on someone - just based upon the data that's available for them. In this case, the new kind of crystal ball that I was speaking of, is how you can actually infer aspects of someone's life based upon, basically, the metadata of their life.
This actually goes back to - when you look at the whole stuff where the government was found looking at the metadata of phone calls, or internet sessions, or whatever, of US citizens.
People don't realize just how powerful that metadata really is. Target actually found that they could, based upon shopping habits of people going in and using their loyalty card or whatever - Target found that they could actually successfully predict when someone was pregnant, just based upon the stuff that they purchased. Even if it's not stuff related to being pregnant directly.
For example, they found that when someone starts purchasing a lot of unscented lotions, and then maybe some extra multivitamins at the same time, if they start doing those purchases regularly - Target was actually able to predict that not only are they pregnant, but they could figure out what stage of the pregnancy they're in, and actually figure out, within - I think it was about within a week, if I remember correctly - the actual due date of the pregnancy.
So, if you look at that and then you think about all the information we post on social media, all of the information that your grocery store has about you, the information your gas station has about you, the information that your phone captures - you realize that everything you do is absolutely being tracked, and can absolutely be used to build a profile of you.
Every January, Google sends me an email, and that email gives me a map of everywhere that I have been, because my Android phone tracks that, and Google happily shares a map with me and says, "Okay, in fact, not only here is the locations you've been, but here's the roads that you drove."
Len: That's a really interesting topic. And that Target story in particular, I believe that one of the sort of interesting details of it is that - there was a father of a woman, who got mad at Target for targeting his daughter with stuff for pregnant women, because the father himself didn't know that his daughter was pregnant.
It sort of ties into identity theft stuff - privacy can be violated in various ways.
Did you ever see the reboot of Battlestar Galactica?
Ken: Yes, I absolutely loved it.
Len: So a huge, huge spoiler alert. Turn this off if you haven't seen Battlestar Galactica and you think you're going to watch it.
I ended up hating the show because of Gaius Baltar. But anyway, I did watch it for a while - and there was one wonderful episode where a bunch of the heroes discover that they're actually Cylons. And the reason I bring up that image is because, Target being able to figure out that you're pregnant when you know you are, is one thing. But what if it could figure out from your behavior that you're pregnant when even you didn't know yet?
Ken: Yeah, yeah.
Len: Is the kind of next level of this stuff that - these are very deep questions about human nature and human identity. So is someone being predictable, does that - should we question our free will, basically - because of these kinds of questions? Are these things we're going to have to confront as more and more data is picked up about us, and analyzed over time by more and more sophisticated machines? I mean, are we going to come to a point where we realize we're metaphorically Cylons?
Ken: Yeah, it really speaks to how much we get influenced by outside forces, as far as our behavior goes. Because a lot of our behavior is conditioned, based upon certain circumstances in our lives. And all that data's being collected, yes, it's absolutely terrifying to think that - could a computer predict when someone's pregnant before they know? Absolutely, it could.
And actually, it's funny you mention Gaius Baltar. Gaius Baltar was actually one of my favorite parts of that series, because Gaius Baltar was actually the best example of someone who understood social engineering. Gaius Baltar, he understood how the human mind worked, and he understood how to manipulate others to act the way that he wanted them to. And it speaks volumes that, if you understand how the human mind works - if you understand how to hack that human mind, you can use that knowledge to get whatever you want - including becoming president of the thirteen colonies.
Len: Well, I now have a newfound respect for Gaius Baltar, the character from Battlestar Galactica. I always thought that he sort of like - I'm actually going to think about that, that's really interesting. Because I always viewed him as like the writers had a commitment to keep that actor on the show, and so were always inventing new things to keep him around. But it's interesting to think of that - to think about it from the perspective you just described, that one of the things he represented, was the way that people could be manipulated. I never thought of it that way before. So thanks very much for that. I really appreciate that.
Moving on to the last part of the interview. So, you decided to write some books, and you decided to write them on Leanpub. Why did you choose us as your platform?
Ken: Well, so first I'll get into why I actually decided to start writing books. So, as a cybersecurity professional, I actually have to have certain continuing education requirements to maintain my cybersecurity certifications. And I'm looking through all the different requirements that are available to me, and one of the requirements is - or one of the options that I have available that gets me ridiculously large number of continuing education credits - is to write your own book.
I was like, "Okay. So I can go, I can spend thousands of dollars and go to a couple different training classes - and I'll learn what's in the training classes, and possibly never even apply that to my daily life. Or, I can write a book. I can still get credit for writing the book, I can possibly make a little bit of money - I'm not too worried about the money, to be honest. But I can actually go in, I can then teach others the knowledge that I've learned, and at the same time I'll also be researching some new topics. And every one of my books here, I've had a lot of research with. And I'll be able to then share that knowledge with others." So that's why I started writing the books, is to further my continuing education, maintain my cybersecurity certification at the same time.
Why did I pick Leanpub? Well, because you all make it so freaking easy - to be perfectly honest. It's - I absolutely love Leanpub in that I can go on here, I can start writing the book, I can actually make the book available as I write it, alright? I can set the price, you all earn some money off of it, so I'm supporting your site every time somebody buys the book. I love that about it. There's no upfront cost for me, and I can actually go on there, and I can control the formatting using the markup language. And of course, as a programmer - oh hey, I'm all sorts about that.
But also, I love how it enables and empowers small authors like myself, whose books would probably never see the light of day otherwise. Because, let's face it - a lot of publishers, if I go to a publisher - one of the big-name publishers out there, and I say, "Hey, I want to write this book on cybersecurity." And they'll be like, "Well, who are you?" "Well, I've worked cybersecurity for ten years." "Yeah, that's cool, so have a lot of other people."
And I understand that. I don't fault them for that. Because when you're talking a traditional, mass-marketed book, there's a lot of upfront investment that has to take place to get that book printed. I have actually printed my Death by Identity Theft book. I've actually printed physical copies of that. That was not cheap; that cost me several hundred dollars just for like 40 books. And I completely understand why large publishers would not want to put an investment into somebody who's a completely unknown author. So that is why I'm with you guys. And that's why I absolutely love Leanpub, because you enable and empower people who would otherwise not have that voice.
Len: Thanks very much for sharing that. I've got a question about what you did with the print version of your book, just for the "in the weeds" nerds who stick around for this part of the interview, who are interested in self-publishing. But yeah - and I thank you for saying that about enabling projects that otherwise might not be done. That is actually very core to Leanpub and it's there, in what we think of as kind of systemic ways, like paying an 80% royalty rate, for example. It makes certain types of book projects profitable that otherwise wouldn't be.
And another thing in the whole Lean Publishing idea is like, get your book out there and start building an audience in a way that the conventional publishing process won't let you do - because you have to wait until you're done. But also - and this is something that I've done a little bit of research into - but a lot of people get really excited about book ideas, and get really depressed and quit when they discover how hard it is to get a conventional publisher.
Ken: Yeah.
Len: And especially when you start - one thing they might say to you, "Hey, what audience are you bringing?" And I think a normal person would be like, "Wait a minute. Isn't that your job?" But nowadays, publishers do not think that way. They've been cutting their marketing budgets and they go, "How many Twitter followers do you have? How many people are you bringing to the table?" And often, what they have left to provide you - and they might even not even really provide you with a proper editor anymore. And so what you're left with is, an advance - if you're lucky enough to get one, and prestige. And legitimacy. But often little more than that, which is one of the reasons that self-publishing has become quite a bit more popular. Particularly for - I mean, I would venture to say - for professionals like yourself. People who are really smart, and really know what they're doing - and they're like, "Why would I bang my head against the wall of this weird industry, when I could just get my book out there?"
And also, a conventional publisher is not going to publish a book that might only appeal to 1,000 experts around the world, because they can just do the math on how much money they're going to make from it. But for an expert - like many, many Leanpub authors are in various areas - if they can reach 1,000 people and get 10,000 bucks, that's worth it.
Ken: Yeah, absolutely.
Len: My next question is, you mentioned print. What service did you use to get your book into print?
Ken: I actually used a local publisher that we have up here in Blue Ridge Summit, Pennsylvania. I don't even remember the publisher's name now, honestly. Actually, a friend who works for the Chamber of Commerce hooked me up with it. They were a small-time local publisher, and they were absolutely great to me. I sent them the PDF - of course, this is before you guys even had the print-ready PDFs. So I sent them an exported PDF. And they said, "Okay well, hey, this isn't quite formatted properly." And I was like, "Okay, so, what's it going to cost to fix it?" And they were like - I think they charged me like 150 bucks or something.
And I said, "Okay, well, I was originally planning on ordering this number of books. Let's actually increase the number of books I'm ordering, and then that way the amount that I'm investing per book is lower." I did it that way because they're actually promotional giveaways that I'll actually just give away - all of these books that I had printed to promote myself as a cybersecurity professional, as someone who understands identity theft. So that was really why I got the books printed in the first place, was so that I could promote myself better instead of going up to somebody, "Oh yeah, hey I published a book - here's the URL." No, no. "I published a book. Here, have a copy."
Len: Thank you for telling me that. That's actually a really popular reason for Leanpub authors to get their books into print - it's kind of like a calling card. It's kind of like this physical proof that, "Yeah, I know what I'm doing. It's for real." And particularly for people who do consulting work, having a book can be a really great way of finding new clients and improving your profile.
Ken: Yeah, and it positions you as an expert in your field. It's one thing to say, "I'm a professional." It's another thing to say, "I'm a professional. Here's a copy of the book that I have." I think of it as an extra-large business card, to be honest. An extra-large business card with a lot better call back rate.
Len: So the last question I always like to ask in these interviews with Leanpub authors, is, if there was one thing we could fix for you, or one thing we could build for you - one magic feature, what would you ask us to do?
Ken: You're going to laugh at this one, and I've been ready for this question - and you're absolutely going to laugh.
Len: Okay.
Ken: The only thing that I would absolutely love to have with Leanpub is the ability to integrate my browser spell-check. That's my only complaint, is I can't get my browser to work very well with Leanpub as far as spell-checking. I have to copy it out, paste it into somewhere else, run the spell check there, and then paste it back in. And that's actually just some HTML settings, if I remember correctly. So, if you guys could fix that, I'd absolutely love it.
Len: Thanks very much for sharing that. You know what? After all these years, I think you're the first person to mention that. But I've got to say, it's something I've thought about myself. I think it's a feature of the fact that you're - so you use our writing in the browser feature?
Ken: Yeah.
Len: And I think you've been using that for a while. Our writing in the browser thing used to, like - in addition to the lack of spell check, used to suck to use. We made what we hope was a big improvement to it, relatively recently. And we've actually now been getting more people using it. And so, making improvements like that - I mean, obviously, copying and pasting out of a browser into like Word to spell check is good for a sanity check. But not ideal. There are all kinds of tools that can be used for spell checking in browsers, and it's definitely something that we will think about adding. And if it does come down to a few lines of code, hopefully that will make it really easy for us to provide that.
Well, thanks very much, Ken, for taking time out of your day to do this interview. And thanks for being a Leanpub author.
Ken: Thank you, Len. I really appreciate it, and I've really enjoyed the interview.
Len: Thanks.
And as always, thanks to you for listening to this episode of the Frontmatter podcast. If you like what you heard, please rate and review it wherever you found it, and if you'd like to be a Leanpub author, please visit our website at leanpub.com.
Episode Notes: Ken occasionally appears on The Hub Show, which you can find here: https://thehubshow.com.
