
In this episode, Jim Love interviews David Decary-Hetu, a criminologist at the University of Montreal, discussing the dark web and its impact on criminal activity and cybersecurity. They delve into what the dark web is, how it operates, its primary...
A
Crime is probably the most social activity in the whole world. So these offenders are, in most cases, going to connect with each other. No one is able to hack into a large organization alone. And so that's where you strike. You need to be able to monitor these conversations.
B
The dark web is one of those terms we throw around a lot, usually linked to crime, hacking or shadowy marketplaces. But many people don't really understand what it is, how it works, or why it matters to cybersecurity. Today we're going to dig into that world with someone who spent his career studying it. David Decary-Hetu is a criminologist at the University of Montreal, one of Canada's leading experts on the dark web and online criminal networks. His research looks at how these markets form, how they operate under the cover of anonymity, and how they adapt when law enforcement tries to shut them down. But I want to start with the basics, what the dark web is actually, and then dive deeper into the economics, the players, and the cat and mouse game between investigators and criminals. And at the end, we'll look at where this is heading next. Here's my conversation with David Decary-Hetu. Good to meet you, first of all.
A
Likewise. Likewise.
B
Again, I'm consistently surprised at what's happening in Montreal. You're a professor at the University of Montreal, but you're affiliated with the International Center for Comparative Criminology. I was looking at the website. That's a pretty large enterprise sitting there. Can you tell me a little bit about it?
A
Yeah, it's the biggest research, francophone research center in criminology. And basically we're interested in anything related to crime. So you have people looking at offenders, people looking at regulators, people looking at law enforcement. How do criminal laws get changed? So across the whole gamut, everything is interesting to our researchers. We have, I believe, 80 of them now. Yeah, pretty big center and known throughout.
B
The world, the partnerships across the world.
A
Yeah, of course. Yeah. It's been around for 60 years and we try to stay active and. Yeah, so we connect with people in Europe, the States, other places in Canada. Yep, it's. So I'm the director for the center for the. For this year, the director is away on sabbatical and yeah, so it's, it's proven a fun challenge to handle and to manage this big thing.
B
I have to ask, how did you get into criminology? What was, what made you so interested in it?
A
Actually, I was on a leap year and one of my friends, she had one of her homework. She had to go to the library and watch interviews with serial killers. And I was like, that's what your professors have you do at night. I'm like, Juliet. I was like, okay, maybe that's something that I could like doing. And so I applied to it, got in and I was lucky just because now in our undergrad program we accept fewer than 10% of the people who apply. So we have maybe 1500 applicants. We take about 120. So the students who get in are amazing students now, A students. So it's really hard to get into criminology now. It's one of the most difficult programs to get into at the university.
B
But the need was never greater for people in that area. We.
A
Yeah, it's. We're never going to run out of crime. So that's. And crime keeps changing. Cybercrime, everything. What we'll be talking about today, also, I think there's a.
B
Sadly, I feel the same way about doing a cybersecurity show is I'm not going to. I always thought you're going to run out of things to say. Nope. No, I'm stuck.
A
I was going to say it's many of the same stories that are repeating, but there's a few new nuggets here and there.
B
There's always a creative twist. And I invited you on to talk about the Dark Web and I. One of the reasons I wanted to do that, a lot of our audience is fairly sophisticated and I think they probably know about it, but I think it's one of those topics that people don't know what they don't know. If. So can you. Can we start with just a description of what the Dark Web is?
A
Yeah, sure. So the Dark Web, many people think it's a place that you go to, but it's really not. You really have to see it as a communication channel. So basically it's something you use to communicate with someone else anonymously on the Internet. That's pretty much all it is. The great thing about the Dark Web is that you can connect to websites, chat rooms, any online service without having to disclose who you are, where you come from. But these services can also use the Dark Web to hide their identity, their location. So I can, for example, host a website and say only people who go through the Dark Web are going to be able to connect to my platform. And so this means that I don't know who my visitors are and my visitors have no idea who I am. And that's been one of the big challenges for law enforcement because there's all these websites selling illicit drugs, firearms, and other things like that. And you can connect to the platform very easily. And yet there's no way for you to know who's behind it, where is that server located, and how do you take it down? So that's been the big challenge of.
B
It, and that's largely the technology for the. And I think most of our audience will know, but there's a Tor browser and I think the Onion. Can you just explain a little bit about the technology for those who don't know what powers this?
A
So the Dark Web, or the Darknet, whatever name you use, is the label that we apply to a number of technologies that can be used to stay anonymous online. So we've all heard of the Tor network, which is probably the biggest part of the Dark Web, just because the Tor network has the most funding. It's been around for over 20 years. And they were lucky because they were actually funded by the US Government, who still funds the operations to this day. And because they got this funding, they were able to develop, for example, what you mentioned, the Tor browser. So when you use a Dark Web, there's a whole lot of cryptography that's happening, a whole lot of things that are happening in the background. And the Tor people, because of this funding, were able to hire programmers who could make it absolutely seamless to use. So that's how they've developed the Tor browser, which is a modified version of the Firefox browser, which enables you to connect to resources that are only accessible through the Dark Web. When you're using this, it looks like just another website, but it's actually a lot of crypto hiding everyone's identity. The other dark web, so I2P, for example, they don't have the same budget, so they don't have the same number of developers. And it's very easy to say we're going to take Firefox and then we're going to modify it so that you can connect to these platforms. Problem is, Firefox gets updated every week, if not every day. So every time there's a change in Firefox, you have to update the browser that you made that allows you to connect to your network. And so that requires a lot of engineering time if you want to stay safe and anonymous. So that's been the main challenge.
B
And who you said that the American government initially funded this whole. Supports this now? First, I'm shocked that I didn't know that. But the second thing is, who supports it now?
A
So to the best of my knowledge, the US Government, maybe it's changed since the last administration, maybe these budgets have been cut, but traditionally it's been donations. And the US Government, who paid the majority of this. And this network was developed so that the US Military and the Navy could communicate with their spies all over the world anonymously. And so if you have a spy in Iran and he's connecting to a server in the States, the Iranian government is going to see this connection, and they're going to say, maybe we should go and knock on that door, see what that person is doing. If they're using the Tor network, there's no way for these governments to know to what website you're connecting. So that's great. But at the same time, if only spies use these networks, then it's very easy to just flag them in your network and go and see the people who use this Tor network. And so that's why the Tor network was funded by the US Government, but also open to everyone, because basically, we're providing a cover for spies all over.
B
The world, inadvertently creating a network that would come back to bite us in many cases.
A
But doing that.
B
Hide spies.
A
Exactly. And provide a tool for freedom fighters and journalists and whistleblowers. There's many use cases for this, of course, but that was the reasoning for creating this network.
B
So where does the onion fit into this?
A
Yeah. So basically, what you have when you're using the Tor network in this example is you have multiple layers. So they've updated a protocol, and now it's not as simplistic as this, but in the original kind of design, you had three computers between you and whatever platform you wanted to connect to. And basically, the first platform that you connect to knows who you are, but they have no idea where you want to go. The last platform in this chain knows where you want to go, but they have no idea who you are. And you need someone in the middle that connect your entry guard and your exit relay. And so you tell the first relay, I would like to go somewhere, but I'm not going to tell you where. The second relay passes on your information to the last one in the chain, and then this exit relay is going to go and fetch the content for you. So that's why we have this peeling of layers, basically, where when I send my request to the first relay, all they know is they have to forward my request to someone else, but they have no idea what my packets contain because that's all encrypted. So that's why you have this layer.
B
Interesting. So, for all intents and purposes. And I tell our listeners, if you don't know what you're doing, you shouldn't be there. Anyway. So many of us have not been on the dark web, but how do you find your way around? There's no search. Is there a search? The regular Internet?
A
Yeah. So no one is indexing the content that is accessible through the dark web. So once again, you can't really go on the dark web, even though I say it all the time, but you can't really go on it. You can just use it to go somewhere. And the traditional search engines are not really interested by the content that's accessible through the dark web, because in most cases it's going to be sex, drugs, illicit firearms, whatever. So nothing that you can monetize that easily. So there are some search engines, but the whole point of the Tor network is word of mouth. So basically, you shouldn't publish the URLs for these resources openly on the Internet. You're supposed to share it among friends, small groups. And so this is where you go back to the good old days of the 90s and the search engines where we have directories. And so basically you have all these websites that you have to know, and they have lists. If you want to buy drugs, here's a list of markets that you can connect to and they're going to provide to you the service. If you're looking for porn content, here's a list. So it's the good old days of the directories that have to be maintained and just taken care of by individuals on Tuesday.
B
So it's actually a lot like the old days where you had. You don't have search, you had lists. Yahoo. Yeah, you think Yahoo started as a list. So that's how they circulate these addresses between the people who want to be on the dark web.
A
And so the URLs, anyone can just set up their own URL. You don't need to register it with a registrar. You just create your own, your own domain name and then you just publish content through it. I sometimes teach.
B
Wait a minute. You don't have to. You don't have to put it through a registrar, but you still have your domain name.
A
Yeah, because if you have to register your domain, then you know, you have to show who you are. So that would create its whole host of problems. So you basically just publish on the Internet. There's this URL, and if you guys are interested by it, go to this relay and they'll feed you and I'll get your request and they're going to be my proxy or my presence online so that you can find.
B
So the relays are like our DNS servers.
A
Is that things? Yeah, and yeah, and sometimes I teach to law enforcement and within 15 or 20 minutes all the law enforcement officers in my class, they can be hosting a drug dealing website that's hosted or accessible through the dark web. I usually go through fake watches, so I just clone a website that's selling counterfeit watches and everyone in the room is hosting their own fake watch website. Of course we're not shipping or selling anything illegal, but yeah, it's extremely easy to do.
B
And that's the concept. That's how you can have a server that is operating out there that people can't find and or law enforcement can't necessarily tackle.
A
Yeah. So basically the whole point of the Tor network is it's going to hide your IP address. If I don't have your IP address, I cannot locate you in the world. So the server that's distributing child pornography can be five feet from me, or it can be 5,000 kilometers from me and I have no idea where it is in the world.
B
And people rent these servers. If I want to be out there, people, somebody must be have data centers that provide these things that we've seen.
A
This content hosted in many large data centers. Sometimes it's going to be computers that they run at their own home. So you can host it from a place, from a data center, no matter where you want to. There are a series of people who will not look too closely at what's on your hard drives. And because everything is encrypted in transit, it's more difficult for them to realize that you're running this thing within their infrastructure.
B
And who are the main players? Who are the people who are out there? You've mentioned drugs, certainly sex and drugs. No rock and roll. But that the rock and roll stay on the main web.
A
There's a lot of debate as to what is the Tor network or the Dark Web in general being used for. There was a study over 10 years ago which was really interesting because they looked, they indexed as many websites as they could that were accessible through the dark web. And what they found was that these websites were being used for many things. Illicit markets to buy drugs, whatever this thing you want. But when they looked at the traffic and so the flow of packets and what people were actually using this platform for, I think like 95% was for child pornography. So basically just downloading child porn. And then Tor network came back and they said we are only analyzing part of our flow. You can't really say that. But the point is, many services are accessible through the dark web. Facebook, for example, you can use it through the regular Internet, or you can actually just go through the dark web to log into Facebook. You can connect to the CIA's website. They have a version of it that's only accessible through the dark web. But I would say I would not be surprised if a large portion of the network was dedicated, used by people who want to exchange child pornography, just because these people have a vested interest in remaining hidden.
B
We all think about the hackers. We all think about hackers. But then hackers have their disclosure sites are pretty much on the regular web, and then you. And. But they have their own sites as well for recruiting, I would guess, on the dark Web.
A
So it's difficult to say, is something on the Internet or on the dark Web, because a lot of the websites that you can access through the dark web, you can also access just through the regular Internet. So it's not like there's two sets of content. There's just two methods for accessing the same content. In most cases, as I said, Facebook, for example, you have exactly the same experience. But in one case, Facebook knows where you're connecting from. And with the other, Facebook has no idea where you're connected. So these are just two methods to access the same content. But of course, in addition to child pornography, I would say the Dark Web is mostly known for the ransomware blogs. So basically, all the ransomware groups, that's where they host their content. And because it's only accessible through the dark web, it adds a layer of difficulty for law enforcement to determine where these servers are and to take down the content that was stolen by these ransomware.
B
Yeah, no, and I don't want to. I don't want to fixate on it because the. The visceral reaction I have to child pornography is, I think, like everybody. But how do you steel yourself if that's what you're studying? How do you deal with that?
A
I don't watch, so I'm not too interested into the content. I do a lot of social network analysis, and in that case, you don't really care what people are saying. You're more interested in who's talking to whom, who's connected to whom. So looking at actors and ties rather than actual content was probably a very good decision on my part. But some people are interested in the content. And even then, one of my students, for example, she looked at the child porn forum where people were just discussing feelings, strengths and everything. And we couldn't really, for ethical reasons, go through all the content, but we could use tools, for example, to determine if these messages, they were they happy, sad, angry. And we looked at before and after Covid to see. We all said Covid isolated us. If people were isolated, they were more sad, more angry. And maybe that led to more children being abducted, attacked, raped and everything, and abused. And basically in this case, we found no difference. It was the most boring master's thesis ever because everything was flat. So you can analyze pretty much anything and there are tools that will just read the content for you, give you out numbers, and then you can play with these numbers pretty safely.
B
Look, let's focus on our hackers, which are really the bane of our corporate existence. And so they gather on the darknet or Dark web. I understand the nuance, but it's so much easier to just conceive of it about they gather on the Dark Web. How do they find each other?
A
These. Yeah, it's these directories, it's links that are going to be shared on X, on Discord, on Telegram. So it's basically just knowing where to go. And the hacker forums are still very active. Most of them are accessible through the Internet or through the Dark Web. And you often have the same content. But once again, it's mostly word of mouth. It's just talking to people and people are going to say, hey, there's this new platform, you should try it. Here's the link. You can't really guess the Tor URLs because they're what, 64 characters long and they're all kind of random numbers and letters, so it's very difficult to just guess them. You actually have to have someone take you by the hand and bring you there, which is the whole point of the network, to keep it more secure.
B
But that's the thing that just I you pointed out there's so many police on the Dark web or watching in these forums. I'm sure that every forum has at least one officer. But how do they build enough trust to talk to each other?
A
That's a big question. So trust doesn't come easy, that's for sure. And there's been many studies on this. I would say one of my PhD students, Rasmus Munksgaard, did his PhD thesis on this very topic. And that was very interesting because, for example, he looked at people who sell drugs and he showed that when someone would buy drugs from someone else, they would buy a very small amount and then they would see, can I buy drugs through this website? And am I going to receive this drug in my place by the mail? And if they do, then they maybe order another time, but this time it's twice as much. And so you would see this trust building where people would say, I'll trust you for $5 of illicit drugs, then I'll trust you for $20 of illicit drugs, and then maybe I'll trust you for a hundred dollars if everything goes well. So it's a lot based on people's experience as well as their friends' experiences as well. And it's the same for restaurants. If you go online and you can see, for example, on Yelp, it says, that restaurant is great. Are you going to trust that Yelp number? Maybe not so much. If you ask me and I'm like, we have to try this restaurant because you know me, then maybe you got to trust this even more. But if you've been to this restaurant before and you had a great time, then you actually know that it's a great restaurant. So you have these three layers that build towards trust, and you're using all these signals. Your own experience, your friend's experience. And then if you have nothing else, just a regular Internet, and you're like, you only live once. Let's try. This place has great Yelp review, probably bad, but you never.
B
Yeah, YOLO gets you into trouble. But right now, I know, for instance, that a lot of young people are being recruited. And particularly we've done stuff on the ransomware gangs, and they really do focus on younger people, particularly unemployed. Unemployed young people who have computers, are computer savvy as well and manage to recruit them. But have you studied the structure of how that happens?
A
Not so much, because a lot of. So some of it happens quite simply, people going on Upwork and other platforms where you can just advertise your services. And in some cases, either people turn a blind eye, they don't ask too many questions. They'll be recruited to develop malware, develop graphics for certain things. So they'll be enlisted into these criminal gangs, and they'll get paid without necessarily knowing what they're getting into. And so that happens. And there's also the people who see all these blog posts that we publish in the cybersecurity industry. This ransom gang, they infiltrated that hospital and they got a $15 million payment. And it looks easy enough, and it looks like so much money, like you can earn so much money. So we're creating our own problem, I feel, many times, because we make it look as this dream job where you're going to be making so much money. It's going to be so easy. And today, with AI, you don't even need to know how to code. You can just vibe code your malware or yourself into an organization. So all of this discourse draws people in who perhaps don't have other opportunities, or even people who are just curious to see, hey, could I do that as well? So we see a lot of people just flowing in just because they're curious, they want to try it. They're like, hey, maybe it's an easy way to make a few bucks. And in many cases it is. Especially with cryptocurrencies today, if you target people who are active in that community, you're very likely to be able to get your hands on large amounts of Bitcoins or other currencies. So, yeah, just people reading the news and saying, hey, maybe I should try this.
B
Are the concepts of the hackers and the people who are selling drugs and all of that, do they intersect? Is this one big business, or do they have their own little enclaves?
A
So what we've seen is it's very divided by type of activity. So you're unlikely to see platforms which are going to advertise malware as well as illicit drugs. That happens, but there's usually more dominant activity in there. But we even see groups based on, yes, the type of activity, but also the places that they're from. And we've seen, for example, on Telegram, you're going to see channels, and it's going to be, for example, Montreal hackers. And then you're going to have Toronto hackers, you're going to have New York hackers. So even in the name of the channel, you're going to have what these people are doing and where they're from. And it's pretty easy to understand because if you put me in a room with German hackers, we don't speak the same language, we're not going to be online at the same hours, and we don't have the same culture. So we have some point of connection because we like hacking. But this is going to be a difficult mix between the two of us. So I would much rather hang out with hackers from Montreal, which have the same references, the same culture. So that plays a very big role in how these communities connect to each other.
B
Interesting. Now you train police officers yourself, but what's the difference between what you do in research? What. You obviously have a different approach to it than the officers you train.
A
Yeah. Of course. So I see our work in research. It's trying to understand the changes that these technologies bring. For example, the first research I ever did on this Dark Web thing was looking at how this technology was going to change drug markets and violence. So we know that drug markets can be violent. And so if people start buying drugs online through this Dark Web thing, it's very difficult to shoot someone if you don't know where they are in the world and if you're not even in the same city as they are. So I wanted to know, so are we going to see changes in the levels of violence associated with drug dealing? We've also looked at the effectiveness of police operations. So basically, how do these offenders react when one of their platforms is seized? And the landmark study that we did showed that even if you take down the biggest platform there is that's accessible through the Dark Web, about six weeks later, there's going to be a new platform. It's going to be very similar. It's going to be up and running, and everyone's going to be back to business. Because basically, if you attack the platforms, someone's going to create a new one and they'll be just back to what they were doing just in a matter of weeks. So trying to understand this, it's more kind of understanding the impact of technology on crime as well as how people network and connect with each other. Yeah.
B
And I don't want to wander, I want to stay back on the point. But you just tweaked something with me. The imagination that most of us have is that most of these people are in Russia or North Korea or someplace where they can't be extradited. But if you're going to run a drug business, you actually have to have physical presence in places that are quite close to us, in Canada, in the U.S. or nearby.
A
So it is very different depending on what type of activity you're talking about. But even then, I would be curious to know if there are more hackers in the States or in Russia. Not really clear on what the answer is to that question. I wouldn't be surprised if there was more people in the States just hacking into the States rather than Russian hacking into the United States. That's still up for debate. But one thing for sure, even though there are international networks, even in the hacking world, even if you gave me credentials to log in once again to a German bank once I'm in, I don't speak German, so I have no idea. Am I in a big bank, a small bank, a regional bank, how do I pivot? What do I search for? Your password files that be called password. It's going to be Einstein. So there's all these things, which means that when you're hacking into systems, you have to speak the language, know the culture. Once again, that makes it much easier.
B
Which is one of the reasons why so many young people are recruited, because they're obviously, they've got English speaking people working in the US. They've got French people speaking people working in Quebec. And as you are well aware, it's not just because you speak French doesn't mean that you're going to fit in to a community in Paris. There are different dialects, there are different cultural norms that you have to, if you're, especially if you're going to be doing things like trying to do social engineering, you have to understand the culture as well.
A
Exactly. Yeah, exactly. So that's why even though we're always focusing on these international groups and there are many of them and they're very effective, but depending on what they're doing, if you have social engineering, you have to have someone who's local or it takes time for you to really be good at it in a different culture. So that's for sure. And that's why I think that's the hope for law enforcement. So sometimes we feel like all we're doing is investigating these Chinese, Russian, Brazilian, German gangs hacking into our systems. True. But there's also a lot of their partners who are local and they need those partners. And maybe we go after these guys rather than the main ring. Not as effective, but at least it gives us something that we can actually use and a way to prevent some of these attacks.
B
We deal with the problem that we have, which is it's like playing whack a mole. You knock out one of these groups, they're back again in three weeks, six weeks, with a new name and the same players and back at work. How do we tackle these?
A
Very big question. Very big question. The technology for the Dark Web, for example, I don't think anyone's really broken the technology, the encryption, that problem has pretty much been solved in that you can create secure connections online, you can hide your identity. Now, if you're the NSA and you have a bird's eye view of a whole country's network, it becomes a bit easier to track people than if you're a single ISP or a single law enforcement agency, for example. But I think that the human aspect is still the most important one. So these offenders are in most cases going to connect with each other. No one is able to hack into a large organization alone. You need to get malware from other people. You need to learn some tactics, some techniques from other people. So you have to connect, network. Crime is probably the most social activity in the whole world. And so that's where you strike, where you need to be able to monitor these conversations, see who's interested in what. And that's where you have to. You best handle things as well, perhaps as the cryptocurrency. So everyone's just stealing cryptocurrency, asking for ransom. In cryptocurrency, I can give you a million bitcoins. There's not much you can do with that. What you want is US Dollars or Euros, and you have to convert those at some point. And so if I'm able to track you down to the exchange that you're using, that's also a very effective method for identifying people.
B
In some of your work. And I admit to just glancing through it, there was a concept of conditional deterrence. Can you explain that?
A
Yeah. So basically, so you can take down one platform. And as I said, there's not going to be a lot of impact because everyone's going to be back up to their own practice with just the different platforms. So what you want with deterrence is to have kind of more lasting impact. And so we've seen police operations that were very well designed in the past. So, for example, law enforcement was running the biggest market that was accessible through the dark web for a number of weeks. And then they came out and they said, hey, guys, you didn't know this, but we were actually running this platform. And while we were doing it, we were collecting all this information on y'all. And for example, they erased all the images from the website and they told everyone, hey, we lost all the images. Your icon, you know, your picture with your profile is gone. We need you to re-upload it again. Here's a website where you can do this. This website was actually tracking everyone's IP to see where they were submitting their images. So when you do that and then you make it public, then everyone starts to freak out and everyone's wondering, what do they know about me? Do they know who I am? Do they know what I've done? So this is where you're trying to deter people by doing the operations which show that we could be coming to your door at any point in time and we could be just arresting you. So maybe it's better if you quit while you're at it, is basically the message law enforcement is sending.
B
Interesting. Yeah. Because one of the techniques that I'd heard about from another officer that I was interviewing was that they try to sow distrust in the group to make it more dysfunctional and to slow them down, if nothing else.
A
Yeah, so. So one thing that we, another student of mine, we worked on police operation where basically the police were seizing drugs, but they were making no arrests. And so people were ordering cannabis through the Dark web and they would never get their packages. But the people, the drug dealers, they were sending packages, but the police was at the police at the Canada Post and he was just seizing the packages. So the customers thought, hey, this guy is just not sending the drugs. And the drug dealers were thinking that the customers were stealing from them. Create huge distrust. And it just crashed the cannabis market in Canada for cannabis. That can be done.
B
The other thing you could do is legalize it and then you reprint you.
A
But it was super interesting because it's a very low cost. If you know what these packages look like, you just take them with you. You don't have to build evidence, you don't have to arrest anyone, which takes large resources. Just by doing that, you just destroy the market and people have to go and do something else, basically.
B
Interesting. Tell me more about where. What your experience has been. And I know as a researcher you have different ethical approaches. Only so much you can do. What are the things that my listeners would be most surprised about?
A
There are some really dark things that are being hosted on this Dark Web thing. The red rooms, the torture chambers. There are some dark sides of humanity that perhaps shouldn't exist and should not be shared online. But I would say, I think that the most surprising thing is how unimportant in many ways the Dark Web has become. Over the past, I would say 10 or 15 years, a lot of the enforced law enforcement has focused on the dark web. And this means that perhaps it's much more risky to be using this technology because law enforcement have been targeting, monitoring, and looking at all the actors that are using this technology. So more and more what we're seeing is people are saying, using the dark web, yes, it provides me some level of anonymity, but because anyone's going to be clicking on the link, uploading pictures, they can actually find my identity pretty easily anyways. Maybe it would be better for me to be using other networks, technologies rather than the dark web. And unfortunately, we've seen the dark web become more and more boring over the past decade. And I say unfortunately, just because I had invested a lot of time, energy to develop monitoring infrastructure, trying to understand these networks that we now have to redeploy to other platforms like Telegram. But even that's dying down. So looking more at Discord and just plain old web forums, basically.
B
So where does the future go for criminals on the web?
A
I honestly don't know. I honestly don't know. Telegram seemed to be the new place where everyone was, but then the French people ruined everything by arresting the owner of the Telegram. And now there's been a lot of debate as to can you use Telegram now? And many people in the community, in the hacking community are against using it. They're saying we should be using Signal, we should be using other apps. But fun fact, who was the seed money and who paid for the development of the Signal app? The US government. Once again, it's just fascinating to everyone's, hey, let's use this thing. So the US government created it or the government funded it. I don't know that one platform is going to be ruling them all, because they're all vulnerable, basically. But the things that will be interesting to look at. I think one of the big things that I'm looking at is cryptocurrency, because cryptocurrency changed the whole game for hackers, for ransomware. If we didn't have cryptocurrencies, it would be so much harder for people to buy and sell malware, to buy and sell identities, access to networks and to companies. And cryptocurrencies are perhaps, and I'm going to be making a lot of enemies by saying this, but it's perhaps one of the few technologies that have very few useful use cases and a lot of problematic use cases. It's very useful for speculation, but for buying a sandwich, it makes little to no sense.
B
Yeah, it's hard to justify. Nobody carries cash in Canada. We all use electronic currency now. You don't need a Bitcoin to transact anything.
A
Yeah. And I know in some countries financial services are hard to come by, and it's not like us in Canada where everyone has 20 different credit cards. Credit is easy to get, so there are some use cases, but besides speculation, having people getting their funds stolen, facilitating the exchanges of illicit goods and services. And so it's going to be very interesting to look at how these cryptocurrencies evolve. Do they stay relevant? Do we have quantum computers that just break blockchains, so we can't use cryptocurrencies anymore? I think that's perhaps the biggest change that the cremon De Gras has seen, and it'll be interesting to see do they keep that tool or do they lose it in the coming decades?
B
It's interesting. There's a trial going on in New York. I don't know if you've heard of it, but two MIT students, they basically ripped off people for $25 million in cryptocurrency. And they're being hauled into court and they're saying, you. You can't touch me. Why? This is a blockchain. Anything permitted by the blockchain is inherently legal within there. And you have no law that affects blockchains. They might actually get off.
A
We'll survive. It's like at the beginning of the Internet, there was nothing. The first case that was tried was people who were. They had the hotel database and basically they copied the database with all the employees information in it. And basically they were charged with theft. But they said I didn't. Theft means if I take something from you and you don't have it anymore, in this case, I just copied the list of employees. So you still have it. So it wasn't theft. And so I believe they walked. And that's where we need to say, okay, maybe we need new laws. Like, what does theft mean in the digital age? It means that I can take something from you, but you get still to enjoy the thing that you have. So we will need new laws, that's for sure. Because the reality is just different.
B
This drives me crazy, especially since we have places like the University of Montreal that have so much knowledge on this. Do law enforcement or do regulators and legislators come to you to try and find out what they should be doing?
A
Well, we. All the time. All the time. And we don't have all the answers. People on the ground, law enforcement officers, they're in there 24/7. They're looking at these networks, they're monitoring them. So they've, the sophistication of law enforcement operations is really impressive, what they've done in the past decade or the past 20 years. And in terms of laws, we know regulations and laws, they always trail behind by a decade or two. We'll get there at some point. But when you have these cases where people say, I didn't really steal 25 million bitcoins, they just flowed through me and I didn't do anything wrong. I'm sure we're going to see new laws around that in the coming years, that's for sure.
B
And two pieces. If you were going to give advice to policymakers or legislators, what would you say? What would be the thing, the biggest thing that they should be looking at?
A
As I said, I think how we use cryptocurrencies, it always comes down to money in most cases. How do we handle ATMs with bitcoins? How do we handle the place of bitcoins? So I would say that trying to make laws that make sure that we can actually track and know who these offenders are because of their payments, that would be one thing. The other thing is to say that no technology is inherently evil. Sometimes we try to say encryption is bad, so we need to get rid of encryption. We need to have backdoors into everything. The dark web is bad. Like I would say, all technologies have a purpose. And we've seen over the past few weeks, months and years people trying to put backdoors into everything. And so we just see, we just saw the EU proposal to monitor, to measure pretty much everyone except EU lawmakers, which would be protected against any monitoring. Of course, I would say that's possibly a very big threat because we've all seen that if you try to monitor, surveil people and break the, and attack the technology, that's always the wrong way to go. And we have to fight this again and again. And it's going to happen, I think, in the future.
B
And why do you say that? Why is it the wrong way to go?
A
Just because when you're creating backdoors and when you're trying to outlaw technology, the only thing that happens is the bad guys can access the technology and the good guys cannot. Nothing new here, but that's always what we see. If you say Tor is illegal, all the bad guys are going to use it. And people who would actually benefit from using it because they're whistleblowers, because they want to communicate securely with their loved ones in oppressed countries, they lose that ability to do because they don't want to get arrested. So I would say that, yeah, we need to take a different route.
B
Yeah. And the reason I asked that was the whole idea of backdoors and creating those is attractive to law enforcement. They always want it, but then they're not as good at guarding it as they might be. And we found that in the US where the backdoors that they'd created into the telephone system, guess what? They leaked. And we had, I think we probably still have hackers going out through our telephone networks or digital networks for telephony.
A
I have a to do the SS7 network, even the Apple chips that had a backdoor a few years back. That backdoor was so hidden. There was no way for a random person to just discover it. Except I think it was Kaspersky who saw it now being used and they were like, okay, now that we've seen someone use it, now we know how to replicate it and now we can use it as well. So that's always a problem, is you can put a hidden backdoor somewhere, but the second you use it, you just burned it, basically. So there's ways to do effective backdoor. Only problem is you cannot use them. And so what's the point adding backdoors in the first place? Wow.
B
Yeah. Just in terms of my audience, which is largely people who are involved in corporations and security, is there any things that you've learned from what you're doing that would be that they should be paying attention to?
A
I think that they should have a program and services to monitor what people are saying about their company, but also their industry. So we're seeing, as we said when we began this conversation, there are new things in cybersecurity from time to time, but very often it's just the same history that repeats itself. So trying to understand, okay, so if I run a hospital, how have hospitals been hacked in the past? Trying to understand, what are people saying about me? Are people selling accounts with my employees? So trying to understand what your threat is, but also just how your industry is being threatened is also extremely important. And I think that being aware of this, keeping an eye on, okay, so there's been like a wave of two or three hospitals have been hacked. How did this happen? Can we talk with each other? And trying to understand how people are bridging into these networks? I think that people should spend more time trying to understand what the real actual threats are, rather than just go through compliance and trying to find, okay, we're using X, Y or Z software. We're trying to understand what are the real use cases and the original. And innovators in terms of criminals, they do exist, but most of the time it's just the same thing that happens over and over.
B
And where would be the best place for them to educate themselves on this? Because I know people sell this as a service and things like that. I don't know what's reliable. Where should a company be looking to if they want to become more educated on what all the things that you talked about?
A
There's so much, so many conferences, so that's always a good place to start. Many of them put their content online, many of them free, so you don't need to pay millions of dollars for this. So I think that just watching the content that's been produced online, podcasts like this one. I do listen to a lot of podcasts and once again, sometimes it's a bit boring because you're like, okay, so yet another human who clicked on the link. But it tells you, you get a sense for what's going on, what are the big trends? So I think just podcasts and conferences are the easy way to go. And then if you have the money and millions to spend, there's going to be a whole pack of companies and I'm sure they're already knocking on everyone's door to sell them services. So really let them decide who's good, who's bad, that's they're going to find you. You don't have to offend them.
B
I noticed you posted something on LinkedIn to BSides, which David, my other friend David has told me about. And that seems to be a really accessible place for people to start getting more educated in terms of what's happening in terms of cyber threats. Anyway.
A
Yeah. So if you're in the Montreal region. So BSides is just this brand for conferences. I believe there's now over 200 BSides events all over the world and each of them is run independently. So they range from 40 people to 4,000 people in Vegas. So in Montreal we have about 300 people. It's one Saturday in September every year. It's our fifth year. We've been lucky enough to be sold out for the past five years, which is pretty awesome. And we have almost three half day workshops, there's two of them. We have treasure hunts, we have some great talks. And for 40 bucks you get a T-shirt, breakfast, lunch, dinner, open bar at the end, and some pretty great talks. So, you know, it's a no-brainer.
B
And you learned something too.
A
I was going to say that's on top of everything, so not so bad.
B
David, this has been fantastic. I'm so glad to have had this chat with you. I hope I could come back to you when we have some other. Especially if you have other research that comes out. I'd love to hear about it. I think our audience would as well.
A
Thank you for having me. Great talk. And yeah, when there's a divergence in the dark web, we can talk about that.
B
Okay, thank you very much. I will talk to you soon. Thanks a lot for doing this. Appreciate it.
A
My pleasure.
B
And that's our show. Love to hear what you think about this. I hope we bridge the gap between those people who don't know a lot about this and maybe some of you who may know a lot more. I hope it was interesting, but let me know. I'd like to get some feedback from you so I know how to plan these shows better. You can reach me at technewsday.com or .ca, take your pick. Just go to the Contact Us tab and leave us a note. If you're listening to this on YouTube, just put a comment under the video. I listen to them all. David Shipley will be back Monday morning, and I will talk to you again Wednesday morning. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Guest: Dr. David Decary-Hetu, Criminologist, University of Montreal
Date: October 18, 2025
In this episode, Jim Love engages Dr. David Decary-Hetu in a deep-dive conversation about the dark web and its influence on modern cybercrime. The discussion covers the basics of dark web technology, the social nature of online criminal networks, law enforcement’s challenges, how trust is established among criminals, and evolving strategies for monitoring threats. Dr. Decary-Hetu, a leading criminology expert, demystifies the realities—and the myths—of the dark web. He also shares insights valuable to anyone in cybersecurity or business risk management.
On the social nature of cybercrime:
“Crime is probably the most social activity in the whole world. So these offenders are, in most cases, going to connect with each other.” — Dr. Decary-Hetu [00:00]
On technology’s double-edged sword:
“No technology is inherently evil. Sometimes we try to say encryption is bad... The only thing that happens is the bad guys can access the technology and the good guys cannot.” — Dr. Decary-Hetu [44:29]
On law enforcement effectiveness:
“Even if you take down the biggest platform... about six weeks later, there's going to be a new platform... and everyone's going to be back to business.” — Dr. Decary-Hetu [27:14]
On cryptocurrency in cybercrime:
“If we didn't have cryptocurrencies, it would be so much harder for people to buy and sell malware, to buy and sell identities, access to networks...” — Dr. Decary-Hetu [39:00]
On backdoors and security policy:
“You can put a hidden backdoor somewhere, but the second you use it, you just burned it, basically. So there's ways to do effective backdoor. Only problem is you cannot use them.” — Dr. Decary-Hetu [46:09]
This episode offers practical wisdom, clarifies many misconceptions, and brings needed nuance to discussions about the dark web. Dr. Decary-Hetu highlights both how criminal networks flourish in online anonymity and how, paradoxically, social and human vulnerabilities remain the cornerstone of both offense and defense in cybersecurity. The episode underscores the importance of being proactive, staying informed, and understanding the ever-changing threat landscape—be it on the dark web or new, emerging platforms.
Recommended for anyone in security, risk, or technology leadership, and those looking for an authoritative primer on the realities of the dark web.