WEBVTT

00:00:13.480 --> 00:00:13.480
<v Speaker>Imagine a town built around a single, deep well.

00:00:28.260 --> 00:00:32.359
<v Speaker>Every morning, the people in this town walk to the well.

00:00:32.359 --> 00:00:34.659
<v Speaker>They lower their buckets.

00:00:34.659 --> 00:00:36.979
<v Speaker>They draw the water.

00:00:36.979 --> 00:00:38.939
<v Speaker>They take it home.

00:00:38.939 --> 00:00:40.820
<v Speaker>They drink it.

00:00:40.820 --> 00:00:43.700
<v Speaker>They give it to their children.

00:00:43.700 --> 00:00:45.659
<v Speaker>They don't test it.

00:00:45.659 --> 00:00:47.659
<v Speaker>They don't question it.

00:00:47.659 --> 00:00:52.939
<v Speaker>They just trust it because the water has always been clean.

00:00:52.939 --> 00:01:02.740
<v Speaker>But what if one night someone crept to the well and poured poison into the dark water below?

00:01:02.740 --> 00:01:05.620
<v Speaker>The next morning the water looks the same.

00:01:05.620 --> 00:01:07.500
<v Speaker>It smells the same.

00:01:07.500 --> 00:01:10.819
<v Speaker>The bucket feels just as heavy in your hand.

00:01:10.819 --> 00:01:14.819
<v Speaker>But everyone who draws from the well is compromised.

00:01:14.819 --> 00:01:19.260
<v Speaker>And no one knows until it's too late.

00:01:19.260 --> 00:01:22.939
<v Speaker>Every website is just a string of numbers.

00:01:22.939 --> 00:01:25.980
<v Speaker>Human beings can't remember strings of numbers.

00:01:25.980 --> 00:01:29.780
<v Speaker>So decades ago, engineers built a directory.

00:01:29.780 --> 00:01:33.219
<v Speaker>You type a name, gives you an address.

00:01:33.219 --> 00:01:36.379
<v Speaker>That directory is called DNS.

00:01:36.379 --> 00:01:41.700
<v Speaker>It stands for Domain Name System.

00:01:41.700 --> 00:01:45.299
<v Speaker>It is the well that we all draw from.

00:01:45.299 --> 00:01:53.299
<v Speaker>Until a 29-year-old named Dan Kaminsky realized that the well had no lid.

00:01:53.299 --> 00:01:55.140
<v Speaker>I'm Daina Bouquin, and this is Lore in the Machine.

00:01:57.420 --> 00:02:04.939
<v Speaker>Dan was the kind of person who broke things just to see how they worked.

00:02:04.939 --> 00:02:10.780
<v Speaker>When he was 11 years old growing up in San Francisco, his mother got a phone call.

00:02:10.780 --> 00:02:14.740
<v Speaker>It was a security administrator for the United States Military.

00:02:14.740 --> 00:02:20.060
<v Speaker>Her son, the administrator, explained had just hacked into their network.

00:02:20.060 --> 00:02:24.500
<v Speaker>And they were going to cut off the family's internet access.

00:02:24.500 --> 00:02:26.460
<v Speaker>Now his mother didn't panic.

00:02:26.460 --> 00:02:36.500
<v Speaker>She told the government that she would take out an ad in the San Francisco Chronicle to announce that an 11-year-old had defeated the military's computer security.

00:02:36.500 --> 00:02:42.539
<v Speaker>So they negotiated a three-day internet timeout for the boy instead.

00:02:42.539 --> 00:02:44.180
<v Speaker>Then Dan grew up.

00:02:44.180 --> 00:02:47.740
<v Speaker>He became a professional security researcher.

00:02:47.740 --> 00:02:52.180
<v Speaker>And in 2008, he was looking at the internet's directory.

00:02:52.180 --> 00:02:56.419
<v Speaker>He noticed something that made his stomach drop.

00:02:56.419 --> 00:03:19.860
<v Speaker>Not a simple bug, a structural weakness baked into the very foundation of the internet, a vulnerability that would allow an attacker to quietly slip false information into the central directory, to rewrite the map of the web, to redirect your email, bypass your passwords.

00:03:19.860 --> 00:03:27.500
<v Speaker>So that when you typed in the name of your bank, the well would send you somewhere else entirely.

00:03:27.500 --> 00:03:31.379
<v Speaker>We call this type of attack cache poisoning.

00:03:31.379 --> 00:03:42.659
<v Speaker>It's a security vulnerability where attackers can insert fraudulent entries into a cache, causing the system to return incorrect and malicious data.

00:03:42.659 --> 00:03:52.699
<v Speaker>What Dan Kaminsky found was a specific type of cache poisoning that we now call DNS poisoning or DNS spoofing.

00:03:52.699 --> 00:04:00.180
<v Speaker>When Dan brought this to one of the original architects of the system, the response was chilling.

00:04:00.180 --> 00:04:04.500
<v Speaker>Everything in the digital universe was going to have to get patched.

00:04:04.500 --> 00:04:12.740
<v Speaker>The loneliness of knowing a secret that enormous.

00:04:12.740 --> 00:04:23.180
<v Speaker>You are holding a match, standing in a room, drenched in gasoline, and you cannot tell anyone why you're afraid to move.

00:04:23.180 --> 00:04:25.180
<v Speaker>Dan couldn't go public.

00:04:25.180 --> 00:04:30.019
<v Speaker>If he did, the bad guys would figure it out before the good guys could fix it.

00:04:30.019 --> 00:04:34.779
<v Speaker>Instead, he convened a secret meeting.

00:04:34.779 --> 00:04:51.939
<v Speaker>Picture a windowless conference room at Microsoft headquarters, 16 people sitting around a table, executives and engineers from the biggest tech companies on earth, fierce competitors who had no reason to trust each other.

00:04:51.939 --> 00:05:00.259
<v Speaker>And Dan Kaminsky, the kid who once got a three-day time out from the military, walks to the front of the room.

00:05:00.259 --> 00:05:02.660
<v Speaker>He opens his laptop.

00:05:02.660 --> 00:05:05.579
<v Speaker>He connects it to a projector.

00:05:05.579 --> 00:05:09.339
<v Speaker>And in about 10 seconds, he breaks the internet.

00:05:09.339 --> 00:05:16.860
<v Speaker>He compromises a server running the software that controls 80% of global web traffic.

00:05:16.860 --> 00:05:24.579
<v Speaker>He looks at the people in the room and tells them he is giving a presentation at a hacker convention in August.

00:05:24.579 --> 00:05:27.420
<v Speaker>They have until then to fix it.

00:05:27.420 --> 00:05:29.980
<v Speaker>And the crazy thing is they did.

00:05:29.980 --> 00:05:35.980
<v Speaker>Competitors worked in absolute secrecy to build a synchronized global patch.

00:05:35.980 --> 00:05:40.019
<v Speaker>On July 8, 2008, the patch went out.

00:05:40.019 --> 00:05:42.699
<v Speaker>The well was locked down.

00:05:42.699 --> 00:05:46.339
<v Speaker>The world had no idea it was ever in danger. A few weeks later, Dan gave his presentation at Black Hat.

00:05:50.939 --> 00:05:52.980
<v Speaker>He wore a sharp suit.

00:05:52.980 --> 00:05:59.579
<v Speaker>And as someone who always wore sandals, he had promised his mother he'd wear closed-toed shoes.

00:05:59.579 --> 00:06:02.620
<v Speaker>He wore roller skates.

00:06:02.620 --> 00:06:08.500
<v Speaker>A reporter asked him later why he didn't use the flaw to steal millions of dollars.

00:06:08.500 --> 00:06:10.779
<v Speaker>Dan said it would have been morally wrong.

00:06:10.779 --> 00:06:15.779
<v Speaker>And besides, he said, he didn't want his mother to have to visit him in prison.

00:06:15.779 --> 00:06:19.779
<v Speaker>His mom, Trudy, was a legend in her own right.

00:06:19.779 --> 00:06:23.339
<v Speaker>She would show up to these hacker conventions carrying homemade cookies.

00:06:23.339 --> 00:06:34.899
<v Speaker>Dan Kaminsky passed away in 2021 at the age of 42 from diabetic ketoacidosis.

00:06:34.899 --> 00:06:41.060
<v Speaker>When the tributes poured in, people didn't just talk about the time he saved the digital universe.

00:06:41.060 --> 00:06:44.420
<v Speaker>They talked about his staggering empathy.

00:06:44.420 --> 00:06:47.819
<v Speaker>He bought plane tickets for heartbroken friends.

00:06:47.819 --> 00:06:51.060
<v Speaker>He built apps for the color blind.

00:06:51.060 --> 00:06:58.579
<v Speaker>He used to say that the internet was never designed for any of this, just to move pictures of cats.

00:06:58.579 --> 00:07:04.379
<v Speaker>Nobody planned for humanity to drop trillions of dollars into it, but we did.

00:07:04.379 --> 00:07:12.660
<v Speaker>And when people asked what we were supposed to do about that terrible reality, his answer was simple.

00:07:12.660 --> 00:07:16.860
<v Speaker>Some of us got to go out and fix it.

00:07:16.860 --> 00:07:19.220
<v Speaker>Dan didn't just prevent an attack.

00:07:19.220 --> 00:07:26.139
<v Speaker>He forced the architects of the web to build a heavy cryptographic lid for the well.

00:07:26.139 --> 00:07:33.939
<v Speaker>A lock, so vital, that's securing it would eventually require an elaborate physical ritual.

00:07:33.939 --> 00:07:35.819
<v Speaker>But that's a story for another day.

00:07:35.819 --> 00:07:42.379
<v Speaker>Sometimes soon, you will open your browser.

00:07:42.379 --> 00:07:48.100
<v Speaker>You will drop your bucket into the deep, dark water of the internet.

00:07:48.100 --> 00:07:51.779
<v Speaker>And it will be clean.

00:07:51.779 --> 00:07:53.540
<v Speaker>I'm Daina Bouquin, and this is Lore in the Machine.