About Ralph Echemendia

Ralph Echemendia, widely known as "The Ethical Hacker," is a cybersecurity expert, entrepreneur, and keynote speaker with over two decades of experience in the field. Renowned for his unique approach to security, Ralph has worked with global corporations, law enforcement, and the entertainment industry to bridge the gap between cybersecurity and real-world application. Ralph’s work has helped protect organizations from cyber threats and educated the public on the critical importance of cybersecurity in today’s digital age.

Read the HYPERSCALE transcript

Briar: Hi everybody, and welcome to another episode of Hyperscale. I've got Ralph with me here on the call. How are you, Ralph, today?

Ralph: I am great. It's a pleasure to be here.

Briar: It's nice to have you and Ralph is going to be teaching us all things hacking today. So I'm hoping by the end of this podcast, I have a good understanding as to how I can hack into some bank accounts. Is that what's going to be happening today, Ralph?

Ralph: Not exactly. That would be illegal but you'll certainly have a better idea of what hacking is all about.

Briar: Yeah. And you have such a colorful career. I think we should start there. Tell us about how this started, because you were quite young when you started hacking, weren't you?

Ralph: Yes, I was around 13 or 14 years old when I started hacking. It really was more of a hobby than anything else. This is at a time where the internet really hadn't happened yet. I told this story before, I know it might be a bit controversial. I had a friend in the neighborhood that I hung out with all the time. He's the one that originally got me sort of into wanting to understand how things worked, that's really where hacking kind of begins, is getting down to how does something work? It started with radio. His father and his brother were heavily into ham radio, and so was he. It was interesting to me, well, how does this all work?

Ralph: How is it that we can listen in on the police when a call is being made for service? And listen in on the airport, we used to live next to the airport, so be able to listen in on that and how does that work? And wait, can I talk back and wait, that's illegal. All of these different things around, really it started with, like I said, ham radio and that sort of technology. Then a little bit later, he came along and said, Hey, if we had a computer and a modem, this of course is back in the modem days, then we could actually dial into these BBSs in California that have porn. And as you can imagine, at 14 years old, what, in computers?]

Ralph: So long story short, as I asked my mom for a Commodore 64, and she knew no better than it was an Atari or some kind of playing, some gaming console is what she thought it was, but it was a computer. And that's how it started with the Commodore 64, with the intent of connecting to these BSS in California. And the funny thing was, this is at a time where it was very slow. So you would connect, you would do something called war dialing, which is dialing through a lot of different phone numbers until you hit a computer. Back then, as soon as you connected to a computer you were in, there wasn't a username or a password, it would just connect. And these had like maybe 20 people or 30 people that were also connected, that's about it.

Ralph: And you start communicating with these folks. And really that's kind of where it started because there was no handbook or anything of the like as to how to use this thing. You turn this computer on, and it just was a blinking cursor and you had to figure out how to use it. You didn't have Google or anything to be able to look up how to use this thing. So you kind of had to teach yourself. And luckily, my friend's brother was also a computer engineer, so we could bounce some questions off of him. But a great deal of the knowledge then came from others on these bulletin board systems they were called that were of course, much like I was, again, the word hacker didn't really come up until a little bit later.

Ralph: But that's kind of how it started, it was really more of a hobby to figure out how to connect to these computers. It was funny because then, like I said, the initial intention was because, this 14-year-old boy has been told that there's nudity on BBSs, and you're looking for that. But the truth of the matter was, there was a lot less time spent actually looking at that, because you would hit download to an image, for example and first of all, your screen was monochrome, meaning green and black, or orange and black. And it would take, 30 minutes for an image to come down in orange and black. And so that didn't really happen all that often and it ended up becoming more of this communication, sort of like a chat room between these 20 other people.

Ralph: And then you start actually talking tech with a lot of these folks about how does this work? How does that work? And this is what I know and this is what you know. So it became more of an exchange of information and that's how it got started, really. And again, I never thought that would end up being a career in any way, shape or form, much less the colorful career, as you mentioned that I've had. So it really just started like that. It was just a teenager kind of just playing with this thing that again, not many people had at the time.

Briar: And in terms of your jobs, tell us about the jobs that you've held down. What have been the most exciting?

Ralph: Well, like I said, I never thought it would amount to a job. So it's kind of interesting how it led to a job. I was about 19 years old, 18 years old and I actually answered an ad in the paper for a secretarial position. I went in and got the job and this was a public relations firm. At the time, I really didn't know what that meant. What is public relations? So this gentleman, gave me a handwritten letter of notes, if you will, and said, here's the public, here's a press release, make it look like this. And again, this is the days before Windows even. So I sat there, I did it, and he said, you're hired.

Ralph: I said, okay, great. What is it we do here? And he said, public relations. And I said, what the hell is public relations? So then he told me and interestingly enough, he did PR for a technology company, Lexmark, I mean, printers. They had just broken away from IBM and they handled their Latin Americans press. So I ended up going to a number of events in Latin America for the release of these printers. And it was there that I began my technical career, if you will, because at that point, I was the secretary. I didn't know that any of my skills had any value other than, hey, I knew how to use the word processor and dos and these technologies that were being used at time.

Ralph: So I think it was an event in Columbia, if I'm not mistaken, where we were doing this launch and there were some engineers from IBM who were setting up the printers for the show, if you will. I came up and started talking to one of them and said, did you know that there's no security in this and I can make the printers print whatever I want? And the guy looked at me, like he had no idea what I was talking about. I said, let me show you and then I showed him, and then the guy was blown away. He thought it was magic, and I was like, no. I explained to him this protocol, blah, blah, blah. And he said, where do you work? I said, I work at the PR agency.

Ralph: And he said, and what is it you do there? And I said, I'm a secretary. And he was like, why? I said, what do you mean why? He said, yeah, why are you not working for IBM? What, you just showed me even, I don't know and I'm an engineer for IBM. And I said well, that's big blue and I didn't graduate from high school and I didn't go to college, and you can't work for IBM. And the funny thing was, he said to me, I'm going to give you a recruiter's number and just do what the recruiter says. I said, well, what about all this stuff with school? He goes, that doesn't matter, because the truth is we don't know how to use this stuff yet. So the fact that you know more than we do it's not going to matter.

Ralph: So I did, and immediately I was shortly thereafter hired by Oracle, and I didn't know what Oracle was or what Oracle did, but it turned out to be one of the biggest companies in the tech sector. And again, this is pre-internet. So I walked into an office that was an entire floor and wondered, what is it that we do here? They said, databases. I said, what do you mean databases? And so next thing you know I had access to, if you put it in car terms, the Ferraris and Lamborghinis of technology, because now I had access to all this gear, all this equipment, all this technology that you just don't have access to as a consumer. It was there that sort of the security aspect of it.

Ralph: There was no cybersecurity. In fact, that term didn't really exist at this point. And basically I was showing them in my mind, very simple tricks that were just kind of funny to me and they found it to be like, wow, wow. Simple one was, I sent a programmer, very highly paid, highly regarded programmer at Oracle. I sent him an email from his boss saying that he got a raise. And of course, it was not his boss, it was me. I'm sitting in front of him showing him, check your email. See, look, you just got a raise. And he was like, how did you do that? To him, again he thought it was magic in some way. And the crazy part to me was the stuff he was doing was just way beyond my comprehension.

Ralph: But it sort of started that way. I showed them that there was quite a number of issues on the networks that they had. I had access to things I shouldn't have access to. And that's kind of where it began. Still no mention of the word security yet but that's how my career began, was working at Oracle. Then I realized shortly thereafter, that the more I hopped around, I just needed to be was one year at one place, and boom, go to another place, and I make 30% more. And so from there, I jumped around to a couple of different companies and made more and more and more. And eventually the internet happened. And when it did happen, I was actually at a hospital. I worked at a children's hospital in Miami, and that is actually where the word security first came up.

Ralph: So I was responsible for the medical charting system. So it was the first hospital in the entire world outside of NASA, which at the time was using this software. Everyone else was still using paper. And this hospital now computerized medical charting system. It was my job to deploy this system at the hospital. Of course, in the process of doing this I had to ask a lot of questions because again I'm not a doctor, I'm not a nurse but I'm working with doctors and nurses, and I'm asking, well, what if this happens? And what if that happens? What if this happens? For a lot of those questions, I got my answers, but one of the ones that really created the term security for the first time in my career was because I found a problem with the software that allowed me to change a medical record even after a patient had been discharged, which is a big no, no for many reasons.

Ralph: But I asked that question, what happens if you change a medical record after a discharge? And they said, “you can't do that.” That's impossible. At the time, the software was made by Motorola, and I said, no I can do it. In fact, watch here, give me a name of a patient that's been discharged and I'll go change the record right now and he's deceased and I did. They were like, that can't be done. So that caused them to send me to the headquarters of the company and for the first time work with these engineers to figure out what the problem was, which was an interesting process. And at the end of that, I came back from Arizona where this company was based and they said, congratulations, we're giving you a new title, a bit of a raise, and you are now the security officer.

Ralph: That's literally the title they gave me. And I thought, isn't it the same title of the guy who's at the door wearing a security uniform with a gun? And they said, well, yes, but you're a security officer in the technology department. And I thought that was kind of funny that I had the same title as the security officer at the door. But from that moment on and then again, it's just kind of pre-internet, then the internet happens, the firewall comes out. That technology didn't exist at the time until all of a sudden this new technology comes on and now I'm responsible for the security of the entire hospital, as far as cybersecurity. Again, cybersecurity was still not being used. It was IT, information technologies and the word security for the first time had been thrown into that. But my thing was always to sort of play with whatever the technology was and make it do something different, that it wasn't intended to do. And that's in a way, kind of a brief of how I would describe what hacking really is. It's not necessarily about breaking something.

Briar: And do you work with a lot of high net-worth individuals now and celebrities? Like, how is this different? What kind of challenges are you finding that these people face? 

Ralph: It is quite different. I mean, I'll tell you, I spent the majority of my early career in corporate security and working for companies. Then I end up working for a private intelligence company as a contractor handling some cases. And one of those cases, the earliest of those cases happened to be a well-known rapper from Detroit that happens to sound like Candy. It wasn't the first time he was hacked but in this case, music had been released that was not intended to be released. So it was the first time where now I was not dealing with a company, I was dealing with individuals and famous individuals at that. So it was quite different because number one, they're a big target. They're more of a target in many ways. 

Briar: Who would you say targets them typically?

Ralph: Well, the crazy part about it, it tends to be crazy fans. Fandom is something very interesting psychologically because fans don't really think they're doing anything wrong. They think that there's a connection between you and the artist and it tends to be some crazy fans. And in this case, it was a crazy fan who just wants more access, who in this case really just wanted an autograph? That's really ultimately what they wanted but they think that, in this case, he thought that getting access to your email and music and releasing some of this was a way to get your autograph. So it's crazy. In most of these more celebrity cases, it tends to be some kind of a crazy fan. 

Briar: And what about for like really rich people?

Ralph: Well, that's a little bit different than the crazy fan. We have a saying that the rich are rarely famous, and the famous are rarely rich when we talk about real money. The great difference is that the famous are rarely that rich, in the sense of, if you even look at, for the most part, their physical security, the bodyguards for the famous, they tend to be paid by someone else, not they themselves. It's paid by neither the studio, either the label, either the touring, whatever. It's not, they themselves, it's not coming out of their direct pocket in most cases, for their physical security. So you can imagine that their cybersecurity is something that they even take or put somewhat less attention on.

Ralph: Because they can't see coming out of pocket for that. And of course, in most of those cases, the companies they do business with, they certainly don't pay for this because you're a temp if you're an actor, you're a temporary worker. You're not necessarily owned by Warner Brothers or Universal or any of that. You're literally there for a movie, and then you're gone. So their intellectual property concerns are only around that movie. They're not worried about you, per se. So with rich people, didn't want to put it that way, with high net worth individuals and families, which is what I tend to do a lot of these days, and also advise companies, but with them, it's a bit different because they have been active, very active for a very long time in maintaining their privacy and have a better understanding of privacy than believe it or not, even the famous folks do.

Ralph: They have had mechanisms in place for dozens of years, if not hundreds of years, depending on the family, to ensure that information is kept secret or kept outside of the realm of anyone being able to access it easily. And usually that's done through financial means, through legal means. What's happened now is because of the amount of access that we have on the internet that has changed it even for them. And now you're dealing with a high net worth family that has a 11-year-old, granddaughter who's on Snapchat, on Instagram, and this and that. And of course, she doesn't know that by posting a picture, you're giving your location and that sort of thing. Again, these are also families that tend to have a pretty robust physical security team, bodyguards and so on and so forth. So there are quite some differences because if they are targeted, they are typically targeted for very specific reasons, not just by a crazy fan. It's not that sort of thing. It tends to be for very specific reasons, either to have an effect on a existing deal that the head of the family may be making or it could be for purposes of kidnapping, any of those type of things, it gets a lot more serious.

Briar: Which is so scary, isn't it, when you think about it, kidnapping and all of these things, especially with kids?

Ralph: And it just become a lot easier, become a lot easier for people to do that. I mean, they can easily be fooled to show up somewhere. They can easily be fooled because we trust technology so much. We trust the phone, we trust what we see on a computer, whatever it says must be true in some way. So it wasn't as much the case in the past. 

Briar: And I guess it's even becoming easier as well with the likes of Facebook, where we so readily share our information and data. And it's been following us for so many years now.

Ralph: Oh, yeah. I mean, it's so much so that you could argue that these type of companies that we give our data to know more about us than we do and that's why, I'm sure that you've experienced it and many watching this and listening to this have experienced it, where, you go, how did my phone know that I was looking for a new toilet?

Briar: Oh, yeah, it's creepy isn't it?

Ralph: It is and some of that people say it's because the phone's listening, and in some cases it is, but in some cases it's not even that specifically. It's just that they know that you just recently searched for something. They know that, again, all of your behavior is being looked at. And again, with the intention, of course, that's what technology tends to do, is that it's supposed to make our lives better, easier, convenience. I often say, well, have we ever really thought about the price of conveniences? And it's something that we're not really going to truly understand the impact for a while. It takes many, many, many, many years for us to really understand and see the impact of us giving so much information up.

Briar: So if someone wanted to say, hack me, they were like, oh my God, I just really want to hack Briar. They could do it, right, like, that's how easy its become?

Ralph: Yeah, I mean it's not a matter of easy. I think that using the term easy has more to do with, if right you know, you know. And when you don't know, it's hard, but when you know it becomes easy.

Briar: Oh, yeah, I'm sure. I definitely couldn't hack you all of a sudden, like, sit at my computer I can barely turn it on sometimes.

Ralph: But if you spent a great deal of time in front of a computer and learned a lot about computers, it starts to some degree with that, with understanding the tools you're using, to a very deep degree if of understanding. But then it becomes a matter of understanding as much as I can about Briar, if I'm targeting Briar, anything and everything that I can find out about you. So when I say that, how much could I find out about you? 

Briar: Oh, so much. 

Ralph: That's a lot that's already out there. There's so much I can find out.

Briar: We're hardly private.

Ralph: And I mean, it gets down to do you have pets? Do you like to smoke? All of these different things that matter about you as an individual are going to become a factor in how I devise an attack against you and what means I use to attack you? Whether it's sending you an email, whether it's getting you in some way to come to a website, whether it's making a phone call, whether it's making several phone calls, down to whether it's physical, whether I literally follow you and bump into you at a Starbucks or some coffee shop. All of these things, it's all a matter of information gathering. The very first thing that a hacker does is that, is called passive intelligence gathering.

Briar: It is true that Facebook, I remember at some point of time, and I think that's still out there, but there's a lot of Facebook quizzes and I heard through the grapevine that some of these Facebook quizzes were collecting information, what was your first job? What's your mother's name? Or something like that, as a way to collect information on people to hack them. Is this true?

Ralph: Well, yes it is to a degree. I mean, consider it, we use the word marketing as you well know. And marketing is based on getting a lot of this data. There's a term that you won't hear very often in the regular world called Dark Marketing. And dark marketing is using some of these techniques and technology to gather information and then sell that information to, in most cases, companies that are trying to target demographics and certain people. But like you said, it gets pretty deep. You're talking about pretty personal information in some cases. But yes, there has been many, many cases of pretend to be legitimate applications on very well known platforms that are just gathering information on you and helping to target you.

Briar: It seems like it's become a lot more prevalent. I think every second day or so I get some kind of text message saying, Hey, it's the police here, you have to pay a fine or some kind of email from a staff member or you've had a package delivered, here enter your details, like, click here. It's amazing almost how diligent you have to be at really spotting little tweaks and emails or random capitals or a gap before a full stop. Would you say it's a lot more prevalent these days or is it just where I live?

Ralph: Well, yes and no. I mean, I'll say this, I mean we had spam, 10, 15 years ago I think the number was something like 90% of the email in your inbox was all spam. And yes, there have been a lot of technology innovations that make it where spam doesn't get into your inbox as easily as it used to. And so as that happened, they had to move to other ways to get your attention, including some of the ones we just discussed with using what looked like legitimate apps or games on social media platforms. But it has become a lot more prevalent because every company that you know of and don't know of in some way has already been hacked but I often say, we've already been hacked. Every single one of us has been hacked in some way.

Briar: Every single one of us?

Ralph: Every single one of us, either directly or indirectly. What I mean by that is directly you would know. Your computer did something, it's something that you go, oh, what's going on here? By the time that happens, it's too late. They've already had access for a long time. Indirectly there's no doubt that almost the entire world has been hacked because companies that have databases holding our information have been hacked. And some of them know it and some of them don't. From government institutions to corporations all over the world, they've all been hacked in some way or another. I'm sure you've heard, there's more than enough news you can gather up, for example. 

Briar: 23 and Me, I think that's a crazy one that's been happening, the fact that all of this data, that genetic data that people put into 23 and Me, and it's been hacked and now what happens to it, like, who owns that data?

Ralph: Well, whoever pays for it. I mean, that's the thing I'll say, Briar, is, it used to be that when I got into hacking, it was more about curiosity, what if, what happens if I do this? And it tended to be something that was a security problem, but now it's really much more. I mean, that was the primary motive, was curiosity. The motive today is money on all sides, on every single side of this. It's all, whether the criminal side of it or whether the other side of it. It's all driven by money. It's become such a lucrative business, whether criminally or legally. I would argue that even the legal side is just still doing it for money and in some cases, not for the right reason, but just because it's very lucrative.

Briar: How much would you say if someone hacks into, say, like a corporation, like what kind of amount of money are we talking, like what's on the line?

Ralph: Well, the most effective recently, especially in the last 5 to 10 years has been ransomware, using ransoming as a mechanism to monetize and using cryptocurrency as the mechanism to get paid. These were things that didn't exist before. In the old days, there'd be a bag of cash that you'd have to pick up somewhere. And again, especially on the criminal side of things, nowadays, it's all done digitally. So, I'm sure you've heard of some of the ransomware attacks that have taken place across the world, and they want, in some cases it's just a few thousand dollars and in some cases it's hundreds of thousands of dollars, and in some cases they want millions of dollars.

Ralph: So it's very lucrative to the criminal and it's again, also lucrative for the legal because in an incident response case, if I have to handle a hack, a company has been hacked, you are talking about, it could be, especially a larger corporation, millions of dollars in fees for me and people like me and legal and so on, just to handle the hack. That's the cost of the hack to the company. That's aside from the potential of them having to pay ransom for getting their data back. So it's extremely lucrative

Briar: And these days it's becoming even more easier, I guess to trick people in this digital world we live in with deep fakes as well. Where do you sort of see the future going when someone can literally look and sound like you on both the phone and also via Zoom?

Ralph: Oh, it's going to be interesting. It's going to be really interesting because the emergence and adoption of AI and its use as a tool is very interesting where it can go. Almost always in some way, technology is initially used again, by thinking, well what can you do with it? But in general, criminals will tend to immediately look at technology and see how to use it. The emergence of deep fakes and that sort of thing is going to be, it already is but it's going to become an even bigger problem, I think. You mentioned before my work with some high net worth families and imagine if you could just literally send a video to dad saying, Hey dad, I'm in a situation. I need you to wire me X amount of money, or I need you to, whatever I need you to do.

Ralph: The point is, there's a high likelihood that they're going to respond to that or that they're going to do it because it's a video of you, Briar, saying, I need some help. And that's just one example of ways that can be used. You got to keep in mind that, hacking, there are sort of two sides to it. There's a technology side and then there's the human side. We often say, there's hacking hardware, there's hacking software, and there's hacking wetware and the wetware is us because we happen to be wet on the inside. So that is what we call social engineering and hacking, which is manipulation of people. And that is what's become a lot more prevalent. To your point to what you were saying before about the text messages coming in and all that. 

Ralph: The reason for that is like I said, all these databases have been hacked. So your phone numbers are already out there. Everybody's phone number is already out there. Technology can easily, now with AI even further automate, we get into the issue of AI. I say it's actually IA, it's intelligent automation. We've been automating from the beginning of any technologies, going back to the industrial revolution. So now that we have this intelligent automation, you can automate these types of attacks. You can sit back and say, do this, and it'll come up with all the different ways of doing it. Imagine when it can use things like AI in video and so on. It makes it for a very realistic type of attack that can accomplish what the attacker wants to accomplish pretty easily.

Briar: So, Ralph, how do I know that you are actually Ralph and not a video or a deep fake, someone trying to be you? How do I know this?

Ralph: Well, that's a good question. A very simple way is ask to see the back of my head.

Briar: Ah, okay. You've got to look at the back of your head, interesting.

Ralph: You can't see that in AI because it doesn't have enough data to generate that. So some very basic things really that need to be thought through as the technology is being used. But again, when you're talking about using it in a way that's sort of setting up a person, it usually means that there's timing involved. So you're not even going to have a chance to ask to see the back of my head, because I'm going to basically script it in such a way where I'm going to get you to need to do something quickly or respond quickly so the idea is to not give you enough time to think about that.

Briar: And what would you say has been a point in your career where you've been dealing with a situation where somebody is being cyber hacked or maybe you are even hacking someone ethically? Tell us about this kind of scripting, this planning that goes into say, tricking them.

Ralph: Okay. Well, I'll give you a story is the best way. So yeah, I used to do a lot of what's called penetration testing in our field and I know it sounds dirty, but it's not. It basically means that I'm, I'm getting paid to buy the company to break into the company, whether it be a bank, whether it be whatever type of company it is. In this case, it was a company based in the US, a very big company, a brand that I would say most of your viewers and you know, I'm not going to get into what kind of brand or what it is and what they did, but they're a very, very big company. I had to do a penetration test across multiple of their locations from manufacturing to executives.

Ralph: And their main location was in a high rise in Chicago. The only information they gave me was, these are the two floors they're in. Now that's it. With only two floors, company's name, my job is to get in there. Physically break into this company and to get a backdoor, what we call a RAT, a remote administration tool into this company. Now, I'll give you kind of the story because you'll see, oh, okay, I see what you mean about how you social engineer. So I landed on a Monday morning and I showed up at the building where, as much as I can put it up so you can't really tell who I am, which is a little bit difficult having this thing.

Briar: Your beard sticks out, for sure.

Ralph: Yeah, that'll set you apart. But showed up on the first floor, elevator opened, looked and there was just doors with badge access and then popped up to the next floor. There was a reception area, there was a conference room and doors again with badge access to get through them. So my first thing was just to scope out the place. The next thing I did was go back to my hotel pull out a pad and paper and start writing down who works there. I'd have nothing. So I have to figure out, and they did not have much on the internet that I could find out about this location and this company. So I call and the receptionist picks up the phone and I now say, great, Hi, I'm calling from Office Depot and we have a great offer for your office manager. If you could please put me on with your office manager, it would be great. 

Ralph: And the girl's response was, if you don't know who you're calling and they're expecting your call, I can't transfer you. That tells me that they have policies and procedures for security purposes. So I write this down, okay, so now I know they have some level of training and so on. And then I keep call, I call at 5:00 I call it 5:10, 5:15 until basically I get voicemail. And once I hit that voicemail system, I now start dialing around so that it transfer me to different voicemails. And what happens when you get transferred to someone's voicemail? Hi, you've reached the office of Ralph Echemendia, extension, blah, blah, blah.

Ralph: And now I can go down this list and extensions one by one and write down the names of people who work at this company. And also, by the way, they leave their messages. I could tell in some cases, are they traveling? Are they in town? Do they have an assistant that tells me how high up they are and so on? After doing this for a while, I've now got a list of people, I've got some ideas of who I think are good targets based on their on their message, meaning, being that they're executives, I think and then I'm thinking of different ways to physically get into the place. One of the ways I've done this before is just follow the cleaning crew. The cleaning crews at these offices don't work for the company.

Ralph: They don't really care. And if you look the part, you can just walk right in. They think you work there. That has worked many times. But in this case, it was a big long building, big tall building and the cleaning crew comes in a different entrance. And it was a little bit complicated. I had scoped all this out and thought, well, that's not the best way to go about it. So the next day, I sent a friend in. I sent a friend in again, so my face wouldn't be seen when it's time for me to physically do whatever it is I'm going to do. And I sent this friend in to the reception to basically just go and flirt with a girl, get some information, what is her name? How many people are at the reception desk, so on and so forth and he did.

Ralph: And now I had, okay, Maria is the receptionist. Now I have her name and so on. So I start to devise a plan. I start to, like you said, script it. I start to create a scripted sort of way that I'm going to do this sort of like playing chess. I'm thinking about what the responses are going to be, what my response to any of their responses are going to be. There's some sort of unspoken rules in social engineering to make sure that you don't burn any bridges and so on and so forth. So ultimately, to make a long story shorter on a Friday, by then I used all this information and I devised this plan, I'm going to pretend to be an employee of the company from a different location. And I'm going to, first, what I did was use one of those people that I found from the extensions who happened to say that they were traveling, that they were overseas, and to please contact my assistant. 

Ralph: So now I know that person has an assistant. I know that they're overseas, which may be more difficult to get ahold of them because of time and so on and so forth. So I called in Friday morning, changed my voice slightly enough and made it so that it sounded, there was some background noise on purpose. And now I said, Hey, Maria, this is Mr. So-And-So. And on purpose, when I said my name or this person's name, I made background noise so that she couldn't clearly hear it, so she would've to go, oh, I'm sorry, who is this? And this is all very psychological. And I said, this is Mr. So and So, I use Mr. Smith. This is Mr. Smith. And she goes, oh, yes, sir. How can I help you? And I said, as you know I'm currently overseas, it'll be difficult to get a hold of me, but I had a call from one of the other executives at this location, and there's some very important business process reports that I need to be uploaded to a server.

Ralph: And there's an engineer who's currently in town. This is his first time in Chicago and I need him to come by the office. So I'm going to have him contact you. You give him directions to the office and when he gets there, please sit him down at a desk where he can upload this report for me. Of course, sir. Yes, no problem. Boom, a few minutes later, I now call in as this engineer, hi, I'm so and so. I'm currently here. She said, oh, this is how you get to our office. I said, oh, I have a flight that leaves Chicago at this time. How long does it take to get from there to the airport? Again, all of this is scripted psychologically to, like I told you, create a situation where timing is key.

Ralph: And long story short, I now show up, I'm downstairs doing all this. I'm just timing this. And so when I show up, I'm wearing, oh, a few little details in between, I made some fake business cards. I found out what their business cards looked like. I'm wearing logo, t-shirt, or polo shirt with the company's logo on it. All these things I could buy, right there while I'm in Chicago. So by the time I showed up and I said, Hi, I'm so and so, we spoke on the phone. She said, yes, of course, da, da, da. And then she starts making some small talk about the fake name that I've come up with. Oh, is your last name spelled like this or said like this, or like that? Oh, some people call me this, some people call me that da da da.

Ralph: And as we're doing the small talk, I go how long did you say it will take to get to the airport? Again, all of this is all psychologically planned. Oh, that's right. You need to get to the airport. Now, I did this on a Friday at noon. Why Friday at noon? Nobody comes back to work. It's a ghost town. It's Friday at noon. There's nobody there. And I've walked it. This is an entire floor on the sky rise in Chicago. And then I'm just walking around seeing what I can get access to. One of the things I was asked to see if I can get access to is the data room, the room where you have all the routers and servers and so on I don't know where that is, whether that's on the floor below me or the floor above me.

Ralph: I have in cases in the past, had to even crawl through the roof to find these places. I didn't really feel like having to do that. I'm just walking around and here comes a different girl is now walking towards me, and I'm ready for the challenge. That's what we call it, a challenge, for somebody to say, what are you doing here or something of that nature? And she just goes, hi, you must be so-and-so from the Plano office. I'm like, yeah. She was like, can I get you some chips and water? Oh, you know what, I'll have some lemonade and oh, I'll bring it to your desk. Where are you? I'm over there. Great. So at this point, I like work there. And as I'm walking around, I see a door that's open.

Ralph: It has a sign that says, this door must remain closed, but the door is slightly open and you can hear the humming of the computers. And I'm like, no way. So I just opened the door, and sure enough, that was the data room. I go in there and I put my business card, I tape it into the CD rom, the CD decks on the servers. And I go back, I gather everything that I need to gather, and I leave. I put my report together, I present it to the board of directors of this company, which they couldn't believe had gained this level of access. And in fact, so much so that the IT guy who was on the call was like, I don't believe that you were in the room, that you were in that data center room.

Ralph: I said, well we are on the phone. Keep me on the phone, send somebody over to the room and go open the CD rom on each one of these servers. And sure enough, there's my business card. So that's one example of using both social engineering and the tech side. The tech side was really secondary. It was only after I physically got in there that I then plugged my computer in and did all this stuff that I couldn't be able to do outside. I had to be able to be inside of this place. But that's just one of dozens of stories I can tell you about pretending to be somebody that we're not. In that case it was difficult because it was just me. And normally I would need a team of people because of what I mentioned, they can't see my face and so on and so forth.

Ralph: But that's just one of many examples of this kind of social engineering attacks. Now before, it used to be that physical social engineering, what I just explained to you, was the most effective or on the phone, you could fool somebody very easily to pretend. You say the right things, the phone number that you see on your caller ID is the right one, you could fool somebody very easily. Interestingly enough, that is no longer the case. Now it's all online. It wasn't that email was the primary way to fool somebody but now it's almost entirely completely online. And you can get away with getting so much accomplished without even being physical at all.

Briar: What are some platforms that they typically use for deep fakes?

Ralph: Well, I mean, it tends to be not really platforms, because when you say platform, you're thinking something along the lines of a Facebook or somewhere you go to create the deep fakes. But for these types of attacks, they tend to be more software, AI software that can generate deep fakes. So it's not that they're going to a platform. They're actually using usually a combination of different technologies, different pieces of software to accomplish what they want to accomplish. For example, you mentioned something like Zoom. If I was going to be you on Zoom, first of all, I'd have to have enough imagery.

Briar: You'd have to dye your beard ginger.

Ralph: Red. Yeah, I would have to be a ginger version of me but it would take quite a bit, because I'd still have to have enough of you, enough footage of you to be able to feed the software view. And then your voice I need enough of your voice and all that. And then once I've got all that and I'm using a couple of different pieces of software to do that, then I need to figure out how do I get that into the zoom stream that it's just me here talking but what you see is you. So it's not really a platform, per se. What attackers tend to use is software that is being used for, let's say other reasons or for research, stuff that's being used in universities, things that are not really that accessible to everyone.

Ralph: And then putting those things together to use in whatever means they want to attack. If it was just a matter of recording something as you, again, I would still need enough of you to be able to do that, but from your own podcasts and from other things that you've done, there would be enough there for an AI to build that. If I'm just going to record it and then throw it up and replay it, that's different than if I had to do it in real time. So there isn't yet a platform, per se, that people are using to do deep fakes. It's more a matter of getting your hands on the right software.

Briar: Some people talk about how in the future there might be this terrible situation where somebody has hacked like the global internet servers and suddenly we're in this like, I don't know, dark world where we're not able to communicate. Is this something that could be a possibility?

Ralph: Well, I mean, you'd have to say that anything is possible is a probable no. The way the internet is set up, it is not probable. I mean, other than a massive power outage that with time, of course, even major data centers, which I've worked at, have their own power plants. So even without power, but let's just say it was something, where just anything electromagnetic would not be able to work. In a case like that, we would be in the dark, but it would be something that's a lot more physical than anything else. With the exception of something like that it'd be very hard to really kind of take down the internet.

Briar: Well, that's very reassuring. I'm happy to hear that answer.

Ralph: Yes, it's true. I mean, you can take out pieces, like a country. You could take down a country, and this has been done before. In 2007, the first cyberattack against the country was by Russia, who hacked Estonia, doing a distributed denial service attack against all of their services. And that was the first time that you saw, let's call it a politically motivated attack on a country.

Briar: And what happened?

Ralph: Very interesting, what happened was that they basically went all tech. Estonia is the most advanced country in the world when it comes to the use of technology. So what they did is they went fully distributed. They were the first to make everything now technology driven. And they did that by distributing their systems. So now if say Russia was to physically invade Estonia, the systems that hold the data for the banks and all that are not necessarily in Estonia. So it wouldn't really affect, for example, the ability to take over their banking. All of that is now distributed and they use something like even before this was kind of the norm with cryptocurrency, they use something like everything is digital identity there. And they use something very similar to blockchain, from voting to taxes, to everything that you can imagine.

Ralph: It is literally based on a digital card. Even the way you log into your services is all based on this digital card that you carry. Public transportation, if you're a resident, you don't pay for it. All you have to do is put this card in. So, interestingly enough, the cyberattack caused them to really look at technology and say, well, how do we build our country technologically in a way that a physical attack against our country would not actually affect the actual information associated to our citizens? So it's very interesting to say, they're actually called the Tallinn papers for anybody out there who wants to look it up, it's kind of the framework for a cyber attack against the country.

Briar: So what can we do? We live in this world now with deep fake, active listening, all of our data on online, from almost when we were children now to adults. And as you said, social media somewhat knows us better than we know ourselves. The algorithms know what to feed us. How can we be protecting ourselves? Like if someone's listening to this today and they're thinking, oh, gee, wizz, if someone wants to hack into me, I'm screwed. What can they go away and do to help secure themselves?

Ralph: Well, really the truth to a lot of this Briar is in educating yourself. I often say, who do you trust? Well, you should trust yourself, but the truth is you can't trust yourself with what you don't understand. And a lot of these issues really are around that. We don't understand what we're doing by using these technologies. They're just, did you hear about this new app that does this, boom and you go download it? I mean one of the simplest examples of that was the flashlight app, which was really not a flash. Yeah, sure it turned your phone light into a flashlight, but it was actually gathering information on you. So the thing is that we should not trust any of this. So let's start with a no trust policy. Don't trust anything at all that you're buying and get into what it is that you're using on it.

Ralph: And then really understanding what it is that you're giving up. We all hit the, okay, on the terms and conditions of every app, not understanding or knowing anything about that. You have to define as an individual what you would say should be private. And what I mean by that is, is your name private? No, your name is Briar. It's right here. It's all over the place. So your name is not private. Is your email private? No, you give it up all the time. Is your phone number private? No, you give that up too all the time. What does a business card have on it? A lot of this information, right? So, is your password private? And you're going to say yes. Well, I know a lot of people who give their kids their password for Netflix or whatever, you know what I mean?

Ralph: So even some things that you would assume to be private, they're not. You'd be surprised, one of those questions I often ask people is, do you think your browser history should be private? And then you'll start seeing people go, yeah, that should be private. Because what you look at on the internet may be questionable to others. So you believe that should be private, and it doesn't mean that you're doing anything wrong. I like to say that, hey, we all use the bathrooms, but there's a door there and there's nothing wrong with what we're doing in the bathroom, is there, but we decided that should be a place that has a door. Therefore, we've decided on some collective global level that should be private time in some way, that you should have some level of privacy when you're going to the bathroom.

Ralph: Well, we've never done that with technology. We haven't even defined a bathroom situation when it comes to technology, not really, not collectively, so it's not that simple. It's not as simple as saying, okay, guys, use a antivirus and VPN to make yourself more secure, will that help? Sure, it'll help, but it will make no difference if I fool you into giving me that information, or if I get you to click on a link, if I get you to come to a website and think that I'm tech support. And that's why, like you said, you see a lot more of these text messages, these type of scams emails, whatever. There's just so much going on out there that is targeting the individual. The human flaw, the weakest link in all of this isn't the technology, it's us.

Ralph: It's us who use the technology and because we're using very powerful technology with very little knowledge of how to use it. It's like you can ask anyone about a microwave and say, well, how does a microwave make food warm? Most people aren't really going to be able to answer that. So do we need to know how the microwave works to warm up food? No, we don't really. But this is one area where you do have to have a little bit more knowledge about what it is that you're doing with the technology in your hand. When you consider that, your phone has the power of what used to be a supercomputer is now in your hand, it's pretty powerful. And how you use it, it's supposed to be something that you use for you. And the problem is it's more often being used in some way against you.

Briar: And what about like, in the future as well, when we perhaps start to see the merge of our physical and virtual worlds, where say perhaps our phone becomes, I don't know, like a brain computer interface?

Ralph: Yeah, well, that gets interesting. I mean, it's something that has been thought about, has been worked on. The biggest issue is from a hacking point of view, is that computers of any kind still to this day process, what's called machine instruction. Assembly is a programming language that the hardware can then, when you are a programmer and you're telling the hardware what to do. Hardware is dumb. It just does whatever you tell it to do. So the software is what tells the hardware what to do. So if we had an implant for example that is everything in our phone could do, but now it's somehow in our brains, there's a bit of a missing link there, that we still don't have technologically in the way that something that is hardware would talk to our nervous system.

Ralph: Is it doable? Yes. There's already the use of implants, for example, for treating PTSD in soldiers that is already been used in the US for example. But that's like saying, okay, if I see this happen, then send this stimulus to the nervous system which would act the same way as a drug would supposedly. But when you're talking about the type of functionality in the future of, like you said, what our cell phones allow us to do now, which by the way, the last thing we use them for is a phone. It's literally a computer. The last thing we use this thing is to talk on. So when you consider that level of technology being implanted, the risks that we run are that, one project I did on this subject specifically Briar, was called Implant.

Ralph: It was a short film that I worked with in Hollywood, as you know I've done a lot of work in film and television. And this was a short film project that I did with a filmmaker, where the idea here was that in the near future, this person had an implant and that they killed somebody. And now they're being interrogated by an investigator in a room. And this person basically says, yeah, I saw everything. I can see but I had no control over my body, so the body is literally doing whatever the implant is telling her to do. And the implant was saying, kill this person. And there's nothing you can do to stop it. That's sort of the scary scenarios of what could happen when you have an implant of that nature in the future.

Ralph: Is that you may not even be in control of yourself, even though you may be completely aware of what you're doing, you're not in control of your body to be able to do anything about it. It's a computer, like I said, at the end of the day, I can talk to the computer in machine language and it'll do exactly what I tell it to do, regardless of what you may think otherwise because at that level of programming, there's no logic there. Logic is something that's at a higher layer of software.

Briar: It's interesting to think about as you're describing this. So it's also making me think of algorithms and how we can be so influenced by the information that even just our phones are feeding us. I think of the flat Earthers who I remember this documentary, they came out and so many of them were like, well of course I thought the earth was flat because everywhere I read or watched or everything I saw literally told me the earth was flat from many, many different sources because they'd just been fed this information via the algorithms.

Ralph: Yep. In fact, that's the danger with the amount of data that we're dealing with nowadays. I still use this analogy, that you could walk into a, let's say Hippieville, everybody's one love. Everybody in this place is all loving, all caring, so on and so forth, and you walk in with an attitude and start pushing people. And you push and you push and you push and you call them names, and everybody's loving people, they don't want to fight, but eventually somebody's going to hit back. You can't get away with pushing and pushing. And this is the same with data, meaning with the amount of data we have. I worked on the film Snowden with Oliver Stone and one of the things around the Snowden disclosures, that was a concern is that with the amount of data that is being gathered, you can paint whatever picture you want, even if it's not true.

Ralph: So Briar, I want to make you look like, a very bad person. I can either generate and create that over a short period of time and then just infuse that into the rest of the information in the world to your point of flat earth example or I can just look at how much data I can gather on you and connect the dots in a way that makes you be a bad person. Is it true? No, but the data will allow me to paint that picture, even if it's not true. And that is the big concern with the amount of data that we have out there. The amount of data we've already given is that it can be used to paint any picture. Now, pair that with the AI and deep fake stuff, you have given enough data, we have all collectively given so much data to all of these different systems that if somebody had access to that data, they could just be you. Who are you? How do you prove you're you? Because every element in proving who you are is now digital. So if I have access to all that digital data, then Briar, you don't exist. I'm Briar

Briar: Well, it's all quite interesting to think about, isn't it? So someone listening to this podcast and we're just wrapping up now, what would you say is something that you would really want them to take home, your one sort of lesson, whether it's a lesson from your career or a lesson in how they can keep themselves diligent and hacked free for want of a better way to describe it?

Ralph: One that I'm proud of is start with the TED Talk I did a year ago on the issue of privacy. 

Briar: Yeah. Tell us about that. 

Ralph: It was a very interesting thing. TED is a very interesting platform because while I have been doing public speaking and keynotes and so on for 25 plus years, the TED format is different. You're paired up with someone who is going to make sure that it's put into a TED format and made easy to understand from a 12-year-old to an 82-year-old. So it really kind of was a challenge for me because I had never really had to sit down and sort of script what I'm going to say. I always just kind of said, okay, who am I talking to and what is the subject that we're talking about? And in this case, it originally started with a concept of be the hacker and not the hacked.

Ralph: Which one do you want to be Briar? If you got to pick one, then you'd want to be the hacker, right? And to be the hacker, this is what it would mean. It would mean that you have to sort of understand better yourself in that process. And then slowly in the development of this talk, it turned into us realizing that the key word around that was the issue of privacy. And the more that I was writing this, it took months to actually put together that 15 minute talk, was the realization that we don't really know what the hell that is, like we have never defined it. You can really tell people, Hey, don't you care about your privacy? And the truth of the matter is no, most people don't really understand and for the most part, don't really care. 

Ralph: What they care about. And what I would say the great majority of us care about is our safety and our privacy is a component of that. Our security is a component of safety, but there are other things that are also components of us being safe, the availability to something, if we didn't have access to water. So access is actually part of safety too but the right access, and the wrong access and all these different things to understand them at a level that doesn't require you to be technical because the idea is that to be a hacker, you have to be technical. I mean, that's what everybody thinks. But in my mind and the way I I explained it on there was that it's really more hackers is a term that is too much associated and thought it was just being a technical thing.

Ralph: But you've heard of people doing life acts. And that term is really used to, how do you make something do what it wasn't intended to do? How do you think about something outside the box? That sort of thing. And I think that's really it, the takeaway from this should be that more people should do a little research. You have Google, I could argue that everyone in the room is the smartest person in the room because you could go and look it up. I didn't have that as a young kid with a computer. So now you have that. Anyone can research and dig as deep and go as far down the rabbit hole as they want to on any subject matter. So I can't put that out in a blanket statement and say, oh, this is what security means or privacy means to you.

Ralph: It's something that you sort of define and then you can kind of go down that rabbit hole to make yourself safer. Some people will be, tinfoil wearing hat type people who are just going to be, oh, okay, well this is what it means to me so I'm going to use a burner phone. I'm not going to use anything with apps. I'm going to use a machine that's never connected to the internet. That may be what you defined to be the way that you operate but that's not how most people operate because they want the convenience of all the things that technology brings us. So with that convenience, understanding the price you pay and being okay with the price you pay, that's all defined and up to you as an individual. So I would say check that out. And then depending, at least that should open your mind up to, well, the truth is anybody can do it. If I can do it, you can do it. It is not a matter of being smarter or anything else. It's just a matter of knowing or not knowing.

Briar: Well, it's been so wonderful to have you on the show today. Very interesting. And yeah, may we all stay hack free? Oh, well wait, that's completely wrong. You told me that everyone's been hacked, so we're all screwed. 

Ralph: No. Well, I think the thing is that if anything is we can all be safer.

Briar: We can be safer, yes.

Ralph: It's not really the hack thing. I think it's a matter of us really taking something we do care about is safety. So how can we be safer? So stay safe and be safe. 

Briar: Stay safe out there everybody. Thanks, Ralph, see you later.

Ralph: My pleasure.