Transcription performed by LeahTranscribes [FULL TRANSCRIPT]
JACK: There’s a TV show called Mr. Robot. Elliot Alderson, he’s the main character. He’s a hacker. He says stuff that always gets me thinking about life, like this, “Every day we change the world but to change the world in a way that means anything, it takes more time than most people have.”
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Okay, so I like hanging out on Twitter. It seems to be the hot spot for all the people in security. One guy keeps coming across on my Twitter feed; his name is Elliot Alderson. Hm, that’s the same name as the main hacker guy on the TV show Mr. Robot, a fictional character. He has the same Mr. Robot image in his avatar, too. His username is @fs0c131y. Is this some sort of gimmick account? No; he’s posting real and useful information about reverse-engineering. Whoa, Elliot Alderson on Twitter has 120,000 followers? Jeez, who is this guy? I had to find out so I called him up.
ELLIOT: [SPEAKING FRENCH]
JACK: Well, he’s French and he said his name is Robert Baptiste.
ELLIOT: You can call me Baptiste, Robert, Elliot.
JACK: Or we can call him Elliot. He’s got a double identity and this double identity is really fascinating so I think it’s time we get to know Robert Baptiste, or Elliot Alderson on Twitter.
ELLIOT: [MUSIC] I tried to be good at Android and especially reverse web application and finding vulnerabilities on web application.
JACK: Hm. Robert is from Paris and sometimes a little hard to understand so I might have to step in and sort of translate for him. Basically, Robert’s expertise is in Android applications and he loves reverse-engineering them.
ELLIOT: When I see something cool, a new application, I’m trying to find some vulnerability or some issue with the app.
JACK: Robert likes to pick on Androids since that’s what he’s most familiar with.
ELLIOT: I started my career as a…
JACK: He started his career as an Android developer and spent years creating Android applications. Then he dug deeper and started working on the Android open-source project.
ELLIOT: AOSP.
JACK: This allowed him to create custom variants of Android itself. But as his career went on, he eventually switched to security, specifically looking for vulnerabilities in apps.
ELLIOT: In order to find vulnerabilities everywhere.
JACK: Then he actually started his own company and he has clients who make apps and then he tries to reverse-engineer them to make them do things that they shouldn’t be doing. All this is fine and good for Robert; not a big deal at all. But sometimes he gets bored and becomes Elliot Alderson and decides he wants to hack into something. He starts grabbing anything that looks interesting from the Google Play Store and just starts testing the apps himself. Now, one of the Twitter accounts that Robert likes to follow is the Fox News account. Don’t ask me why. One day they tweeted something that caught his attention.
ELLIOT: I saw a tweet from Fox. It was right after the release of Donald Daters.
JACK: The tweet was talking about a new Android application called Donald Daters. Basically, it’s a dating app specifically for people who like Donald Trump. [MUSIC] So, Robert turned into Elliot and downloaded this app to see if he could have some fun with it. Android apps are bundled in what’s called an APK file. It’s sort of like a ZIP file. In this, it contains the executables, the graphics, the sound, the whole app. It’s all packaged in this file. Elliot moved the APK from his phone to the computer, then he extracted the files from the APK and decompiled the app. This showed him a file called [00:05:00] AndroidManifest.xml. In there he saw what database they were using.
ELLIOT: Yeah, I just looked at Android app on the – in order to create a database, they used Firebase database, which is a service offered by Google.
JACK: Firebase is an online database. For this app, all user data was stored in this online database. Okay; good to know. Next, Elliot looks at values/strings.xml. This file might contain some extra information about this app. Sure enough, it contained both the Firebase URL and the keys used to access it. Now, Elliot knows Firebase really well. He’s created a few apps using this and is familiar with it. He knows that Firebase doesn’t really require a key or a password to read or write to the database. Instead, Firebase is configured with a set of permit-and-allow rules on the Google side. Only people matching these conditions can read or write into the database. Right away, Elliot took this Firebase URL that he found in the app and tried to see if he could see what’s in the Donald Daters database.
ELLIOT: It took me like, five minutes to get the old database because they keep the debug settings. They kept the debug settings on so it was pretty easy to get everything.
JACK: Whoa, what? Within five minutes, Elliot has gained access to the entire Donald Daters database.
ELLIOT: I had access to everything; all the messages, all the people’s details.
JACK: All usernames, all private messages between people, and all the user details. This is crazy. The database had no security on it at all to keep anyone from just reading through the entire database. Elliot was seeing everything. Now, to you and me, this might have been a big moment for us; we got in, whoa! This was a rush. But for Elliot…
ELLIOT: This one, it’s fine. I mean, I have better moments than this one.
JACK: I think that might be because this app was so new. It was only one day old at the time when he broke into it so it didn’t really have that many users yet. It just wasn’t that big of a deal, you know? Maybe this is typical because he’s seen a lot, too. Since it wasn’t that hard, the feeling wasn’t that great but Elliot was curious anyway and looked through the database to see what’s in there. [MUSIC] There were 1,607 users at the time and out of them, there were only 128 matches that had taken place so far. Okay. He looked at the messages between the matches that were sent between each other. The longest message exchanged he found was sixty-two messages sent back and forth between two people within the Donald Daters app. But as he looked closer, he learned it was a conversation between two developers of the app. Elliot started downloading some of the content from this database.
He grabbed all of the profile pictures that users had for their dating accounts and started posting them to Twitter. His tweet said, “Hi Fox News and Donald Trump supporters. You should not use this app. Within five minutes I managed to get a list of all the people registered, all their names, all their photos, personal messages, and a token to steal their sessions.” He then went on to post a bunch of slightly blurred photos of the users of the site, proving he had access to it. Now, Elliot is known for stuff like this. This is why he has such a huge Twitter following and of course, tech journalists watch what he’s tweeting too, and they saw this. [MUSIC] Within two hours of his tweet, VICE’s Motherboard wrote a story about this and how the Donald Daters app is exposing its users’ data. Shortly after that, TechCrunch wrote an article saying the database has been leaked. For any respectable company, this would have been a huge problem.
This is what we call the ‘b’ word, a breach. A hacker broke in and took the database but what’s more is that anyone can get in and see the database with just a single URL. Seriously, this entire hack is just visiting a single URL. Here’s the actual URL: donalddaters2018.firebaseio.com/.json. If you went to that URL you would see the entire database. There was zip for permission and security there. No key was needed, you didn’t have to bypass anything, there was no authentication that was defeated; just the URL extracted from the strings file in the APK. You know, the developer didn’t ask you to find vulnerabilities in this but you went and you found a vulnerability. Did you feel like that was crossing a line?
ELLIOT: No. In my opinion, no because I’m not looking for this vulnerability with malicious intent. [00:10:00] My goal is never to use these kind of vulnerabilities as a malicious actor. What I’m doing, I’m trying to help them and I’m trying to help their users. Engineer, the contact, he’s quite good with the companies and because they understand they have an issue and they want to fix this issue, so everybody’s happy to discuss and it’s fine. You don’t cross a line when you find a vulnerability like this because you try to help the company but if you use this vulnerability to earn money, if you use this vulnerability to, I don’t know, because you want fame or something like this, this is bad and you are crossing the line.
JACK: Now, I’m confused because you – when I saw this news it looked to me like you were trying to make fun – trying to embarrass this company, right? Now you just told me that you’re here to help this company and to help these users. Did you like this company or did you not like this company?
ELLIOT: I don’t have an opinion on the company’s – on where I’m looking for vulnerabilities. I don’t like Donald Daters but I’m not…
JACK: You see what I mean, right? You’re not quite helping the users. You’re really making fun of them.
ELLIOT: Well, you can do both. People need to understand that you can help a company, you can protect the users’ data but at the same time, you can sort of – publicly shame the company. You can do both. For me, it’s not a problem. You can publicly say okay, this company has a big issue. This is a scandal because they kept the debug setting on Firebase. This is stupid. But at the same time, you did your job; you protected the data of the user. Yeah, that’s fine.
JACK: This is quite fascinating to me. Let me pose some rhetorical questions for you, the listener. He claims that it’s okay for him to do this because he doesn’t have malicious intent. Is the intention enough to consider this to be okay? Do you think he’s embarrassing them or helping them? Maybe a little bit of both? After all this exploded in the media, the owner of the application decided to have a chat with Elliot.
ELLIOT: I discussed with some members of the company and they thanked me in private. They thanked me in public with an official handle on Twitter. They were quite happy because they said oh, yes, we made a big mistake. We are happy that it’s happening right now and not when our database will be bigger.
JACK: That was that. Everything got cleaned up and that story is over. After the break, we’ll hear some other adventures that Elliot got himself involved in. Stay with us. For this next part we need to understand what Aadhaar is and to do that, I’m going to call up a listener of mine in India. [BEEP] Hello, can you hear me?
TERABYTE: Am I audible to you?
JACK: Yeah, I can hear you.
TERABYTE: What’s up? How’s it going?
JACK: I’m doing a story about somebody finding security weaknesses in Aadhaar so I want to understand more about Aadhaar.
TERABYTE: [00:15:00] Yeah, you talking about that guy Elliot Alderson on Twitter?
JACK: Yes.
TERABYTE: Of course. Why not? He’s famous in India.
JACK: Jeez, of course. Elliot is famous worldwide; France, the US, now India. Okay, so Aadhaar. This is a card that everyone in India carries with them in their wallet or purse. It’s sort of like a social security card in the US.
TERABYTE: Kind of same thing as Aadhaar. Aadhaar is basically an identity which now our government is linking to each and every document that we have, each and every – if you’re going to get a SIM card, you need to have your Aadhaar linked to it. If you’re opening a bank account…
JACK: Wait, so if I want to get – oh my gosh, so you’re saying if I want to get a cell phone or a bank account, I have to show them my Aadhaar card which then links that to me.
TERABYTE: Yeah, exactly. Whatever thing you’re using nowadays, like if you talk about the cell phone service, internet service, you have a credit card, you have your bank account, or maybe you have a gas connection; even that counts in it. I mean, with the things you’re getting from the government or maybe semi-government bodies, you need to get your Aadhaar linked to it. That’s what they’re doing. Since it is linked to really sensitive information, that’s why they’re able.
JACK: Alright, I think we know enough about Aadhaar now. Let’s go back to Elliot. You’re in France, Aadhaar is in India; why do you care about this issue?
ELLIOT: At first, I didn’t know about Aadhaar two years ago and one of my followers – multiple followers came to me and said oh, you should look at the Aadhaar web application. You will find some issues, and I did. I found five or six different issues in their application. I started to learn more about the whole program. I was like, this is not possible. This is horrible in terms of security. The biometric data of people are in danger. They don’t care. Also, it’s not because I’m living in France that I should not care about this because we will have something like this pretty soon in France. I was discussing with someone in the French government and they want to implement something pretty similar in France. It either will give some idea to European countries so this is why we need to stay vigilant and we need to advise governments to tell them okay, if you want to have a number, be careful because as you can see in India, they have a lot of issues and they made these mistakes. Don’t do the same mistakes.
JACK: As Elliot learned more about Aadhaar, the more he didn’t like it. He started reading up on it more and more and learned everything he could about it. One news article stood out for him.
ELLIOT: That someone with a fake card only with the correct photo and the other number managed to open some new phone line, managed to use some service, phone the other person.
JACK: Someone created a fake photo and used another person’s Aadhaar number and opened a credit card for that other person. This story made it clear to Elliot that Aadhaar numbers should never be posted publicly because someone can assume your identity and do things in your name. But more so, your phone is tied to this number and your bank account, and other things. Maybe your house, too. If the underlying system to Aadhaar is weak and exposes too much information about someone, this can have horrible consequences.
ELLIOT: They have to be very careful about this. This is like – you have these sort of things in the US, a social security number. You don’t publish your social security number online. In France you cannot find your identity card, it’s super complicated in France to find another identity card. In India you can find thousands of Aadhaar cards. They have to consider this Aadhaar number, this Aadhaar card like an identity card, like a social security number. This is personal data and they shouldn’t share it publicly.
JACK: As Elliot is researching this, he decides to challenge himself. He decided to see how many Aadhaar numbers he could find publicly in three hours. These would be numbers that maybe someone tweeted about or posted or [00:20:00] put on a website. He wasn’t sure how he’d find them or where he’d find them but he wanted to know how many of these were exposed to anyone on the internet.
ELLIOT: [MUSIC] It was pretty easy to find Aadhaar cards online because everybody was asking to Indian; are they Aadhaar cards? Nobody secures the data. What I did is, with some pretty good search query, I found a lot of Aadhaar cards. After that, I created an automatic scraper in order to retrieve all the data automatically. Like this, I managed to find thousands and thousands of cards.
JACK: Keep in mind, not a single one of these Aadhaar card numbers should be publicly exposed, yet he was finding a bunch. He was live-tweeting this entire challenge. His first search, he found twenty-five cards. Then he refined his search and was able to find a huge list of 18,000 Aadhaar numbers. Then he tweeted that he found a few more here and a few more there, then another dump of five hundred more cards, then he found seven hundred more. Within three hours, Elliot found 20,000 Aadhaar numbers listed publicly online for anyone to see who would just do this simple Google search. This was bad.
ELLIOT: Yes, if I remember correctly, there was another center of the government – one of the instances I found was owned by the place where people are going in order to create an Aadhaar card. This is why there were so many cards in it.
JACK: Jeez, even the place that makes Aadhaar cards was leaking information. After this challenge, Elliot put his Google searches and Python script onto his GitHub account and published it for everyone to see how they can find their own Aadhaar numbers online. At this point, the Indian government started to take notice of Elliot’s tweets.
ELLIOT: Yes, they did. They removed everything at least, I think two days or three days after that.
JACK: Crazy. Elliot is sort of like an internet vigilante helping a little there, embarrassing a little here. Wherever he goes, security does seem to get better. Elliot kept poking around in India, checking out the scene, learning the culture. The Prime Minister of India is Narendra Modi and he has his own website, narendramodi.in. Elliot went to this website and inspected it a little. [MUSIC] He discovered a vulnerability on it which allowed him to upload whatever file he wanted to their site. This was definitely not good for the Prime Minister’s website to have a vulnerability. What’s Elliot do? He tweets it. His tweet said, “Hi @narendramodi. A security issue has been detected on your website. An anonymous source uploaded a text file containing my name to your website. He also has full access to your database. You should contact me in private and start a security audit ASAP.” Elliot posted a screenshot of the text file that magically appeared on the Prime Minister’s website.
ELLIOT: After that, the office of Narendra Modi contacted me and these guys were pretty friendly and the contact was cool. They tried to understand what was the issue.
JACK: You hear that? This absolutely boggles my mind; Elliot apparently hacked into the Prime Minister’s website and then tweeted about it, and he was called by their office. Elliot describes the experience as they were friendly and it was cool. Other hackers might have had a really hard time doing this. I just wonder why Elliot is able to get away with this. Is it because of so many Twitter followers he has or the intent that makes it okay? His history of doing this? It’s just so strange to me. Hacking into someone else’s websites and apps should be illegal, right? But he’s perfectly fine doing it and being open about it. I mean yeah, he goes by Elliot online but you heard him at the top of the show say his real name; Robert Baptiste.
He’s not hiding from anyone while he does all this. No wonder it’s so exciting to watch his Twitter account. As you might have guessed, there are factions within India. Some people like the Aadhaar system and think it’s great. Others don’t. There’s a government official named R S Sharma and he’s the Chairman of India’s Telecom Regulatory Authority. This isn’t the agency that handles the Aadhaar numbers but instead it deals with telecom stuff. Okay, fine, but one day R S Sharma, a government official, got tired of hearing people complain [00:25:00] about Aadhaar and he tweeted something. R S Sharma wrote quote, “My Aadhaar number is 762177682740. Now, I give this challenge to you; show me one concrete example where you can do any harm to me.” Oh my gosh; R S Sharma, you are about to meet Elliot Alderson.
ELLIOT: [MUSIC] People helped me. A lot of people sent me information and we did it and we managed to find almost everything on him pretty easily.
JACK: Like what?
ELLIOT: Like his personal details so his address, his name, his personal photos with his wife, with his kids, his phone number, everything.
JACK: Elliot started posting a flood of tweets; first, this guy’s phone number, then the phone number of his secretary, then his e-mail address. Then Elliot checked his e-mail in haveibeenpwned.com and yep, the e-mail was in a breach as well. Then Elliot used the Aadhaar number to figure out his WhatsApp profile picture and posted that. Then his date of birth and his home address, and Elliot somehow checked to see if there was a bank account tied to this Aadhaar number but there wasn’t.
ELLIOT: Doxing is very, very bad and people shouldn’t do it. I only published a redacted screenshot and I tried to remove all his personal details. I just wanted to show him that we had his info, that’s all. The goal was really not to publish his details. This is not doxing. The goal was not to dox him.
JACK: Just in case you didn’t make that out, Elliot was blacking out the actual details on these tweets. He’s just showing enough information to prove that he had the info. Elliot and his followers were using a combination of open-source research like Sky and Google but also exploiting some of the weaknesses in Aadhaar itself. At this point, R S Sharma saw Elliot’s tweets.
ELLIOT: I think this guy was surprised because he was convinced that nobody will manage to find something. I think he was surprised. A few days after that he tried to say no, you shouldn’t publish the Aadhaar number but hackers didn’t manage to find my personal data through my Aadhaar number so it means they find my personal details because I am a public person, so it means Aadhaar is safe which is partially false because there was – some of the information has been found with other vulnerability.
JACK: From the looks of R S Sharma’s tweets after this, it doesn’t look like he learned his lesson. Just to give you an example, his tweet where his Aadhaar number is posted publicly is still up for anyone to see right now.
ELLIOT: [MUSIC] I received a direct message on Twitter. A guy from India told me I think I found something interesting but you should look at this. I don’t have any details but just look at this. He sent me a URL.
JACK: The URL was a website called Indane. It’s a gas company in India and they serve ninety million families and have nine thousand distributors.
ELLIOT: When I looked at the URL there was Aadhaar number of Indane users. What I did is I managed to modify the URL in order to find all the different users of Indane and with that, I wrote an automatic scraper in order to do my request automatically. Like this, I managed to get millions of Aadhaar numbers.
JACK: By just tweaking the URL in the website to try different combinations, he found that one of the URLs exposed millions of Aadhaar numbers, all without authentication or using an exploit to bypass. Just, if you know the right URL, it’ll give it all to you. Elliot knew this was a big deal and this company should not be leaking possibly millions of Aadhaar numbers like this. He contacted a journalist to work together on this one.
ELLIOT: [00:30:00] My goal on – I was working with a journalist at the same time so we wanted to understand how big was this breach and I was looking regularly as a resort in order to find how many Aadhaar numbers were leaked. The goal was not to get the data; I didn’t retrieve the data. I just wanted to see how many Aadhaar numbers were available.
JACK: He created a scraper to go through the website to try to understand how many numbers were leaked. After this script ran, he had the total number of Aadhaar numbers exposed. It was 6,700,000.
ELLIOT: [MUSIC] Which is a big number.
JACK: What did you do with this information?
ELLIOT: I directly shared the information with a journalist and together we tried to contact Indane in order to fix the issue but the problem with these kinds of very, very big companies; nobody’s answering you. We waited a little bit and after that, Zack from TechCrunch published the story and two hours later the problem was fixed.
JACK: Two hours later the problem was fixed. Whoa; this guy’s crazy. I’m sure he never is going to go to India. He’s ruined his reputation there.
TERABYTE: No, it’s not like that, actually, to be honest. He’s kind of a hero. I find him a heroic personality because he opened the eyes. He made us aware how vulnerable it is and how stupid this idea is also, getting an Aadhaar.
JACK: I actually got a chance to meet Elliot in person this year; at Defcon, of course, which I just realized is in Paris, in Vegas. Hm, right at home for him, I suppose. Together we sat and watched a conference talk together and then chatted for a while. He really does seem like a great guy with good intent; willing to give free security assessments to anyone he finds interesting and to help people understand the risks of poorly-built websites and applications. After talking with him, I do get a better sense of what all this is about. Elliot’s a busy guy, always looking for the next thing to do, and he’s endlessly curious.
He loves looking for problems but then when he finds them, he just wants to forget about them and move on. The easiest way for him to forget about it is just to publish it and let someone else deal with it. It’s like he’s transferring consciousness. Oh man, I sound hippy-dippy on that one but yeah, he finds this problem, it’s in his head, he tweets it and this lets him forget it and now it’s in someone else’s head to deal with. This lets him move on to the next thing more quickly. Earlier this year Elliot was where he naturally hangs out; on Twitter. He checked to see what Fox News was posting that day and he saw another interesting app.
ELLIOT: Like Donald Daters, I saw an ad I think, on the Fox News Twitter account and I was like okay, maybe I can try to find something on it. I downloaded the application.
JACK: [MUSIC] This was an Android app and it was called 63red. It was an app that’s exactly like Yelp but for people who like Donald Trump. I’m not exactly sure why they need their own apps like this; what makes them so special? But yeah, this is another one of those apps. Of course, Elliot decides to take a look at it.
ELLIOT: Very quickly I managed to find a big vulnerability in their API.
JACK: An Android app can be made two ways; you can write code for it and compile the program to run or you can just make the app in HTML5 using JavaScript and it will run just like a website would. It’ll look like an app but it’s actually just like a website underneath. Because the app was made like this, Elliot was able to see all the JavaScript used to create this website app and in there he found the database URL and API keys to access it. This really is as safe as writing your password on a postcard. You just turn the card over to see the password or in this case right-click, view source, and you see the password.
ELLIOT: There was no authentication process so everybody has the ability to modify, to do whatever they want. You were able to ban an account, to create some friendship between the accounts, to create as many accounts as you want. You were able to do whatever you want. Also, there was an accredited credential multiple times in the source code.
JACK: Elliot found this URL [00:35:00] and the API keys which gave him full read/write access to this entire database. You want to give yourself one thousand five-star reviews? No problem; done. You want the e-mail addresses of all the users? Okay, here. What Elliot found gave him full control of the database.
ELLIOT: When I found the vulnerabilities, I tried everything in order to see if I – to confirm the vulnerability and after that I didn’t contact the company. I directly published some screenshots of the vulnerability on Twitter. I tried to redact as maximum I could on the screenshot. After that, the guys from 63red were pretty angry and they threatened me to call the FBI. It was not good.
JACK: A-ha! See, I knew this was illegal. I knew this was gonna happen, right? You break into someone else’s stuff, you hack their database, you post it on Twitter. Yeah, sure, it’s redacted but it’s also proof that you were there. This is going too far. It’s breaking the law. Sure enough, the 63red team did see it that way. They claimed to have called the FBI to report a quote, “politically motivated attack.” They said they want quote, “this perpetrator will be brought to justice and we will pursue this matter and all attacks, failed or otherwise, to the utmost extent of the law.” End quote. Elliot put his hand in the fire too many times and now he’s getting burned.
ELLIOT: Yes and no; I mean, someone asked to do this job and people have to understand. They have to understand and people and companies have to understand that security researchers, hackers, are not bad guys. We are here to help, the InfoSec community in general is here to help companies. We are working in companies; this is what we are doing as a job. We are not here to destroy their business. It is never good to react like this, like 63red did because if you threaten a security researcher is very, very bad on – it’s giving a very bad signal to the community. If someone is finding a vulnerability in your system, in your company, you have to thank him and say okay, thank you for finding this. You’ve saved me some money because maybe someone with bad intentions will maybe already find it and will use it for another purpose. We are the bad guy. We are the good guy, sorry, in this story.
JACK: That was a Freudian slip in there. I think a lot of listeners are gonna wonder if you’re a good guy or a bad guy.
ELLIOT: This is very important. I tell you I’m a good guy and I don’t earn money with that. This is important because this work has to be done by – someone needs to do this work, yeah.
JACK: Yeah. It’s still funny to me that if you’re not a Trump supporter, you don’t like Trump, and you’re there to help people do security research for free, basically, you’re doing it on Trump’s – pro-Trump stuff. You know?
ELLIOT: Well, this is a partial view for me because yes, I found a vulnerability in two pro-Trump applications. You just have to give me other US American applications and I will be happy to find another vulnerability. It was just an opportunity but my work is way bigger than this. I’m not a political opponent of Trump. I’m not doing politics. I’m not even living in the US so I don’t care about Trump at all. Yes, I found vulnerabilities in pro-Trump apps but yeah, give me an application of Democrat and I will be happy to find a vulnerability in it. This is what I did in India, too. I managed to find vulnerabilities in application of both sides. I don’t care about the political side of the owner.
JACK: You don’t care – [00:40:00] you say your name. I mean, you told me you just – at the beginning of the show, Robert. You don’t care that that’s open as well?
ELLIOT: Yes, I mean, I’m a public person. For two years in a row I was on TV in the US and I was on national TV in the US, in Canada, in India, in France. I’m a public person so I’m not doing bad stuff. This is why I’m not a bad guy. I’m really trying to do good things. I’m doing good things publicly and this is really my action. I’m trying to spread the message; security is important. Accurate InfoSec community is here to help. We are not afraid. We are not hiding. We are here to communicate about security, to find issues. We have no reason to hide. I did nothing wrong so I don’t have any reason to hide.
JACK: Well, I mean, from where the law is, you’re not allowed to access equipment that’s not yours.
ELLIOT: This is not black and white. In Europe, for example, if your intent is to find – if you want to find vulnerabilities, if your purpose is to find security issues, there is some exception. You have the right. What I’m doing is not – I’m not hacking stuff. I’m finding vulnerabilities but I’m not exploiting these vulnerabilities. There is a difference between finding a vulnerability and extracting data with these vulnerabilities. My goal is just to point a finger on these vulnerabilities and that’s all. I’m not getting the user data; never are. I don’t care about user data.
JACK: Do you ever get afraid when 63red said we’re gonna contact the FBI? Did that scare you or anything?
ELLIOT: I was not afraid but I was not happy because this is not cool. The goal is, again, the goal is to have a conversation on security. The goal is to help the company. When the guys are angry like this, it’s a problem because we cannot discuss and I don’t like that.
JACK: Did anything happen after that? After they threatened with FBI?
ELLIOT: No, nothing happened. They removed the application from the store but yeah, three or four different applications and people find those vulnerabilities in it. They contact 63red but they did nothing.
JACK: You get an adrenaline rush when you find these vulnerabilities?
ELLIOT: You start to get used to this kind of thing. I published a lot of things and I managed to find a lot of cool vulnerabilities like this. You have a specific feeling; you know that you have something interesting, this is something cool, this is something you shouldn’t have, in theory. You are excited but at the same time you know that you cannot do – you have to be careful with that and you need to be responsible.
JACK: Yeah, it sounds like you have a lot of responsibility because of that, you know? You keep finding vulnerability after vulnerability from companies that don’t ask you to find these vulnerabilities. In a sense, you’re a little bit black hat.
ELLIOT: No, no. I would not say that. I am more grey hat in the community because a black hat is a guy who has malicious intent. I want this to be clear; I never earned money with the vulnerabilities I found, never ever. My intents are never malicious so this is why I’m not a black hat but as you said, I don’t have the authorization, the explicit authorization to find these kinds of vulnerabilities. You can consider me between the white hat and the grey hat, something like this.
JACK: Yeah. It sounds to me like you’re a vigilante. I don’t know. At this point, I’m baffled on what to think. I still believe [00:45:00] if a company does not ask you to do this and they don’t have a Bug Bounty Program and you actively go and search for vulnerabilities and then post what you found on Twitter? This is against the law. But maybe things are different in Europe. But even so, I’ve seen him personally in Las Vegas where he’s freely coming and going in and out of the US without being arrested or any charges against him. Typically, people commit computer crimes because of economic benefits, power, revenge, adventure, ideology, or lust.
But none of these actually match what Elliot is doing. He’s saying he’s helping people secure their apps better by hacking them and telling them he did it. He doesn’t ask for a reward of any kind or any special recognition. He just does it and tells the company how vulnerable they are. It’s rather odd to me but in the end, I do believe what he’s doing is good for everyone. Somebody needs to be doing this and it should be the companies who do this work but since they don’t, he sometimes takes it on himself. I’m still not sure if Robert Baptiste, AKA Elliot Alderson, is famous or infamous.
JACK (OUTRO): [OUTRO MUSIC] A big thank you to Robert Baptiste for sharing some of these crazy stories with us. Of course, you can find him on Twitter as Elliot Alderson and his name there is @fs0c131y. Good luck out there, Elliot. The devil is strongest when you’re looking the other way, like a program running in the background, silently. Also, a big thanks to Terabyte for being boots-on-the-ground for me in India and teaching us all about Aadhaar. That was really cool. This show is created by me, the dark rose, Jack Rhysider. Editing help this episode by our in-house rootkit writer, Damienne. Our theme music is created by DJ Mowgli’s apprentice, Breakmaster Cylinder. Even though the dark army starts following me for days every time I say it, this is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]