Inside the Dark Web: Exploring Cybercrime with Expert David Décary-Hétu

Episode Transcript

We're taking some much needed R and R, and while I'm away, I'm posting some of my favorites from this year, shared between both of our podcasts, Hashtag Trending and Cybersecurity Today.

So for some of you, this will be a repeat; for others, it'll be an episode you didn't hear.

Now these shows are made possible by the generous support of Meter, the company that delivers a complete networking stack, wired, wireless, and cellular in one integrated solution that's built for performance and scale.

And you can find them at meter.com/htt or meter.com/cst.

That's M-E-T-E-R dot com slash HTT or slash CST, for Hashtag Trending or Cybersecurity Today.

Crime is probably the most social activity in the whole world.

So these offenders are, in most cases, going to connect with each other.

No one is able to hack into a large organization alone.

And so that's where you strike, where you need to be able to monitor these conversations.

The dark web is one of those terms we throw around a lot, usually linked to crime, hacking, or shadowy marketplaces, but many people don't really understand what it is, how it works, or why it matters to cybersecurity.

Today we're gonna dig into that world with someone who spent his career studying it.

David Décary-Hétu is a criminologist at the University of Montreal, one of Canada's leading experts on the dark web and online criminal networks.

His research looks at how these markets form, how they operate under the cover of anonymity and how they adapt when law enforcement tries to shut them down.

But I wanna start with the basics, what the dark web is actually, and then dive deeper into the economics, the players, and the cat and mouse game between investigators and criminals.

And at the end we'll look at where this is heading next.

Here's my conversation with David Décary-Hétu.

Good to meet you, first of all.

Likewise.

Likewise, you, I, again, I'm consistently surprised at what's happening in Montreal.

You're a professor at the University of Montreal, but you're affiliated with the International Center for Comparative Criminology.

I was looking at the website.

That's a pretty large enterprise sitting there, and can you tell me a little bit about it?

Yeah, it's the biggest research, francophone research center in criminology.

And, basically we're interested in anything related to crime.

So we have people looking at offenders, people looking at regulators, people looking at law enforcement.

How do criminal laws get changed?

So across the whole gamut, everything is interesting to our researchers.

We have, I believe, 80 of them now.

Yeah, pretty big center and known throughout the world and partnerships across the world.

Yeah, of course.

Yeah.

It's been around for 60 years and we try to stay active and yeah, so we connect with people in Europe, the states, other places in Canada.

Yep.

It's, so I'm the director for the center for the, for this year.

the director is, away on sabbatical and, yeah.

So it's, it's proven a fun challenge to handle and to manage, this big thing.

I have to ask, how did you get into criminology?

What was, what made you so interested in it?

Actually I was on a leap year.

And one of my friends, she had one of her homework, she had to go to the library and watch interviews with serial killers.

And I was like, that's what your professors have you do at night?

And she was like, yeah.

I was like, okay, maybe that's something that I could like doing.

And so I applied to it, got in.

And I was lucky just because, now in our undergrad program, we accept fewer than 10% of the people who apply.

So we have maybe fifteen hundred applicants.

We take about 120.

So the students who get in are amazing students now, A-plus students.

So it's really hard to get into criminology now.

It's one of the most difficult programs to get into at the university, but the need was never greater for people in that area.

we, yeah.

it's we're never gonna run outta crime, so that's, and crime keeps changing.

Cyber crime, everything but we'll be talking about today also.

yeah, I think there's a, sadly, I feel the same way about doing a cybersecurity show is I'm not gonna, I always thought, you're gonna run outta things to say, Nope, no.

it's, let's talk.

I was gonna say, it's many of the same stories that are repeated, but there's a few new nuggets here and there.

Yeah, there's always a creative twist and I invited you on to talk about the dark web and Yep.

I, one of the reasons I wanted to do that, a lot of our audience is fairly sophisticated and I think they probably know about it, but I think it's one of those topics that people don't know what they don't know.

Yeah, if Yeah.

So can you, can we start with just a description of what the dark web is?

Yeah, sure.

So the Dark web, many people think it's a place that you go to, but it's really not.

You really have to see it as a communication channel.

So basically it's something you use to communicate with someone else anonymously on the internet.

That's pretty much all it is.

the great thing about the dark web is that you can connect to websites, chat rooms, any online service without having to disclose who you are, where you come from.

But these services can also use the dark web to hide their identity, their location.

So I can, for example, host a website and say, only people who go through the dark web are gonna be able to connect to my platform.

And so this means that I don't know who my visitors are and my visitors have no idea who I am.

And that's been one of the big challenges for law enforcement because there's all these websites selling illicit drugs, firearms and other things like that.

And you can connect to the platform very easily, and yet there's no way for you to know who's behind it.

Where is that server located, and how do you take it down?

So that's been the big challenge of it.

And that's largely the technology for the, and I think most of our audience will know, but there's a Tor Browser and, I think, the onion. Can you just explain a little bit about the technology, for those who don't know what powers this?

Yeah, so the dark web or the dark net, whatever name you use, is the label that we apply to a number of technologies that can be used to stay anonymous online.

So we've all heard of the Tor network, which is probably the biggest part of the dark web, just because the Tor network has the most funding.

It's been around for over 20 years.

And they were lucky because they were actually funded by the US government, who still funds the operations to this day.

And because they got this funding, they were able to develop, for example, what you mentioned, the Tor Browser.

So when you use a dark web, there's a whole lot of cryptography that's happening, a whole lot of things that are happening in the background.

And the Tor people, because of this funding, were able to hire programmers who could make it absolutely seamless to use.

So that's how they've developed the Tor Browser, which is a modified version of the Firefox browser.

Which enables you to connect to resources that are only accessible through the dark web.

When you are using this, it looks like just another website, but it's actually a lot of crypto hiding everyone's identity.

The other dark webs, so I2P for example, they don't have the same budgets.

They don't have the same number of developers, and it's very easy to say, ah, we're gonna take Firefox, and then we're gonna modify it so that you can connect to these platforms.

Problem is Firefox gets updated every week, if not every day, so every time there's a change in Firefox, you have to update the browser that you made that allows you to connect to your network.

And so that requires a lot of engineering time if you wanna stay safe and anonymous.

So that's been the main challenge.

And who, you said that the American government initially funded this.

Who supports this now?

I'm, first, I'm shocked that I didn't know that.

But the second thing is who supports it now?

So to the best of my knowledge, the US government, maybe it's changed since the last administration.

Maybe these budgets have been cut.

But traditionally it's been donations and the US government who paid the majority of this, and this network was developed so that the US military and the Navy could communicate with their spies all over the world anonymously.

And so if you have a spy in Iran and he's connecting to a server in the States, the Iranian government's gonna see this connection and they're gonna say, maybe we should go and knock on that door, see what that person is doing.

If they're using the Tor network, there's no way for these governments to know to what website you're connecting.

So that's great.

But at the same time, if only spies use these networks, then it's very easy to just flag them in your network and go and see the people who use this Tor network.

And so that's why the Tor network was funded by the US government, but also open to everyone, because basically we're providing cover for spies all over the world, basically inadvertently creating a network that would come back to bite us in many cases.

But then, that to hide spies. Exactly.

And provide a tool for freedom fighters and journalists.

Yep.

And whistleblowers.

So there's many use cases for this, of course.

But that was the reasoning for creating this network.

So where does the onion fit into this?

Yeah, so basically what you have when you're using the Tor network in this example is you have multiple layers.

So they've updated a protocol, and now it's not as simplistic as this, but in the original kind of design, you had three computers between you and whatever platform you wanted to connect to.

And basically the first platform that you connect to knows who you are, but they have no idea where you want to go.

The last platform in this chain knows where you want to go, but they have no idea who you are.

And you need someone in the middle that connects your entry guard and your exit relay.

And so you tell the first relay, I would like to go somewhere, but I'm not gonna tell you where. The second relay passes on your information to the last one in the chain.

And then this exit relay is gonna go and fetch the content for you.

So that's why we have this peeling of layers basically, where when I send my request to the first relay, all they know is they have to forward my request to someone else, but they have no idea what my packets contain because that's all encrypted.

So that's why you have this, this.

Interesting.

So you, for the all intents and purposes.

and I asked to tell our listeners, you, if you don't know what you're doing, you shouldn't be there anyway.

So many of us have not been on the dark web.

No.

but what, but how do you find your way around?

There's no search.

Is there a search?

What do you If regular internet.

Yeah.

So no one is indexing the content that is accessible through the dark web.

So once again, you can't really go on the dark web, even though I say it all the time, but you can't really go on it.

You can just use it to go somewhere.

And the traditional search engines are not really interested by the content that's accessible through the dark web, because in most cases, it's gonna be sex, drugs, illicit firearms, whatever.

So nothing that you can monetize that easily.

So there are some search engines, but the whole point of the Tor network is word of mouth.

So basically you shouldn't publish the URLs for these resources openly on the internet.

You're supposed to share it among friends, small groups.

And so this is where you go back to the good old days of the nineties and the search engines where we had directories.

And so basically you have all these websites that you have to know and they have lists.

if you wanna buy drugs, here's a list of markets that you can connect to and they're gonna provide to you the service.

If you're looking for, Porn content, here's a list.

So it's the good old days of the directories that have to be maintained and just taken care of by individuals.

Interesting.

So it's actually a lot like the old days where you had, you don't have search, you had lists, Exactly.

yahoos, yeah.

You think Yahoo started as a list?

So that's how they circulate these addresses.

Between the people who want to be on the dark web .

Yeah.

And so the URLs, anyone can just set up their own URL.

You don't need to register it with a registrar.

You just create your own domain name, and then you just publish content there.

I sometimes teach, wait a minute, you don't have to.

You don't have to put it through a registrar, but you still have your domain name.

Yeah.

Because if you had to register your domain, then you know you have to show who you are.

Yeah.

So that would create its whole host of problems.

So you basically just publish on the internet.

There's this URL and if you guys are interested by it, go to this relay and they'll feed you and I'll get your request.

And they're gonna be my proxy or my presence online, so that you can find me.

So the relays are like our DNS servers, is that Yeah, And, yeah.

And in the, sometimes I teach to law enforcement and within 15 or 20 minutes, all the law enforcement officers in my class, they can be hosting a drug dealing website that's hosted or accessible through the dark web.

I usually go for fake watches, so I just clone a website that's selling counterfeit watches and everyone in the room is hosting their own fake watch website.

Of course, we're not shipping or sending anything illegal.

but yeah, it's extremely easy to do.

Yeah, and that's the concept.

That's how you can have a server that is operating out there that people can't find and or law enforcement can't necessarily tackle.

Yeah, so basically the whole point of the Tor network is it's gonna hide your IP address.

If I don't have your IP address, I cannot locate you in the world.

So the server that's distributing child pornography can be five feet from me, or it can be 5,000 kilometers from me, and I have no idea where it is in the world.

And people rent these servers.

if I wanna be out there, people, somebody must be, have data centers that provide these things.

Oh yeah.

That, yeah.

And we've seen this content hosted in many large data centers.

Sometimes it's gonna be computers that they run at their own home.

So you can host it from your place, from a data center no matter where you want to.

there are a series of people who will not look too closely at what's on your hard drives.

And because everything's encrypted in transit, it's more difficult for them to realize that, you're running this thing within their infrastructure.

Wow.

And who are the main players?

Who are the people who are out there?

What are, you've mentioned drugs.

Certainly sex and drugs.

No rock and roll, but the rock and roll could stand the main web. But yeah, there's a lot of debate as to what the Tor network or the dark web in general is being used for.

There was a study, over 10 years ago, which was really interesting because they looked, they indexed as many websites as they could that were accessible through the dark web.

And what they found was that these websites were being used for many things.

innocent markets to buy drugs, whatever this thing you want.

But when they looked at the traffic, and so the flow of packets and what people were actually using this platform for, I think like 95% was for child pornography.

So basically just downloading child porn.

Yeah.

And then the Tor network came back and they said, you're only analyzing part of our flow.

You can't really say that.

but the point is, many services are accessible through the dark web.

Facebook, for example, you can use it through the regular internet or you can actually just go through the dark web to log into Facebook. You can connect to the CIA's website.

They have a version of it that's only accessible through the dark web.

But I would say I would not be surprised if a large portion of the network was dedicated, used by people who wanna exchange child pornography, just because these people have a vested interest in remaining hidden.

yeah.

Yeah.

we all think about the hackers.

we all think about hackers, but then hackers have, their disclosure sites are pretty much on the regular web, and then you, and, but they have their own sites as well for recruiting, I would guess on the dark web.

So it's difficult to say is something on the internet or on the dark web, because a lot of the websites that you can access through the dark web, you can also access just through the regular internet.

So it's not like there's two sets of content, there's just two methods for accessing the same content in most cases.

As I said, Facebook for example, you have exactly the same experience, but in one case, Facebook knows where you're connecting from, and with the other, Facebook has no idea where you're connecting from.

So these are just two methods to access the same content.

but of course, in addition to child pornography, I would say the dark web is mostly known for the ransomware blogs.

So basically all the ransomware groups, that's where they host their content.

And because it's only accessible through the dark web, it adds a layer of difficulty for law enforcement to determine where these servers are and to take down the content that was stolen by these ransomware groups.

yeah.

Yeah.

No, and I don't wanna fixate on it, because the visceral reaction I have to child pornography is, I think, like everybody's, but how do you steel yourself if that's what you're studying?

How do you deal with that?

I don't watch, so I'm not too interested into the content.

I do a lot of, social network analysis.

And in that case, you don't really care what people are saying.

You're more interested in who's talking to whom, who's connected to whom.

So looking at, actors and ties rather than actual content was probably a very good decision on my part.

but some people are interested in the content.

And even then, one of my students, for example, she looked at a child porn forum where people were just discussing their feelings, experience and everything.

And we couldn't really, for ethical reasons, go through all the content, but we could use tools, for example, to determine if these messages, were they happy, sad, angry, and we looked at before and after COVID, to see.

We all said, COVID isolated us.

If people were isolated, they were more sad, more angry, and maybe that led to more children being abducted, attacked, raped and everything, and abused.

And basically, in this case, we found no difference.

It was the most boring master's thesis ever because everything was flat.

But so you can analyze pretty much anything and there are tools that will just read the content for you, give you out numbers, and then you can play with these numbers pretty six way.

Yeah.

look, let's focus on our hackers, which are really the bane of our corporate existence there.

And so they gather on the dark net or dark web.

I understand that the nuance, but it's so much easier to just conceive of it about, they gather on the dark web.

How do they find each other?

These?

Yeah, it's these directories, it's links that are gonna be shared on x, on discord, on telegram.

So it's basically just knowing where to go.

And the hacker forums are still very active.

Most of them are accessible through the internet or through the dark web, and you often have the same content.

But once again, it's mostly word of mouth.

It's just talking to people, and people are gonna say, Hey, there's this new platform, you should try it.

Here's the link.

You can't really guess the Tor URLs because they're what, 64 characters long.

so they're, and they're all kind of random numbers and letters, so it's very difficult to just guess them.

You actually have to have someone take you by the hand and bring you there, which is the whole point of the network to keep it more secure.

But that's the thing that just, I, you pointed out there's so many police on the dark web or watching, or in these forums, I'm sure that every forum has at least one officer in it.

But how do they build enough trust to talk to each other?

That's a big question.

So trust doesn't come easy, that's for sure.

And there's been many studies on this. I would say one of my PhD students, SMUs Skar, did his PhD thesis on this very topic, and that was very interesting because, for example, he looked at people who sell drugs and he showed that when someone would buy drugs from someone else, they would buy a very small amount and then they would see, can I buy drugs through this website and am I gonna receive this drug in my place by the mail?

And if they do, then they maybe order another time, but this time it's twice as much.

And so you would see this trust building where people would say, I'll trust you for $5 of illicit drugs, then I'll trust you for $20 of illicit drugs, and then maybe I'll trust you for a hundred dollars if everything goes well.

So it's a lot, based on people's experience as well as their friends' experiences as well.

and it's the same for restaurants.

if you go online and you can see, for example, on Yelp it says, that restaurant is great, are you gonna trust that Yelp, number.

Maybe not so much.

If you ask me and I'm like, you have to try this restaurant because you know me, then maybe you're gonna trust this even more.

But if you've been to this restaurant before and you had a great time, then you actually know that it's a great restaurant.

So you have these three layers that build towards trust and you're using all these signals, your own experience, your friend's experience.

And then if you have nothing else, just a regular internet and you're like, you only live once.

Let's try.

This place has great Yelp review.

Probably bad, but you never know.

Yeah, Yolo gets you into trouble, but right now, I know for instance that a lot of, young people are being recruited and particularly we've done stuff on the ransomware gangs.

Yeah.

And they really do focus on younger people, particularly unemployed people, unemployed young people who have a computer or computer savvy as well, and manage to recruit them.

But have, do you under, have you studied the structure of how that happens?

Not so much because a lot of, so some of it happens quite simply, people going on Upwork and other platforms where you can just advertise your services, and in some cases, either people turn a blind eye, they don't ask too many questions, they'll be recruited to develop malware, develop graphics for certain things, so they'll be enlisted into these criminal gangs and they'll get paid without necessarily knowing what they're getting into.

and so that happens.

And there's also the people who see all these blog posts that we publish in the cybersecurity industry, or: these ransom gangs, they infiltrated that hospital and they got a $15 million payment, and it looks easy enough and it looks like so much money.

You're like, you can earn so much money.

So we're creating our own problem.

I feel many times because we make it look as this dream job where you are gonna be making so much money, it's gonna be so easy.

And today with AI, you don't even need to know how to code.

You can just vibe code your malware or yourself into an organization.

So all of this discourse draws people in who perhaps don't have other opportunities, or even people who are just curious to see, Hey, could I do that as well?

so we see a lot of people just flowing in just because they're curious.

They wanna try it.

They're like, Hey, maybe it's an easy way to, to make a few bucks.

And in many cases it is, especially with cryptocurrencies today.

If you target people who are active in that community, you're very likely to be able to get your hands on large amounts of Bitcoins or other currencies.

so yeah, just people reading the news and saying, Hey, maybe I should try this.

Are the concepts of the hackers and the people who are selling drugs and all of that, do they intersect?

Is this one big business or do they have their own little enclaves?

Yeah.

So what we've seen is it's very divided by type of activity.

So you're unlikely to see platforms which are gonna advertise malware as well as illicit drugs.

That happens, but there's usually a more dominant activity in there.

But we even see groups based on, yes, the type of activity, but also the places that they're from.

And we've seen, for example, on Telegram, you're gonna see channels and it's gonna be, for example, Montreal Hackers, and then you're gonna have Toronto hackers, you're gonna have New York hackers.

So even in the name of the channel, you're gonna have what these people are doing and where they're from.

And it's pretty easy to understand because if you put me in a room with German hackers, we don't speak the same language.

We're not gonna be online at the same hours.

and we don't have the same culture.

So we have some point of connection because, we like hacking, but it's still gonna be a difficult mix between the two of us.

So I would much rather hang out with hackers from Montreal, which have the same references, the same culture.

So that plays a very big role in how these communities, connect to each other.

Interesting.

Now you train police officers yourself, but what's the difference between what you do in research?

what you, obviously you have a different approach to it than the officers you train.

Yeah, of course.

so I see our work in research, it's trying to understand, the changes that these technologies bring.

for example, the first, research I ever did on this dark web thing was looking at how this technology was gonna change drug markets and violence.

So we know that drug markets can be violent.

And so if people start buying drugs online through this dark web thing, it's very difficult to shoot someone if you don't know where they are in the world and if you're not even in the same city as they are.

So I wanted to know, so are we gonna see changes in the levels of violence associated with drug dealing?

For example, we've also looked at the effectiveness of police operations.

So basically, how do these offenders react when one of their platforms is seized?

And a landmark study that we did showed that even if you take down the biggest platform there is that's accessible through the dark web, about six weeks later, there's gonna be a new platform.

It's gonna be very similar.

It's gonna be up and running, and everyone's gonna be back to business, because basically if you attack the platforms, someone's gonna create a new one and they'll be just back to what they were doing in a matter of weeks.

so trying to understand this, it's more kind of understanding the impact of technology on crime as well as how people network and connect with each other.

Yeah, and I don't wanna wander, I want to stay back on the point, but I just tweaked something with me is that the imagination that most of us have is that most of these people are in Russia or North Korea or someplace where they can't be extradited.

But if you're gonna run a drug business, you actually have to have physical presence in places that are quite close to us in Canada.

In the US or, yeah.

or nearby.

So it is very different depending on what type of activity you're talking about.

But even then, I would be curious to know if there are more hackers in the States than Russia, not really clear on what the answer is to that question.

I wouldn't be surprised if there was more people in the States just hacking into the States rather than Russians hacking into the United States.

that's still up for debate.

but one thing for sure, even though there are international networks, even in the hacking world, even if you gave me credentials to log in once again to a German bank, once I'm in, I don't speak German, so I have no idea.

Am I in a big bank, a small bank, a regional bank?

How do I pivot?

I get, I, what do I search for?

your password files?

That'll be called password.

It's gonna be, Einstein.

So there's all these things, which means that when you're hacking into systems, you have to speak the language, know the culture.

Once again, that makes it much easier.

Which is one of the reasons why so many young people are recruited, because obviously they've got English-speaking people working in the US, they've got French-speaking people working in Quebec.

And as you are well aware, just because you speak French doesn't mean that you're going to fit into a community.

In Paris there are different dialects.

There are different cultural norms that you have to, especially if you're going to be doing things like trying to do social engineering, you have to understand the culture as well.

Exactly.

Yeah, exactly.

So that's why even though we're always focusing on these international groups and there are many of them and they're very effective, but depending on what they're doing, if you have social engineering.

You have to have someone who's local or it takes time for you to really be good at it in a different culture.

So that's for sure.

And that's why I think that's the hope for law enforcement.

So sometimes we feel like all we're doing is investigating these Chinese, Russian, Brazilian, German gangs hacking into our systems.

True.

But there's also a lot of their partners who are local and they need those partners.

And maybe we go after these guys rather than the main ring.

Not as effective, but at least it gives us something that we can actually use and a way to prevent some of these attacks.

Now if, and we deal with the problem that we have, which is, it's like playing whack-a-mole.

you knock out one of these groups, they're back again in three weeks, six weeks with a new name and the same players and back at work.

How do we tackle these?

Very big question.

very big question.

The technology for the dark web, for example.

I don't think anyone's really broken the technology, the encryption.

that problem has pretty much been solved in that, you can create secure connections online.

You can hide your identity.

Now if you're the NSA and you have a bird's eye view of a whole country's network, it becomes a bit easier to track people than if you're a single ISP or a single law enforcement agency, for example.

But I think that the human aspect is still the most important one.

So these offenders are, in most cases, going to connect with each other.

No one is able to hack into a large organization alone.

You need to get malware from other people.

You need to learn some tactics, some techniques from other people.

So you have to connect network.

Crime is probably the most social activity in the whole world.

And so that's where you strike, where you need to be able to monitor these conversations, see who's interested in what, and that's where you have the, you best handle things as, as well, perhaps as the cryptocurrency.

So everyone's just stealing cryptocurrency, asking for ransom and cryptocurrency.

I can give you a million Bitcoins.

There's not much you can do with that.

What you want is US dollars or Euros, and you have to convert those at some point.

And so if I'm able to track you down to the exchange that you're using, that's also a very effective method for identifying people.

In some of your work, and I admit to just glancing through it, there was a concept of conditional deterrence.

Can you explain that?

Yeah, so basically, you can take down one platform and, as I said, there's not gonna be a lot of impact because everyone's gonna be back up to their old practice with just the different platforms.

So what you want with deterrence is to have kind of a more lasting impact.

And so we've seen police operations that were very well designed in the past.

So for example, law enforcement was running the biggest market that was accessible to the dark web for a number of weeks.

And then they came out and they said, "Hey guys, you didn't know this, but we were actually running this platform and while we were doing it, we were collecting all this information on you."

And for example, they erased all the images from the website and they told everyone, "Hey, we lost all the images. Your icon, you know, your picture with your profile, it's gone. We need you to re-upload it again. Here's a website where you can do this."

This website was actually tracking everyone's IP to see where they were submitting their images from.

So when you do that and then you make it public, then everyone starts to freak out.

And everyone's wondering, what do they know about me?

Do they know who I am?

Do they know what I've done?

So this is where you're trying to deter people, by doing the operations which show that we could be coming to your door at any point in time.

And we could be just arresting you, so maybe it's better if you quit while you're ahead, is basically the message law enforcement is sending.

Interesting.

Yeah, because one of the techniques that I'd heard about from another officer that I was interviewing was that they try to sow distrust in the group to make it more dysfunctional and just to slow them down if nothing else.

Yeah, so one thing that we, another student of mine, we worked on a police operation where basically the police were seizing drugs, but they were making no arrests.

And so people were ordering cannabis through the dark web and they would never get their packages.

But the people, the drug dealers, they were selling packages.

But the police were at the Canada Post, and they were just seizing the packages.

So the customers thought, "Hey, this guy is now just not sending the drugs."

And the drug dealers were thinking that the customers were stealing from them. It created huge distrust, and it just crashed the cannabis market in Canada for cannabis.

Wow.

That can be done.

Huh.

The other thing you could do is legalize it and then you don't have a problem.

Oh, true.

But it was super interesting because it's a very low cost.

If you know what these packages look like, you just take them with you.

You don't have to build evidence, you don't have to arrest anyone, which takes a lot of resources.

Just by doing that, you just destroy the market and people have to go and do something else, basically.

Interesting.

Tell me more about where, what your experience has been.

And I know as a researcher you have your different ethical approaches, only so much you can do.

What are the things that my listeners would be most surprised about?

There are some really dark things that are being hosted on this dark web thing.

The red rooms, the torture chambers.

There, there are some dark sides of humanity that perhaps shouldn't exist and should not be shared online.

But I would say I think that the most surprising thing is how unimportant in many ways the dark web has become, over the past, I would say, 10 or 15 years, a lot of the law enforcement has focused on the dark web, and this means that perhaps it's much more risky to be using this technology because law enforcement have been targeting, monitoring, and looking at all the actors that are using this technology.

So more and more what we're seeing is people are saying, using the dark web, yes, it provides me some level of anonymity, but because anyone's gonna be clicking on the link, uploading pictures, they can actually find my identity pretty easily anyways. Maybe it would be better for me to be using other networks, technologies rather than dark web.

And unfortunately, we've seen the dark web become more and more boring over the past decade.

And I say, unfortunately, just because I had invested a lot of time, energy to develop monitoring infrastructure, trying to understand these networks, that we now have to redeploy to other platforms like Telegram.

But even that's dying down, so looking more at Discord, and just plain old web forums, basically.

Really.

So where does the future go for criminals on the web?

I honestly don't know.

I honestly don't know.

Telegram seemed to be the new place where everyone was, but then the French people groomed everything by arresting the owner of Telegram.

And now there's been a lot of debate as to, can you use Telegram now?

And many people in the community, in the hacking community, are against using it.

They're saying we should be using Signal, we should be using other apps.

But, fun fact, who was the seed money and who paid for the development of the Signal app? The US government, once again.

It's just fascinating to see.

Gotta love it.

Everyone's, "Hey, let's use this thing."

It's, "Oh, the US government created it, or the government funded it." I don't know that one platform is gonna be ruling them all because they're all vulnerable, basically.

But the things that'll be interesting to look at, I think one of the big things that I'm looking at is cryptocurrency.

Because cryptocurrency changed the whole game for hackers, for ransomware.

If we didn't have cryptocurrencies, it would be so much harder for people to buy and sell malware, to buy and sell identities, access to networks and to companies. And cryptocurrencies are perhaps, and I'm gonna be making a lot of enemies by saying this, but it's perhaps one of the few technologies that have very few useful use cases and a lot of problematic use cases.

It's very useful for speculation.

But for buying a sandwich, it makes little to no sense.

Yeah, it's hard to justify in a, nobody carries cash.

In Canada, we all use electronic currency now. You don't need a Bitcoin to transact anything.

Yeah.

And I know in some countries, financial services are hard to come by and it's stuff like us in Canada where everyone has 20 different credit cards, credit is easy to get.

So there, there are some use cases, but besides speculation, having people getting their funds stolen, fascinating.

The exchanges of illicit goods and services.

And so it's gonna be very interesting to look at how these cryptocurrencies evolve.

Do they stay relevant?

Do we have quantum computers that just break blockchains so we can't use cryptocurrencies anymore?

I think that's perhaps the biggest change that the criminal underground has seen.

And it'll be interesting to see.

Do they keep that tool or do they lose it in the coming decades?

It's interesting.

There's a trial going on in New York.

I don't know if you've heard of it, but two MIT students, they basically ripped off people for $25 million in cryptocurrency, and they're being hauled into court and they're saying, you can't touch me. Why?

This is a blockchain.

Anything permitted by the blockchain is inherently legal within there, and you have no law that affects blockchains.

They might actually get off, which would be, it's like at the beginning of the internet that there was, I think the first case that was tried was people who had a hotel database and basically they copied the database, with all the employees' information in it.

And basically were charged with theft, but they said, I didn't.

Theft means that I take something from you and you don't have it anymore.

In this case, I just copied the list of employees so you still have it.

So it wasn't theft.

And so I believe they walked, and that's where we need this.

Okay, maybe we need new laws, like what does theft mean in the digital age?

It means that I can take something from you, but you still get to enjoy the thing that you have.

So we will need new laws, that's for sure.

Because the reality is just different.

This drives me crazy, especially since we have places like the University of Montreal that have so much knowledge on this.

Do law enforcement or do regulators and legislators come to you to try and find out what they should be doing?

Yeah, we all the time.

All the time.

And we don't have all the answers.

People on the ground, law enforcement officers, they're in there 24/7.

They're looking at these networks, they're monitoring them.

So they've, the sophistication of law enforcement operations has, it's really impressive.

But what they've done in the past decade or the past 20 years, and in terms of laws, we know regulations and laws, they always dragged behind by a decade or two.

We'll get there at some point.

But when you have these cases where people say, "I didn't really steal 25 million Bitcoins. They just flowed through me and I didn't do anything wrong."

I'm sure we're gonna see new laws around that in the coming years, that's for sure.

And just two pieces of, if you were going to give advice to policymakers or legislators, what would you say?

What would be the thing, the biggest thing that they should be looking at?

As I said, I think, how we use cryptocurrencies, always comes down to money in most cases.

How do we handle ATMs with bitcoins?

How do we handle the place of Bitcoins?

So I would say that trying to make laws that make sure that we can actually track and know, you know, who these offenders are because of their payments.

That would be one thing.

The other thing is to say that no technology is inherently evil.

Sometimes we try to say encryption is bad, so we need to get rid of encryption.

We need to have, back doors into everything.

The dark web is bad.

Like I would say all technologies have a purpose, and we've seen over the past few weeks, months and years, people trying to put back doors into everything.

And so we just saw the EU proposal to monitor pretty much everyone except EU lawmakers, which would be protected against any monitoring of course.

I would say that's possibly a very big threat because we've all seen that if you try to monitor, surveil people and break the, and attack the technology, that's always the wrong way to go.

And we have to fight this again and again, and it's gonna happen, I think, again in the future.

And why do you say that?

Why is it the wrong way to go?

Just because when you are creating back doors and when you're trying to outlaw technology, the only thing that happens is the bad guys can access the technology and the good guys cannot.

Nothing new here, but that's always what we see.

If you say Tor is illegal, all the bad guys are gonna use it.

And people who would actually benefit from using it because they're whistleblowers, because they want to communicate securely with their loved ones in oppressed countries, they lose that ability to do because they don't wanna get arrested.

So I would say that, yeah, we need to take a different route.

Yeah.

And the reason I would ask that was, the whole idea of back doors and creating those, is attractive to law enforcement.

They always want it, but then they're not as good at guarding it as they might be.

And we found that in the US where the back doors that they'd created into the telephone system, guess what, they leaked.

And we had, I think we probably still have hackers going out through our telephone networks or our now digital networks for telephony.

Oh yeah, they're going to do the SS7 network, even the Apple chips that had a backdoor a few years back.

That backdoor was so hidden, there was no way for a random person to just discover it, except, I think it was Kaspersky who saw it now being used, and they were like, oh, okay.

Now that we've seen someone use it, now we know how to replicate it and now we can use it as well.

So that's always a problem is, you can put a hidden backdoor somewhere, but the second you use it, you just burned it basically.

So there's ways to do effective backdoor.

Only problem is you cannot use them.

And so what's the point of having back doors in the first place?

So yeah, just in terms of my audience, which is largely people who are involved in corporations and security, are there any things that you've learned from what you're doing that they should be paying attention to?

I think that they should have a program and services to monitor what people are saying, what people are saying about their company, but also their industry.

So we're seeing, as we said when we began this conversation, there are new things in cybersecurity from time to time, but very often it's just the same history that repeats itself.

So trying to understand, okay, so if I run a hospital, how have hospitals been hacked in the past?

Trying to understand what are people saying about me?

Are people selling accounts for my employees?

So trying to understand what your threat is, but also just how your industry is being threatened is also extremely important.

And I think that being aware of this, keeping an eye on, okay, so there's been like a wave of two or three hospitals have been hacked.

How did this happen?

Can we talk with each other?

And trying to understand how people are bridging to these networks.

I think that people should spend more time trying to understand what the real actual threats are rather than just go through compliance and trying to find, okay, we're using X, Y, or Z software, but trying to understand what are the real use cases.

And the original and innovators in terms of criminals, they do exist, but most of the time it is just the same thing that happens over and over again.

And where would be the best place for them to educate themselves on this?

Because I know people sell this as a service and things like that.

I don't know what's reliable.

Where should a company be looking to if they want to become more educated on all the things that you've talked about?

Yeah.

There's so much, so many conferences.

So that's always a good place to start.

Many of them put their content online, many of them free, so you don't need to pay millions of dollars for this.

So I think that just watching the content that's been produced online, podcasts like this one.

I do listen to a lot of podcasts and once again, sometimes it's a bit boring because you're like, okay, so yet another human who clicked on the link, but it tells you, you get a sense for what's going on, what are the big trends.

So I think just podcasting conferences are the easy way to go.

And then if you have the money and millions to spend, there's gonna be a whole pack of companies.

And I'm sure they're already knocking on everyone's door to sell them services.

So we'll let them decide who's good, who's bad.

That's, they're gonna find you.

You don't have to find them.

I noticed you, you posted something on LinkedIn to BSides, which David, my other friend David has told me about, and that seems to be a really accessible place for people to start getting more educated in terms of what's happening in terms of cyber threats anyway.

Yeah, so if you're in the Montreal region, so BSides is just this brand for conferences.

I believe there's now over 200 BSides events all over the world and each of them is run independently.

So they range from 40 people to 4,000 people in Vegas.

So in Montreal we have about 300 people.

It's one Saturday in September, every year.

It's our fifth year.

We've been lucky enough to be sold out for the past five years, which is pretty awesome.

And we have almost free half-day workshops.

There's two of them.

We have treasure hunts, we have some great talks.

And for 40 bucks you get a t-shirt, breakfast, lunch, dinner, open bar at the end, and some pretty great talks.

So you know, it's a no-brainer and you learn something too.

I was gonna say that's on top of everything, so it's not so bad.

David, this has been fantastic.

I'm so glad to have had this chat with you.

I hope I can come back to you when we have some other, especially if you have other research that comes out, I'd love to hear about it and I think our audience would as well.

Thank you for having me.

Great.

Great talk and yeah, when there's some developments in the dark web, we can talk about that.

Okay.

Thank you very much.

I'll, I will talk to you soon.

Thanks a lot for doing this.

Appreciate it.

My pleasure.

And that's our show.

Love to hear what you think about this.

I hope we bridge the gap between those people who don't know a lot about this and maybe some of you who may know a lot more. I hope it was interesting.

But let me know.

I'd like to get some feedback from you so I know how to plan these shows better.

You can reach me at technewsday.com or .ca.

Take your pick.

Just go to the contact us tab and leave us a note.

If you're listening to this on YouTube, just put a comment under the video.

I listen to them all.

David Shipley will be back Monday morning and I will talk to you again Wednesday morning.

I'm your host, Jim Love.

Thanks for listening.

We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless, and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable, and secure connectivity.

They design the hardware, the firmware, build the software, manage deployments, and run support.

It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo at meter.com/cst.

That's M-E-T-E-R.com/cst.
