MDT2_ASSEMBLE_63_020216 ENDING 4

There are kingdoms and companies that are the Switzerlands of the Internet. These are data havens, and the information they host on the servers only they have access to are amongst the most secure, impenetrable, and inaccessible places on Earth. These kingdoms and companies offer cyber criminals the privacy to conduct unregulated information exchanges, malware attacks, spam dumps, ransomware breeches, and bulletproof hosting. Every cyber criminal walks these halls, here today, gone tomorrow. Emerging outside the reach of law enforcement and between international legislations. We're visiting some of the most dangerous places on the Internet to find out where cyber crime goes to hide. We were flying over the North Sea to see the world's first data haven. The Principality of Sealand, which considers itself a sovereign country, is an abandoned World War II gun platform. You're the prince of Sealand. I am, yeah. I mean, it was -- the fort was situated in international waters. And my grandfather decided why not declare it a principality? Yeah. So what is it about having your own kingdom that's so appealing? I mean, it's the element of freedom that we have out there. We can do what we want without prying eyes watching our every move. Why don't you want prying eyes watching your every move? Why wouldn't you, did you say? I mean, why do you shut your curtains at home? It seems like a long way to go to store your data. Yeah, well, somebody will go to long measures, won't they, to secure what is theirs. At the dawn of the Internet, an idealist named Ryan Lackey founded the world's first online sovereign state by creating a bulletproof data hosting facility. The idea of HavenCo was to have a place where people could host servers for Internet sites and the users would be located everywhere in the world, and these servers would be located on Sealand in a physically secure environment, and we would have very high technical quality of service, but we would also be able to let the customers pick which laws applied to them. So is Ryan Lackey involved in HavenCo anymore? No, he had a little bit of a falling out with us. No, no. What was the falling out about? Primarily, we sort of just disagreed, as I say, on the gray areas as far as when we were hosting for HavenCo originally. He wanted absolute cart blanche, do what you wanted. If someone wanted to come out there and operate a server selling firearms or missiles, he thought we should just offer a service to anyone that wanted it. We built the business, so we got to make our own rules. Anyone who creates something gets to define what that thing is, which is part of why we picked the kind of regulations we did. We found a story about another bulletproof host, CyberBunker, a Cold War nuclear bunker in the south of Holland, also able to withstand a 20-megaton blast. Have you seen a large black building, sort of like a nuclear bunker? [Speaking Dutch.] He knows the bunker? Yeah, he knows it. So they're telling me it used to be like a drug lab. [Right.] Oh, yeah. [Speaking Dutch.] You don't go to it. Oh. No. You don't -- It's forbidden. I'm not quite sure if this was a good idea. CyberBunker was a notorious hoster for illegal materials, especially spam. It was also rumored to be home to numerous hackers. A battle is waging across the Internet. It's under the worst ever cyber attack, so strong it's slowing down Internet access globally. It's allegedly a strike from a Dutch web hosting company called CyberBunker. Could somebody go to prison over this? Could somebody be fined? Is this going to be resolved? I am doubt that the people that did the attacks are in any country where doing a DDoS attack is legal or where they can even be found. You know it's illegal, what you're doing, right? After weeks of cryptic responses as to whether we could actually get into CyberBunker, I decided just to try my luck. There was a face scanner at the door. Denied? Yeah, denied. It was clear that someone had also been using the facility quite recently. There were fresh coffee grounds in the trash and an empty server rack seemingly recently delivered. It became clear that someone may have been inside at that very moment, watching us. We decided it was probably time to leave. Just when we thought getting inside was a lost cause, I managed to get in touch with a convicted black hat hacker who knew the owners of CyberBunker and a meeting was set. Raymond. Raymond, nice to meet you. Hi, how you doing? Roy. Roy, nice to meet you. Nice to meet you. How you doing? Fine, fine. So you're welcoming me into CyberBunker? Oh, that's the wrong name. That's, in fact, not the name anymore. Oh, what's the name now? It has a code. Right. Yeah. What's the code? ML01. This is the nuclear blast doors. Yeah. Of course, you're in a nuclear bunker, so -- What's the phone signal like down here? None. None. None. So these are your CCTV cameras you've got around the place. Yeah. Yeah. Yeah, we did notice them. I did try to get in the other day. Yeah? The only thing I would say is it does say dog outside the gate, but there was no dog. We have silent dogs. Access granted. It's incredible. It's straight out of Dr. Strangelove. So this was built to protect against Russian nuclear threat? Yep. And now we're in the cyber world, and it's again providing the protection. So you're doing a full circle. So we came here looking for CyberBunker. This isn't CyberBunker anymore. No. Our company is based upon trust. We want to provide high-end security for clients that are, well, trusting us with their most valuable data. And we are combining it with cyber security capabilities, and we're telling that it's not just concrete or an EMP shield that helps you out in terms of securing, but it's also in protecting the fiber and the cryptology and all those stuff from nowadays. Yeah. With all the trends like cloud and big data and Internet of things, that there is solely focused on cyber security and let's say the digital part of securing data. Yeah. But you're doing the physical part, as well. No, we're doing both. But why do you need the physical part? Who's actually going to break in here? Come on. Well, here, no one. If you're a company, you're storing your stuff here that you don't want anyone else to get their fingers on. Yeah. Okay, so -- So you don't store everything in a bunker. We don't have a concept that relies on one bunker. Because one bunker is no bunker. So you have at least two in one country and then other bunkers in other countries, which gives you also advantages from a legislation perspective, from data protection laws and what's more beneficent for clients to have their data in. So who are you providing data storage for? Currently, we're not entitled to say. Okay. Well, typical, let's say, in generic terms, governments, but -- So potentially governments might want to store their information here because it's a safe place from military attack from other governments who might want to launch cyber attacks. For sure. We don't brag about locations, we don't show pictures and movies from the inside, because, in the end, that's not what clients are looking for, ultimate security, high-end security. This will probably be the first and last time you will see this bunker from the inside. It seemed CyberBunker had evolved from a place where scammers and hackers go to hide to a place where governments and corporations go to do the same. There's different types of bulletproof hosting, and it depends on if you're a criminal or if you're legitimate or you just need your data in cold storage -- you pick the bulletproof hoster who is best for your needs. I wanted to see an active data haven, one that touted its ultrasecure hosting. Embedded in a nuclear bunker 30 meters below the hills of Stockholm is a hoster called Bahnhof. This facility hosted the WikiLeaks at the height of their notoriety. If ever there was a place to securely keep your data, data that people wanted to get their hands on, this was the place. Hi. Hi. I met the CEO, Jon Karlung. He gave me a tour of the impressive facility. It's a blast door. Is the physical impenetrability of this bunker even relevant? It's important. I mean, if you operate mission critical business, it's important to have it secured by physical means. You need energy, which is the diesel engines. Then you need Internet, which is fiber optic cables. And they are coming in from many ways. Is it a closely guarded secret where these cables are? Yes. Yeah, yeah. Jon showed me where WikiLeaks servers had been and walked me up to the control room It did indeed look like a James Bond villain's lair. Back in London, I met with James Ball, who used to be a data analyst for Julian Assange at WikiLeaks. James. Hey. How you doing? Good to meet you. Nice to meet you. How's it going? Assange's right-hand man. I wouldn't quite say that, but, yeah. So kind of WikiLeaks's famous server was this server in Sweden, a company called Bahnhof, which is essentially, you know, in an underground bunker and hyper secure. Was Bahnhof effective? I tend to think stuff like Bahnhof is a bit more theatre than anything else. You can have as secure a server nowhere near a bunker or an underground [unintelligible] and most of the stuff that's actually going to catch you out isn't going to be someone drilling into an underground vault James Bond style. Is there anything illegal down there? It could be, but -- Could it? Yes. But it's not my -- I mean, I don't [unintelligible] at any given moment, there can always be some illegal material on the Internet. But I don't open the boxes. I don't control what's on the boxes. And I think we are the [unintelligible] we are the bank. The hosters would like to see themselves as the post office. But if they really want to be a post office, they have to act on abuse complaints when they come in. A post office doesn't have -- like if a post office had a bomb stored in their post office and they didn't take action when they got a complaint, they'd be out of business. So bulletproof hosting is a term that's gone back maybe 10 or 15 years, and it refers to a hoster who will not take action to take down your website. So somebody discovers that your website at that hosting provider is bad and they go to the hosting provider, say can you disconnect this customer? Or can you give me information about what that customer is doing? Because they've stolen my data. And the company will just ignore those abuse complaints. I was told corrupt hosters in Southeast Asia favor smoke and mirrors over hardened datacenters. We found one such hoster, so we decided to track them down. Their registered address took us to a nondescript apartment complex in the suburban outskirts of Kuala Lumpur. This is a residence. Yeah. So this is just like someone's flat, right? The sixth level is all residences, so it probably is a residence office. Yes? Oh, hello. Hello. We were just wondering about your neighborhoods. Yes? [Cinepack]. You say they haven't been here for -- Three years. They haven't been here for three years? Yes. No. Since I stay here -- No one's there? No. We went to a place today called Cinepack. We went to the location, which is on their website, and there was no one there, and the neighbors said they hadn't been there for around three years. So there will be one specific group of people. They are very specialized in the web hosting business -- in the hosting business. So what they do is they set up different companies, they take different orders, and then once the company starts being criminal, they will start another company in other places, different provider, and then they will take new orders again until they got the same complaint. And then they will stop and then they will start another company. Right. Kind of like nomad hosting, in a way Just going from place to place to place until there are so many complaints they move on to the next one. Yeah. So what's the extent of cyber crime in Malaysia? Is it a big problem right now? I think the majority is on fraud and phishing attacks. So that is what we are seeing. I think mid last year, there's a bunch of claim to be a South African, which they managed to get access to the local ATM machines. So they managed to withdraw money, like 30 million ringgit from the different ATM machine throughout Malaysia. So they hacked the cash machines? The cash machine, yes. A company called Ecatel that was rumored to have ties to bulletproof hosting and cyber crime popped up on our radar. We had a line of sight on their location, so we boarded a flight to The Hague. Oh, hi, is that Ecatel? Oh, I'm just looking to host some data on a server. I'd heard Ecatel was a good place to do that. I've got eclectic tastes, so I thought Ecatel might be the place. Oh, well, it was just sort of in the ether, your telephone number. Their offices are in The Hague, okay? Oh, hi, I've got an appointment with Ecatel. Can you let me in? Oh. Hi. Could you buzz me in? I've got an appointment with Ecatel. Thanks. [Speaking Dutch.] What? You don't come in. Do you know Ecatel? No, never heard of them. Ecatel is not here. Oh. I'm so sorry. So how do you know -- I know they're in The Hague. Is this your building? Go away. Is it your building? Ooh. Please, go away. Is it your building? Please go away. Can I not come and see Ecatel if I've got an appointment? Yep. What do you want? Just wondering if they've got their servers here. Don't take any pictures of me. Okay. Okay. Don't make me angry. Yeah. We heard there was some nasty stuff on Ecatel's servers. If there is anything on the servers that's not normal, not right, it's removed. Any abuse they receive will be dealt with. By? By Ecatel. By Ecatel. Yeah. Oh, that's good, so they're policing themselves. Stay away from me. Okay, sir. I'm not your fucking friend. Okay, all right. Okay. I found myself talking to some of the most secretive people on the Internet to understand the magnitude of bulletproof hosting. A patriotic hacktivist that goes by the name Jester agreed to chat. He has been credited for taking down jihadist websites across the world and hacking the personal email accounts of Iran's president. I was seeing a giant up tick in jihadis using the Internet to recruit, radicalize, and even train online. I felt I should do something about it. Why would people want to use bulletproof hosting? I suppose hackers' tools are servers. They need places to launch attacks from. Bulletproof hosting is a valuable service for me. I'm under constant attack. I care more about the provider being impenetrable to cyber over physical attacks. Well, if I want to be a bulletproof hoster in a true sense of the word, I would distribute all my information all over the place. I wouldn't rely on a single server in a single bunker. I wouldn't rely on a single jurisdiction. All right? Basically, I want to distribute it to a point where a single takedown of a single location does not disrupt my ability to host or to basically put anything out there. So nowadays the most effective from of bulletproof hosting isn't necessarily being in a bunker. It's being in the cloud, hiding in plain sight. Yes, exactly. It's not necessary that you have a bunker or some very secure location. The idea is that you pretend like you're not doing anything illegal at all and you just sign up for regulator hosting like a regular customer. And then the task is to try and mask the fact that you're actually a criminal enterprise. And how do you mask? So the way they mask is they take multiple hops before a victim is sent to the final destination. And those hops are generally in different countries to make it difficult for law enforcement to get cooperation from all those countries in order to find out where the hosting is behind that. It's totally a war. Cyber space is the new theatre. We're seeing this more and more now every day. A Silicon Valley startup is caught in the middle of a cyber war between ISIS and the hacking group known as Anonymous. The company's called Cloudflare. It's a startup that protects websites against denial of service. Those are attempts to bring websites down. But it does not discriminate with its clients. It has come out and said that. Anonymous is lashing out at Cloudflare for shielding pro-ISIS sites from the hacking group's attacks. Cloudflare, it frustrates me. It frustrates all of us. Even though, you know, we do have to use it to protect our site, but it's an American company, and they're protecting many, many of the ISIS websites now. Now I work at a company, Cloudflare, which is the edge of the Internet. It connects between your browsers and your servers from multiple locations around the world. So is Cloudflare the future of bulletproof hosting? It is the future of how you reliably host Internet content without censorship. Anonymous have recently accused you of having two of the top three ISIS websites -- Yeah, that I can't really talk about. You can't talk about that? Yeah. Why? We have contacted Cloudflare directly, daily, alerting them to this, and just get no response. What gives Anonymous the right to say what should and shouldn't be online, to make judgments? Have you seen the ISIS material? When I see a head cut off because someone prayed the wrong way or they're gay, I think that gives me the right. I'll make that judgment call. Do hosters have a moral responsibility when it comes to what's out there on the Internet? I think it is very much their responsibility. Guides for homegrown terrorist cells on how to shoot up a room and successfully go carry out another attack before suiciding oneself should not be easily available to people online. If you just take the I will host everything, you're really facilitating some dark stuff, and you're actually endorsing it. I think you have to actually get in the weeds. You have to get in the case by case. And go there is a ton of stuff that I hate, that I would never do anything with. You're making hosters incredibly responsible for the content that they're hosting. I mean, hosters are incredibly responsible for what they're hosting [in law]. That's why they want to be blind hosts. So criminals need bulletproof hosting because they need to be able to keep their website up. Because if they're on your computer and they're stealing your credit card or your emails, they need to send that information somewhere. And those type of bulletproof hosters, they understand that there's criminal activity happening on their severs, and they just want to get paid. These guys have got billions and you don't. These guys have got hundreds and hundreds of computer scientists and most of us don't. You've got to know how not to be scammed. You've got to trust everyone you give your data to. So we have to actually just take personal responsibility for our own online security? It's -- I think we need to force companies to take responsibility for our data that they have, and we have to take responsibility for our data that we have overall. There's no absolute solutions, essentially. It's constantly give and take. Yeah. There's no magic bullet. There's no magic server. We are going to have to work this out for ourselves.