A Conversation With Jack Rhysider About How He Started His Hit Hacking Podcast Darknet Diaries—and What It Has Taught Him About Infosec
Jack Rhysider was working in a security operations center when he started Darknet Diaries, a podcast about hacking that blends the suspense and narrative style of Serial with the pedagogic zeal of The Magic School Bus.
Rhysider had no background in podcasting when he began the show. Like any good hacker, he quickly taught himself the tools of the trade. He read books about audio journalism, watched instructional videos from the Khan Academy, and studied podcasts he admired, like This American Life and Radiolab.
Three years later, Rhysider has established one of the most popular technology podcasts in the business. Darknet Diaries amassed more than 8 million downloads in 2019, received a coveted 5.0 rating on Apple's podcast app, and built a devoted—some might even say cultish—fanbase. It’s been featured in the New York Times, The Guardian, and Vulture.
Earlier this month, I spoke to Rhysider about why he started the podcast, what it has taught him about information security, and how he avoids glorifying the bad guys. I also asked Rhysider what lies ahead for his fans. But don’t get excited—he wouldn’t share many details.
His reason? It’s too dangerous for public consumption.
John Sakellariadis: Jack, take me back to the beginning of Darknet Diaries. Why did you feel it was so important to tell these stories?
Jack Rhysider: When I started the podcast, everyone was talking about hacker stories. My barber was talking about it, my doctor was talking about it, even my parents were talking about it! All these people who were not in tech were saying things like, ‘Oh, did you hear about the hack on this and the hack on that?’ And I would say, ‘Yeah, but there's a lot more to it than just the headline.’
People tend to think of hacking as this Dark Arts thing. But I wanted people to understand the mystery and magic of what happened. I wanted to explore both the how and the why. And I think that's what's important, you know, digging beneath the headline and getting a fuller understanding of the story.
One of the big things I'm always looking for is: Why did you do this? If we can understand the thought process from the hacker and understand why something happened, then I think we can get a much better understanding of how to protect ourselves and how to deal with these kinds of problems.
JS: You produced the first season of Darknet Diaries entirely on your own. At the time, did you have any background in podcasting or audio journalism?
JR: No. I mean, in high school I took an introductory class on radio. But that was pretty much it.
Listen, if somebody wants to be a writer, the question people always ask is, ‘Do you read a lot?’ Right? So to get to know how to write and produce these podcasts, I had to listen to podcasts. I mean, I became really, really addicted to podcasts for a few years.
Over time I developed an ear for the music in the shows, the talking, the cuts, how it all felt. I’d ask myself questions like how are the news clips fit in? How do they do the cuts? I was just really, really focused on how all that worked for like a year before even trying it.
JS: There’s a stereotype that those in the information security field have a better feel for 1’s and 0’s than heroes and anti-heroes. How did you become so good at storytelling? Have you always had that bone in you?
JR: So about eight years before making the podcast, I started blogging about technical problems that I would face at work. And I think that really helped because I had to practice explaining these complex technical issues in the simplest terms possible so that people who read the blog would get it right away.
I think Darknet Diaries would have been much worse if I didn’t have that experience. I put a lot of time into explaining things as easily as I could on the blog.
And then there were some storytelling techniques that I had to pick up. I read the book Out on The Wire: The Storytelling Secrets of the New Masters of Radio, for example. That had insights and formulas from people like Ira Glass and Roman Mars about how to tell great stories. And then there was this workshop called Pixar in a Box that the Khan Academy and Pixar put together. That taught me what a story arc looks like, how you do a proper character development, and all that kind of stuff.
JS: One of my favorite things about the show is that you aren’t afraid to geek out. You’ll pause the narrative for however long you need to explain the ins and outs of a hack. Why is it so important to you to go into that level of detail?
JR: Back in high school, I used to watch Discovery Channel and I was like, ‘This is cool, but it’s really surface-level stuff.’ They were just kind of fluffy about things. I wanted the equations. I wanted the deep scientists to teach me M.I.T.-level stuff.
That didn't exist on TV when I was a kid. I wanted a show that was captivating, but at the same time extremely educational. I wanted to go as deep as I possibly go. And I just always yearned for that kind of thing. When I started making the show, I kind of had that sense in my head. Let's go deep. Let's get really nerdy in there.
JS: In your previous job, you sat in the trenches. You saw infosec from a micro-level. Now, you take in the horizon. You can look back across a five-, ten-, or fifteen-year period and see everything that happened. How has that changed your understanding of infosec? Is there anything you learned working on the podcast that you wish you knew earlier in your career?
JR: There was an incident called Heartbleed that happened while I was at work. This was a vulnerability in SSL. And the vulnerability came, and then it was fixed and went away. And that seemed like the whole story. And I said to myself: OK, taken care of.
But looking back a couple of years later, I saw that there was so much more that happened behind the scenes. And that was really what drove me. A desire to go back in time and cover these stories from the beginning all the way to the end.
I'm a slow news junkie. I want to know everything that happened. And in order to know all of the things that happened, we have to wait many years for court records to come out and for the police to catch whoever did these things. It’s almost like being a historian.
In that sense, I've learned a lot about how companies handle incidents, how hackers get in, and how they conduct their operations. That information only comes out many years later. And it is valuable to see the entire timeline of how a major breach happens. It teaches you how to handle it and how to move forward.
JS: Yet even with the benefit of time, some of your episodes remain open mysteries. Someone or something is standing in the way of the truth. What has the podcast taught you about the limits of what we can and cannot know about cyberspace?
JR: It’s interesting. Hackers are more willing to talk about some of the stuff they've done. They kind of have an ego. They are willing to come forward and tell me some of what they have done. But I'm having a difficult time getting defenders to tell their story.
On a weekly basis, I get some CEO messaging me saying that they would love to be on the show. My first question is always, ‘Have you ever been hacked? And are you willing to talk about that?’ Because that's the story I want. I want a first-hand experience of the worst day of your life on the job. Tell me all about that. And nobody ever comes back to me and tells me that. I think they are embarrassed about their mistakes and want to protect their reputation.
I think that's kind of the last frontier that I'm trying to pierce—getting incident responders to talk about what they've had to go through. I think those are some of the most important stories because we're all trying to handle similar situations. But companies just aren’t sharing.
JS: You’ve interviewed some fascinating figures for the show, some of who have gotten into trouble for breaking the law. You've also had a number of episodes about bad guys that pull off breathtaking hacks. How do you avoid glorifying criminal behavior? Do you have any lessons for ‘white hat’ podcasting?
JR: When I’m picking a story, I always look for balance. If a hacker comes to me and he's done a million illegal things and gotten away with it, I have a hard time airing that because there's no other way than to tell the story of how he managed to get away.
I try to pick stories that have a clear arc. You follow this person, and they do some amazing stuff. As a listener, maybe you say to yourself, ‘Oh, that sounds great. You can make a lot of money doing that.’ It all makes sense to you, and just as you get into it, it all comes crashing down. The FBI comes and the bad guys end up in prison, or all these bad things happen to them. Often, I get the person to say that they regretted doing this, that it never made them happy.
That’s key, the storytelling arc. And it’s the lesson I want for young kids, teenagers, and whoever else is listening. It's all going to come back. Eventually, the chickens will come home to roost.
JS: Last question, Jack. What is your favorite story that has never been told on Darknet Diaries?
JR: There’s this story that’s so crazy, I just need to tell it. But I don't want to give it away, I don't want to put it out there because it might be dangerous. If I want to tell it, I have to sneak up on it. So I can’t tell you anything on the record.