DAVID MCCLELLAND
Sorry to dive in here, guys, but I just feel as though I might be missing something. I know I've not been able to listen to the last couple of Smashing Security.
Unknown
But Penelope, who is that? Have I missed something? Smashing Security, episode 139. Capital One hacked, iMessage flaws, and anonymity.
Smashing Security, my ass, with Carole Penelope Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 139. My name is Graham Cluley.
CAROLE THERIAULT
Namaste, I'm Carole Theriault.
CAROLE THERIAULT
Namaste? I just got back from yin yoga. I don't think I felt this relaxed in, I don't know, a decade.
GRAHAM CLULEY
It's like you're unrecognizable, Carole.
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
I seem to remember a while ago you decided that you wanted to be a little less cack-handed and less like a drunken giraffe.
And you said that you were going to run rather than be clumsy, you're going to be your alter ego, Penelope. Is that what you're trying to do today?
CAROLE THERIAULT
Do you know what? Thanks to my yin yoga, I haven't risen to that. So why don't we introduce our guest?
CAROLE THERIAULT
Oh, there's a little edge in my voice already. A little salt there.
GRAHAM CLULEY
We are joined this week by a super return guest. It's Mr. David McClelland. Hello, David.
DAVID MCCLELLAND
Hola, hola. ¿Qué tal?
GRAHAM CLULEY
Oh, muy bien, gracias.
DAVID MCCLELLAND
Oh, very good.
GRAHAM CLULEY
Where have you been? As if we can't tell.
DAVID MCCLELLAND
Well, yes. You know, there's a bit of an irony to the whole thing. Normally when we talk about going on holiday or travelling abroad, it's to escape the British summer.
It's because it's the cold we're trying to run away from. But it was only 28 degrees by the coast in Catalonia last week.
Positively chilly compared to, what was it, 38 degrees or something you had here in the UK?
CAROLE THERIAULT
It was really, really insane. Most of us do not have air conditioning. I think last week's episode is really all about the heat. We didn't stop talking about it.
GRAHAM CLULEY
One of our rules when we started the podcast was we're never going to discuss the weather.
DAVID MCCLELLAND
And I think we discussed it about 4 more times last week.
CAROLE THERIAULT
Yeah, that's true. That's true.
DAVID MCCLELLAND
Well, I was very grateful to be by the water last week, but unfortunately my iPhone X took an unexpected dip in the Mediterranean. And it turns out that that's not cool.
CAROLE THERIAULT
I thought they were waterproof or water splashproof or something.
GRAHAM CLULEY
That's why they don't have a headphone socket, right?
DAVID MCCLELLAND
Yeah, right. So you start peeling away beneath the surface on the water resistance claims that Apple makes.
And then you start looking at the warranty and the guarantee, and you realise that yes, while it claims IP67 dust and water resistance, if there is any water damage detected within the phone, then that is not a warranty fix.
CAROLE THERIAULT
David, I'm hearing a lot of frustration in your voice. Maybe you need to take up some yin yoga. Telling you, man.
DAVID MCCLELLAND
I tell you what, when the Apple genius this afternoon said, "That's gonna be £550, please," I could have done with some yoga there. And the frustrating thing is—
CAROLE THERIAULT
You should have jumped into a tree pose. You'd have felt so much better.
DAVID MCCLELLAND
This phone is what, 18 months old, 19 months old? Apple is going to announce its iPhone 11 or whatever they call it in 6, 7 weeks' time.
I'm not gonna splash out on a refurbished almost 2-year-old phone right now. So I'm slumming it on Android for the next few weeks.
I tell you what, I'm finding it tough because the rest of my family are on iOS. It's like I've been cast out from the family bosom.
I'm missing out on group chats, losing my Apple Music and all of the apps that we use. I've got real fear of missing out from my family right now.
CAROLE THERIAULT
FOMO, come on, dude.
GRAHAM CLULEY
Were you not tempted to say to the Apple genius, do you not know who I am? I'm from Rip Off Britain.
We will get Angela Rippon and Gloria Hunniford and Julia Somerville onto this unless you sort me out right now with a replacement.
DAVID MCCLELLAND
So look, this might not be the last that we hear of this particular story, but these things take time. So watch this space. But in the meantime—
CAROLE THERIAULT
Oh, we got an exclusive, kids.
DAVID MCCLELLAND
I am iOS-less for now.
CAROLE THERIAULT
Well, okay, we'll still put up with you for the length of the show.
GRAHAM CLULEY
Thanks. Carole, what else have we got coming up in the show this week?
CAROLE THERIAULT
Well, first, shout out to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free.
And on today's show, Graham, yet another data breach gets nitpicked by you.
David is yakking about malicious iMessages because he's using an Android, and I'm chatting about data anonymization. I promise it won't be boring.
All this and heaps more coming up on this episode of Smashing Security.
GRAHAM CLULEY
We'll be the judge of that. Hey!
CAROLE THERIAULT
I mean, namaste. Namaste. I'm staying cool. I'm staying cool.
GRAHAM CLULEY
Stay Penelope. Now, chaps, chaps, as Carole has just said, it's been another day and there's been another data breach, a big one.
This time, a breach has impacted customers of the financial services firm, one of the top 10 banks in America, Capital One, and any consumer or small business who's applied to take out a credit card with them in the last 14 years may well have had their personal details hacked.
CAROLE THERIAULT
Wow, 14 years.
GRAHAM CLULEY
So this breach saw personal details of around about 100 million individuals in the United States and approximately 6 million in Canada as well. Whoa, hold the phone. Yes, exactly.
That's the bit you care about, eh? Stolen from a cloud-based data server, one of those Amazon buckets.
And they grabbed names, addresses, phone numbers, email addresses, dates of birth, income. Some also had their credit scores and payment history and things like that taken.
And in the worst cases, there were round about 140,000 Social Security numbers, which is obviously a big pain point.
CAROLE THERIAULT
You know, they keep on getting stolen, don't they?
GRAHAM CLULEY
Well, yeah, but fast hack, they already got stolen, so— Well, yes, darkweb hackers have already got those, I suppose.
People are probably going, "Ah, plus ça change." And 80,000 bank account numbers linked to accounts, they were swiped in the States with a further 4 million social insurance numbers in Canada.
Who knew that Canada even had 4 million people in it?
GRAHAM CLULEY
Well, I don't know. How many people are there in Canada?
DAVID MCCLELLAND
30 million.
GRAHAM CLULEY
Oh, there you are. You're doing very well. Well done, keep on bridging. I'm impressed with you.
Now, the first that Capital One knew about this breach was when its little bug bounty hotline, or rather its email address, received a message from a member of the public tipping them off that some of their data had been leaked and published on GitHub.
And they basically gave Capital One the link and said, "I think you might want to check this out." So GitHub went to the link where indeed there were samples of this stolen data, and the account was in the name of someone.
It wasn't in the name of Black Skull or Phantom Menace, or typical—
CAROLE THERIAULT
It was Graham Cluley.
GRAHAM CLULEY
No, no, it wasn't me. It wasn't me. Hey, watch it, not me. Instead, it was in the name of Paige Adele Thompson.
CAROLE THERIAULT
Can I just interrupt for a second? Do you not feel at this point that big companies should be aware that Amazon clouds need to be protected?
I just can't believe that this is still happening.
GRAHAM CLULEY
Oh, well, we don't know exactly how they got access to it. So it's not necessarily the case that this was an Amazon bucket which had been left open.
There is some suggestion that there may have been a vulnerability, maybe in a web application firewall or some other software which—
CAROLE THERIAULT
I apologize. You see, there I was jumping to a conclusion and I'm just—
GRAHAM CLULEY
You don't need to apologize at all.
You are right, there has been a big security problem with web buckets being left open and for anyone to access, but it's not necessarily the case that this is what happened on this occasion.
But as I said, the account name, the GitHub name was in the name of Paige Adele Thompson. And that GitHub account also had a CV and resume on it.
CAROLE THERIAULT
Oh, this is like what was the virus?
GRAHAM CLULEY
You are thinking of a virus, a Word macro virus from the past.
CAROLE THERIAULT
Love Letter.
GRAHAM CLULEY
No, well, it wasn't the Love Letter. It was written by an associate of the person who wrote the Love Letter. It's a Word macro virus called Michael B.
And that was written by Michael Buen, which included his CV.
CAROLE THERIAULT
That's right, yeah.
DAVID MCCLELLAND
Good knowledge. Good history knowledge there, Graham. I like that.
GRAHAM CLULEY
I'll tell you what it did actually. It's one of my favorite viruses because it's one of my dumbest virus writer stories ever.
What he would do is at the end of the month, he would print out his entire CV asking for a job, including his name and address and phone number.
CAROLE THERIAULT
In the payload?
GRAHAM CLULEY
Yes, that's right. And he said if you don't give me a job, I'm going to release another virus. So it is similar.
CAROLE THERIAULT
Somehow it didn't work for him. I don't know.
DAVID MCCLELLAND
I don't know.
GRAHAM CLULEY
It is similar, it is similar to that. But anyway, this had a CV and resume on it for a certain Paige A. Thompson.
DAVID MCCLELLAND
Interesting.
GRAHAM CLULEY
Including, of course, her employment history. Which said that her last previous employment was at Amazon working on the web business.
DAVID MCCLELLAND
Oh, here we go, here we go.
GRAHAM CLULEY
Between May 2015 and September 2016. So it's a while ago, but interestingly, she had been working at Amazon in Seattle.
Now, CVs, of course, just like with Michael Buen, also include people's addresses and phone numbers, and this one was no exception.
So it wasn't that hard for the FBI to know whose door they should knock on. And so they knocked on the door of 33-year-old Paige Thompson in South Seattle.
CAROLE THERIAULT
I don't know if that is the norm anymore to have addresses and phone numbers.
I think now you might have a Google phone number if you were in the States, for example, that's not tied to your address, and you would present yourself because of privacy issues.
You don't want to put all that stuff on a piece of paper that's going to end up God knows where.
GRAHAM CLULEY
But they need some way of contacting you. Oh, you think so? They just put an email address?
CAROLE THERIAULT
Well, no, they can use a Google phone number, right? Which is not tied to your house or to your mobile.
GRAHAM CLULEY
Oh, good tip, Carole. Well, you know, to be honest, it's been, I don't know, 30 years since I applied for a job.
CAROLE THERIAULT
Yeah, quite. So I just love your "CVs, of course, tend to include."
GRAHAM CLULEY
A curriculum vitae, of course, is normally wrapped around the leg of a pigeon. Anyway, did I say knocked on her door? Did I say the FBI did that? It isn't quite as simple as that.
And I'll include a link in the show notes. And I've shared with you both an image here.
You will see that the knocking on the door was more in the form of a SWAT team coming around with rifles.
CAROLE THERIAULT
With full army gear, camouflage army gear. What were they gonna do, hide behind the pot plants?
GRAHAM CLULEY
They've got a database, everybody. We've gotta take this seriously.
CAROLE THERIAULT
Crawling across the grass, pretending to be imperceptible? Oh my God, this is insane. Where is this?
GRAHAM CLULEY
This is in Seattle.
CAROLE THERIAULT
Okay, so not a place where, you know, middle of nowhere, where people are bored, where the military's been sitting there doing nothing for the last 3 years.
Maybe, well, maybe, I don't know, maybe Seattle.
GRAHAM CLULEY
Well, police searched the house, which Paige shares with a number of other people, and they seized drives, which contained files that referenced—
CAROLE THERIAULT
Not driveways, but—
GRAHAM CLULEY
Amazon. No, for God's sake.
GRAHAM CLULEY
Seriously, is that the best you can do after an hour of yoga? That kind of gag? Oh, you're not rising to it today, are you? You are being Penelope. This is amazing.
Wow, it's a whole different crowd.
Anyway, so they seized some thumb drives and they had files on them related to Capital One and Amazon and also her online alias, Erratic, where she'd been posting on Twitter and on other things.
Oh, but this is the interesting thing, and it may explain why the police were so well-armored and had all these guns and things.
Because she wasn't the only person of interest in the house. She shares a house with a few other people. And when the police were searching it, they found 20 firearms.
CAROLE THERIAULT
Okay, whoa, whoa, whoa. Is this Murder, She Wrote? I feel like you've just tricked us. You didn't mention that they had interests of people and that there were guns involved.
I just— sorry, I'm rising. I'm rising to it.
GRAHAM CLULEY
Well, they discovered assault-style rifles, handguns, scopes, grips, ammunition in another bedroom belonging to the chap who actually owns the house, a 66-year-old called Park Quan.
And apparently he has previous regarding weapons. And in the 1980s, I think it was, he was actually indicted.
He got into some trouble with some co-conspirators about a failed contract killing where a truck bomb was made out of dynamite.
DAVID MCCLELLAND
Oh, wow.
CAROLE THERIAULT
Okay. I just want you to remember that you started with a Capital One breach.
GRAHAM CLULEY
Anyway, so maybe the authorities saw that he was also present in the property.
CAROLE THERIAULT
I now understand why they dressed that way.
GRAHAM CLULEY
Yeah. So I don't know. I'm just guessing. I'm just making the link. I don't know. I don't know, Carole. I don't know what's going on here in the States.
CAROLE THERIAULT
I'm sorry, people.
GRAHAM CLULEY
But even if Thompson hadn't posted her resume online, there were plenty of other clues. You know, she didn't really act like an elite hacker.
CAROLE THERIAULT
She didn't have good OPSEC.
GRAHAM CLULEY
No. And there's plenty of details in the indictment. For instance, remember that Capital One was informed by a member of the public about the data being on that public GitHub.
Well, it turns out that they may have been a friend, maybe not so much anymore, of Paige Thompson slash the hacker known as Erratic.
CAROLE THERIAULT
I think that's probably normally the way people get dubbed in.
GRAHAM CLULEY
Yeah. And there'd been private direct messages exchanged on Twitter.
There'd been a Slack group where they'd been having all kinds of conversations, and Erratic had been talking about other companies as well, which may have been plundered in the past.
So the arrest has only just happened this week. On Thursday, which is the day when this podcast will be released, Paige Thompson will be appearing in court.
She's been charged with a single count of computer fraud, faces possibly a maximum penalty of 5 years in prison and a $250,000 fine.
CAROLE THERIAULT
Yeah, but that's kind of chump change for everything, 5 years considering that some people go in for—
GRAHAM CLULEY
Well, we'll have to see. I mean, I'm sure they're still gathering evidence and putting their case together on this one.
CAROLE THERIAULT
I mean, how many people again have been impacted, we think?
GRAHAM CLULEY
106 million. Okay, so yeah, 5 years, no biggie.
CAROLE THERIAULT
You're right.
DAVID MCCLELLAND
But this is data going back how many years ago? But it's credit card application data. So the stuff that you are using to apply for a credit card and so on.
Why are they keeping that data so far back?
GRAHAM CLULEY
Absolutely.
DAVID MCCLELLAND
I mean, do they need to? Is that a regulatory compliance thing there? Or actually, are they just being too—
CAROLE THERIAULT
Greedy? Well, yeah. So they can sell the data?
DAVID MCCLELLAND
Perhaps, exactly.
CAROLE THERIAULT
Just wait for my story, I tell you.
DAVID MCCLELLAND
Oh, okay. But that increases their attack surface, doesn't it?
GRAHAM CLULEY
It really does. I think there is this huge problem of toxic data.
Many organizations probably want to think, what is the minimum amount of data we can keep on our clients and our contacts and people who— 'cause some of those people won't have been given credit cards.
They won't have become customers of Capital One.
CAROLE THERIAULT
Exactly, so they didn't get any of the spoils.
GRAHAM CLULEY
And yet that data has obviously now been snarfed up. Now, Capital One say, they have apologized by the way, they say that they believe the data hasn't been exploited.
They don't think it's been disseminated either, but frankly, how would they know?
The fact, however, that this woman was arrested quite quickly, although the original breach looked like it happened a few months ago, does suggest that maybe it hasn't actually been used in some fashion, but we'll have to follow the case to see what happens.
Now, I'll tell you something astonishing though.
The news of this breach has only happened as we're recording within the last 24 hours, but already the first class action suit has been filed.
CAROLE THERIAULT
Already?
GRAHAM CLULEY
Someone has already put it together and said, "We want millions out of Capital One because of this data breach." And you almost think that these class action suits must be prepared in advance with a gap for the companies to move.
Do you know what though?
CAROLE THERIAULT
I suspect that, you know, many, let's say 5 or 6 different companies do exactly the same thing. You want to be first out of the gate.
CAROLE THERIAULT
So I can understand people moving quickly.
GRAHAM CLULEY
I guess so. But Capital One has apologized.
CAROLE THERIAULT
Oh, well, that's fine then. Let's move on.
GRAHAM CLULEY
I think they're also offering credit monitoring.
But my thinking is, yeah, but with so many breaches that have happened, Carole, hasn't everybody, sorry, Penelope, hasn't everybody already got half a dozen credit monitoring subscriptions going on already in the States?
Because chances are this isn't the only place where your data has been breached.
CAROLE THERIAULT
Yeah, yeah, so don't worry about it. Put your feet up and away you go, listen to a podcast.
GRAHAM CLULEY
Yeah, well, that's not a bad idea.
DAVID MCCLELLAND
Sorry to dive in here, guys, but I just feel as though I might be missing something.
I know I've not been able to listen to the last couple of Smashing Security episodes because I don't have my podcast app anymore, 'cause it doesn't work on bloody Android.
But Penelope? Who is that? Have I missed something?
GRAHAM CLULEY
Oh, sorry, sorry. Yes, Penelope is Carole's alter ego.
CAROLE THERIAULT
Well, she was, I don't know, 15 years ago.
GRAHAM CLULEY
Yes. If you can imagine Carole not walking into something, not tipping over a glass of water over a keyboard.
DAVID MCCLELLAND
So Penelope is a less sweary Carole?
CAROLE THERIAULT
She's just gentler.
GRAHAM CLULEY
Is there any other kind? Probably a less swearing girl, I'm not sure.
DAVID MCCLELLAND
Okay, okay.
CAROLE THERIAULT
Yeah, but she's more refined. She's refined.
GRAHAM CLULEY
David, what's your story this week?
DAVID MCCLELLAND
Well, you know, I remember the days, don't we all, when iPhones were simple and safe.
CAROLE THERIAULT
He's lamenting it.
CAROLE THERIAULT
He's got that little bit of his brain that's throbbing because he misses his iPhone so much.
DAVID MCCLELLAND
It's still there. It's still there.
You know, once upon a time you could give your mum an iPad or an iPhone and you know, she'd be sheltered from all the bad stuff that was happening on the internet.
Those days, alas, are long gone, it would seem.
And over the last few days, iPhone users, which I guess doesn't include me anymore, may have noticed that they've been encouraged to update their iOS operating system. Why?
Well, because apart from one or two new features, it fixes what Leo Kelion from the BBC News Online website called "A Fistful of Flaws in Apple's iMessage App". Good work, Leo.
So these were some vulnerabilities that were identified by bug hunters from none other than Google. Oh, who I suddenly feel a lot closer to now.
CAROLE THERIAULT
Your buddies, my buddies at Google.
DAVID MCCLELLAND
I know. And so the researchers at Google, they helpfully published details of these exploits, including examples of the code to create these malicious iMessages.
There are 6 potential hacks in Apple's over-the-air iMessage service, and they are what's called interactionless, which basically means that the victims of the attack, the people who are receiving the message, don't have to do anything really to have their messages exploited.
Just receive one of these weaponized messages and open it.
Literally, as soon as you receive this message and your phone opens it, then that's the point at which bad guys could potentially perform some remote code execution, run some dodgy stuff on your phone, and even read some files from your device.
Now, what I should say is that these disclosures were all done very responsibly by Google's Project Zero team.
They let Apple know about the exploits, and there's a kind of statutory 90-day period in which Apple has to develop some patches to fix the vulnerabilities before Google went public with it.
It's a bit embarrassing for Apple, but I think it's better that Google finds it than somebody with fewer scruples.
GRAHAM CLULEY
Well, yes, yes, I agree. And I think Google have done very well here.
I mean, I think it's fantastic actually that Google have fixed every single vulnerability in the Android operating system so that they're now able to spend time finding flaws in their biggest competitor.
I think it's really well done them because Android's perfect.
DAVID MCCLELLAND
So I'm grateful for them. I feel a lot better about that now you've said that, actually.
CAROLE THERIAULT
You know I'm an Apple girl, right? So maybe that's why I'm getting twitchy. But while you're reading this, I keep wanting to go point out that it is potential. It is potential.
So they found potential vulnerabilities that could have been hacked.
DAVID MCCLELLAND
Yes. And these are proof of concept exploits.
CAROLE THERIAULT
Exactly. So of course, Google's Project Zero team are flexing its muscles, saying, aren't we smart?
DAVID MCCLELLAND
Yeah, exactly.
GRAHAM CLULEY
They are. But they've written the code which demonstrates this. And published it, which demonstrates that this could be possible.
Yeah, so it's important people update to iOS 12.4 to protect against this.
DAVID MCCLELLAND
Exactly. Now, it was ZDNet, or ZDNet if you're in the US, which broke the story.
And what it did, apart from basically reporting what I've just spoken about, it went and spoke to some exploit vendors and bug marketplaces, and they valued these exploits in total at up to $24 million.
Wow. Yeah, that's an awful lot of money.
And you know, that's how much some, and I'm doing the big rabbit's ears, security firms might be willing to pay in order that they could then package up those exploits and sell them on to, well, who knows?
And that's the really scary thing about the whole black market.
CAROLE THERIAULT
Do we know that Apple has a bug bounty program?
GRAHAM CLULEY
I'm not sure.
DAVID MCCLELLAND
I don't know the answer to that. Doesn't seem like a very Apple thing to do, how you describe it, you know, to go out and say, hey, we've got a bug, you know, apple.com/bug-bounty.
Doesn't feel—
CAROLE THERIAULT
Ransomware don't like to be told what to do.
GRAHAM CLULEY
I've just searched.
GRAHAM CLULEY
I've just searched. Yes, Apple do have a bug bounty program and they can offer, I think their top prize on offer is about $200,000.
CAROLE THERIAULT
So that's a little bit nicer than what I've seen from Google. I think Google's was $30,000.
GRAHAM CLULEY
It can go all the way down to $25,000. $5,000 as well. It just depends on the severity of the bug.
CAROLE THERIAULT
I wonder if Google collect the money.
GRAHAM CLULEY
Well, I wonder.
CAROLE THERIAULT
Wouldn't that be a nice twist in the tail? And here's your invoice. Thank you very much.
GRAHAM CLULEY
But you're quite right, David. I mean, these sort of exploits would be very attractive to the NSA, GCHQ, FSB, etc., Mossad.
You know, they would all love to scoop up this kind of thing in order to spy on others.
DAVID MCCLELLAND
And we've had some very high-profile, some pretty horrible cases over the last 12, 18 months or so where allegedly smartphones have been bugged, you know, remote access trojans, whatever, running on devices and horrible things have been happening when these kind of exploits fall into the wrong hands.
So like I say, good work Google by disclosing this safely to Apple.
Apple developing for all except one of the vulnerabilities, and I understand that in iOS 12.4, it failed to fix one of the vulnerabilities, and Google has withheld disclosing the code and how that exploit works.
So hopefully that will also be patched in the next few weeks.
But something that's happening next week, one of the researchers, Natalie Silvanovich, who found these exploits, is actually talking about this at Black Hat in Las Vegas, which is the big security conference that takes place there every year.
And she'll be spilling the beans on even more potential ways in which iOS devices can be attacked, including visual voicemail and so on.
So there's a lot more to the iOS attack surface there, including these interactionless vulnerabilities, which are so highly prized.
CAROLE THERIAULT
I haven't heard that term before, interactionless. It's not easy to say. Interactionless.
GRAHAM CLULEY
Maybe if Penelope tried, she'd be able to handle it quite smoothly.
CAROLE THERIAULT
Keep working at it, Graham Cluley.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
So data anonymization sounds pretty dull, doesn't it? And I get it. But it's an important factor that helps us feel secure when we share identifying information, right?
So say you have rickets, or say you were the victim of a milkshake attack, or say you suddenly found yourself broke or bankrupt because your partner spent all your cash, right?
You don't want any old Joe Schmo finding out about that stuff because it's private.
CAROLE THERIAULT
And you want to manage who knows and who doesn't know. So you might decide to tell the docs all the details but stay schtum at work.
And you know what, I don't even care who you are, whatever your deal is, there is something private or embarrassing about you on a cloud system somewhere.
CAROLE THERIAULT
You know, something that you'd very much prefer that no average Joe found out about.
I mean, remember, Clue, when you had problems and you went to the doctors and you got it checked out and then you got the for the dick because she was fucking while she was assessing your anatomy.
Okay, don't worry, I'm gonna beep all this out. I'll beep all this out. Okay? But my point is—
GRAHAM CLULEY
It was a medical situation and I could—
CAROLE THERIAULT
But my point is the fucking problems are on record somewhere, right?
But you, like everyone else, you're probably not worried about this kind of thing because you know about data anonymization, right? And this is where information is sanitized.
And it's all designed to protect the privacy of the individual.
GRAHAM CLULEY
Can I just check, you're not planning to put that out on our Patreon, are you, as bonus content uncensored? I don't really want those stories. Namaste.
CAROLE THERIAULT
Do some yin yoga. You'll feel so much better. Now, it is either in the process of encrypting or removing PII from these datasets, right?
So that's what we mean by making it anonymous or anonymizing the data.
Like in the context of medical data, you would take out all the information that protects the patient from being identified by someone.
So, another medical professional, another hospital might be viewing this dataset, and they don't need to know who you are.
GRAHAM CLULEY
They don't need to know your name, your address, your date of birth, your National Insurance number.
CAROLE THERIAULT
Exactly. They don't need to know any of that stuff, right? In order to make an assessment or to look at the data and make a call on it.
GRAHAM CLULEY
They wouldn't even need to know your weight. They might need to know, you know, might need to know sort of, well, what they might need to know within a band or something.
They don't need to know precisely to the pound.
CAROLE THERIAULT
It might depend on what they're working on.
GRAHAM CLULEY
Yeah, yeah, sure.
CAROLE THERIAULT
And when you go see your doctor, your accountant, or a lawyer, or bank manager, whoever you hang out with, Graham, they may need to deanonymize that data in order to assess your specific case.
And this is what deanonymization is, is the reverse of the same process.
It's where you cross-reference this anonymized data with another related data source, and then you can re-identify the anonymous data person.
GRAHAM CLULEY
Okay. Yeah. All right.
CAROLE THERIAULT
It's kind of complicated. But as a side note, you might remember that GDPR brought in this kind of nerdy term called pseudo-anonymization.
CAROLE THERIAULT
And this is what— this is another term for it. So this is where you can kind of basically decrypt anonymized data or whatever, not decrypt, but reverse engineer.
Reverse engineer anonymized data to find out who a person is. Now, one last edu point here before we get into my story. It's a big, long segue, long segue.
GRAHAM CLULEY
Yeah. A lot of foundation here.
CAROLE THERIAULT
It's important.
GRAHAM CLULEY
Yep. Okay. Yep. I mean, I'm glad you include that bit about my shit. So that was really helpful. Yeah.
GRAHAM CLULEY
I'm glad that got in there.
CAROLE THERIAULT
No problem.
GRAHAM CLULEY
That was important.
CAROLE THERIAULT
Namaste. No, that was important.
GRAHAM CLULEY
That was important.
CAROLE THERIAULT
So here's a really important point. Anonymized data is not controlled like data which has personal identifiable information in it.
Anonymized data can and is regularly bought and sold without violating any privacy laws.
And the idea is that this useful info doesn't infringe on individual privacy and therefore doesn't fall under that law. So are we all with me?
Am I sounding like I knit with a single needle or am I making sense right now?
GRAHAM CLULEY
No, I understand. Yeah.
DAVID MCCLELLAND
And that's a really important point, that last point you make, Carole. I think that's the crux of this, isn't it?
CAROLE THERIAULT
Yes, it is. So imagine my surprise when on a beautiful Sunday morning, I'm perusing my news feeds and I see an article in New York Times entitled, "Your data were anonymized?
These scientists can still identify you." Right? Now, before we get into it, I have a real problem with the word data being pluralized like that. Do you?
DAVID MCCLELLAND
If you are a scientist, if you come from a scientific background, then data is a plural. I've had this argument. Yeah, yeah, totally. Definitely.
'Datum' is the singular, 'data' is the plural. And if you come from that academic background, that is still very much enforced, dare I say.
GRAHAM CLULEY
I would argue it's the failing New York Times at this point. I find it quite offensive. It just seems wrong to me.
CAROLE THERIAULT
I find it offensive too. It's, I can see data as the universe, you know? And there's a lot of components inside the universe, right? But we see the universe as a singular concept.
GRAHAM CLULEY
Just so long as it's not data, that's the most important thing.
CAROLE THERIAULT
So here's the upshot of the article. In any case, anonymized datasets often include scores of so-called attributes, right?
These are characteristics about an individual or a household.
You might remember that massive Experian-Alteryx cyber whoopsie from 2017, where the credit firm left the personal info of a whopping 120 million US households open on an Amazon bucket.
That means basically that if any of us knew the URL, we could just type it in and go and visit, and we would be able to see the addresses and the ethnicities and the interests and the hobbies, the incomes and the mortgage details and yada, yada, yada of 120 million households in the US.
In the Experian case, there were 248 different attributes or data points for each household.
So fast forward to the article, scientists at Imperial College London and Université Catholique de Louvain in Belgium. Excuse me, excusez-moi, monsieur.
DAVID MCCLELLAND
No, no, no.
CAROLE THERIAULT
Okay. They published that they devised an algorithm that can identify 99.98% of Americans from almost any available dataset with as few as 15 attributes.
So imagine you've got a wealth of attributes, but just let's use Experian that has 250 roughly.
You could take any of those 15 and I'd be able to go, I know who you are within a 99.98 percentile.
GRAHAM CLULEY
Which means that there would only be 2 out of every 10,000 who you couldn't do it to. 2 people out of every 10,000.
CAROLE THERIAULT
I don't even know if you're right, but let's just hope you are.
GRAHAM CLULEY
Let's hope I am.
CAROLE THERIAULT
The researcher said, quote, "Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards of anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release and forget model."
GRAHAM CLULEY
It sounds horrendous.
CAROLE THERIAULT
There's more. I'd like to know if you guys think this is surprising. The scientists posted the software code online for anyone to see and use.
GRAHAM CLULEY
Yeah, well, that's what researchers do, don't they? Like, show off, say, aren't we clever? Never mind the implications.
CAROLE THERIAULT
Ordinarily, I would argue that when they discover a security flaw, they alert the vendor, government agency, whoever is hosting the data.
But because there are mountains and mountains of anonymized data circling worldwide, Dr. De Montjoye—
GRAHAM CLULEY
Which university is he at? Could you just remind me?
CAROLE THERIAULT
That's in Belgium. He says, well, everyone's at risk, so we had to put out the code. So I have a lot of issues with that.
I kind of understand, but at the same time, we know about the Experian and many, many, many other hacks where all these datasets have been taken, stolen.
And he's just made the job of those people much easier to search and use that and identify people.
GRAHAM CLULEY
Yes, but I mean, it's a bit of a quandary, this one, isn't it?
Because if they simply said, "Look, we have this ability," then it does kind of disappear from the headlines almost instantly, doesn't it?
And get forgotten, and it's yesterday's news. Whereas if you release a tool, that does have the potential for others to try it out and raise the alarm again and again and again.
And don't forget that every disaster movie begins with a scientist being ignored. And somehow we need to have them listened to sometimes with this and other important issues.
CAROLE THERIAULT
So an argument I heard in favor, right, and this is still, you know, I recommend everyone reads this article in the New York Times, but an argument they make in there is that other scientists like to double-check facts and figures, right?
So by having the code, you can do... Yes, that's true. So I can understand that restricting access to the code is challenging.
But at the same time, on the other side, you're also impinging on someone's privacy by letting anyone do this.
GRAHAM CLULEY
So maybe if the scientists were only to share it with other people they had confirmed to be scientists— are they wearing a white coat?
Do they have a great big forehead and an egghead?
CAROLE THERIAULT
This is why I'm so glad we do this podcast together, because sometimes you're just so smart.
GRAHAM CLULEY
Oh, thank you very much.
CAROLE THERIAULT
You don't have to restrict access to everybody, but you want to control it.
So you might say, hey, look, if you prove that to me that you're a scientist or that you have good intentions or you're going to further the cause in a good, healthy, ethical, moral way, then rock and roll.
Here you go.
GRAHAM CLULEY
Here's the URL. We've put it on an Amazon bucket. We've given it a good password.
CAROLE THERIAULT
Anyone can get it. Don't share it. Don't, please don't share it with anyone.
GRAHAM CLULEY
Password 123. There you go.
CAROLE THERIAULT
So, yeah, so I don't think it was the right decision to make the code available for anybody to fuck around with.
And I agree with you, they probably did it for the headlines, and that's probably why I'm talking about it. But, yeah, what do you think, David?
DAVID MCCLELLAND
Actually, where my head was, I was just thinking of a sidebar to the power of deanonymization, and it reminded me when you were talking at the beginning in particular about a story that I saw last week, I think it was, while I was on holiday.
I don't know if you saw it too, but basically the Russian intelligence agency, the FSB, was the victim of a data breach.
GRAHAM CLULEY
Oh, bless them.
DAVID MCCLELLAND
You saw that the researchers who got hold of the data saw some of the internal projects that the Russian secret service had been working on, and one of them talked about de-anonymizing users of the Tor browser.
So Tor obviously is, you know, the Onion Router.
It's the way, a very, very secure, safe way that users are anonymized when they're visiting all kinds of places on the clear web and on the dark web.
And the ability potentially to de-anonymize users who are using Tor is really, really scary for so many reasons.
CAROLE THERIAULT
I think maybe something is right in GDPR. Maybe we shouldn't call it anonymization because it's not— it is pseudo-anonymization. It's a much better word.
It's more accurate because you think you're hidden, but all this information is floating. I mean, the mere fact that I referenced thingy, right? Your little issue.
GRAHAM CLULEY
I think that's the third or fourth time you've done it now. Yes.
CAROLE THERIAULT
Obviously I'll bleep it out in the final production, but it will forever live somewhere in the raw audio file on a big ginormous data cloud somewhere.
And now I feel bad because I've exposed you.
DAVID MCCLELLAND
I mean, I didn't.
CAROLE THERIAULT
Well, yeah, you know what I mean.
GRAHAM CLULEY
You don't feel as bad as Dr. You examined me. I'm sure she's still probably having nightmares.
CAROLE THERIAULT
Hey Graham. Yes, there are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control shared access and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing.
We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
GRAHAM CLULEY
Yeah, they do online training. They've gamified it.
It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
CAROLE THERIAULT
And best thing, it's not boring.
GRAHAM CLULEY
No, not boring at all. You learn everything. GDPR, malware, data security, password safety.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
CAROLE THERIAULT
On with the show.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
DAVID MCCLELLAND
Pick of the Week.
CAROLE THERIAULT
He's such a professional.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
And my pick of the week this week is not security-related. It is something we've mentioned on the podcast before, although I don't believe it has been anybody's pick of the week.
It is a game for the Nintendo Switch. It is the game for the Nintendo Switch. Everybody knows it. It's Legend of Zelda: Breath of the Wild.
An extraordinary, incredible game, possibly the greatest game ever written. Absolutely unbelievable.
And the reason why it's my pick of the week this week is that my son, when we first got a Switch, we got it with Breath of the Wild.
He's 8 years old and he started playing Zelda and he was enjoying it.
He got a reasonable way through it, but just in the last week, because it's the summer holidays, he decided to start again from scratch.
And basically that's what he's done the entire summer holidays so far.
CAROLE THERIAULT
While you've been working, you've had a nice little Switch babysitter.
GRAHAM CLULEY
Exactly. And he's nearly finished it. He is so close now to killing Ganon. It's unbelievable.
CAROLE THERIAULT
You know, I've played that game and I think I played that game with you, Clue, when I was still in my 20s.
GRAHAM CLULEY
Well, we played earlier versions of Legend of Zelda. Yes, obviously.
GRAHAM CLULEY
Of course. Obviously. We played Ocarina of Time, I think.
CAROLE THERIAULT
Ocarina of Time.
GRAHAM CLULEY
Which was— which probably was the greatest game at the time. And there've been others Wind Waker and Majora's Mask and—
CAROLE THERIAULT
That's the only one I played.
GRAHAM CLULEY
Yeah. Breath of the Wild.
GRAHAM CLULEY
It has just taken it to a whole other level.
So I thought, you know, if you've got a Switch and if you bought Legend of Zelda when you bought your Switch, why not give it another go?
Because I'm just astonished how huge this game is and how detailed and how much darn fun it is.
On those rare moments I've walked into the sitting room and seen how far he's got, it's truly amazed me.
CAROLE THERIAULT
Do you know what I think is amazing?
I think it's so great how you find these little known things that no one's ever heard of and you just bring them to the surface on the show and help people find out about things.
It's great.
GRAHAM CLULEY
Sweet. That's a bit snarky for Penelope, to be honest, Carole, to say that.
CAROLE THERIAULT
It was definitely a sweet voice though.
GRAHAM CLULEY
Yeah, well, I don't think that's enough. I think it's the content as well as the delivery which matters.
CAROLE THERIAULT
Oh, you're managing me.
GRAHAM CLULEY
David, what's your pick of the week?
DAVID MCCLELLAND
Well, I don't know if you read or listened to the official Steve Jobs autobiography—
DAVID MCCLELLAND
Not autobiography, biography, written by Walter Isaacson all the way back in 2011.
CAROLE THERIAULT
I still haven't read it. Isn't that awful?
GRAHAM CLULEY
I should totally read it. It was really good.
DAVID MCCLELLAND
It is an epic tome. It's the best part of 600 pages, and the audiobook is just a little bit over 25 hours long.
CAROLE THERIAULT
So, long road trip. You were going to Spain and listening to it?
GRAHAM CLULEY
He was rowing to Spain.
DAVID MCCLELLAND
I think, I mean, if you haven't listened to it or read it, whether you're on the Apple or the Android side of the fence, or both I am, then it's a fascinating insight into the mind of one of the most influential creative technologists of that era.
Now, Walter Isaacson's follow-up book to the Steve Jobs book is called The Innovators: How a Group of Inventors, Hackers, Geniuses, and Geeks Created the Digital Revolution.
It's quite a long title, but I think it kind of says what it does on the inside, really. It takes a big look at the digital revolution, not through the eyes of a single person.
And that's the key thing here, because so many books focus on Bill Gates. Well, actually, there isn't a decent biography of Bill Gates, and I've been looking for one.
If anyone knows of one, then please do let me know, because I've not been able to find one yet.
But obviously, there's the Steve Jobs book, there's stuff about Alan Turing and Ada Lovelace and so on, and Larry Page.
But there isn't anything that talks about the role of collaboration, of innovation, how different people actually work together to create these big innovations.
Because obviously, Steve didn't make the iPhone on his own, and Bill Gates didn't make Microsoft on his own.
But you could be forgiven for thinking that that is the case from, you know, the snippets that we get and, you know, the kind of journalistic abbreviations that we use.
So this book looks at major breakthroughs all the way back to Charles Babbage and Ada Lovelace, all the way through Alan Turing and John von Neumann, Bill Gates and Paul Allen.
It's the creation story of each one of the movements that they founded, and it goes all the way up more or less to present day. It finishes about 2014 or so.
But it covers the birth of Google, the birth of Microsoft, the birth of Apple, and all the way through to Jimmy Wales and Wikipedia as well.
I finished this a couple of weeks ago, just before I went on holiday, and I know it's a good book because I want to listen to it again straight away as a bit of a history geek, as a bit of a tech history geek.
Though I didn't realize quite how many holes there were in my knowledge. So I cannot recommend this book highly enough.
CAROLE THERIAULT
I've just put it into my bucket, so there you go.
DAVID MCCLELLAND
There we go.
CAROLE THERIAULT
Your sales pitch worked.
DAVID MCCLELLAND
Fantastic. The Innovators by Walter Isaacson. Go and read or listen to it now.
GRAHAM CLULEY
Sounds like a great Pick of the Week. Thank you very much, David. Carole, what's your Pick of the Week?
CAROLE THERIAULT
Well, I'm starting with a question.
CAROLE THERIAULT
What knowledge do each of you possess that might save your life one day, or my life if you tell me?
DAVID MCCLELLAND
Don't forget your towel.
CAROLE THERIAULT
Okay. Graham, you have any?
GRAHAM CLULEY
You put me on the spot here.
CAROLE THERIAULT
Okay, I'll carry on. And you, if you come up with one, you let me know.
GRAHAM CLULEY
Yeah, well, I'll let you know as you're choking or flapping around on the floor. I'll say, no, Carole, don't worry, it'll come to me in a moment. What I'm supposed to do.
Don't worry, it'll come to me.
CAROLE THERIAULT
I know that one. Okay, so basically my pick of the week this week is an Ask Reddit article, right?
So AskReddit is a subreddit, and the article is called "What Knowledge Might Save Your Life One Day," right?
And this is one of those clickbaity titles that occasionally I might fall for at 8:30 in the morning while I'm sucking back my first coffee of the day.
And I clicked on it, and what a treasure trove.
GRAHAM CLULEY
Check it out.
CAROLE THERIAULT
Now, the thing is, I knew a few of them, and the ones I knew, I was like, yeah, I agree, good advice, right?
And the ones I didn't know sounded like good advice, but it could really be not good advice. One of them, here's one, right? If you're ever charged by a moose, get behind a tree.
They have about a 10-inch blind spot and they'll lose you.
GRAHAM CLULEY
That actually is excellent advice.
CAROLE THERIAULT
If it's true.
GRAHAM CLULEY
Oh, I'm sure it's true. It's on Reddit, Carole. It's on the internet.
But the other thing is about the moose's blind spot, it's also well worth bearing in mind if you're ever on a motorbike and overtaking a moose, right?
To know about their blind spot as well. So make sure to be careful with that.
CAROLE THERIAULT
Okay, here is one I thought was quite good, right? If you fall into cold open water, resist the urge to swim and try to float.
GRAHAM CLULEY
Oh, I know this one, yes.
CAROLE THERIAULT
Until the onset of panic subsides.
CAROLE THERIAULT
Once you've got your breathing under control— now, as a lifeguard, and I can say this is absolutely 100% true, and I have actually had to save people before in rough waters and currents.
GRAHAM CLULEY
Because people panic, don't they? And they're flapping around.
CAROLE THERIAULT
You almost want to punch them in the head so they stop trying to grab you and drown you in those situations. It can be really scary as a lifeguard.
GRAHAM CLULEY
And they've had the shock— sorry, Carole, I know you're a lifeguard, but let me speak. They've had the shock of falling into the cold water as well.
GRAHAM CLULEY
Which is obviously— so the thing to do is be like Penelope, right? Is to be calm, be serene. Namaste it out.
CAROLE THERIAULT
Yeah, do a little startle fish.
GRAHAM CLULEY
And then once you've just got your composure, then start swimming to safety.
CAROLE THERIAULT
Now, listen to this, right? On this thread, so I looked at this this morning, this morning.
And I just looked before the show, and when the last time I looked, there were over 30,000 comments on this thread. Okay.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
So a lot of people, that's a lot of life advice. It's a ton of life advice. So check it out. It's on Ask Reddit, and I'll put the link in the Smashing Security website show notes.
GRAHAM CLULEY
Wouldn't it be good if we could get this as an audiobook?
CAROLE THERIAULT
Well, don't worry. I've already thought about that. I was thinking, who owns this content?
Couldn't I just slap this into a little book for Christmas, make it available to everybody, choose my favourites, as curated by Carole Theriault.
GRAHAM CLULEY
Just have a little legally saying you haven't actually tested anything.
CAROLE THERIAULT
Yeah, TM Carole Theriault. Nice.
GRAHAM CLULEY
All right, good. Well, Carole, on that life-saving note, I think we've just about wrapped up the show this week.
CAROLE THERIAULT
We have.
GRAHAM CLULEY
David, thank you so much for joining us once again. I'm sure lots of our listeners would love to follow you online. What's the best way to do that?
DAVID MCCLELLAND
It is probably on Twitter @DavidMcClelland, all the L's, all the C's, and a few vowels chucked in for good measure.
But I'm sure you will mention me on the @SmashingSecurity Twitter as well this week. So follow me there.
GRAHAM CLULEY
There we go. And yes, you can follow us on Twitter @SmashingSecurity, no G. Twitter allows to have a G.
We have a G everywhere else, but not on Twitter, including on Reddit where we've got an active community as well.
And if you want to support the show, you can also go to our Patreon page.
CAROLE THERIAULT
Yeah, and huge thank you to this week's Smashing Security sponsors, LastPass and MetaCompliance.
Their support helps us give you this show for free, so be sure to check out their offers.
As always, virtual hugs to you all, you wonderful listeners, and welcome to our brand new Patreon subscribers. My screen's frozen, so I don't know what else I say.
GRAHAM CLULEY
Until next time, cheerio, bye-bye everybody, adios! Hasta luego.
I take it that your sarcasm relating to the word "Data" is a knock at Troy Hunt and his use of the word, I must say not very funny and highly intolerant. I might go as far as to say that the childish squabbling between you Graham and you Carole that you use as comic relief in each episode is getting quite tiresome again, I don't get it, if you get on each other's nerves so much, why work together. I am seriously rethinking of whether this podcast is worth listening to, if it weren't for guests like Maria, David, Mikko and others I probably would have done a while ago.
Huh? I have no idea how Troy uses the word "data". Whatever we said on the podcast that upset you was nothing to do with Troy.
If you'd worked in close proximity to Carole for 20 years you'd probably speak to each other like we do as well. It's not put on for comic effect, it's just how we talk.
Listening is not compulsory. If you don't enjoy it I'd hate to think that you felt you had to listen. Lots of other great podcasts out there.
The breach… So you say the data (or links to it) were published on GitHub?
Is that not owned now by MS?
Do they have it too?
Presumably they have at least weekly backups/archives and if this has been up for a month or two, who knows who else may have had access to this client database?
TL;DR: I would say not at all. Besides normal licenses (for the stuff published) illegal content they would not have a right to say they own. As for backups: that's a complicated thing indeed but it should be assumed that once something is public it will never be removed from all hosts because someone is likely to have downloaded it. Fact of life. Otherwise:
–
I don't know particulars but …
As an open source advocate (who has contributed to open source and has written my own OSS etc.) I was rather disconcerted when I first heard about MS involving themselves with GitHub. But I seem to recall (dimly – and I was sceptical) that they were not going to 'change' things in that way. Of course that isn't always how it happens in reality …
Still if there was a data breach published on GitHub I really doubt MS would get involved in that. Also there is the licensing issue even besides the fact that it's not the publisher's rights in this case. This goes for all things published there. So I don't see how they could 'own' it – especially not legally.
How they manage backups I do not know but one would presume it's nightly. As for your last question who can tell? It is an interesting question though isn't it? If someone publishes illegal content on a platform such as GitHub that is backed up how does that work? How is it verified that it is purged from their backups? And the longer it's there the longer people have time to download it etc. It also brings up a lot of ethical/moral and also philosophical questions and I personally believe there will ever be a fully satisfactory answer here.
I recall from years ago that it was the responsibility of the owner of a server (or say a web host) to make sure illegal content is not there but I think that things are so much more complicated nowadays (I thought at the time that that was also complicated and not necessarily right full stop as a black and white thing) – not to mention there being so many more people on the Internet. Even just back to the late 1990s there are so many many many more people on the Internet. Going back to earlier decades all the more. Before the early 1990s there wasn't the web but there were still ways to share data. In those days though there weren't really that many people in comparison and as I have observed most people don't even know that it's that old (actually if you consider the predecessor it's decades older than that). As it is many people conflate the world wide web with the Internet when it's not at all the same thing. The Internet is what allows it to be 'world wide' but it's much more than the web.
Unfortunately if content is made public you should assume that it's going to have been downloaded by someone and thus never properly removed even if the hosts wipe it out. Of course for some things this can be good but when it comes to things like this it's not good. Of course it can also be good if it's used to find the perpetrators but that goes to show just how complicated things can be in this world…
You know Graham the interesting thing is that what attracted me to check the link is the reference to 'The Legend of Zelda'. I was hoping for the original two from the 1980s but still nice to be brought back to time in another world even if only briefly. The Love Bug reference also was interesting to me. It sounded like there was a new thing or maybe the author spoke up for the first time (or again). I almost want to say I knew the author but if so nothing more than brief chats. I don't know if I did though but I certainly knew some other infamous authors.
Actually there is a lot of content and despite how dead tired I am I think it's one I should listen to definitely. Besides I love your sense of humour (and punning of course).
And I am surprised that you refer to donkeys and anonymity (Obviously I am referring to the spelling) but hey why not? Not even donkeys are anonymous unless it be that they don't have names!
—
Otherwise enjoy your new HQ! I much prefer your name for your new building rather than 'shed' or such things as that. But add GCHQ and it's even better. A most amusing and ironic and maybe even sardonic name but it's so perfect too.