
Ahoy! There’s trouble in the South China Seas as Filipino organisations fail to secure their systems, we take a close look at Google IP protection, and we take a look at just how so much genetic profile data leaked out of 23andMe.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They claimed that they had celebs inside their bucket list, including Mark Zuckerberg, Elon Musk, Sergey Brin.
Hang on, so there's a bucket, you said, full of Elon Musk and Mark Zuckerberg's DNA slopping around somewhere? Smashing Security, episode 345. Cyber sloppiness and why does Google really want to hide your IP address with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 345. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we're joined today by a special guest, someone who's been on the show many times before. Introduce them, please.
Have you forgotten my name? Is that—
Everyone, please welcome returning guest Mark Stockley.
Hi, yes, thanks for having me back on.
Mike Starkey is in the building. Hello, Mike, Ringo's little brother.
Okay, before we kick off, let's thank this week's wonderful sponsors, Collide and Vanta. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
I'm going to be exploring cyber sloppiness in the South China Seas.
Okay. What about you, Mark?
I'm going to be asking, who does your privacy need protecting from?
Ooh. And I'm going to be going from drool to data leaks.
Sorry, from—
Sorry, what?
I was trying to be clever. Maybe it's not that clever. We will find out when I do my story.
Can we do yours first?
All this and much more coming up on this episode of Smashing Security.
Chums, chums. Okay, what I'd like you to do is, can you both get hold of a pen and paper? I think we should play a little game of hangman. Do you both have a pen and paper to hand?
Yep. Back of an envelope. All right.
Yeah, that's absolutely fine.
Absolutely fine. I have a computer. Is that okay?
Computer, I suppose, will do. It's not the traditional way to play Hangman. I am thinking of 8 letters, okay, in this game of Hangman. So, I'm going to give you both different words, all right? And I'll let you both shout out letters. You can play along at home, by the way, but I won't be able to guess what letters you're shouting out, so that won't work quite so well. So, Carole, you go first. What letter would you like?
I would like an E, please.
An E? Sorry, there's no E. Mark, for your 8-letter word, what letter would you like to start off with?
I'd like an A, please.
An A? Oh, second letter.
No, no, I said an E, sorry. Oh, an E. Did you say A is second letter? Okay, I'll have that one too, thanks.
Yes, A is the second letter for you. Carole, would you like to have another go?
Yeah. Did the A get in or no?
You haven't said A. You said E. You've got different words. You've got different words.
Oh, yes, yes, of course. I thought we could work together.
No, not in this case. You can't. No.
It's a competition. Okay. X.
Sorry, Carole. There's no X. Mark, would you like to choose another letter?
I would still like an E.
No E for you, I'm afraid, Mark.
D?
D! Second character is a D. Well done. Okay. Let's speed this up a bit.
Is this your whole story? Honestly. This is not— I'm worried that you don't know what makes good radio anymore. I don't know. I'm worried. Nervous, nervous.
Can I have an O, please? An O?
Yes, you can. O is your sixth character. Mark, well done. So you've got something A, something something, O, something something. Carole, your turn.
O, please.
No O, I'm afraid, Carole. Not doing very well.
Okay, I'm bored of this game.
Can we—
Can I have a W?
A W? Yes, you can. That is your 5th character, Mark. 5th character. So you've got something A, something something, W. Something work.
Something work.
Could be work.
Yes, that's quite a good guess.
Something work.
Carole?
I'm not playing anymore.
You're not playing anymore? Okay, just over to Mark then. Over to Mark.
Oh, is it password?
Password! Very good. Password is absolutely right. Carole, would you like to guess? You at the moment have blank, D, blank, blank, blank, blank, blank, blank.
Yep, no idea.
I'll give you a clue. The last 3 characters are 1, 2, 3. Would that help at all?
No. I'm guessing it's a password.
Is it admin? Is it admin123?
Oh, Mark, you are really good at this. You have got elite hacking skills. And this would prove very handy if you were living in Manila in the Philippines right now, because there's been a report in the South China Morning Post all about passwords. Because earlier this month, hackers hit the Philippine Health Insurance Corporation with the Medusa ransomware, and they stole a whole load of data and they threatened the insurer. They said, you've got to pay up $300,000, otherwise we're going to release your data. They refused to pay up. And so the data was released. And this has been big news in the Philippines.
I'm just thinking, you just— I just— it's just a little brain fart here. But it makes sense to me that if you paid for insurance to cover your butt during this type of event, right? You would want them to pay these things so your information didn't get published.
Well, yeah. So I don't know. So this was the Philippine Health Insurance Corporation. I don't know if they cover ransomware as well.
So it's more about medical insurance. This is the national health insurer for the Philippines.
That is right.
So they provide universal health care.
Oh, I see. Yes, okay. Like the NHS might do, et cetera. Okay, sorry. All right, carry on.
So I don't know whether they had ransomware insurance because you're right, normally the insurers, I think, would may well say, well, look, you're covered for this much, therefore pay that much and we'll cover you. But maybe they didn't have ransomware insurance. What we do know is that they didn't have antivirus software because apparently the attack was helped somewhat because the organization hadn't approved a request to renew its antivirus subscription. So when McAfee or Norton or whatever it was popped up on their screen and said it's time to renew, they obviously said, oh, just ignore for now. We're not going to do that. But millions of people have been impacted as a result of this data breach, including obviously the people in the Philippines, millions of them, but also people working overseas. And it's not been the only hack going on in the Philippines. On Sunday, the homepage of the Philippines House of Representatives, their website was defaced with a drawing of this big troll face and—
Troll face?
Yeah.
Have you seen that internet troll meme, Carole? It's like a—
No.
Have you not? Do you mean Pepe? Are you talking about Pepe the frog?
Not the frog, the other one, the ogreish one. You know, the sort of— I'm trying to do this. I'm trying to make the sound of a troll face. Make it look. Yeah. So just imagine.
No, I haven't seen it.
Anyway.
A group or a person calling themselves the Three Musketeers, albeit Musketeers with a Z at the end.
Cool.
They wrote in Tagalog and English on the website, "Have a nice day. Happy April Fools," even though it's only October. "Fix your flipping website," they said.
So they're basically going after sites that don't have enough protection.
Well, yeah, for some reason. For some reason, these official sites aren't properly protected. And there was another hacker who on Sunday was having a chat up on Twitter or somewhere, and he said that he'd broken into at least 5 major government agencies. He'd downloaded 500 gigabytes of data with the aim apparently of exposing security weaknesses. Now, he calls himself Diabolox, Diablo X. I think it's Diablo X. Diablo, Diablo X. Diablo with an X on the end. Diablo X Phantom. And he says he's 19 years old. I guess from the name he's probably 30.
What is it with all criminal hackers?
He's 19!
They all, they're all, they have, they're all trying to make out that they are these elite security, I'm just showing you where the security weaknesses are in your systems and I'm brilliant. And then they just act like 12-year-old boys and they put pictures of trolls and they call themselves Bitcoin 5000.
Oh yeah, much cooler if they stole all the money and destroyed the world in the process.
No, but they do that as well. They do that as well. And then they tell everybody that they're Robin Hood, but their name is actually Bitcoin 5000. And now it's just— they're all 12. They're all 12.
So in this particular case, this guy who claims to be 19— but I agree with you, Mark. He probably is a 13-year-old. He says he used to work in the government as part of their red team. Trying to find vulnerabilities and look up— and he says, I'm a hacktivist, I'm angry. These problems have been known about for ages. They've been pointed out to the government, but they've done nothing to address them. And he says he's hacked into these servers. He says he's hacked—
So hang on, hang on, hang on. So nothing's been done to address these problems.
Yeah.
So presumably the problem is that if something isn't done to address these problems, someone is going to break in and steal a load of data.
Yes. Yes.
That's the problem, right? We have to stop this kind of thing before it can happen. By raising awareness of these problems by breaking in and stealing all the data, so that somebody can't break in and steal all the data.
That's exactly—
They're 12. I'm telling you, they're 12.
Are they stealing data though?
Yes, 500 gigabytes. He's linked to it online.
Cybersecurity.
People are downloading it. He managed to break into— One of the servers he broke into belonged to the Philippine Air Force. And he grabbed all these documents, including material which was related to the creation of a national center of excellence for— well, can you guess what? Cybersecurity. Absolutely right. So he's got the plans for improving cybersecurity, which have leaked because of a lack of cybersecurity. And he says he's been able to break into these systems via a number of techniques. But one of the systems, when he broke into the Department of Science and Technology, was because of its password, which was admin123. If only it had been 123, that may have been a little bit trickier. But yes, admin123. And so there is this problem with— I mean, I know this isn't really breaking news. Lots of people still using really dumb passwords, including administrators. And in the last week, we've seen new research from the security outfit Outpost24. They've released some research where they were specifically looking into login credentials used by IT administrators. And they say they analyzed 1.8 million administrator credentials. 40,000 were using the password admin. That was the top one, followed by 123456, followed by 12345678, followed by 1234, followed by password.
Well, it's exactly the same as the annual worst password lists.
Yeah, it's nice to know that our show is making a dent in society. You know? That's what I'm feeling great about.
Come on, sysadmins. Maybe you should lead from the front, right? You're moaning at your staff all the time.
I'm gonna disagree with you here.
Okay, okay.
So, at what point do you stop banging your head against the brick wall? And just start shooting people? Maybe this wall is not gonna break. How long? So we've all been in the security awareness game one way or another for a very long time.
Too long.
I mean, I remember, Graham, you made a video about how to choose a strong password back in about 1904, filmed by me in black and white.
Yes, yes, that's right. Back in the old days.
We've been saying the same thing over and over again, and it doesn't make any difference as far as I can see. And I think the reason that it doesn't make any difference is that there's a fundamental misunderstanding about what the problem is. So I did some research a few months ago and all of the password manager vendors all reckon that their users have got somewhere around 80 to 100 passwords. Right. So the problem is that people have lots and lots of passwords. In the face of having lots of passwords, what do you do in order to make it so that you can remember them? Okay, you either write them down, which we've been screaming at people not to do for years, for as long as we've been saying choose strong passwords, or you make the passwords weaker or you reuse them. And my thinking is that password reuse and weak passwords are inevitable in an environment where people have to remember 100 passwords. There's a guy called Cormac Herley who works for Microsoft Research, who does brilliant research around passwords. And he pointed out that just remembering which password goes with which website, if you have 100 passwords, is more difficult than remembering the order of a shuffled deck of cards. That's before you have to remember what the password is, just simply remembering the association between a given password and a website. So cognitively, we're asking people to do the impossible.
If only there was a thing called the password manager or something like that.
If only you had a piece of tech which helps you.
But then you fall into the same trap, which is you say, if everybody just listened to our advice. If they're not listening to your advice to make strong passwords, they're not going to listen to your advice to use a password manager. So the people, I bet you, the people who use password managers, which is something like 10% to 20%, it's kind of similar to the people that use MFA. And I imagine those people already have strong passwords, 'cause they're the ones who are switched on about security. And it's everybody else that didn't listen to the advice about strong passwords that we need to be talking to. And I think we are talking to completely the wrong audience.
Well, why don't you go on another show then, Mark?
Jeez. I think maybe we should make our advice simpler. Maybe we should simply say to everyone, put an exclamation mark on the end.
Oh, for God's sake. And?
Because you need different passwords, add a different number of exclamation marks, right?
Okay, no, don't listen to Graham. Don't listen to Graham.
How about this? How about this?
Yeah.
Instead of telling users to choose strong passwords, we need to tell the companies that operate systems where you type a password in not to allow bad ones. So it's very easy to look up the 100,000 worst passwords when somebody says, right, this is the password I want to use. All you have to do is say, right, I'm sorry, that's on the list. That's one of the 100,000 worst passwords. Choose something else. Or better yet, here, we recommend you use this password. This is a strong password. It's very easy to do those things. And it puts the security back in the hands of the people who actually should be in charge of security rather than just random users.
Or what if, as we're giving really bad advice about passwords right now, why don't we upload every password as people enter it, creating an account to some central server, and they can check the password for you? That sounds trustworthy. Maybe the government could run a server where it checks your passwords and make sure that no one else is using it. That'd be fantastic, wouldn't it? Anyway, stop using admin123, stop using password, especially if you're a sysadmin. And that is my pick of— no, it's not my pick of the week, but that is the end of my story.
That's how light in content it was. All right.
Mark, what have you got for us this week?
You know, I like to start with a question. So my question for you today is, what company would you trust least to look after your privacy online?
Facebook, maybe?
Yeah.
They'd be pretty untrustworthy, I suspect. The Walt Disney Corporation. Oh, TalkTalk. I don't like TalkTalk very much.
All right. Let me put the question to you another way.
Yes.
So who does your privacy need protection from online?
People that want to misuse that information for—
Any organizations spring to mind? Yeah, yeah.
Governments, advertising companies, cybercrims, organizations.
So let's think organizations. You mentioned Facebook. Any others? Any others spring to mind?
Google. Google's the big one. They're the biggest advertisers.
All the places that we give all our information to all of the time, basically.
Yeah.
Yes.
Well, I would think if you drew up a shortlist, it's going to be Facebook, it's going to be Amazon, it's going to be Google. And my story today is about the new thing from Google called IP Protection, which is an experimental anti-tracking feature for the Chrome browser. And as you probably know, Google Chrome is by far the most popular web browser in the world. And it is, of course, made by Google. And Google, as you know, is a behemoth online advertising company that tracks absolutely everything you do. And in case you've forgotten, let me remind you. So Google is so keen to know what you're up to that it provides the most widely used web browser in the world for free.
Yeah.
It also provides the most widely used smartphone operating system in the world, Android, for free. The most popular email system, Gmail, for free. The most widely used website analytics software in the world, Google Analytics, for free. The most popular maps application for free.
Yeah. Jesus.
It also runs the most popular search engine so that it can see everything you're looking for online. The most popular DNS resolver so it can see everywhere you go online. And one of the most popular payment services so it can see everything you've bought online.
So they're really charitable is what you're saying, Mark. They're great guys.
They're the real Robin Hood.
Yeah.
So when do they make any money? I don't know how they do it.
Me neither. What do they do?
Well, Google likes to track you. So how is Google, with its IP protection, suddenly the champion of privacy? Well, it's complicated. So before we get into that, we need to do a bit of a dive into online tracking and IP addresses. So buckle up because we're going to get a little bit technical.
I'll be back in a minute.
The purpose of IP protection is to hide your IP address. Okay. For the benefit of any listeners who don't know, an IP address is a unique ID and it's used as your address on a computer network. So it's normally—normally you see it written as 4 numbers separated by dots, and it works just like your physical address. And the network acts like the postal service. So if 2 computers want to communicate with each other, they send messages to each other's addresses. And the network makes sure that the messages get delivered to the right place. So in order for you to use a website, it needs to know your IP address. You can't use a website without giving it a working IP address to reply to. That's a really important thing to understand. Now, your IP address is normally assigned by your internet service provider, your ISP, and it keeps a pool of addresses and it gives one to you. And although they tend not to change very often, it's important to understand that your ISP can and does change your address from time to time.
Yeah.
You with me so far?
Mm-hmm.
Yeah.
Now, it doesn't change very often, so it's semi-permanent. Your IP address doesn't tell anyone who you are, but it can be used to build a profile about you over time. So let's imagine that there's an IP address and it's tracked signing up for a dating website in January, and then it's used to buy some condoms from an online pharmacy in March, and then it reappears to buy a book on pregnancy in May. So you can see how a unique ID, even though it doesn't say who you are, can paint a picture about somebody's life and what they're interested in and maybe what's happening in their life.
Yeah. And the requirement for diapers for the next 2 or 3 years.
Yes, exactly. Well, that person then starts seeing ads for diapers on every website that they go to. That's how the online tracking works, and that's why there's money in it. Anyway, that's the theory, but it doesn't quite work in practice because the downside of IP addresses from a tracking point of view is that they're dynamic. So you remember I said the ISP can change your address. Well, on any given day, although your IP address is likely to be what it was yesterday, it could be different. If it's different, what's happened is your ISP has given you a different address, but it's given your address to someone else, which is really going to screw up the tracking. So not only does your continuity end, but somebody else is picking it up, which messes with the whole profile. So for that reason, trackers have tended to rely on third-party cookies rather than IP addresses, because IP addresses have that potential to suddenly belong to someone else.
Yeah.
Okay. But all the major browsers, including Chrome, are phasing out third-party cookies, and that is probably going to make IP tracking more useful.
All the angels sing.
And the way that you overcome the problem with the IP address being assigned to somebody else is by using something called a fingerprint. So a fingerprint is where the person who's tracking you gathers, let's say, 10 to 15 bits of data about your browser. So it's IP address, the fonts it supports, the screen size, and a bunch of other stuff. And if you take all of those together, that makes a really powerful unique signature, which is actually quite resilient. So if one or two of those details change... So if the IP address changes, but everything else stays the same, the tracker can say, actually, that's probably the same person. Let's just update that fingerprint with the new IP address. So as tracking companies respond to the death of cookies, fingerprints are likely to become more popular, and therefore hiding your IP address is a good way to disrupt that form of tracking. But who, you say, could save us from all of this nefarious fingerprint and IP tracking? Google! Exactly, exactly. So how about the biggest tracking company of them all?
Think of the power we will have!
So in comes Google with IP protection, which is in its early phases.
Which I imagine they're going to offer for free, right? It's going to be yet another great free thing from Google.
I think it's actually just going to be bundled into the Chrome browser. I'm not even sure... At the moment when they test it, it's going to be opt-in.
Why wouldn't you want to turn it on? I mean, what if that's brilliant?
So let's just look at IP protection and actually what it does, because you're barking up the same tree that I was when I first read about this. So Google's IP protection uses a proxy. And what that means is that you send your traffic to the proxy, and then the proxy sends your traffic onto the website. The website replies to the proxy and then the proxy replies to you.
Check. Yeah.
And so what that means is the website sees the proxy's IP address and not yours. And since millions of people would be using that same proxy and the proxy would have its own pool of addresses, it becomes useless for fingerprinting. But as you probably worked out, that puts the person who owns the proxy in a really powerful position because although it's hiding your IP address from everyone else, it gets to see everything you're doing, 'cause everything you do gets funneled through its infrastructure. So it suddenly has a ringside seat on all of your browsing.
I wonder if Elon and Mark are losing sleep over this, you know, in the power play for world dominance.
So what if the person who's operating the proxy or the company who's operating that proxy happens to have a proven voracious appetite for knowing absolutely everything about you? How would you feel about that? I don't know about you, my first thought on seeing this new proposal was of course Google would want to do that. Of course they're going to want to funnel everything through a proxy that they own. But interestingly, Google has an answer to that. So it actually says in the specification for IP protection that one of the core principles is that it shouldn't be able to track you using this proxy. And the way it's going to do that eventually in sort of phase 2 or 3 is what they call a two-hop proxy. And a two-hop proxy puts your traffic through two proxies that are operated by different companies. So it's saying, well, we'll operate the first one and then the second one will be operated by some sort of CDN.
Yeah.
And then we'll buy them in about 5 years.
Which probably means, it probably means someone like Cloudflare. And yes, I mean, what's to stop them buying them? What's to stop them just having some sort of arrangement with them anyway? The plan for the two-hop proxy is, okay, two different companies. And what that means is that neither company sees the entire traffic communication. So one of them sees where the traffic's coming from and one of them sees where it's going to, but neither sees both ends. So it's not useful to them. Now, I actually interpret this as a good faith effort by Google engineers. I don't think that this is subterfuge. I think this is actually, this is how you would make it.
Well, yes, the engineers have probably got good intentions. Yeah, I agree with that.
What are you saying? What are you saying, Graham?
Not so sure that the engineer's boss's boss's boss feels the same.
So I agree. I think there are still shenanigans afoot, but this is how I see it. So I don't think Google needs this information because as I pointed out earlier, it's already in your browser. It's already in your searches. It's already on your phone. It's already in your web analytics. It's already in your DNS. It's already in your payments and it's everywhere else as well. How many ringside seats do you actually need?
What's the number for Google Support, actually? Because they seem to run a lot, right? So if one of these things goes wrong, who do I call?
Have you ever tried calling?
Yes.
When one of these things goes wrong? Yes.
And there's no answer.
Carole, I think Google knows when it's gone wrong on your computer. They just don't give a damn. They can see that it's gone wrong for you.
So this is my unfounded speculation, okay? So Google's already everywhere, right? I don't think they need this new ringside seat to work for them as a tracking mechanism, because remember, it's a feature of the browser and they already own the browser. So what difference does this make? Well, do you remember I said that third-party cookies are going away? Okay, well, all the browser vendors have essentially agreed that third-party cookies are going away. Third-party cookies are the sort of standard cross-site tracking mechanism. Well, because Google Chrome is the most popular browser, for most people, third-party tracking cookies are going to go away on a timetable that's dictated by Google, okay? Because it only changes for people when it decides that Chrome no longer supports them. And Google doesn't have any plans to give up its ad business. So it's planning to replace third-party cookies with something called Topics in 2024. Have you heard of Topics?
No, what's Topics? It was a chocolate bar, wasn't it? Or Topic? Wasn't it a coconut flavor one?
It was called FLOC until the middle of last year, Federated List of Cohorts or something like that, which is widely panned by organizations like the Electronic Frontier Foundation. Anyway, so the way that Topics works is instead of sending all of your browser data to Google and then having Google process it into, okay, well, here's all the raw data that means that Graham is interested in X, Y, Z. What's going to happen is that Chrome is going to rifle through your browser history, which obviously it already knows. And then Chrome itself is going to decide what topics you're interested in, and then it's going to send that list of topics to Google. So Google doesn't get the raw data anymore. It just gets the list of topics. Now, that is actually a good win for privacy. Because it means that Chrome is sharing much vaguer and much more generic data.
But maybe it's also a good win for Google because it's distributed computing. They don't need their computing power to do all that churning. Yes, everyone's browser is going to be doing it instead.
You are doing the work of Google's advertising computers on your computer. So yes, you're paying. You're paying for that bit of it. But also, I mean, Google's ad business is going to continue. It's not going to switch to topics, it's going to start testing them next year, but it's not going to switch over until it knows it can replace third-party cookies, okay? But other people's ad businesses don't have the same luxury. So they're going to have to find their own successor to third-party cookies. And those companies don't own a browser. So they're going to have to turn to other methods. And the obvious methods that they're going to turn to are things like fingerprinting, and IP tracking. Now, isn't it interesting that Google's newfound interest in privacy isn't going to impact its own advertising model, but it is going to throw a spanner in the works of its competitors if they decide to use IP tracking or fingerprinting.
Hmm.
It reminds me of when Apple brought out that new app tracking feature. Do you remember that? So when you install an app now on an iPhone, you get a little pop-up that says, this app wants to track you all over the place, do you agree? And of course, you say no. And famously, it cost Facebook about $10 billion in its first year because everybody said no, right? And so Apple is hailed as this protector of privacy. And then about a year after it brought this feature out, it went, actually, we're going to introduce our own advertising model into apps.
Yeah.
And it was kind of a, it was a Trojan horse for bringing out its own ads. It just made sure that it was a good sort of healthy time.
So is it fair to say the elevator message of this story is all these big companies are really in it for the money? And when they say we're going to do this for you, it's free, don't trust them.
Yeah, don't trust. I mean, that's the fundamental thing I think with people is stop thinking that Google is a search engine. That's just a little side project they've got on the side there. They're an advertising company. Just remember that.
So are you going to use this? Are you going to switch on IP protection?
Well, I don't have Chrome. I'm not using Chrome. What do you use? Mind your own business. I don't want to tell you and then find out you're targeting me with something else.
You don't want to tell me what your fucking browser is?
No, I don't.
Okay. Okay, Mr. I'm not paranoid. All right.
Carole, what's your topic for us?
From drool to data leaks. You let me know if that was a good little slogan. So this is looking back a few weeks. October 6th, news broke that 23andMe, that's the company that collects genetic material from millions of people for ancestry and genetic predisposition tests. Okay, so these guys had a massive data breach. According to Wired, at least a million data points from 23andMe accounts seem to be exposed on the breach forums. And this was reported quickly after. And so we weren't sure what was really going on at the time. The genetic testing company 23andMe, which earlier this year boasted to its investors that it had 14 million customers, confirmed that the data from a subset of its users had been compromised, and they blamed credential stuffing. So maybe one of you guys want to define credential stuffing.
Where you fling a whole load of passwords at a different service. So you have— you've had a breach somewhere, so you've got your little database of usernames and passwords, and then you fling them at another service to see if they work to log into 23andMe as well.
Right. So if you were using the same password on Facebook, for example, as you were on 23andMe and they'd breached Facebook, they could then try that and they might just get a win. So the attacker, once it got into 23andMe using this credential stuffing, and that's what they assume is the way they got in.
Yeah, it wouldn't have been a problem if they'd added loads of exclamation marks, of course, at the end of their passwords, as I was recommending earlier.
They were able to scrape more people's information from a feature known as DNA Relatives. Now DNA Relatives allows users to opt in to sharing their info through DNA Relatives of others to see. So it's kind of basically like you sign up and say, hey, I want to find people that have the same DNA as me. And someone else says, I want to find that too. And if there's a match, you guys then get to chat. That's how it works.
I think it's a pretty helpful way of finding out if your dad was sleeping around in the '60s.
Right.
And you know, that's what it's really for, isn't it?
You can identify relatives from any branch of your family tree. Anywho, the data thieves obviously wanted to make a buck. So they post the initial data sample on the platform breach forums. They start selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of purchase, reported Wired.
And what do you get? So if I spent, you know, a couple of bucks buying a profile, would they give me a little test tube full of some spit?
Oh, see, that's where the drool came in.
Oh, I see.
Okay.
So I was wondering. So, so what do I get?
So, okay, so it would include a profile ID, account ID, name, sex, birth year, current location. And there are these fields known as Y-DNA and then N-DNA. They claimed that they had celebs inside their bucket list, including Mark Zuckerberg, Elon Musk, Sergey Brin.
Hang on, so there's a bucket, you said, full of Elon Musk and Mark Zuckerberg's DNA slopping around somewhere. Leaking, see? Oh, oh, oh, this is grim.
Now, as you guys will know, and maybe we can discuss a bit about this, genetic information databases have a pretty notable feature. Firstly, anyone's DNA set also reveals the information about others who share part of their genetic code with them. So if my mom decides, hey, this is cool, let me go see if I can find my great aunt, that may impact me because I share some of her genetic code. So someone sends a sample to 23andMe, the company has genetic information about that person and all their relatives, even if those relatives didn't send a sample or consent to any data collection.
Yeah. Have either of you ever done this? Have either of you signed up? God, no.
God, no.
Have you had family members who've done it?
Yes, of course.
Yeah, my ex-wife did this, and she wanted me to spit into something, or I don't know, scrape something from behind the back of my ear or something. And I said, no, I'm not bloody well doing that. Why do I want to do that?
Should have taken the neighbour's and given it to her. Just see what happens.
No, I actually got the dog. I just got the dog to salivate over something. Sent that in. Got some very interesting results. Turns out he's quite—
He's been quite busy.
So it's a bit of a privacy shit show, right? Is that fair to say? To put it in short?
Yeah.
And get this, this actually surprised me. According to The Washington Post, the type of information genetic testing these companies are collecting is currently not protected by the Health Insurance Portability and Accountability Act. What a mouthful. HIPAA. As it's better known. This is the USA's national health privacy law, and 23andMe still allows for third-party data sharing in its privacy policy. However, apparently in the EU, 23andMe, in its own words, says it's committed to the robust data privacy and security protections enabled by GDPR compliance. I saw this on their website, and this may be why they keep underlining it. Honestly, in every single article I read about this, and let's say there was a dozen. Every single one had the, "This was not a breach. This was credential stuffing."
Basically saying, "Our customers fucked up, not us." So 23andMe is saying it hasn't done anything wrong, although I would argue it has done something wrong by existing in the first place. So—
I agree with them up to a point. So I have a different beef with 23andMe on this. Words have to have specific meaning, particularly in computer security. You know, we have things like exploit and vulnerability. Which are English words with a— they have a meaning in common language, but they have a very specific meaning inside cybersecurity. I think 23andMe wasn't breached. There wasn't a failure in their computer systems. There wasn't a vulnerability in their computer systems. The computer system did exactly what it's supposed to do in response to somebody with a valid login. To me, this is more about an unauthorized access rather than a breach. What is the system supposed to do if somebody authenticates correctly other than let them in?
I just wonder what 23andMe's password requirements are. I don't know because I'm not a member, but I wonder if they could be strengthened a little bit.
So that goes to exactly what I was saying earlier, which is that you can't blame the users, or you shouldn't blame the users, or even if you do blame the users, the fact is that users behave like users and their behavior doesn't change over decades. So nobody gets to be surprised about the fact that people are reusing passwords. So there are specifically things you can do to stop reusing passwords. But more than that, if you— the CEO of 23andMe was out there saying, we have been offering multi-factor authentication since 2019, just never insisted on it. Yeah, they're basically saying to everybody, if you had enabled MFA, this wouldn't have happened. So putting the blame firmly on the users, but it's within his power to make it mandatory. Yeah. In 2019, instead of saying you can use MFA if you want to, he could say MFA is compulsory and credential stuffing basically dies in the face of MFA. You can't do it.
Yeah. And you could say, you know what, because DNA is kind of serious, right? We really want to make sure this information is protected.
Yeah.
And the other thing is, I suppose they could have put systems in place to try and detect if credential stuffing was taking place. So if they saw—
Of course.
—the same servers, for instance, bombarding 23andMe trying to log into accounts, using passwords, they could, unless I suppose they'd used something like Google's IP protection to hide their origin. That would have, oh, it's quite good, this IP from Google, isn't it? It'd be quite handy for people. Okay.
And last tidbit today on the day of recording, according to Reuters, 23andMe are sending emails to affected customers to inform them of the breach into the DNA Relatives feature that allowed them to compare ancestry information with users worldwide. And apparently they're working with federal law enforcement and forensic experts to investigate the breach. But in short, that's how you get from drool to data breach.
Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta. And it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
Nothing of interest happened in the intervening 5 years.
Some of the same characters are in that. So if you enjoyed one, you will enjoy the other, I suspect. But beautifully shot. And because, of course, it's full of French actors, you don't recognize anyone. You know, there's no one going to put you off and think, "What's he doing turning up here?" No Tom Hanks? No Tom Hanks. Nothing unpleasant that's going to happen. And I'll also say, on the BBC version on iPlayer, very big subtitles. So you don't have to put your glasses on to read the subtitles. The subtitles are enormous.
Oh my gosh. I thought with your grasp of French that you wouldn't have needed the subtitles. I recall an earlier episode where it was almost— Yeah.
It was weird, wasn't it? Anyway, so, Paris Police 1905 is my— I'm sorry, what was that accent? Is my pick of the week. Go and check it out. I think you'll like it. I think you'll like it. Mark, what's your pick of the week?
Well, I've got a confession to make. I'm not sure, but I may have— I think I've picked this one before. Oh? I can't remember. But if I did, it was a while ago, so we're going to go again. So my pick of the week is the British Hen Welfare Trust. So you know that I am a bit of a chicken fancier. You said it.
I've seen the DNA results.
I'll translate. He has a few pet chickens at his house.
They're actually outside. They're in the garden. They're not actually in the house. But all of my chickens come from the British Hen Welfare Trust. And the trust is a charity in the UK that rehomes battery chickens. So battery chickens are the chickens that are brought up in cages, and when they get to about 65 weeks, the number of eggs that they lay starts to tail off slightly. And so they're replaced with younger chickens, not because they no longer lay eggs, but because they don't lay quite as many eggs as a younger chicken does. Now, normally they're taking it easy. Well, no, I mean, life in a battery cage is not what you would call taking it easy. But what happens to them at that point, typically, they haven't seen any daylight in their lives, they've never scratched in the earth, they've just lived in a cage, and then they're trucked off and they're turned into pet food. The British Hen Welfare Trust actually takes those chickens and offers them for rehoming. So instead of going off to become pet food, they become available for people to keep as pets or as working animals. Cool. Yeah. And so all of my chickens and I've got 5 at the moment, but over the course of time I've probably had 20 because, you know, chickens, they die a lot.
They die.
They do die a lot. Yeah. So over the course of several years, I've probably owned 20 and they've all come from the Hen Welfare Trust. And it's very easy. You sign up and they email you when there's a collection in your area. There's one in my area sort of once a year for the place that I go to. And I go along with a couple of pet crates and I pick up some chickens. And they ask for a suggested donation, which is very cheap compared to the price of actually buying a chicken. And what you get is a chicken that is not only very, very good at laying eggs— so I never buy eggs. All my eggs come from my chickens. But you get to watch what happens to one of these animals if it's no longer kept in a cage. So when they come to you, they've never seen daylight, they've never seen sunshine, they've never seen rain, they've never scratched in the earth, they've never eaten a worm, they've never eaten a bug. They really haven't had any kind of life at all. And they've only got about half the feathers that they're supposed to have. So through stress and through pecking, they look like oven-ready chickens with feathered wings. Yeah. Basically, and within about 3 weeks all their feathers grow back and their combs go bright red instead of being a dull pink color. And you can see the minute you take your foot off their neck, they turn into what you would recognize as being a chicken. So it's an extremely rewarding way to get and keep—
You're not putting your foot on their neck, are you, Mark? Generally to be avoided.
Right. Okay. But yeah, so if you're looking for chickens and you live in the UK, you could do a lot worse than going to the British Hen Welfare Trust. You can find them at www.bhwt.org.uk. Brilliant.
Absolutely fantastic. Well done. Carole, what's your pick of the week?
Okay, so my pick of the week is terribly exciting. I hope you're all sitting down and paying attention. I, Carole Theriault, am hosting and producing a brand spanking new podcast called Art Musings. What's that about? Art. It's art. It's great. We chat with local artists. So I teamed up with a local artist in Oxford called Sally Ann Stewart, and she does fabulous linocut prints and she's very funny and I like her loads. And she agreed to do this podcast with me. So we chat with local artists. Some are up and coming, some are really at the top of their game. And we just learn about their process and how they do art and try and figure out how they manage the challenges they have. We talked to somebody about how do you manage to do art when you have twins who are 5 years old and crazy? Or, you know, how do you sell yourself when you're kind of shy and don't know how? Actually, recently we were just recording an interview with the head honcho of Oxfordshire Art Weeks who was talking about how do you describe yourself as an artist, and I had just written an artistic statement that I had to hand in. So guess what? I did it really wrong, and I actually read my artistic statement that I handed in on air so she can point out how it could be improved. So there's all kinds of cool stuff, and I'm really proud of it. You guys have heard the first episode. I have, yeah. It was really fun listening to it.
And I'll tell you what I really enjoyed about it, because I was a bit of an artist, but I'm not anymore. And I think it's a good podcast. It doesn't really matter what it's about. I've listened to— there's a football podcast I quite like, there's a politics podcast I quite like, not because I'm particularly interested in those subjects, but because I'm interested in the presenters and the way that they talk. I think it falls into that category. You don't have to be into art to like this because interesting people can make any subject interesting, and I think it falls into that. I would encourage everyone to give it a listen.
He just called me interesting. Listeners, I would love if you go and check it out. A, because it'll give me a little boost that the last 6 months wasn't wasted. And it would just, it takes so much time to create new shows, right? And choosing everything. Anyway, so I'm proud it's out. It's called Art Musings. You should be able to find it wherever you get your podcasts. And if you don't know how to do that, just go to artmusings.co.uk. Brilliant. And that's my pick of the week. Fantastic. Well, that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
You can find me on X, formerly known as Twitter, @MarkStockley.
And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G. We also have a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app. Such as Apple Podcasts, Spotify, and Overcast. And don't forget to subscribe to Art Musings as well.
Ah, Graham, massive thank you to all our episode sponsors, Vanta, Kolide, and of course to our Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 344 episodes, check out smashingsecurity.com.
Smashing! Until next time, cheerio, bye-bye, bye-bye, bye-bye.
Do you hear that in the background now? You hear the clock? Yeah. So isn't that wonderful? Our neighbors are getting a new bathroom done and they stopped for a whole hour when we recorded this show and they've just started because we've run a little late. So yay to cool neighbors!
Well done to them. Thank you, Mark. Thank you very much, Mark.
It's a pleasure. Thanks for having me on again.
Always a rock star.
Hosts:
- Graham Cluley
- Carole Theriault
Guest:
- Mark Stockley
Episode links:
- Philippines’ cybersecurity failures exposed as hackers leak state secrets, people’s data – South China Morning Post.
- IT admins are just as culpable for weak password use – Outpost24.
- Google Chrome wants to hide your IP address – MalwareBytes.
- The 23andMe data breach reveals the vulnerabilities of our interconnected data – The Conversation.
- 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews – Wired.
- Worried about the 23andMe hack? Here’s what you can do – Washington Post.
- Paris Police 1905 – BBC iPlayer.
- British Hen Welfare Trust.
- Art Musings – Art Musings podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.