Smashing Security podcast #389: WordPress vs WP Engine, and the Internet Archive is down

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

WordPress’s emperor, Matt Mullenweg, demands a hefty tribute from WP Engine, and a battle erupts, leaving millions of websites hanging in the balance. Meanwhile, the Internet Archive, a digital library preserving our online history, is under siege from hackers.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Tim Cook is not going to park outside your little lemonade stall and be happy about what you've done because you're trading.
CAROLE THERIAULT
I don't think he could give a shit. You don't think he'd care at all? Really?
Unknown
Smashing Security, episode 389: WordPress versus WP Engine and the Internet Archive Ransomware Shavers Down with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 389. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hi, Carole. How are you doing?
CAROLE THERIAULT
I have COVID.
GRAHAM CLULEY
COVID? That's so 3 years ago, Carole.
CAROLE THERIAULT
Yeah, well.
GRAHAM CLULEY
You're off trend.
CAROLE THERIAULT
I'm off trend. It's the first time in my life. No, so I may be a little bit less enthusiastic this week, but I'm here, right? I'm here. So huzzah to that. And how are you, Graham?
GRAHAM CLULEY
I'm all right. I went on a lightning dash to America last week for the Rochester Security Summit, where I was given a keynote.

Fortunately, I didn't come back with any unpleasant disease, as far as I know. That's all good news. First time to America since the big pandemic for me, though.

That felt like a milestone. And also great to meet some listeners to the old podcast.
CAROLE THERIAULT
It's not old.
GRAHAM CLULEY
Well, we've been going for about 8 years now, Carole.
CAROLE THERIAULT
Jesus.
GRAHAM CLULEY
Quite old for a podcast.
CAROLE THERIAULT
Okay, don't. I'm gonna fall off my chair. How about we kick this show off and thank this week's wonderful sponsors, 1Password, Vanta, and Flashpoint.

Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm gonna be asking what the fork is going on at WordPress and WP Engine.
CAROLE THERIAULT
And we are going to see what's hitting the digital banks of the Internet Archive and the Wayback Machine. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, the internet, ah, it's a wonderful thing, isn't it? Not just wonderful in technological ways, but also it's a place of peace, calm reflection.
CAROLE THERIAULT
The internet?
GRAHAM CLULEY
Yes. A safe sanctuary from craziness and drama. That's what I love about it.
CAROLE THERIAULT
Well, I think it depends how you use it, don't you think?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
If I listen to some deep sleep music, right, on YouTube.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
It's pretty chill.
GRAHAM CLULEY
That is pretty chill. I'll tell you something else that's pretty chill, at least normally, is the very calm waters which are WordPress.

It's hard to imagine anything dramatic happening with WordPress. It's been there for years and years.
CAROLE THERIAULT
Maybe explain what WordPress is just for some people, because not everyone's, you know.
GRAHAM CLULEY
So WordPress is a free open-source web content management system, also known as a CMS. A lot of people think of it as a blogging platform, but it's much more than that.

It allows people to create and host their own websites. And lots of businesses use it for that as well, even if they don't have a blog.

And there's an almighty ding-dong going on between the founder of WordPress and a company called WP Engine that helps users host their WordPress websites.
CAROLE THERIAULT
Okay, so one allows you to create a website and the other one allows you to host. So these guys should be basically friends.
GRAHAM CLULEY
They should be friends.

And there are lots of companies which help you host your website because when you create a website with WordPress, with that software, you have to put it on a server and you can either put it on your own server, which means that you end up spending all your time maintaining the server yourself.

You're probably going to have to grow a beard and wear sandals.

Or you have to find a company to run the server for you, a company like WP Engine, and then they will run the free open source WordPress software on the server for you.

And because it's still WordPress, it can automatically update itself. You can augment it with plugins and add-ons to make the website do whatever you want to do with it.

My website runs on WordPress. Your website runs on WordPress, Carole. The New York Times runs on WordPress. Government websites run on WordPress.

Little mom and pop stores, they run on WordPress. 11 billion websites around the world. That's my number, by the way.
CAROLE THERIAULT
They're the McDonald's of websites. Okay.
GRAHAM CLULEY
They are, but the Mickey D's arguably, arguably better quality. I would suggest that they're a success because it's a great platform.

It's the most popular content management system, CMS, in the world. It's used by businesses of all sizes and individuals. 43% of the web is reckoned to be using WordPress.
CAROLE THERIAULT
See, that's surprising. I would never have thought that. If you had asked me that, I would probably have gone 5 or 10. Isn't that interesting?
GRAHAM CLULEY
It's astonishing. WordPress is huge.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And the big cheese, the head honcho, the benevolent dictator, some would say the supreme emperor of the WordPress galaxy, is a guy called Matt Mullenweg. And he's a genius.

He's brilliant. He's passionate. He's deeply committed to open source and the philosophy behind it. But Matt has gone nuclear.
CAROLE THERIAULT
About something specific, I'm guessing.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Rather than actually exploding.
GRAHAM CLULEY
He hasn't combusted. No, he hasn't.
CAROLE THERIAULT
Good.
GRAHAM CLULEY
There's not a mushroom cloud over his—
CAROLE THERIAULT
It was going to be a weird segue for the show, I thought. Yeah.
GRAHAM CLULEY
That would have been interesting. No, there's some reality TV-style drama right now involving WordPress.

And what it comes down to is there's this humongous ding-dong going on between Matt Mullenweg, the millionaire founder of WordPress, the CEO of Automattic, which runs WordPress.com, which is a hosting platform.

Don't confuse it with WordPress.org. And a company which offers WordPress hosting to businesses called WP Engine. Right now, I'll put my hands up, full disclosure and everything.

I've been a customer of WP Engine before. I've hosted my website on WP Engine in the past, as well as other places. I'm not currently a customer of WP Engine.

WP Engine is not a cheap WordPress host. You know, it's not like these WordPress hosts which offer to keep your site up for $2 a month, and there are plenty of those.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
If you use them, it's gonna cost you at least $20 a month for its most basic, simple offering.
CAROLE THERIAULT
Why are they allowed to charge so much more, do you think?
GRAHAM CLULEY
Well, they can charge what they. You know, it's market forces.
CAROLE THERIAULT
No, no, but why would you use it?
GRAHAM CLULEY
Because depending on how much traffic you get and how essential it is for your website to remain online, you may be prepared to spend hundreds of dollars per month.

If you were a business and your website was an important part of your revenue or a way of communicating with the outside world, you would want to make sure that those servers stayed up and that they had the support teams, they had the infrastructure to keep them up, keep them working all the time.

And if there is a problem, have a support team to go to.
CAROLE THERIAULT
And you thought your website was so vital to humanity that you need to pay an extra $18 a month to keep your site up and running?
GRAHAM CLULEY
More than that. More than that. More than that. I was, yeah. And to this day, I'm paying more than $20 a month with another host to keep my website up and running. So yeah.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Maybe I have an overinflated sense of my website's importance.
CAROLE THERIAULT
No, no, shh, shh, shh, shh. I'm not sure.
GRAHAM CLULEY
Oh, hush. So organizations think it's important to keep their sites up and running, and you feel more confident if you're spending the money.

And WP Engine has done really, really well. It's making $400 million per year in revenue at the moment.
CAROLE THERIAULT
Well, I don't know what their outgoings are, but yeah.
GRAHAM CLULEY
Well, they are doing very, very well. And frankly, Matt Mullenweg of WordPress is pretty pissed off about it.
CAROLE THERIAULT
Well, he's pissed off that they're doing well.
GRAHAM CLULEY
Well, yes.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And I'll explain why, because he has a company which is of a similar size called Automattic, which runs WordPress.com and some other services as well.

And they say that WP Engine isn't contributing enough to make the open source WordPress project, that free bit of software at the heart of their companies, any better.

And that WP Engine is enriching itself at the expense of the entire community. Amongst other things, he's claiming that WP Engine has violated WordPress's trademark guidelines.

So imagine, for instance, you set up a lemonade stall outside Apple HQ in California, right? In Cupertino. And you started selling iLemonade.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Tim Cook, he's not gonna park outside your little lemonade stall and be happy about what you've done because you're trading.
CAROLE THERIAULT
I don't think he could give a shit. You don't care at all. Really? Really?
GRAHAM CLULEY
You know, there have been lots of little companies in the past which have got into trouble because they've had similar kind of names. Right? So it could happen.

Now, WP Engine, it has those letters, WP. And Matt Mullenweg says that his mum got confused. He says his mum thought WP Engine was somehow a WordPress company connected with her son.

And Matt Mullenweg says that WP Engine is in fact a cancer to WordPress. Those are his words.

He says they're making half a billion dollars in revenue on top of WordPress, but they're only contributing back every week 40 man-hours of effort to improve WordPress.

He says his own company, which is of a similar size, Automattic, contributes almost 4,000 people hours every week.
CAROLE THERIAULT
So it's basically the argument is I'm a better guy than you. Yeah.
GRAHAM CLULEY
So he's saying, if you're going to make that much money, you should either be giving us some money so that we can pay for developers to improve WordPress, which you are benefiting from that software.

Or you should be putting in the effort yourselves because it's not proportionate to the amount of money they're getting.
CAROLE THERIAULT
Okay. So here, can I have my tinfoil hat? My theory, theory, theory.
GRAHAM CLULEY
Yes, yes, yes.
CAROLE THERIAULT
Conspiracy theory, Carole Theriault. I suspect that Matt did not specify this in the T's and C's when they made a deal with WP Engine.

So there must be paperwork somewhere that says, you know, in exchange for X, you give us Y.
GRAHAM CLULEY
Well, it's open source, you see. So there's a GPL. The kind of license which you have is anyone can take the software and do what the heck they like with it. It's free. Go away.
CAROLE THERIAULT
Well, no, not if you want to. Not if they're demanding a certain number of hours, right?
GRAHAM CLULEY
He believes it would be under the ethos of WordPress. Sure. You should be contributing back. So there's no hard and fast rule. You are encouraged, but you don't have to.
CAROLE THERIAULT
Well, you do if someone's going to shame you publicly.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
So how do you feel about this as a WordPress user? Are you feeling happy?
GRAHAM CLULEY
And I'm going to tell you more first.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Because the argument doesn't finish there, because legal letters are flying between these two companies and they're being very, very public about it.

There are letters being written. People are telling each other to cease and desist. So right now, WP Engine says that Mullenweg is holding their company to ransom.

They say that he's embarking on what he called himself a scorched-earth nuclear approach.

WP Engine claim that Mullenweg is demanding tens of millions of dollars for a trademark licensing deal.
CAROLE THERIAULT
Yeah, so saying, give us some kickback because you guys got too rich on us and didn't put in the hours. Mm-hmm.
GRAHAM CLULEY
And there's no resolution in sight. And now things are turning really nasty because what has happened is WP Engine customers are no longer able to update their WordPress plugins.

WordPress has blocked them from accessing the plugin repository, which exists on WordPress.
CAROLE THERIAULT
Oh dear.
GRAHAM CLULEY
So if your plugins on your website get out of date, they could have serious security problems, which hackers could exploit.
CAROLE THERIAULT
Geez, who peed in Matt's Cheerios, eh?
GRAHAM CLULEY
Right, now you're getting the story, right? So this is really bad and WordPress is publicly saying, well, if you've got a problem with it, speak to WP Engine.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Because WP Engine needs to play fair with us. So why should we continue giving them the access to our repository of all these plugins when they're not doing anything to benefit us?

Nasty.
CAROLE THERIAULT
Well, okay, is it possible that behind the scenes for the last X number of years, WordPress has been saying, hey, WP Engine, you know, it'd be really nice if you guys would give us a bit more hours.
GRAHAM CLULEY
They have.
CAROLE THERIAULT
And they're like, yeah, thanks, no thanks.
GRAHAM CLULEY
Those kind of conversations have been happening. WP Engine hasn't stepped up maybe to meet Matt's demands as to what they should do.

And so this, that's why this has now reached this level. And so you think, well, this is really bad for WP Engine's customers.

So it's not just bad for WP Engine, it's bad for their customers. And they are a big player in the WordPress hosting market, right?

They've got lots and lots of very big websites being hosted with them. But you may think, oh, well, it doesn't matter for us because we don't use WP Engine. Uh-uh.

Because one of the other things that WP Engine do is they make a plugin, a very popular plugin called Advanced Custom Fields. It's probably in the top 30 of all WordPress plugins.

I use it on my own site.
CAROLE THERIAULT
Really?
GRAHAM CLULEY
Yep. And under Matt Mullenweg's direction, WordPress has blocked WP Engine's coders from updating the ACF, or Advanced Custom Fields, plugin in the WordPress repository.

They've been locked out until all these arguments are resolved.
CAROLE THERIAULT
So he's effectively setting up a perfect storm for any badasses who want to go in there and take advantage of any vulnerabilities that can't be patched because of this stupid—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Spat they're having.
GRAHAM CLULEY
Which means not only WP Engine customers are now affected. So if a security hole were found in that plugin, it can't be fixed. Yeah. And what do you know?

Someone's found a security hole in that plugin. Can you guess who's found the security hole in the plugin?
CAROLE THERIAULT
No, I'm guessing not someone. I'm hoping it's someone good.
GRAHAM CLULEY
Matt Mullenweg. And his developers at WordPress have found a security hole in the Advanced Custom Fields, the ACF plugin.
CAROLE THERIAULT
The one that they're not allowing WP Engine to update.
GRAHAM CLULEY
That's absolutely right.
CAROLE THERIAULT
And tell me this, did they publish what they found?
GRAHAM CLULEY
Yes, they have.
CAROLE THERIAULT
You're kidding me.
GRAHAM CLULEY
So they've published, they've told WP Engine about it.

They've told the world that this vulnerability has been found and they say, if you've got a problem with this, you need to take it up with WP Engine.
CAROLE THERIAULT
It's—
GRAHAM CLULEY
So there are now millions and millions of websites using a popular plugin. That's not great, right? And you must be thinking, why is WordPress shooting itself in the foot like this?

Because surely this is gonna rebound on them.
GRAHAM CLULEY
So what happens now if I or millions of other people using that particular plugin on our websites, regardless of whether we host with WP Engine or not, go to our setup and just check to see if it's out of date.

Well, what we find right now is that plugin has gone from our computers because WordPress has unilaterally taken it over.

They've replaced it with another plugin called Secure Content Fields.

They took WP Engine's code, they fixed the bug, they've renamed it, they've hijacked control of that plugin so anyone who was using that plugin is now using WordPress's version without the consent or prior knowledge of any users or indeed the owners of that plugin, which was WP Engine.
CAROLE THERIAULT
Geez Louise.
GRAHAM CLULEY
Now that feels to me like a supply chain attack because it is the kind of thing you don't want your plugin being taken over by someone unknown and changing the code.

You want continuity. Now, WP Engine have reacted to this saying, you know, basically, what the fuck?

They are saying to people, if you want the original version of our plugin, which has now been patched, go to our website, download it from there instead of from WordPress.
GRAHAM CLULEY
But millions of people have been updated without their permission, without realizing what's happening.

And when you see the social media posts being made by Matt Mullenweg and by the official WordPress account on sites like Twitter, you begin to wonder if they've lost their marbles, because they are acting like spoilt brats.
CAROLE THERIAULT
Is it just him? Like, is there a board?
GRAHAM CLULEY
There clearly are thousands of workers there, and there are tales that some people are really, really disturbed about what is happening to the community, 'cause people love the open-source community.

They feel very strongly about it, as you can imagine. Typical developer types, you know, they feel very, very passionate about this.

And what they see is whatever beef Matt Mullenweg may have with WP Engine, it is innocent businesses and individuals who are being put at risk as a result of this.
GRAHAM CLULEY
And companies who are currently using WordPress as a platform, whether using WP Engine or not, are going to be thinking, did we make a good choice here?

Because this one guy who's done this this time and is acting erratically could he do this again? It's a really weird way to win friends and influence people.
CAROLE THERIAULT
Sounds to me like they're using him as an example. Unless it's just a complete war of vitriol that we don't know what's going on behind, because it's very weird.

But could this be a warning to other people saying, you know, under this new WordPress regime, everyone must put in the hours as dictated by me?
GRAHAM CLULEY
Maybe that is partly it, but I think it was always really a sort of, it would be awfully nice if you did rather than a requirement that you had to.

And so WP Engine, you know, I don't want to completely say they're blameless. Maybe WP Engine should be contributing more, right? Maybe they should be supporting the community more.

I think that is a reasonable argument to have, but to—
CAROLE THERIAULT
Yeah, the strong-arming is a bit disgusting.
GRAHAM CLULEY
It feels like blackmail.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
And I'm pissed off that my website's embroiled in it because I use that plugin. I have to choose, do I use the WordPress version or do I use the WP Engine version of this plugin?

Who do I feel more comfortable with? And because WordPress powers, as I said, around about 43% of all the websites on the internet, this is a squabble which really matters.

And right now the future of WordPress hangs in the balance. It's fascinating to watch.
CAROLE THERIAULT
I don't think the future of WordPress hangs in the balance.
GRAHAM CLULEY
I think it does. I think there will be—
CAROLE THERIAULT
You think there's going to be a huge, huge outcry and it's going to— it's not on the— it's not in the stock market, right? Because they're not floated, so they're private.
GRAHAM CLULEY
I wonder what's going to happen with Matt Mullenweg, because I wonder whether his staff are going to revolt about this and whether people are going to say, we can understand why you did this, but we can't understand why you did it like that, because you've taken things too far.
CAROLE THERIAULT
Yeah, well, it's going to be interesting to see what comes out next. Crazy drama.
GRAHAM CLULEY
Who needs Married at First Sight when you have WordPress versus WP Engine? Grab your popcorn. Carole, what's your story for us this week?
CAROLE THERIAULT
So I am talking about the Internet Archive and the Wayback Machine, and they have been seeing some trouble.

You know what I mean when I'm talking about the Wayback Machine, because it's a cool endeavor, right?
GRAHAM CLULEY
Yeah. And the Internet Archive, it's unbelievable, isn't it? It's a great resource.
CAROLE THERIAULT
Yeah. I think I would kind of describe it as the internet's history book. Do you think that's fair? It's a digital library.

I've seen someone describe it as that, of the internet sites across time.
GRAHAM CLULEY
It kind of makes a backup of the internet.

That's the great thing I think about it is, if there's an article you really like, it may well have been preserved, or you can ask it for it to be preserved at the Internet Archive.

And you can always access a copy of it, even if the original site gets taken down. And you can go back in time and see old versions of websites, which is really fun as well.
CAROLE THERIAULT
First began archiving cached web pages in '96, right? So you can kind of go see the first or the very early Apple pages or Microsoft pages.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
As of January this year, the Wayback Machine apparently archived more than 860 billion web pages. That was over 99 petabytes of data, which is ginormous, listeners.

And, you know, it's a really useful tool, not just because it's fun to go look at these web pages, but many investigative journalists, historians, and activists use it all the time.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
A Berlin-based researcher who trains people to use the tool says, you know, we face the challenge of websites and web pages being modified, altered, or intentionally taken down.

Sometimes it's to hide something that was previously published, or it now has a different connotation than was intended. So she calls it a precious tool.
GRAHAM CLULEY
Right. Yeah, I would agree with that.
CAROLE THERIAULT
And so many were dismayed to hear that the Wayback Machine was successfully breached last week.

It seems the website was compromised with the attacker stealing a user authentication database. And you think, oh, okay. But the problem was it wasn't a tiny itty-bitty one.

It contained 31 million unique records.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So how it started leaking out is visitors were going to archive.org, right?

And they were seeing this JavaScript alert created by the attacker stating that the Internet Archive was breached.

And it read, have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
It just happened.
GRAHAM CLULEY
Oh dear.
CAROLE THERIAULT
See 31 million of you on HIBP.
GRAHAM CLULEY
Oh, HIBP.
CAROLE THERIAULT
What's that, Graham?
GRAHAM CLULEY
That's Have I Been Pwned, Troy Hunt's little initiative. Yeah. So yes, you get an alert from them whenever your details come out in a data breach.
CAROLE THERIAULT
Exactly.

Now, Troy told Bleeping Computer that he'd in fact received a data dump from the threat actors that included authentication information for registered members, including their email addresses, screen names, password change timestamps, bcrypt hashed passwords, and other internal data.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Now, I'm wondering, and I'm sure listeners are wondering too, why would a threat actor want to send their data to Have I Been Pwned?
GRAHAM CLULEY
Well, to look like the big dog, to show off to your mates, say, look what I did. Because maybe there's not that much that can be done with that data. I don't know.

I mean, obviously you've got the email addresses.

You could forge an email claiming to come from the Internet Archive and email people, maybe phish them or send them somewhere malicious.

But it's not as though they're going to be raiding your bank accounts or something like that, is it?
CAROLE THERIAULT
No.
GRAHAM CLULEY
So I think it's more to show off, probably. It's for kudos. Yeah, yeah.
CAROLE THERIAULT
Because otherwise people would be like, well, we don't believe you. And I suppose maybe it's better to send it to Have I Been Pwned than to leak it.
GRAHAM CLULEY
And it gets the attention of the site that's been breached. So hopefully they will improve their security and fix the problem.

Whereas a hacker just sending their own email to a service may get ignored.

But if Troy Hunt contacts you, then you think, "Uh-oh, you know, I'm gonna have to take this seriously because millions of people are gonna find out about it." Actually, as an aside, Troy started doing research, right?
CAROLE THERIAULT
Looking into this dump. And he said that 54% of the accounts were already in the Have I Been Pwned database from previous breaches.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So listeners, to maybe go check out your email address at these places just to see it's been included.

And maybe if you're reusing passwords, naughty, naughty, but you know, this could be a very good time to go and change those that have been compromised. Would you not agree?
GRAHAM CLULEY
Oh yeah, you should always use different passwords for different services. And yeah, I'd recommend everyone sign up for Have I Been Pwned?

It's a good reminder, you know, it's a good alert when a service gets breached and if you have to take any action.
CAROLE THERIAULT
Now, at the time of recording, we're a little earlier than normal, but the Internet Archive, or sorry, the Wayback Machine is still offline, but it looks like the archived data is safe?

'Cause that was a big concern for a lot of people. Like, if you've screwed up that data somehow and it's no longer trustworthy, you wouldn't be able to use that.

Like, it's been used in criminal court cases before, right? The Wayback Machine.
GRAHAM CLULEY
Oh, well, you've gotta wonder, right? If they've got petabytes and petabytes of data, how do you back up a backup of the internet? Right? You know, where do we—
CAROLE THERIAULT
Where do you keep that?
GRAHAM CLULEY
And how many copies of the backup do you have? So, hang on, I'm just backing up the internet to my USB stick.
CAROLE THERIAULT
It'll be done by tomorrow at 2.
GRAHAM CLULEY
Yeah. It's— has anyone got a bigger USB stick?

You know, it's— yeah, it's— so yeah, obviously the worst thing in the world would be if the backup of the internet were deleted and erased and there wasn't some way to recreate it.

That would be an enormous cultural and historical loss.
CAROLE THERIAULT
It would be. It would be.

The latest tweet, the latest message on X from the founders of Wayback Archive says the data is safe, services are offline as we examine and strengthen them. Sorry, but needed.

Internet Archive staff is working hard. Estimated timeline: days, not weeks. So that's interesting. So they think they're going to be online soon.

And it also says, thank you for the offers of pizza. We are set. You know that you're a loved entity when you're offered carbs and molten cheese in a crisis.
GRAHAM CLULEY
And you know what? It is a loved entity. There will be plenty of people who would love to give their support and assistance to getting that service online again and secure.

Of course, it's, you know, the Internet Archive has to be careful that they're accepting help from trustworthy people.

But yeah, you would imagine there's a lot of people who would like to help them out.
CAROLE THERIAULT
Yeah, no, totally. Like, I'll finish with Kate Gibbs at Wired.

She wrote in an article on the Internet Archive, you know, it's no exaggeration to say that digital archiving as we know it would not exist without the Internet Archive.

Its most famous project, the Wayback Machine, is a repository of web pages that functions as an unparalleled record of the internet.

Without it, the world would lose its best public resource on internet history.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So what the hell are people, you know, attacking it for? But then why do people attack hospitals? You know, why do people—
GRAHAM CLULEY
You could argue that, but as far as I know, this wasn't done with any financial motivation. It wasn't done with any ransom demands as far as I know.
CAROLE THERIAULT
We don't know as yet. Things have been pretty tight-lipped because we know that there's been some DDoS, distributed denial of service attacks as well as this data breach.

Looks like they were getting hammered for a period of time.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
But we don't know if those are related. If you're interested, watch the space. If you're a member, maybe change your password as soon as you can.
GRAHAM CLULEY
And that's me. This episode of Smashing Security is brought to you by Flashpoint. 2024 has been a year like no other for security.

Cyber threats, physical security concerns have continued to increase. Now, geopolitical instability is adding a new layer of risk and uncertainty.

Last year, there was a staggering 84% rise in ransomware attacks and a 34% jump in data breaches. The result?

Well, millions and millions of dollars in financial losses and threats to safety worldwide. That's where Flashpoint comes in.

Flashpoint empowers organizations to make mission-critical decisions that will keep their people and assets safe. How does it do that?

By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts, and analytics all in one place.

It's no wonder Flashpoint is trusted by mission-critical businesses and governments worldwide. To access the industry's best threat data and intelligence, visit flashpoint.io today.

That's flashpoint.io.

Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.

That's vanta.com/smashing for $1,000 off.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?

I don't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?

Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related.

My Pick of the Week, in a way, is kind of associated with what you've just been talking about, Carole, the Internet Archive.

My Pick of the Week is a website called Dimsdale, dimsdale.co.uk.
CAROLE THERIAULT
Dimsdale.
GRAHAM CLULEY
And I am a big fan of radio shows. Love radio shows. I mean, it's probably been brought up on Radio 4 from the BBC.
CAROLE THERIAULT
See, that's probably where we get on, actually, because I loved radio as a kid. Still love radio. Love podcasts. Love audio.
GRAHAM CLULEY
Yeah, right. Dimsdale has a collection of over 2,000 radio shows on it, thousands of episodes of them.

And if you go to that website and you create an account, which is free by the way, this is all free, you can access an RSS feed of archived episodes of your favorite radio comedy shows, sketch shows, panel games, audio dramas, documentaries.

It's also a forum where you can discuss your favorite shows with other fans.

And I'm using it in my regular podcast app because I've got those RSS feeds and I've plugged them into my podcast app to listen to old episodes of I'm Sorry, I Haven't a Clue, Knowing Me, Knowing You with Alan Partridge, Lord Peter Wimsey dramas, all kinds of things.
CAROLE THERIAULT
So these are mostly UK-based dramas, right?
GRAHAM CLULEY
It does seem to be a strong UK bias in it, I think, whoever's collating it.
CAROLE THERIAULT
I'm on the website, the Dimsdale Co UK website right now, and it says, links are down.

Due to the issues at archive.org, they have suffered a DDoS attack and are currently down whilst they fix the problems. We link to archive.org, hence the disrupted service.

Sorry, nothing we can do but wait. Oh, it says, it is expected to be back up in days, not weeks. We'll let you know once we have more news. So there you are.
GRAHAM CLULEY
So it is true the Internet Archive has a huge archive of MP3 files.

That's where, for instance, I found old episodes of Hitchhiker's Guide to the Galaxy, which my son was listening to the other night.

Yeah, and so they will link to also places like BBC Sounds, and they will link to approved copyright owners' archives of some of these old things.

So if you're looking for some great old radio shows, it is a terrific place to create yourself an account, grab the RSS feed, and join in.
CAROLE THERIAULT
Yeah, get your email address out.
GRAHAM CLULEY
Yeah, use a strong, unique password just in case. It's not the same organisation, Carole. They're just linking.
CAROLE THERIAULT
I'm just having a giggle.
GRAHAM CLULEY
All right, okay. Anyway, I love it, it's brilliant. And you know what, Carole, I think you would love this too, because I know how you love audio dramas.

You know, there'll be Sherlock Holmes and all kinds of things, things which haven't been repeated for years and years on the radio.
CAROLE THERIAULT
I was just listening to an old, I think 1993, Iris Murdoch, The Sea, The Sea. Yeah, I was listening to an audio production from the BBC with all of— full star cast.

It was brilliant.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So yeah, I'm all into that stuff.
GRAHAM CLULEY
Fantastic. Anyway, so Dimsdale, dimsdale.co.uk, is my pick of the week.
CAROLE THERIAULT
Very cool.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week stars my little heartthrob, Jeff Goldblum, or Gold Bum, as I like to call him.
GRAHAM CLULEY
Oh yes.
CAROLE THERIAULT
This is Netflix's series called Chaos. Have you seen this, Graham?
GRAHAM CLULEY
No, no.
CAROLE THERIAULT
Oh, well, shout out to Dave Bittner and listeners who told me to check it out.

So, you have this alternative modern world in which the old gods, including Zeus, played by Goldblum—
GRAHAM CLULEY
Appropriately enough, he is a god.
CAROLE THERIAULT
Yeah. But you've got Zeus here, Goldblum dressed in white, crisp suits as he swaggers around happily amongst the palace and gardens of Mount Olympus.

Until there's a day, a new monument is unveiled in Crete for him, and it's a monument of him, but it's been desecrated by a gang of Trojans.

And so Zeus isn't happy and is worried that humans are getting a bit too big for their boots. And so you have our biased narrator, Prometheus.

Okay, this is played by Stephen Dillane. He's a former friend of Zeus, but currently a prisoner.

So, if you know your mythology, he's chained to a rock, and his liver is being internally pecked by an eagle.
GRAHAM CLULEY
We've all been there.
CAROLE THERIAULT
But he's our narrator, right? And he's so great. He is just so good in it. So there are 8 episodes. I watched them all in 2 sessions.

There's a huge cast of characters, and the plot whizzes along at a really good clip. It's fun, it's dark, it's thoughtful, it's action-packed.

So it's rare that something can get all those things, but this one seems to.

You know, it answers the underlying big questions like, "What's it to be human?" "What's it like to have power, to be desperate, or have free will?" And they explore these with pizzazz and heart.

So my pick of the week, Kaos, K-A-O-S. Graham, don't complain.
GRAHAM CLULEY
Oh, you know what? When you first said it's called Kaos, I thought to myself, I really hope it's not spelled with a K. Yeah, but why did they have to spell it with a K?
CAROLE THERIAULT
Because maybe originally it was.
GRAHAM CLULEY
It's all Greek.
CAROLE THERIAULT
So that's my pick of the week, Kaos on Netflix. Boom.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity, no G. Twitter won't allow us to have a G.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And huge, huge shout out to our episode sponsors, Vanta, Flashpoint, and 1Password. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 388 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye!
CAROLE THERIAULT
God, I'm gonna go to bed.
GRAHAM CLULEY
Get well, Carole.
CAROLE THERIAULT
Yeah, well, I'll try. I haven't left the house in 3 days. I'm already starting to go stir crazy. I have no idea how we did this during lockdown.

Honestly, I was just like, it's much different when it's only you and everyone else is out having fun.

Hosts: Graham Cluley and Carole Theriault

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Flashpoint – Access the industry’s best threat data and intelligence.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
