1 00:00:00,280 --> 00:00:02,960 Speaker 1: Brought to you by the reinvented two thousand twelve Camray. 2 00:00:03,160 --> 00:00:08,880 Speaker 1: It's ready. Are you get in touch with technology? With 3 00:00:08,960 --> 00:00:17,439 Speaker 1: tech Stuff from how stuff works dot com. Hello everyone, 4 00:00:17,480 --> 00:00:19,840 Speaker 1: and welcome to tech Stuff. My name is Chris Paulette 5 00:00:19,840 --> 00:00:21,959 Speaker 1: and I'm an editor at how stuff works dot com. 6 00:00:22,000 --> 00:00:24,639 Speaker 1: Sitting across from me, as always, his senior writer, Jonathan 7 00:00:24,680 --> 00:00:28,160 Speaker 1: Strickland be there. Yes, today we have sort of a 8 00:00:28,200 --> 00:00:32,239 Speaker 1: sobering topic to discuss. Yes, now, when we're recording this, 9 00:00:32,440 --> 00:00:37,400 Speaker 1: it's in August, early August. It's August t actually, and 10 00:00:37,760 --> 00:00:40,840 Speaker 1: earlier this week there was a news story that broke 11 00:00:41,040 --> 00:00:45,000 Speaker 1: throughout the Twitter sphere really first and then beyond about 12 00:00:45,520 --> 00:00:49,360 Speaker 1: a tech journalist named Matt Honan who has written for 13 00:00:49,600 --> 00:00:55,680 Speaker 1: various UH publications, including Wired, and how he had his 14 00:00:56,000 --> 00:01:00,160 Speaker 1: essentially his entire digital life hacked over the course of 15 00:01:00,240 --> 00:01:05,440 Speaker 1: about thirty minutes and UH and to kind of explain 16 00:01:05,480 --> 00:01:10,160 Speaker 1: what happened, first, we'll sort of talk about the way 17 00:01:10,200 --> 00:01:14,280 Speaker 1: he discovered this through his personal experience, and then how 18 00:01:14,319 --> 00:01:17,000 Speaker 1: the hackers did it, and then what needs to happen 19 00:01:17,120 --> 00:01:20,280 Speaker 1: so that we protect ourselves against such things happening in 20 00:01:20,319 --> 00:01:25,000 Speaker 1: the future. So to start, he was he was playing 21 00:01:25,000 --> 00:01:28,640 Speaker 1: with this kid and he noticed that his iPhone had 22 00:01:28,840 --> 00:01:33,000 Speaker 1: shut down, so it crashed essentially, and he thought, oh, well, 23 00:01:33,000 --> 00:01:35,840 Speaker 1: that's annoying. I guess I'll have to go and uh 24 00:01:36,040 --> 00:01:38,760 Speaker 1: connected to my computer, restore from back up, and just 25 00:01:38,880 --> 00:01:41,200 Speaker 1: get this thing going again. He didn't really think much 26 00:01:41,240 --> 00:01:45,280 Speaker 1: of it, because you know, technology occasionally fails. Yes, So 27 00:01:45,319 --> 00:01:47,760 Speaker 1: then he goes and he goes over to his computer 28 00:01:48,120 --> 00:01:52,320 Speaker 1: and tries to start that up, and that also isn't 29 00:01:52,560 --> 00:01:55,480 Speaker 1: loading up properly. It's asking him for information that he 30 00:01:55,480 --> 00:01:58,480 Speaker 1: doesn't have and it won't accept his password, and so 31 00:01:58,520 --> 00:02:03,400 Speaker 1: he's thinking, well, that's weird, but he doesn't again panic yet. Uh. 32 00:02:03,440 --> 00:02:08,440 Speaker 1: He then thinks about trying his iPad, which also isn't working, 33 00:02:09,680 --> 00:02:13,920 Speaker 1: and he tries logging into his Google account using a 34 00:02:13,960 --> 00:02:19,239 Speaker 1: different computer, and that also gives him a failure. And 35 00:02:19,280 --> 00:02:22,400 Speaker 1: it's at that point where he's thinking something seriously wrong 36 00:02:22,520 --> 00:02:26,480 Speaker 1: is happening. And eventually he starts noticing that his own 37 00:02:26,560 --> 00:02:30,720 Speaker 1: Twitter handle is posting stuff uh, and he's not the 38 00:02:30,760 --> 00:02:33,959 Speaker 1: one doing it, and so he can't access his Twitter 39 00:02:34,000 --> 00:02:37,639 Speaker 1: account anymore either. And there are these horrible Twitter messages 40 00:02:38,080 --> 00:02:44,080 Speaker 1: with various you know, uh inappropriate tweets going out things 41 00:02:44,120 --> 00:02:48,440 Speaker 1: that are racist or homophobic, or having lots of foul 42 00:02:48,520 --> 00:02:52,560 Speaker 1: language in it um and it's just, you know, it's 43 00:02:52,600 --> 00:02:55,880 Speaker 1: it's just beyond his control. He gets on the phone 44 00:02:55,919 --> 00:02:59,440 Speaker 1: with Apple trying to find out what's going on, UH 45 00:02:59,480 --> 00:03:04,000 Speaker 1: to explore Lane that his his account has been hacked, 46 00:03:04,600 --> 00:03:07,920 Speaker 1: and it takes him quite some time before they were 47 00:03:07,919 --> 00:03:10,520 Speaker 1: able to sort this out. Part of the reason is 48 00:03:10,600 --> 00:03:13,120 Speaker 1: that they for a while, we're looking at the wrong account. 49 00:03:13,720 --> 00:03:16,320 Speaker 1: They had his name wrong, and so they were looking 50 00:03:16,360 --> 00:03:18,240 Speaker 1: at an account that had none of the issues he 51 00:03:18,320 --> 00:03:22,520 Speaker 1: was explaining. And then when the Apple representative repeated his 52 00:03:22,600 --> 00:03:25,399 Speaker 1: name back to him, that's when he said, wait a minute, 53 00:03:25,440 --> 00:03:28,440 Speaker 1: that's not who I am. I'm Matt Honan. You've got 54 00:03:28,440 --> 00:03:32,079 Speaker 1: the wrong name. And then once they switched their focus, 55 00:03:32,200 --> 00:03:36,200 Speaker 1: then they started seeing, oh, well, before you called in, 56 00:03:36,400 --> 00:03:38,520 Speaker 1: and actually I think Honan had to ask about this. 57 00:03:38,760 --> 00:03:42,040 Speaker 1: They didn't, They didn't um volunteer this information. But before 58 00:03:42,080 --> 00:03:44,960 Speaker 1: Honan had called in, someone else had called in to 59 00:03:45,160 --> 00:03:48,840 Speaker 1: regain access. They said, to regain access. Really it was 60 00:03:48,880 --> 00:03:50,640 Speaker 1: to gain access for the first time. It was the 61 00:03:50,680 --> 00:03:53,520 Speaker 1: hackers who had called in too, because they had claimed 62 00:03:53,520 --> 00:03:56,640 Speaker 1: that they no longer had the password or security question answers, 63 00:03:56,880 --> 00:04:00,400 Speaker 1: so they could not get the password normally. They were 64 00:04:00,400 --> 00:04:06,560 Speaker 1: trying to get into his dot me email and the 65 00:04:06,560 --> 00:04:10,120 Speaker 1: the reason for all of this is probably the craziest 66 00:04:10,120 --> 00:04:12,920 Speaker 1: part of the story, although the pathway of how the 67 00:04:12,920 --> 00:04:14,720 Speaker 1: hackers got to the point where they were able to 68 00:04:14,760 --> 00:04:17,080 Speaker 1: do all these things. You know, once they got access 69 00:04:17,120 --> 00:04:19,240 Speaker 1: to his iCloud account, they were able to do things 70 00:04:19,279 --> 00:04:22,000 Speaker 1: like wipe his devices, which is what happened. They wiped 71 00:04:22,000 --> 00:04:25,680 Speaker 1: his iPhone, his Mac, and his iPad in part to 72 00:04:25,800 --> 00:04:28,240 Speaker 1: prevent him from being able to head them off. While 73 00:04:28,279 --> 00:04:32,240 Speaker 1: they were going down this trail of hacking his digital life. 74 00:04:32,480 --> 00:04:35,599 Speaker 1: They were also able because of the way he had 75 00:04:36,279 --> 00:04:39,320 Speaker 1: interconnected various accounts. They were able to do things like 76 00:04:39,400 --> 00:04:43,960 Speaker 1: reset his Google password, send the message to the dot 77 00:04:44,040 --> 00:04:47,400 Speaker 1: Me address, which they already had access to yes, because 78 00:04:47,520 --> 00:04:49,560 Speaker 1: they had gained it from Apple. Once they got the 79 00:04:49,560 --> 00:04:51,880 Speaker 1: password for the Google account, then they were able to 80 00:04:51,880 --> 00:04:56,200 Speaker 1: get the password for Twitter because that's where he had 81 00:04:56,240 --> 00:05:00,400 Speaker 1: his Twitter account attached to his Google account, So it 82 00:05:00,480 --> 00:05:02,720 Speaker 1: was kind of a leap frog thing, right he would 83 00:05:02,839 --> 00:05:05,120 Speaker 1: they could do a password recovery from one system. It 84 00:05:05,160 --> 00:05:08,240 Speaker 1: would send the message to one of the email addresses 85 00:05:08,279 --> 00:05:10,680 Speaker 1: that was already compromised, and then they would get access 86 00:05:10,720 --> 00:05:13,400 Speaker 1: to the next thing. Turns out what the hackers were 87 00:05:13,400 --> 00:05:16,800 Speaker 1: interested in from the very beginning was getting hold of 88 00:05:16,920 --> 00:05:21,800 Speaker 1: his Twitter account and posting these messages. That's really just 89 00:05:21,880 --> 00:05:24,160 Speaker 1: for laughs. That's all they really wanted to do. They 90 00:05:24,200 --> 00:05:28,479 Speaker 1: weren't really out to make a big show that you know, 91 00:05:28,560 --> 00:05:31,760 Speaker 1: it should be Matt Honan that should suffer for this. Uh. 92 00:05:31,880 --> 00:05:36,080 Speaker 1: Had nothing to do with Gizmoto, which Honan had written for, 93 00:05:36,320 --> 00:05:40,320 Speaker 1: and his account was linked to Gizmodo's account. It never 94 00:05:40,360 --> 00:05:43,800 Speaker 1: been unlinked, even though he no longer wrote for Gizmoto, 95 00:05:44,160 --> 00:05:46,720 Speaker 1: So they also had access to Gizmoto's Twitter account and 96 00:05:46,800 --> 00:05:50,640 Speaker 1: hijacked that for a while. Um so, you you know. 97 00:05:51,000 --> 00:05:52,800 Speaker 1: It turned out the only reason they wanted to get 98 00:05:53,040 --> 00:05:56,440 Speaker 1: his Twitter account was because he had one of the 99 00:05:56,480 --> 00:06:00,800 Speaker 1: most rare things in Twitter, a three letter Twitter handle, 100 00:06:01,760 --> 00:06:04,480 Speaker 1: you know, because most people had to go with a 101 00:06:04,480 --> 00:06:07,320 Speaker 1: longer Twitter handle because of course, once one's taken, it's gone. 102 00:06:08,320 --> 00:06:10,960 Speaker 1: So people who managed to land one of those three 103 00:06:11,000 --> 00:06:14,160 Speaker 1: letter accounts are rare, and so they thought, oh, this 104 00:06:14,200 --> 00:06:17,000 Speaker 1: is that's that's why they targeted this particular Twitter account 105 00:06:17,000 --> 00:06:20,039 Speaker 1: had nothing to do with him personally, had nothing to 106 00:06:20,040 --> 00:06:22,000 Speaker 1: do with who he worked for, and had nothing to 107 00:06:22,000 --> 00:06:23,520 Speaker 1: do with the fact that he was a tech journalist. 108 00:06:23,520 --> 00:06:26,000 Speaker 1: It was just because his Twitter handle was three letters long. 109 00:06:26,960 --> 00:06:32,200 Speaker 1: And that's crazy to me. First of all, that you 110 00:06:32,240 --> 00:06:34,200 Speaker 1: know that that was the that they were They were 111 00:06:34,200 --> 00:06:36,240 Speaker 1: willing to go through the steps that they had to 112 00:06:36,279 --> 00:06:40,160 Speaker 1: go through in order to get this one Twitter account. Well, 113 00:06:40,160 --> 00:06:42,800 Speaker 1: that's true, although it only took them a little less 114 00:06:42,800 --> 00:06:46,080 Speaker 1: than an hour to accomplish. Once they had, once they 115 00:06:46,120 --> 00:06:49,040 Speaker 1: had determined their route of attack, it was all over. 116 00:06:49,400 --> 00:06:54,480 Speaker 1: So the way they did this was not through any 117 00:06:54,600 --> 00:06:58,240 Speaker 1: kind of crazy sit down at the computer, type in 118 00:06:58,279 --> 00:07:00,480 Speaker 1: the password three times and then you may to get 119 00:07:00,480 --> 00:07:04,919 Speaker 1: in type thing. And it certainly wasn't a Hollywood style 120 00:07:05,120 --> 00:07:08,840 Speaker 1: hacker brute force attack where there was uh, you know, 121 00:07:09,240 --> 00:07:12,200 Speaker 1: some group of of hackers trying everything they could to 122 00:07:12,200 --> 00:07:14,720 Speaker 1: brute force their way in. Yeah, it wasn't like a 123 00:07:14,760 --> 00:07:17,800 Speaker 1: computer program that was just running password after password and 124 00:07:17,840 --> 00:07:21,440 Speaker 1: you see the little like digits flip up each time 125 00:07:21,480 --> 00:07:24,480 Speaker 1: you hit one. That's correct, that wasn't what happened. What 126 00:07:24,640 --> 00:07:29,239 Speaker 1: happened was much more simple really in a way, because 127 00:07:29,240 --> 00:07:32,600 Speaker 1: I had nothing to do with using code. It has 128 00:07:32,640 --> 00:07:36,000 Speaker 1: everything to do with manipulating systems. But from a person perspective, 129 00:07:36,160 --> 00:07:41,120 Speaker 1: not or or a policy perspective, not from a technological one. Yeah, 130 00:07:41,360 --> 00:07:46,480 Speaker 1: and it's it's also clear that although Apple's security procedures 131 00:07:47,040 --> 00:07:50,640 Speaker 1: are in part to at fault, um, they are not 132 00:07:50,720 --> 00:07:54,640 Speaker 1: the only ones the hackers targeted to get more information 133 00:07:54,760 --> 00:07:58,320 Speaker 1: on hone and and that Um, it just so happened 134 00:07:58,320 --> 00:08:04,360 Speaker 1: that uh, the information they needed coincided across multiple companies 135 00:08:04,600 --> 00:08:07,760 Speaker 1: with his accounts, and once they got some information from 136 00:08:07,760 --> 00:08:11,320 Speaker 1: a couple of places, they were easily able to go 137 00:08:11,400 --> 00:08:14,320 Speaker 1: in and fiddle with other stuff. There are really three 138 00:08:14,360 --> 00:08:18,920 Speaker 1: parties that are I don't want to say at fault 139 00:08:18,960 --> 00:08:21,080 Speaker 1: you don't blame the victim. There are three party There 140 00:08:21,080 --> 00:08:23,440 Speaker 1: are three parties that made this possible for the hackers 141 00:08:23,480 --> 00:08:26,040 Speaker 1: to get the access to to the accounts. One of 142 00:08:26,040 --> 00:08:30,000 Speaker 1: those is Honing himself. Yeah, and he greatly admits that. Yes, 143 00:08:30,200 --> 00:08:36,400 Speaker 1: if you he has written an incredible uh article that 144 00:08:36,559 --> 00:08:39,920 Speaker 1: that documents this entire process and what he went through. 145 00:08:39,960 --> 00:08:41,960 Speaker 1: He blogged about it when it happened, but then he 146 00:08:42,000 --> 00:08:45,240 Speaker 1: wrote up a much more comprehensive account of it. For 147 00:08:45,320 --> 00:08:48,120 Speaker 1: Wired and UH and it's a very interesting read. I 148 00:08:48,200 --> 00:08:50,840 Speaker 1: highly recommend you read it, especially if you're concerned with 149 00:08:50,880 --> 00:08:57,199 Speaker 1: your own potential security computer security. So he was at 150 00:08:57,200 --> 00:09:00,360 Speaker 1: fault and not at fault, he was he some of 151 00:09:00,360 --> 00:09:05,720 Speaker 1: his choices made this possible. Uh, the Amazon Amazon dot 152 00:09:05,800 --> 00:09:11,480 Speaker 1: Com also its policies made this possible. And Apple's policies 153 00:09:11,520 --> 00:09:15,600 Speaker 1: made this possible. So those three parties together made it 154 00:09:15,600 --> 00:09:19,800 Speaker 1: possible for the hackers to achieve this and UH, and 155 00:09:19,840 --> 00:09:23,680 Speaker 1: it's kind of interesting how how they came about it. Yeah, 156 00:09:23,760 --> 00:09:25,560 Speaker 1: and and some of the irony as we get into 157 00:09:25,640 --> 00:09:28,600 Speaker 1: this is that some of the very things that made 158 00:09:28,640 --> 00:09:34,800 Speaker 1: this possible are in place specifically to make it more 159 00:09:34,920 --> 00:09:40,400 Speaker 1: difficult for someone to steal identities. So it actually UH 160 00:09:40,520 --> 00:09:43,320 Speaker 1: some of these some of these procedures actually worked in 161 00:09:43,559 --> 00:09:47,320 Speaker 1: exactly the opposite way in which they weren't intended when 162 00:09:47,360 --> 00:09:53,240 Speaker 1: they were implemented. So the way this started off was 163 00:09:53,559 --> 00:09:56,800 Speaker 1: it was fairly clever. So they they first they started 164 00:09:56,800 --> 00:10:00,120 Speaker 1: to the hackers did a little recon work, and they 165 00:10:00,120 --> 00:10:04,360 Speaker 1: wanted to find out, um about how they would get 166 00:10:05,320 --> 00:10:08,920 Speaker 1: uh the access to the Twitter account. And then they 167 00:10:08,960 --> 00:10:13,960 Speaker 1: were able to find out Honan's UH email address because 168 00:10:14,160 --> 00:10:17,679 Speaker 1: he has a website. They went to the website, they 169 00:10:17,679 --> 00:10:20,040 Speaker 1: did a who is look up on Honan, which gave 170 00:10:20,080 --> 00:10:22,920 Speaker 1: them two things, like two things they needed. They needed 171 00:10:22,960 --> 00:10:27,679 Speaker 1: the email address and they needed his physical address. Yeah. Now, 172 00:10:27,720 --> 00:10:30,840 Speaker 1: if you register a domain name, you are required to 173 00:10:30,920 --> 00:10:35,000 Speaker 1: have contact information available. Um, and that information is publicly 174 00:10:35,040 --> 00:10:39,400 Speaker 1: available now um some well we could talk about that too, 175 00:10:39,440 --> 00:10:41,680 Speaker 1: but anyway, the the who is record for the domain 176 00:10:41,760 --> 00:10:46,319 Speaker 1: had his information in it. Yeah. So once they had 177 00:10:46,360 --> 00:10:50,480 Speaker 1: that information the Google account and the just the email address, 178 00:10:50,480 --> 00:10:53,600 Speaker 1: they didn't have access to the account yet. Um. They 179 00:10:54,120 --> 00:10:57,079 Speaker 1: figured out that the Twitter account was linked to the 180 00:10:57,120 --> 00:10:59,520 Speaker 1: personal website. That's what That's where they found the Gmail address. 181 00:10:59,520 --> 00:11:03,800 Speaker 1: That's where they on the physical address. And then they 182 00:11:03,840 --> 00:11:07,720 Speaker 1: started to look at the account recovery for a Google 183 00:11:07,840 --> 00:11:11,840 Speaker 1: and without actually sending in a recovery request, they saw 184 00:11:12,040 --> 00:11:16,439 Speaker 1: that the address, which was only partially obscured per Google's policy, 185 00:11:17,520 --> 00:11:21,960 Speaker 1: wasn't at me dot com email address. That was the 186 00:11:21,960 --> 00:11:27,800 Speaker 1: recovery address. Well that's an Apple thing, right, So that's 187 00:11:27,840 --> 00:11:30,840 Speaker 1: where they said, ah, now we know how to get 188 00:11:30,880 --> 00:11:35,920 Speaker 1: at him because it's because his Google address will go 189 00:11:36,120 --> 00:11:38,920 Speaker 1: back if we did a password recovery. Because that will 190 00:11:38,920 --> 00:11:41,439 Speaker 1: go to an Apple address, and because we know how 191 00:11:41,480 --> 00:11:43,680 Speaker 1: to manipulate the system so that we can get access 192 00:11:43,720 --> 00:11:47,200 Speaker 1: to his Apple account, it's all over. And the way 193 00:11:47,240 --> 00:11:51,280 Speaker 1: they got access to the Apple account was kind of interesting. Now, 194 00:11:51,320 --> 00:11:54,920 Speaker 1: they did not have the password, they did not have 195 00:11:55,040 --> 00:11:58,880 Speaker 1: the answer to security questions, So calling up Apple and 196 00:11:58,920 --> 00:12:01,560 Speaker 1: getting access to to this account would require that they 197 00:12:01,600 --> 00:12:05,000 Speaker 1: have some other information. What Apple requires is that you 198 00:12:05,080 --> 00:12:08,360 Speaker 1: have to have the building address and the last four 199 00:12:08,400 --> 00:12:12,560 Speaker 1: digits of the credit card you used to establish that account. 200 00:12:13,559 --> 00:12:17,640 Speaker 1: So what the hackers did was they said, well, there's 201 00:12:17,679 --> 00:12:21,720 Speaker 1: a good chance that the same credit card this guy 202 00:12:21,840 --> 00:12:26,000 Speaker 1: used to establish his iCloud account is the one that 203 00:12:26,040 --> 00:12:31,880 Speaker 1: he uses for Amazon. And so instead of calling Apple first, 204 00:12:31,920 --> 00:12:35,680 Speaker 1: they called Amazon first, and they said that they wanted 205 00:12:35,760 --> 00:12:41,360 Speaker 1: to add a credit card number to the existing Amazon account, 206 00:12:42,480 --> 00:12:44,280 Speaker 1: So they weren't trying to get the credit card number. 207 00:12:44,280 --> 00:12:46,320 Speaker 1: They wanted to add a credit card number, right, So 208 00:12:46,360 --> 00:12:49,480 Speaker 1: then they add a credit card number to the Amazon account. 209 00:12:49,960 --> 00:12:53,160 Speaker 1: Then they hang up. Then they call Amazon back and 210 00:12:53,200 --> 00:12:56,200 Speaker 1: they say that they have lost access to their account 211 00:12:57,280 --> 00:13:00,960 Speaker 1: and that they will provide the name the billing address, 212 00:13:00,960 --> 00:13:02,840 Speaker 1: which they already have from the who Is look up 213 00:13:02,880 --> 00:13:07,199 Speaker 1: of the website and then the credit card number they 214 00:13:07,240 --> 00:13:11,360 Speaker 1: gave at the at the call they made earlier. So 215 00:13:11,520 --> 00:13:14,960 Speaker 1: there's now this credit card number that is legit because 216 00:13:15,000 --> 00:13:17,800 Speaker 1: they provided it. It's not the same one that was 217 00:13:17,880 --> 00:13:20,720 Speaker 1: used to establish the account in the first place. So 218 00:13:20,760 --> 00:13:24,120 Speaker 1: then Amazon says, oh, all right, well, we'll send you 219 00:13:24,160 --> 00:13:27,199 Speaker 1: the password to the account. Here's which email I addressed 220 00:13:27,280 --> 00:13:31,920 Speaker 1: you wanted to go to. So they hackers give their 221 00:13:31,960 --> 00:13:34,680 Speaker 1: email address or an email address that they have created 222 00:13:34,760 --> 00:13:38,440 Speaker 1: for the purposes of this hack. So now Amazon sends 223 00:13:38,480 --> 00:13:43,160 Speaker 1: the log in information to UH to Amazon dot Com, 224 00:13:43,800 --> 00:13:48,800 Speaker 1: to that account, to the email they log into the 225 00:13:48,840 --> 00:13:51,920 Speaker 1: Amazon dot Com account, and then they look for the 226 00:13:52,000 --> 00:13:55,360 Speaker 1: other credit card number, the one that was actually used 227 00:13:55,480 --> 00:13:58,840 Speaker 1: to establish that account. So this is Honan's actual final 228 00:13:58,920 --> 00:14:03,240 Speaker 1: four digits because those are unmasked in the Amazon dot 229 00:14:03,240 --> 00:14:06,800 Speaker 1: Com system. Yes, they masked the rest of it, right, Yeah, 230 00:14:06,800 --> 00:14:08,520 Speaker 1: the rest of the numbers are masked. So it's not 231 00:14:08,600 --> 00:14:11,160 Speaker 1: that the hackers ever had access to the credit card, 232 00:14:11,200 --> 00:14:13,440 Speaker 1: other than they could have bought a whole bunch of 233 00:14:13,440 --> 00:14:16,720 Speaker 1: stuff on Amazon and had it sent somewhere. But that's 234 00:14:16,720 --> 00:14:19,440 Speaker 1: all that's. Yeah, that's what they could have done if 235 00:14:19,440 --> 00:14:22,320 Speaker 1: they had wanted to, but they could not actually pull 236 00:14:22,400 --> 00:14:25,080 Speaker 1: the credit card number itself other than the last four digits. 237 00:14:25,480 --> 00:14:28,240 Speaker 1: But those last four digits are what Apple needs for 238 00:14:28,400 --> 00:14:32,720 Speaker 1: account verification, right, So they take those four digits, they've 239 00:14:32,760 --> 00:14:35,160 Speaker 1: got the building address, They give a call to Apple. 240 00:14:35,480 --> 00:14:39,320 Speaker 1: They give that information, and because Honan used the same 241 00:14:39,560 --> 00:14:43,200 Speaker 1: billing address and the same credit card for both services, 242 00:14:44,000 --> 00:14:47,400 Speaker 1: Apple said, oh, well then you're clearly this guy. We 243 00:14:47,440 --> 00:14:52,720 Speaker 1: will send you the account retrieval information to your email address. 244 00:14:52,800 --> 00:14:55,800 Speaker 1: So then they now have the way to log into 245 00:14:56,040 --> 00:14:59,720 Speaker 1: Honan's iCloud account. They do that. That's where they then 246 00:15:00,080 --> 00:15:04,320 Speaker 1: disable his devices. They wipe them to help slow things 247 00:15:04,360 --> 00:15:07,680 Speaker 1: down so they can continue to do this stuff. Now 248 00:15:07,680 --> 00:15:10,280 Speaker 1: they have access to his Apple email, they have access 249 00:15:10,280 --> 00:15:12,960 Speaker 1: to his Amazon account. That's when they go to the 250 00:15:12,960 --> 00:15:18,040 Speaker 1: Google password recovery asked for the recovery information so that 251 00:15:18,080 --> 00:15:21,320 Speaker 1: they can access his Google account. Well, that goes to 252 00:15:21,440 --> 00:15:25,640 Speaker 1: his Apple address, which they already have access to. The 253 00:15:25,680 --> 00:15:27,760 Speaker 1: information comes to the Apple address, they go into the 254 00:15:27,760 --> 00:15:33,840 Speaker 1: Google account. They immediately delete the password recovery UH email 255 00:15:33,960 --> 00:15:36,000 Speaker 1: out of his account so that if he has any 256 00:15:36,000 --> 00:15:40,880 Speaker 1: other devices that would alert him that his password had 257 00:15:40,920 --> 00:15:44,000 Speaker 1: been changed. That he would not be aware of it, 258 00:15:44,200 --> 00:15:47,480 Speaker 1: so they they hide that, they change the password so 259 00:15:47,520 --> 00:15:49,840 Speaker 1: that now they've locked him out, they have access to 260 00:15:49,840 --> 00:15:52,160 Speaker 1: his Google account. They then were able to go and 261 00:15:52,200 --> 00:15:57,240 Speaker 1: get access to the Twitter account. Um, this is kind 262 00:15:57,280 --> 00:16:00,440 Speaker 1: of scary. And again it has nothing to do with 263 00:16:00,600 --> 00:16:04,440 Speaker 1: sitting down encoding stuff. It is hacking. You're hacking a system, 264 00:16:04,480 --> 00:16:08,560 Speaker 1: but you're doing it more through social engineering and manipulating 265 00:16:08,760 --> 00:16:12,400 Speaker 1: policies and systems. Right, So if you guys remember we 266 00:16:12,480 --> 00:16:14,480 Speaker 1: had that discussion and I think it was episode three 267 00:16:14,680 --> 00:16:17,560 Speaker 1: D ninety nine where we interviewed Brian Brushwood and we 268 00:16:17,600 --> 00:16:20,960 Speaker 1: talked about social engineering. Now with Brushwood, his approach to 269 00:16:21,000 --> 00:16:26,040 Speaker 1: social engineering is more about you know, having fun and uh, like, 270 00:16:26,080 --> 00:16:29,280 Speaker 1: you're in a social situation where you you know, you 271 00:16:29,320 --> 00:16:31,800 Speaker 1: never have to buy a drink because you're doing these 272 00:16:31,800 --> 00:16:34,360 Speaker 1: cool things and convincing other people to buy drinks for you, 273 00:16:34,520 --> 00:16:36,680 Speaker 1: or you know, you're doing something so that you can 274 00:16:36,720 --> 00:16:40,000 Speaker 1: get the phone number of someone you're interested in. So 275 00:16:40,160 --> 00:16:44,280 Speaker 1: you're still social engineering people, but it's not necessarily this 276 00:16:44,520 --> 00:16:49,000 Speaker 1: as nefarious as uh as what these hackers were doing. Yeah, 277 00:16:49,320 --> 00:16:52,440 Speaker 1: and it's not typically what one thinks of when one 278 00:16:52,480 --> 00:16:56,120 Speaker 1: thinks of identity theft. I mean again, UM, a lot 279 00:16:56,160 --> 00:16:59,360 Speaker 1: of us would look at the specifically maybe the Amazon 280 00:16:59,480 --> 00:17:01,880 Speaker 1: portion of this or an online retail portion of this, 281 00:17:01,960 --> 00:17:04,160 Speaker 1: and say, oh, well, they got access to his credit 282 00:17:04,200 --> 00:17:06,600 Speaker 1: card number, they can buy stuff. Well yeah, and in 283 00:17:06,600 --> 00:17:10,640 Speaker 1: a lot of cases that maybe what a hacker might 284 00:17:10,760 --> 00:17:15,200 Speaker 1: try to do. After all, we have talked about uh 285 00:17:15,280 --> 00:17:19,440 Speaker 1: online systems being hacked for financial information and financial gain, 286 00:17:20,040 --> 00:17:23,760 Speaker 1: but that's not the point of this. Um, the system 287 00:17:23,800 --> 00:17:25,719 Speaker 1: that I was speaking of a few minutes ago, when 288 00:17:25,760 --> 00:17:28,640 Speaker 1: I was saying that ironically, some of these things were 289 00:17:28,680 --> 00:17:33,040 Speaker 1: turned against him tools that would be used to protect him. Um, 290 00:17:33,080 --> 00:17:36,760 Speaker 1: if you're not in an Apple customer, you may not 291 00:17:37,119 --> 00:17:40,119 Speaker 1: be aware. There's a there's a uh an I cloud 292 00:17:40,240 --> 00:17:44,720 Speaker 1: system uh called find my and there're a couple of 293 00:17:44,760 --> 00:17:49,760 Speaker 1: them like find my iPhone. Yeah. Um, so let's say, uh, 294 00:17:49,840 --> 00:17:52,399 Speaker 1: you know, we're talking completely behind here. Let's say you 295 00:17:52,440 --> 00:17:55,520 Speaker 1: have an iPhone and your kid has run off with 296 00:17:55,560 --> 00:17:58,879 Speaker 1: it and stuffed it somewhere in some piece of furniture 297 00:17:59,080 --> 00:18:01,280 Speaker 1: or dropped it and or you left it in a 298 00:18:01,280 --> 00:18:03,159 Speaker 1: cab or you left it in a cab. Well, if 299 00:18:03,200 --> 00:18:06,800 Speaker 1: you're if you're Natalie Dell Conti well yeah, um, well, 300 00:18:06,840 --> 00:18:09,320 Speaker 1: I was gonna start with the the easy one. You 301 00:18:09,359 --> 00:18:11,199 Speaker 1: can make it. You can make your phone make a 302 00:18:11,240 --> 00:18:13,840 Speaker 1: noise so you know it's in the house, but you 303 00:18:13,840 --> 00:18:16,000 Speaker 1: can't figure out where it went. I'd like to have 304 00:18:16,040 --> 00:18:17,840 Speaker 1: one of these for my keys and maybe the remote. 305 00:18:18,240 --> 00:18:20,280 Speaker 1: But you know you can. You can make it make 306 00:18:20,320 --> 00:18:22,480 Speaker 1: a noise, or if you've left it in a cab, 307 00:18:23,400 --> 00:18:27,239 Speaker 1: you can have it tell you roughly where it is. Uh. 308 00:18:27,400 --> 00:18:29,359 Speaker 1: This is especially useful if you can't remember if you 309 00:18:29,440 --> 00:18:31,600 Speaker 1: left it in a cab, or if you at a 310 00:18:31,680 --> 00:18:34,360 Speaker 1: restaurant whatever, or you know, you were at a bar 311 00:18:34,720 --> 00:18:39,040 Speaker 1: and you had a prototype version of the newest iPhone 312 00:18:39,640 --> 00:18:41,119 Speaker 1: and it was sitting on the stool next to you 313 00:18:41,200 --> 00:18:42,560 Speaker 1: when you were sitting there at the bar, but then 314 00:18:42,560 --> 00:18:44,879 Speaker 1: when you turned around it was gone, and then it 315 00:18:44,960 --> 00:18:49,320 Speaker 1: ends up at some tech blog. Yeah, well that could happen. Yeah, 316 00:18:49,520 --> 00:18:53,200 Speaker 1: they're they're Twitter feed could be hacked to um. But yeah, 317 00:18:53,240 --> 00:18:55,000 Speaker 1: I mean, so you can find out where it is. 318 00:18:55,080 --> 00:18:56,600 Speaker 1: You can have it make a noise so that if 319 00:18:56,640 --> 00:18:59,080 Speaker 1: it is in the same location as you are, Uh, 320 00:18:59,119 --> 00:19:01,760 Speaker 1: you know you can you can track it down. Um. 321 00:19:01,800 --> 00:19:03,399 Speaker 1: If you don't know where it is, let's say you 322 00:19:03,440 --> 00:19:06,640 Speaker 1: did leave it in a in a bar somewhere and uh, 323 00:19:06,840 --> 00:19:09,400 Speaker 1: you say, oh, well, you know it's not I don't 324 00:19:09,400 --> 00:19:11,760 Speaker 1: know where that is. And you could see a location 325 00:19:11,800 --> 00:19:14,480 Speaker 1: it shows you on the map where where it might be. Oh, 326 00:19:14,480 --> 00:19:16,919 Speaker 1: it's no longer in my control. It's somewhere where I 327 00:19:16,960 --> 00:19:19,880 Speaker 1: don't know where it is. I'm I have sensitive information 328 00:19:19,880 --> 00:19:22,560 Speaker 1: on there. My my calendars on there, my contacts are 329 00:19:22,600 --> 00:19:25,359 Speaker 1: on there. Um as as Honan himself said, you know 330 00:19:25,440 --> 00:19:30,880 Speaker 1: he had um information from many other tech journalists. Um, 331 00:19:31,320 --> 00:19:33,760 Speaker 1: so he might just let's say he was still in 332 00:19:33,760 --> 00:19:35,960 Speaker 1: control of his accounts, but no longer in control of 333 00:19:36,000 --> 00:19:39,520 Speaker 1: the device. He could say, wipe this device. I don't 334 00:19:39,520 --> 00:19:43,159 Speaker 1: want anything on it anymore. You know, I want to 335 00:19:43,200 --> 00:19:45,520 Speaker 1: wipe it clean so that nobody else gains information in 336 00:19:45,600 --> 00:19:47,800 Speaker 1: my personal stuff. It's only a matter of time before 337 00:19:47,840 --> 00:19:51,200 Speaker 1: they figure out my my pass code. Wipe it clean. 338 00:19:51,520 --> 00:19:52,800 Speaker 1: You know, you can tell it to do that and 339 00:19:52,800 --> 00:19:55,879 Speaker 1: it will remotely do that. Apple has added that for 340 00:19:56,040 --> 00:19:59,600 Speaker 1: the Mac to find my mac. So in that case, 341 00:20:00,040 --> 00:20:05,640 Speaker 1: let's say he had corporate information. Many companies have have 342 00:20:06,040 --> 00:20:08,920 Speaker 1: this policy in place. Yes, you can check your corporate 343 00:20:08,920 --> 00:20:12,960 Speaker 1: email on your personal device, but if you do that. Um, 344 00:20:13,040 --> 00:20:15,919 Speaker 1: we retain the right to wipe the information on the 345 00:20:15,960 --> 00:20:20,320 Speaker 1: device if it should fall into somebody else's hands, or 346 00:20:20,520 --> 00:20:23,480 Speaker 1: let's say that you were to, uh, you were to 347 00:20:23,480 --> 00:20:27,240 Speaker 1: to either be fired or you you know, you left 348 00:20:27,320 --> 00:20:29,159 Speaker 1: or whatever. They might retain that right so that they 349 00:20:29,160 --> 00:20:32,400 Speaker 1: can protect themselves as a corporate entity. Yeah, so there 350 00:20:32,440 --> 00:20:36,040 Speaker 1: there are positive reasons to be able to do this 351 00:20:36,400 --> 00:20:40,800 Speaker 1: in this case. Once the hackers gained information about his 352 00:20:40,840 --> 00:20:43,159 Speaker 1: account and we're able to get access to his account 353 00:20:43,200 --> 00:20:48,200 Speaker 1: and lock him out, Um, they also chose to completely 354 00:20:48,240 --> 00:20:54,840 Speaker 1: wipe his phone, his iPad, and his Mac laptop. And 355 00:20:54,920 --> 00:20:58,879 Speaker 1: in doing so, they not only wiped out any you know, 356 00:20:59,359 --> 00:21:02,320 Speaker 1: corporate in formation. He's he's a freelance writer, so any 357 00:21:02,440 --> 00:21:04,040 Speaker 1: articles he might have been working on that were on 358 00:21:04,080 --> 00:21:07,760 Speaker 1: his hard drive gone. He also lost a year's worth 359 00:21:08,119 --> 00:21:11,440 Speaker 1: or more, I guess the photos of personal photos, personal 360 00:21:11,520 --> 00:21:17,680 Speaker 1: stuff that that he had created. And Yeah, Liz leads 361 00:21:17,720 --> 00:21:20,720 Speaker 1: us to the the thing that we have said a 362 00:21:20,800 --> 00:21:23,479 Speaker 1: billion times on this podcast that is an exaggeration, but 363 00:21:24,119 --> 00:21:27,600 Speaker 1: back up your data. Yeah, and he admits, he admits 364 00:21:27,640 --> 00:21:30,880 Speaker 1: he was not regularly backing up his hard drive. This 365 00:21:30,920 --> 00:21:33,280 Speaker 1: is not to to pick on him or anything else. 366 00:21:33,440 --> 00:21:36,120 Speaker 1: It's something that he wishes in retrospect he had been 367 00:21:36,160 --> 00:21:40,919 Speaker 1: doing on a regular basis because, um, oddly enough, this 368 00:21:41,000 --> 00:21:42,840 Speaker 1: is where this this is where this story takes an 369 00:21:42,920 --> 00:21:46,600 Speaker 1: unusual turn. He has been in contact with his hackers 370 00:21:47,000 --> 00:21:51,560 Speaker 1: and has agreed not to put in in return. They 371 00:21:51,560 --> 00:21:54,120 Speaker 1: were telling him how they did it. Yes, and uh, 372 00:21:54,200 --> 00:21:55,800 Speaker 1: I think first of all, the first thing we can 373 00:21:55,840 --> 00:21:59,880 Speaker 1: agree on easily is that Amazon has to change its policy. 374 00:22:00,240 --> 00:22:05,000 Speaker 1: Well yeah, because because that's the first step that means 375 00:22:05,000 --> 00:22:11,359 Speaker 1: that anyone could access anyone else's Amazon account. Well, um, 376 00:22:11,720 --> 00:22:14,159 Speaker 1: I wasn't gonna get there quite yet. I wanted to 377 00:22:14,200 --> 00:22:17,159 Speaker 1: make the point that this is where it kind of 378 00:22:17,160 --> 00:22:20,439 Speaker 1: gets a little weird, because they they shared all this 379 00:22:20,520 --> 00:22:23,000 Speaker 1: information with him, and this is how he was able 380 00:22:23,040 --> 00:22:26,399 Speaker 1: to write such a comprehensive, uh post on on Wired 381 00:22:26,400 --> 00:22:29,119 Speaker 1: about it was they they told him what they were doing, 382 00:22:29,240 --> 00:22:32,200 Speaker 1: what the point of it was. Um, they admitted, look, 383 00:22:32,240 --> 00:22:35,720 Speaker 1: you know, we weren't trying to to steal your your stuff. 384 00:22:35,760 --> 00:22:38,320 Speaker 1: We weren't really trying to wipe out your your personal life. 385 00:22:38,560 --> 00:22:42,800 Speaker 1: We have nothing against you personally. We wanted your Twitter account. Um. 386 00:22:43,240 --> 00:22:48,040 Speaker 1: The guy that that that he talked to primarily um 387 00:22:48,440 --> 00:22:52,359 Speaker 1: was saying, essentially, hey, uh, you know, my partner was 388 00:22:52,400 --> 00:22:55,399 Speaker 1: the one who wiped out your computer. And now that 389 00:22:55,440 --> 00:22:57,919 Speaker 1: you tell me all your personal files, your your the 390 00:22:57,920 --> 00:23:01,800 Speaker 1: pictures of your your kid were on here, I'm really sorry. Yeah, 391 00:23:02,040 --> 00:23:05,200 Speaker 1: I'm actually really sorry. I didn't mean to to cause 392 00:23:05,240 --> 00:23:08,959 Speaker 1: you personal harm as a result of this. And they say, now, 393 00:23:09,000 --> 00:23:12,480 Speaker 1: I don't know, you know, I don't know whether their 394 00:23:12,480 --> 00:23:14,879 Speaker 1: motives are are as pure as they say. You know, 395 00:23:14,880 --> 00:23:16,600 Speaker 1: they say part of it was that they wanted to 396 00:23:16,640 --> 00:23:20,080 Speaker 1: point out that it really is this easy to hack 397 00:23:20,119 --> 00:23:22,160 Speaker 1: into your personal account, and they wanted to draw attention 398 00:23:22,200 --> 00:23:25,880 Speaker 1: to that. Now, I took her say that all the time. 399 00:23:25,960 --> 00:23:29,560 Speaker 1: I suspect, based upon the messages that they posted on Twitter, 400 00:23:30,560 --> 00:23:35,359 Speaker 1: that that's something they they that's covering their tracks. I 401 00:23:35,359 --> 00:23:39,040 Speaker 1: think they were doing it for the kicks. Yes, well, 402 00:23:39,080 --> 00:23:41,280 Speaker 1: if you're looking at again, if you're reading the Twitter, 403 00:23:41,800 --> 00:23:45,040 Speaker 1: the Twitter posts that that we're posted under his name, 404 00:23:45,240 --> 00:23:47,920 Speaker 1: and there were a lot that he left there. He says, 405 00:23:47,920 --> 00:23:49,400 Speaker 1: I wanted to keep a record of it. He did 406 00:23:49,440 --> 00:23:54,600 Speaker 1: delete some because they were overly hurtful, patently offensive, and 407 00:23:54,880 --> 00:23:58,000 Speaker 1: he said, you know, these could actually cause people to 408 00:23:58,160 --> 00:24:00,960 Speaker 1: feel badly about themselves, and I don't want that. I 409 00:24:01,000 --> 00:24:03,000 Speaker 1: do want there to be a record of what had happened, 410 00:24:03,040 --> 00:24:05,199 Speaker 1: but not at that, not that, not at the expense 411 00:24:05,200 --> 00:24:08,840 Speaker 1: of someone else's feelings, um, other than my own obviously. 412 00:24:09,119 --> 00:24:11,160 Speaker 1: So then he went out and he deleted the ones 413 00:24:11,200 --> 00:24:13,639 Speaker 1: they felt were particularly offensive, and then the rest he 414 00:24:13,720 --> 00:24:18,120 Speaker 1: left up. If you read those, I think it's it's 415 00:24:18,160 --> 00:24:22,000 Speaker 1: pretty hard to defend yourself with I'm just showing how 416 00:24:22,600 --> 00:24:25,640 Speaker 1: the system can be hacked. It's more than that. It's 417 00:24:25,680 --> 00:24:29,320 Speaker 1: also hey, you know, ha ha, we did it, you know, 418 00:24:30,119 --> 00:24:32,320 Speaker 1: And and it's so it goes beyond that. And I 419 00:24:32,359 --> 00:24:36,560 Speaker 1: think it's very telling the the hacker he got in 420 00:24:36,600 --> 00:24:41,240 Speaker 1: touch with, assuming that the what he the information he 421 00:24:41,280 --> 00:24:44,679 Speaker 1: gave was accurate about himself, about the hacker himself as 422 00:24:44,720 --> 00:24:48,840 Speaker 1: a young guy nineteen years old, might not quite really 423 00:24:48,920 --> 00:24:52,439 Speaker 1: get be mature enough to realize, you know, what the 424 00:24:52,560 --> 00:24:57,040 Speaker 1: consequences are of those actions and what how they could 425 00:24:57,040 --> 00:25:01,800 Speaker 1: affect the target beyond on justus. Oh, you know, they're thinking, 426 00:25:02,119 --> 00:25:04,639 Speaker 1: we have a goal, we want to get hold of 427 00:25:04,640 --> 00:25:07,800 Speaker 1: this Twitter account. They're not thinking of what consequences are 428 00:25:07,800 --> 00:25:11,240 Speaker 1: going to be felt by the target beyond just the 429 00:25:11,280 --> 00:25:13,600 Speaker 1: fact that our Twitter handle has been taken over, and 430 00:25:13,680 --> 00:25:15,880 Speaker 1: so some of that may just be that they were 431 00:25:15,960 --> 00:25:17,960 Speaker 1: very narrowly focused on what they wanted to do and 432 00:25:18,000 --> 00:25:21,080 Speaker 1: they didn't really consider what could happen or how it 433 00:25:21,119 --> 00:25:23,159 Speaker 1: would feel for that sort of stuff to happen to 434 00:25:23,200 --> 00:25:27,800 Speaker 1: a person. Um. So that's that's something there too, And 435 00:25:27,880 --> 00:25:29,240 Speaker 1: we see that a lot. I mean, there are a 436 00:25:29,280 --> 00:25:32,280 Speaker 1: lot of hackers out there who because they can do something, 437 00:25:32,320 --> 00:25:35,119 Speaker 1: they'll do it and they don't realize or they don't 438 00:25:35,200 --> 00:25:38,159 Speaker 1: care what the consequences of that action are going to 439 00:25:38,200 --> 00:25:40,600 Speaker 1: be to the people who are also involved in that 440 00:25:40,880 --> 00:25:45,760 Speaker 1: whatever that situation is. Um. So maybe maybe now this, 441 00:25:46,280 --> 00:25:49,320 Speaker 1: you know, according to the article, it sounds like this 442 00:25:49,359 --> 00:25:54,480 Speaker 1: guy is at least a little remorseful, Yes, that he's 443 00:25:54,480 --> 00:25:57,440 Speaker 1: feeling some remorse for this, and you know, we don't 444 00:25:57,480 --> 00:26:03,560 Speaker 1: know if really like he was at all culpable in 445 00:26:03,680 --> 00:26:07,159 Speaker 1: the the actual deletion. He claims that it was the 446 00:26:07,200 --> 00:26:11,200 Speaker 1: other guy who did it, but you know, you never know. So, yeah, 447 00:26:11,240 --> 00:26:14,399 Speaker 1: it's it's interesting to look at that. And you know, 448 00:26:14,520 --> 00:26:16,480 Speaker 1: if if you kind of put yourself in the shoes 449 00:26:16,520 --> 00:26:21,000 Speaker 1: of the the hacker, um, you know, especially if you're 450 00:26:21,000 --> 00:26:24,160 Speaker 1: thinking of somebody who is doing it for for fun, 451 00:26:24,840 --> 00:26:27,479 Speaker 1: to mess with somebody, and and the person says, hey, look, 452 00:26:27,520 --> 00:26:29,320 Speaker 1: I'm not going to press charges against you, but I 453 00:26:29,359 --> 00:26:32,120 Speaker 1: want to know how how you did it. He started thinking, hey, 454 00:26:32,119 --> 00:26:33,560 Speaker 1: this guy is working with me. You know, the heat 455 00:26:33,560 --> 00:26:36,760 Speaker 1: of the moment's off, the sense of accomplishment you get 456 00:26:36,800 --> 00:26:40,600 Speaker 1: from uh hacking in and and gaining access to all 457 00:26:40,600 --> 00:26:42,960 Speaker 1: this information. You know, after the fact, you've had a 458 00:26:43,040 --> 00:26:45,360 Speaker 1: chance to cool down, they've had a chance to cool down. 459 00:26:45,400 --> 00:26:47,080 Speaker 1: You start thinking about it, like, well, you know what, 460 00:26:47,760 --> 00:26:50,440 Speaker 1: this guy is not angry enough with me to to 461 00:26:50,560 --> 00:26:55,040 Speaker 1: press charges with the cops. You know, we kind of 462 00:26:55,119 --> 00:26:57,239 Speaker 1: damaged this guy, and he's willing to talk to us 463 00:26:57,240 --> 00:27:00,520 Speaker 1: about it and share the story online. And you know, 464 00:27:00,520 --> 00:27:02,639 Speaker 1: they kind of got something out of it too. They 465 00:27:02,720 --> 00:27:07,000 Speaker 1: kind of got a little anonymity anonymous press, so they 466 00:27:07,040 --> 00:27:09,720 Speaker 1: get to point to themselves and say, hey, look he's 467 00:27:09,760 --> 00:27:13,280 Speaker 1: talking about us. He doesn't seem like such a bad guy. 468 00:27:13,440 --> 00:27:16,280 Speaker 1: I guess we kind of, you know, burned a lot 469 00:27:16,320 --> 00:27:20,800 Speaker 1: of stuff of his online. That kind of stinks. You know, 470 00:27:20,880 --> 00:27:22,520 Speaker 1: we were really kind of doing it for the fun 471 00:27:22,520 --> 00:27:26,720 Speaker 1: of it, and now it's not so much fun. You 472 00:27:27,040 --> 00:27:29,159 Speaker 1: like a decent guy now you know that there's a 473 00:27:29,200 --> 00:27:31,239 Speaker 1: real person on the other end of that account. That's 474 00:27:31,240 --> 00:27:33,960 Speaker 1: the other thing is there's a dehumanizing effect sometimes with 475 00:27:34,040 --> 00:27:36,800 Speaker 1: the whole you know, you don't really identify the fact 476 00:27:36,840 --> 00:27:39,280 Speaker 1: that there's a person on the other end of these accounts. 477 00:27:40,000 --> 00:27:43,760 Speaker 1: Sometimes you don't. It doesn't the concept isn't fully formed. Yeah, 478 00:27:43,800 --> 00:27:45,520 Speaker 1: for for a lot of us, we would have gone 479 00:27:45,520 --> 00:27:47,760 Speaker 1: out and if we had found out who did it, 480 00:27:48,280 --> 00:27:50,560 Speaker 1: we would have pressed charges. We would have wanted to 481 00:27:50,600 --> 00:27:52,960 Speaker 1: take them. Now some of us would have re enacted 482 00:27:53,040 --> 00:27:58,160 Speaker 1: the film taken. But well, but yeah, that that's that's 483 00:27:58,160 --> 00:28:01,920 Speaker 1: what makes this story more are interesting than other hacking 484 00:28:02,040 --> 00:28:06,080 Speaker 1: stories I think, is that that it's got a humanizing 485 00:28:07,400 --> 00:28:11,040 Speaker 1: character for both parties, the person who or people who 486 00:28:11,119 --> 00:28:15,679 Speaker 1: took advantage of of honing and honing himself. And it 487 00:28:15,800 --> 00:28:22,120 Speaker 1: does point to security issues. Now these are legitimate for um, 488 00:28:22,359 --> 00:28:25,880 Speaker 1: you think about your Amazon account. For example, Let's say 489 00:28:25,920 --> 00:28:28,159 Speaker 1: you don't have anything else except an email account in 490 00:28:28,160 --> 00:28:31,880 Speaker 1: an Amazon account, by and large, you probably wouldn't have 491 00:28:32,480 --> 00:28:35,080 Speaker 1: a lot of these security issues. The security issues that 492 00:28:35,119 --> 00:28:38,680 Speaker 1: Amazon would have in place would make it very difficult 493 00:28:38,720 --> 00:28:42,560 Speaker 1: for them for someone else to get that information from them. 494 00:28:42,600 --> 00:28:46,080 Speaker 1: But then you start sharing. You start using this um 495 00:28:46,280 --> 00:28:49,720 Speaker 1: email address with Amazon and every other company that you 496 00:28:49,760 --> 00:28:54,440 Speaker 1: do business with online. That makes your email address a 497 00:28:54,440 --> 00:28:59,080 Speaker 1: a key to getting information from other companies. And then 498 00:28:59,160 --> 00:29:02,600 Speaker 1: you start doing business with other pieces. You've got the 499 00:29:02,640 --> 00:29:07,320 Speaker 1: same credit card number across these different companies, and once 500 00:29:07,360 --> 00:29:09,520 Speaker 1: you have the last four digits of your social Security 501 00:29:09,560 --> 00:29:13,520 Speaker 1: number or a credit card number, that makes it possible 502 00:29:13,960 --> 00:29:17,240 Speaker 1: to use that information as a key across multiple entities. 503 00:29:18,000 --> 00:29:20,320 Speaker 1: And all of a sudden, if you do business with 504 00:29:20,360 --> 00:29:23,480 Speaker 1: a whole bunch of places, they get something like your 505 00:29:23,520 --> 00:29:28,360 Speaker 1: physical address, your name, your email address, a credit card number, 506 00:29:28,400 --> 00:29:30,480 Speaker 1: any of that stuff, and they've got the keys to 507 00:29:30,640 --> 00:29:35,560 Speaker 1: open lots and lots of accounts for for them to 508 00:29:35,560 --> 00:29:38,320 Speaker 1: get more information. And once they've hacked one, they can 509 00:29:38,360 --> 00:29:40,880 Speaker 1: get information that will let them into lots and lots 510 00:29:40,880 --> 00:29:43,120 Speaker 1: of other places. Oh, they have an Amazon account, I 511 00:29:43,160 --> 00:29:44,760 Speaker 1: wonder if they have a Barnes and Noble account. We 512 00:29:44,760 --> 00:29:48,000 Speaker 1: could find out in about ten minutes. So Honan admits 513 00:29:48,040 --> 00:29:52,200 Speaker 1: that his password was not the strongest. It was a 514 00:29:52,360 --> 00:29:56,400 Speaker 1: seven seven digit alpha numeric password, but that it was 515 00:29:56,440 --> 00:29:59,120 Speaker 1: one he had used for many years. But they haven't 516 00:29:59,160 --> 00:30:03,320 Speaker 1: They didn't really right right. So that's that's the point 517 00:30:03,320 --> 00:30:05,400 Speaker 1: of this thing, is that even if he had had 518 00:30:05,440 --> 00:30:07,920 Speaker 1: the strongest password in the world, it would not have 519 00:30:08,000 --> 00:30:12,240 Speaker 1: mattered because they circumvented that. They didn't they weren't attacking 520 00:30:12,280 --> 00:30:16,920 Speaker 1: through that direction. And this this demonstrates why security is 521 00:30:16,960 --> 00:30:21,520 Speaker 1: so tough, because you think about the most obvious point 522 00:30:21,520 --> 00:30:24,560 Speaker 1: of entry, which would be the log in right your 523 00:30:24,680 --> 00:30:26,960 Speaker 1: user name and your password. That's the most obvious point 524 00:30:27,000 --> 00:30:30,880 Speaker 1: because that's the way we access our information. Hackers are 525 00:30:30,920 --> 00:30:33,880 Speaker 1: looking at a system and saying, what's the best vulnerable 526 00:30:33,960 --> 00:30:37,000 Speaker 1: spot to go in at And if the front door 527 00:30:37,280 --> 00:30:40,040 Speaker 1: is heavily locked, you look for a window or a backdoor, 528 00:30:40,200 --> 00:30:42,000 Speaker 1: you look for something else it's gonna let you get 529 00:30:42,080 --> 00:30:45,760 Speaker 1: into there, and not even you just bypass the place 530 00:30:45,760 --> 00:30:48,080 Speaker 1: where you've got all the security and you go in 531 00:30:48,120 --> 00:30:50,520 Speaker 1: through a different entrance. So when I said that Amazon 532 00:30:50,560 --> 00:30:53,400 Speaker 1: really needs to work on its policy, mainly, the reason 533 00:30:53,440 --> 00:30:55,040 Speaker 1: for that is that the only thing you need in 534 00:30:55,120 --> 00:31:01,000 Speaker 1: order to get that that lug and recovery information was 535 00:31:01,200 --> 00:31:04,520 Speaker 1: the credit card number that's associated with the account, which 536 00:31:04,560 --> 00:31:08,479 Speaker 1: they did by adding in one the building address and 537 00:31:08,640 --> 00:31:12,800 Speaker 1: an email address, and that's it. Um uh and in 538 00:31:12,880 --> 00:31:15,600 Speaker 1: order to add the credit card number, all you need 539 00:31:15,720 --> 00:31:18,680 Speaker 1: is the building address and the email address that is 540 00:31:18,720 --> 00:31:23,640 Speaker 1: associated with the account. So you know, using some guesswork, 541 00:31:24,440 --> 00:31:27,800 Speaker 1: thinking that Okay, well he's got an Amazon account, He's 542 00:31:27,800 --> 00:31:30,800 Speaker 1: probably got an Amazon account. He's probably using this address 543 00:31:31,000 --> 00:31:34,000 Speaker 1: for that Amazon account. We know his address because we 544 00:31:34,040 --> 00:31:38,240 Speaker 1: looked it up from his website. We can fabricate a 545 00:31:38,520 --> 00:31:42,880 Speaker 1: a a credit card using a generator that creates a 546 00:31:42,960 --> 00:31:49,440 Speaker 1: realistic but not actually activated credit card number and assigned 547 00:31:49,480 --> 00:31:51,560 Speaker 1: that to the Amazon account and then use that to 548 00:31:51,600 --> 00:31:55,200 Speaker 1: get the entry point. So obviously Amazon needs to fix that, 549 00:31:55,320 --> 00:31:58,600 Speaker 1: because if all you have is a person's address and 550 00:31:58,720 --> 00:32:01,000 Speaker 1: you have a good guess at what email address they 551 00:32:01,120 --> 00:32:04,640 Speaker 1: use for that Amazon account, then you could do the 552 00:32:04,680 --> 00:32:09,080 Speaker 1: same thing. And so that's that's a that's number one. 553 00:32:09,560 --> 00:32:13,000 Speaker 1: Number two would be the fact that Apple uses the 554 00:32:13,440 --> 00:32:15,880 Speaker 1: last four digits of the credit card, the building and 555 00:32:16,160 --> 00:32:21,719 Speaker 1: the building address as a security recovery method. Clearly that 556 00:32:21,760 --> 00:32:25,720 Speaker 1: needs to to change in some way. Yeah, I think 557 00:32:25,760 --> 00:32:27,880 Speaker 1: I think this is a uh, they're there are a 558 00:32:27,880 --> 00:32:30,600 Speaker 1: couple of things. Now, if you read uh, there's an 559 00:32:30,640 --> 00:32:33,960 Speaker 1: account on Honan's tumbler, and if you want to read 560 00:32:34,280 --> 00:32:39,960 Speaker 1: some truly hurtful comments. I would suggest reading that um, 561 00:32:40,000 --> 00:32:44,160 Speaker 1: because some people blame him for owning Apple devices, which 562 00:32:44,200 --> 00:32:47,840 Speaker 1: is ridiculous. In fact, of the one that that bugged 563 00:32:47,880 --> 00:32:49,840 Speaker 1: me probably the most was the one that said, serves 564 00:32:49,920 --> 00:32:52,720 Speaker 1: him right for owning I crap. And I'm going you 565 00:32:52,760 --> 00:32:55,480 Speaker 1: know this, this really could have happened with pretty much 566 00:32:55,520 --> 00:32:59,960 Speaker 1: any manufacturer or Yeah, it's just I mean Apple had 567 00:33:00,040 --> 00:33:02,320 Speaker 1: policies that they were able to leverage. That's not to 568 00:33:02,360 --> 00:33:05,800 Speaker 1: say that other companies don't have those same policies, And 569 00:33:05,840 --> 00:33:07,880 Speaker 1: it's just that Apples were well known to them, so 570 00:33:07,960 --> 00:33:10,920 Speaker 1: that's how they once they saw the me dot com 571 00:33:11,160 --> 00:33:14,200 Speaker 1: addresses that all right, we know how to do this. Yeah. 572 00:33:14,240 --> 00:33:18,080 Speaker 1: And the thing is, I would say the vast majority 573 00:33:18,160 --> 00:33:23,120 Speaker 1: of online retailers or or companies that have that offer 574 00:33:23,240 --> 00:33:26,080 Speaker 1: services online um, I mean they knew how to get 575 00:33:26,120 --> 00:33:30,040 Speaker 1: into a Google account too, um. And and a lot 576 00:33:30,080 --> 00:33:32,280 Speaker 1: of them have the same policies. So if you can 577 00:33:32,320 --> 00:33:34,479 Speaker 1: get as they did, if you can get one piece, 578 00:33:34,960 --> 00:33:38,000 Speaker 1: then you can apply it to other pieces and get 579 00:33:38,080 --> 00:33:41,800 Speaker 1: information from them and put the whole puzzle together that way. 580 00:33:41,840 --> 00:33:44,760 Speaker 1: So it's not while while I've seen people singling out 581 00:33:44,800 --> 00:33:48,680 Speaker 1: Apple and Amazon and um, and they should to some 582 00:33:48,720 --> 00:33:55,040 Speaker 1: degree be uh considering new stuff. It's not just their fault. 583 00:33:55,160 --> 00:33:58,320 Speaker 1: The catch twenty two here is once you make an 584 00:33:58,360 --> 00:34:04,280 Speaker 1: account so locked down that it's extremely hard to get into, 585 00:34:04,520 --> 00:34:07,320 Speaker 1: it's also hard for you to get into when you 586 00:34:07,400 --> 00:34:11,200 Speaker 1: do forget your password, when you do forget what credit 587 00:34:11,200 --> 00:34:14,760 Speaker 1: card you used. Say you've got ten credit cards. Um, 588 00:34:15,040 --> 00:34:17,440 Speaker 1: let's say you h you shredded one of them because 589 00:34:17,480 --> 00:34:19,920 Speaker 1: you don't use that card anymore. But that's the one 590 00:34:19,960 --> 00:34:23,239 Speaker 1: that you set up the account with two years ago. Well, 591 00:34:23,239 --> 00:34:26,560 Speaker 1: now you can't get back in. And so if they 592 00:34:26,600 --> 00:34:29,960 Speaker 1: lock it down too hard, then you can't get back 593 00:34:30,000 --> 00:34:33,160 Speaker 1: in either. So that's why they make it. Yeah, that's 594 00:34:33,200 --> 00:34:35,920 Speaker 1: why they make those those pieces available. Well, can you 595 00:34:35,960 --> 00:34:39,239 Speaker 1: tell me the last four digits of your Social Security number? Oh? Yeah, 596 00:34:39,280 --> 00:34:42,000 Speaker 1: I know those. Well they got that from somebody else. 597 00:34:42,760 --> 00:34:46,000 Speaker 1: So there there's a catch twenty two here. How how 598 00:34:46,239 --> 00:34:50,440 Speaker 1: how secure is secure enough and not too secure to 599 00:34:50,480 --> 00:34:54,360 Speaker 1: lock you out forever? So so there there is that 600 00:34:54,520 --> 00:34:58,600 Speaker 1: is a challenge. Um. The part of it is to um, 601 00:34:58,760 --> 00:35:00,719 Speaker 1: when we're talking about the domain name, they were able 602 00:35:00,760 --> 00:35:07,200 Speaker 1: to get information from his domain name. Uh, and you 603 00:35:07,239 --> 00:35:09,759 Speaker 1: can there are things you can do there too. UM. 604 00:35:09,800 --> 00:35:11,920 Speaker 1: A lot of the services, the places where you can 605 00:35:11,960 --> 00:35:15,880 Speaker 1: register domain names offer a secure UH service where you 606 00:35:15,920 --> 00:35:19,200 Speaker 1: pay an additional fee per year or or per however 607 00:35:19,320 --> 00:35:22,400 Speaker 1: often you UH you renew your domain name, that will 608 00:35:22,719 --> 00:35:25,560 Speaker 1: lock it down so that it has a basically the 609 00:35:25,560 --> 00:35:28,960 Speaker 1: the registrar is responsible for it. So if you want 610 00:35:29,000 --> 00:35:31,800 Speaker 1: to contact the owner of the domain name to say 611 00:35:31,840 --> 00:35:33,920 Speaker 1: make them an offer, Hey, we want so and so 612 00:35:34,120 --> 00:35:37,600 Speaker 1: dot com. You've got it, Can we offer you ten 613 00:35:37,640 --> 00:35:39,840 Speaker 1: thousand dollars and buy the domain name for you? It 614 00:35:39,880 --> 00:35:42,319 Speaker 1: would go through your registrar and you would get contacted 615 00:35:42,360 --> 00:35:45,320 Speaker 1: for it. But your information is not the the information 616 00:35:45,360 --> 00:35:49,040 Speaker 1: out there, so there's a proxy between you and them. UM. 617 00:35:49,040 --> 00:35:50,719 Speaker 1: That would have helped him too, if he had had 618 00:35:50,719 --> 00:35:53,120 Speaker 1: something like that in place, it would have helped lock 619 00:35:53,200 --> 00:35:57,520 Speaker 1: it down Google. UM the UH. It's it's kind of 620 00:35:57,560 --> 00:36:01,319 Speaker 1: interesting because what Google showed them was uh M star 621 00:36:01,360 --> 00:36:05,759 Speaker 1: star star star star star n at, you know, the 622 00:36:05,760 --> 00:36:09,960 Speaker 1: the Gmail name. They were pretty right in guessing that 623 00:36:10,040 --> 00:36:13,200 Speaker 1: it was his first initial last name. He had that 624 00:36:13,239 --> 00:36:16,080 Speaker 1: address at at at several places. He points that out, 625 00:36:16,120 --> 00:36:19,200 Speaker 1: and that was that was easy. Could Google fix that 626 00:36:19,280 --> 00:36:22,640 Speaker 1: and make it more obscure so that it wouldn't be 627 00:36:22,680 --> 00:36:25,440 Speaker 1: so easy to guess. Maybe could he have picked a 628 00:36:25,520 --> 00:36:29,920 Speaker 1: more difficult name to use as his backup email address? Probably, 629 00:36:30,640 --> 00:36:33,319 Speaker 1: But these are there are lots of little stuff that 630 00:36:33,520 --> 00:36:37,120 Speaker 1: everyone involved could have done to make it more difficult. 631 00:36:37,280 --> 00:36:40,640 Speaker 1: And there's Google also has a a two step verification process. 632 00:36:40,640 --> 00:36:43,960 Speaker 1: That's exactly what I was going to mention nextel two 633 00:36:44,000 --> 00:36:49,120 Speaker 1: part authentication is um is a useful approach. It also 634 00:36:50,120 --> 00:36:52,879 Speaker 1: and I've used it, Yeah, I've used it. It's so 635 00:36:53,320 --> 00:36:56,000 Speaker 1: two part of authentication is kind of what it sounds like. 636 00:36:56,360 --> 00:36:58,920 Speaker 1: You need you need to have two different things in 637 00:36:59,000 --> 00:37:01,279 Speaker 1: order to be able to act as the account. And 638 00:37:01,920 --> 00:37:06,440 Speaker 1: a typical approach is that you register a phone number 639 00:37:06,480 --> 00:37:09,759 Speaker 1: with whatever the services of like a cell phone. You 640 00:37:09,800 --> 00:37:12,560 Speaker 1: register that cell phone with whatever the services, and then 641 00:37:12,560 --> 00:37:15,640 Speaker 1: when you try to access it, you have to be 642 00:37:15,719 --> 00:37:18,560 Speaker 1: able to provide not only the password, but then an 643 00:37:18,600 --> 00:37:22,560 Speaker 1: authentication code is sent to your device that you have 644 00:37:22,600 --> 00:37:27,360 Speaker 1: registered and you have to insert whatever that that number is, 645 00:37:27,840 --> 00:37:30,319 Speaker 1: and then then you can and then and only then 646 00:37:30,480 --> 00:37:34,520 Speaker 1: you can actually access whatever the account is. And that 647 00:37:34,560 --> 00:37:38,840 Speaker 1: helps a lot because as long as that device remains 648 00:37:38,880 --> 00:37:42,000 Speaker 1: in your possession and no one has been able to 649 00:37:42,080 --> 00:37:45,320 Speaker 1: intercept it in any way, you should be fairly safe. 650 00:37:45,520 --> 00:37:50,319 Speaker 1: So even if they try to reset the password, they 651 00:37:50,360 --> 00:37:53,239 Speaker 1: can't get access to it because they're trying through a 652 00:37:53,280 --> 00:37:56,160 Speaker 1: different device that has not been registered. Uh, and then 653 00:37:56,200 --> 00:38:00,520 Speaker 1: you get that that message. And we've seen very variations 654 00:38:00,520 --> 00:38:02,759 Speaker 1: of this as well, not just two part authentication, but 655 00:38:02,880 --> 00:38:08,600 Speaker 1: also registering devices with services like UM. Lots of them 656 00:38:08,640 --> 00:38:10,240 Speaker 1: do that so that you can look at the different 657 00:38:10,320 --> 00:38:13,680 Speaker 1: sessions that are logged in through a particular service and 658 00:38:13,680 --> 00:38:15,640 Speaker 1: then if you if you see that there's one there 659 00:38:15,640 --> 00:38:20,799 Speaker 1: that you don't recognize, someone might have access to your account. So, 660 00:38:20,920 --> 00:38:23,799 Speaker 1: for example, Facebook does this where if you try and 661 00:38:23,840 --> 00:38:28,440 Speaker 1: access your UM Facebook account through different devices, it may 662 00:38:28,520 --> 00:38:31,120 Speaker 1: tell you, hey, I don't recognize this device. This isn't 663 00:38:31,160 --> 00:38:34,640 Speaker 1: something that you've used to access this account before UM 664 00:38:34,760 --> 00:38:38,080 Speaker 1: and it'll send an email to you and let you 665 00:38:38,120 --> 00:38:42,759 Speaker 1: know if you are that that hey, someone's accessing this. 666 00:38:42,800 --> 00:38:45,120 Speaker 1: Is this you? Because if it's you, it's cool. But 667 00:38:45,160 --> 00:38:48,080 Speaker 1: if it's not you, then you need to look into 668 00:38:48,120 --> 00:38:53,280 Speaker 1: this now. Again, this is this is a good tool 669 00:38:53,719 --> 00:38:57,400 Speaker 1: for people who feel like they may have been hacked. However, 670 00:38:58,640 --> 00:39:01,640 Speaker 1: let's say that the person who is trying to access 671 00:39:01,640 --> 00:39:05,640 Speaker 1: your Facebook account. Um, you know where they're trying to 672 00:39:05,640 --> 00:39:09,359 Speaker 1: hack into your Facebook account also has control of your 673 00:39:09,360 --> 00:39:12,200 Speaker 1: email address. Then when they say that, hey, is this 674 00:39:12,320 --> 00:39:14,160 Speaker 1: you and they send that to your email address, well 675 00:39:14,200 --> 00:39:17,319 Speaker 1: they've got that email address, yes, yes, if it's gotten 676 00:39:17,360 --> 00:39:21,040 Speaker 1: to that point. It's this particular approach doesn't really help you. 677 00:39:21,160 --> 00:39:25,399 Speaker 1: But other things that that you can do, because there's 678 00:39:25,440 --> 00:39:27,640 Speaker 1: some things that you can't have any control over. It's 679 00:39:27,680 --> 00:39:30,399 Speaker 1: it's the pole, it's the companies you work with. Well, one, 680 00:39:30,480 --> 00:39:33,520 Speaker 1: you can choose which companies you you associate yourself with, 681 00:39:33,920 --> 00:39:36,040 Speaker 1: but beyond that, you know you have to hope that 682 00:39:36,080 --> 00:39:38,600 Speaker 1: they put in the right stuff in place to protect you. 683 00:39:38,680 --> 00:39:42,239 Speaker 1: What you can do one, continue to use strong passwords 684 00:39:42,400 --> 00:39:45,440 Speaker 1: and don't don't use the same ones across multiple platforms 685 00:39:45,480 --> 00:39:48,560 Speaker 1: because it just makes it way easier if one if 686 00:39:48,600 --> 00:39:51,280 Speaker 1: one account does get compromised, it makes it way easier 687 00:39:51,280 --> 00:39:54,319 Speaker 1: for all the others to get compromised. It's the domino effect. Yeah, 688 00:39:54,360 --> 00:39:56,880 Speaker 1: so you we wanna you want to start picking some 689 00:39:56,920 --> 00:40:01,080 Speaker 1: pretty tough passwords and and vary the across and change 690 00:40:01,120 --> 00:40:06,600 Speaker 1: them fairly regularly, because the longer they stay, the more 691 00:40:06,800 --> 00:40:11,680 Speaker 1: likely you're going to UM encounter a problem, use some 692 00:40:11,719 --> 00:40:14,200 Speaker 1: sort of password manager so that you can keep track 693 00:40:14,280 --> 00:40:16,640 Speaker 1: of them all because I know it is. You know, 694 00:40:17,400 --> 00:40:19,959 Speaker 1: the flip side of a strong password is it's really 695 00:40:20,000 --> 00:40:23,520 Speaker 1: hard to remember. So if you're if you've got lots 696 00:40:23,520 --> 00:40:27,080 Speaker 1: and lots of online accounts, then it's going to be 697 00:40:27,120 --> 00:40:29,439 Speaker 1: really challenging to keep all those straight. So some sort 698 00:40:29,440 --> 00:40:35,279 Speaker 1: of password manager is important. UM Also, think about what 699 00:40:35,360 --> 00:40:38,520 Speaker 1: you share before you share it online, because some of 700 00:40:38,560 --> 00:40:42,600 Speaker 1: the details you share may also serve as answers to 701 00:40:42,719 --> 00:40:47,520 Speaker 1: various security questions, or they may give off other information 702 00:40:47,560 --> 00:40:51,160 Speaker 1: that companies use to verify identity. So be careful about that. 703 00:40:51,680 --> 00:40:56,319 Speaker 1: You know, don't don't be too free with personal information 704 00:40:57,280 --> 00:41:00,759 Speaker 1: if that means that information could be used to circumventanced 705 00:41:00,800 --> 00:41:04,879 Speaker 1: security systems. One suggestion I've always heard is that when 706 00:41:04,920 --> 00:41:09,120 Speaker 1: you create answers to security questions you create, you're essentially 707 00:41:09,120 --> 00:41:12,160 Speaker 1: creating another password. You don't you don't answer the question 708 00:41:12,840 --> 00:41:14,560 Speaker 1: you and you put something else in there, and you 709 00:41:14,680 --> 00:41:18,600 Speaker 1: put something something unrelated but something you will easily remember, 710 00:41:19,200 --> 00:41:21,480 Speaker 1: all right, So something that doesn't have to be a 711 00:41:21,520 --> 00:41:23,960 Speaker 1: strong password. In other words, it just needs to be 712 00:41:24,000 --> 00:41:26,880 Speaker 1: a keyword that doesn't have anything to do with a question, 713 00:41:26,920 --> 00:41:30,080 Speaker 1: but it's a keyword you are guaranteed to remember. So, So, 714 00:41:30,120 --> 00:41:33,000 Speaker 1: for example, if you, uh, maybe I've seen something that 715 00:41:33,000 --> 00:41:35,319 Speaker 1: asked for the name of your friend model of your 716 00:41:35,320 --> 00:41:39,239 Speaker 1: first car, you could say something like grapefruit. Yeah, which, well, 717 00:41:39,239 --> 00:41:40,960 Speaker 1: I know if I'm asked about my car, I'm going 718 00:41:41,000 --> 00:41:44,640 Speaker 1: to say grapefruit. Somebody might go, oh, it's a Chevy. 719 00:41:45,000 --> 00:41:46,880 Speaker 1: They might have looked on your Facebook page and you 720 00:41:46,920 --> 00:41:49,400 Speaker 1: might have had a thing like this says man, I 721 00:41:49,400 --> 00:41:52,200 Speaker 1: have such great memories of my of my first car, 722 00:41:52,400 --> 00:41:54,759 Speaker 1: and then you have a picture of it on there. Well, 723 00:41:54,800 --> 00:41:56,640 Speaker 1: that's all they would need to be able to answer 724 00:41:56,640 --> 00:41:59,399 Speaker 1: that question if you use the right answer, the right 725 00:41:59,719 --> 00:42:02,759 Speaker 1: or a corresponding answer. So if you've done, say a 726 00:42:02,800 --> 00:42:06,760 Speaker 1: thing on on genealogy, and you've uh, you know, talked 727 00:42:06,760 --> 00:42:09,359 Speaker 1: about your parents and say, well, you know my mother 728 00:42:09,400 --> 00:42:11,160 Speaker 1: who was so and so, and it's like, what's your 729 00:42:11,160 --> 00:42:13,600 Speaker 1: mother's maiden name? Oh, well I know it was Steven's 730 00:42:13,640 --> 00:42:16,040 Speaker 1: because I saw it on the on their Facebook account. 731 00:42:16,840 --> 00:42:20,560 Speaker 1: Well that's pretty easy to track down. Um. And and 732 00:42:20,600 --> 00:42:24,480 Speaker 1: speaking of Facebook, Uh, it occurs to me that a 733 00:42:24,520 --> 00:42:28,799 Speaker 1: lot of sites these days are using Facebook Connect or 734 00:42:28,880 --> 00:42:31,719 Speaker 1: Google or Yahoo and you can say, hey, would you 735 00:42:31,760 --> 00:42:34,920 Speaker 1: like to sign in with your blank account? Some of 736 00:42:34,960 --> 00:42:40,080 Speaker 1: them exclusively do that where you cannot access it unless 737 00:42:40,120 --> 00:42:42,319 Speaker 1: you happen to have one of those are their accounts. Yes, 738 00:42:42,480 --> 00:42:45,359 Speaker 1: Like I believe Pinterest you had to log in through 739 00:42:45,400 --> 00:42:47,440 Speaker 1: Facebook when it was when it first started. I don't 740 00:42:47,480 --> 00:42:50,480 Speaker 1: know if that's still the case. And Spotify, Uh, Spotify, 741 00:42:51,160 --> 00:42:55,760 Speaker 1: you know, had had switched to requiring Facebook. Um, okay. 742 00:42:55,760 --> 00:42:59,200 Speaker 1: So if they gain access to your Facebook account, all 743 00:42:59,200 --> 00:43:01,720 Speaker 1: of a sudden, they've got access to every other account 744 00:43:01,719 --> 00:43:05,280 Speaker 1: that you've used that log in with. So when they 745 00:43:05,320 --> 00:43:08,960 Speaker 1: offer you an opportunity to create a separate log in, 746 00:43:09,120 --> 00:43:11,600 Speaker 1: maybe you should take that opportunity. Yeah, it's a pain. 747 00:43:11,920 --> 00:43:14,239 Speaker 1: Is a pain. And the whole point about the whole 748 00:43:14,239 --> 00:43:16,799 Speaker 1: Facebook connect is that it makes it much more convenient, 749 00:43:16,920 --> 00:43:19,239 Speaker 1: you know, you you know, Facebook loves it because it 750 00:43:19,320 --> 00:43:22,759 Speaker 1: becomes the platform for the Internet, and people love it 751 00:43:22,760 --> 00:43:24,880 Speaker 1: because it means that it's one less thing they have 752 00:43:24,920 --> 00:43:26,840 Speaker 1: to worry about when they want to log in. But 753 00:43:26,960 --> 00:43:30,279 Speaker 1: it does mean that there is this point of vulnerability 754 00:43:30,320 --> 00:43:33,120 Speaker 1: that is incredibly attractive to someone who wants to get 755 00:43:33,120 --> 00:43:36,399 Speaker 1: access to your stuff. Because it's going if they get 756 00:43:36,400 --> 00:43:39,399 Speaker 1: access to one thing, they get access to a dozen more. 757 00:43:39,880 --> 00:43:43,120 Speaker 1: And it doesn't I say Facebook, but like Chris was saying, 758 00:43:43,160 --> 00:43:45,520 Speaker 1: it's not just Facebook. Google is the same way. There 759 00:43:45,520 --> 00:43:48,640 Speaker 1: are lots of different services that if you have a 760 00:43:48,719 --> 00:43:55,040 Speaker 1: Google account you could potentially access. UM. Another another suggestion 761 00:43:55,080 --> 00:43:59,719 Speaker 1: I've seen is that there are a lot of services 762 00:43:59,760 --> 00:44:02,120 Speaker 1: out there that some of us will sign up for 763 00:44:02,920 --> 00:44:07,840 Speaker 1: and then stop using and then forget about UM. It 764 00:44:07,920 --> 00:44:10,480 Speaker 1: might not be a bad idea to if you never 765 00:44:10,640 --> 00:44:12,279 Speaker 1: use those services, it might not be a bad idea 766 00:44:12,360 --> 00:44:16,360 Speaker 1: to go back and check and delete those accounts, because 767 00:44:16,560 --> 00:44:19,399 Speaker 1: those are other points of vulnerability, especially if it's going 768 00:44:19,440 --> 00:44:21,440 Speaker 1: to you know, if you do tend to use the 769 00:44:21,480 --> 00:44:25,160 Speaker 1: same group of passwords over and over and hackers get 770 00:44:25,680 --> 00:44:28,800 Speaker 1: access to something, particularly if it's something that isn't terribly 771 00:44:28,840 --> 00:44:32,560 Speaker 1: popular anymore, and maybe as a result, the security measures 772 00:44:32,560 --> 00:44:35,520 Speaker 1: aren't as up to date as they could be. It's 773 00:44:35,520 --> 00:44:39,000 Speaker 1: a possibility you might want to get rid of that stuff. 774 00:44:39,160 --> 00:44:41,680 Speaker 1: So you know that my Space account that you haven't 775 00:44:41,760 --> 00:44:44,640 Speaker 1: checked in four years, maybe it's time to just go 776 00:44:44,680 --> 00:44:50,239 Speaker 1: ahead and close that out, you know that kind of stuff. Yeah, Uh, 777 00:44:50,280 --> 00:44:53,400 Speaker 1: And we've already mentioned back up your data. It's also 778 00:44:53,520 --> 00:44:57,400 Speaker 1: very important. Uh yeah, so basic basic tips that you 779 00:44:57,440 --> 00:44:59,880 Speaker 1: can follow to try and protect yourself and keeping in 780 00:45:00,040 --> 00:45:02,040 Speaker 1: line that you know, a lot of this also depends 781 00:45:02,120 --> 00:45:06,319 Speaker 1: upon the other parties involved. Yeah, and so looking back 782 00:45:06,360 --> 00:45:10,760 Speaker 1: at at at Matt hone and did he do something 783 00:45:11,040 --> 00:45:15,319 Speaker 1: wrong or you know, deserving of being you know, you know, 784 00:45:15,400 --> 00:45:17,640 Speaker 1: really he could have been any of us. And even 785 00:45:17,680 --> 00:45:21,000 Speaker 1: though he's a known tech journalist, he you know, sort 786 00:45:21,040 --> 00:45:23,719 Speaker 1: of succumbed to being human. You know, he had the 787 00:45:23,719 --> 00:45:25,680 Speaker 1: same password, he didn't change it for a long time. 788 00:45:25,719 --> 00:45:27,960 Speaker 1: He's probably told he didn't back up. And I'm sure 789 00:45:28,000 --> 00:45:30,120 Speaker 1: he's probably told people to do that a thousand times, 790 00:45:30,160 --> 00:45:32,440 Speaker 1: just like we have. You know, we're all guilty of 791 00:45:32,480 --> 00:45:34,960 Speaker 1: doing these little things because their pains in the neck. 792 00:45:35,040 --> 00:45:36,279 Speaker 1: We don't want to do it, we don't have time 793 00:45:36,320 --> 00:45:38,840 Speaker 1: to do it. I mean, he's got kids times of 794 00:45:38,920 --> 00:45:41,359 Speaker 1: premium for him, just like it is for so many 795 00:45:41,400 --> 00:45:44,880 Speaker 1: of us. Um, you know, is it is it Apple's 796 00:45:44,880 --> 00:45:47,880 Speaker 1: fault in particular? Is it Amazon's fault in particular? The 797 00:45:47,920 --> 00:45:50,680 Speaker 1: only people who are are really at fault of the hackers. Yeah, 798 00:45:50,719 --> 00:45:53,279 Speaker 1: it's it's it's the combination of all of these things 799 00:45:53,280 --> 00:45:56,399 Speaker 1: together that made it possible. It's the hackers that are 800 00:45:56,440 --> 00:45:59,680 Speaker 1: really at fault. Yeah, And the thing is, yeah, we're 801 00:45:59,719 --> 00:46:02,879 Speaker 1: all busy, and none of us really wants to make 802 00:46:02,960 --> 00:46:07,560 Speaker 1: up a new, you know, twenty four digit password for 803 00:46:07,600 --> 00:46:10,839 Speaker 1: each thing and worry about them. No, none of us 804 00:46:10,880 --> 00:46:13,880 Speaker 1: really wants to mess with that. But the truth of 805 00:46:13,920 --> 00:46:16,960 Speaker 1: the matter is that all these systems worked together to 806 00:46:17,080 --> 00:46:20,560 Speaker 1: make this possible. And and it's true for all of us. 807 00:46:20,600 --> 00:46:23,600 Speaker 1: I mean, these these vulnerabilities are vulnerable for all of us. 808 00:46:23,840 --> 00:46:26,239 Speaker 1: It's I know that Amazon and Apple both have thought 809 00:46:26,239 --> 00:46:31,959 Speaker 1: about this. It's still kind of fresh um as the recording, Yeah, 810 00:46:32,200 --> 00:46:35,120 Speaker 1: as they're recording this podcast. So you know, neither of them, 811 00:46:35,160 --> 00:46:38,600 Speaker 1: I don't think, have made some public proclamation about how 812 00:46:39,120 --> 00:46:43,359 Speaker 1: they're going to fix this going forward quote unquote fix 813 00:46:43,400 --> 00:46:47,600 Speaker 1: it again. How what do you do? It's not obvious 814 00:46:47,640 --> 00:46:50,000 Speaker 1: to do this, So I think the two part authentication 815 00:46:50,120 --> 00:46:54,440 Speaker 1: is probably one of the the more obvious approaches. And uh, 816 00:46:54,600 --> 00:46:58,960 Speaker 1: well we might see some other elements thrown in there too, 817 00:46:59,239 --> 00:47:01,480 Speaker 1: And and how of her I have seen people say, yeah, 818 00:47:01,480 --> 00:47:04,040 Speaker 1: and I turned this on and it was the point 819 00:47:04,080 --> 00:47:06,880 Speaker 1: I was making earlier. It made it so difficult that 820 00:47:06,960 --> 00:47:09,279 Speaker 1: it took me two weeks to figure out how to 821 00:47:09,320 --> 00:47:11,680 Speaker 1: get back into my account, and it was a real 822 00:47:11,719 --> 00:47:14,080 Speaker 1: pain in the neck. I got in, but it took 823 00:47:14,080 --> 00:47:17,000 Speaker 1: me a while because I kind of, uh laid myself 824 00:47:17,040 --> 00:47:20,680 Speaker 1: a trap. So it's it's one of those things where 825 00:47:20,719 --> 00:47:23,000 Speaker 1: I think you kind of have to work into it 826 00:47:23,040 --> 00:47:25,000 Speaker 1: and think about this stuff when you set it up 827 00:47:25,120 --> 00:47:28,120 Speaker 1: and go back and look at your accounts and see 828 00:47:28,160 --> 00:47:31,160 Speaker 1: how it's laid out to fix this for yourself. Yeah, 829 00:47:31,160 --> 00:47:33,440 Speaker 1: this is this is why it's really important for companies 830 00:47:33,440 --> 00:47:38,359 Speaker 1: to uh to hire white hat hackers who I mean, 831 00:47:38,400 --> 00:47:40,680 Speaker 1: all they do is look at systems and try and 832 00:47:40,719 --> 00:47:44,640 Speaker 1: find ways to to breach systems so that those systems 833 00:47:44,680 --> 00:47:48,080 Speaker 1: can be improved over time. And it's important to get 834 00:47:48,080 --> 00:47:50,520 Speaker 1: a third party to do it because when you design 835 00:47:50,560 --> 00:47:53,720 Speaker 1: a system again, you may be thinking of the obvious 836 00:47:53,719 --> 00:47:56,920 Speaker 1: points of injury, which is where you've really really put 837 00:47:56,960 --> 00:48:00,160 Speaker 1: in great security, right like you know, like there's no 838 00:48:00,200 --> 00:48:01,960 Speaker 1: way anyone's going to get through this, at least not 839 00:48:02,000 --> 00:48:04,279 Speaker 1: in the next five years. We require people to use 840 00:48:04,680 --> 00:48:07,640 Speaker 1: non alpha numeric characters, Well, that's great if they're going 841 00:48:07,680 --> 00:48:10,560 Speaker 1: to use the password in case they used a backdoor. Yeah. 842 00:48:10,600 --> 00:48:12,919 Speaker 1: So again that's why you want to have a third party, 843 00:48:12,960 --> 00:48:15,840 Speaker 1: because they're not thinking the way you think. They're thinking 844 00:48:15,960 --> 00:48:19,239 Speaker 1: how do I get into this system? Not not how 845 00:48:19,280 --> 00:48:23,080 Speaker 1: strong do I make this door? So yeah, there's certain 846 00:48:23,080 --> 00:48:25,279 Speaker 1: things companies can do, um, but there are a lot 847 00:48:25,280 --> 00:48:28,840 Speaker 1: of things we can do as customers, as users to 848 00:48:28,840 --> 00:48:31,920 Speaker 1: try and protect ourselves. And uh. And it's a great 849 00:48:32,000 --> 00:48:35,560 Speaker 1: responsible to you. Don't forget it's a cautionary tale. And uh, 850 00:48:35,600 --> 00:48:38,160 Speaker 1: I mean in a way it could have turned out 851 00:48:38,440 --> 00:48:42,919 Speaker 1: way worse than it did. Um. So I'm sure, I'm 852 00:48:42,960 --> 00:48:46,560 Speaker 1: sure there's some solace in that for Honan, But I 853 00:48:46,600 --> 00:48:49,799 Speaker 1: mean I can't imagine how and I really don't want 854 00:48:49,840 --> 00:48:55,640 Speaker 1: to imagine how how how he felt when all that happened. Uh. Anyway, 855 00:48:55,680 --> 00:49:00,719 Speaker 1: that wraps up this discussion about the cloud security, maintaining 856 00:49:00,719 --> 00:49:05,200 Speaker 1: your own security there and uh and and the problems 857 00:49:05,239 --> 00:49:08,520 Speaker 1: that exist in our digital age. So you guys, if 858 00:49:08,520 --> 00:49:10,759 Speaker 1: you have any suggestions for topics we should cover in 859 00:49:10,840 --> 00:49:13,600 Speaker 1: future episodes of tech Stuff, you can let us know 860 00:49:13,680 --> 00:49:16,200 Speaker 1: by sending us an email are adjust as tech Stuff 861 00:49:16,239 --> 00:49:19,319 Speaker 1: at Discovery dot com, or send us a message on 862 00:49:19,320 --> 00:49:21,440 Speaker 1: Facebook or Twitter, or handle it both of those is 863 00:49:21,560 --> 00:49:24,279 Speaker 1: text stuff. H. S W and Chris and I will 864 00:49:24,280 --> 00:49:27,960 Speaker 1: talk to you again really soon. For more on this 865 00:49:28,120 --> 00:49:35,160 Speaker 1: and thousands of other topics, visit how stuff works dot com. 866 00:49:35,320 --> 00:49:38,000 Speaker 1: Brought to you by the reinvented two thousand twelve Camray. 867 00:49:38,200 --> 00:49:39,399 Speaker 1: It's ready, are you