0:00

This is a very different scene scene

0:02

to last week in last week

0:04

in Dubai. listening to in

0:06

case you're listening to this later

0:08

on. I'm sitting in Oslo, I'm sitting

0:11

in front of a fireplace, not which

0:13

is scene. It my normal scene. scene the

0:15

certainly wasn't the scene the last

0:17

two weeks and I'm honored to But

0:19

yeah, back in in Oslo, here, get a here

0:21

today, George from South Africa. Yeah,

0:24

that's a long way from home

0:26

too, mate. from home too, mate. Back

0:29

home, the on the hemisphere, isn't it? isn't it?

0:31

Yeah. funny how many people people here

0:33

are like, we got yesterday, went got to

0:35

Oslo the security and the customs, and

0:37

and the guys trying to like

0:39

wrap his head around the fact that

0:41

wrap at home. the George knows all

0:43

about that at home. South Africa. all So In

0:45

we're here in So yes, we're here in Oslo.

0:47

First night, not in hotel for the last couple

0:49

of weeks, which was really nice, we're in

0:52

an It's really nice. We're tended to do when we

0:54

come back to Oslo, course, to do when we Norwegian,

0:56

to Oslo we come back to Oslo. is the second

0:58

home. But anyway, we're to get an Airbnb

1:00

to get we Airbnb here so we can like have

1:02

people ask for your room number

1:04

every single morning when you have

1:06

breakfast. morning when you have much fun as

1:08

travel is. travel is, Some things get

1:10

super, super repetitive and it's And it's

1:12

like, ask for your room number. Every

1:14

time you your room can I take your

1:17

bag? time it's very, very nice, but it's

1:19

starting to feel bag? Yes, it's very, hotel. but it's starting to

1:21

feel like a living hotel. So, this time of night,

1:23

of course of an Aussie. Yeah, but it's

1:25

an Aussie, but... but... in In Norway, What

1:27

time of night is it? Oh it's home. There

1:29

you go. There .m. at home. at home. So

1:31

no, it is 10 a .m. and

1:34

a little bit in in Oslo.

1:36

And apparently it is degrees as well. as

1:38

well, which is actually - a little

1:40

bit of a little this time of year. for

1:42

this time of year. But yeah, Yeah, apparently it's

1:44

a late snow season, which kind of

1:46

sucks we've got a week in

1:48

Oslo a a week Oslo before a week Scott

1:51

Helm as well. So I'm going to

1:53

try and do next week's video, probably exactly

1:55

one week from now with Scott Helm Scott

1:57

how I'm snow. a cabinet was All right, fun. All right,

1:59

do do sponsor and then I'll go on with

2:01

the other stuff before I go out

2:04

and get a little bit of, there's

2:06

a tiny bit of sun, actually, coming

2:08

through an Oslo, which is nice. Sponsored

2:10

by one password, extended access management. You

2:12

heard of these guys? Big big big

2:14

sponsors here, secure every sign in, on

2:17

every app, on every device. Now, of

2:19

course, this particular extended access management has

2:21

come by courtesy, the collide acquisition acquisition,

2:23

which is now well and truly a

2:25

part of one password. Modern security and

2:27

IT teams need to make sure every

2:30

identity device and application is secure. Only

2:32

one password extended access management checks every

2:34

box. And I think we're going to

2:36

do some other cool stuff with one

2:38

password in the year coming because it

2:40

turns out that so far not everyone

2:43

has either got a password manager or

2:45

as it relates to ZAM is actually

2:47

securing all of the devices. Now having

2:49

said that if people did do all

2:51

this stuff right I would be able

2:54

to a job and there be much

2:56

less interesting stuff to talk about. So,

2:58

be that as it may, what do

3:00

I have on the list today? Now,

3:02

I'm kind of looking all over the

3:04

place, because I'm holding my iPad here,

3:07

so I can read sponsor stuff, I've

3:09

got my PC there, so I can

3:11

see the messages, and this is the

3:13

joy of, I guess, being on the

3:15

road with this sort of gear. Oh,

3:17

fun story. When we flew into Dubai

3:20

two weeks ago, so I went to

3:22

Brisbane, Dubai, and then it was just

3:24

a transit in Moscow in Oman. Flew

3:27

in same deal as always collect

3:29

all the suitcases and we're walking

3:32

out through security and there's a

3:34

couple of I Think when you're

3:36

in the Middle East all the

3:38

security people look extra serious You

3:40

know and I mean there's like

3:42

the physical security people guys with

3:44

guns at airports and stuff they

3:46

all look extra serious and one

3:48

of them like points at me

3:50

and he's like come over here

3:52

because they want to x-ray my

3:54

bag as I left so I've

3:56

already collected my bag from the

3:58

carousel and everything So they want

4:00

to x-ray my bag and I

4:02

was like, oh, I was. must

4:04

just be a random thing. Go

4:06

through the x-ray my bag and

4:08

then, all right, put the bag

4:10

on the table, open it up.

4:12

And he's going through the bag

4:14

and he obviously knows exactly where

4:16

he's going and he pulls out

4:18

an audio recorder. So I took

4:20

with me one of these like

4:22

road audiovis, road? Oh, forget who

4:24

it is. You know, it's an

4:26

audio recorder. So one of the

4:28

dedicated units is about, yeah, big

4:30

size of, I don't know, fraction

4:32

of the size of a shoe

4:34

box. with a couple of mics,

4:36

it's in a plastic case, took

4:38

it with me, so Scott Helm

4:40

and I could record some stuff

4:42

next week. And then they're grilling

4:44

me on this and they're like,

4:46

what's this for? Recording, what do

4:48

you do? Cybersecurity? And anyway, I

4:50

think that they were worried that

4:52

I was coming there to like

4:55

record stuff? I don't know. So

4:57

anyway, I managed to talk myself

4:59

out of that, but I thought

5:01

that was an interesting thing. I've

5:03

never been pulled over before before

5:05

for having an audio recorder recorder

5:07

in my luggage. So yeah fun

5:09

times there getting grilled by Dubai

5:11

security. Any other comments here? James

5:13

is saying London I might be

5:15

getting more light here in the

5:17

middle of the night. Hip-o-box says

5:19

hello Troy do you know the

5:21

motive behind the internet archive hack?

5:23

Was it ever known why? I

5:25

don't. I only know the party

5:27

that I communicated with that sent

5:29

me data who I think it's

5:31

implied that they were the first

5:33

party to the breach, the person

5:35

who might have been responsible for

5:37

it. It's always a hard thing

5:39

where data comes to me by

5:41

everything from the first party to

5:43

a breach all the way through

5:45

to the FBI, you know, and

5:47

then in between is obvious to

5:49

find it on popular hacking forums

5:51

and infersek professionals and large infersek

5:53

companies you all know of that

5:55

might find this data and go,

5:57

look, this is useful, we want

5:59

to let people know. But that

6:01

party that sent it to me,

6:03

or rather I think the party

6:05

that was responsible for the breach,

6:07

might be the same party, is

6:09

also the one that did the

6:11

defacement. But it seems to be

6:13

different to the party that did

6:15

the dedos. Now, was it just

6:18

coincidental? Was there any coordination? I

6:20

don't know. And if I'm honest,

6:22

and someone please correct me if

6:24

I'm wrong, but I haven't seen

6:26

any decent information from Incenta Darko

6:28

at this. I certainly haven't seen

6:30

any disclosure notices go to the

6:32

tens of millions of people that

6:34

were in that bridge. And then

6:36

we're back to the same old

6:38

story again of data breaches. do

6:40

not mean, regardless of where you

6:42

are, and if you're in smack-bang

6:44

middle of GDPR territory, they don't

6:46

mean that you always have to

6:48

notify the individuals in the breach.

6:50

If it's not likely to cause,

6:52

what's the right word, if it's

6:54

not likely to jeopardize the rights

6:56

and freedoms of the individuals, or

6:58

in Australia under a notifiable data

7:00

breach scheme, if it's not likely

7:02

to cause serious harm, you don't

7:04

need to tell the individuals unless

7:06

it includes sensitive PII such as

7:08

health data. You do have to

7:10

tell the regulator, usually, as carve-outs,

7:12

usually, so you end up with

7:14

situations like with the Internet Archive,

7:16

they're in California, I'm sure that

7:18

under CCPA they did their reporting

7:20

to the, I know Governor General's

7:22

office or whatever it is, regulatory

7:24

bodywise in California, but they haven't

7:26

told the people, because if they

7:28

did send 30 million emails with

7:30

disclosure notices... At least 30 people

7:32

would then email me and go,

7:34

hey, here's the notice. So, that

7:36

hasn't happened. And it's unfortunate because

7:38

I think we all hold into

7:41

the archive in high esteem in

7:43

terms of being a non-profit for

7:45

the people. And yeah, so no,

7:47

look, I don't know the motive.

7:49

I do not know. It could

7:51

simply be because it was there.

7:53

This is very, very often the

7:55

motive. It's not necessarily financial because

7:57

it was there, because it was

7:59

there. James is in the US

8:01

the passengers that that have all

8:03

the guns. Geez, TSA grabbed 6,737

8:05

firearms last year. That number actually

8:07

seems small considering A, how many

8:09

people there are in America, and

8:11

B, how many guns there are

8:13

in America. So that actually, I

8:15

don't know, maybe that's good. Hippobox

8:17

says because a year ago the

8:19

internet archive Gitlob sub domain was

8:21

public and I assumed it was

8:23

open source code, but they closed

8:25

it due to the hack and

8:27

I'm thinking... I was in a

8:29

place that I shouldn't be. Well

8:31

look I wouldn't be right about

8:33

that if you weren't then going

8:35

on and doing nasty things with

8:37

the data. So I do have

8:39

a recollection of something to do

8:41

with get related secrets being exposed

8:43

somewhere that might have been the

8:45

vector for the hack. One of

8:47

the pipe dreams I have, among

8:49

many, is that we really don't

8:51

have a canonical source of data

8:53

breaches and attack vectors and all

8:55

sorts of categorizations and other metadata

8:57

attributes about them that would be

8:59

really useful in discussions like this.

9:01

It would be great if there

9:04

was the Wikipedia of data breaches

9:06

and it wasn't run by some

9:08

multinational who was using it to

9:10

make the big butts but it

9:12

was there as a community service.

9:14

It would be really interesting to

9:16

have that where people could then

9:18

contribute and go actually this is

9:20

what happened. Wikimedia breaches as James

9:22

Randall says. I'd be happy with.

9:24

Well, yeah, I just suddenly felt

9:26

a bit wicky leaks, which I

9:28

think is a bit more controversial.

9:30

But we don't have a canonical

9:32

resource, and that's a little bit

9:34

sucky. Let me tell you a

9:36

few more things about Dubai, since

9:38

we're here, because that was an

9:40

interesting experience, and one of those

9:42

posts in particular got a lot

9:44

of engagement on Twitter that was

9:46

mostly good. Some of that. I

9:50

think I figured I'd flown through Dubai

9:52

about three dozen times and never been

9:55

outside the airport. And this was the

9:57

first time I went out. And I

9:59

had heard from many people that they

10:02

either loved it or hated it. And

10:04

the impression I always got was a

10:06

bit like Vegas. So there's probably more

10:09

people listening to this that have been

10:11

to Vegas than do Bice. And maybe

10:13

this will resonate. But the first time

10:16

I went to Vegas. I flew in

10:18

late one night, I had to do

10:20

a talk first thing the next day,

10:23

and then I flew straight out. And

10:25

I just flew in and there were

10:27

like slot machines ever in the airport

10:30

and smoke, and then you go in

10:32

the casino and smoke and noise and

10:34

I was just like, this place sucks.

10:37

I really disliked it. And then the

10:39

second time I went there, I had

10:41

a bit more time and I made

10:44

one and took me out hiking in

10:46

Red Rock Canyon and it was like,

10:48

oh, this actually isn't too bad. And

10:51

then the third time. I was with

10:53

Charlotte and I was with Scott Helmin,

10:55

his wife as well, and we were

10:58

just like lambaginis in the desert and

11:00

shows and laying around by the pool

11:02

and command, like we just did all

11:05

of the Vegas stuff and I was

11:07

like, all right, this, you don't want

11:09

to live like this, but this is

11:12

actually kind of fun if you just

11:14

take that one week and you go

11:16

a little bit nuts. And actually my

11:19

fourth time of Vegas was only, like

11:21

two months ago, like two months ago,

11:23

and we did, like, really strikes me

11:26

is the yeah people say there's a

11:28

lot of excess and I knew to

11:30

expect that but not that much the

11:33

amount of money just on the roads

11:35

is nuts now one of the things

11:37

I learned is apparently there's no income

11:40

tax in Dubai so imagine depending on

11:42

where you are in the world how

11:44

much tax you pay and if suddenly

11:47

you had that to be able to

11:49

spend on Cars designer handbags houses nice

11:51

to like whatever it is that is

11:54

your thing and it starts to explain

11:56

it But the cars in particular were

11:58

just Just nuts now what I mean

12:01

by this is a car person and

12:03

if you're not a car person It's

12:05

only be a couple minutes. Maybe you'll

12:08

get some of it We see a

12:10

lot of nice cars where we live

12:12

in Australia, particularly at the schools where

12:15

those parents have got a bit of

12:17

money. There's a lot of range drivers

12:19

and things like this. But the equivalent

12:22

to buy is Rolls Royce's and gazillions

12:24

of G63, AMG, G. G. Wagons, very

12:26

often of the Brabris variety, which is

12:29

X number of hundreds of thousands of

12:31

dollars more. Going into a car showroom,

12:33

just seeing multiple Bugatti Sharans lined up,

12:36

which are multiple millions of dollars each.

12:38

To the point where in the showroom,

12:40

we're seeing that, we're seeing Aston Martin,

12:43

Valkyrie and Ford GT's, didn't see any

12:45

conics eggs, surprised me actually. Ferrari, Ferrari,

12:47

Ferrari, Ferrari, there, Lafayette, converter, the spider,

12:50

that they are asking, I think, in

12:52

US dollars, it was approaching 10 million

12:54

US dollars, US dollars, for the car.

12:57

I didn't even notice the normal McLaren

12:59

when I walked around there. So suddenly

13:01

everything just changed context, right? Like the

13:04

wealth and excess. And then we went

13:06

to another car show and it was

13:08

pretty much the same. And then we

13:10

were driving back to the airport yesterday

13:13

morning and I was like, gee, I

13:15

didn't see that car show. There's like

13:17

half a dozen spaghetti shorons just all

13:20

lined up. It's just, it is insane

13:22

money. surprised me to the extent of

13:24

the wealth. A lot of Russians there

13:27

as well. I asked JetGP too, like

13:29

why are there so many Russians in

13:31

Dubai? And apparently it's a combination of

13:34

the UAE being pretty neutral on the

13:36

current Russia situation, whereas most of where

13:38

most of us are from, including Australia,

13:41

it's pretty clear about how they feel

13:43

about the whole Russia situation. Very, very

13:45

easy to get visas as well. Apparently

13:48

for the Russian folks, I imagine it

13:50

would be quite hard for someone who

13:52

was Russian to come and visit Australia

13:55

and all that. And then of course

13:57

Russia is maybe not the best place

13:59

to be at the moment, so people

14:02

want to travel. Which meant particularly the

14:04

second place you stayed in Dubai, which...

14:06

was for those you the familiar with

14:09

the area was more around the Jamir

14:11

al-arab that's that building that looks like

14:13

a sale at six-door hotel I didn't

14:16

stay there but near there around that

14:18

area just don't like a lot of

14:20

Russian people as the as the as

14:23

three creepier says here no conics a

14:25

tragic there are quite a few of

14:27

them in those parts I'm sure we

14:30

just didn't go to the right showroom

14:32

there are a lot of it's kind

14:34

of like there's There's layers, right? So

14:37

we are very fortunate to have a

14:39

McLaren at home. We have a 720S.

14:41

We love it. To me, that was

14:44

like, my God, like, we have absolutely

14:46

made it in life. Be able to

14:48

have the choice to have this. And

14:51

then there's a completely different layer, which

14:53

is beguaddy shirons and Aston Martin Velkries

14:55

and that the hypercar level. And then

14:58

even around... Somewhere in between those, there's

15:00

like, well, there's a lot of g-wagons,

15:02

but then they're bravest g-wagg-wagons, there's a

15:05

lot of farraries, but they're Mansuri, or

15:07

Mansori Rolls-Royces, or... What's the farrion thing

15:09

of... Oh, I forget. There's so many

15:12

different things that you just... It's like

15:14

information, because it changes your perspective. Which

15:16

is good. Shiny dog says, morning from

15:19

the UK, just catching you live for

15:21

once, before dashing off my holes for

15:23

two weeks. Well, good on you. That's

15:26

a Christmas holiday. Good man. So, there

15:28

was all that in Dubai. It's, it

15:30

is, I remember hearing stories about Dubai,

15:33

let's say 20 years ago. Now, Dubai

15:35

has really only become what we know

15:37

of to buy today, I'd say in

15:40

the last 10 to 15 years, based

15:42

on... my reading, you know, massive hires,

15:44

they're very huge amounts of wealth. Obviously

15:47

massive investment by the UAE government, having

15:49

a lot of oil seems to have

15:51

helped and I just recall all these

15:54

stories about if you do the wrong

15:56

thing there, not so much tolerance. Now,

15:58

I say this having spent several years

16:01

as a kid growing up in Singapore

16:03

as well, as a teenager, which is

16:05

very, very similar, like you just know

16:08

as an expat living in a country

16:10

like that, their rules are different to

16:12

yours. For example, I remember being there,

16:15

someone who was in a larger group

16:17

of circle of friends, someone who didn't

16:19

know directly, but... A lot of the

16:22

time when your ex-patts there, you know

16:24

people who know people. Anyway, this guy

16:26

was 18, he spray paint some cars,

16:29

corporal punishment, got caned. Like literally, physically,

16:31

cane. Like, don't spray paint cars, it's

16:33

dumb, that's stupid. If you do that

16:36

at home, you get a proverbial kick

16:38

up the button, that's it. You do

16:40

it in a place like Singapore, they

16:43

pull down your pants and they whip

16:45

your ass. Like literally. It's a big

16:47

thing, this must have, this must have

16:49

been, this must have been, this must

16:52

have been, this must have been, 1992,

16:54

1992, 1992, 1992, 1992, 1992, 1992, 1992,

16:56

1992, 1992, 1993, 1993, 1993, 1993, So,

16:59

you expect that in places like Singapore

17:01

and like Dubai. And for the most

17:03

part, it feels very modern and open

17:06

and western. We're sort of conscious of

17:08

what will Charlotte, now 12-year-old daughter, Al,

17:10

wear. Like, do you have to cover

17:13

up your shoulders or your head, look?

17:15

And for the, yeah, hotels are pretty

17:17

much normal. No one really thinks too

17:20

much about it. Certainly you go to

17:22

the pool, and you wear what you'd

17:24

wear at the pool in Australia. And

17:27

I don't think we really did anything

17:29

different, Wandering around town. Maybe an Oman

17:31

or a little village is a little

17:34

bit different. Or alcohol. You can still

17:36

get a beer anywhere you want. Pretty

17:38

much anywhere you want. Certainly any hotels,

17:41

any nice restaurants. It costs a lot.

17:43

Every single meal we had in Dubai,

17:45

short of I think one place that

17:48

was in a much more local kind

17:50

of restaurant for lunch, was eye wateringly

17:52

expensive. Staggeringly expensive.

17:55

Like easily double what we'd pay

17:57

for the same sort of thing

17:59

at home. But for the most

18:01

part, it's a fairly modern liberal

18:03

place. And then you just get

18:05

these little glimpses where you're like,

18:07

I'm not in Kansas anymore. So

18:09

Charlotte was trying on some clothes

18:11

in a store in Dubai Mall.

18:13

It's the world's largest mall. Mall

18:15

of Dubai. Oh, Chevron. It's the

18:17

one near the verge cleaf of

18:19

the massive tower. And you know

18:21

when you go into a change

18:23

room anywhere. Normally there's like, you

18:25

know, there's like a front desk,

18:27

there's a long hallway, and then

18:29

there's all the doors, and all

18:31

the doors, you go into the

18:33

door, you lock the door, you

18:35

get changed, check your clothes, when

18:37

you're done, you come out. And

18:39

Charlotte calls me and she said,

18:41

hey, come and have a look

18:43

at this thing, I'm trying on.

18:45

So I'm like, you cannot come

18:47

in here. I'm like, I'm not...

18:49

Like going into the room, like

18:51

I'm standing in the hallway because

18:53

my wife is over there and

18:56

she's called me to come and

18:58

have a look. And like, they

19:00

said, yeah, they could get fined.

19:02

And that was when I decided

19:04

that's, you can't really argue that

19:06

anymore. Or sitting around the pool,

19:08

this was the one that actually

19:10

made me want to go home.

19:12

It's so minor, but it was

19:14

just a, just touched a raw

19:16

nerve. You go to the pool

19:18

at the hotel. There are nine

19:20

lifeguards. around a very small pool

19:22

that is 1.2 meters deep and

19:24

has nobody in it. Nine! Nine

19:26

lifeguards! And now our 12-year-old daughter

19:28

gets a mock tile in a

19:30

plastic cup like we do at

19:32

any swimming pool pretty much anywhere

19:34

in the world and sits in

19:36

the pool with the plastic cup

19:38

and the mock tile, which you're

19:40

not allowed to do. Very unhappy.

19:42

She took her plastic cup. And

19:44

I just like... I've been at

19:46

like a lot of nice pools

19:48

and a lot of nice hotels

19:50

and the thing you do... you

19:52

always end up like laying there

19:54

in the pool with a beer

19:56

or a glass of champagne or

19:58

something and it's it's nice and

20:00

it's a plastic glass because it

20:02

could break and all the rest

20:04

of it so anyway there's just

20:06

these little glimpses these little reminders

20:09

that things were very very different

20:11

I really enjoyed my trip there

20:13

I'll be happy to go back

20:15

to Dubai I am really now

20:17

enjoying being an Oslo which is

20:19

a lot more familiar for us

20:21

because of the Norwegian history as

20:23

well as just everything else to

20:25

sidely is I guess much more

20:27

on point with the way we

20:29

are at home. Now, last thing

20:31

before I go on with some

20:33

infosak bits. There was one set

20:35

of responses to one tweet that

20:37

I ended up doing a larger

20:39

threat on. When I went to

20:41

the first like ridiculously over-the-top car

20:43

showroom and I took some photos

20:45

and I took there was a

20:47

very very nice Pagani, there was

20:49

a baguetti devo. Sure. Dio. There

20:51

was, what else was in the

20:53

picture, there was a Valkyrie and

20:55

something else. Trying to remember what

20:57

it was. Anyway, put the tweet

20:59

on and I was like, you

21:01

know, shopping in Dubai, like which

21:03

one would you take kind of

21:05

thing. Now, it's not like I

21:07

was going there to buy one

21:09

of these cars. It was clearly

21:11

just window shopping. And so, it

21:13

was a little bit like the

21:15

Twitter of old. It made me

21:17

a little bit reminiscent actually, because

21:19

there was a lot of engagement.

21:21

This is freaking awesome, is that

21:24

a Valkyrie No Way? Cool. And

21:26

then there's just like 1% of

21:28

people who were very upset at

21:30

how much I was enjoying, looking

21:32

at cars. And it just fascinates

21:34

me why someone would be upset

21:36

with that. And I end up

21:38

doing a threat on it and

21:40

I sort of explained, for me

21:42

cars, they're an ambition thing. And

21:44

I actually had the... the tweet

21:46

that I put out in 2017

21:48

about that McLaren's having 20 is

21:50

like, wow, this is like, I'm

21:52

beginning to cover this, like this

21:54

is obviously a dream. And then

21:56

many many many many many years

21:58

later, finally having that ability in

22:00

life to go and buy that

22:02

thing that had been an ambition

22:04

and a driver and a motivation.

22:06

And I felt so good about

22:08

it and everyone that sees it

22:10

loves it and it's such a

22:12

nice positive thing. But there's keyboard

22:14

warriors. And I think what it

22:16

boils down to is it's this

22:18

tall poppy cinder and situation. I

22:20

think it's a very Australian term,

22:22

but it is the displeasure at

22:24

the success or perceived success of

22:26

other people. and the desire to

22:28

then go out and bash the

22:30

keyboard and rant and rave about

22:32

it. Now if you go and

22:34

have a look at my recent

22:37

tweets, I'll put a link to

22:39

it in the notes later on,

22:41

and you have a look at

22:43

some of those responses. You just,

22:45

no one's ever going to say

22:47

that to you in person. No

22:49

one ever says that in person.

22:51

It's kind of like, as it's

22:53

unless you teach the kids, I

22:55

don't say anything to someone or

22:57

about someone unless you be willing

22:59

to say it to their face.

23:01

Okay, let's do some data stuff.

23:03

Data infersick, data breach stuff. Failed

23:05

Microsoft account logins. Now, I got

23:07

up one morning a couple of

23:09

days ago, and I had an

23:11

alert that someone was trying to...

23:13

I just sent this from three

23:15

creepiers. If you're in Norway, you

23:17

have to respect Yanta. So Yanta,

23:19

I think Yanta Lovan is the

23:21

forward, isn't it? Which is like

23:23

the tall puppy syndrome. It's about

23:25

not showing success or wealth of

23:27

being demure. I think it's a

23:29

little bit of a Scandinavian behavioral

23:31

trait. Yeah, apparently I got that

23:33

right. I am practicing. My duolingo

23:35

lingo is going great. Thank you.

23:37

It's a personal thing. Where were

23:39

we? Filed Longin' Attempts. So I

23:41

got up one morning and I

23:43

had an email about Filed Login'

23:45

Attempts to a Microsoft account. It

23:47

took me a while to join

23:49

the dots, but it was, I

23:52

forget how I phrased it was,

23:54

unusual behaviour. observed on Ari's account,

23:56

my 15-year-old son, and it was

23:58

about 11 p.m. or something, which

24:00

was well after our bedtime, and

24:02

I said to him in the

24:04

morning, I said, mate, were you

24:06

like logging in or anything last

24:08

night? I said, no, I don't

24:10

know. And his account was pretty

24:12

locked down. I was pretty sure

24:14

that wasn't the problem. So we'd

24:16

go into his Microsoft account. Look

24:18

at failed login to his account.

24:20

There's kind of surprises me because

24:22

he's only 15 and he doesn't

24:24

do a lot of stuff online,

24:26

even though he's had the account

24:28

for years. That email address hasn't

24:30

really been a lot of places.

24:32

Now inevitably it might have been

24:34

enough places, but there was just

24:36

this constant flow of people trying

24:38

to log into the account. And

24:40

when you look at the information

24:42

that Microsoft gives you about the

24:44

login attempts as well, they're all

24:46

over the world. You know, it's

24:48

just like... jumping from summer in

24:50

South America to summer in Africa

24:52

to somewhere in Africa to somewhere

24:54

in the Middle East back with

24:56

the Fords. And then I went

24:58

into my Microsoft account and saw

25:00

exactly the same thing at the

25:02

same period. And I tweeted this

25:05

publicly and a lot of people

25:07

came back and said the same

25:09

thing, seeing the same behaviour. Now,

25:11

some of the responses to this

25:13

I think could kind of missed

25:15

what was going on here because

25:17

they would say things like, well

25:19

obviously you're using a username and

25:21

password, we're exposed and someone logging

25:23

into your account. No, that's not

25:25

what happened. Every single one of

25:27

these is a login attempt for

25:29

the correct email address and the

25:31

wrong password. Now keeping mind an

25:33

email address is pretty much a

25:35

public attribute. Your email only works

25:37

by giving it to someone else.

25:39

It is not a secret. Now

25:41

what that means is anyone that

25:43

knows your email address can create

25:45

those log events that we were

25:47

seeing for Ari's account and for

25:49

my account. Now of course on top

25:51

of that you have a strong password so if you have

25:53

that you're solid and then of course if you have Multifact

25:55

authentication as well you're even more solid and as many

25:57

Many people said he can turn on passwordless.

25:59

Now that's something that we have now

26:01

done for his account, so I'm

26:03

not sure if someone tries

26:05

to log on to that account

26:08

it will just jump straight to

26:10

passwordless, which will then send the

26:12

prompt to the multi -factor authentication

26:14

to the multi-factor the authentication

26:16

at the Microsoft Authenticator. I imagine

26:18

That's interesting. to check that did find

26:20

going in and setting that

26:22

up for him. going in the setting that

26:24

up for him. I do worry I do

26:27

worry about what happens with that authenticator

26:29

app up. if he's fine, phone disappears. we

26:31

have have other recovery options go

26:33

into go into detail on

26:35

for obvious reasons. I love that passwordless option,

26:37

but love that does it really matter if

26:39

you've got a But then again, does

26:42

it really matter if you've got a

26:44

strong password and multi -factor authentication anyway?

26:46

not. You can't be fished, Possibly if you can't

26:48

be multi-factor authentication, which But if you're using using authentication,

26:50

which is the same as using the Microsoft

26:52

what they do app, which is just what they

26:54

do for well then really you've just just taken away one

26:56

factor, haven't you? you? If

27:00

If someone like me who thinks a lot about

27:02

this stuff has to sit here and wonder

27:05

which one actually makes the most sense, right, the most

27:07

do you think it is for most people? for most

27:09

people? Hmm, Hmm, interesting. I didn't

27:11

see past key as an option. I didn't the past

27:13

an option. I do like the pass

27:15

keys. think If keys knows if you can a great

27:17

model. key in your If anyone knows if you

27:19

can use a pass key in your Microsoft

27:22

know. But please let me know. But I

27:24

think the options there are pretty much physical

27:26

key, SMS key, Microsoft Microsoft Authent Authentanticator

27:28

app. So, interesting. A

27:31

Couple of data breaches. I found time

27:33

this morning to process two data

27:35

breaches. part of the of the reason I

27:37

did these both together is is one of

27:39

the things we're noticing with with have I

27:41

been now that we're doing massive flare

27:44

at people query the such that as people

27:46

query don't know what hash is if you don't

27:48

know what that is, long Google it.

27:50

Long story, I won't get into

27:52

it now. But as But as people start

27:54

to search the email addresses, we

27:56

gradually build up a up model at

27:58

Cloudflare's 300 300 plus edge nodes. So what happens is

28:01

we load a data breach, we flush

28:03

everything out of the cloud for edge

28:05

nodes, instantaneously all the traffic goes to

28:08

the origin, after about a day, 50%

28:10

of the traffic is already cashed, and

28:12

then it takes many more days and

28:15

you get down to small single-digit percentages.

28:17

What it means is that every time

28:19

we load a data breach, and suddenly

28:21

a 100% of traffic goes to the

28:24

origin, we have to scale up in

28:26

order to support that. And it's costing

28:28

us. Looking the numbers the other day...

28:31

it looks like it's costing us hundreds

28:33

of dollars every single time because of

28:35

the volume of traffic that's coming through.

28:38

Now we do have some strategies in

28:40

the works to reduce that volume of

28:42

traffic. Largely to do with trying to

28:44

work with some subscribers who are just

28:47

hammering it in ways that are unnecessary.

28:49

But one of the things that... that

28:51

makes it more efficient is if I

28:54

can load multiple breaches sequentially, bam, bam,

28:56

bam, bam, bam, bam. Now, I don't

28:58

want to be like pushing stuff back

29:01

and holding it back until I've got

29:03

a corpus of it because the whole

29:05

value of getting a data breach in

29:08

their own partner is to get it

29:10

there early. I had a good meeting

29:12

with the company in Dubai and so

29:14

I used the term where they said

29:17

time as a multiplier. So small amounts

29:19

of time are valuable to the attacker,

29:21

large amounts of time are at risk

29:24

to the individuals. So I want to

29:26

get stuff as fast as possible. But

29:28

if like today, if these two reached,

29:31

I'll talk about in a moment, if

29:33

I can load one, and suddenly a

29:35

case shit ratio goes from 99% to

29:38

0%, but then it comes back up

29:40

to 1% and then I load the

29:42

next and it goes back to 0%

29:44

and then it eventually gets up to

29:47

99. That's much more efficient than like

29:49

loading it giving it a day case

29:51

shit ratio has gone up to 50%

29:54

And then I just flush the whole

29:56

thing and go back to zero again

29:58

But I don't want as well as

30:01

trying to explain to Charlotte say I

30:03

don't want a situation I think through

30:05

the right wording for this where there

30:08

is a financial incentive to delay loading

30:10

a breach and that that financial incentive

30:12

is avoiding cost. So we're going to

30:14

work that out. Stefan is coming to

30:17

visit us here in Norway tomorrow for

30:19

a couple days for our first ever

30:21

ever been poned team meeting. Now that

30:24

there are three of us and it's

30:26

not just Charlotte night. And this is

30:28

one of the things we're going to

30:31

be working on. So we're going to

30:33

spend a couple of days trying to

30:35

solve many of these problems which is

30:38

a little bit easier to do face

30:40

to face. Now, two data breaches. These

30:42

are not biggies by any stretch of

30:44

the imagination, but they were sitting there

30:47

on the to-do list, and I just

30:49

wanted to, frankly get them done. Now,

30:51

the first one just here is Tiber.

30:54

Tiber. Tiber. It's a German name. This

30:56

is a German electricity provider. And they

30:58

had 50,000 records. breach last month in

31:01

the news which makes it a bit

31:03

easier to deal with because at least

31:05

disclosure wise we know that that's already

31:07

happened. Name, email address, geolocation and the

31:10

total purchase value 56% of those were

31:12

already in have been poned. But yes

31:14

it's 50,000 records it's a very very

31:17

small incident and the answer before no

31:19

matter what the size of a data

31:21

breach is It's pretty much the same

31:24

amount of effort for me to process.

31:26

If it's 50,000 records or 50 million

31:28

records, it's not, I don't think it's

31:31

even, it's not like 1.2 times the

31:33

effort, even though it's a thousand times

31:35

the exposure to impact individuals. So I'm

31:37

always a little bit reticent to deal

31:40

with things. that are as small as

31:42

tens of thousands of records when there's

31:44

other ones that are millions of records

31:47

just pending. And to put that in

31:49

context, I've got three that I've just

31:51

been running the numbers on here that

31:54

I have to deal with. I've got

31:56

one here, that's 300,000, okay, that's not

31:58

particularly large. I've got another here. that's

32:01

two million. I've got another one here

32:03

which is taking a long time to

32:05

process but it's an aggregation of different

32:07

sources and that looks like it's in

32:10

the tens if not hundreds of millions.

32:12

There was a little bit trickier when

32:14

it's an aggregation of things because I've

32:17

got to figure out what to do

32:19

with it. Anyway, the point is is

32:21

that little stuff like this... It

32:24

kind of feels like a mental

32:26

wake, right? I don't want to

32:28

leave it. I don't want to

32:30

not notify people that they've been

32:33

in these breaches because I don't

32:35

think in either of these, the

32:37

individuals have been told by the

32:39

companies. But the ROI in terms

32:41

of the impact that they have

32:43

is just, yeah, it's not good.

32:45

Be there as it may have

32:47

loaded another one that's even smaller.

32:49

Now this one is from Senegal.

32:51

This may be the first Senegalese

32:53

data breach we've had, had to

32:55

check that with ChatGPT, it is

32:57

Senegalese. Senegalese payment platform, Jonima, had

32:59

36,000 unique email addresses. Breached and

33:01

posted publicly last month, that included

33:03

name, phone, and encrypted password and

33:05

date of birth, which is a

33:07

little bit unusual to encrypt a

33:09

password and not hash it, and

33:11

it's a little bit unusual to

33:13

do anything at all with the

33:15

date of birth, but, you know,

33:17

good on then, I'm not sure

33:19

I'm not sure. what the situation

33:21

is in terms of the exposure

33:24

of the private key is for

33:26

that, which of course would render

33:28

the encryption immediately useless, but who

33:30

knows? 52% of those already in

33:32

have been poned, which I thought

33:34

was a little bit high for

33:36

a Senegalese data bridge. They're not

33:38

exactly the biggest market ever being

33:40

poned, is Senegel. Anyway, so that's

33:42

up there now. I've quite tweeted...

33:45

Cyber Underground Feed, a Twitter

33:47

account here, because it was

33:49

picked up by them. The

33:51

post to a public hacking

33:53

forum, popular, public clear web

33:55

hacking forum, was Twitter. by

33:57

this Twitter account. And there's

33:59

probably a solid dozen Twitter

34:01

accounts that are doing a

34:03

really good job of finding

34:06

things published, particularly to one

34:08

hacking forum, but a few

34:10

others as well, and tweeting

34:12

about them very quickly. And

34:14

one of the things I'm

34:16

lamenting at the moment is

34:18

how public does a data

34:20

breach need to be in

34:22

order to make a reasonable

34:24

assumption that the company should

34:27

know that the company should

34:29

know about? Now that

34:31

the tibber one, there's press about

34:33

it in the press that said

34:35

there's a statement from the company.

34:37

So they know about it, that's

34:39

fine. In a lot of other

34:41

incidents, you might have, the data

34:43

has been published, it's either freely

34:45

downloadable, or put it for sale,

34:48

either way, news of the breaches

34:50

out there, and it's on a

34:52

clear web, popular hacking forum. And

34:54

then very frequently it's been picked

34:56

up by multiple different Twitter accounts

34:58

that have then shared this with...

35:00

Let's see how many people. How

35:02

many people see these? Because now

35:04

I can see your core stats

35:06

there. You know, the Senegalese one,

35:08

8,400 views. So I've had 8,400

35:11

instances of people having seen that

35:13

this particular organization set a breach.

35:15

Is that sufficient? This one is

35:17

a little bit different, I think,

35:19

being Senegal and frankly not expecting

35:21

to get a response at all,

35:23

should we do disclosure? And it

35:25

was there in multiple different forums

35:27

or forums or tweets. I

35:30

guess the point I'm getting

35:32

to is at what point

35:34

do you go this is

35:36

socialised enough publicly that it's

35:38

unnecessary to contact the organisation.

35:40

There's another one I'm trying

35:43

to do disclosure on at

35:45

the moment, it's over a

35:47

million email addresses, I verified

35:49

it, it's valid, it's an

35:51

American company, that's... tried to

35:53

reach out to them even

35:55

though they're there on the

35:58

Twitter timeline multiple times over

36:00

with claims of data breach?

36:02

When is it sufficient to

36:04

say that there is enough

36:06

information in the public domain

36:08

to skip the painful laborious

36:11

process of trying to contact

36:13

the organization? Part of the

36:15

problem as well in contact

36:17

in the organization is particularly

36:19

this year on multiple occasions

36:21

when I've done that, the

36:23

first response I get is

36:26

from a lawyer. And

36:28

look, we've never had any serious

36:30

legal incidents. Honest, we've never had

36:32

any serious ones. I think in

36:34

part, because I'm very nice, whenever they

36:36

contact me, but as soon as

36:38

you get contacted by a lawyer, particularly

36:41

after having reached out to say the

36:43

CTO or CSO or something like

36:45

that, the amount of effort that goes

36:47

into the communication with the organization

36:49

to... explain what the hell this service

36:52

is, why I have the data that

36:54

I'm not some shady bastard just

36:56

selling their company info and I'm definitely

36:58

not the person that hacked it.

37:00

And all the while this process goes

37:03

through often for weeks and that time

37:05

is a multiplier paradigm comes up

37:07

again where the data is out there

37:09

on the public hacking from, it's

37:11

being socialised, it's on Twitter, it's with

37:14

big red lights all over it.

37:16

And I'm not letting our impacted subscribers

37:18

subscribers know because this company is trying

37:21

to figure out what position to

37:23

take. It'd be very easy just to

37:25

go, I just load the data.

37:27

This one today. I could have just

37:29

loaded the data. All the notifications would

37:32

have been sent already. The individuals

37:34

impacted by it could have done the

37:36

things that they need to do

37:38

to protect themselves, changing passwords, for example,

37:40

looking out for phishing emails at any

37:43

theft or the rest of it.

37:45

And then the company could have done

37:47

the mop up after that. Now,

37:49

I don't want to leave the company

37:51

in that situation. But I lament that

37:54

saying the case is one I'm

37:56

now waiting for disclosure on that data

37:58

is out there circulating through who

38:00

knows how Who knows how many hands? news

38:02

Certainly, of news of the incident is in

38:04

front of thousands, if not of thousands of

38:06

people. I just don't know if the

38:08

company knows. don't know if the company knows.

38:11

that's something we'll fix in 2025. we'll fix

38:13

in 2025. I don't think it is. I think

38:15

I'll find better ways of dealing with it.

38:17

don't think I'll fix it, but don't think I'll

38:19

see. it. We'll see. Maiden Mohan says,

38:21

have you have you studied graph theory? No, I've

38:23

heard of it. I don't understand it, it.

38:26

haven't studied it. studied it. Alright

38:29

right folks, I've been been going about 40 minutes

38:31

now. I'm gonna wrap it up here wrap

38:33

it out and try and get a little

38:35

bit of sunshine try and in Oslo while

38:37

it lasts. in Oslo while at about a week, I

38:39

do this again to do this again with Scott Helm up

38:41

in the snow. up in the snow. It'll be be

38:43

Christmas a week from now. from now. Thanks

38:45

so much for watching I'll catch catch you again

38:47

again from Norway in a week. a See you.