Rik: Welcome back to Digital Citizen podcast. I’m Ricardo Signes, the CTO of Fastmail, the email provider of choice for savvy digital citizens everywhere. Here with me is my colleague Helen Horstmann-Allen. Helen, I’m sure listeners from last season know you well, but for new people, let me know who you are.
Helen Horstmann-Allen: Hey everybody, I’m Helen Horstmann-Allen, chief operating officer at Fastmail. I focus on product and strategy, and I’m so excited that we’re continuing our conversation about what it means to be a good digital citizen. So Rik, the podcast is going to be a little bit different this season. Can you tell us about it?
Rik: Yeah. We’re glad to be back to explore digital citizenship with more amazing guests this season. And we’re thankful for everybody who took the season one survey. After reading the responses, we decided to make our shows a little shorter and to split our longer conversations into two part shows. So don’t worry if you have more things to give us feedback on, we’ll have another survey at the end of the season.
Helen Horstmann-Allen: Great. Rik, who are you talking to today?
Rik: Well, I’m talking to Troy Hunt. Troy Hunt is a Microsoft regional director and most valuable professional for developer security. He wrote a bunch of popular security courses on Pluralsight. He created Have I Been Pwned, and Why No HTTPS?
Helen Horstmann-Allen: That sounds great. What conversation are you going to have with him?
Rik: Well, we’ll talk a lot about data breaches and what people and companies can do after their data’s been involved in one. A data breach is, it’s an incident where information is stolen from a system without the knowledge of the systems owner, right? So big companies like Facebook and Google have been in the news in the past for being subjected to these. But it can happen to all kinds of different companies. If you want more information about how Fastmail keeps your data safe, you can check our newest technical blog post, which is linked in the show notes for today’s episode.
Helen Horstmann-Allen: Why is it important for regular digital citizens to be aware of data breaches?
Rik: In a data breach, when somebody gets access to your private data, the data that they get is often the key to getting more private data. And this time they’ll use your passwords and your personal information from the first breach, instead of just hacking into some badly secured computer. So the more you ignore these problems, the worse they get for you. So we talk to Troy about Have I Been Pwned? Which is a website where you can go to find out if your data was compromised in a breach. And you can also sign up for alerts so that you get notified if it is compromised in a future breach.
Helen Horstmann-Allen: I really love Have I Been Pwned, that site got launched several years ago. And it was one of the first internet resources that instead of just being like horrible news stories about, “Oh, this big company had their data breach.” Gave people information that you could actually take action on. If you found out your data was in the breach, you could change your password, you could change your email address. So I think it’s such a terrific resource. I’m really glad you got a chance to talk to Troy about it.
Rik: Yeah, me too. Also, at the end of the episode, and at the end of every episode for the rest of the season, we’ll have some takeaways. Things that you can actually do to become a better digital citizen. You can also find them on the website, which is fastmail.com/digitalcitizen. Also, if you want to get involved with this season of the show, check out the survey linked in our show notes and send us a question. We will be randomly choosing some to answer in our end-of-season bonus episode.
Rik: So I’d like to start by talking to you about, Have I Been Pwned? which says it’s for checking if your email or phone number is in a data breach, can you tell our listeners what a data breach is?
Troy Hunt: It’s fairly recent about trying to define what a data breach is. In fact, this was because traditionally we would think of a data breach, as let’s say, there is a sequel injection vulnerability. Someone goes and runs an automated tool like SQL map over the site, they suck out all of the data, therefore it is now a data breach. That data is now in someone else’s hands, an unauthorized party. And they will then take that data, and very often they’ll either sell it or they’ll just Yolo, just chuck it out there and share it around with everyone. And then I grab that and put it and Have I Been Pwned? There are other situations which are a little bit more nuanced. So a good example of this is that the major platforms, particularly major social media platforms, Facebook, LinkedIn, clubhouse was another one in 2021, are often the subject of scraping attacks. Where someone will go through and they’ll go, “If I make an HTTP request to this page, I get someone’s personal data.”
Troy Hunt: So let’s think about LinkedIn, I make a request to this page, I get a whole bunch of information about someone. And then I’ll do it to another page, another page, another page. And they keep going, going, going. And with both those services that can include pulling back an email address, or querying by email address. So if you have a big list of email addresses somewhere which is easy to get, you literally requesting the service, passing that email address as part of the query, getting a bunch of data back. Now, all of this is data which, let’s say LinkedIn, I have a LinkedIn profile. I put it there. The only way it works is if other people see it I literally put it there. So it’s publicly accessible.
Troy Hunt: So if someone goes and scrapes all of that out and aggregates it into this massive file with a hundred million plus results, is that a data breach or not? I think that is a data breach insofar as the data has been obtained in a way which, first of all is against terms of service, I care less about that. But secondly, it’s obtained and then used in a way in which I, as a customer, didn’t expect it to be. And now it’s out there aggregated around with all of this other information from the service, and used to better target me in a phishing attack, for example. Because it knows the industry I work in. And I think it, even the LinkedIn data even had things like a salary range in there, which it can derive.
Troy Hunt: So, you know, a data breach is not always circumventing a technical control, in a way that it exploits vulnerability. And to that effect as well, a data breach can literally be someone left a laptop in a car with a whole bunch of customer data. Someone took the laptop that’s not like Sql injection, that’s literally I took the laptop out of your car.
Rik: So a service suffers this data breach, and maybe it’s from a stolen laptop and maybe it’s from a SQL mapper being run against their site. How does Have I Been Pwned step to help this situation?
Troy Hunt: Well look, I think the main way Have I Been Pwned helps is that whenever there’s a breach where I can get my hands on data, I’m pulling that data, loading it in and notifying people as soon as I possibly can. So where it really helps a lot of people is that when they’ve been exposed in a breach, they hear about it. It almost sort of feels silly saying it because it’s like, “Well, of course they should hear about it. The organization whose breach should let them know.” But very often that just simply doesn’t happen. So Have I Been Pwned? almost becomes the de facto standard for notifying people. And the notifications go out to both individuals. So I’ve got a little counter on my desk here, this is just over 4.1 million individuals that have subscribed to the service. And they also go out to organizations monitoring domains.
Troy Hunt: So very often I load a data breach and I’m sending thousands sometimes 10th of thousands of emails to organizations monitoring domains. So they’ll get an email and say, “Hey look, you’ve had five people at example.com that have been in this data breach. Go and run another search over here, verify control the domain, and you’ll see who they are.” And that’s just led to so many fascinating cases where organizations have learned things about the people in their organization, and the sorts of services they’re using, and also the sorts of risk they create. And a really good example of risk is, well, due to password reuse. Are they possibly using the same password on cat forum.com, as they are their corporate VPN service?
Rik: It sounds like a lot of what you’re talking about comes back to a lack of industry standards. Does that lack of standards affect corporate response after a data breach?
Troy Hunt: I think one of the problems we have in this industry is that there is not a standard, or a spec, or whatever word we want to use, for how an organization should respond. Part of the problem is that you’ve got a mix of conflicting priorities. So there are regulatory obligations, and then depending on where you are in the world, they’re fundamentally different. If you are somewhere like the EU, there are fairly strict regulations under GDPR. So I guess the point I’m making here is that we’ve got this one track here, which its regulation is very different depending on where you are in the world. Which then makes it very tricky, because a lot of these services are global. I mean, let’s imagine for argument’s sake, if it was Have I Been Pwned? that got pwned, it’s possible. I’ve got one set of regulatory obligations in the jurisdiction in which I operate, but if I ran it in another part of the world, it would be different.
Troy Hunt: And then I think there’s just the general social expectations. So as an individual, regardless of your nationality, or your race, or whatever other variable there is out there, what do we expect of organizations? And this is what I’d love to get more consensus on as an industry. Well, I think a reasonable expectation is, if you expose my data no matter how big you are, no matter what the data is, I should know about it. That seems fair. It’s like when I talk to my kids and go, “If you do something wrong, apologize for it, mate.” That’s how it works. And then you’ve got this other thread as well, which really complicates things. And that’s lawyers, because they’re worried that if we have to go out and say, we’ve had an incident, what does it do to reputation?
Troy Hunt: What does it do to the potential for say, class action lawsuit? Because they really force organizations into behaving in ways that aren’t in individual’s best interest. And they make just about no money for those who join into the action. But it seems like an easy win for individuals. And as you just get greedy lawyers popping up going, “Hey, just fill out your details, join our class action.” So you’ve got all of these different conflicting things happening around the incident itself. And I fear that we end up losing sight of what’s really important. Which is that after a data breach, we’ve got to let people know what’s happened as soon as possible so that they can change their passwords, take out identity protection if necessary, yeah? Do the things that they need to do to minimize the impact on them, who are the innocent victims.
Rik: So it sounds like you think GDPR maybe is pushing people toward taking the right action, but through threat of lawyers and fines. And what we need to do is have a shift in our culture so that we accept this is simply the done thing.
Troy Hunt: I was so excited about GDPR. I had such high hopes, I really did. And the reason why is I felt that regulators didn’t have enough teeth to respond appropriately and commensurately to organizations that had breaches. And a really good example of this is TalkTalk in the UK. And they had an egregiously bad breach in 2015, which was ultimately SQL injection. 17 year old child, who was able to mount this against a multi billion dollar organization. And ultimately the fine they got for this was about 400,000 pounds. So I was really hoping that GDPR would drive change. But what I’m finding is that I’m certainly not seeing any decrease in data breaches, and I’m seeing over and over again people using GDPR more as a weapon than as something to change behavior. Examples of that are people just getting extraordinarily angry and obnoxious at an organization that has their data that may well have it legitimately. I get GDPR messages from people saying, “I’m unhappy that you have this data breach and I’m in there. Please remove all of this.”
Troy Hunt: I’m like, good luck. You go and ask the hackers to take your data out, see how that works. But there’s some funny stories as well. I heard a really funny story recently, where a friend of mine who’s a data protection officer for a large company in Europe. He said talking to the local police in the UK, he said, people misunderstand GDPR beyond your wildest dreams. And the example he gave is he said, people have literally been reaching out to the police and saying, “GDPR is here now. And under my right to be forgotten, I would like you to erase all my speeding tickets.”
Troy Hunt: All right, full credit for having a go, but it doesn’t work that way. And it’s a little bit like the assumption that people think that they have full control over all their data everywhere. And there’s all of these very, very valid caveats. In fact, this friend of mine worked in the airline industry and he said, look, as an airline, we are obligated by law to retain this data, I think for three years or something like that. Because of things like terrorism and other really good reasons why you might want to be able to pull a passenger manifest from a long time ago.
Rik: Well, the work you do in educating people about the importance of their data and their rights is so important, what do you do to spread the word about Have I Been Pwned?
Troy Hunt: Nothing overtly. I mean, I do talks like this. I do a lot of consumer facing media and press and that sort of thing. I think one of the things that helps a lot is when there are data breaches and they make the news, very often those stories will have a link through to Have I Been Pwned? Look, if you want to know, go here and check. But I think part of it, the joy of it, and I suspect part of the reason it’s become trustworthy in such a gray space is that there’s not an incentive for me to have 10 million instead of 4 million people on there, or make it the be all and end all. It just sits there and it ticks along organically. And that helps itself because it builds trust. More people send more data. There’s more stories about it, more just organic inbound traffic. And I just find that a fascinating thing, the way that’s kind of evolved. It certainly wasn’t something I set out and planned in advance.
Rik: When I say there’s no other clearinghouse that also makes me wonder, Have I Been Pwned obviously it is a trusted source for this dating to go to. It seems like something like it will always have to exist. Do you think this is sort of a forever service that’s going to exist?
Troy Hunt: I would love it not to exist. And this is maybe the greatest possible outcome I could have is for it to be redundant. So what would make it redundant? Well, one of the things that would make it redundant is that every service that got breached actually let people know quickly. Wouldn’t that be great? That’d be such a cool outcome if it just became useless. Certainly the email address part of it. There’s other parts that I think would have ongoing use. I would love that just not to be a thing, but failing that while it has sort of become the de facto standard.
Troy Hunt: But I’m one person running it in my spare time. So I’d love to be able to actually go through and process that massive backlog or data breaches I have. The reason it takes so long is because I actually have to go through and do disclosure as well. I don’t just chuck stuff up in Have I Been Pwned? and the first thing an organization knows that they’ve been breached is their customer start sending angry emails. I reach out and I try to disclose, and I try to do things the right way. But that’s enormously taxing on my time. I’d love to be able to scale that more.
Rik: Well, I wish you luck in getting through your backlog. I want to ask you about another kind of data breach. Some kinds of data breaches, they’re obviously harmful, someone who gets into my bank account and steals my money that’s some kind of real harm. On the other hand, if someone gets control of the light bulbs in my house, they can annoy me, but it’s an extra leap to think these things in our homes are sitting on the internet collecting data. Really, I think the internet of things, the IOT has presented a new hurdle for me to come to grips with. Do you agree that breaches of this kind of data are something we should think about differently than other breaches?
Troy Hunt: It’s a good question. I think for the most part it’s like the same but different, right? And we are seeing data breaches of IOT things. I mean, the example that comes to mind the most is cloud pets, Teddy bears. So these are connected Teddy bears. And a few years ago, someone sent me all their data. And this is a Teddy bear that would record children’s voices, store it in the cloud, send a message to a parent. They’d play it back on the phone and then vice versa go the other way back. And the Teddy bear’s got a little microphone and a speaker, and on the one hand, okay that’s an IOT device by definition. On the other hand, it’s just talking to APIs. APIs are just HTTP requests from a web server somewhere. They store data somewhere online, that data was in a Mongo DB. It was left publicly facing.
Troy Hunt: Now that’s the same problem that we’ve had forever in a day independently of IOT. But what IOT tends to change is that we didn’t have talking Teddy bears before. Not Teddy bears that would actually store your data, and that were priced at a point where you would buy them for your children without thinking about it and then chuck it in their bed. So what I’m finding with IOT is that it’s many of the same flaws that we’ve known for a very long time. It’s just massively expanding that surface of risk. And it’s exposing classes of data that we never had digitized before. And I think this is really the way to think about IOT. It’s like, look we’ve had lights for ages, I’m good with lights. I know exactly how to use lights, no problems. But now I know I’m probably one of the biggest culprits with this ’cause I’ve got, I don’t know, I must be a hundred plus lights in my house with connected. Now we’ve got a situation where there is an internet footprint of these things, which creates a completely new risk.
Rik: Right. This is maybe the part of some of the conversations I have in this show where I say this all sounds scary. And can I still go ahead enjoying the internet? Do I have to feel afraid when I’m using the internet or do I just have to start from a position of understanding what the heck I’m doing?
Troy Hunt: I think it’s more that. And I think that there also some very simple little things that all of us can do. And I’ll give you a good example of this, it’s data minimization. So do we really want to connect that thing? Do we really want to provide this piece of information? Do we really want to sign up on that service? And I fear that very often, we are not really thinking through the consequences of that, but part of the problem as well is that we’re sort of being preconditioned to provide much more information than what we need to. And I had a perfect example this week, where I opened up my TripIt, and I opened up my iPhone and it was prepopulated with my first name, my last name, and my location, not my address, just the city I live in.
Troy Hunt: And then there was a field for date of birth. And I’m like, well, I’m not going to give TripIt that matter. There’s absolutely no reason next. No, mandatory field. It’s like, what? So I can’t use TripIt until I give you my date of birth. Apparently, it has to do with lawyers and regulations and things, but now they need your date of birth because they need to verify your identity. And I actually logged a ticket with TripIt and got the same response. And I’m like, but it’s a free text field. I can put whatever I want in there. How is this verifying my identity? How many people in there are born on the 1st of January? That would be an interesting thing to look at. So as much as I’d like to say, look just hold back anything that you don’t need to provide. We’re sort of being led down the path where we also don’t have a lot of choice a lot of the time, because TripIt’s a valuable service for me.
Rik: Do you have one last piece of advice for people who are building the internet to help protect ourselves and our users?
Troy Hunt: I think to sort of wear these two hats simultaneously, the one about how do we protect people, but also how do we make these services usable for them, and try and find those places where we can win on both fronts. I really like security, which is invisible to the user. And examples of that are, I love the way authentication is getting smarter. So rather than just going… Think about how password authentication works. You’ve got two strings in your head. One’s a user name, one’s a password. The two strings also exist in the service. If they match, you get led in and that’s it. I really like seeing services that are trying to be a bit more intelligent about it. Things like user behavioral analytics look, Troy is in Australia, he uses this device. This is his usage patterns. There’s a recognition that there are degrees that we can apply here in order to try and give people doing the right thing, that the happy pathway security isn’t seen; and those doing the wrong thing, we make it increasingly hard for them.
Rik: Well, I think you give a lot of good advice and a lot of interesting information. I want to thank you for your time. I really enjoy talking to you and thank you for everything you’ve done to help keep us from getting pwned, to help keep us a little safe out on the internet.
Rik: How do you feel about internet of things, Helen? Do you have internet of things, stuff in your house?
Helen Horstmann-Allen: I’m sure I do, but I try to have as few as possible. You know, I think what you and I know as email professionals is that a lot of spam and other kinds of attacks come from badly secured computers. Internet of things is just, should I put a computer in my thermostat? Should I put a computer in my washing machine? Should I put a computer in my refrigerator? And realistically to me that it is a place where a future attacker can find a vulnerability and use it for things that I won’t even know is happening. So, I mean, I definitely have security concerns around them. Rik, how about you?
Rik: Yeah. I mean, I have smart light bulbs in this very room I’m sitting in, and I have maybe managed to keep that as the only thing in my house. As you say, like the last thing I want to find out about is that I spent my day dealing with a run of spam at work and all of it was being sent by the washing machine in my own apartment. That would be a big downer, but we’re going to see more of that going on is computers get smaller and cheaper and easier to put into everything. Pretty soon there’s not going to be as much of an option to have your things be, or not be part of this collection of computers. So we’ve got to start thinking about security implications now.
Helen Horstmann-Allen: Yep. And hopefully lots of groups do talk about this already and I hope it will continue to be a topic of concern. So what do you think the key takeaways were from your conversation Rik?
Rik: I’ll go with this, first off you should use Have I Been Pwned? It’s great. If you’re worried that your data has been in the data breach, you can go and look and see what’s been reported and you can sign up for alerts so that you don’t have to keep going back and hitting reload. You can just get an email when something happens that affects you. And when you get that email, you can take actual steps. And it’s always nice to have something that says, “something went wrong and here’s what to do.”
Rik: Another one is we talk about data minimization. Data minimization is a really important step that everybody can take to keep your data more secure. And again, all it means is don’t give everybody every piece of information they might possibly ask for, right? If a company asks you to fill in a bunch of fields about yourself and you don’t have to do it, maybe don’t do it. And if you have to do it to use their service and you think it’s totally inappropriate, consider whether you really want to use that service. If you want to sign that to get a joke of the day, and they want to know your social security number or your mother’s maiden name, you can probably find that joke of the day someplace else.
Rik: This is also a place where sometimes the personal information they’re asking for doesn’t need to be the same personal information you give everywhere else. Some people talk about they don’t really use their actual secret information for the security questions, but a real simple one is don’t give everybody the same email address when you get all of your information leaked from six different places. And each one has different information about you all with the same email address they can correlate. They, attackers, can correlate all the data that has been leaked about you with your email address is the central coordinating thing. So why not have a different email address to use everywhere, like Fastmail masked email?
Rik: And finally talk to your friends and your family about why it’s important to keep their account secure. This is one of the first things we ever talked about at the end of one of these podcast episodes. Not everybody is the kind of person who spends their time thinking about what they have to do to keep themselves safe or listening to a podcast, talking about these questions. And as someone hearing this conversation, who is that kind of person you should think about sharing the things you know, that are easy to do and helpful with the people who you care about, who aren’t spending the time thinking about this. Just to help them take better care of themselves out there on the internet.
Helen Horstmann-Allen: It’s the truth. I get to hear all the time about, “Helen and I ignored you the first time you talk to me about a password manager, but the fifth time I realized maybe I should go ahead and do it.” So I hope that, like with every episode, we’ve given you some actionable steps you can take towards better digital citizenship.
Rik: Thanks for listening to Digital Citizen. Digital Citizen is produced by Fastmail. The email provider of choice for savvy digital citizens, everywhere. Our show’s produced by Haley Hnatuk. Special thanks to the incredible team of people behind Fastmail. Digital Citizen is hosted by me, Fastmail CTO, Ricardo Signes. You can subscribe to our show on your favorite podcast player. For a free one-month trial of Fastmail, you can go to fastmail.com/podcast, and for more episodes, transcripts, and my takeaways, you can go to digitalcitizenshow.com.