S1 Ep2: Data Breaches, DNA & the Future of Privacy

In early 2020, a team of researchers from antivirus software supplier Safety Detectives was performing routine searches for unsecured databases. This day though, was anything but routine. They stumble across an unsecured public facing elastic search database, which was seven terabytes in size. Now that is the equivalent of 14 million photos or about 800 hours of HD video.

However, they didn't find photos or videos. But instead, roughly 10 billion records from the adult video streaming website CAM4. This data included first and last names, email addresses, password hashes, country of origin and sign-up dates, gender preference and sexual orientation, device information, languages, usernames and chat logs, payment logs with card type and currency, transcripts of email correspondence, and correspondence with other users and CAM4 support.

In other words, a lot. Now, while the cam four breach is one of the biggest, if not the biggest, we've seen, there are tons of data breaches occurring all the time. Many, many more than you might think. In this episode, we talk about what authentication and privacy means for us in the real world, how it will change in the future to hopefully keep us more secure, as well as investigate some of the technologies used to do this.

My name is Lars Klint. This is TECHnically Possible, a show that investigate future technologies' impact on us humans and our connections in the world. Whether that is good, bad, or just plain weird.

If you're new to the podcast, let me give you a quick rundown. In each episode we discuss an emerging technology and invite an industry expert to help us break down where we are currently at, and more importantly, where this tech could possibly, or impossibly, take us. All the while keeping it grounded in what exactly that means for us humans, and maybe even some fun along the way. To help me with that I am talking to someone knee deep in the data breach world. He has all your password. 

So Troy Hunt is a world renowned security expert that has testified on just that topic in front of the American. He works from his home on the Gold Coast in Australia and is the creator of the Have I Been Pwned breached website among many other projects.

He is also the current Australian record holder for most destroyed jet skis. Hi, Troy. 

G'day mate. Always nice to talk to you. Thank you. 

You're welcome. Uh, so, um, tell us a little bit about Have I Been Pwned. Let's start there just because some people might not have heard about this project. 

Well, it's, it's funny actually, we're, so we're coming up with the ninth birthday and I think you probably remember when it started it.

Maybe that just makes us feel really old, but I didn't realize, it's like getting towards the decade. I think we'll have to do something special December next year, but it look in simple terms, it's just a data breach aggregation and, and search service. Heard some people sort of say it's, you know, it's like Google for data breaches, so you're chuck in your email address.

There's just a big text input box on the front page, and then it trawls through 600 plus something data breaches and 11 billion plus records and finds each of the places that your email address has appeared. And for many people, this is sometimes the first that they learn about actually being in a data breach.

In fact, very often the first I learn that I'm in a data breach is I load data and then my service sends me an email. And I hate getting emails from me. Well, I do too. I'm the last person I wanna get emails from. 

Um, Almost, almost. Yeah. Well, how many subscribers have you got so far? How many people actually using the service?

Ah, good question. I, in fact, I have a little, uh, LaMetric counter sitting here in my desktop, so it's about 4.26 million subscribers to the service. Wow. So 4.26 million people have said, Look, let me know if you find my data somewhere. So every time I load a data breach, now it's, it's just getting more and more laborious actually notifying everyone, because if we take the intersection between my 4.26 million subscribers and then whatever data breach it is that I load it, it can get quite sizeable.

In fact, the, I told you I've gotta finish this call on time, I've gotta speak to a company because there's, uh, more than a hundred thousand people, uh, that are my subscribers that are in a particular alleged breach. So, Wow. I'm starting to send a lot of emails every month. 

Yeah, no kidding. 

Um, and it's all free, right?

You don't have to pay or anything. 

As a consumer. 

Yeah. So you can just go and uh, and sort of say, you know, let, let me know tick a box. Your email address goes into a database table, and then I'll, I'll let you know. And, and it's the same for people that monitor domains as well. So a lot of the emails I send these days are to organizations that have said, Look, if there's anyone within our acmicore.com domain, then please let us know.

And that's interesting too because particularly the, the nature of some services, uh, that, I dunno if we wanna talk about the one I loaded this morning or not later on, but some of these services, an organization gets an email and is like, Why do I have employees using this particular service. That's maybe not within the scope of what we consider acceptable 

use.

Humans gonna human. All right. Well that's really awesome. I just wanted to touch on that cause I think it's such a valuable service and obviously you've been running for nine years, um, so people find some value in it. Um, now before we get to the meat of this episode, which is authentication and privacy, um, and we'll try and make that feel a little bit more interesting that maybe what those words sort of gives you first impressions of, um, I just wanna challenge your moralities a little bit.

Now don't worry, this is just sort of a bit of fun. There are no wrong answers and the points don't matter. But it is to get you warmed up, get your brain waves on track, and make sure that we prevent any future side fumbling on the show. In a segment we like to call Moral technicality.

A new technology has come into light that will make sure people never have their passwords breached, leaked, or garnished in hot chili sauce. It's great news for all consumers, but of course there's a catch. In order for this system to work, people will have to give up control over lots of their personal details, including your mother's maiden name, car registration, any old passwords used on websites, access to email accounts, and a whole lot more.

This will make privacy even less certain for consumers, of course, but is it worth it? What do you do? 

For me personally? I've got a password manager, so I wouldn't give that up. I wouldn't give up all that personal data because I know that I can create strong, unique passwords and at least silo all of my risk.

One site gets breached, doesn't mean that everything else comes down. For other people, it's, I mean, that's, that is a, that is a moral dilemma, isn't it? Um. Maybe? Sometimes. Yeah. You know, I think most people don't really think too much about handing all of that information over anyway. And maybe the question then becomes, who is the custodian of that?

And, hey, you wanna get into moral dilemmas? If it was Apple, would that be okay? Oh, well, okay. They're very sort of privacy-centric company, or they're certainly trying to carve out that niche. Uh, they're from a, what we might call a friendly country, us as Australians call it friendly. Without naming names, what if it was from another country, you know, another massive platform, another service from a country that maybe we trusted less privacy-wise, a country where maybe their government might lean on the people who had access to the data under certain circumstances. It gets murky. 

It does get murky. That's the whole idea of the question.

No, that's excellent. And it's, it is one of those questions, and we do this on every episode of the show. We, we try and find a question that's relevant to the show, but it gives you, you try to explain that not everything is so black and white. Um, and a lot of the technologies, even though the technology implementation itself is very simple, the ramifications in social and political things are just vast.

Right. So interesting. I like that answer though. It's very good. Um, alright. Enough morals for one episode. Let's dive into what authentication and privacy looks like today.

All right, so if we're talking about authentication and privacy, and we're talking about current status of, of what it is today, can you explain to me what is authentication and not make me fall asleep? 

Look at authentication I guess in a basic context is just proving that you have...I'm choosing my words carefully here because it's not necessarily proving identity, you know, like mm-hmm.

There are plenty of people out there that go and create, uh, accounts on services like the one from this morning that may not want to actually be identified as, as an individual, but do want to prove that they are the person who came through and registered in the first place. So I think we've gotta sort of recognize that authentication is not always tied directly to identity.

Rather it's the ability to recognize the same account holder on subsequent visits following registration. That was a very nuanced answer. That's a good question actually. I don't think I've been asked that quite, quite that strictly. There's definitely a difference between identity and authentication. 

Oh, absolutely.

And it's, it comes from mainly the, when we were researching the episode, it was sort of like, well, we wanna talk about authentication cause it's such an important part. But me as a technologist kind of have an idea of what authentication mean. If I ask my parents, they're like, Well, I'll just show my driver's license.

Like, that's how they authenticate right? But that doesn't work online. So how do we explain that without making it completely boring? 

A driver's license is very much identity, right? So that is a legal document. If you try and fabricate that, there are some fairly serious consequences.

Yep. It does identify you as a named individual. It also doesn't include information that we would consider a secret, so there's information that we don't necessarily want to willingly share. But it is not a secret such as a password, which is used as a way of you and in theory, you alone identifying yourself or proving that you are the account holder.

Yeah, I think that the proving part of it is really critical, isn't it? I think that's where the conversation's gonna go on this show is that proving that identity with authentication is, is how does that relate to privacy right? So, because what is the problem today? Like, or not the problem necessarily, but where are we at with authentication today?

What are some of the, the hurdles maybe that you're seeing in authentication implementations today? 

So I, I think a lot, lot of the sort of the heart of the problem is, is that we make the assumption that if someone can successfully authenticate, then they are the person who they say they are. So if we put it in really simple terms, I'm looking at a site at the moment where you can, where you can sign up and buy whiskey, right?

Yep. For upcoming events. Anyway, so you go there, you register an account, email address, password. Now someone comes back to this whiskey site and they enter that username and password, the assumption is it's the same person who registered there in the first place. The problem is, is that, where's the confidence in that?

So for example, not, not me, because I've got a password manager, but for the masses, they're gonna reuse the same password. So they come back, they enter this username and password, which really is just two strings, right? And for most people, it's two strings that they store in their brain. The username is often their email address.

The password is the same one they use everywhere. So when they come back and they enter those two strings, the, the service that they're authenticating to makes the assumption that they are the person that they said they were. And this is where it gets really, really messy because that has just become such a weak way of doing authentication due to the prevalence of things like data breaches.

Yep. Uh, credential stuffing lists are massively prevalent. And credential stuffing lists are pairs of email addresses and passwords from data breaches, sometimes numbering in the billions. Now when you've got billions of email address and password pairs, how confident can a service be that someone comes along and uses one of those pairs, is actually the person who they say they are?

Yeah, that's the key, isn't it? Cause you know, 20 years ago when you only had a login for your net bank, it was okay cuz you only had one set, maybe three. Right. You weren't logging into very many places, but now it's absolutely everywhere. 

Yeah. Hard to reuse your password when you've only got one place you ever use it.

Exactly. It was a, it was a simpler time before, and much of the, the constructs that we created in that simpler time have prevailed into the modern time and they just don't scale well. So a really good example of that is, is things like password complexity criteria. You know, back in the day we said, well, to stop people using passwords like the word 'password', literally we will ask them to create a password that has at least one uppercase character, one number, one non alpha numeric character, at least eight characters on, yada, yada, yada. And that was, I guess mathematically good because you increase the entropy, you increase the character range, the length, the, the mathematics of that were great.

But what the mathematics don't cater for is the fact that humans will then take that memorized string and they'll go and use it everywhere. And then suddenly we no longer have uniqueness. Yeah. And we have like one set of keys just floating around the web and they get picked up in one place and they open everything.

How many, um, how many users in Have I Been Pwned have 'password123' or in breach data, in breach passwords? 

A stunningly large number. I don't have an exact number to hand. Yeah. But what I do know is in things like pwned passwords, which is just a list of, I think we're up to 800 million something passwords now.

Uh, there is an enormous prevalence of precisely that sort of password. 

So it's doesn't work? 

Well, it, I think we've gotta be careful about absolutes in terms of saying, does something work? Yes, no, good, bad, black, white, et cetera. And what I find really interesting about this industry is very often it is so, so nuanced and I think we've gotta sort of ask the question if, if passwords are so flawed and to use your term doesn't work.

Why are they still everywhere? If they're so terrible, why aren't they replaced by something else? Because we do have better ways of doing this, you know? Oh, yeah. Everything from simple two factor authentication through to things like U2F keys and YubiKeys and things like that are fantastic. But the, the thing that works really, really well with passwords is they're very low cost and everyone knows how to use them.

So that bit actually works really well. The usability side works really well, 

And that's why a password manager is not a bad thing. It's very low friction, I would say, to solving this problem. But most people don't understand how they work and how to implement them. Now, when we were talking about doing this episode, you had a very interesting way of, you know, sort of combining the authentication versus the privacy or, or and privacy aspects of it. And you used PayPal as an example of how much privacy do you want to give up to be authenticated? 

Well, PayPal was interesting cause a few years ago I was proxying mobile traffic from various apps on my iPhone.

And just looking at what is the data these apps send back to the provider. And what PayPal was doing is when you log on, it wasn't just sending your username and password, you'd expect that. But it was sending other information such as the name of the wifi network that you were connecting to. And I thought that's, I feel a little bit icky about that because first of all, the app can access that without needing to request access. So if it wanted access to my photos, my contacts, my geolocation, you get that prompt, right? Yes. Where it says, Hey, this app is trying to access these things. Would you allow it? Didn't need to do that. And then I sort of thought, well, it's a wifi, it's an SSID, so how much do I need to worry about that?

And then it's like, well, there's two things that immediately came to mind. Number one, you can go to a service like Wigle, that's wiggle with A one G, W I G L E, and it literally maps out network names against geolocations, because all of these have been indexed and crowdsourced and uploaded into this big database. The other thing is sometimes that SSID discloses something that could be quite sensitive. Yep. Now, I mean, use your imagination here, but imagine the sorts of places you could go that you wouldn't want other people knowing that you'd gone to, which then reflect their name in the network name. 

I dunno what you mean. Like car dealerships or what are you talking about?

Let's just say dealerships. We'd use your imagination from there. But you know, in a way it kind of doesn't matter because I think what was sort of more significant to me was, was sort of two observations here. So, so one is that it was happening without me knowing it. So it wasn't like an informed decision that I got to make, make rather, But the, the other thing is, is that I can see from a fraud perspective why that's actually useful.

Because if I'm consistently logging in from one particular location, one network name, exactly, and then I do that again later on, the confidence that PayPal could have in that being a legitimate authentication request would would be quite high. Mm-hmm. . If I was on a different network name in a different location, still could be legitimate, but the confidence would have to drop just a little bit.

And I think this is really interesting to start looking at authentication rather as, as a sort of a binary state, and saying well, there is a spectrum of confidence as to how legitimate this is. And then depending on where you are on that spectrum, you may or may not be able to do certain things. 

Hmm. Yes.

You know, that sort of covers the authentication part of it in some detail, but the privacy part of it, because every time you mention the word privacy, most people go, Yes, I want my privacy. Right? It's just an instinctive like, Yes, that's mine. I need to keep it secure, or whatever it is, however they think about it.

But what are some of the examples on like today of people actually giving up lots and lots of privacy to have a service? Uh, is it really. Are we really that worried about it? 

Well, I see your Facebook account. And in fairness, it's like your Facebook account is a bit like my Facebook account.

There's a bunch of stuff that we post on there. Yep. Because we like having social connections with friends, particularly in an era where we've all had less access to people. And we do, consciously, you and I consciously give up some privacy. Like we know that we're trading everything from mechanical things like our IP address and our geolocation, et cetera, through to inferred things such as, you know, what are the articles that we keep reading or the things that we like?

What are our personal preferences? So clearly we're comfortable doing that, but it, it does make you wonder just how aware most people are of how much privacy they, they do give up using services like that. And certainly everyone seems to be shocked when there's a Cambridge Analytica or something similar to that.

Exactly. And that's sort of my point is that we are so aware of the word privacy, but then on the other hand, we just don't pay any attention to it when we want a thing, or we wanna achieve a thing or talk to a friend or whatever it is right. It is, it's not part of the concern for most people. As an example, I had, um, I'm in a WhatsApp group with other parents of my son's class, which is a very common thing.

Some sort of, you know, messaging group. And there were people that when Facebook bought WhatsApp, they went, nope, we are not gonna use WhatsApp anymore. And they left. But it was two. The rest of all the other 30 parents or whatever it is, 25 parents, they sort of went, yeah okay. Like, just weren't worried about it. So because the accessibility and the ease of access to other parents and messages was just trumped it all.

And it's where the people are, right? So the number of times we've had people say, You should, uh, you should de platform Facebook, you know, like, you should go somewhere else. You should go to this other privacy-centric thing. And I'll be like, but I don't have any friends there. Like, all my friends are over on Facebook and I wanna see what they're doing.

Now maybe that sort of says something about monopolies and the need for some sort of an open platform or something like that. At, at the end of the day, platforms like Facebook run because they do have a huge nexus of people in one location, and then they, they monetize that and, and they do very well out of that.

And, and that's the trade off we make. 

Yep. Absolutely. I think that's enough about today and passwords and authentication, uh, and privacy for that matter. Um, so what does the future of privacy, passwords and authentication look like? What is technically possible? Okay, so if we can get more information about the individual and we can do better authentication in the future, do you reckon that will work?

Like what costs of privacy are we willing to give up to make this easier? Because you said passwords. Yes. We all know passwords, we all use them, but they're, they're flawed in today's world. Right? So how far can we go? 

I think where we'll go, and we are all just forecasting a very immediate term here. Um, first of all, to start with the easy thing and, and often I'll ask people this at events and things like that, but you know, I sort of say to people, Do you think you'll have more passwords or less passwords in 10 years from now?

I asked this actually in a, in event in Sydney last week to the audience and, and we had a live poll and I think we got something like 66% of people were like, We'll have more passwords. Uh, and then 33% of people were wrong. Because what's the thing about, the audience liked that too, but the thing about passwords is that they don't really die.

Like they, they just stay there. It's very rare for people to go and sort of clean up their digital trail, if you like, of, of accounts. So there's the first thing to understand, like we're still gonna have passwords for a very, very long time, partly for the reasons mentioned earlier about cost and simplicity and everything else.

And where we're going then is, is a combination of, of what you've been touching on in terms of better ability to establish who is legitimate or not, often through observable behaviors. I was talking about a company this morning I'm doing a webinar for, and they specialize in looking at things like user behavioral analytics.

So where do people normally log in from? What do they normally do? Uh, what is a behavioral norm versus a deviation, and when there's a deviation, then they can provide extra challenges or limit the things you can do, so on and so forth. So I kind of like that because it's, it's a very transparent layer of security.

Yes. And the challenge then is how much do you need to invade privacy in order to do that? Uh, some things like connect, collecting that SSI data I mentioned earlier on, does have a privacy implication. Uh, other things in terms of looking at the IP address you're connecting from. I mean, you, jeez, you send that to every single service you do, and if your IP is suddenly coming from a very strange location, well that's a signal.

And then of course we've got things like hardware authentication, and now that could be things like the YubiKey, which would become very popular as a, as a second factor. They're, they're enormously resilient, even to things like phishing attacks, which we're seeing increasingly successful against soft tokens or SMS-based one time passwords.

But also the, the mobile devices we have in our hands are becoming fantastic authentication channels as well. Uh, I was thinking just, just the other day, it's become so easy for me now, uh, to do things like pay for something with Apple Pay. I've been buying a bunch of stuff online lately, like everyone else has been, entering credit card details is painful, but I've got this device in my hand that can strongly authenticate me and then tie to my payment methods, you know, that's, that's fantastic. Yep. So yeah, we are getting better technology that we actually hold in our hands, as well as better things that we can imply from people's behavior. 

So you, are you implying that we are gonna have probably hardware that's gonna help us with this rather than just the software passwords that we so used to?

Uh, absolutely. We, we do already. And, and certainly, uh, that there's a lot of, a lot of services now where you can just, for example, log on with Apple. I just keep giving the exam Apple example because I've got an iPhone. Uh, we we're also seeing good support from browser manufacturers and device manufacturers for things like FIDO-based authentication schemes, uh, being able to use hardware tokens to, to help identify individuals because they do significantly mitigate the problems that we're having with things like account takeover attacks. 

Yeah, I mean, I've used YubiKey now for over a year I think it is, and I must admit I didn't understand why they did when I first got them.

I just knew that it was some sort of authentication that would improve my security posture, um, to sound technical and, and I, I don't leave home without em now at all. The one fear I do have is that if I lose a YubiKey, I'm screwed. And that's why I always have two, right? You always have a backup, but then you start actually tying a lot of your identity and a lot of your authentication, um, to a particular physical device, right?

And if you lose it, you, you're in trouble. 

I think your, your opening statement there is really telling as well, where you sort of said, Originally I didn't understand what they did. I was like, and you live in this world you know. Yep. Imagine, Imagine my mom and dad. It's like, Oh yeah, you're getting you a YubiKey.

A Yubi what? What does it do? Well, you, you stick it in the computer.Ah so it's a floppy, No. . 

Exactly. Oh, it's like for your mouse. Well, not really. Yeah. Um, and I have the same with my parents. They're in the late seventies and, and they're relatively tech savvy, to be honest, for their age, I'd say. And my dad has a password book.

He has different passwords. He doesn't have a different password for every service, but he does have different password. He writes 'em down. And I'm like, Yeah, I'm gotta let do that. I'm not gonna try and change that. Yeah. Cuz that's not terrible . 

No. And look, in the, in the realm of things, it, it's quite interesting to think about it, right?

Like if, if he's using that and inevitably if he's using a book, he's recording it so that he can recall it later on. And it sounds like he has a number of different passwords, which, which is good. And then people go, Oh yeah, you don't write it down. Shouldn't write it down. So well hang on a second. Look, if he doesn't write it down and he is not using digital password manager, the only way he's gonna be doing it is reusing passwords over and over and over.

Yep. Because even for someone in their late seventies who might be less technically savvy than the rest of us, they're still gonna have accounts over the place. 

Oh yeah. 

And by having unique passwords, albeit stored in physical form, you absolve yourself of all this risk where people compromise one account and get into all your other things.

And now your threat actor is someone who can break into your house and they're there to steal your computer. Right? Like they don't want the passwords, right? They want your whole computer. Yeah. And if they do break in and steal your password book, you come home one day and you go, Oh my password book's gone. It's very different to not knowing that someone has breached a website that you've used and that same credential pair you've used all over the place has been breached.

Yeah. 

Yeah. And yeah, I must admit there's, there's a lot less. The pool of threat actors, as you call 'em, is a lot smaller for breaking into your house than they are online. So 

Yeah, Right. I mean, think about what you need. You need proximity, you need a hammer, or something, you know, like you need somebody breaking in that.

I, I would a little bit off tangent here, but I would also argue that the sort of criminal that would break into your house is, uh, much fewer and farer between than the sort of criminal that would think nothing of just sitting at home on their computer and break into your things. 

For sure. 

And we did go a bit off tangent, but I think that's an important distinction.

Uh, when we talk about where this is gonna go, my dad's not gonna get rid of his password book, and you said password's gonna be around for a long time and we're gonna get more of them. Um, but if we can absolutely improve the process, um, and I I, I find it comforting that all these hardware things are coming along, but what about something way out there?

Like, would it be possible to use DNA at some point? Cos that's unique. 

I'm gonna need a bigger database.

Well, I, I guess a partial step towards there, if, if we talk about using something that you are as a form of authentication, is that we have a lot of biometric authentication. I unlock my iThings with my face and my PC things with my finger. Uh, and that's, that is a great way of doing authentication. And it's, again, this is sort of one of the fun things to discuss because occasionally people say, Ah, shouldn't use biometrics.

It's not like a password. You can't change your fingerprint if it gets compromised. It's like, well, actually firstly you can, It's not fun, but you can , you know, like that is that option. Yeah. But yeah, angle grinders and things aside it's also very, very different in terms of the ease of which it can be obtained and then the ease with which it can be used.

Now if you see someone enter their password somewhere, for example, you're shoulder surfing, you see that password, my 12 year old could then go to that website and log in. No problems at all. Conversely, I see your fingerprint on a glass. Now, I'm working this out as I go here. I've watched some James Bond , but I think I've gotta get like some glues and some sticky tape.

Yeah. And then a little saucepan and a lot of gummy bears, and somehow I might be able to create a prosthetic. But you see what I mean? Like the, the ability to actually reuse the secret, which is not entirely secret if it's attached to your finger, is fundamentally different. So I, I like the idea of things like this.

So I think going to the level of, uh, DNA is a, a very different realm to simple biometrics. So maybe the sort of part-step there, uh, is things like insertable devices. I mean, we, our mate Scott Helm has got a chip in his hand. I don't know if it's still there. He got a Defcon some years ago. Now, I think that's a bit of overkill.

He could have used his phone in his pocket, but that might be a partial step there. 

Yeah, possibly. 

I, I know a couple of people that have the, the chips as well. Um, and one of them is, is using it for opening the door and I'm like, but hang on. So if the chip malfunctions you can't open your door? Like it seems, it doesn't seem a good idea, but um, maybe that's what it is.

Implantable devices? Perhaps we're talking about current though, but it could become more, uh, relevant future-wise, I think cuz one of the things we always have, when you call up your bank or your insurance company or anyone almost, they go, Okay, what's your last name, date of birth, and address. It's always the way that you authenticate it. One way is the Australian tax office or the Australian government.

But the tax office way I've seen it, I've come across it recently, is they use voice. So you say a specific phrase and that phrase then identifies you or authenticates you, and that seems like a much better way than asking for last names, address and postcode. 

I was just, I was actually just gonna say the phrase, but I don't wanna say the phrase now in case someone was to use it.

Exactly. That's, I was just thinking the same thing.

From memory, and it's been a while since I've used it. In fact, I've found, most of the time now, because we, we have a service called MyGov in Australia. Most of the time I log onto MyGov, it's like username and password, and then I've got an authenticator app specifically for MyGov, which pushes a prompt.

Yep. And then you enter the number. All of these things, there's, again, it's a degrees question, right? It's like how easy is the technology to use? Well, for our parents, saying a phrase is very, very easy. It is harder to have an Authenticator app. So, you know, there's a plus on the usability side there. And, and then there's the question of, well, how easy is it to fool that service?

I'm not sure about voice. I know certainly for things like Face ID when Apple came out with that, they, they made lots of song and dance about it as 20 times stronger than, than a fingerprint, as an example. What, what I find really interesting, just thinking about things like Face ID as well is that a lot of these authentication technologies are getting intelligent enough that there's not just one thing.

You know, a fingerprint just looks at the patterns on your finger. Uh, something like face ID will look at a combination of an infrared image. Uh, a dot projector is projecting little dots on your face to try and figure it all out. And then, uh, then if you do start to combine that with other factors that might include things like geolocation and not saying face ID does this, but when we look at other services, like, where are you now?

Is this somewhere that we would expect you to be based in behavioral norms? Do we combine that with other things? Like, do you actually have the right device on you if we're talking about biometric access into a facility. There's lots of different ways we can combine these, and I, I guess in a way, this kind of makes an exciting time because there's so many things we can do that we just, just couldn't even five or 10 years ago.

Yeah. So what I'm hearing you say is that authentication is only gonna be better in a variety of ways, and we're not gonna have one way to authenticate people, but we're gonna find the best solution for the particular problem I guess. Like voice ID. 

It's certainly broader. It's certainly broader. I mean, that, that does make it really interesting as well because we, we always have this sort of game of one upmanship where we as defenders come up with the technology and then the bad guys come along and they find a way around that.

Yep. As I mentioned earlier, things like two-factor authentication with one time passwords are now par for the course of, of phishing kits. It's like, Yeah, of course. We've gotta also phish the, the one time password. Yep. Right. They're working that out. So we go towards things like U2F. It'll just be interesting to see what techniques are used to circumvent controls like that. 

For sure. 

Yeah. It's a, the target's always moving, that's for sure. So look, look at the other side of the coin. Is, is this gonna be more value in than something like identity theft? Because if we are better at authenticating people, if you can get access to it, suddenly you have a much stronger case of actually pretending to be someone else.

That is a good question. The, the other way of looking at it might be, do we become less dependent on particularly things like knowledge based authentication criteria, uh, you know, mother's maiden name, all this sort of thing, and even things such as your, your home address and knowing your phone number. Do we become less dependent on that if we can become more dependent on stronger forms of authentication? And again, things like, actually holding an unlocked device in your hand and knowing the, the pin as well as being able to biometrically authenticate is arguably a much stronger form of authentication than knowing your physical address.

We can do that now, but we couldn't reliably do that only a few short years ago. 

Yeah, absolutely. Um, but yeah, I can just see it if uh, adversaries that are trying to obtain all these details, if it's really difficult and it's, it's perceived as very secure, they get those details, they're worth a lot more suddenly, and that might be another incentive to actually just go harder at it.

Well, I see what you're saying. You know, does that affect the value? But I, I, I think in a way we're sort of conflating two different things where, where one is we spent most of the time sort of talking about how do you authenticate yourself and prove your identity. And then the other is, well what about all the data that's floating around and I guess like the best authentication in the world is not gonna change the fact that a lot of these services then just dump all of your data into a table somewhere and then they get SQL injected or they back up their website onto a website and someone sends it to me.

You know, like we still have that problem. 

Yeah, for sure. So if I'm as a, as a non technologist that might be listening to the show, what are your steps? Like, how do you make sure that you are as, you know, confident in your authentication and your privacy in the future as you can be. Cuz all of this, that could sound quite complicated to set all this up.

How are we gonna help people? 

Look, a combination of things. I mean the, the good old tried and tested advice is still very relevant. Use strong, unique passwords. Like that's kind of like the number one step. And if you don't have a password manager already go and get a password manager. It's easy.

So doing that, using multifactor authentication, we've, we've sort of touched on different ways of doing that. Uh, using SMS for two factor authentication is better than not having two factor authentication. I often get people say, Oh, I'd never use SMS for 2FA. It's worse than having no 2FA. No, it's not

It's like .A password plus something is always gonna be better than just a password. There's like an order of operations here, uh, sms. If not sms, then a soft token is even better. And if not that, then a hardware encryption key, like a YubiKey is even better again. Use these things.

Absolutely.

Just being, I guess, conscious about choosing how much you wish to share. It's amazing how many services you, you sign up for, and then it's like, What's your date of birth? It's like, well, why am I gonna give that to you? Well, we'll give you a voucher to get a free ice cream on your birthday.

Well, okay, well, what am I trading off for for that potential upside once a year. Being conscious just not to share that information is it's just amazing how much we put out there that we just simply don't need to. It's almost a little bit cliche now cause this is what people tend to get after data breaches, but identity theft protection is, is not a bad thing.

I've had, geez, for probably two decades plus now, uh, services and wherever you're in the world, there'll be a service that does this, which will let you know if, for example, there's a loan taken out in your name. You kind of wanna know that if there's an inquiry on your credit record. And every now and then I do get an alert because I've, uh, changed my credit limit or something like that.

And that, that's really useful information to know, particularly in an era where identity theft is so rampant. 

Yep. That's really good advice. And it's, I always kinda liken it to, like if, if you have a car, and if you put a steering lock on it, it's better than not having a steering lock. Right? It's not hard to get a steering lock off, but if there's two identical cars and one has a steering lock take, the thief is gonna go for the other one.

Right. So, you know, any, any little added, I guess, measure is gonna help.

 Um, very good. Um, is there anything you wanna add at the end here? I think we've, uh, sort of covered what we, uh, what we set out to do. 

Look, I guess I just, I don't want people to be scared about technology because it is very easy for us to be very doom and gloom about this.

And I think it is just such a, a wonderful, marvelous time that's so exciting that there's so much that we can do for so little and, and frankly, there is so much protection built in. I mean, it's amazing these days. You go and pick up a, you know, a new iDevice or any other mainstream device and you've got encryption by default, and then you jump onto WhatsApp you just mentioned you got end-to-end encryption. Yep. You never think about exchanging keys. No one's like manually PGPing their way into talking to the other parents about the kids' soccer matches. That would be interesting. Things like that. It just happens by default, and that's actually really, really wonderful.

So I'm, I'm very optimistic about the, the future of, of tech and privacy. And I think discussions like this, are really valuable because they just help us think more about, uh, not just the bits that we're giving up, but the new things that we're getting. 

Absolutely. Now, well said. Well put. Thank you so much, Troy, for your time.

If you like this episode, consider subscribing to the show and we are available wherever you find good podcasts. Also, give us a review, which will help others find the show too and learn more about Troy's jet skis. So tune in again next time for a conversation about what is technically possible. Thanks, Troy.

Thanks very much mate. Always a pleasure.