Announcer 00:05

You’re listening to the bar code podcast with your host, Chris Glendon, serving cybersecurity straight up with no chaser. Let’s hit the bar and grab a drink. Hey, welcome to barcode. 

 

Tony 00:22

Hey, Welcome to BarCode. Oh Chris, right? 

 

Chris 00:25

Hey, man, what’s going on? 

 

Tony 00:26

No much. Hey, man.

 

Chris 00:29

Good, man. I’m busy. 

 

Tony 00:31

I got something new for you to try. 

 

Chris 00:32

Okay, what you got. 

 

Tony 00:33

I got a Blue Monday. Pretty good. I think you’re going to like it.

 

Chris 00:37

Okay, what’s in it?

 

Tony 00:39

We use one and a half ounces of vodka, three quarter ounces of Blue Curacau, half ounce of Triple Sec, half ounce of vermouth, orange for your taste. It’s actually pretty good man. You should try it. 

 

Chris 00:55

Oh, man, that’s nice. Thank you appreciate that. 

 

Tony 00:57

Oh, no problem, man.

 

Tony 00:59

Hey, you said you’re in a cybersecurity or something like that. Right? 

 

Troy Hunt 01:03

That’s right. 

 

Tony 01:06

Well you should make your way down the other end of the bar there is guy down there. He’s talking all kinds of stuff about cybersecurity. 

 

Chris 01:12

I will check it out. Thanks, man. 

 

Troy Hunt 01:15

We’ll see you next time.

 

Chris 01:21

Welcome to BarCode. I’m your host, Chris Glanden and with me today from Australia’s Gold Coast, is the legendary Troy Hunt. Inspiring cybersecurity leader, plural site infosec author and instructor, Microsoft Regional Director, and MVP specializing in online security and development. He runs Troyhunt.com and is the creator of HaveIbeenpwned. For those that don’t know, is a tool that lets you know if your personal data has been compromised. I just read an article on Gizmodo; they name that number 83 in the top 100 websites that helped shape the internet. So, congrats, Troy. Thanks, for joining me.

 

Troy Hunt 02:02

I was in front of goatse. That’s good news, isn’t it?

 

Chris 02:07

That is good news. So, thanks for joining me, it’s an honor to have you on the show. I really appreciate it. So, we are certainly up against some challenging times right now and we are constantly as cybersecurity professionals readjusting our standard workflows and almost a day-to-day strategy because you don’t know what lies ahead. I’m curious to know, what kind of professional challenges have you faced since COVID-19 started? And what have you been doing to really overcome those challenges?

 

Troy Hunt 02:36

That’s a good question. I don’t often get questions I haven’t heard before. So, that’s, that’s a really good one. It’s kind of been fortuitous timing for me in many ways. I had a schedule and a cadence of travel, which wasn’t great for…. my kids weren’t great for me. So, in many ways, like I….. the last time I was away from this, home away from this bed was I think, as the 15th of Feb. So, you know, that is bang on seven months today. So, I have I have not traveled at all in seven months now I traveled I think was 240 days in 2019. And for the two or three years before that it was about 40 something percent of the year. So, that’s it in one way. It’s a massive difference for me. in other ways, it’s been really positive I mean it is not only for my, for my lifestyle, because of I get a lot for exercise. I’ve spoken the neighbors I’ve never spoken to before, that’s nice, but professionally as well because I had the opportunity to have So, much trouble and sort of I guess build up a name for myself going and doing stuff meeting people doing stuff in person getting opportunities, which I think it’d be hard to have without being in person. By the time we got to the pirates, like, look, we got to do everything remotely. Yeah, I was pretty well set up. I got a nice new camera, I got some nice lights in the office and so, I’m good to go. 

 

So, professionally, this has actually worked out well for me and I think we’ve now gone through this curve of organizations going, what’s going to happen, what’s going to happen, hold back on everything, let’s not do everything and this is what it felt to me like in I don’t know, let’s say March, April kind of timeframe and I feel like we got kind of third of May, June, and all these companies were like, well, I guess we better just adjust. Anyway, you know, like this is the new normal business has to go and of course, there are many companies doing very, very well. Out of the whole thing. We’re literally talking on zoom. I think there, I don’t know, say they’re happy about the pandemic, but I’m sure that their shareholders are happy about the outcome of the whole thing as well, right. So, there are companies out there that are investing heavily and I’m, you know, seeing things sort of turn around, but from the new normal, I get to do all this stuff without being jet lagged, which is good for me.

 

Chris 04:48

The fact that you go and speak at conferences, I mean, you deliver exceptional keynotes and the expertise that you share whether online or in person is always second to none in my opinion. In the face of COVID-19, you know, do you miss that human interaction with the cybersecurity community? Or do you feel like you have been able to increase the r&d within your own project space?

 

Troy Hunt 05:12

Oh, look, don’t get me wrong, that there’s definitely aspects of it. I miss, like, I miss the social engagement my social life, it’s just different now. To be honest, as much more normal now. It’s like I socialize with people who live around me instead of like, I socialize with people in Oslo in London. Yeah, like that’s what’s different. I miss sort of seeing new sights and all that kind of stuff. But by the same token, I feel like I’ve done So, much of it and I spent half my teenage years living overseas as well. So, I don’t feel like I’ve had any lack of international exposure, but now, I’m actually quite comfortable with this and for a whole bunch of other personal reasons as well, like, I’m very happy just not going anywhere and I don’t know when I’m going to feel differently. To be honest, I honestly don’t think that we’re going to be able to travel internationally for another year, I think we’re going to be…. We’re September 2020 now, for those of you listen to this in the future, I think it’s going to be a September 2021 propositional beyond and maybe I’ll feel differently than because it would have been like 18 months or something with night travel, my net feelings on the whole thing is net positive.

 

Chris 06:14

Yeah, I agree. I mean, you have to stay positive, you have to play the cards you’ve been dealt and approach it in the perspective of a new opportunity. Now, since you aren’t traveling as much as you were, for big conferences and other onsite speaking engagements, how can our listeners stay informed with you and stay connected? You have social media; you have your weekly update? You know, where else can you point us to?

 

Troy Hunt 06:41

Well, you know, there’s a heap of stuff online, I was actually just looking at my Pluralsight stuff, which you mentioned in the intro the other day, So, there’s 47, every prerecorded course on Pluralsight, still up there in the library. So, if you really want to sit there and spend five and a half hours hearing about SQL injection, good on you, that’s still up there. Everything that I’ve read, has been recorded, talk wise in the past, and I think pretty much everything was in person stuff is a Troyhunt.com forward slash recorded dash talks. So, that’s all there and then, of course, all the new stuff. As you mentioned that the weekly updates, I do every week, I’m still pretty active on Twitter. Monday, I was watching that show last night on Netflix, the one about how we’re all sort of really addicted to our social media and all that sort of stuff. And I felt kind of guilty as I sat there on my phone, like checking the tweets. So, you’re still finding balance there, I guess. Then there are a whole bunch of other talks and workshops and things like that I’m doing but I guess where I’ve found things have tended to differ a little bit is that when I could travel, I would go and travel and I do user group talks and I’ll do conferences and things that had just like no remuneration or anything of that whatsoever. It’s all just community effort because you got a lot out of it, right? Like he got interaction with people, you got to go and have beers with people get to meet people and now I’m finding that those events are much fewer and further between and if I do them, I’m just sitting here in a camera talking. 

 

So, and this sounds a little bit selfish but then what what’s the return on it? You know, I don’t really get much. It’s not like when you stand in front of an audience, and you see the lights go on in people’s eyes, and you see people laughing and smiling, and then you shaking hands on sort of stuff. Yeah, that had huge value, have no monetary sense whatsoever but now it’s like, if I do those events for what is in there. I’ve already got all this stuff online. So, I’ve tended to just focus more on the things which are commercial engagements. And there’s a lot of those now, because of course, like we said earlier, everyone’s like this is the new normal. So, we’ve just got to adjust to the new normal. So, yeah, less of those. But this will change in the future as well and I imagine that we’ll probably start off by having more sort of local or interstate kind of events. So, maybe people see me in Brisbane and Sydney and Melbourne and places like that and overseas, who knows, at least a year, and

 

Chris 08:54

I’m optimistic that the situation will eventually improve in terms of travel and speaking opportunities. Although when you look at the economy and cybercrime, there’s always been a link between the two and with COVID you have to assume we’re on the path to another global recession. With that I’m curious, do you see a cyber-attack methodology shift yet? Or do you see that shift slowly evolving?

 

Troy Hunt 09:22

Well, I think there’s a few things there and the you know that the easy one is certainly in Australia, where we’re already in a recession. We’ve had two quarters and at growth, unfortunately, we had a whole bunch of the country burned down over Christmas as well, which didn’t help and then we had this on the end of it. But inevitably, globally. Yeah, there’s obviously massive impact on the economy. In terms of impact on security. I mean, every time there is any momentous event, globally, and I use that term of mentors pretty broadly. We see optics and things like fishing focused around it. I mean, I think back to things like the disappearance of Malaysian Airlines, MH, whatever, whatever and we saw a bunch of phishing attacks designed to exploit people’s curiosity and the outcome of that. 

 

Now, whether it was that or whether it’s pandemic, we’re seeing phishing attacks the likes of, “hey, here’s an attachment. Would you like to see what who else in your organization is COVID, positive?” And because people are nosy bastards, they’re like, “Yeah, yeah, I’d like to see that attachment.” Now, that’s a very simple example. Think about other things that we really just didn’t even have a name for before six months ago, zoom bombing, I never heard the word zoom bombing before six months ago. So, that’s fascinating, as well. And then, of course, this entirely remote workforce almost entirely remote anywhere, who has suddenly been forced into working in an environment which would have taken years of planning for most organizations, and all sorts of services have been put on publicly facing network segments, because that’s the thing that people have access to and businesses Grambling to stay to stay open and functional. If this hadn’t been planned, in the best of times, we would have seen issues, but certainly now that it’s all happening under duress. 

 

Yeah, that’s creating a whole bunch of problems. I think that there’s all these really interesting things that are very hard to measure to know, I’ll give you a good example. So, we had a period there where the kids have to work from home and I just remember once like going into my son’s bedroom, son’s 10 years old, he’s remote learning. He’s got his laptop there, all the other kids are there and one of the screens, there’s a dad in the background, having like some business phone call, just talking really loudly about the business deal and I’m like, might you realize that you just get literally like disclosing your business deal to a roomful of 10-year-old, and whoever is listening in? Yeah, just out of frame. So, I think it’s like just lots of little interesting nuances like that. But also, this is the kind of stuff that will become the new normal, right? Like, we’ll get used to this and will adapt and yeah, maybe they’ll put the kids in the room and a desk or something like that, instead of the in the lounge room where dad’s doing business deals.

 

Chris 11:56

Exactly. Now, from an organizational standpoint, larger organizations, small businesses don’t matter. How would you prepare those individuals, and exemplify the need for enhanced privacy and data protection during these times?

 

Troy Hunt 12:13

I think for the most part, all the things that we’ve always espouse as virtues around security and privacy are still relevant, just much more so. So, when I think about things like data minimization, like how much how much data do we have? Do we really need to have that? Do we need to have it in all these places? Do we need to retain it for this long? I wonder how many people are sitting there now remotely with access to large troves of data that previously would have only been accessible within the corporate boundaries and now, of course, those boundaries are digital. So, data ends up in many places it didn’t before how much that data is actually needed. We see time and time again. And I’ll give you a good example, that the thing that I constantly lament is seeing data breaches with dates of birth and I’ll tweet, and I’ll say, like, this is crazy, let’s say hypothetically, and I don’t have any evidence, it’s just as the case let’s imagine is cat forum, right? Catforum.com. Now you can get a catforum.com and when you register, it asks you for your date of birth. Now, if they have a data breach, you’ve got this piece of knowledge base authentication, static knowledge, base authentication, sitting there for let’s say, a million people and I’ll tweet and I’ll go, this is ridiculous. 

 

Why don’t you know, why is this necessary? And then I always hear people, and then sorry, they usually American as well. They say you need it, because a copper. Yeah, child online protection, you have to ask whether they’re 13 or not and So, we’ll…. Why do you keep all the dates of birth? You know, why don’t you just have a button, and it says, I am 13. And then if you don’t click that button, you don’t get in? And then the funny thing is, like I’m telling and people say, “Because people could lie.” Do you know how many people are born on like the first of January 1990? It’s, it’s ridiculous. And then like, well, now you’ve actually got to enter the entire date of birth, because if you don’t enter the entire date of birth, it’s just too easy just to click the button. Okay. Here’s some sophisticated mathematics for you. Enter the date of birth? Is the total use greater than or equal to 18? Yes, let them in. No, don’t let them in either way, discard the data like this is not a hard problem. Now that’s somewhat of a trite example. But we see time and time again in organizations just way too much data collected in the first place held for too long used for purposes it wasn’t intended and I reckon If nothing else, this is the time where we go let’s clean this up because now the attack surface is So, much greater. Right?

  

Chris 14:36

Exactly and it’s the same concept when you’re looking at a liquor sale or gun sales, you have the same protection or mechanism in place where you know, it’s a checkbox So, that’s really all that’s betting you.

 

Troy Hunt 14:48

And that’s all you need and the problem is it So, this is really good quote that someone gave me before I went to the congressional testimonial asked for feedback and someone gave me this quote, which I used and they said, organizations look at our data as an asset and they fail to look at it as a liability. So, companies are just going, let’s siphon up all the data because the more data we have, the more we’re able to target, you market your products, sell your information somewhere else. But they never sort of go, Well, what is the risk not just to the individual, but even to the organization?

 

Chris 15:18

That’s a great point data is a liability. Let me ask you about Have I been pwned? [15:23 not clear] How have you seen the landscape change since you launched the service?

 

Troy Hunt 15:28

I think there are multiple things that have changed since December 2013, when it launched, and the first thing that came to mind is greater regulations around privacy. So, yeah, obviously GDPR is a big one. CCPA in California is big one. I don’t think much of the world really thinks about Australia, but we’ve had various laws passed in Australia and mandatory disclosure and things like that, as well. So, yeah, we’ve had that come into place and I think what that’s done is given people a greater awareness around personal data, and I think it’s given them a greater sense of ownership. I don’t think it’s actually made any difference to data breaches but I do think it’s made people a lot more aware. Now, on the flip side when I launched it, there were about 155 million records of courses. 10 point something billion today. So, clearly, there’s been a lot of data breaches since then and what I have seen in terms of trends is the one I think that worries me the most, is just the redistribution of data via aggregators. So, yeah, and aggregators, I’ll use a pretty broad term. 

 

So, aggregators could be anything from credential stuffing lists, where data just gets put into sometimes billion record plus username, password combinations, but also through to aggregators that then monetize their data at various levels of shakiness and in fact, this may be give two levels of shading, sometimes it’ll be spam lists that you can buy, that have been collected from all sorts of different locations, I’m quite sure a lot of them actually come from data breaches, because it’s a freely available information on. All the way through to the lots of experience, I was speaking with a reporter in South Africa yesterday, because Experian had a data breach down there, where they exposed 10s of millions of records of South Africans, now they’re their credit agency, they legally allowed to hold that data, and they legally allowed to sell it to people. But what’s happening is we’re just getting these massive troves of data which then appear in breaches like this. So, I think that’s, that’s something that especially concerns me, because we just have no visibility over it, no control over it, and it operates quite legally and, and that the uneasy bit of it is, is that credit agencies do actually have a role to play as well, or I like there is a legitimate purpose for understanding someone’s service ability if they want to go and get a loan. So, I don’t know the answer to that. I just know that we have a lot more data out there than ever before. And just by virtue of of those numbers, yeah, we have more data breaches and more records in them.

 

Chris 18:01

You recently announced, have I been pwned [18:02 not clear] is set to go open source, why did a decision to open source it now?

 

Troy Hunt 18:08

I guess if we scroll back a bit, the macro problem here is that I didn’t expect this to be popular. This is a really nice problem to have, right? Like I created this as a pet project. In my spare time, and I created it not just to be data rate service, but I created it because I wanted to play with as your and marks of cloud things like that was it was equal parts priorities and thing did get popular, and I got big, and they started to become a lot of dependencies on a lot of organizations are tied into their workflows, for example, obviously, a lot of consumers use it. There’s a lot of companies using the free domain search. Governments use it and all of that is like great. However, for one guy still running it like literally This is Have I been pwned HQ, like right here. This is all it is. And of course, whilst I was traveling, it was this and my laptop and that was it. So, really, that that to me, was concerning in terms of what’s the succession plan and I like I get, I can’t even joke about it. I used to joke and say, if I go out there and get eaten by a shark, like, what’s the succession plan and then for the first time in more than 60 years, a week ago, a guy went out there and got eaten by a shark but I feel bad, like making the anyway. If I go out there, and I get hit by a car, can’t go out the other side. You know, what’s the succession plan for that? So, I was concerned about that. So, early last year, things really, really spiked. 

 

So, January last year, I think the January I remember where I was in an airport, and things got especially busy when I loaded this massive credential stuffing list and to be honest, I was not only concerned about the succession planning and sustainability, because of so much dependency me, but I was worried about my mental health and I was worried that and I think I said at the time, So, I didn’t feel burned out but I could see a point where I would be and I didn’t want to get to that point. So, I was, I was concerned about that and I went initially down an m&a path, merger and acquisition path of trying to find a buyer for Have I been paying close, like, Alright, let’s just pick the whole thing up, go into a big company that’s well funded and that can your resource teams and things around it and basically got to the point earlier this year where there was really one organization who bowed down to that was a reasonable fit, and then the wheels fell off that dude, absolutely no thought of mine, just totally different change of business direction for them. So, I got to the end of that. And when I go, Well, that was a very expensive experience, learned a lot, but expensive experience, like what do we do now? And I sat on it for a few months, and then eventually, in August this year, decided that that looked, the right thing to do was to announce open sourcing it and that in itself is actually a hate for work. It’s not like you just go…. Okay, GitHub repository public and job done, go for it. 

So, there’s a huge amount involved and there’s like everything from the licensing terms through to breaking the project down into manageable components that people can contribute to, through to considering what a project that’s been run as a private repository with one guy in his spare time for seven years. How many API keys you don’t check into that thing, like, I don’t know, I’ve got to go through. Because I’m human as well, just like everyone else, I got to go through and figure out how to segment it. So, I path forward is starting to emerge. But I’m having to be cautious not to put a timeframe on a day that because this is still something I do on my spare time. I, I want to see my kids, I want to go wakeboarding and get into the beach, things like that. And I don’t want to be sort of forced into a position where I got to fast track this thing either. So, I’m proceeding gradually. But that is absolutely still the clear intention that’s open source, give people the ability to contribute to it, let it grow into something bigger and let there be community who can help run it.

 

Chris 21:59

Yeah, and that was going to be my next point is just asking the cybersecurity community and our listeners to help continue to grow and continue your vision because it’s helped So, many people. You also recently partnered with Nord VPN, as a strategic advisor. Would you mind sharing some information regarding this partnership, and, and how significant your role will be been?

 

Troy Hunt 22:21

Yeah, good question. In fact, I rushed off a call with my good night, Scott Helm, who does a whole bunch of TLS stuff in the industry just before talking to you. And I will mostly talk about the node situation. Because there’s really, really fascinating aspects his whole thing at the moment. And I’ll come back to those. But I guess that’s sort of the big picture. So, Nord is obviously really well-known brand in terms of the VPN product they run. I think that the VPN industry in general and Nord hasn’t been immune to this has had trouble clearly articulating the value proposition of VPN, and doing So, in a fashion that’s, that’s accurate, and not hyperbolic and, look, we’ve seen a whole bunch of organizations really go off the deep end in terms of making representations that that weren’t true. I’ve written about some of these in the past, I’ve seen promotions for VPN providers, which have been shady operators, and hey, great, you’ve literally just trusted your traffic to the devil. This is, this is not a good outcome. So, there are a bunch of things that attracted me to know too many things like the fact that they have had independent audits from PwC, to make sure that they’re not retaining logs. 

 

In fact, when I announced the Nord piece, I embedded a story in there about a whole bunch of APNs that that just got popped in and guess what, they had a whole bunch of logs in there, which is, of course, not what you want, after a VPN provider, they do have a massive collection of exit nodes around the world. They’ve got, like really cool people. So, one of the things that I’ve become increasingly aware of over the time is in the industry is like, “Who are the people behind these services?” One of the reasons I have really good relationships with people like Cloudflare, and one password, is that I’ve gotten to know the people behind these organizations really well. And this super, super cool, folks. So, this is what I’m finding with the Nord crew as well. Now what I’m finding interesting, and I’m literally writing something in this today, and as well as speaking to Scott to his, his This is almost like a good conference talk, right? Like, you know, in a world that is going secure by default in terms of encryption, where’s the remaining value proposition for VPNs? Because we’re having this chat. And we’re like, remember when we used to go to airports and every time we went to an airport, we’re worried about the network and we turn on a VPN. How do we feel now that there’s So, much TLS everywhere and it’s funny to look at how many sort of kinks we still have in the secure by default armor? 

 

So, things like one of the reasons talking to Scott as he does his crawl every night of the of the top 1 million websites, he pulls back a whole bunch of stats on them. So, one of the things I want to frame today is like how many websites are actually using HSTS About 11% of websites are using HSTS. So, even if they throw run from HTTP to HTTPS, we’ve still got the first hop. And then all the ones that are using HSTS. How many using preload? Well, apparently that’s about 2.3%. So, so all right, a very low single digit number of organizations actually properly doing encryption from client to some other point of termination and then we’ve got like, 97.7% of organizations are just not doing it right and then by pure happenstance. Yesterday, I got a Google alert for something related to HaveIbeenPwnd I thought, Oh, this is really interesting and I click the link. And then it’s like, Microsoft virus PC warning, you know, and it’s like flashy lights and I’ve literally got the audio again, this is the Microsoft Security Department Call this number now. It’s like a crap and it was all over HTTPS too. But HTTPS doesn’t actually give us any assurance of who you’re communicating to. Maybe you have a nice secure connection to the devil. 

 

So, there’s this whole other value proposition to discuss, which is around things like, what is a good site versus a bad site? How do we filter them out? Chrome safe browse and get some of it some eyes, please get some of as soon as I turned on Nord, in their cyber…. Effectively DNS black holing. It’s like the thing went away. So, there are a lot of a lot of other value propositions. In fact, Scott, certainly insightful today said, you know, as much as people are worried about the control that someone who sits in the middle of a connection has who’s malicious. The control that someone who sits in the middle of the connection and is good has is actually really, really positive. So, there’s a lot of good upsides. But I think we’ve got to sort of put it in the right context. So, that the argument about you know, you need this because otherwise your connection is encrypted. Here, frankly, isn’t quite right. We’ve got in the US according to Firefox telemetry, there’s over 90% of all web traffic is encrypted. So, that’s not the problem. The problem are all the other gaps around that and then the trustworthiness of the site and a few other things, too. So, to be honest, So, this is a bit of a fun challenge, right? How do we try and separate the hyperbole from the good, useful facts? And this is what I’m trying to do now. Hopefully, I’ll get it right in this blog post I’m writing. 

 

Chris 27:17

I’m sure you will and I’ll be looking forward to checking it out. Now, help me understand you have your typical average VPN home consumer who is evaluating VPN? Right? How would you advise those users to verify that the VPN they are looking at? Or will be purchasing is legit and not snake oil? 

 

 Troy Hunt 27:39

Well, let’s look to be honest, it’s really hard for the average consumer, like, how do you actually look at, you know, let’s say one of these reviews, and figure out Yeah, you got one of these reviews and very often all these reviews are like affiliate links to every single other providers and I’ll tell you what the number of reviews of certificate authorities are saying, and here’s all the best certificate authorities and Let’s Encrypt isn’t on there, because you can’t get an affiliate link to [laughter] It’s like, how much do I trust this? So, I’m really sympathetic to you to your average user. And I think we’re, we’re Nords carving out a bit of a niche for themselves is they’re getting better brand recognition than most organizations and frankly, they’ve done that by buying a lot of airtime as well. Now, fortunately, they’re also a good company. So, they have that supporting them but it’s very difficult for consumers and in the same way, it’s difficult for consumers of you know, what antivirus should you run? What is the right antivirus product for you to run? So, I look it’s I think it’s a difficult thing for consumers at the moment and I think the answer to this is a combination of things like TLS, and as many things as we possibly can, So, that they just don’t have to do anything. Plus making sure that there are products like node which have easily consumable cost effective and, and shouldn’t get in the way of what it is that they’re trying to do.

 

Chris 28:51

Definitely, because it can be complex and overwhelming for users that aren’t familiar with the tech. So, what do we all have to look forward to? Tell me what the state of cybersecurity will look like, in 2030?

 

Troy Hunt 29:07

Well, we’re still going to have passwords. This is normally the question, right? It’s like, when’s the password going to die? And I like I started getting really involved in infosec prob about 10 years ago and I just remember at the time, that listening to podcasts now, all of these projections about we won’t have passwords in 10 years. The only thing I can say absolutely, for sure now, it doesn’t take a psychic to do this, is to say that you will have more passwords in 10 years from now than what you will now and part of the reason is, is that old passwords don’t die like this still out there. You just get more and more services. So, I think we’re still going to have that challenge, where we’re still going to find that the human side of security is absolutely key and I mean that in everything from social engineering through to how do we make security consumable, and I’ll give you a really good example on second point to 2FA Fantastic. 2 FA, MFA, 2 steps whatever want to call it having say, soft token as well, fantastic additional layer of security. Absolutely woeful user experience. It’s terrible. Honestly, if someone’s listening to this, and you’re like, well, I stood up all the time, it’s fine. Try doing it for your parents, right? And then try supporting your parents, when they get a new phone, and they’ve lost all their soft tokens. It’s just like, it’s just an absolute nightmare. 

 

You know, maybe stuff like u2f is part of the answer for it, I can see u2f I mean, u2f is increasingly playing a role. So, in the enterprise, where it’s like, everyone already has a key card, plus, your captive audience, you work for us, we can make you do whatever we want you to do. But I just don’t see good imminent solutions for the masses trying to sign into websites, I see lots of incremental things, you know, log on with Facebook, kind of solves some problems with creates other problems. Apple’s making efforts around doing this? Well, it’s kind of the same answer in some ways, but I just don’t see anything. I just don’t see any sort of bullet on the horizon and I say, “HaveIbeenpwned getting much bigger?” This is like, there’s no reason for it not to. 

 

Chris 31:08

That’s true. Let’s switch to IoT really quick. Organizations are faced with many challenges in terms of IoT security, from device visibility to applying security controls. What is your take on securing IoT?

 

Troy Hunt 31:25

It’s extremely difficult because I think, competing forces and what I mean by that is that the competing forces we have is that IoT is getting exceptionally cheap and readily accessible to both consumers and enterprises. So, I’ve got, I’ve been putting things with these little Shelly relies literally in the wall behind light switches that small, same size as two Oreo cookies, you put it behind a switch in the wall and if we were to put it in US dollar terms, it’s what like, $16, or something for real and now suddenly, you’ve got an internet connected like, fantastic. Now they do a pretty good job. But there are loads out there that are just super cheap, very poorly tested, very poorly supported. And then you get to this situation where you’re saying, whether it be consumer or enterprise, how many people are equipped to update the firmware on their light bulbs in a regular cadence? I can I get like; I use my mom and dad’s examples. Can I imagine going to a mom and dad gang? 

 

So, have you updated the firmware on all the switches in the house lately? Maybe like, what’s firmware? Where do we even begin with that? But the competing forces here, it’s not just the price, but it is it is now organizations trying to put IoT into everything and again, whether that be something for consumer land or enterprise land, because this is now a point of difference. My washing machine has IoT. I’m not sure why I put it on the internet anyway, because I was curious. But it’s like, what is the point of this thing but when you look at the brochure, it is literally one of the headline elements, it’s like, washes your clothes connects to the internet, I’m not sure what else you can really do with the washing machine. So, we’re trying to push this stuff very, very quickly but all of our traditional concepts around everything from patching cadences through the any sort of automated update, through to any discrete device, testing suddenly becomes a whole lot more difficult when we’ve got all of these little devices all over the place. I realized, in fact, as well as talking to Scott just before this call, so, that the tab opens here, but I looked at my pihole, which is where all my DNS resolve and by a massive margin, the busiest device on my network, out of all of my PCs, my NAS, smart TVs, all this sort of thing, the busiest thing is this tiny, tiny little device sitting on my garage door, So, I can open up remotely. Now I don’t know why it needs to query Shelly cloud, literally every one second. This is what it does. So, it’s, it’s, it is a fascinating, fascinating time. thing, maybe that’s the nicest thing I can say about at the moment. And I’m conscious also like on the security guy, it’s like, hey, look at how much I have to just put in my house. But I think there’s probably another discussion about how to try and look that down a little bit in the home. 

 

Chris 34:08

So, pihole, I need to look into that I don’t have that running. I do have some IoT here but to my knowledge, there’s not many third-party tools out there, at least on a consumer side that you can implement to be able to have that type of traffic visibility or alerting.

 

Troy Hunt 34:22

This sort of brings us a bit full circle with node as well, because piehole is a DNS resolver. So, it’s typically run on a Raspberry Pi at the usually at the network layer inside your home network, you would set it up to resolve DNS from the router through the piehole and then at the moment, I’ve got block lists that have got 93,000 domains on them and they literally just blackhole the DNS query. Now that’s also what Nord does when you turn on the cyber sec feature. So, you know, I can’t see my mum and dad running a pie hole in the house but I can see them running something like a VPN on their device and then it just automatically gets the benefit of it but that doesn’t necessarily tell you where all your queries are going and even here When I look at my pihole, it’s like, what is it doing with Shelly cloud? old time? What are you doing, Shelly? And of course, So, the top committed domain is API dot Shelly cloud. The second permitted domain is a two-year domain when two years and other sort of IoT stuff. The third permitted domain is another shell a domain. That’s like, I saw Look at this. The fifth one’s another tree. Oh, my God, what are the devices doing? The eighth one is a Nano leaf. domain. Oh, and the one before that is a huge holy crap. It’s like literally probably 70% of my top hit domains are all from IoT devices. Curious? Yes, I’m going to look into. I’m sure it’s fun. 

 

Chris 35:44

All right. So, I have one more question for you. Since the name of this podcast is barcode, if you opened a cybersecurity themed bar, what would the name be? And what would your signature drink be called?

 

Troy Hunt 35:58

Just to ask questions I’ve never had before. I think it I think I’d do something on the beach and I’d call the bar the data beach. How’s that? 

 

Chris 36:09

Nice. I like it. 

 

Troy Hunt 36:12

I would call the signature drink beer.

 

Chris 36:17

That’s awesome. Troy, thank you So, much for joining. I really appreciate it. Stay safe. 

 

Troy Hunt 36:22

Yeah. Cheers, man. Appreciate that.

 

Announcer 36:31

Unfortunately, it’s time to shut the bar down for this episode. Thanks for stopping in. See you next time. We’ll save you a seat. Be sure to check us out at the barcodepodcast.com