“The cloud is just someone else’s computer” - Interview with Smashing Security Podcast Host: Graham Cluley
As an IT-security provider, one of our main challenges is keeping up to date with the developments in the industry and everything adjacent to it. And there is no more entertaining way of doing so than listening to the Smashing Security podcast. The hosts of the show, Graham Cluley and Carole Theriault, discuss a vast variety of topics concerned with security in the online world. From blockchain to Fortnite – no topic is too scientific or too playful.
Graham is an avid user of Boxcryptor and does not hold back on telling the world about the awesome security Boxcryptor is giving to you (and him, obviously). So when Graham mentioned Boxcryptor on Twitter, I took my chance and asked him for a chat about topics that are interesting for our users.
In this interview, Graham and I covered a variety of topics, ranging from his take on (online) security and data protection in general and recommendations for users seeking to improve their security, to political issues and a brief look into the future:
Jonathan from Boxcryptor: When was the first time you thought about protecting your data, and how did data protection become such an important topic for you?
Graham Cluley: I have been working in computer security since the early 1990s, and actually even before having a job in computer security I had an interest. Those were the days before the World Wide Web existed, when a lot of the internet wasn’t really that well-formed, but I was a member of mailing lists related to computer security, for instance, when I was a student at university. I began to become aware of how malicious software, viruses and trojans behave - some of them would delete people’s files, and so that was yet another reason why you should have back-ups. And so obviously when I came to having my own computer, back-ups were an important thing for me. And then as time went on and on, one of the things which emerged was cloud-based services like Dropbox. They became a real hit, and when I tried it I thought, “Wow, what an amazing piece of software”: it works so seamlessly, it works so well, and of course it became a huge hit.
But I didn’t really like the idea of my files being on someone else’s computer. One of my claims to fame, or maybe my only claim to fame, is that I think I was the first person ever to say the cloud is just someone else’s computer. This has since caught on and everyone says it now, but it just seemed obvious to me. And that always made me very nervous. I did use Dropbox for a number of purposes and I have used other cloud syncing services as well. But I always had this concern. And that’s when I came across Boxcryptor and thought, “Wow, this is a great solution, and just like Dropbox it’s invisible, it’s seamless, it just works”. And so I have been using it ever since.
How do you personally feel about discovering a new data protection scandal? Of course, for your business they are essential, but doesn’t it bother you how ill-equipped lots of companies seem to be with regard to data protection?
Graham Cluley: It is depressing and it is a worry, because you see companies making the same mistake over and over again. And I accept that accidents will happen and that we are all human and we make mistakes, and you know, that’s just one of those things. We will make errors and sometimes we won’t be as secure as maybe we should have been. But WHERE I would really like to see improvements is not just in the security before an incident happens; I want to see real improvement in how data security incidents are treated AFTER they have happened.
I think for many companies the thing which your customers will consider most important is not whether you have had a breach or not but how well you handle it. I have seen examples of companies who have been hacked, who have handled it tremendously well and been very transparent, and they have actually turned the potential public relations disaster into something which ends up with their customers loving them even more, and saying, “Thank you so much, you have handled this so well, you told us exactly what happened, you told us what you are doing to fix it, you told us what the threat is to us and what we need to do”. And people love that.
Could you give an example of a company that handled such an incident very well?
Graham Cluley: Yes - I’ll give you an example: LastPass, the online password management service. Obviously, they are cloud-based. A few years ago they had a security incident. The way in which they responded, their openness, the level of detail they gave us as to exactly what happened - and when you looked at the comments on their blog post, they were from all these users who were saying “Thank you”. They weren’t users who were saying “I am never gonna use you again” or “I’m not gonna trust you again”. They handled it really well. And so there are companies who can do this extremely well.
And then of course we see other companies - I saw one just this week that I was dealing with, who, when I brought them evidence that they had suffered a fairly serious data breach, had not only not informed their customers – they decided it wasn’t their job to – but weren’t gonna release any public statement whatsoever. I asked them, “Do you have a public statement you can give me?” and their answer was just one word: “No”. And you just think: you are shooting yourself in the head. I said to them: “Look, you have got a chance here to own the story a little bit, give your point of view, explain what you are doing that is positive”. – “No. We are not gonna say anything”.
I think more and more companies are waking up now. You know, in my personal life I am not a perfect human being. I make mistakes in my life and sometimes maybe my wife is annoyed with me for some reason. I have found over the years that the best thing to do is to put my hands up and say: “I am sorry. What I did was wrong, I should have known better”. It’s just to apologize, accept the responsibility and say this is how I’m gonna fix it. And that’s what you’d expect from a company too. And one would hope, with the introduction of things like GDPR and the consequences which companies can suffer now following a data breach, that they would get a bit more grown-up about this. That’s what I would like to see.
Imagine you are at a party and it’s pretty boring: is there any specific data breach incident that immediately pops into your mind, and what was so special about it?
Graham Cluley: I think cyber-crime has changed a great deal in the last 25 or 30 years. And I certainly think that there were some more fun stories to tell in the early days – in the early 1990s, when it was kids in their back bedrooms, when they weren’t doing it for money, when it was basically electronic graffiti. And there are some fabulous stories from way back then about what people did and the mistakes that they made.
There is this story of Dr. Joseph Popp. He was probably the inventor of ransomware, in around 1990/91, long before ransomware became the huge problem that we have today. And what he did was send out a floppy disk to subscribers to a computer magazine here in the UK. On the floppy disk was something called the AIDS Information; you installed it on your computer and it gave you information about AIDS and all this kind of thing. But there was a Trojan written inside it, and if you kept it on your computer for too long it would begin to cause problems, and you had to send him money to a post office box in Panama in order to get the key to recover your data, because he had encrypted your data.
So, this was the days before the web, before Bitcoin, before cryptocurrency, where he was asking for payments to be sent via the post, and he had to infect you via the post as well. He was eventually caught and then claimed that he was mad. They knew that he was mad, because he had personally addressed all of these envelopes and stuck the stamps on by hand to send them to thousands of people with his floppy disk. So, I don’t think he ever made very much money, but it certainly was a big problem. And there you are - ransomware has been around for maybe close to 30 years, but not in its current insidious form. Back in those days the people who wrote malicious software were very strange people, or they were kids, because there was no reason to do it. They would just mess around – they were showing off. What has happened now is that it has become rather boring, because it is always about money and it’s always just criminals or people trying to spy on you and steal information. They are after your resources, after your data, or in some fashion after your money. So, a lot of the artistry, a lot of the fun has in a way disappeared. None of that stuff was ever good, even way back then, don’t get me wrong, but you can’t even have a sneaking regard for the stuff now.
What do you recommend to users who are not very tech-savvy: where should they start to improve their data security? Do you have a top 1 or top 3 pieces of advice?
Graham Cluley: This is a question I usually get when I get into the back of a taxi…
You need to get yourself a password manager of some kind. Your puny human brain cannot handle the problem of passwords on its own; it won’t be able to remember a password that is as complex and unique as it should be. You are going to choose a dumb password or you are going to reuse the same passwords. So, get a password manager. It will choose the passwords for you and it will store them securely. And normally people then say, “Can I trust a password manager?”, and I love it when they say that, because then I think they have the right cynical, questioning attitude. They are going to be safer because they are thinking about these things. Potentially a password manager could get hacked, but it is a lot more dangerous not using a password manager, I believe. And you are at much more risk.
Another one is two-factor authentication. So, protect as many of your online accounts as you can with multi-factor authentication, which normally means that you will have an app on your smartphone which will generate a random six-digit number. So, when you log in you also enter that PIN. And that means if the hacker steals your password, which they might be phishing for, it is worthless unless they also have access to your smartphone.
And finally: encrypt by default. Too many people think that encryption should be the exception. It is: “Woah, do we really need to encrypt this?” And that shouldn’t be your thinking. Your thinking instead should be: “Is there any reason why this shouldn’t be encrypted?” And if it doesn’t have to be unencrypted, it should be securely encrypted, because you never know when a hard drive might fall into the wrong hands or when your cloud account gets hacked, or whatever. But on too many occasions we are seeing companies, and indeed individuals, who have left unencrypted data wide open on cloud-based services. And the result is yet another data breach headline.
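To show concretely why the second piece of advice above works, here is an added example (written for this article, not Graham’s or Boxcryptor’s code): a minimal RFC 6238 TOTP generator of the kind a phone app runs, plus a login check that requires both the password and a current six-digit code, so a phished password on its own is rejected. The account record, password and salt are constructed for the demo; the TOTP seed is the RFC 6238 test-vector secret, and the function names are this example’s own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the six-digit number the phone app shows is HOTP with the
    counter derived from the current Unix time, so it changes every STEP seconds."""
    return hotp(secret, unix_time // STEP, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """The server stores only a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo account; the TOTP seed is the RFC 6238 test-vector secret.
ACCOUNT = {
    "salt": b"constructed-salt",
    "password_hash": hash_password("correct horse battery staple", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",
}

def verify_login(account: dict, password: str, code: Optional[str],
                 now: int, window: int = 1) -> bool:
    """Accept only when BOTH the password and a current code are right.

    A stolen password alone (code missing or guessed) fails. `window` tolerates
    +/- one time step of clock drift between phone and server; a production
    verifier would additionally refuse to accept the same code twice.
    """
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["password_hash"]):
        return False
    if code is None or not (code.isascii() and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(account["totp_secret"], now + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    print("code the app would show now:", totp(ACCOUNT["totp_secret"], now))
    print("password alone accepted?", verify_login(ACCOUNT, "correct horse battery staple", None, now))
```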
There is a common misbelief among people who say “I have nothing to hide” - what do you say to them?
Graham Cluley: Well, that’s great: let me set up a video camera in your bedroom for the next 24 hours. We have all got something to hide. It is simply not true. We all wear clothes. If we were to scour through our search engine queries we would find out a scary amount of information about people. The search engines and some of the online services, some of the social media sites, know more about us than our own loved ones know about us. And they have got the power of computers as well to correlate all that data and assimilate it and find out more about you.
So, I think we all have something to hide, and you may not be engaged in criminality, but there are many people around the world who find that they wake up one morning in a country where the regime has changed, where they now have a totalitarian regime or the police begin to overreach in terms of the data which they collect. And how do you know that governments, how do you know that intelligence services are going to keep that data secure? We have seen governments and others being hacked in the past. So, even when you think “I can trust them to look after this”, you can’t. Because everyone has been hacked. So, I would say you have got to look out. The right to privacy is sort of a fundamental human right, and I think: don’t give it away too easily. Maintain your privacy and you’ll be safer.
At the dawn of Brexit, can you identify any crucial difficulties British companies might face with regard to the GDPR?
Graham Cluley: I was about to say that the bad news for British companies is they can’t use Brexit as a reason not to be GDPR compliant. Because GDPR is – I’m not saying it’s the be-all and end-all – but it’s a great target for companies, and it should be a starting point for companies, and British companies, whether we are part of Europe or not, need to have proper security and privacy in place, because they will want to sell to people who are based in Europe and so we are going to have to be compliant. Sorry, we don’t get out of that one, just like the United States is going to have to be GDPR compliant as well. I think that’s a good thing. I think GDPR is immensely positive and I hope it has been a wake-up call for many companies, and I’m sure it will continue to be something which dominates the headlines for a long time to come. So, I think that’s good news.
Regarding Brexit generally, I can’t think of anything specifically which relates to computer security. I hope that Britain continues to work closely with its European counterparts in the intelligence services and in computer crime. Personally, on an economic level I believe Brexit is going to be disastrous for the United Kingdom, and that’s not good news, because potentially that means we won’t be able to invest as much in computer security and privacy, amongst many other things. But that’s something which the United Kingdom has foolishly voted for and we seem to be going through full speed ahead.
What is your opinion on the new Web Authentication (WebAuthn) standard? Will we ever live in a "password-free" world?
Graham Cluley: I think the death of passwords is something that has often been predicted but has never come about. I’m not sure we will ever entirely get rid of passwords. I think the various things which people come up with trying to replace passwords have normally simply not been as good as passwords. What we should do, probably, is not get rid of passwords but just harden our security to ensure that it’s not purely a password; multi-factor authentication, for instance, which we were speaking about, can work well alongside passwords. I think people are slowly getting smarter about authentication and recognizing the benefits of multi-factor, but there are a lot of people out there who are still using passwords like 12345 and reusing the same passwords. We have got a long, long way to go, and as we all know, any big change on the internet takes years and years and years to be agreed and to be swapped over; it’s really baby steps.
Do you think there will ever be a time where data protection won't be a concern anymore, because all data is secure?
Graham Cluley: It’s a nice dream, isn’t it? But I think it is only a dream - I think we’re gonna wake up one morning and go, “Oh no, I dreamt that was gonna be the case”. Maybe if we get rid of all of the people, maybe if we get rid of all of the humans, then the problem can begin to disappear. But no - data security is a problem which is here to stay. It may change in the nature of its attacks, there may be variety in the forms in which data security is exploited and broken, but it is a problem that is gonna be with us for many, many, many years.
But let’s not be too downbeat: the internet and computers provide fantastic ways for us to be creative and communicate with each other, and we just have to be safe. We have to know how to use them securely, in a safe way, and how to protect the data that people entrust to us, so that we don’t put that at risk as well. It’s a small price to pay for the fantastic things the internet and computers bring us.
What (trustworthy) resources do you recommend for people who want to stay updated on data breaches and security advice?
Graham Cluley: There are a few resources I would recommend. One is: I think everyone should sign up for a website called “haveibeenpwned”, which is run by Troy Hunt and is a data breach notification service. So, if you enter your e-mail address there, you can receive an automatic notification when there is a data breach as to whether you had an account with a particular service. And sometimes you may not even be aware that they had information about you – that they had your e-mail address – and so you receive an e-mail and then you can find out more about the breach and take whatever action is necessary. You can even sign up as a company as well, which means you can get a notification if anyone inside your company has signed up for a particular service which was later hacked. So, I recommend “haveibeenpwned”.
Another great resource is krebsonsecurity.com, run by cybersecurity blogger Brian Krebs. He is a great investigative journalist and he is often breaking stories of brand-new data breaches and security issues. So obviously I would recommend that. He is a fellow blogger, just like me.
And if I can wave my own flag: if you want something a little bit different, I do a weekly podcast called “Smashing Security” where we try not to get too bogged down in the technical side of computer security; we try to make it accessible to everyone. Because I have a strong belief that we can’t just be experts talking to experts. We can’t just be IT-security people talking to IT-security people. We need to communicate this to everybody, because everyone now has a computer in their pocket. They have a computer on their desk and they want to protect that data. So, we have to use simple language and make it fun, and make it interesting, to get the message across.
I would like to thank Graham for talking to me and answering all my questions on behalf of the whole Boxcryptor Team.