A
Hello everyone, this is Tom Uran and I'm here with Gruk for another Between Two Nerds discussion. G'day, Gruk, how are you?
B
G'day, Tom. Fine, and yourself?
A
I'm well. This week's episode is brought to you by Nucleus Security, who make a top-notch vulnerability management platform. It's good stuff. So, Gruk, like, more than once you've mentioned this book to me by Matt Monte. Matthew Monte, M-O-N-T-E: Network Attacks and Exploitation: A Framework.
B
That's great. Yep.
A
You've mentioned it in more than one podcast and I've always edited it out because it never quite fits into what we're talking about. So there's a particular page you sent me which is first principles, and it mentions three things, humanity, access and economy. And so today we'll expand on those, looking at a couple of recent incidents that have happened. I guess you'd call them case studies in a way. So do you want to explain your understanding of what those three things are? So Monte describes them as first principles that are immutable and fundamental.
B
Right. So basically, like first principles of hacking is how I look at them. And the way he puts them forward is basically you have access, which is, to me, that's the foundation principle, which is that if there's a piece of data that can be accessed legitimately, a hacker can steal it, because at the end of the day, the only thing that they absolutely have to do is impersonate that legitimate access or coerce the person who has legitimate access, or basically replicate what they can do. So because someone can access it, it can be stolen. So that's sort of the foundation.
A
So the words in the paragraph is there is always someone with legitimate access and a means to use it, which is self-evident in a way, because there's no point having data that no one can access, is there? Anyway, go on.
B
Yeah, yeah, exactly. And then the reason that you can access it is humanity, which is that humans make human errors, or humans make things easy for other humans to do, or humans are lazy. Like there's. Humans fundamentally will make something insecure in some way.
A
Right, right. So we'll pick up on that one as we go through the examples.
B
I think in particular this will be relevant later. Put a pin in that. Yeah. And then I think possibly the more interesting one is that there's the principle of economy, which is, so, you know, here you've got access, you can gain access to something, humans are involved. So there will be a way through exploiting a human to get to it. But economy means that you have infinite requirements and finite resources.
A
Right, right. So you have to sort of prioritize and choices.
B
Yeah, yeah. And so at some point the juice is not worth the squeeze. Like, it ceases to be worth investing heavily in something when the reward is just not going to be there.
A
Right, yeah. The way Monte phrases it is ambitions always exceed available resources. And he says this applies for everything. This is true for both computer offense and defense. There is a priority cost and benefit to every action and every outcome. So when I worked in ASD, if you were doing something, you often encountered this almost nihilistic attitude of you're trying to do something that you want to keep secret. And people would say things like, well, probably our best team could get access to that, therefore the adversary's best team could get access to that. And it leaves you in this position of, well, do we do nothing then?
B
Do they really care that much about the carpool?
A
Well, exactly. And so that was the trick is that adversary intelligence agencies can seem all powerful, but the trick is that they've actually got an infinite number of things that they want to do. And, like, how much do they really care about whatever it is that you're doing? And if it's super important, then obviously you want to put in the best effort. But just because it's not perfectly defended doesn't mean it's not worth doing.
B
And. Yeah, well, like, just because it's a secret thing doesn't mean it's like an important secret. Yeah, to them. Right.
A
But anyway, let's move on to the kind of recent examples.
B
So for me, like, there's a few things that have been in the news recently and it triggered, I keep coming back to, like, he got these things. So. Right. Like he, he just, he hit the nail on the head with these principles they always apply. And there's the Signal thing and the device code thing.
A
Okay, so the Signal thing. Dan Black at Google's Threat Intelligence Group has just published, I guess, a kind of wrap up of several different ways that particularly Russian threat actors are targeting Signal and trying to get access to Signal. And it all boils down to basically.
B
Phishing, except they lie to people and make them do things. That's.
A
Yeah, pretty much.
B
But it's, it's, it's sophisticated in how they go about doing it, the trappings that they use.
A
But yeah, yeah, yeah. So that's like at the top level, that's the example. And we sort of spoke about this peripherally a few weeks ago when we spoke about Paragon, which was spyware that allegedly, according to a random tweet that we talked about, had a method of secretly, I guess my understanding was secretly cloning a device without the original owner knowing so that any messages sent to it would go to a separate attacker controlled device.
B
Right. So it basically stole, allegedly or according to an anonymous tweet, the technical details. Yeah. So it stole the authentication token via an exploit that didn't require user interaction. So there was some like, there was an exploit angle to it. But the end result was then you had a device that was linked to the account that could get all the messages.
A
Yeah, that was the goal.
B
This is the goal.
A
Different to that in that it's convincing people to basically link devices without knowing. And the reason I think this is interesting and relates to the three principles is that it's often using QR codes and because of the way Signal is like typically on a phone, it's just not very practical. Like QR codes are very, very practical way to transmit basically links, I guess, share links. Right. That can be extremely, extremely painful to type in on your.
B
Right.
A
On your phone.
B
I mean they're painful to type in anyway because it's usually so long and it's so error prone, particularly because in order to make it secure you need to have enough bits. And if there's enough bits, you either have to make it case sensitive, in which case, you know, you type a lowercase L instead of a one, or you hit shift at the wrong time and the whole thing fails and you have to start over, or it has to be super, super long, in which case you've got the exact same problem. It's just you're trusting humans to do something which humans are particularly bad at, which is copy random strings perfectly.
A
Right. Yeah. So in terms of our three principles, we've hit on humans there. It's just not practical for humans to enter those kinds of URLs. And so the affordance because we're human is we'll use QR codes instead. Now there's also all those sorts of aspects that come with phishing, which is you're just fooling someone and you're, you're.
B
Yeah.
A
Presenting a sort of a reason to do this thing.
B
Yeah. So I like, I know I'm, I'm dismissive when I say, you know, it's just lying to people, but I honestly think that the, like the tradecraft that goes into lying effectively is actually very, very interesting. So much of human is about sort of creating these scenarios where things that are unusual become very plausible and normal. Right. So if someone says to you scan this QR code with Signal, you're going to say no, that's just not a thing you would do. So crafting a scenario where that seems like, not only plausible, but sort of just natural, like that's obviously what you should do in order to continue this thing that you, this narrative that you're now involved in. So I, I think that there's like, there's a lot of work that goes into making those good and I, I make fun of it a little bit, but I seriously respect like the, the amount of effort that goes into making effective phishing campaigns.
A
Right, yep. So like it says here, in remote phishing operations observed today, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or a legitimate device pairing instruction from the Signal website. So it's taking advantage of basically Signal features and you're just wrapping them up in a deceptive.
B
Right. Communication or whatever, you're spoofing it in a way, or you're abusing the inherent legitimacy of someone else's process, like someone else's user path or whatever.
A
Yeah, yeah. So it's a legitimate Signal feature you're taking advantage of as well.
B
Right.
A
So there's access, I guess in this case it's fairly straightforward if, if you've got access, like you're inadvertently, if you're phished, giving it away to someone else. Now, how does economy apply in this case?
B
Okay, so here's the thing I think is interesting is Signal, like it's obviously been on the radar for a long time, but it became a very, very high priority in 2022, three years ago.
A
For the Russians.
B
For the Russians, sorry. Yeah. So this has been a top priority for three years and all they can do until now is these phishing attacks. And these are a fairly recent development as well. So it seems to me like they've invested a lot and in the end they fall back on just nicely asking someone to do it for them and hoping it works. And there's costs involved in that, but it's obviously a lot cheaper than developing the vuln dev process, you know, developing an exploit and finding that stuff, which I think we could probably safely say they have not been able to do. If this is what, if this is what they're deploying.
A
Yeah. I was wondering, can we say that? Because in a way, as soon as.
B
I said it, I was like, no, that doesn't mean it, it means that when they're going after like Joe Schmo, the second lieutenant who just got promoted they're not going to be using their matic.
A
Right? Yeah.
B
Right.
A
Yeah, I think that's a safer thing to say. It means you and I are more likely to get phished than magically hacked.
B
It's actually a good thing if they target you with this. It means that you're so low priority that they're giving you like the El cheapo, the store brand version of attack. Right.
A
Yeah. Now, to be fair, it's not all just phishing. Sometimes if I'm reading this right, they modify group invites, so altered legitimate group invite pages for delivery in phishing campaigns. So there's a legitimate page, it's been modified. And so, yeah, I guess it's. I guess it's a variation. It's not. It's not. But it's still.
B
Phishing is such a bad term because it has so much baggage and it can get used in so many different ways. Because on the one hand, when we talk about phishing, we mean specifically an email that gets you to enter your credentials into a website, which then gets stolen. But I think about phishing more as the process of social engineering, manipulating someone into doing something. So it's like, I don't think it's a good term and I don't like that we don't have another one. But for purposes of this discussion, phishing is going to mean. Yeah, I'm going to define my terms. So for this, when I'm speaking about phishing, I'm speaking about the process of manipulating someone into doing something. So you could say it's lying, but it's not. Simply, I don't just mean getting someone to log into something so you can steal their credentials. I mean, anything in which you pretext and arrange for someone to do something that's beneficial to you.
A
Right, right.
B
Without them necessarily knowing about it.
A
Right.
B
Through online communications of some sort. Like, I feel that that's important. Basically, phishing doesn't go away. When I tweeted out, you know, give a man an 0-day and he'll have access for a day. Teach a man to phish and he'll have access for life.
A
Right? Yep.
B
Phishing, I think, adheres closer to those principles of humanity and access than exploits do. And because of that, while exploits are ephemeral in a way, there'll always be a technical means of achieving this thing. The human means of doing it is just always going to exist, no matter what, as long as there's people involved. And so I think that while we can come away from this discussion saying like, yeah, Signal shouldn't have done this or whatever. There's no way around it.
A
Well, I don't even think that that is possible. Right, because, like, what's the alternative? Right. So I guess Signal, if you go. I think it's Signal settings, Link devices, it'll show link devices. So this.
B
Right.
A
These types of hacks, I guess, would show up as a linked device. And so maybe they could make link devices like a feature of the top ui, you know, number of link devices or something, I don't know.
B
And then. Yeah, but there's things of like, people.
A
Want to link devices. That's a thing that.
B
Right. And you have to make it easy, otherwise they won't do it and then they won't use your software and that's even worse. Right. But I think the other thing is if you make it super prominent, it's going to become visual noise and people will stop seeing it. And if you make it an alert that shows up, then either you make it very sensitive, like Apple has done, right. So if you have a laptop that's turned off for like a few months and then you reconnect it, you suddenly get an alert saying a new account has been added to your thing. And if that happens enough, you don't pay attention to them anymore because you just get fatigued by it. It's just an alert. So, yeah, I don't know what the solution is because there's humans involved, there's always going to be this problem, right?
A
Yeah. You can make an application perfectly safe and perfectly unusable at the same time. That's the solution. So there's other things that they're doing, which is like just getting access to the device and stealing the database behind it or whatever. Which I think in the context of this discussion is a bit boring. I guess it goes to the. They've got priorities and they're pursuing all different sorts of avenues to get access. So, like, Signal's clearly a high priority for them.
B
The way that devices are supposed to be secured when taking them to the battlefield is that you use a pin to unlock the device and then every app is individually locked by a biometric. And that's because if you lock every individual app by a pin, it'll be too frustrating to use.
A
Right.
B
Whereas if you use the biometric to lock the device, it can be unlocked if they have access to your body, whether through as a prisoner or through some other means. So the compromise is to make it that you need knowledge to unlock from the screen and then you use the easiest route possible to unlock Each individual secure app. That way the apps should be encrypted on disk. But there's best practices of what you should do and then there's what everyone does.
A
So at the end of Google's post, one of their recommendations which I think speaks nicely to the usability security. Is it a trade off? Usability security conundrum is enable screen lock on all mobile devices using a long complex password with a mix of uppercase and lowercase numbers symbols.
B
See, I like to use the year that St. Dominic was canonized, which was 1234.
A
Yeah. So this is advice that makes it harder to get into a phone to use it legitimately or illegitimately.
B
Yeah. I mean there's the one time it's going to be used illegitimately at most. Right, right. Versus the thousands of times that you're going to have to use it. So the trade off there of efficiency versus security is not going to happen. It's just, that's impossible.
A
So I think this advice runs into that first principle of humanity. Right. There are very few people who do that.
B
Memorize a 512 digit number and then use that.
A
Yeah. There's another piece of advice which is exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites or other notifications that appear legitimate.
B
And like, how, how are you supposed to do that?
A
Like, I don't know, do you just scan it from a distance or like.
B
That QR looks a bit. Susan.
A
Now my understanding is that there are apps that will show you what the QR code actually points to.
B
Right, Right.
A
But I think the problem is then you're like, well okay, I'm now looking at a link rather than a QR code.
B
Yeah. Like, and if you're trusting people to notice that a URL is fishy then.
A
And they have a list of IOCs which are like signal group site, for example. And it's like, oh yeah, that seems fair enough.
B
But that looks, I mean that looks good enough. I think all you're doing at that point, honestly is just you're translating from a QR code phishing attack to a regular phishing attack without the attacker loses nothing in fidelity, they lose no capability in that and you gain nothing.
A
Yeah. And I think this points out that we're laughing at these recommendations is that it's a difficult thing because the reason it's difficult is because of people. Like there are affordances that must exist because there are people using Signal and you just can't get rid of them. Like it's kind of not practical to get rid of them. And so, yeah, that's where we're stuck now. Let's move on to the second example, which is device code authentication. And Patrick and Adam spoke about it last week and I wrote about it. And the potted summary is that there's a legitimate OAuth method to authenticate what's called an input constrained device, something like a printer or a smart TV, which doesn't have necessarily a keyboard or a good input method. And it basically links a device to an account. The device will pop up a code, and by entering that code, you link it to your account. And so the Russians have also been using this as a way to get access to Microsoft accounts. So they have a device, they generate a code, they give it to someone, they want to phish and they're giving the code to that person. That person then takes that code and authenticates. It's different from traditional phishing. It's like, oh, they've given me this. What implications could it have for my account?
B
Right, right.
A
So apparently that's super effective. But again, we'll step through the kind of different principles. So what leaps out to you about this one?
B
It's all three, really. It's, look, access. So someone has an account, you want access to that account. All you need to do is impersonate that someone. It's pretty straightforward. And then you do that by linking a device to their account. There's a super easy way to do that. You just get them to enter a six digit alphanumeric code. And all you need to do is find a way to convince them that this is a thing that they're doing for their own benefit.
A
Yeah. I think the examples I've seen are, you know, you construct a reason to have a meeting. Here's a code for that meeting, which is super plausible. And if you're, if you're buying the reason for the meeting.
B
Oh my God. Yeah. Not only is it super plausible, I'm pretty sure that that actually happens. Yeah, I can't remember, but I know that there's absolutely. There's. Oh, that's it. There's team codes, right?
A
Yeah.
B
Right. So, you know, like, not only is it plausible, I think it mimics how Microsoft Teams has this. You enter a meeting by entering like a meeting number or a meeting code, something. It's a screen that does come on. So it's.
A
Yeah. So Volexity's report says that this has been more effective than years of other spear phishing campaigns.
B
Here we go. If you don't attend meetings, you're not vulnerable. That's, this is the, that's the solution right there.
A
Well, again, that falls foul of the humanity type thing. Humans are destined to attend meetings.
B
But also like because of the death, taxes and meetings.
A
Right now if you, if we think of a printer, most printers, it does seem plausible that you could like, plausible but not practical that you could enter a very long password just by pressing up and down. Like you don't need two buttons or three. It's just not practical to enter a very long password. So there's this authentication flow that's really because we're human.
B
And I think economy plays a role here as well. So a lot of effort and money and resources went into building out these ways of allowing you to connect a printer to your account or allowing you to connect a smart TV. And then the exploitation of those things is a lot cheaper to accomplish if you have to do actual phishing, as it was saying here. Exactly. Actual phishing is not very successful compared to this more targeted type of phishing vector. And I think that that's playing into. It's probably a lot cheaper to run this as well. Like once you've got it set up, you can just scale it very rapidly.
A
This becomes your number one priority because it works so much better. I mean the economy, to me, this plays into it in many different ways. One of the reasons that those printers don't have good interfaces is because it's cheaper not to have a good interface. And so everyone's trying button drops, super expensive.
B
That's why they like, there's a trend for a long time of just having like touch inputs, right? Yeah, that's because it's a lot cheaper. Like I was speaking to a manufacturer long ago and like they were stripping buttons off everything because it saved them however many cents per unit per whatever. And it's like a Tesla. Yeah.
A
So terrible. And I guess this drive from the manufacturers for economy, I guess has these second order security implications that for most people, most of the time are meaningless because most people are not going to be right by GRU, by the Russians. And so it's totally logical and understandable, but at the same time that's the consequence.
B
If you're a target for the GRU, you're not most people.
A
Yeah, that's right.
B
And that's the trade off. Like if you're a target for the GRU, then yeah, you need to buy the printer that has the keyboard that allows you to type in the long password.
A
I mean, if you're a target for the GRU, it doesn't matter what printer you have. It matters what printer GRU's pretending to be. So you can still buy a cheap printer. That's the good news.
B
That's the takeaway.
A
We've looked at two case studies which I think are very similar in that there's these affordances that are made because people are people. They actually have these security implications that get picked up on because they're very effective at as sort of phishing or targeted vectors to get access to particular people's accounts. What's your gut feeling? These kinds of attacks are going to be more or less common in the future?
B
So more, I think. Absolutely. This is like. What I think is fascinating about this is it's very much that, you know, exploits will come and go, vuln dev will rise and it will fall. We will add whatever sort of defenses and security mechanisms and all that, but at the end of the day, you're still going to have access and you're going to have humanity, and it doesn't matter.
A
Right.
B
There will always be these fundamental problems that you're facing as a defender and these fundamental problems that you're exploiting as an attacker, and they're access and humanity. And your constraint is economy. But that's on both sides. The way I see it, there's going to be more and more devices that we have to link to our accounts, because that's the world that we live in now. You have to have your iCloud account or your Google account or your Facebook or whatever. It's one of these fiefdoms that controls your Microsoft account.
A
We're probably only three years away from having to log into our cars to get them to go.
B
Right. You know, I'm surprised that Tesla doesn't have a thing like that already, to be honest with you. Yeah. So, like, everything's going that way. Like, you need to. You need to log in and authenticate with one of your real accounts for one of these, literally any device. And I. So here's a tangent, which is a lot of the opsec stuff that I like to focus on of, you know, cover, compartmentation, concealment. I think compartmentation now becomes much more important for this, the Everyman, in that you need to start thinking about having the account that you use for authenticating to all your stuff, versus the account that has access to your bank or that interfaces with things that are actually sensitive and important to you, versus the things that you use to log into Notion or to Evernote or to whatever other service or application that you're using, like, that shouldn't be your main account. I strongly feel that it's exposing too much. It's placing too high a risk on that thing being secure and the processes of accessing that being secure. So if someone links a printer to the account that I use when I'm logging into my personal Gmail, that's a huge problem, which is why I don't use my personal email for things. I have another account that I use for all of these various interactions, and my recommendation to everyone is to start considering doing that. Like compartmentation, it's the foundation of security.
A
It's the way of the future.
B
Everyone will have 15 minutes of fame, and they will be James Bond. That's.
A
I think what you're suggesting is that everyone will have 15 minutes of fame and 15,000 different accounts.
B
Thanks a lot, Tom.
A
Thanks, Scott.
Risky Bulletin Podcast Summary
Episode: Between Two Nerds: Hacking's First Principles
Release Date: February 24, 2025
Host/Author: risky.biz
In the February 24, 2025, episode of Risky Bulletin titled "Between Two Nerds: Hacking's First Principles," hosts Tom Uran and Gruk delve deep into the foundational concepts of hacking as outlined in Matthew Monte’s book, Network Attacks and Exploitation: A Framework. The discussion centers around three immutable first principles of hacking: Access, Humanity, and Economy, exploring how these principles manifest in recent cybersecurity incidents.
Gruk begins by explaining Access as the foundational principle. He emphasizes that if data can be accessed legitimately, it inherently becomes vulnerable to theft. Hackers exploit this by either impersonating legitimate access or coercing individuals with authorized access.
Gruk [01:21]:
"If there's a piece of data that can be accessed legitimately, a hacker can steal it, because at the end of the day, the only thing that they absolutely have to do is impersonate that legitimate access or coerce the person who has legitimate access."
(Timestamp: 01:21)
The conversation shifts to Humanity, highlighting human errors and inherent laziness that lead to security vulnerabilities. Gruk points out that humans often make systems insecure, whether intentionally or inadvertently, by simplifying processes or overlooking potential threats.
Tom Uran [02:16]:
"Humans fundamentally will make something insecure in some way."
(Timestamp: 02:16)
Lastly, Economy refers to the balance between infinite security requirements and finite resources. Decision-making often involves prioritizing certain security measures over others based on cost-benefit analyses.
Gruk [03:10]:
"At some point the juice is not worth the squeeze. It ceases to be worth investing heavily in something when the reward is just not going to be there."
(Timestamp: 03:10)
Tom adds a personal anecdote from his time at ASD, illustrating the practical challenges of balancing secrecy and resource allocation.
Tom Uran [04:08]:
"The adversary intelligence agencies can seem all-powerful, but the trick is that they've actually got an infinite number of things that they want to do."
(Timestamp: 04:08)
The hosts examine recent phishing campaigns targeting the secure messaging app, Signal. Dan Black from Google's Threat Intelligence Group reports sophisticated phishing attempts where malicious QR codes masquerade as legitimate Signal resources, such as group invites or security alerts.
Gruk [05:05]:
"Phishing, except they lie to people and make them do things."
(Timestamp: 05:05)
Tom relates this to a previous discussion on Paragon spyware, which could clone devices covertly to intercept messages.
The discussion highlights the difficulty humans face in accurately entering complex QR codes manually, making QR codes a preferred vector for phishing due to their ease of use despite their susceptibility to manipulation.
Gruk [07:16]:
"You're trusting humans to do something which humans are particularly bad at, which is copy random strings perfectly."
(Timestamp: 07:16)
Gruk expands on the sophistication of phishing tactics, explaining that effective phishing requires crafting believable scenarios where victims are manipulated into taking specific actions without realizing they're being deceived.
Gruk [08:22]:
"There's a lot of work that goes into making effective phishing campaigns."
(Timestamp: 08:22)
They discuss the inherent challenges in mitigating such attacks, as recommendations like "exercise caution" are often impractical due to human error and the complexity of verifying legitimate QR codes.
Tom Uran [14:56]:
"There's always going to be this problem, right?"
(Timestamp: 15:00)
The second case study focuses on the exploitation of device code authentication methods used by companies like Microsoft. This method typically involves input-constrained devices (e.g., printers, smart TVs) generating a code that users enter to link the device to their account.
Gruk explains how Russian threat actors have leveraged this system by tricking users into entering malicious codes, effectively granting attackers access to Microsoft accounts.
Gruk [21:28]:
"If you don't attend meetings, you're not vulnerable."
(Timestamp: 23:01)
The hosts note the high effectiveness of this phishing technique compared to traditional methods, attributing its success to the blending of plausible scenarios (like entering a meeting code) with malicious intent.
The discussion touches on the economic aspect, where attackers find device code exploits more cost-effective than developing complex exploits. Additionally, the trend towards simplified device interfaces (e.g., touch inputs over physical buttons) inadvertently increases vulnerability, as it reduces the complexity needed for secure authentication without hindering usability.
Gruk [24:32]:
"A lot of effort and money and resources went into building out these ways of allowing you to connect a printer to your account..."
(Timestamp: 24:32)
Tom emphasizes the security implications of manufacturers prioritizing cost over secure interfaces, leading to second-order vulnerabilities that are easily exploitable by attackers.
Tom Uran [25:13]:
"Those drive from the manufacturers for economy... have these second-order security implications."
(Timestamp: 25:13)
Gruk predicts that these types of phishing attacks will become increasingly common as more devices require account linkage. The proliferation of connected devices (e.g., cars requiring authentication) will expand the attack surface, making compartmentalization of accounts crucial.
Gruk [27:10]:
"There will always be these fundamental problems that you're facing as a defender and these fundamental problems that you're exploiting as an attacker."
(Timestamp: 27:10)
To mitigate risks, Gruk advocates for compartmentalization—using separate accounts for different levels of access and sensitivity. By isolating critical accounts (e.g., banking) from less sensitive ones (e.g., social media), individuals can reduce the risk of widespread compromise if one account is breached.
Gruk [28:32]:
"Compartmentation is the foundation of security."
(Timestamp: 28:32)
Tom and Gruk agree that while compartmentalization may seem cumbersome, it is essential for maintaining robust security in an increasingly interconnected world.
The episode underscores that the first principles of hacking—Access, Humanity, and Economy—are enduring and pivotal in understanding and combating cybersecurity threats. As technology evolves and the number of connected devices grows, fundamental human behaviors and economic constraints will continue to influence both offensive and defensive strategies in cybersecurity.
Tom Uran [29:25]:
"It's the way of the future."
(Timestamp: 29:25)
Gruk concludes by reiterating the importance of compartmentalization and proactive security measures to safeguard against sophisticated phishing attacks that exploit human and economic vulnerabilities.
Notable Quotes:
Gruk [01:21]:
"If there's a piece of data that can be accessed legitimately, a hacker can steal it..."
Tom Uran [02:16]:
"Humans fundamentally will make something insecure in some way."
Gruk [03:10]:
"At some point the juice is not worth the squeeze..."
Gruk [08:22]:
"There's a lot of work that goes into making effective phishing campaigns."
Gruk [24:32]:
"A lot of effort and money and resources went into building out these ways of allowing you to connect a printer to your account..."
Gruk [28:32]:
"Compartmentation is the foundation of security."
This episode of Risky Bulletin provides valuable insights into the persistent challenges in cybersecurity, emphasizing that understanding and addressing the core principles of hacking are crucial for developing effective defenses in an ever-evolving digital landscape.