Risky Business Part 2 - Password1
February 16, 2021
Guests
Graham Cluley, Cybersecurity expert, host of "Smashing Security" podcast, public speaker
Troy Hunt, Information Security Author & Instructor at Pluralsight, Microsoft Regional Director & MVP, Founder of Have I Been Pwned
Description
From weak passwords to getting pwned, part 2 of our series "Risky Business" looks at the simple, yet critical steps we need to take to guard against identity theft with two IT & Security thought leaders, Graham Cluley, host of the hit podcast Smashing Security and Troy Hunt creator of the website haveIbeenpwned.com. We hope you can join us.
Transcript
DAVID CHAUVIN (HOST): Welcome to Engage: a Genetec podcast.
"A vast secret cyber underworld. It's called the Dark Web, and people aren't using it to buy shoes."
DAVID CHAUVIN: But is the surface web or light web any less treacherous?
"The reality of it is a huge amount of the content on “Have I Been Pwned?” is on the clear web. It's not behind Tor hidden services, it's linked to on Twitter. So, this data, frankly, is much scarier than the dark web, it's the clear web. It's even scarier because that data is circling around with such ease and reckless abandon." - Troy Hunt
DAVID CHAUVIN: That's my guest, Troy Hunt, talking about his popular website "Have I Been Pwned?" Spelled PWNED that gets between 150 and 200 thousand visits per day and is, in a nutshell, a pretty reliable way to know if you, yourself, have been quote-unquote "PWNED" that is to become an unwitting victim of identity theft, or worse.
KELLY LAWETZ (HOST): In this, the second part of our two-part Engage series, Risky Business, we talk to two leading lights in the battle against online risk to our business and personal, we hope private, lives, both with some irreverent takes on some of the threats we all face. I'm Kelly Lawetz.
DAVID CHAUVIN: And I'm David Chauvin.
Interview with Graham Cluley
KELLY LAWETZ: To kick off our show and one marked by themes, memes, and terms we may not all be familiar with on either side of the pond, I asked my guest, award-winning security blogger, researcher, and host of the hilarious podcast Smashing Security, Graham Cluley, why he thinks security needs smashing.
GRAHAM CLULEY: Well, smashing in the UK doesn't just mean destroying, of course. Smashing can mean wonderful. Some people also think it might be smash space in security, you get it. So, we're smashing, at any rate, you get the idea. We just wanted to give it a little bit of a British tinge, and that's why we chose the name smashing security. But generally, on the show, as you've noticed, we try and be quite lighthearted. And the reason is that we are trying to get normal people to care about what could be a boring subject if left in the wrong hands. So, we try and make it interesting and engaging, and relevant to everyone.
KELLY LAWETZ: You bring a good point because that's what appeals to me as you're appealing to normal non-security people. It's interesting because now, first, like a couple of years ago, it was ‘bring your own device to work’, right? And now we've brought work to home. In all this chaos, as chaos meets the rigor of security, have we evolved? Like, are employees now going to be less of a risk to their companies?
GRAHAM CLULEY: I try to be optimistic about these things. Actually, maybe we have evolved, because if you think about it now, compared to 15 years ago or 20 years ago, now everyone has got a supercomputer in their pocket and they're carrying it around with them, and they're on the web, and they're doing online banking. Things, which 20 years ago we, many of us, would be very fearful of. I think people have become more accustomed to technology, are more comfortable using technology, which has to be a good thing. Problem is, in some ways, those things have advanced so quickly, and our security capability hasn't necessarily evolved quite as quickly. And so, people are still using the same old password for everything, and they're still making the same old mistakes.
KELLY LAWETZ: You know, you said it well. Hackers and politicians, they're using this moment to either insert disinformation or viruses into our lives. How much security do we need?
GRAHAM CLULEY: It depends on what you're doing. Now obviously, as you've already mentioned, people are working from home more than ever before. And isn't it fabulous, by the way, that we have the infrastructure that makes it possible? If this pandemic had happened 20, 25 years ago, we would be in a completely different kind of a mess. You really begin by ensuring that your home computers and your smartphones are properly secured with the latest operating system, the latest patches. You have to make sure that other devices you're using to connect to the Internet, like your router, are properly patched as well, and that you're not using default passwords. One mistake most people are making is reusing the same password in multiple places. And the problem with that, as has been described many times before, is if you get hacked in one place, and your password is wrapped in one place, the first thing the hackers will try and do is use that password to unlock other things elsewhere. If you're only going to make one change, stop using the same password for different things. You need different passwords, and they need to be unique and hard to crack. So, once you've started using unique passwords, if you're feeling really cocky now and you think, OK, we've mastered that, we've got it, we realized we need to have different passwords in a password manager. My next piece of advice is to enable something called multifactor authentication, also sometimes called two-factor authentication. Many computer users will already be familiar with this because they will do online banking. And when you try and transfer money into someone's account that you've never given it to before, your online banking app may well pop up and say, we need to confirm you are who you say, and so go to your phone, and inside your banking app, it will generate a random number and that number changes all the time.
The beauty of that is that if a phishing attacker steals your bank password or your Amazon password or anything else, they might have that, but they won't have that six-digit number, which changes every 30 seconds or so. It's not completely foolproof if I'm being really nerdy. There are sophisticated ways hackers can get around it. But if you enable multifactor authentication and have unique passwords, you are so far ahead in security from the typical Internet user that most hackers will not bother even trying to infect you.
KELLY LAWETZ: Speaking of nerdy... in doing my research, and I've heard this, it's a meme actually, the cloud is just somebody else's computer. You invented that, I learned.
GRAHAM CLULEY: Oh, my goodness. It does appear I did. The point of it was that people were describing the cloud as though it was something magical. That's just a computer connected to the Internet. You can't be certain that it is properly secured, or at least you're going to want some convincing to comfort yourself. Don't just assume because they've used that marketing buzz word of the cloud. You know, there are fantastic cloud service companies out there who do a terrific job. But so, I use cloud services, you know, things like Dropbox and Google Drive and all of those things. Even though I'm paying for some of those services, I don't necessarily trust them to always act securely. So, one of the things I do is I automatically encrypt everything before it gets put in the cloud. So, if there is a data breach or if someone were to work out my password or get past my two-factor authentication, or if indeed law enforcement or Dropbox wanted to snoop around my files, they would be absolutely gobbledygook and gibberish because they don't have the decryption keys for it.
KELLY LAWETZ: How would I encrypt my files before sending them?
GRAHAM CLULEY: So I run a program. In my case, I run a program called Boxcryptor, but there are others available out there, which basically runs in the background on your computer. Every time you put something into your Dropbox folder, your Google Drive folder, it automatically encrypts it before it gets uploaded to other people's servers. To me, it's entirely invisible. It looks like my files are unencrypted when I try to access them, but anyone else who tries to access them without my decryption key won't be able to see anything.
KELLY LAWETZ: You just brought up the trust. How can I trust those password protector providers? Right? I'm giving - I'm putting all my passwords with them. You're giving me a single password. How do I trust them?
GRAHAM CLULEY: Some of these companies have produced big security documents as to what they do to encrypt your data, to prevent it from being accessible even by them, including your passwords. Ultimately, you're right, you are putting some trust in their hands. You can look at the reviews, and you can look at their track record, and how long they've been around. All I can tell you, as a security professional, is I have more trust in them and that kind of software, looking after my passwords than I do trust in my puny human brain to remember passwords and to come up with good, complicated passwords. So, I'm not saying it's necessarily 100 percent foolproof, but I believe it's a better and safer thing to do than any of the alternatives.
KELLY LAWETZ: Genetec just surveyed peers in the physical security industry, and only 30 percent at this time said cybersecurity was a priority. What do you think non-IT executives are missing about cybersecurity?
GRAHAM CLULEY: What they're missing is the headlines because there are headlines just about every week of companies being fined tens of millions, in some cases hundreds of millions of dollars as a result of data breaches, as a result of sloppy security. And there are also headlines of chief executives losing their jobs as a result of that kind of lax behavior. So, I think absolutely it has to be a priority, and don't think if you're based in America that somehow you are not going to be affected by European legislation, data protection legislation that we have like GDPR, which can give you a very, very substantial fine because if you've got European customers, that's what matters, not where you are based in the world, but where your customers are based in the world. So, I think just a casual stroll through the security headlines, and you'll see that genuinely companies are having horrible experiences and are doing damage to their brand and their ability to do business because of devastating data breaches.
KELLY LAWETZ: GDPR, it's there, it's been there I think two years, has it changed the behavior of companies and individuals?
GRAHAM CLULEY: Oh, absolutely yeah. We see companies now reporting to the authorities that they've suffered a data breach much more quickly than they used to. We've also seen them be more transparent with customers as to what's happened. And I think also companies are considering how much data they really need to store and questioning it because there is toxicity about data. If you store too much data, which you don't really need to do your business, then that can be a liability, because if it did fall into the wrong hands, then the damage is done to you and your relationships with your clients as a result, and potentially financial implications as well.
KELLY LAWETZ: Do you think there is an opportunity for governments, for companies to really start to make people more aware of the cybersecurity risks?
GRAHAM CLULEY: I think there is an opportunity here, and I would, I've always said, I would love for there to be more awareness campaigns, just teaching people simple things, because in my experience, most people, they're not very nerdy, but they're using computers to make purchases, and they're doing online stuff with their phones. They just want some simple advice on how to better protect themselves. I would love to see the government putting some money behind those sorts of campaigns and helping out. I feel some optimism that it is possible once people are given a little bit of training, once people are shown how easy something is, they will get over their initial reservations. It's human nature to want to behave the same way all of the time. But what has happened this year has been so momentous, has turned so many of our lives upside down, that I think we are maybe open to a little bit of change.
KELLY LAWETZ: Last question. I wanted your predictions for 2021 in cybersecurity opportunities, challenges.
GRAHAM CLULEY: I'm always a bit reticent of giving predictions. I suspect what we're going to see is more of the same. There will be headline-grabbing stuff, there will be attacks like we've never seen before, and we'll be surprised by the infrastructure or the organizations which get hit. But many of the attacks, which we see going forward, will be fundamentally based upon attacks that we have seen the likes of before. And if we manage to protect against the basics, the phishing attacks, the ransomware, not having backups, authentication, if we protect against some of those things, we will be well-positioned to fend off most of the attacks and the typical cyber-criminal, it's not trivial, but the typical cyber-criminal if they're faced with a challenge, if they're faced with a wall which is harder for them to jump over, they will often walk a bit down the street and find a lower wall to get over or someone who's left the door open. And it's a bit like running away from a bear, isn't it? They say, how fast do you have to run away to get away from a bear? You've just got to run a little bit faster than the other guy.
KELLY LAWETZ: Graham, thank you so much for joining us today.
GRAHAM CLULEY: Thank you.
KELLY LAWETZ: That was Graham Cluley, security blogger, public speaker, and host of the podcast Smashing Security.
“We're talking about cybersecurity today and how safe people's passwords are. What is one of your online passwords currently? It is my dog's name and the year I graduated from high school. What kind of dog do you have? A Papillon. And what's its name? Jamison. Jamison. And where did you go to school? I went to school back in Greensburg, Pennsylvania. What school? Hempfield Area Senior High School. When did you graduate? In 2009. Ah great!” - From "What is your password?", Jimmy Kimmel
Interview with Troy Hunt
DAVID CHAUVIN: That rather frightening display of successful street-level social engineering kicks off a series of NDC Oslo conference talks delivered by my guest, Troy Hunt, a cybersecurity expert, a trainer, an evangelist, an avid gardener, but more importantly, the founder and creator of the website "Have I Been Pwned." For any cybersecurity superhero hopefuls out there, Hunt's journey through the world of tech provides a good sense of the depth and background required. I started by asking him to give a little bit of the Troy Hunt origin story.
TROY HUNT: So my background is as a developer. I started playing, I guess like many people, playing around with computers as a kid. Went and did computer science at university. Started computer science at university, realized I don't like university, and left and started working. And so, I started building applications for the web in the mid-90s, went into various sort of roles, “.com” time and through a very large pharmaceutical company called Pfizer, where I stayed for many years and then started moving into an architecture capacity there. Then as I did that, just like the penny was dropping of how atrociously bad developers typically are at security. So, I thought, okay, that's some good content to be written there.
DAVID CHAUVIN: The website for those who are not familiar with the website, you go in, you type your email address, and it will tell you if it's been on a list that's been shared on the Dark Web. A list of email addresses, password combos that have been stolen or harvested. How popular is that website? How many visits do you have in terms of volumes and everything?
TROY HUNT: It obviously fluctuates a little bit, but typically between 100 and 200 thousand people a day come to the service. On a really, really big day, it can be many millions, I think we have peaked at about 10 million in a day.
DAVID CHAUVIN: And outside of your circle of colleagues or techie friends, if you look at people that don't have a background in tech, when you talk about that website, when you talk about what it implicates, what it means, how many people have no idea what you're talking about?
TROY HUNT: It's an interesting question because I think the masses do understand that there is this thing called a data breach because they read the news, you know. They see it on the news the whole time. And the majority of people who test an email address on the service do get a hit as well. So inevitably, they've been in, you know, let's say it's the LinkedIn data breach or the Dropbox data breach or something that does actually span the mainstream public. So, in a way, like that bit is familiar to them, especially when they plug their email address in and they see a service come back in the list of pwned websites which they've used before. I think what's a little bit more confusing to them is how does this happen? Like how did someone get my data? What are they doing with my data? Do I have to change my email address? Now, that's the sort of stuff I get back a lot.
DAVID CHAUVIN: When you testified for Congress a few years ago, you used the analogy of baseball cards trading between various people. Again, how surprised are people when they learn about that being a multibillion-dollar business?
TROY HUNT: I find that fascinating because I think the people involved in it see it as a bit of a victimless crime. You know, they're just holding bits and bytes about people. They don't realize that the spread of this causes real damage, so that is fascinating. Then, of course, there is a commercial market, this data does have a monetary value, and people do pay money for it as well.
DAVID CHAUVIN: So, if we look at the global landscape today versus, you know, let's go back three or five years, if we look at cybersecurity in general, whether it's people's practices online, again, people's knowledge of what's out there and what's available and phishing scams, etc., etc., companies building security within their own infrastructure, within their own websites, within their own products. As an expert, do you feel like we're in a better place today than we were three or five years ago?
TROY HUNT: I don't think we are from a data breach perspective. I always sort of describe it as a perfect storm of factors that are making data breaches worse. Now, this is everything from just the simple mathematics of there being more systems and more people. So yeah, like we've got more stuff that can go wrong than what we had before, and more people it can go wrong for. Then you throw in cloud, and the cloud is fantastic, I love the cloud. But the problem with the cloud is that as much as it lets you do wonderful things very quickly and cheaply, it also lets you screw things up pretty quickly and cheaply. So a huge number of breaches in “Have I Been Pwned” are from things like unsecured MongoDBs or S3 buckets or things like that, which were mistakes that would have been too expensive to make in years gone by.
DAVID CHAUVIN: Do you see that as a huge vulnerability with IoT? I mean, you talk about being able to open your garage door with your watch, get your light bulbs, air conditioner, pet food dispenser, right, all connected. Obviously, the goal of these companies is to create products that appeal to the mass, that appeal to not just the early adopters, right. It's now mainstream products that are IoT. So, they're trying to make these products as easy as possible to connect to everything. But again, those products are owned and put online by people who, for the most part, don't have proper cybersecurity practice, if I can use that term. Do you see that as a huge vulnerability, the fact that so many people are now putting devices online and don't take the proper steps to protect themselves?
TROY HUNT: You know, the education thing is tricky because we've got now lots of billions of people connected to the Internet. And the theory that we can somehow teach them all to use the Internet in a safe and secure way is just, it's a pipe dream. So as much as I want to sort of help educate people, particularly around things like phishing, which is a very human-targeted attack, we've got to do better with the machines as well. We've got to lead people into this pit of success, for a better term, because we just can't rely on humans in any foreseeable time to figure this out and get it right themselves.
DAVID CHAUVIN: Should we do a better job at telling people like unique passwords are the norm and other basic things? Be careful when you connect to public Wi-Fi networks. Is there at least a baseline that we could give to people, or is it just a lost cause? Like there are too many people, too many devices. We just have to limit the damage; we can't really prevent it.
TROY HUNT: This is just the way it works. There is a baseline of activity that is needed just to maintain equilibrium. If we say it's a lost cause and we give up, then things get really messy. And I think the question then is what are the right ways to change behaviors? Recognizing that humans seek out the path of least resistance and concepts such as password managers do impose barriers because it's like, hey, you need to do something different from what you did before. I thought it was really interesting when you said it's such a simple concept not to reuse passwords because you're spot on. It is such a simple concept, but the execution of achieving that is very difficult in an era where we've got dozens, if not hundreds, of accounts. When we started out putting guidance around things like arbitrary complexity rules and password rotations, the world was a simple place. You could get away with having three passwords because you probably only had three accounts. And we certainly weren't as connected as we are now. There weren't as many people online, as many people trying to break into things. But what's happened now is, as the Internet has scaled, our practices really haven't scaled to meet it. So, for something like a password manager, I think one of the best opportunities here is via the enterprise. And I'll say that for a couple of reasons. So one is that a corporate environment has a budget. They have money that they can spend, not just on the password manager itself, but on the training and other things that go along with it. Now, that's in many ways an easier proposition than if I had to say to this neighbor: hey, you should go out and spend a few bucks and get yourself a password manager. Now they don't care about a few bucks, but they've got the barrier to entry, the learning curve; an organization can force that on people. And of course, an organization has got a better sense of ROI too because they know the cost of account takeovers.
Now, the joy of sort of teaching people in this fashion is it's not something that's just in the interest of the organization. The individual now starts to develop a skill. One of the things, one person quite some time ago started saying, look, if you got an enterprise license, we'll give you one for home as well. You know, we'll give you a family account because we believe that the behavior sticks with the person, whether they're in the office or whether they're at home. So, if you can get dad to go home and get Mom on the same family account and the three kids on the family can as well, and everyone's using a password manager, each one of those people is going to take that into their place of work and that positive behavior will extend into there, too. So, I think that's a very practical way of moving in the right direction.
DAVID CHAUVIN: So with all those campaigns, all the data harvesting happening. Do you think or do you feel like the bigger risk is identity theft, trying to get the information of as many people as possible or just kind of broad identity theft? Or do you feel like the trend is more targeting specific individuals or individuals that work for specific companies for the sake of social engineering?
TROY HUNT: Well, it's really a combination of things. I mean, we are seeing masses of credential stuffing attacks. Credential stuffing is not personal, it's like you're just on a list somewhere. Someone's going to take this list of potentially a billion-plus email addresses and passwords and just throw them at the authentication schemes of whatever. Now, that's not at all targeted, that's very spray and pray, large volumes, low value per account. But, you know, you hit enough of them and you've got X number of Spotify users or Netflix users you can sell. There's a business, but of course, we are also seeing very targeted phishing. And we often hear about terms such as, well, phishing where it is very, very specifically targeting individuals. And of course, now there's so much information out there about individuals that you can build up a pretty good sort of open-source intelligence overview of them. And then we've got the situation where you've got all these people trying to work from home as well. So, one would imagine the ability to mount social engineering attacks digitally would be greater than ever before because the CEO is not going to come over and stand at the accountant's desk and say, please transfer this money. It's all going to be done via email, for example, which is much easier to impersonate than having to be there in person.
DAVID CHAUVIN: Have we seen a rise in these types of attacks specifically in the last seven, eight months?
TROY HUNT: Look, anecdotally yes, I'd actually love to see some good figures on this. If anyone has good figures on exactly what's happened with phishing attacks in the Covid era, please let me know. But look, we are seeing a lot of news around this. We are, of course, seeing things like the Covid situation itself being used as part of the phishing attack. Here's an attachment with everyone in the office who's tested positive. And because people are nosy, they're like, I'd like to know that.
DAVID CHAUVIN: The people behind these attacks, is it mostly organized crime specific individuals or is it a state actor level, right? We hear a lot of these in the news, China, Iran, Russia, do you feel like that's still the trend?
TROY HUNT: That's certainly concerning. Of course, we're recording this on the 4th of November for me, the 3rd of November for you, which is bang on election week. There is a lot in the news about Iran and Russia and so on, and then cyber-attacks. Look, it's a little bit like everything else in the news at the moment. It's enormously difficult to know which sources to trust and what to believe in. But it would certainly hold to reason that we would be seeing various sorts of online attacks that are targeted, or rather came from state-based attackers. But by the same token, it's obviously no surprise whatsoever that we still keep seeing a lot of these attacks mounted by much smaller players, much less sophisticated actors going after smaller targets. And I think the reality of it is that it's sort of spanning everything at the moment.
DAVID CHAUVIN: What are the top three things, off the top of your head, that you would tell people? These are the easy things that anyone and everyone can do, even if you're not a techie person. What are the easiest things that someone can do to mitigate those risks that they face on a daily basis?
TROY HUNT: Yeah, well, hey, three no-brainers. So, one is what we touched on already around passwords. Use a digital password manager if you can. If it's too big a leap, just open a notebook, like physically having a notebook and writing down unique passwords is a better step forward. The other bit is maintaining software. So, you hear time and time again, and this sort of features in even a lot of our government guidance to individuals and organizations, keeping things patched. Everything from Windows updates to iOS updates to self-updating software has flaws, and this thing needs to continue to be updated. And then the third thing, and I just like this from a real sort of common sense, practical, easy to do perspective, is to think about how much data you wish to provide other parties. One of the things I often lament is I see all of these data breaches with a date of birth in them and I'm looking at it again, like why do you need a date of birth? This is just a forum somewhere. There is no valid value proposition for date of birth. And it's quite funny actually because I'll tweet this and very often, I get, usually Americans, they say it's because of COPA, the Child Online Protection Act, you've got to be 13 before I can use this service. I'll go back to them and I say, well, why don't you just ask them if they're 13? If they are, then they get in. If they're not, then they don't get in. I kid you not, the response I often get is they say people might lie. Can you not see the irony in that response? So, data minimization on a personal level is very important.
DAVID CHAUVIN: Speaking of the data minimization, GDPR came into effect a little while ago, do you feel like that made a big difference or is making a difference? And do you feel like it's a step in the right direction that other countries or other regions should follow?
TROY HUNT: Look, I think it's a bit of a double-edged sword, and to be clear, I had high hopes for GDPR in terms of, particularly around the penalties. So, I really want organizations who make egregiously bad mistakes, frankly, to feel the sting. I want them to feel the pain so that they don't do this again. Now, the problem that I'm finding with GDPR is that first of all, there's a lot of stuff outside Europe and right now people spitting out their coffee because they're like, yeah, but GDPR extends to everyone no matter where you are. So yeah, that's great in theory. But how do you enforce that in practice? I've seen people within EU member states contacting their local data protection authority and saying, hey, here's for example, this American data aggregator that's lost my data, I'm not happy about this, I want you to do something. I've got multiple replies from regulators saying, look, they're outside our jurisdiction, it's just too hard. Now, I'm sure if it was Facebook or Google or Microsoft and they're literally massive points of presence doing big business within that member state, it would be a different story. But the premise that you can somehow set a law in one country and then extend it to all these other countries in the world in a digital online capacity just doesn't hold water. And that is what I've been saying. So, I think the sentiments are very good. What I really would like to see is a lot more alignment across the world around the protection of personal data, because it's a ridiculous situation that also a mate of mine in the UK can go and use an online service and he gets a whole bunch of protection that I don't. That is just a ludicrous position in a digital online world.
DAVID CHAUVIN: So an alliance that extends to a lot more than just Europe would benefit all the users that go in, right?
TROY HUNT: If we had a reasonable baseline that we could implement across different countries, that would make a really big difference. I think the difficulty with things like privacy regulations and GDPR as well is you've got a couple of dozen member states in the EU that will implement this. Then you've got Australia, for the most part, operates pretty autonomously, as does the US, as do many other parts of the world. But look, I think it's just another piece of evidence of how the technology moves much faster than the legislation. We see this all over the place where we're seeing this come to a head now and things like end-to-end encryption as well. The technology has moved forward at a pace that law enforcement hasn't been able to keep up with. And now we're figuring out how on earth do we handle this sort of privacy by default world we have now?
DAVID CHAUVIN: One of the problems I see is not just that the technology moves way faster than policies or regulations, but the people in charge of the policies and regulations are, for the most part, technologically literate. There's someone with a technology background in front of Congress and that includes you. Some of the questions that are asked, like are serious head-scratchers, are you like how are these senators and congressmen, congresswomen? How are they coming up with these questions? Like, how do they not understand the basics?
TROY HUNT: Yeah, so, I mean, one of the things to remember, and this is something that I realized when I did go under the congressional testimony, is that the congressmen and congresswomen that you're sitting in front of there, they are the face behind which there are many extremely smart people. So, I spent a bunch of time with the people behind the folks who you see on the TV. And they were wonderful and intelligent and fantastic at what they do. They had the most insightful questions and a really deep understanding of the technology. Then they have to bubble up enough that is consumable by people who are not technical, who then sit in Congress. Now, those same people were going from one hearing on data breaches to another hearing on the opioid epidemic to another hearing on the price of avocados or something like that. So, in their defense, they have to be across a huge number of different concepts, and they rely on their staffers to be the deep subject matter experts. So, I'm a little bit sympathetic when you hear a politician make stupid comments and I'll tell you what, you reckon you've got some stupid ones, let me divert just for a second. One of our prime ministers, when he was quizzed by the press on how he's going to ban encryption when there are talks about how we handle A2A encryption. The journalist says, look, encryption is just laws of mathematics, how are you going to ban the laws of mathematics? And our PM literally said that the laws of mathematics are admirable, but the only law that matters in Australia is the law of Australia. Now, having said that, he was one of the smarter ones as well and is well known for being a much more technical sort of guy. But the problem is that we get these little soundbites and then we use that as an indication of the competency of the government as a whole, which is not really accurate.
DAVID CHAUVIN: So you're still hopeful and confident that, between staffers and, I mean, even legislators that are a bit more tech-savvy, you feel like there are enough people that know what's going on to actually push for the right policies and laws that will protect us.
TROY HUNT: I think the way I'd put it, I don't know how we measure whether something is enough or not. But the way I'd put it is that there certainly are a lot of very smart people behind them. And the other thing that I think is very important here is that for us sitting here on the sidelines observing based on what we see in the media, there are so many levels that these people have to play at, which are not immediately obvious to us, particularly when we get into geopolitical stuff and all the rest of it. So, I'm a little bit sympathetic to that. And I genuinely think, for the most part, people in government, whether they're in public office or the folks sitting behind them, are there because they genuinely want to make the world a better place and do the right thing. I don't think that's just rose-colored glasses. And I do lament the fact that there is often a negative view. I think that that is very much determined by the fact that the negative stuff hits the press, the positive stuff doesn't, and it skews our perception.
DAVID CHAUVIN: So to recap: unique passwords. To you, that's the simplest thing that someone can do to at least secure their online identity.
TROY HUNT: Yes, I mean, that's sort of the immediate and present danger and uniqueness in passwords that solves the credential stuffing problem that we're just seeing so rampant at the moment.
DAVID CHAUVIN: Passwords, people, passwords. You've heard it before, and you'll hear it again. Troy, thank you so much for taking the time to talk with us today.
TROY HUNT: No worries. Thanks, David.
DAVID CHAUVIN: That's Troy Hunt, cybersecurity expert and the founder of the website "Have I Been Pwned?" We'll add the link in the show notes. That's it for this week's show. We hope you've enjoyed our cybersecurity series Risky Business. I'm David Chauvin, wishing you a great rest of your week. Thanks for listening to Engage and we can't wait for you to join us next time.
Engage: a Genetec podcast is produced by Bren Tully Walsh; the associate producer is Angele Paquette. Sound design is provided by Vladislav Pronin. Our production coordinator is Andrew Richa. The show's executive producer is Tracy Ades. Engage: a Genetec podcast is a production of Genetec Inc. The views expressed by the guests are not necessarily those of Genetec, its partners, or customers. For more episodes, visit our website at www.genetec.com or on your favorite podcasting app, or ask your smart speaker to play Engage: a Genetec podcast.