
Episode 441: Security With Tim Nash: The Day The Internet Broke



Show Summary

Tim Nash joins Rob Cairns for his monthly segment – Security With Tim Nash.

Show Highlights:

  • What happened with Crowdstrike?
  • It was not Microsoft’s fault.
  • A long discussion about using 2FA.
  • What types of 2FA would you use?
  • Tim’s new workshop.

Show Notes

Hey everybody, Rob Cairns here, and today I’m here for my monthly with security expert Tim Nash. How are you, Tim?

Hello, I’m good. How are you?

I’m doing good. Doing good. It’s been a fun week, as they said in a blog post, in the security world. What they didn’t tell you before we started chatting is my e-mail server, Fastmail, did a migration a couple of weeks ago, and they had a performance problem the next day for about 8 hours where I was getting e-mail 3 hours after it was sent. And then we all know WordPress has been through a couple of updates in the last couple of weeks, 6.6 and 6.6.1. Nothing for security. And then there was last Friday, and I think we’ll start there.

I was going to say there were several updates in 6.6 for security.

Yeah, there were some, but not a lot really. It was more a feature release, right? And then we had the day the Internet broke, or the online world broke, due to a company that, as I said before, nobody had heard of until now, now a household name, called CrowdStrike. What do you make of what happened last Friday?

I mean, picture the marketing team sitting there going, no one knows about this, we need some brand recognition, what can we do to get in front of people? Well, it turns out whoever pushed that release, well, it wasn’t a release, ultimately.

Yeah.

Looking through the technical documentation, this seems as simple as effectively a change to a text document that got pushed up. There wasn’t any code in this, this was just a malformed bit in the text document. And you know, it did everything that CrowdStrike wants people to think about. It got their name out there, which is something that clearly the marketing team were really keen on. And their big sales pitch is that if you go down for even a short period of time, think of all the damage that causes, that’s why you need to have CrowdStrike to protect you from bad actors. Well, they demonstrated that beautifully. I think that indeed, if huge parts of the Internet go down and huge parts of the infrastructure become unavailable, everything...

Forced to ****, yeah, so to speak. And you know, it’s funny. In my previous life I was a support analyst and a sysadmin and all that wonderful stuff. And I was saying, oh, I’m so glad I’m not in healthcare today, because the hospital I used to work for, it’s a CrowdStrike client. So I was kind of smiling and said I’m glad this is not my problem today, and not my phone ringing, and not my issue. But it also shows how interconnected the world is. I mean, we had banks go down, we had flights, we had all kinds of flight issues in the world, right, and we had hospitals and all kinds of insurance companies in a bit of a mess, so to speak, right.

Our payments, in fact, because obviously it went down when, for the folks in the US and Canada, you were fast asleep when it first went down. For us, I’d just dropped the kid off at school, went to the supermarket. The entire payment system was down briefly for our contactless touch system, for our cards, and then the self-service checkouts were all down because of the central processing going through it. It was combined as well with the fact that Azure was having problems, really minor ones in the grand scheme of things. But these two things combined at just the worst time possible, so yeah, certainly in the UK there was a brief period where you couldn’t take payments in most major supermarkets.

That’s a bit of an issue, just as bad as when, in Canada, Rogers Cable lost their Internet network a couple of years ago, and half the payments in the world are either in Canada or go through Rogers, and you know, that’s just that. So it’s been...

Well, one of the TV stations couldn’t broadcast. They got stuck, they were just stuck in a loop, because they were going, well, we can’t fire up the computer to literally change the channel.

What? Yeah.

You and I are both F1 fans and we were talking a little bit of F1. I don’t know if you know this, but during Practice 2, Sky Sports couldn’t access onboard cameras and team radios, and they said it was because of CrowdStrike. So I’m not surprised. I think what I give CrowdStrike...

You know which team, which team is it? That’s actually because CrowdStrike are a sponsor of one of the teams, Mercedes.

Yeah, there’s no question, Mercedes, no question. Yeah, it’s right on the.

Say.

If you watch the onboard cameras, that’s right on the bezel. Right. So yeah.

Do you know the fun thing about those? Even though it looks like it’s on there, it’s not. They’re all digital. They’re all...

It’s virtual.

Added on afterwards.

Yeah, yeah, I did know that. That’s just really interesting. They do virtual ads at certain sporting events in North America, where if you watch the US feed, you’ll see one set of ads on the boards, and if you watch the Canadian feed you’ll see Canadian ads, because they’re all...

Yes. One of the football channels, they actually have the adverts appearing as if they’re on the football pitches. Yeah, and you’re going, but surely that can’t be the case, because the person’s running along and it’s like looking down at the advert. That can’t happen. But yeah, it’s all being added in post.

Yeah.

So you and I have talked in the past about how security is all based on trust, right? To a point. And what I would say is I give CrowdStrike a lot of credit. They came out right away and said we have a problem. They came out within four hours and said we know what the problem is. And then they fixed the problem. So for me, as somebody who dabbles in security and has been a sysadmin, I don’t have much of an issue with how this was handled. Do you?

So I think they were very lucky in some ways, in that initially everybody blamed Microsoft.

Yep. Yep.

And I’ve actually never really in my life felt sorry for Microsoft, but that morning I really did feel sorry for them, because every news headline was Microsoft was having a technical issue. So they got the initial wave, which wasn’t really on them, which gave CrowdStrike a little bit of time to come up with a response.

We need.

I do think that the very initial responses from the CEO in particular, he went out on Twitter and basically did that thing that you should never do, which is not apologize.

Yes.

But he didn’t even try one of those fake apologies. You know, it wasn’t even, we’re sorry that things have cocked up, but we’re not to blame. He just refused to give any sort of apology. Yeah, and that rattled a few people. And also that thing of sending $10.00 gift cards, if that’s possible.

By the way, which they cannot use, because Uber flagged them as stolen, fraudulent cards in their system.

I didn’t know that. Yes, yes. Oh dear, yeah, so.

As reported by TechCrunch yesterday.

Yeah, it does feel a little bit like the marketing and the PR side have reached into the... are currently reaching for a book, trying to learn how to do this, whereas at least on the technical side there is a technical team, and they’re very smart people.

Yes.

Their system is used by an awful lot of places, as we discovered, and they have a lot of money and a lot of technology there and a lot of good people there, and their incident response team worked and sorted it very quickly. So from a technical side, thumbs up. From the PR side, no, I wouldn’t give them too much of a pass, they didn’t do brilliantly. What I did find that they did really well was that post-mortem report. It might have been yesterday or the day before yesterday, but really in depth, really good, really technical in nature, which is what you do if you’ve ever had a vulnerability or issue: overwhelm with technical knowledge afterwards, because that’s the only way you’re going to regain trust, is if people read that and go, oh, well, they know what they’re doing, they know what the problem was, oh good. And that’s really, I think, the only way you can keep trust, is to show all your cards and not try to hold back and try and minimise it, and they didn’t try to minimise it in that report, even if their PR team...

And by the way, just for interest’s sake, as of this morning CrowdStrike themselves are reporting that their customers have seen a new phishing scam that targets German customers. So just for fun, right? It wouldn’t...

Yeah. No, I think, so I publish a newsletter every so often. One of the things I had in the newsletter was, yeah, CrowdStrike’s own documentation saying here we’re seeing an increase in phishing attacks, social engineering. But the really funny part of this is that one of the attacks was people phoning up to help people fix it, but of course the bad actor has to talk them through fixing it first.

Yes.

So they had to fix CrowdStrike to then take it off, to then put their malware on. Which, there was something quite pleasing to me about that, even though obviously, unfortunately, people were falling for it, and that’s the key. And I think there was one story where it was a hospital that fell for it, and you know, that’s not on. You have to be a particular sort of person who thinks, I know what, I’m going to target a hospital, and knows it’s a hospital. That, to me...

And I can tell you, hospital IT staff, having worked in that environment, would have been very stressed with this going on, because everything internally just grinds to a halt when you have to go manual. I can remember days where we’d have an Exchange Server go down, and I was the team leader for one of the biggest hospitals in the call center, and I’d look up at the board that tells you how many waiting calls, how many missed calls, and the missed calls would be in the thousands. It would just go through the roof. It was like, goodbye.

No, one of the pictures that was going around on Twitter was an MRI scanner with a blue screen. And you’re there going, there’s huge parts of me, they’re like, that really cuts through to, yeah, people’s lives were at risk, you know. But secondly, should an MRI scanner really be connected to the Internet such that it could have received an update from CrowdStrike? Yeah, that feels like the sort of thing, and, you know, you’re sitting there going, well, I wonder whatever devices. And then once you go down that route, it becomes too scary and you should stop looking when you just start discovering the pacemakers.

Yeah.

They’re all online and connected via the cell phone network, and encrypted.

It’s a bit of a.

Never.

Yeah, it is. And it’s interesting, because in most hospitals the IT staff doesn’t look after the medical equipment, even though they’re on the network very often. In ours, it used to be a biomedical department. So we never touched medical devices. We just touched all the other stuff. So it’s quite interesting. Also, touching on this week’s news, Meta. They’re back in the news again. They decided to remove 63,000 accounts off Instagram. Did you hear the story on them? Due to...

That, to be fair, that seems like a very small amount...

Yeah, 63,000, due to a Nigerian sextortion scam.

...of accounts in the grand scheme of Instagram.

Hello.

That seems reasonable.

Yep. So they went, they...

I haven’t come across this, but based on the sheer amount of these sorts of scams that go around, this does not surprise me. The only thing that really surprises me is they actually took some action, I think, because it seems like both Meta and X, whatever we’re calling it this week...

Eagle.

Also stand this. And.

Yes. Yeah, it’s at the point, having done a lot of work with Toronto Police in the past and the Greater Toronto Area, they actually have officers whose job is nothing but to comb social media all day to find out what scams are going on, what’s happening, how it’s happening. And honestly, if people want to learn more about these scams, there are enough good podcasts. Wondery does one called Scam Busters. I know AARP in the US, the seniors organization, does one about scams. I would really suggest listeners and viewers go watch some of that stuff and educate themselves, because some of this, it’s not just the romance scams. Some of them are pretty elaborate. One I listened to recently, where they flew the guy they were scamming to Dubai three times to get him to spend more money. That bad.

Oh, plus, I hear a nice trip to Dubai three times, so yeah, not sure how much. I’m imagining that his net worth was a little bit more than mine if they were willing to send...

Yeah.

...him three times.

Or mine. And then in the States, you know, what happened to AT&T recently, they got hit with ransomware, and then AT&T made the right decision to pay 375,000 U.S. dollars...

Can you hear me?

...to get the ransomware removed. Would you have done that?

Well, the really weird thing is that they probably didn’t necessarily have a choice. Most big companies, and I think this is particularly true for U.S. companies, it’s a little less so depending on region, will have insurance, and they have cyber resilience insurance, or there’ll be a variation on the theme of what it’s called, which is effectively ransomware insurance. And so often these sorts of decisions aren’t made necessarily by the company. The company will fully know what would happen next, which is, ransomware is a type of extortion, and what happens is your blackmailer is going to come back and say, oh, thank you for paying us that, now pay us some more, that sort of thing. I reckon that would have been under the underwriting of the insurance company, which just said pay it, the damage is less, just pay it. And so I imagine it was the insurance company’s decision to do that rather than AT&T’s, and again...

And they started off wanting a million U.S. dollars and they negotiated it down. And apparently, from what I’ve read, somebody in the know saw the scammer removing the file, so he doesn’t have them. But here’s the problem. What’s to say they didn’t get it out before AT&T paid the ransom? And this was all client information. It was all calls that were made, it was all text messages that were made, and it impacted every customer in the US.

Yep. And weirdly, when you put it like that, you’re going, oh, it’s almost like you’ve got to sit there and think, well, maybe the ransomware team actually were bluffing. Because wouldn’t you ask for more?

Yes.

That seems like that’s not a lot. I mean, it is a life-changing sum, but it’s not a, right, let’s go. You can probably fly to a country that doesn’t have extradition with the US, but could you live there for life on that? Depending on how young you are, maybe not. So that doesn’t feel like enough to truly risk it. Turns out that actually I would have had higher standards than that, and would be looking for a significantly larger payout, I would have thought. But...

Yeah. My dad was a CFO in the insurance business when he was working, and somebody once said to him, did you ever think about taking money? I mean, he was the ultimate control. And he said, you know what, I’d have to take like $20 million and run away and find a cave for my family, because I’m not doing that, and then go hide and never see anybody again. That’s not much of a life. So you know. It’s just the way.

Yeah. But now I think, yeah, it seems...

Of.

...such a short, small amount. That’s the sort of amount you’d expect for... I’ve seen WordPress websites that have been running and hit with ransomware where they have been asked for more.

Yeah.

And by the way, speaking of WordPress websites, so we came to this. I was perusing LinkedIn about an hour ago, and you posted something interesting this morning. You were talking about a friend’s site that you looked at that had been compromised, right? And he did all the right...

Things.

But then his FTP password was easy to find.

To give him slight credit, he declares, and I can only go with, sure, I believe you, he’s a relatively smart guy, he does claim that it was the client who left that FTP user. That’s one, because when you say it, it’s gonna sound particularly bad on them.

Hold on. Oh, I’m not gonna say who they are.

Go find your... Oh. OK, alright. Well, the FTP user had the name...

You’ll. Phone.

...of test, and it doesn’t take a genius to work out what the password was. Yeah, it was test as well. But he...

Yeah.

He cleaned that site up, I don’t know, he says half a dozen times. I reckon he probably did more. I came along, and this is the sort of thing that, you know, if you do this stuff enough, this is just a check you do. Yeah. But I was in the room with him, so I could see the look on his face when it was like, yeah, this in fact... And he’s just like, I didn’t look there. Why didn’t I look there? And it’s that instant realization that’s so obvious to him after that moment. Well, of course there are other ways for the site to be interacted and engaged with, but he was so sure, because the effects were on the WordPress site, that the back door must be on there. So I thought it made for an interesting cautionary tale for LinkedIn, but actually for me the interesting thing was to sort of see that light bulb moment of, oh, my site, or his client’s site in this particular case, is in a wider context. There’s the old server and all the other bits that he’d sort of...

...forgotten about. And by the way, did he change his cPanel password at the same time? I hope.

Actually it was on... it was Plesk, but yes, I sat there and made them go for it. He also, to be honest, changed hosting because it was just quicker and easier.

I’ve. Yes.

And one of the nice things is he’d actually had enough stuff beaten into him that he could quickly move hosts, because that’s the easiest way. At this stage he’d burnt this website down, so he was rebuilding it each time rather than trying to find the individual hacked files. And so it was just easier to say, actually, rebuild it over here, which completely guaranteed it, because suddenly the other problem with that particular site was there were, I think, eight or nine FTP users that nobody knew who they were, and when he approached the client, the client didn’t know who they were. And I mean, we have this problem with WordPress users, you know, you log on to a site and it’s like, hey, there’s 28 admins.

Yes.

Why are there 28 admins, and who are 25 of these?

So.

I had a site the other day and we logged in and there was like, OK, so WP Engine have a user on here, and Cloudways have a user on here, and SiteGround have a user on here. Which way round are they going? Are they going up or down the ladder? Like three separate hosting companies had a user account on this site, so...

That means it’s probably been on three separate hosts at one time, then.

Yeah, and had problems on all three of...

...them. Oh, great. I had a site I logged into that I...

Oh.

...just took over. 49 admin accounts.

Oh, that might be a record for the numbers I’ve heard of.

So I went in and the first thing I did was made them all editors, and I put my feet up and I sat back and I’m waiting for the screaming to start. We are now two days later and I haven’t heard one peep. Nope.

And this is my number one piece of advice when going into a new site, if you’re taking it over: just downgrade all the accounts to editor, because what’s the worst thing that’s gonna happen? Someone is going to come and ask you to have a conversation about upping their privileges. Brilliant. You can have a conversation that way. I would imagine that if you went and checked how many of those have active sessions, you’d find the answer was 0, and that the last logins are probably a year ago for the vast majority, if not more.

It’s true. So you know, it was just an interesting post, and thanks for putting it out there, because I think a lot of people don’t think to check things like FTP passwords, cPanel passwords, Plesk passwords, hosting passwords. And then my favorite topic, and we’ll kind of leave it at that, is, let’s talk 2FA. I was in a group the other day and I said one of the things I insist on is all my clients have to have 2FA if they turn up, don’t care who they are, and this guy, being a developer, said that’s too hard on the client. I said, but the purpose of security is to be difficult. But it’s always a cross between ease of use and being difficult, let’s be honest, right? It’s like, how hard do we want to make it? And if you are turning on 2FA, what methods would you use or not use?

Hmm, so I’m gonna preface this with, I totally agree, 2FA I think is such a useful thing, and I also think any 2FA is better than none. Because quite often when we hear about 2FA, someone will say, I get an SMS text message, and someone will go, well, no, that can be easily spoofed in this way and this way and this way. It’s like, yes, and particularly again in the US and Canada, where your telecoms networks tend to be incredibly insecure by default.

Thank you. Thank you. And by the way, while we’re talking about your telecom networks being insecure, don’t use voice validation to get into your account. Please and thank you.

I think we’re too far backwards, in that I don’t think there are too many of our systems in the UK that have voice validation style ones. But even in the US or Canada, if I had the choice of SMS or nothing, SMS is, we’ve got an extra factor. The chances are, you know, if I’m being targeted, I’m being targeted, they’re going to get in regardless eventually. So again, e-mail, I don’t mind being sent an e-mail link, if that’s the only option. Now, would I like you to be using a nice shiny U2F key? Sure, a YubiKey or similar. There’s one literally lying here.

There’s one right here too, by the way.

So yeah, that’s what.

Do you have a backup to that YubiKey?

Yes, I do. Not here.

Yeah.

Yeah. So that was the, yeah, if you’ve got hardware, if you’re taking hardware tokens, you need two of them, and every time you’re asked, you put in the key. You need to put in one key and then have a second key, because if you’ve only got one... and I’ve done that, actually, I’ve had this happen to me, in what can only be described as if I was in a film. I dropped my original YubiKey on the floor and drove over it in my car.

Ohh no.

It did not survive. This is a few years back. But so yeah, don’t do that. Have a backup as well. And then at once...

I’m buying.

I’ve had the backup.

Yeah. And by the way.

I also rotate them regularly, so I’ve got one in a nice safe place and one that’s normally either on my keychain or in my wallet, and I take the one that’s in the safe place and swap them over. Yeah, just regularly using both. But if you want to use an authenticator app, Google Authenticator, I wouldn’t recommend using that particular one, because it doesn’t have any real backup systems.

Ah.

They become more complex, they have a tendency to break a little bit more, but they’re still really valid systems. I wouldn’t use Google Authenticator though. That’s the only one I’d say no to, and I’d be really cautious about, let’s say you run Bitwarden or 1Password, and they normally offer you one-time password systems inside them.

You know.

Oh, if you’re using that as your password manager and using it to get your one-time token, is that now multifactor?

No.

So I’d argue, and that’s what I would argue, probably not. There might be scenarios where it could be. But yeah, generally I’d rather people just use it than worry too much about the nuances of, hey, we could have these many hypothetical scenarios. If, however, you are being chased by a state actor, then whatever I’ve said here is hypothetical, please don’t use an SMS system or an e-mail, only use a hardware token, and don’t be online, and all the other things that you really shouldn’t be doing at this stage. So true.

And the other thing I would say is, if you’re using an authenticator app and you choose to go that route, make sure you put it on two devices. Phones break. I know of one case, a colleague of mine who’s a smart guy called me up and he said, well...

I.

And the words that came out of his mouth are unprintable. So his Pixel phone died. He was using Authy, and he didn’t have his authenticator app on another...

Ohh.

Yeah, I have a similar story, where I had a friend who I’d convinced that password managers are the future. They’d moved everything into their password manager, they had set it up, and then, I do not quite understand the chain of events, but they were basically using a service, I won’t name which service it was, and the service suspended their account.

Oh.

Ohh.

Now they were using that service for passwords and one-time password codes. OK, we can recover these, reset passwords, right? One-time passwords, where are the recovery keys? Stored in the password manager. That is an example of putting all your eggs in one basket.

Which is not a good way to protect you.

Yeah. No, they ended up having to recreate huge parts of their digital footprint.

Oh no.

And it wasn’t even a case of, oh, well, just pay them. There was a long, complicated chain of reasons why they couldn’t gain access to this account again.

And the other thing worth mentioning, while you talk about digital footprint, is: do you have a backup if something happens to you? So what happens when you become incapacitated tonight? What happens if you end up in a life-threatening situation, or worse, die? How do you deal with that? And that’s an issue in itself.

It is, and I can talk a little bit about how I manage it, which is...

I’ve got here.

There are notes that certain people know where they are, and those will allow them, with two people, two people will be able to recreate enough to get to a password vault that has got enough passwords to get into some very basic things. Mainly for banking, I’ll be honest. Because as somebody who has gone through the process of probate and having to deal with that sort of thing, just being able to be told, oh, actually these are the bank accounts and the bank numbers, that sort of really basic information. A lot of my personal stuff, photos and documents, are on a machine here and there is a remote backup, and they could gain access to those. But what they couldn’t gain access to, for example, is my e-mail, because I don’t think that’s necessarily the right thing for them to have access to. They can actually get access to a couple of the social media accounts; people like Meta allow you to assign somebody to basically have access to say that you died, on your account. I’ve forgotten quite the term they use, you know, when they memorialize the accounts.

Thank you.

And so there is a mechanism in place for that. But a lot of my digital presence they wouldn’t be able to get into, and it would just fade away. But then, to be fair, a lot of my digital presence has faded away anyway.

I’ve gone the opposite route. I have three trusted people in my life, not one is a family member, I will say, who know, if something happens, where everything is. There’s actually an envelope in a safe, buried under a pile of stuff, that says in emergency open this. In that envelope is a backup YubiKey. I wonder what’s on it. You can figure that out. And everything they need to get anywhere they need to get to in an emergency. And...

One of the nice things about YubiKeys over plain U2F devices is that you can actually also store an actual SSH key, for example, on there, which is very handy, so that if you did need to give somebody access, you can give them access via that token without necessarily even... they’d have to Google some technical knowledge, but ultimately they’d just have to push the button at the right point in the SSH handshake. It’s a hard thing, though, especially if we, as technologists, are not just thinking about ourselves. Quite like you, you might be thinking of your own infrastructure, you might be your family’s. Photos might be on there.

Ohh yeah.

You might manage their lives, their computer. A really good example is you might have the admin password to their computer.

Me.

And all of a sudden they haven’t got that person to come and help them do X or Y. And so all these things need to be sort of thought through. And I don’t think...

Think.

...many people really think about it, and perhaps we should. There isn’t really a good way. I think everybody has to find their own path.

I think, because of myself, we’ve had that discussion. My mom turns 80 in November, and I’ve sat her down and said, we need to make sure that, I don’t care if you give me access, but give somebody access to the digital world, because if something happens... And I think you need to kind of have those conversations. I mean, people don’t want to have these tough conversations. I think you need to. I really do.

See, my parents would have been much simpler. I’d have just gone and got their password book out of the drawer. Just opened that up.

You’re fine.

The world has moved on a little bit since then, but.

There’s the password book, say, with passwords on the outside too.

Yeah. No, to be honest, the password book, I’m not necessarily, I don’t mind password books like that, not least because if you’d opened this thing up, it had like 15 to 20 years of their digital world since, like, the early 90s. It had the first computer’s password and that sort of thing. And it’s scribbled out, various bits and initials all over it. If you could truly decipher it, you probably deserved whatever was in it. And I’ll be honest, your average thief, if they’re breaking into a house...

Answer.

They’re going for the TV. They might go for the computer. Are they going to pick up that little black book that’s just sitting to one side?

Now.

Well, it’s very different having that in your home to having a post-it note on your machine in the middle of your workplace with your password on it. That is a no and definitely shouldn’t be, whereas the password book is...

Yes.

Of.

Less.

Safe.

...than an online password service, when you start thinking about the threat. Yes, someone physically there doesn’t need another factor to open it and look through it, but they do have to be physically in place.

Yep.

Someone takes out a password service, yeah, they have access to everything.

My mom actually has a file on her PC. The only compromise I could make is I made her password-protect the file, called codes. Same problem, you know. It’s like, why? Well, I can’t remember these.

OK.

And I guess if you’ve got a file on the computer, I feel that you could probably stretch them too. OK, now this file is just in this application. You know, you replace codes, and basically when they double-click on codes it just opens up a password manager.

Yeah, that’s like.

That’s what I feel, that’s a fair step. But you know, you leave it in the same spot, you still call it the same thing, and it just opens up a password manager.

Yeah, that’s funny. Hey, Tim, thanks for the conversation. As always, it’s always appreciated. You have another workshop coming up. Tell us about it.

I do, and funnily enough, it’s all about users, which is obviously something we’ve been talking about this evening. Yeah, so I’m running a workshop on the 29th. Basically it is going through WordPress user management, so we’ll be looking at how to audit your users, going through and downgrading all those admin accounts, but also looking at roles and capabilities, checking to see if somebody has capabilities they shouldn’t based on their role. We’re going to look at password encryption. We’re gonna be looking at session management, all sorts of other little bits and pieces, also doing a huge amount of debunking of stuff, and hopefully it should have something for everyone. I’m really excited about it, because this is the workshop that people have requested, which I was really pleased about, because I’ve wanted to do it for ages. This is the workshop I wanted. This is the workshop I think I wanted to give to pretty much every one of my clients, and sort of have done, drip-feeding. And it’s the same workshop I’ve wanted to give to developers, because everybody can learn the same things. And even if the stuff I’m telling them is not new, it’ll be presented in a way that’s like ramming it down your throat, basically, so you will implement it. So anybody who comes on the course, I’m pretty much guaranteed that they’ll learn something, and if they don’t learn something, they’ll have been given enough of a kick up the backside to implement it, and I’m sure they won’t have implemented everything they should have done. And actually I’m hoping that you leave thinking that the friction of security in users isn’t as harsh as you think it is, and that we can simplify and we can make that friction relatively painless, even with two-factor authentication. So yeah, if people are interested, my website is timnash.co.uk/workshop, and yeah, tickets are on sale now. Early bird finishes on the 7th of August.

That’s awesome, and I would encourage you to go watch the workshop and get to know Tim and his knowledge, because of what we’re seeing. So, if somebody else wants to talk to you, what’s the best way?

You can grab me either on LinkedIn or via my website, or if you fancy old-fashioned e-mail, hello@timnash.co.uk.

And Tim also has a newsletter on his website which you should check out just for random discussion, right?

Thank you very much. Yeah, timnash.co.uk/newsletter comes out once a month-ish. I try to do it at least once a month, and I always get feedback, which I think is a positive...

...thing. Yeah. Thanks, Tim. Have yourself a good day, my friend. Have a good weekend.
