Archive 8 min read

Toxicity & Security's Responsibility

Security is there to ensure that the systems you build work only as intended. Part of that is realizing the potential for abuse and ensuring that the system and users can continue to work safely...there's a LOT of work to do.

Toxicity & Security's Responsibility

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Good morning, everybody. How you doing today? Welcome to episode 90 of Mornings with Mark. Um Crazy. Thank you for um participating. Thank you for following along for 90 episodes of this today. A difficult one.

Um And I say that because a couple of things crossed my mind um this week as you can tell by um for those of you watching the vlog um by the poor lighting because it's pre dawn and the background.

I'm in a hotel room in San Francisco. I'm still out here for serverless comp. Um Pre conference activities have been kicking off the last couple of days and really start some great discussions and I'm on stage early this morning um talking about security.

Um So that was in my mind as I'm prepping for that talk as I'm adjusting. Um That talk is about um security culture. Uh And how um a lot of the stuff is going to collide in the serverless community, um traditional security culture and the serverless of ethos um really conflict and there's some interesting things there that I've been diving into over the last few months.

Um Actually, the last jeez two years already. Um uh research wise. Also, I read a very interesting article um online this morning um about uh toxicity sort of in, in social networks. Um And I got a really interesting extortion email last night.

Um Those three things kind of rolled together and started to brew in my mind. Um The challenge around security. Um And what security's role is now, any of you who have heard me speak publicly, you'll know that I have a different definition of cybersecurity.

Um The common held one tends to be something along the lines of stopping bad guys protecting systems from hackers, this kind of stuff, great activity, definitely part of security. I don't think it's its entirety.

If you ask somebody within cybersecurity, you're gonna get something along protecting the confidentiality, integrity and availability of data, which is the technical definition for me. It's really simple. I like the definition for cybersecurity that it's to make sure whatever you've built works as intended and only as intended.

Nice and simple. So if you're building a system to process lunch orders, that's all it should do. It shouldn't do dinner and breakfast, it should just do lunch orders. Um because if somebody's using it to order breakfast or to try to um you know, do something else, then that's running against what you intended.

So stopping hackers preventing data breaches, all that stuff's included. Um So very clear definition, but the flip side um is that that, you know, changes the culture. And that's part of what I'm going to be talking about today.

And I'm actually going to share my screen and I will show you. So this is the main slide, uh the intro slide from my talk today. Um You know, calling BS on security a cultural challenge.

And that's what started getting me down this path is thought process because obviously I was prepping for this talk. I like to be well prepared before I go on stage. Um But then I got an email.

Um And here's the text of that email. Um Now I passed this along to my team, not uh in any requirement to do anything but just wondering how many people will fall for this.

And we think it's actually a significant amount. So basically what it is, um, you know, I'm gonna read this email out for you folks uh on the podcast. Um It says I will come directly to the point I know and they had my actual uh an old throwaway pass here.

Um This is your password more to the point. I'm aware of your secret and I have proof of this. You don't know me personally and no one employed me to examine you. It's just your bad luck that I stumbled across your bad deeds.

Actually, I set up a malware on the adult videos, parentheses, porno. Um that and you visited the site to have fun parentheses. You know what I mean? While you were busy watching videos.

Your web browser began operating as an RDP A remote desktop, having a keylogger which provided me accessibility to your screen and also your webcam. Immediately after that, my software gathered all of your contacts from your messenger FB as well as mailbox.

Next I gave uh in more time than I should have digging into your life and created a two screen video. The first part shows you the recording uh you had been viewing and the other part shows the capture from your cam parentheses.

It's you doing nasty things. Now, the email continues to go on and says, uh essentially this isn't personal. Um You need to pay me 2600 as a confidentiality fee. Um If you ignore this, I'm gonna send out that two screen video to everybody, you know.

Um If you pay me, I'll erase everything right away. Um Hey, you might be thinking call the cops, don't? I planted a tracking pixel in this email. I'll know if you do anything.

Um You know, and then it goes on to, to go about um about payments. Um It's a nonnegotiable offer. Don't waste my personal time or yours. This kind of thing. Of course, this is all BS.

What happened is uh some enterprising cyber criminal has gotten their hands on a data breach that was either in the clear or they reversed the password hashing and they have a set of emails and a password.

So what they do is they write this up, they send it to the email with the subject line of the password they found in the data dump and they try to run this scam. There's no tracking pixel in the email.

I looked at all the source and they send it from Hotmail. Um They created this email in a word doc which on some level is a security professional sort of offends me. Um And they're trying to run the scam to get you to pay and now nobody's paid to the wallet that I was sent.

Um But I'm sure other people have paid because if you don't know any better, this is scary. Um If you had been watching adult videos, nothing wrong with that. But maybe you um you know, feel that you're vulnerable to this and maybe you pay so this criminal, it takes them no effort whatsoever to write a script that sends this email to everybody in the data dump, uh a very low cost crime for them.

Um And it comes off, it's another example of sort of toxicity in the system. Now, email has been around for 40 plus years. Um There's not much we can do about this, but I also stumbled across this fantastic article um from everywhere.

Um So Geraldine is the Everywhere at Everywhere on Twitter. Um everywhere.com online. Um and she posted an article called what happened when I tried talking to Twitter abusers. She posted this yesterday. Um And it's gut wrenching.

It's an absolutely gut wrenching article she goes through and explains that, um, she replied to people who were being, um offensive, who were being misogynistic, who were being aggressive and um near violent on Twitter.

Um And, you know, ask them flat out questions, like, would you say this to somebody in person? Um What did you mean by that? Uh what is your desired outcome from this type of thing?

And of course, the results are somewhat um expected. Uh people who are participating in this sort of toxic environment um are not um willing to engage in a productive discussion. So this is a great article, I'll tweet this out um shortly.

Um For those of you who are watching uh the, the vlog here, obviously, you can see the URL for those of you um on the podcast weist.com. Um It's a great, great piece.

Now, why I started thinking about this was because security has a role here if you go back to my definition, um make sure that systems work as intended and only as intended. Now, you're not going to be able to stop toxicity in tools that connect people.

It's just not gonna happen. I've talked about this ad nauseam on um with media um in relation to Facebook in relation to Twitter in relation to various scams on youtube, things like that.

Security requires people, it requires process and it requires products. Now, the products help enforce the process which helps amplify uh the people. Um And all three need to, to work together. Now, like I said, you're not going to stop toxicity on social networks, you're not going to stop toxicity on something like email.

If you connect um a billion plus people on a platform like Facebook, a good percentage of those are going to be good people. Um A unfortunately, you know, larger than we would like, percentage are gonna be assholes.

That's just the way it is and there's an entire spectrum of people within that billion. Um The challenge is creating a system that helps respond when things get out of um out of whack.

Um And one of the things that's really frustrating in the everywhere article and in other reports of abuse isn't the fact that the abuse happens, that's a people problem and we're not going to solve people with technology.

It's the lack of response from the platform when it's reported when it's very, when it's authentic. Um And I think that's a security failure. I think security has a big role to play in something like that where you need to build a system, if you're building a system to let people communicate or to let people do anything.

Um And there's the potential for abuse. So if there's humans, there's the potential for abuse, um you need to be able to create mechanisms that help get that back under control. Um And that's not censoring content necessarily, that's making sure that there's a process that's quick and efficient in place for that um bad content to be reported and for action to be taken when an incident occurs.

So it's setting up guardrails, it's setting up um additional work there. And I think from security perspective, um we in the community like to result back to resort back to technical solutions. Hey, we'll implement machine learning automatically, get all this stuff not gonna happen.

It's just not possible. Um With the technology we have at hand today. Um So there's a, there's a role there, it needs to be part of discussion. It goes to um episode 80 nine's topic on discussion at scale.

When anytime people are engaged, there's negativity there. Now, I know this has gone longer than usual and I appreciate your patience. Um Lots to think about here. Absolutely, lots to think about, lots to discuss, hopefully positively and constructively.

Let me know, what do you think um at marknca online um in the comments down below for the vlog um As always by email, especially for podcast listeners. me@markn.ca important critical topic.

What do you think? What are your experiences? What's your perspective? Have you thought of security in that aspect before? Um Let me know. I hope you are set up for a fantastic day.

I will be live tweeting a lot from serverless comp. Um I am speaking this morning, um, on security and security culture. Uh I hope you have a fantastic day. I will see you online and have that discussion with you and I will, uh, hopefully see you on the show tomorrow.

Take care.

Read next