Data hackers are like toilet ninjas. This is not a clean crime, you know
Think of the ones you leave behind
Something for the Weekend, Sir? This place is a mess. No, worse than that: it's a disaster area.
I hesitate to use the analogy "it looks like a bomb hit it" in this lively era of mischievous politics and religious fascism. Besides, it's not an appropriate description of the sight before my eyes. No, not bombs. Wild horses, perhaps. Possibly a tornado. Or most likely of all, one really determined dickhead.
I am witnessing the aftermath left behind by a previous visitor to the shared office kitchenette facilities.
When I arrived this morning, everything was pretty much as the cleaners had left it last night: mugs and glasses sparkling in the cupboard, steel sink and chrome taps twinkling with glinty health, Formica surfaces wiped and reflective. At 11:00am, I return for a hot water top-up only to discover a scene of utter bedlam.
About 100 mugs – stained on the outside as well as inside and mostly still half full of miserable brown liquid – are piled up around the work surfaces and in the sink. Pools of milk have been liberally poured around the kitchen, including on top of the microwave and dribbling down the sides of the green metal fire extinguisher. Something orange has been proficiently exploded inside the microwave, entirely obscuring the little window; even with the door closed, it smells of fish.
Mostly dry and unused teabags are littered everywhere in an arrangement which, while not unartistic, suggests no obvious purpose, including in the sink and even a couple inside the fridge. Twisted shreds of dry kitchen paper are heaped on the floor around the waste bin, and a couple more are deftly balanced on top around its edge; the bin itself is empty. As I walk with trepidation towards the kettle, granulated sugar crunches unpleasantly under foot.
The fact that I am a temporary contract visitor to client premises does not hide the fact that I am sharing this kitchenette with a mere dozen employees. It is impossible, as I crunch back out of the disaster zone, not to gaze across the few rows of desks and play a mental game of Find The Dickhead.
Golly, it makes me so cross. Grr. See? If you are feeling sympathetic anger, feel free to manage it with the help of a little light music as you read on.
Then it hits me: how the heck did they create such wild disorder without being seen or heard in the act? Slip in, cause utter mayhem, slip out quietly. That's actually quite a skill. Even hackers don't escape unnoticed... or do they?
At the time, I was trying to detail the circumstances around the appearance of Collection #1, last week's massive data breach in which 773 million email users exposed themselves on a hacking site. As its name suggests, it's not a new security break-in but a big bunch of previously stolen lists gathered into one place for unrestricted use by the cyberspacernet's official Naughty Community.
If you haven't been following this story because it's about data security and therefore the dullest thing in human existence, here's the tl;dr. Go to Have I Been Pwned and type in your email addresses to see which of them are in the collection.
Reg readers almost certainly won't need to panic when they inevitably see at least one of their addresses returned with "Oh no – pwned!" You will already have changed your ID credentials long ago. Most of this stuff comes from classic ID list hacks over the last eight years, including famous ones such as Adobe's amateurish 2013 loss of 153 million poorly encrypted passwords, Dropbox's 2012 breach of tens of millions of IDs, and LinkedIn's loss of 164 million addresses and passwords which were apparently nabbed in 2012 but not exploited until 2016 and of course yet again last week.
For me, the amusing detail was in the work of now-celebrity security researcher, 1Password evangelist and founder of the Have I Been Pwned site Troy Hunt in condensing duplicates. From a total data dump of 2.6 billion email addresses, he brought this down to 772,904,991 unique ones. OK, that's not exactly hilarious until Troy Hunt notes that these correspond with just 21,222,975 unique passwords.
Er... 21 million passwords for 773 million email addresses? Strictly speaking (if statistically idiotic, I realise) this could mean on average that your unique password is being shared by 35 other people. More likely, your devilishly cunning password is probably shared only by a handful of people who bothered to use uppercase, lowercase, numbers and special characters while also having coincidentally named their pet identically to yours. The other 772.9 million email addresses are all using the same password as each other.
In theory again, if there are on average 36 email addresses for every unique password in the exposed IDs, this suggests to me that hackers could find it 36 times easier to guess your password than guess your email address. Yes yes, I know, but even if you factor in the usual uppercase, lowercase, numbers and special characters, I reckon it works out even in the end.
And even so, a common theme across a lot of the lists in Collection #1 is not how bad our passwords are, but how ineffectively and incompetently big companies bother to secure them. If I choose to use the password passw0rd for a dozen logins, that's a risk I take upon myself. But if my crap password turns up unsalted alongside my email address on a hacking site, that's down to the original list manager failing to protect it, plunging me into a world of shit as a result of their cavalier attitude to data security, not mine.
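To make the two points above concrete, here is an added Python example (not code from the column or from Have I Been Pwned): it de-duplicates a constructed email:password dump the way the Collection #1 counts were derived, then shows why an unsalted hash list leaks every account sharing a password while per-user salted hashing does not. All sample addresses and passwords are made up.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed email:password "combo list" sample (not data from Collection #1).
SAMPLE_DUMP = """\
alice@example.com:passw0rd
bob@example.com:passw0rd
carol@example.com:passw0rd
dave@example.com:Fluffy2012!
alice@example.com:passw0rd
"""

def parse_dump(text):
    """Return the de-duplicated (email, password) pairs found in a dump."""
    pairs = set()
    for line in text.splitlines():
        if ":" in line:
            email, password = line.strip().split(":", 1)
            pairs.add((email.lower(), password))
    return sorted(pairs)

def dump_stats(pairs):
    """Unique emails, unique passwords and the most-shared password."""
    shared = Counter(p for _, p in pairs)
    return {"unique_emails": len({e for e, _ in pairs}),
            "unique_passwords": len(shared),
            "most_shared": shared.most_common(1)[0]}

def unsalted_hash(password):
    """Plain SHA-1: a typical weak storage scheme behind the leaked lists."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(salted_hash(password, salt), stored)

def distinct_digests(pairs, hasher):
    # Unsalted: equals the unique-password count, so cracking one digest
    # exposes every account that reused it. Salted: one digest per account.
    return len({hasher(p) for _, p in pairs})
```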
Talking of a world of shit, I have just visited the Gentlemen's toilet facilities at my aforementioned client's offices.
Oh. My. God.
Since my initial visit upon arriving at work, it appears that the office toilets have played venue to a mass brawl between an American football team (both offence and defence), a monastery of whirling dervishes, a band of anarchistic freerunners and a drug-crazed troupe of uncharacteristically violent Morris dancers. While shitting.
I stagger back into the open-plan office in horror, gasping for breath, as someone somewhere leans onto the keys of a church organ. Gaping at my dozen temporary colleagues in horror, I am filled with marvel and revulsion in equal measure at such stealth. Which of you filthy bastards...? And how...? When...?
Grr. See? I'm getting angry again. Put the music back on and we'll get through this.