In the aftermath, when everything had
started to recover and people had more or
less tidied up and the stock markets had started
to recover from the trillions of dollars wiped
off them,
Google's network engineers said that there were
only five people in the world who are able
to approve changes to their most critical
code.
And each one of those five was entirely trusted.
July 4th. In Western Europe, it is Friday
afternoon, and office workers are looking
at their clocks and trying to work out if
it's okay to leave work early.
In America, they are gearing up for a three-day
Independence Day weekend.
Over at Google's headquarters in Mountain
View, most of the building is deserted; on-call
engineers are either at home, their phones
ready to buzz if anything goes wrong, or they're
pulling late-night shifts in datacentres located
around the world.
There is one well-lit office, though, hidden
away in a quiet corner of the building. In
it is Maria Christensen, one of Google's most
senior engineers and one of the Trusted Five.
She is, against all corporate procedure, rolling
out a change to Google's core infrastructure
code.
She's changed only one section: and it's the
very first part of the login code for Google
Apps. This should be an incredibly complicated
function that spins off more functions to
deal with checking passwords, two-factor authentication,
third-party password checks, suspicious activity,
hackers, phreakers, fraudsters, and all manner
of disaster prevention.
She's changed just one line of code, she's
put it at the top, and it says...
Return true.
She bypasses all the red flags from the software
that say this won't work, this is dangerous,
this is broken, and instead she marks it for
immediate rollout and commits it.
So Google's systems promptly roll it out across
their datacentres. From coast to coast in
North America; over to Dublin and over to
Europe; to the Far East and down to South
America. It takes about three minutes. And
what it means is this:
No matter what you enter as a Google password,
it will be treated as correct. There are no
password checks any more. If you type in the
username, you will get in.
And if this seems implausible, if this seems
like something that wouldn't happen, remember
Dropbox, the file hosting service used by
175 million people including, I'm fairly sure,
pretty much everyone in this room.
In 2011, they had exactly that security bug
for three hours. Now fortunately, the person
who discovered it -- who wasn't a Dropbox
employee -- disclosed it responsibly to them
instead of telling the world, so the damage
was limited.
Maria has no intention of responsibly disclosing
anything. Most of the engineers that would
get notified of a code change like that aren't
on call. And those that are have somewhere
between about one and three minutes before
Maria gets around to logging into their now
open Google accounts -- never mind the email
notification, they've got about three minutes
to read it, understand it, and grasp exactly
what the change means before Maria logs in
and remotely wipes their Android phone by
reporting it as stolen.
None of the engineers work it out in time.
The rest of Google's Trusted Five are still
asleep as their phones quietly erase themselves.
So then Maria emails her manifesto to dozens
of news sites, posts messages on a few high-traffic
tech forums, then logs out -- which is ironic,
given that logging out doesn't actually mean
anything any more -- gets into her car, and
goes to catch a flight.
As soon as the first journalist tests it successfully,
the news goes ballistic. The first place to
break it, of all the web, was oddly the Drudge
Report: and they said later that it was because
they didn't use Gmail themselves, and didn't
really get it, and just went with the story
rather than immediately going to protect themselves.
'Cos that's what most people did. In the hours
that followed, people tended to fall into
one of three groups:
First of all, the defenders. Desperately trying
to lock down their accounts, desperately trying
to delete anything that might be incriminating,
and to stop all their other accounts getting
compromised.
Because, remember, if you have access to someone's
email address, then you have access to every
web service they use -- because they can request
a password reset sent straight to your inbox.
How good you were at being a defender generally
depended on how good you were at getting all
your other accounts moved away from that compromised
address.
Of course, even the folks who were initially
smug that they didn't use Gmail realised that
other people they emailed did.
Facebook was the first big web service to
react, quickly enough that most commentators
suggested they actually had a plan in place
for this years before. Within a few minutes
of the story breaking, Facebook turned off
not just password resets but the ability to
log in at all, on the assumption that most
people would have their accounts compromised,
so they just turned it off. And since nearly
everyone was already logged in on their phone
and their computer, Facebook rapidly became
*the* trusted method of contacting anyone
-- and that was a new level of trust that
stuck around afterwards as folks looked warily
at email.
Then there were the amateur detectives. Those
that suspected that their partner was cheating
on them. Those that were desperate to find
out what their colleagues were earning, or
what their boss really thought of them. It
wasn't restricted to email, of course; because
if you have access to someone's Google account,
in most cases you have access to their full
search history and all the web sites they've
clicked on. For years, and years, and years.
Have you turned it off? Most people in this
room haven't. It was described by one writer
as "like looking into my wife's soul". And
the divorce rate had a notable uptick a few
months later.
Meanwhile, companies using Gmail, or companies
working with companies that used Gmail, just
had to assume that all their trade secrets
had been stolen: in the years to come, patent
and trademark lawyers would make an enormous
amount of money as allegations flew back and
forth between corporations.
Now the European stock markets, the only ones
open on July 4th at that time, went into freefall
almost immediately; the Asian and American
ones would do the same when they opened the
next Monday.
But the most obvious group, if not the largest,
were the burners. Everyone who had any sort
of prominent online presence got their account
destroyed, utterly destroyed, within ten minutes.
Any YouTube channel with any sort of audience
found all its work deleted and vandalised,
even worse than the new comment system that
YouTube had brought in. Some burners attacked
individual people thoroughly, hoping to wipe
everything as part of a vendetta; but others...
others just tried to destroy as much data
as they could from as many people as they
could as quickly as possible.
Google, of course, had backups. They did roll
everything back -- but a lot of third-party
sites, vulnerable through password resets,
weren't anywhere near so lucky.
(LAUGHTER)
Every blog with more than a few readers got
crude messages added to it, or code that redirected
to shock sites, or just torn apart and destroyed.
A huge number had no usable backups. This
was the final death knell for most third-party
web message boards, the old ones which had
been falling out of use for years and years.
As soon as one administrator account fell,
the whole site was quickly destroyed. And
not many of those ever recovered because not
many of them had backups.
Some things did work in favour of the "good
guys". First of all, the enormous rush of
traffic -- of people trying to fix and break
things -- meant that even Google couldn't quite
cope with the load: a lot of folks were frustrated
by slow loading times and falling servers.
But thirty minutes in, at least some of Google's
network engineers had worked out what was
going on and pulled the plug -- in one case
physically, literally pulling plugs from data
centres and uncontrollably shutting down everything
they could. Someone finally managed to get
an actual shutdown command into the systems
that Maria had compromised about two hours
afterwards, and three minutes later, Google
fell off the internet for the first time in
a very, very long while.
In amongst this two hours of mess, this pandemonium,
were the people that Maria Christensen was
actually trying to reach. She was hoping to
be the next Chelsea Manning, the next Julian
Assange, the next Edward Snowden. More than
that: she was hoping to create a hundred,
a thousand, a million people taking that whistleblower
role, using the brief hours of "freedom" she'd
created to change the world for the better.
That was her manifesto:
Go out. Find the things that need to be leaked,
go through the files of the corporations and
governments that are destroying our world,
and show them the light of day.
Her view was woefully optimistic. And yes,
some people did. There were thousands of leaks,
some of international importance: a few people
remembered the Obama transition team, after
the 2008 election, used Gmail until they could
get their official whitehouse.gov email addresses
set up. And there were stories of billionaire
fashion CEOs putting stories about sweatshops
and burying them; stories of mining companies
exploiting workers and exposing them to incredible
danger; tale after tale after tale of people
putting aside human concerns and -- this phrase
got used a lot -- acting in the best interests
of shareholders.
But none of those stories made the news.
Because what Maria Christensen hadn't done
was manage the story. Wikileaks and its allies
always had: they'd drip-fed the stories over
months into a 24-hour news cycle that always
wanted more, more, more, but instead...
In this case, though, the story was about
the process, not about the information. The
angle that all the news took was that email
was suddenly insecure, that you were at risk,
that you should defend against it and this
is how you do it, that web sites are being
damaged, and that this is how you protect
yourself, and watch us because we will help
you.
So there were no stunning revelations plastered
on the front pages. There should have been,
given an infinite number of front pages, but
there were, simply, too many stories, and
all of them were much less interesting to
the public than the question of whether your
partner has seen your browser history.
And of course, for most people, there was
no long-term damage, at least not to them
personally. Statistically speaking, you'd
get away with it. And sure, everyone knew
someone who'd been affected, everyone knew
someone who'd got in trouble, but chances
are that you, yourself, had gotten away with
it. And while a lot of high-profile companies
suffered slightly, there were no world-changing
moments. If dumping untold gallons of oil
into the Gulf couldn't kill BP: what could?
So most small businesses survived unscathed
and the economy recovered, slowly, having
been damaged no more than by any natural disaster.
And Gmail, a year later, had just as many
active users as before. Because, after all,
what were the odds of that ever happening
again? And it's not like the government couldn't
read all your messages anyway. And no-one
really got hurt in the long run, and maybe
it was for the best that me and her broke
up, y'know? It all works out in the end. And
besides, it would be a real pain to try to
switch my email account somewhere else. I'd
have to change my email address!
It's amazing how much we trust to single points
of failure. And while this is a worst-case
scenario -- very much so -- everyone here
will have that one lynchpin on which everything,
at least in your online life, hangs. That
backup you haven't taken for a while. The
email account that you forgot had access to
everything. Or that password that your ex
still knows.
But my point is this: even in the face of
seeming disaster, when the world is falling
around you, you remember that eventually,
this too shall pass. Because it takes more
than just one single point of failure to change
the world.
Oh, and as for Maria Christensen? She got
arrested at the airport, after her flight
was delayed... because the airline ran on
Google Apps.
Thank you very much, I've been Tom Scott,
enjoy the rest of the show.