0:00:00.439,0:00:05.630 In the aftermath, when everything had started to recover and people had more or
0:00:05.630,0:00:10.919 less tidied up and the stock markets had started to recover from the trillions of dollars wiped
0:00:10.919,0:00:13.169 off them,
0:00:13.169,0:00:18.370 Google's network engineers said that there were only five people in the world who are able
0:00:18.370,0:00:21.850 to approve changes to their most critical code.
0:00:21.850,0:00:24.930 And each one of those five was entirely trusted.
0:00:24.930,0:00:31.930 July 4th. In Western Europe, it is Friday afternoon, and office workers are looking
0:00:32.549,0:00:36.829 at their clocks and trying to work out if it's okay to leave work early.
0:00:36.829,0:00:42.989 In America, they are gearing up for a three-day Independence Day weekend.
0:00:42.989,0:00:49.219 Over at Google's headquarters in Mountain View, most of the building is deserted; on-call
0:00:49.219,0:00:53.339 engineers are either at home, their phones ready to buzz if anything goes wrong, or they're
0:00:53.339,0:00:57.679 pulling late-night shifts in datacentres located around the world.
0:00:57.679,0:01:01.499 There is one well-lit office, though, hidden away in a quiet corner of the building. In
0:01:01.499,0:01:07.760 it is Maria Christensen, one of Google's most senior engineers and one of the Trusted Five.
0:01:07.760,0:01:13.510 She is, against all corporate procedure, rolling out a change to Google's core infrastructure
0:01:13.510,0:01:15.780 code.
0:01:15.780,0:01:21.750 She's changed only one section: and it's the very first part of the login code for Google
0:01:21.750,0:01:26.130 Apps.
This should be an incredibly complicated function that spins off more functions to
0:01:26.130,0:01:32.320 deal with checking passwords, two-factor authentication, third-party password checks, suspicious activity,
0:01:32.320,0:01:37.890 hackers, phreakers, fraudsters, and all manner of disaster prevention.
0:01:37.890,0:01:44.890 She's changed just one line of code, she's put it at the top, and it says...
0:01:45.120,0:01:46.670 Return true.
0:01:46.670,0:01:51.560 She bypasses all the red flags from the software that say this won't work, this is dangerous,
0:01:51.560,0:01:57.590 this is broken, and instead she marks it for immediate rollout and commits it.
0:01:57.590,0:02:03.170 So Google's systems promptly roll it out across their datacentres. From coast to coast in
0:02:03.170,0:02:07.570 North America; over to Dublin and over to Europe; to the Far East and down to South
0:02:07.570,0:02:12.040 America. It takes about three minutes. And what it means is this:
0:02:12.040,0:02:19.040 No matter what you enter as a Google password, it will be treated as correct. There are no
0:02:19.670,0:02:25.560 password checks any more. If you type in the username, you will get in.
0:02:25.560,0:02:29.730 And if this seems implausible, if this seems like something that wouldn't happen, remember
0:02:29.730,0:02:35.910 Dropbox, the file hosting service used by 175 million people including, I'm fairly sure,
0:02:35.910,0:02:38.450 pretty much everyone in this room.
0:02:38.450,0:02:44.930 In 2011, they had exactly that security bug for three hours. Now fortunately, the person
0:02:44.930,0:02:49.220 who discovered it -- who wasn't a Dropbox employee -- disclosed it responsibly to them
0:02:49.220,0:02:51.550 instead of telling the world, so the damage was limited.
0:02:51.550,0:02:57.650 Maria has no intention of responsibly disclosing anything.
Most of the engineers that would
0:02:57.650,0:03:02.680 get notified of a code change like that aren't on call. And those that are have somewhere
0:03:02.680,0:03:07.520 between about one and three minutes before Maria gets around to logging into their now
0:03:07.520,0:03:12.020 open Google accounts -- never mind the email notification, they've got about three minutes
0:03:12.020,0:03:17.099 to read it, understand it, and grasp exactly what the change means before Maria logs in
0:03:17.099,0:03:20.730 and remotely wipes their Android phone by reporting it as stolen.
0:03:20.730,0:03:25.540 None of the engineers work it out in time. The rest of Google's Trusted Five are still
0:03:25.540,0:03:30.459 asleep as their phones quietly erase themselves.
0:03:30.459,0:03:35.540 So then Maria emails her manifesto to dozens of news sites, posts messages on a few high-traffic
0:03:35.540,0:03:39.920 tech forums, then logs out -- which is ironic, given that logging out doesn't actually mean
0:03:39.920,0:03:43.380 anything any more -- gets into her car, and goes to catch a flight.
0:03:43.380,0:03:50.380 As soon as the first journalist tests it successfully, the news goes ballistic. The first place to
0:03:50.840,0:03:57.370 break it of all the web, was oddly the Drudge Report: and they said later that it was because
0:03:57.370,0:04:01.840 they didn't use Gmail themselves, and didn't really get it, and just went with the story
0:04:01.840,0:04:03.780 rather than immediately going to protect themselves.
0:04:03.780,0:04:08.030 'Cos that's what most people did. In the hours that followed, people tended to fall into
0:04:08.030,0:04:08.739 one of three groups:
0:04:08.739,0:04:14.470 First of all, the defenders. Desperately trying to lock down their accounts, desperately trying
0:04:14.470,0:04:18.839 to delete anything that might be incriminating, and to stop all their other accounts getting
0:04:18.839,0:04:19.329 compromised.
0:04:19.329,0:04:25.720 Because, remember, if you have access to someone's email address, then you have access to every
0:04:25.720,0:04:30.570 web service they use -- because they can request a password reset sent straight to your inbox.
0:04:30.570,0:04:36.080 How good you were at being a defender generally depended on how good you were at getting all
0:04:36.080,0:04:41.250 your other accounts moved away from that compromised address.
0:04:41.250,0:04:44.620 Of course, even the folks who were initially smug that they didn't use Gmail realised that
0:04:44.620,0:04:49.730 other people they emailed did.
0:04:49.730,0:04:54.980 Facebook was the first big web service to react, quickly enough that most commentators
0:04:54.980,0:05:01.020 suggested they actually had a plan in place for this years before. Within a few minutes
0:05:01.020,0:05:06.470 of the story breaking, Facebook turned off not just password resets but the ability to
0:05:06.470,0:05:10.830 log in at all, on the assumption that most people would have their accounts compromised,
0:05:10.830,0:05:16.430 so they just turned it off. And since nearly everyone was already logged in on their phone
0:05:16.430,0:05:22.490 and their computer, Facebook rapidly became *the* trusted method to contacting anyone
0:05:22.490,0:05:26.600 -- and that was a new level of trust that stuck around afterwards as folks looked warily
0:05:26.600,0:05:28.150 at email.
0:05:28.150,0:05:32.639 Then there were the amateur detectives. Those that suspected that their partner was cheating
0:05:32.639,0:05:35.889 on them. Those that were desperate to find out what their colleagues were earning, or
0:05:35.889,0:05:39.300 what their boss really thought of them.
It wasn't restricted to email, of course; because
0:05:39.300,0:05:45.430 if you have access to someone's Google account, in most cases you have access to their full
0:05:45.430,0:05:51.419 search history and all the web sites they've clicked on. For years, and years, and years.
0:05:51.419,0:05:56.639 Have you turned it off? Most people in this room haven't. It was described by one writer
0:05:56.639,0:06:01.180 as "like looking into my wife's soul". And the divorce rate had a notable uptick a few
0:06:01.180,0:06:02.479 months later.
0:06:02.479,0:06:07.330 Meanwhile, companies using Gmail, or companies working with companies that used Gmail, just
0:06:07.330,0:06:12.509 had to assume that all their trade secrets had been stolen: in the years to come, patent
0:06:12.509,0:06:17.110 and trademark lawyers would make an enormous amount of money as allegations flew back and
0:06:17.110,0:06:20.240 forth between corporations.
0:06:20.240,0:06:24.840 Now the European stock markets, the only ones open on July 4th at that time, went into freefall
0:06:24.840,0:06:29.100 almost immediately; the Asian and American ones would do the same when they opened the
0:06:29.100,0:06:30.270 next Monday.
0:06:30.270,0:06:36.500 But the most obvious group, if not the largest, were the burners. Everyone who had any sort
0:06:36.500,0:06:43.500 of prominent online presence got their account destroyed, utterly destroyed, within ten minutes.
0:06:44.020,0:06:48.449 Any YouTube channel with any sort of audience found all its work deleted and vandalised,
0:06:48.449,0:06:54.090 even worse than the new comment system that YouTube had brought in. Some burners attacked
0:06:54.090,0:06:59.490 individual people thoroughly, hoping to wipe everything as part of a vendetta; but others...
0:06:59.490,0:07:02.840 others just tried to destroy as much data as they could from as many people as they
0:07:02.840,0:07:04.169 could as quickly as possible.
0:07:04.169,0:07:10.580 Google, of course, had backups. They did roll everything back -- but a lot of third-party
0:07:10.580,0:07:17.380 sites, vulnerable through password resets, weren't anywhere near so lucky.
0:07:17.380,0:07:18.229 (LAUGHTER)
0:07:18.229,0:07:24.310 Every blog with more than a few readers got crude messages added to it, or code that redirected
0:07:24.310,0:07:31.259 to shock sites, or just torn apart and destroyed. A huge number had no usable backups. This
0:07:31.259,0:07:36.300 was the final death knell for most third-party web message boards, the old ones which had
0:07:36.300,0:07:41.570 been falling out of use for years and years. As soon as one administrator account fell,
0:07:41.570,0:07:46.300 the whole site was quickly destroyed. And not many of those ever recovered because not
0:07:46.300,0:07:47.770 many of them had backups.
0:07:47.770,0:07:52.770 Some things did work in favour of the "good guys". First of all, the enormous rush of
0:07:52.770,0:07:58.419 traffic -- of people trying to fix and break things meant that even Google couldn't quite
0:07:58.419,0:08:03.000 cope with the load: a lot of folks were frustrated by slow loading times and falling servers.
0:08:03.000,0:08:07.680 But thirty minutes in, at least some of Google's network engineers had worked out what was
0:08:07.680,0:08:13.460 going on and pulled the plug -- in one case physically, literally pulling plug from data
0:08:13.460,0:08:19.430 centres and uncontrollably shutting down everything they could. Someone finally managed to get
0:08:19.430,0:08:23.660 an actual shutdown command into the systems that Maria had compromised about two hours
0:08:23.660,0:08:28.520 afterwards, and three minutes later, Google fell off the internet for the first time in
0:08:28.520,0:08:32.700 a very, very long while.
0:08:32.700,0:08:37.820 In amongst this two hours of mess, this pandemonium, were the people that Maria Christensen was
0:08:37.820,0:08:42.620 actually trying to reach. She was hoping to be the next Chelsea Manning, the next Julian
0:08:42.620,0:08:46.730 Assange, the next Edward Snowden. More than that: she was hoping to create a hundred,
0:08:46.730,0:08:52.570 a thousand, a million people taking that whistleblower role, using the brief hours of "freedom" she'd
0:08:52.570,0:08:56.700 created to change the world for the better. That was her manifesto:
0:08:56.700,0:09:02.000 Go out. Find the things that need to be leaked, go through the files of the corporations and
0:09:02.000,0:09:06.529 governments that are destroying our world, and show them the light of day.
0:09:06.529,0:09:12.459 Her view was woefully optimistic. And yes, some people did. There were thousands of leaks,
0:09:12.459,0:09:17.860 some of international importance: a few people remembered the Obama transition team, after
0:09:17.860,0:09:23.560 the 2008 election, used Gmail until they could get their official whitehouse.gov email addresses
0:09:23.560,0:09:30.560 set up. And there were stories of billionaire fashion CEOs putting stories about sweatshops
0:09:31.529,0:09:37.000 and burying them; stories of mining companies exploiting workers and exposing them to incredible
0:09:37.000,0:09:42.459 danger; tale after tale after tale of people putting aside human concerns and -- this phrase
0:09:42.459,0:09:46.360 got used a lot -- acting in the best interests of shareholders.
0:09:46.360,0:09:49.430 But none of those stories made the news.
0:09:49.430,0:09:54.050 Because what Maria Christensen hadn't done was manage the story. Wikileaks and its allies
0:09:54.050,0:09:59.550 always had: they'd drip-fed the stories over months into a 24-hour news cycle that always
0:09:59.550,0:10:03.180 wanted more, more, more, but instead...
0:10:03.180,0:10:06.560 In this case, though, the story was about the process, not about the information. The
0:10:06.560,0:10:11.300 angle that all the news took was that email was suddenly insecure, that you were at risk,
0:10:11.300,0:10:14.440 that you should defend against it and this is how you do it, that web sites are being
0:10:14.440,0:10:19.560 damaged, and that this is how you protect yourself, and watch us because we will help
0:10:19.560,0:10:20.000 you.
0:10:20.000,0:10:24.220 So there were no stunning revelations plastered on the front pages. There should have been,
0:10:24.220,0:10:30.490 given an infinite number of front pages, but there were, simply, too many stories, and
0:10:30.490,0:10:34.360 all of them were much less interesting to the public than the question of whether your
0:10:34.360,0:10:38.290 partner has seen your browser history.
0:10:38.290,0:10:44.610 And of course, for most people, there was no long-term damage, at least not to them
0:10:44.610,0:10:48.680 personally. Statistically speaking, you'd get away with it. And sure, everyone knew
0:10:48.680,0:10:53.740 someone who'd been affected, everyone knew someone who'd got in trouble, but chances
0:10:53.740,0:10:59.130 are that you, yourself, had gotten away with it. And while a lot of high-profile companies
0:10:59.130,0:11:04.700 suffered slightly, there were no world-changing moments. If dumping untold gallons of oil
0:11:04.700,0:11:10.930 into the Gulf couldn't kill BP: what could? So most small businesses survived unscathed
0:11:10.930,0:11:17.370 and the economy recovered, slowly, having been damaged no more than by any natural disaster.
0:11:17.370,0:11:23.610 And Gmail, a year later, had just as many active users as before. Because, after all,
0:11:23.610,0:11:27.870 what were the odds of that ever happening again? And it's not like the government couldn't
0:11:27.870,0:11:32.670 read all your messages anyway.
And no-one really got hurt in the long run, and maybe
0:11:32.670,0:11:37.890 it was for the best that me and her broke up, y'know? It all works out in the end. And
0:11:37.890,0:11:41.459 besides, it would be a real pain to try to switch my email account somewhere else. I'd
0:11:41.459,0:11:47.070 have to change my email address!
0:11:47.070,0:11:52.100 It's amazing how much we trust to single points of failure. And while this is a worst-case
0:11:52.100,0:11:58.440 scenario -- very much so -- everyone here will have that one lynchpin on which everything,
0:11:58.440,0:12:04.440 at least in your online life, hangs. That backup you haven't taken for a while. The
0:12:04.440,0:12:09.079 email account that you forgot had access to everything. Or that password that your ex
0:12:09.079,0:12:09.899 still knows.
0:12:09.899,0:12:16.149 But my point is this: even in the face of seeming disaster, when the world is falling
0:12:16.149,0:12:23.149 around you, you remember that eventually, this too shall pass. Because it takes more
0:12:26.940,0:12:30.260 than just one single point of failure to change the world.
0:12:30.260,0:12:36.300 Oh, and as for Maria Christensen? She got arrested at the airport, after her flight
0:12:36.300,0:12:39.079 was delayed... because the airline ran on Google Apps.
0:12:39.079,0:12:43.079 Thank you very much, I've been Tom Scott, enjoy the rest of the show.