1 00:00:00,439 --> 00:00:05,630 In the aftermath, when everything had started to recover and people had more or 2 00:00:05,630 --> 00:00:10,919 less tidied up and the stock markets had started to recover from the trillions of dollars wiped 3 00:00:10,919 --> 00:00:13,169 off them, 4 00:00:13,169 --> 00:00:18,370 Google's network engineers said that there were only five people in the world who are able 5 00:00:18,370 --> 00:00:21,850 to approve changes to their most critical code. 6 00:00:21,850 --> 00:00:24,930 And each one of those five was entirely trusted. 7 00:00:24,930 --> 00:00:31,930 July 4th. In Western Europe, it is Friday afternoon, and office workers are looking 8 00:00:32,549 --> 00:00:36,829 at their clocks and trying to work out if it's okay to leave work early. 9 00:00:36,829 --> 00:00:42,989 In America, they are gearing up for a three-day Independence Day weekend. 10 00:00:42,989 --> 00:00:49,219 Over at Google's headquarters in Mountain View, most of the building is deserted; on-call 11 00:00:49,219 --> 00:00:53,339 engineers are either at home, their phones ready to buzz if anything goes wrong, or they're 12 00:00:53,339 --> 00:00:57,679 pulling late-night shifts in datacentres located around the world. 13 00:00:57,679 --> 00:01:01,499 There is one well-lit office, though, hidden away in a quiet corner of the building. In 14 00:01:01,499 --> 00:01:07,760 it is Maria Christensen, one of Google's most senior engineers and one of the Trusted Five. 15 00:01:07,760 --> 00:01:13,510 She is, against all corporate procedure, rolling out a change to Google's core infrastructure 16 00:01:13,510 --> 00:01:15,780 code. 17 00:01:15,780 --> 00:01:21,750 She's changed only one section: and it's the very first part of the login code for Google 18 00:01:21,750 --> 00:01:26,130 Apps. 
This should be an incredibly complicated function that spins off more functions to 19 00:01:26,130 --> 00:01:32,320 deal with checking passwords, two-factor authentication, third-party password checks, suspicious activity, 20 00:01:32,320 --> 00:01:37,890 hackers, phreakers, fraudsters, and all manner of disaster prevention. 21 00:01:37,890 --> 00:01:44,890 She's changed just one line of code, she's put it at the top, and it says... 22 00:01:45,120 --> 00:01:46,670 Return true. 23 00:01:46,670 --> 00:01:51,560 She bypasses all the red flags from the software that say this won't work, this is dangerous, 24 00:01:51,560 --> 00:01:57,590 this is broken, and instead she marks it for immediate rollout and commits it. 25 00:01:57,590 --> 00:02:03,170 So Google's systems promptly roll it out across their datacentres. From coast to coast in 26 00:02:03,170 --> 00:02:07,570 North America; over to Dublin and over to Europe; to the Far East and down to South 27 00:02:07,570 --> 00:02:12,040 America. It takes about three minutes. And what it means is this: 28 00:02:12,040 --> 00:02:19,040 No matter what you enter as a Google password, it will be treated as correct. There are no 29 00:02:19,670 --> 00:02:25,560 password checks any more. If you type in the username, you will get in. 30 00:02:25,560 --> 00:02:29,730 And if this seems implausible, if this seems like something that wouldn't happen, remember 31 00:02:29,730 --> 00:02:35,910 Dropbox, the file hosting service used by 175 million people including, I'm fairly sure, 32 00:02:35,910 --> 00:02:38,450 pretty much everyone in this room. 33 00:02:38,450 --> 00:02:44,930 In 2011, they had exactly that security bug for three hours. Now fortunately, the person 34 00:02:44,930 --> 00:02:49,220 who discovered it -- who wasn't a Dropbox employee -- disclosed it responsibly to them 35 00:02:49,220 --> 00:02:51,550 instead of telling the world, so the damage was limited. 
36 00:02:51,550 --> 00:02:57,650 Maria has no intention of responsibly disclosing anything. Most of the engineers that would 37 00:02:57,650 --> 00:03:02,680 get notified of a code change like that aren't on call. And those that are have somewhere 38 00:03:02,680 --> 00:03:07,520 between about one and three minutes before Maria gets around to logging into their now 39 00:03:07,520 --> 00:03:12,020 open Google accounts -- never mind the email notification, they've got about three minutes 40 00:03:12,020 --> 00:03:17,099 to read it, understand it, and grasp exactly what the change means before Maria logs in 41 00:03:17,099 --> 00:03:20,730 and remotely wipes their Android phone by reporting it as stolen. 42 00:03:20,730 --> 00:03:25,540 None of the engineers work it out in time. The rest of Google's Trusted Five are still 43 00:03:25,540 --> 00:03:30,459 asleep as their phones quietly erase themselves. 44 00:03:30,459 --> 00:03:35,540 So then Maria emails her manifesto to dozens of news sites, posts messages on a few high-traffic 45 00:03:35,540 --> 00:03:39,920 tech forums, then logs out -- which is ironic, given that logging out doesn't actually mean 46 00:03:39,920 --> 00:03:43,380 anything any more -- gets into her car, and goes to catch a flight. 47 00:03:43,380 --> 00:03:50,380 As soon as the first journalist tests it successfully, the news goes ballistic. The first place to 48 00:03:50,840 --> 00:03:57,370 break it, of all the web, was oddly the Drudge Report: and they said later that it was because 49 00:03:57,370 --> 00:04:01,840 they didn't use Gmail themselves, and didn't really get it, and just went with the story 50 00:04:01,840 --> 00:04:03,780 rather than immediately going to protect themselves. 51 00:04:03,780 --> 00:04:08,030 'Cos that's what most people did. In the hours that followed, people tended to fall into 52 00:04:08,030 --> 00:04:08,739 one of three groups: 53 00:04:08,739 --> 00:04:14,470 First of all, the defenders. 
Desperately trying to lock down their accounts, desperately trying 54 00:04:14,470 --> 00:04:18,839 to delete anything that might be incriminating, and to stop all their other accounts getting 55 00:04:18,839 --> 00:04:19,329 compromised. 56 00:04:19,329 --> 00:04:25,720 Because, remember, if you have access to someone's email address, then you have access to every 57 00:04:25,720 --> 00:04:30,570 web service they use -- because they can request a password reset sent straight to your inbox. 58 00:04:30,570 --> 00:04:36,080 How good you were at being a defender generally depended on how good you were at getting all 59 00:04:36,080 --> 00:04:41,250 your other accounts moved away from that compromised address. 60 00:04:41,250 --> 00:04:44,620 Of course, even the folks who were initially smug that they didn't use Gmail realised that 61 00:04:44,620 --> 00:04:49,730 other people they emailed did. 62 00:04:49,730 --> 00:04:54,980 Facebook was the first big web service to react, quickly enough that most commentators 63 00:04:54,980 --> 00:05:01,020 suggested they actually had a plan in place for this years before. Within a few minutes 64 00:05:01,020 --> 00:05:06,470 of the story breaking, Facebook turned off not just password resets but the ability to 65 00:05:06,470 --> 00:05:10,830 log in at all, on the assumption that most people would have their accounts compromised, 66 00:05:10,830 --> 00:05:16,430 so they just turned it off. And since nearly everyone was already logged in on their phone 67 00:05:16,430 --> 00:05:22,490 and their computer, Facebook rapidly became *the* trusted method of contacting anyone 68 00:05:22,490 --> 00:05:26,600 -- and that was a new level of trust that stuck around afterwards as folks looked warily 69 00:05:26,600 --> 00:05:28,150 at email. 70 00:05:28,150 --> 00:05:32,639 Then there were the amateur detectives. Those that suspected that their partner was cheating 71 00:05:32,639 --> 00:05:35,889 on them. 
Those that were desperate to find out what their colleagues were earning, or 72 00:05:35,889 --> 00:05:39,300 what their boss really thought of them. It wasn't restricted to email, of course; because 73 00:05:39,300 --> 00:05:45,430 if you have access to someone's Google account, in most cases you have access to their full 74 00:05:45,430 --> 00:05:51,419 search history and all the web sites they've clicked on. For years, and years, and years. 75 00:05:51,419 --> 00:05:56,639 Have you turned it off? Most people in this room haven't. It was described by one writer 76 00:05:56,639 --> 00:06:01,180 as "like looking into my wife's soul". And the divorce rate had a notable uptick a few 77 00:06:01,180 --> 00:06:02,479 months later. 78 00:06:02,479 --> 00:06:07,330 Meanwhile, companies using Gmail, or companies working with companies that used Gmail, just 79 00:06:07,330 --> 00:06:12,509 had to assume that all their trade secrets had been stolen: in the years to come, patent 80 00:06:12,509 --> 00:06:17,110 and trademark lawyers would make an enormous amount of money as allegations flew back and 81 00:06:17,110 --> 00:06:20,240 forth between corporations. 82 00:06:20,240 --> 00:06:24,840 Now the European stock markets, the only ones open on July 4th at that time, went into freefall 83 00:06:24,840 --> 00:06:29,100 almost immediately; the Asian and American ones would do the same when they opened the 84 00:06:29,100 --> 00:06:30,270 next Monday. 85 00:06:30,270 --> 00:06:36,500 But the most obvious group, if not the largest, were the burners. Everyone who had any sort 86 00:06:36,500 --> 00:06:43,500 of prominent online presence got their account destroyed, utterly destroyed, within ten minutes. 87 00:06:44,020 --> 00:06:48,449 Any YouTube channel with any sort of audience found all its work deleted and vandalised, 88 00:06:48,449 --> 00:06:54,090 even worse than the new comment system that YouTube had brought in. 
Some burners attacked 89 00:06:54,090 --> 00:06:59,490 individual people thoroughly, hoping to wipe everything as part of a vendetta; but others... 90 00:06:59,490 --> 00:07:02,840 others just tried to destroy as much data as they could from as many people as they 91 00:07:02,840 --> 00:07:04,169 could as quickly as possible. 92 00:07:04,169 --> 00:07:10,580 Google, of course, had backups. They did roll everything back -- but a lot of third-party 93 00:07:10,580 --> 00:07:17,380 sites, vulnerable through password resets, weren't anywhere near so lucky. 94 00:07:17,380 --> 00:07:18,229 (LAUGHTER) 95 00:07:18,229 --> 00:07:24,310 Every blog with more than a few readers got crude messages added to it, or code that redirected 96 00:07:24,310 --> 00:07:31,259 to shock sites, or just torn apart and destroyed. A huge number had no usable backups. This 97 00:07:31,259 --> 00:07:36,300 was the final death knell for most third-party web message boards, the old ones which had 98 00:07:36,300 --> 00:07:41,570 been falling out of use for years and years. As soon as one administrator account fell, 99 00:07:41,570 --> 00:07:46,300 the whole site was quickly destroyed. And not many of those ever recovered because not 100 00:07:46,300 --> 00:07:47,770 many of them had backups. 101 00:07:47,770 --> 00:07:52,770 Some things did work in favour of the "good guys". First of all, the enormous rush of 102 00:07:52,770 --> 00:07:58,419 traffic -- of people trying to fix and break things meant that even Google couldn't quite 103 00:07:58,419 --> 00:08:03,000 cope with the load: a lot of folks were frustrated by slow loading times and falling servers. 104 00:08:03,000 --> 00:08:07,680 But thirty minutes in, at least some of Google's network engineers had worked out what was 105 00:08:07,680 --> 00:08:13,460 going on and pulled the plug -- in one case physically, literally pulling the plug from data 106 00:08:13,460 --> 00:08:19,430 centres and uncontrollably shutting down everything they could. 
Someone finally managed to get 107 00:08:19,430 --> 00:08:23,660 an actual shutdown command into the systems that Maria had compromised about two hours 108 00:08:23,660 --> 00:08:28,520 afterwards, and three minutes later, Google fell off the internet for the first time in 109 00:08:28,520 --> 00:08:32,700 a very, very long while. 110 00:08:32,700 --> 00:08:37,820 In amongst this two hours of mess, this pandemonium, were the people that Maria Christensen was 111 00:08:37,820 --> 00:08:42,620 actually trying to reach. She was hoping to be the next Chelsea Manning, the next Julian 112 00:08:42,620 --> 00:08:46,730 Assange, the next Edward Snowden. More than that: she was hoping to create a hundred, 113 00:08:46,730 --> 00:08:52,570 a thousand, a million people taking that whistleblower role, using the brief hours of "freedom" she'd 114 00:08:52,570 --> 00:08:56,700 created to change the world for the better. That was her manifesto: 115 00:08:56,700 --> 00:09:02,000 Go out. Find the things that need to be leaked, go through the files of the corporations and 116 00:09:02,000 --> 00:09:06,529 governments that are destroying our world, and show them the light of day. 117 00:09:06,529 --> 00:09:12,459 Her view was woefully optimistic. And yes, some people did. There were thousands of leaks, 118 00:09:12,459 --> 00:09:17,860 some of international importance: a few people remembered the Obama transition team, after 119 00:09:17,860 --> 00:09:23,560 the 2008 election, used Gmail until they could get their official whitehouse.gov email addresses 120 00:09:23,560 --> 00:09:30,560 set up. 
And there were stories of billionaire fashion CEOs putting stories about sweatshops 121 00:09:31,529 --> 00:09:37,000 and burying them; stories of mining companies exploiting workers and exposing them to incredible 122 00:09:37,000 --> 00:09:42,459 danger; tale after tale after tale of people putting aside human concerns and -- this phrase 123 00:09:42,459 --> 00:09:46,360 got used a lot -- acting in the best interests of shareholders. 124 00:09:46,360 --> 00:09:49,430 But none of those stories made the news. 125 00:09:49,430 --> 00:09:54,050 Because what Maria Christensen hadn't done was manage the story. Wikileaks and its allies 126 00:09:54,050 --> 00:09:59,550 always had: they'd drip-fed the stories over months into a 24-hour news cycle that always 127 00:09:59,550 --> 00:10:03,180 wanted more, more, more, but instead... 128 00:10:03,180 --> 00:10:06,560 In this case, though, the story was about the process, not about the information. The 129 00:10:06,560 --> 00:10:11,300 angle that all the news took was that email was suddenly insecure, that you were at risk, 130 00:10:11,300 --> 00:10:14,440 that you should defend against it and this is how you do it, that web sites are being 131 00:10:14,440 --> 00:10:19,560 damaged, and that this is how you protect yourself, and watch us because we will help 132 00:10:19,560 --> 00:10:20,000 you. 133 00:10:20,000 --> 00:10:24,220 So there were no stunning revelations plastered on the front pages. There should have been, 134 00:10:24,220 --> 00:10:30,490 given an infinite number of front pages, but there were, simply, too many stories, and 135 00:10:30,490 --> 00:10:34,360 all of them were much less interesting to the public than the question of whether your 136 00:10:34,360 --> 00:10:38,290 partner has seen your browser history. 137 00:10:38,290 --> 00:10:44,610 And of course, for most people, there was no long-term damage, at least not to them 138 00:10:44,610 --> 00:10:48,680 personally. 
Statistically speaking, you'd get away with it. And sure, everyone knew 139 00:10:48,680 --> 00:10:53,740 someone who'd been affected, everyone knew someone who'd got in trouble, but chances 140 00:10:53,740 --> 00:10:59,130 are that you, yourself, had gotten away with it. And while a lot of high-profile companies 141 00:10:59,130 --> 00:11:04,700 suffered slightly, there were no world-changing moments. If dumping untold gallons of oil 142 00:11:04,700 --> 00:11:10,930 into the Gulf couldn't kill BP: what could? So most small businesses survived unscathed 143 00:11:10,930 --> 00:11:17,370 and the economy recovered, slowly, having been damaged no more than by any natural disaster. 144 00:11:17,370 --> 00:11:23,610 And Gmail, a year later, had just as many active users as before. Because, after all, 145 00:11:23,610 --> 00:11:27,870 what were the odds of that ever happening again? And it's not like the government couldn't 146 00:11:27,870 --> 00:11:32,670 read all your messages anyway. And no-one really got hurt in the long run, and maybe 147 00:11:32,670 --> 00:11:37,890 it was for the best that me and her broke up, y'know? It all works out in the end. And 148 00:11:37,890 --> 00:11:41,459 besides, it would be a real pain to try to switch my email account somewhere else. I'd 149 00:11:41,459 --> 00:11:47,070 have to change my email address! 150 00:11:47,070 --> 00:11:52,100 It's amazing how much we trust to single points of failure. And while this is a worst-case 151 00:11:52,100 --> 00:11:58,440 scenario -- very much so -- everyone here will have that one lynchpin on which everything, 152 00:11:58,440 --> 00:12:04,440 at least in your online life, hangs. That backup you haven't taken for a while. The 153 00:12:04,440 --> 00:12:09,079 email account that you forgot had access to everything. Or that password that your ex 154 00:12:09,079 --> 00:12:09,899 still knows. 
155 00:12:09,899 --> 00:12:16,149 But my point is this: even in the face of seeming disaster, when the world is falling 156 00:12:16,149 --> 00:12:23,149 around you, you remember that eventually, this too shall pass. Because it takes more 157 00:12:26,940 --> 00:12:30,260 than just one single point of failure to change the world. 158 00:12:30,260 --> 00:12:36,300 Oh, and as for Maria Christensen? She got arrested at the airport, after her flight 159 00:12:36,300 --> 00:12:39,079 was delayed... because the airline ran on Google Apps. 160 00:12:39,079 --> 00:12:43,079 Thank you very much, I've been Tom Scott, enjoy the rest of the show.