WEBVTT

00:00:00.439 --> 00:00:05.630
In the aftermath, when everything had started to recover and people had more or

00:00:05.630 --> 00:00:10.919
less tidied up and the stock markets had started to recover from the trillions of dollars wiped

00:00:10.919 --> 00:00:13.169
off them,

00:00:13.169 --> 00:00:18.370
Google's network engineers said that there were only five people in the world who are able

00:00:18.370 --> 00:00:21.850
to approve changes to their most critical code.

00:00:21.850 --> 00:00:24.930
And each one of those five was entirely trusted.

00:00:24.930 --> 00:00:31.930
July 4th. In Western Europe, it is Friday afternoon, and office workers are looking

00:00:32.549 --> 00:00:36.829
at their clocks and trying to work out if it's okay to leave work early.

00:00:36.829 --> 00:00:42.989
In America, they are gearing up for a three-day Independence Day weekend.

00:00:42.989 --> 00:00:49.219
Over at Google's headquarters in Mountain View, most of the building is deserted; on-call

00:00:49.219 --> 00:00:53.339
engineers are either at home, their phones ready to buzz if anything goes wrong, or they're

00:00:53.339 --> 00:00:57.679
pulling late-night shifts in datacentres located around the world.

00:00:57.679 --> 00:01:01.499
There is one well-lit office, though, hidden away in a quiet corner of the building. In

00:01:01.499 --> 00:01:07.760
it is Maria Christensen, one of Google's most senior engineers and one of the Trusted Five.

00:01:07.760 --> 00:01:13.510
She is, against all corporate procedure, rolling out a change to Google's core infrastructure

00:01:13.510 --> 00:01:15.780
code.

00:01:15.780 --> 00:01:21.750
She's changed only one section: and it's the very first part of the login code for Google

00:01:21.750 --> 00:01:26.130
Apps.
This should be an incredibly complicated function that spins off more functions to

00:01:26.130 --> 00:01:32.320
deal with checking passwords, two-factor authentication, third-party password checks, suspicious activity,

00:01:32.320 --> 00:01:37.890
hackers, phreakers, fraudsters, and all manner of disaster prevention.

00:01:37.890 --> 00:01:44.890
She's changed just one line of code, she's put it at the top, and it says...

00:01:45.120 --> 00:01:46.670
Return true.

00:01:46.670 --> 00:01:51.560
She bypasses all the red flags from the software that say this won't work, this is dangerous,

00:01:51.560 --> 00:01:57.590
this is broken, and instead she marks it for immediate rollout and commits it.

00:01:57.590 --> 00:02:03.170
So Google's systems promptly roll it out across their datacentres. From coast to coast in

00:02:03.170 --> 00:02:07.570
North America; over to Dublin and over to Europe; to the Far East and down to South

00:02:07.570 --> 00:02:12.040
America. It takes about three minutes. And what it means is this:

00:02:12.040 --> 00:02:19.040
No matter what you enter as a Google password, it will be treated as correct. There are no

00:02:19.670 --> 00:02:25.560
password checks any more. If you type in the username, you will get in.

00:02:25.560 --> 00:02:29.730
And if this seems implausible, if this seems like something that wouldn't happen, remember

00:02:29.730 --> 00:02:35.910
Dropbox, the file hosting service used by 175 million people including, I'm fairly sure,

00:02:35.910 --> 00:02:38.450
pretty much everyone in this room.

00:02:38.450 --> 00:02:44.930
In 2011, they had exactly that security bug for three hours. Now fortunately, the person

00:02:44.930 --> 00:02:49.220
who discovered it -- who wasn't a Dropbox employee -- disclosed it responsibly to them

00:02:49.220 --> 00:02:51.550
instead of telling the world, so the damage was limited.

00:02:51.550 --> 00:02:57.650
Maria has no intention of responsibly disclosing anything.
Most of the engineers that would

00:02:57.650 --> 00:03:02.680
get notified of a code change like that aren't on call. And those that are have somewhere

00:03:02.680 --> 00:03:07.520
between about one and three minutes before Maria gets around to logging into their now

00:03:07.520 --> 00:03:12.020
open Google accounts -- never mind the email notification, they've got about three minutes

00:03:12.020 --> 00:03:17.099
to read it, understand it, and grasp exactly what the change means before Maria logs in

00:03:17.099 --> 00:03:20.730
and remotely wipes their Android phone by reporting it as stolen.

00:03:20.730 --> 00:03:25.540
None of the engineers work it out in time. The rest of Google's Trusted Five are still

00:03:25.540 --> 00:03:30.459
asleep as their phones quietly erase themselves.

00:03:30.459 --> 00:03:35.540
So then Maria emails her manifesto to dozens of news sites, posts messages on a few high-traffic

00:03:35.540 --> 00:03:39.920
tech forums, then logs out -- which is ironic, given that logging out doesn't actually mean

00:03:39.920 --> 00:03:43.380
anything any more -- gets into her car, and goes to catch a flight.

00:03:43.380 --> 00:03:50.380
As soon as the first journalist tests it successfully, the news goes ballistic. The first place to

00:03:50.840 --> 00:03:57.370
break it, of all the web, was oddly the Drudge Report: and they said later that it was because

00:03:57.370 --> 00:04:01.840
they didn't use Gmail themselves, and didn't really get it, and just went with the story

00:04:01.840 --> 00:04:03.780
rather than immediately going to protect themselves.

00:04:03.780 --> 00:04:08.030
'Cos that's what most people did. In the hours that followed, people tended to fall into

00:04:08.030 --> 00:04:08.739
one of three groups:

00:04:08.739 --> 00:04:14.470
First of all, the defenders.
Desperately trying to lock down their accounts, desperately trying

00:04:14.470 --> 00:04:18.839
to delete anything that might be incriminating, and to stop all their other accounts getting

00:04:18.839 --> 00:04:19.329
compromised.

00:04:19.329 --> 00:04:25.720
Because, remember, if you have access to someone's email address, then you have access to every

00:04:25.720 --> 00:04:30.570
web service they use -- because they can request a password reset sent straight to your inbox.

00:04:30.570 --> 00:04:36.080
How good you were at being a defender generally depended on how good you were at getting all

00:04:36.080 --> 00:04:41.250
your other accounts moved away from that compromised address.

00:04:41.250 --> 00:04:44.620
Of course, even the folks who were initially smug that they didn't use Gmail realised that

00:04:44.620 --> 00:04:49.730
other people they emailed did.

00:04:49.730 --> 00:04:54.980
Facebook was the first big web service to react, quickly enough that most commentators

00:04:54.980 --> 00:05:01.020
suggested they actually had a plan in place for this years before. Within a few minutes

00:05:01.020 --> 00:05:06.470
of the story breaking, Facebook turned off not just password resets but the ability to

00:05:06.470 --> 00:05:10.830
log in at all, on the assumption that most people would have their accounts compromised,

00:05:10.830 --> 00:05:16.430
so they just turned it off. And since nearly everyone was already logged in on their phone

00:05:16.430 --> 00:05:22.490
and their computer, Facebook rapidly became *the* trusted method of contacting anyone

00:05:22.490 --> 00:05:26.600
-- and that was a new level of trust that stuck around afterwards as folks looked warily

00:05:26.600 --> 00:05:28.150
at email.

00:05:28.150 --> 00:05:32.639
Then there were the amateur detectives. Those that suspected that their partner was cheating

00:05:32.639 --> 00:05:35.889
on them.
Those that were desperate to find out what their colleagues were earning, or

00:05:35.889 --> 00:05:39.300
what their boss really thought of them. It wasn't restricted to email, of course; because

00:05:39.300 --> 00:05:45.430
if you have access to someone's Google account, in most cases you have access to their full

00:05:45.430 --> 00:05:51.419
search history and all the web sites they've clicked on. For years, and years, and years.

00:05:51.419 --> 00:05:56.639
Have you turned it off? Most people in this room haven't. It was described by one writer

00:05:56.639 --> 00:06:01.180
as "like looking into my wife's soul". And the divorce rate had a notable uptick a few

00:06:01.180 --> 00:06:02.479
months later.

00:06:02.479 --> 00:06:07.330
Meanwhile, companies using Gmail, or companies working with companies that used Gmail, just

00:06:07.330 --> 00:06:12.509
had to assume that all their trade secrets had been stolen: in the years to come, patent

00:06:12.509 --> 00:06:17.110
and trademark lawyers would make an enormous amount of money as allegations flew back and

00:06:17.110 --> 00:06:20.240
forth between corporations.

00:06:20.240 --> 00:06:24.840
Now the European stock markets, the only ones open on July 4th at that time, went into freefall

00:06:24.840 --> 00:06:29.100
almost immediately; the Asian and American ones would do the same when they opened the

00:06:29.100 --> 00:06:30.270
next Monday.

00:06:30.270 --> 00:06:36.500
But the most obvious group, if not the largest, were the burners. Everyone who had any sort

00:06:36.500 --> 00:06:43.500
of prominent online presence got their account destroyed, utterly destroyed, within ten minutes.

00:06:44.020 --> 00:06:48.449
Any YouTube channel with any sort of audience found all its work deleted and vandalised,

00:06:48.449 --> 00:06:54.090
even worse than the new comment system that YouTube had brought in.
Some burners attacked

00:06:54.090 --> 00:06:59.490
individual people thoroughly, hoping to wipe everything as part of a vendetta; but others...

00:06:59.490 --> 00:07:02.840
others just tried to destroy as much data as they could from as many people as they

00:07:02.840 --> 00:07:04.169
could as quickly as possible.

00:07:04.169 --> 00:07:10.580
Google, of course, had backups. They did roll everything back -- but a lot of third-party

00:07:10.580 --> 00:07:17.380
sites, vulnerable through password resets, weren't anywhere near so lucky.

00:07:17.380 --> 00:07:18.229
(LAUGHTER)

00:07:18.229 --> 00:07:24.310
Every blog with more than a few readers got crude messages added to it, or code that redirected

00:07:24.310 --> 00:07:31.259
to shock sites, or just torn apart and destroyed. A huge number had no usable backups. This

00:07:31.259 --> 00:07:36.300
was the final death knell for most third-party web message boards, the old ones which had

00:07:36.300 --> 00:07:41.570
been falling out of use for years and years. As soon as one administrator account fell,

00:07:41.570 --> 00:07:46.300
the whole site was quickly destroyed. And not many of those ever recovered because not

00:07:46.300 --> 00:07:47.770
many of them had backups.

00:07:47.770 --> 00:07:52.770
Some things did work in favour of the "good guys". First of all, the enormous rush of

00:07:52.770 --> 00:07:58.419
traffic -- of people trying to fix and break things meant that even Google couldn't quite

00:07:58.419 --> 00:08:03.000
cope with the load: a lot of folks were frustrated by slow loading times and falling servers.

00:08:03.000 --> 00:08:07.680
But thirty minutes in, at least some of Google's network engineers had worked out what was

00:08:07.680 --> 00:08:13.460
going on and pulled the plug -- in one case physically, literally pulling the plug from data

00:08:13.460 --> 00:08:19.430
centres and uncontrollably shutting down everything they could.
Someone finally managed to get

00:08:19.430 --> 00:08:23.660
an actual shutdown command into the systems that Maria had compromised about two hours

00:08:23.660 --> 00:08:28.520
afterwards, and three minutes later, Google fell off the internet for the first time in

00:08:28.520 --> 00:08:32.700
a very, very long while.

00:08:32.700 --> 00:08:37.820
In amongst this two hours of mess, this pandemonium, were the people that Maria Christensen was

00:08:37.820 --> 00:08:42.620
actually trying to reach. She was hoping to be the next Chelsea Manning, the next Julian

00:08:42.620 --> 00:08:46.730
Assange, the next Edward Snowden. More than that: she was hoping to create a hundred,

00:08:46.730 --> 00:08:52.570
a thousand, a million people taking that whistleblower role, using the brief hours of "freedom" she'd

00:08:52.570 --> 00:08:56.700
created to change the world for the better. That was her manifesto:

00:08:56.700 --> 00:09:02.000
Go out. Find the things that need to be leaked, go through the files of the corporations and

00:09:02.000 --> 00:09:06.529
governments that are destroying our world, and show them the light of day.

00:09:06.529 --> 00:09:12.459
Her view was woefully optimistic. And yes, some people did. There were thousands of leaks,

00:09:12.459 --> 00:09:17.860
some of international importance: a few people remembered the Obama transition team, after

00:09:17.860 --> 00:09:23.560
the 2008 election, used Gmail until they could get their official whitehouse.gov email addresses

00:09:23.560 --> 00:09:30.560
set up. And there were stories of billionaire fashion CEOs putting stories about sweatshops

00:09:31.529 --> 00:09:37.000
and burying them; stories of mining companies exploiting workers and exposing them to incredible

00:09:37.000 --> 00:09:42.459
danger; tale after tale after tale of people putting aside human concerns and -- this phrase

00:09:42.459 --> 00:09:46.360
got used a lot -- acting in the best interests of shareholders.

00:09:46.360 --> 00:09:49.430
But none of those stories made the news.

00:09:49.430 --> 00:09:54.050
Because what Maria Christensen hadn't done was manage the story. Wikileaks and its allies

00:09:54.050 --> 00:09:59.550
always had: they'd drip-fed the stories over months into a 24-hour news cycle that always

00:09:59.550 --> 00:10:03.180
wanted more, more, more, but instead...

00:10:03.180 --> 00:10:06.560
In this case, though, the story was about the process, not about the information. The

00:10:06.560 --> 00:10:11.300
angle that all the news took was that email was suddenly insecure, that you were at risk,

00:10:11.300 --> 00:10:14.440
that you should defend against it and this is how you do it, that web sites are being

00:10:14.440 --> 00:10:19.560
damaged, and that this is how you protect yourself, and watch us because we will help

00:10:19.560 --> 00:10:20.000
you.

00:10:20.000 --> 00:10:24.220
So there were no stunning revelations plastered on the front pages. There should have been,

00:10:24.220 --> 00:10:30.490
given an infinite number of front pages, but there were, simply, too many stories, and

00:10:30.490 --> 00:10:34.360
all of them were much less interesting to the public than the question of whether your

00:10:34.360 --> 00:10:38.290
partner has seen your browser history.

00:10:38.290 --> 00:10:44.610
And of course, for most people, there was no long-term damage, at least not to them

00:10:44.610 --> 00:10:48.680
personally. Statistically speaking, you'd get away with it. And sure, everyone knew

00:10:48.680 --> 00:10:53.740
someone who'd been affected, everyone knew someone who'd got in trouble, but chances

00:10:53.740 --> 00:10:59.130
are that you, yourself, had gotten away with it. And while a lot of high-profile companies

00:10:59.130 --> 00:11:04.700
suffered slightly, there were no world-changing moments. If dumping untold gallons of oil

00:11:04.700 --> 00:11:10.930
into the Gulf couldn't kill BP: what could?
So most small businesses survived unscathed

00:11:10.930 --> 00:11:17.370
and the economy recovered, slowly, having been damaged no more than by any natural disaster.

00:11:17.370 --> 00:11:23.610
And Gmail, a year later, had just as many active users as before. Because, after all,

00:11:23.610 --> 00:11:27.870
what were the odds of that ever happening again? And it's not like the government couldn't

00:11:27.870 --> 00:11:32.670
read all your messages anyway. And no-one really got hurt in the long run, and maybe

00:11:32.670 --> 00:11:37.890
it was for the best that me and her broke up, y'know? It all works out in the end. And

00:11:37.890 --> 00:11:41.459
besides, it would be a real pain to try to switch my email account somewhere else. I'd

00:11:41.459 --> 00:11:47.070
have to change my email address!

00:11:47.070 --> 00:11:52.100
It's amazing how much we trust to single points of failure. And while this is a worst-case

00:11:52.100 --> 00:11:58.440
scenario -- very much so -- everyone here will have that one lynchpin on which everything,

00:11:58.440 --> 00:12:04.440
at least in your online life, hangs. That backup you haven't taken for a while. The

00:12:04.440 --> 00:12:09.079
email account that you forgot had access to everything. Or that password that your ex

00:12:09.079 --> 00:12:09.899
still knows.

00:12:09.899 --> 00:12:16.149
But my point is this: even in the face of seeming disaster, when the world is falling

00:12:16.149 --> 00:12:23.149
around you, you remember that eventually, this too shall pass. Because it takes more

00:12:26.940 --> 00:12:30.260
than just one single point of failure to change the world.

00:12:30.260 --> 00:12:36.300
Oh, and as for Maria Christensen? She got arrested at the airport, after her flight

00:12:36.300 --> 00:12:39.079
was delayed... because the airline ran on Google Apps.

00:12:39.079 --> 00:12:43.079
Thank you very much, I've been Tom Scott, enjoy the rest of the show.