Ep. 77: The hackers will always win, with Kevin Mitnick
-- and don't.
Hello everyone welcome to reporters' roundtable our weekly show on a single tech topic each time of course right now this week today. --
On my securities in the news even more so than normal from the -- isn't very big way the Sony PlayStation network was hacked for weeks ago in the struggling to get back on its knees and then.
He gets hacked again.
And just says them.
As -- news is breaking we learned that there is no way a Mac. Online exploit targeting users of them OS-X.
How bad has security gotten on the Internet will hackers always win after we're gonna be talking about today and we are very very special guest.
Kevin Mitnick is joining us from his secure -- lair somewhere.
On the in the Western Hemisphere.
Now Kevin if you guys don't know more writing.
Kevin is a hacker he in -- used to be a criminal hacker in fact it's fair to say he was once the most notorious the most wanted criminal hacker on the planet.
He eventually because of this got nabbed and landed in prison as most notorious crime in the ninety's was hacking into the cell phone.
Companies in getting copies of the secret handsets source code.
To some Kevin was a symbol of the dangers hackers -- society needed to be locked up to protect us.
Two others he was a scapegoat for the lousy computer security practices and all of corporate America.
Nonetheless he's with us here today.
Released arguably rehabilitated he now runs his own security company in which he will probe -- or car company network security.
And try to break into -- and give you confidential reports he can use which you can use to mitigate the security flaws that you will have.
He also has a new book coming out called ghost in the wires which is now available for pre order on Amazon.
Kevin thank you so much for joining us on reporters' roundtable we're delighted to have you with us.
There are to be here are you -- it --
-- rehabilitated. On your show up did not know well Leo all play.
Here if you well -- like all in the past and in fact it's like today it's got a job you know companies.
Army knew exactly what I was doing back in the eighty's and ninety's.
And is -- -- kind of interest me because were.
You know at what point -- criminal activity -- and you know just.
One -- changes that authorization. And then yours yours appalling service and good service to help.
You know keep the bad guys up.
Is it -- fun now as it was when you were offline so far under the radar.
It actually -- -- because at this point you are run my own company so it's easy where I can just hire people to do the ethical and testing.
But I enjoy doing it myself.
So I actually get my hands dirty a lot of a lot of these assessments and I really enjoy it because it's -- -- like solving a puzzle figure and obstacles.
And it's it's really enjoyable it's almost like not work at some of silica playing a video game.
-- -- talk about your background a little bit and and some stores from the book and then get into your views on the state of security today so.
Let's start with that how did you get into trouble to begin with and tell us you know -- when -- first became dangerous.
Well on a day long long ago -- -- -- yeah.
-- -- I started. In a hobby call phone freaking back in the 1970s actually.
Bomb. I I was avid amateur radio operator this -- -- -- ham radio and and what it was not high school and at this chaired.
Who is really adopt with the telephone system.
And should we all these tricks -- can do with the telephone which kind of really impressed me and he was a phone breaker.
And at the time -- -- my -- was also master so all the things he could do with the telephone.
He was very magical. And I want to learn all about the telephone company and that was kind of body.
Foot in the door if you will sports my eventual career as a computer hacker.
Now when you when things start to get -- you. It became more game of social engineering -- a not mean a one point you've got a vendor.
To FedEx -- source code how did you manage -- Mac.
But the other aspect like you know be fast -- -- like the 1990s and now must've you know a lot of the attacks were hybrid.
So social engineering. And and doing some sort of technical magic her exploit would be -- -- always a hybrid attack.
On clearly wouldn't just be simply like calling up somebody on the call him.
And getting them to like give -- support for example is there really wasn't that simple in amateurish --
These type of what types of attacks can go from very simple -- very complex but in many and in this event I'm.
I think the story you're talking about in the book even though I did get -- -- actually.
FedEx -- source -- to -- of the cellular handsets back in the ninety's.
That actually wasn't in the book it was a story I looked up because were we were just way over H -- and but in this particular case there is this.
Cellphone company -- no but hell out of Calgary Canada and the developers were actually in Japan.
And so are around the it was around November December elective.
Or maybe it could've been in January 1991 when the recess. CES show.
In Las Vegas.
What we did is I leveraged the kind of the atmosphere of the show actually does the that you know actually I was at the conference itself.
It was very interested in getting its --
Which would allow me to change my electronic serial number because I can change -- electronic serial number I could become anyone and so I called.
No -- just the blue.
And I was transferred to an engineer and I asked the engineer right all the -- on the floor with no -- we have a Booth here.
On and they have different offices they -- fort worth Texas at Calgary Canada and wherever.
And I told the -- you know I need to be able to change -- yes then from the handset is -- like a secret.
Method I can do when he says absolutely not.
I'm that's against FCC rules and regulations and there is no way to you because I thought maybe -- was it a secret key sequence opens.
-- this is trying to Naspers you know getting into the salt and stuff.
And what he did is in the conversation he says well you know we have a special version of the software that we gave to the FCC that allows them to change that yes send via the keypad.
I -- -- Andy -- because yeah that's you know a special version one point 05 but it's not released in the market.
I said really -- And I know immediately my mind's eye need to get this the subversion. The the firmware.
So I estimate -- a -- no I'm I'm here at the conference you out there at the convention here at CES.
I kind of need to get a get a copy of the firmware because I needed to you know for demonstration purposes.
And he says will what I can do as -- -- -- you the the firmware on a chip and -- -- go ahead -- the -- and thought.
And this wasn't really easy to do it because to get the chip and a phone was really a process -- -- it just assembling the fountain.
Thankfully was a socket but even have to -- was as -- socket so basically you just plug it in -- that Apple the circuit board on the phone so.
It took about thirty minutes.
Believe it so now you're talking to an engineer. From pretending or act on the floor of -- competency and -- in full on geek in lock mode with this guy who now wants to help you and is going to the extra step of actually burning wood chip.
Well I actually estimates it is possible -- you could burn -- -- chip.
You inept. Two to the device and he said you don't sure actually it's it will as a matter -- -- -- paper -- spot.
Basically he was taking it was a birding spot chips -- -- at this version of the firmware.
So then the next step -- -- only gonna get the firmware. From this engineering Calgary.
And you know during the conversation actually knew who has a knock -- -- -- had engineer by the name of Fred walker.
That's atlas and you know I know spreading on different without the office -- this is what gave me the ability to kind of you know manipulate him in this --
And I said listen to me a favor or that ships and drop them off with I forgot the ladies -- where's Fred -- secretary.
So that way there's not suspicious not like he's taking the packaging and sending it to me.
But he's just thinking this package of -- you know the chips that he -- me and just -- you off the secretary. And I told me I'll just pick it up from her.
And Alan thinks I'm like you is get access to this you know this this package.
So course after.
I find out that he drops packets to the secretary what -- Oracle secretary.
I say hey ID as must be in the office today because I'm on -- it from Fort Worth but are supposed to be there but I had to go to Vegas.
Because he needed my help and see yes but as a Katie could be a -- that package that you know.
I forgot the guy's name.
The packet access on your doubts and I'm supposed to pick up -- -- -- just drop it in FedEx for so.
I you know that I think well the object ever FedEx that the government right so what I do -- that he that I -- with this -- simply does all the circus circus.
In Vegas made a reservation.
-- I mean and even carton in a reservation told her to FedEx at the circus circus and then I have a colleague actually does pick up the FedEx from the front --
And before even checking -- so that's how we were able to get to the --
Get to that get the chips for the special version of firmware that a lot has changed the BSN in the.
What a story.
Now is it also true that at some point you had an alert in the phone network system itself so you -- know if the FBI was wiretapping of.
Well there's ways that I can tell that the phone company ordered -- government was actually had an intercept.
-- -- linemen usually. In vault holding the a frame.
Which is -- It's the -- is located in the in the central office.
And having them and inspect certain inspect -- actually I'm afraid but I think what you're talking about.
Is when I was working when the Puget spies were campus law firm in Denver -- Oracle Roberts and Owen are obviously under a different name but he was using at the time --
Eric -- Erica -- -- -- because Eric Weiss was the real name for the of the famed magician Harry Houdini so it doesn't --
I actually. Was hired at this -- the you know as a computer.
And I placed on -- code in their telephone application tell your lawyers are.
-- really super paper clip brightens up the law firm and it's undergoing phone calls on behalf of a client -- -- a to a client matter number.
So basically I have access to the systems satellite program the system that if anyone in the law firm.
Called the US attorney's office -- the FBI and Secret Service in Denver or Los Angeles it would send me a page button so I was kind of like an early warning system and it actually was tricked twice.
Where somebody from the law -- calling US attorney's office in Los Angeles.
And then one night you immediately followed up on know what the hell's going on.
This is somebody figure out who I am it turned out to be civil division of the US attorney's office and there is no threat.
Them but it was kind of everywhere I went as a fugitive would set up these early warning systems so they were -- you know -- you don't like it escape.
-- a lot of work.
A lot of us are actually interest as well but think about all that what trip wires and I set up that if their -- you know we'll give me enough time to get -- -- there.
Now as. A hired gun now working on behalf of companies to go and -- their networks and find the security flaws have you ever found a company.
It was secure what's what's Kevin proof. Now.
-- are in fact every company that is our disparate security assessment we've always got it.
On and it in in in like one case we -- -- client that just wanted -- a network and west security assessment.
That's basically -- public -- any applications or wireless network and no physical assessment no social engineering but simply looking up their network.
The see what services. Were exposed by their computer systems that were on the perimeter.
And it turned out in this one case there is a couple others several boxes but -- early exposing or edu or or three.
Which is you know for web services there -- no web applications. -- simply static pages -- there -- there's really not much of an attack surface moves to attack.
But later on when the company actually you know.
Went and asked us to do further testing that -- -- applications social engineering and wireless and were able to get him.
But in every case across -- we have never failed.
Add -- -- breaching a client's systems I mean if we're pretty much of a 100% successor.
What's the most obvious or embarrassing on on the client's site that type of exploit the you've been able to take advantage -- and want to make -- the one to make sure they all my god we paid you for a matte.
Well now. -- one.
Be. How we got in as we found a bug in -- web server which allow which would allow customers upload pictures but we could upload code.
Okay so we can get a shell on their server on their you know company's server -- -- -- on this server we know employees go to the website you know several times today.
So we basically. Set up an exploit in in what they -- I frame so when they hit the web site that exploited.
Exploit it'll plug -- Adobe -- -- and done.
So now it's either network.
Way I've I've got access to this one user's machine has no administrator rights.
Was able to get out you know escalate your privileges to get rights on this one users --
But now I wanted to get to the IT department.
-- and you know over exam even where -- are able to figure out.
The internal IP addresses. Or be.
I T departments -- you figure those people obviously have administrator -- so now.
Pretty much the systems -- all -- against -- in a recent vulnerabilities. And what -- ended up happening.
You know is you know you don't -- resort to password guessing these days because usually after a -- tries to lock -- the account.
So you basically have a few drops so that's not around that we take but eventually.
When we were able to compromise one of the IT. Network engineers workstations. And we're able to.
Basically get access to the password hashes and crack the password the local app and password was password one -- -- it wanted to pull my hair out.
Because I was spending all this time.
Trying to exploit a vulnerability to compromise the box and the password was so damn simple it is like I -- to throw my hands up in the air.
But it wasn't something I would have tried because again.
In you know modern times you don't wanna sit there and do you know -- you know dictionary attacks or anything because it will -- -- -- the account.
So I imagine most. Or many of the X with that you find there are similar in that nature where -- -- slapper what happens next though you go to your client can say.
By the way here's how I found -- my way in.
Password one what do they do. Now.
That's not usually we find a whole bunch of ways. That -- problems in on the -- from low.
Well low risk iris. And then you know we basically prepare reportedly kind of you don't prioritize what they should experts on hand. You know it's it just.
We you know what it's a harder job because we have to find you know everywhere --
You know in a real attack earlier justified -- right we just don't stop -- law.
All you because. If there's other ways of getting -- we really haven't done -- -- at you know finding all the different doctors Wikipedia's.
Are so those let's talk a little bit about what's happening today we at the top of the show I talked about. The Mac -- exploit which is circulating now which is very similar to existing windows attacks except -- happens we target Macs switch and Mac users.
Have this feeling that they are somehow more secure safer than windows users. --
Well I mean this is -- -- I I read you're talking about the the fake AV software yeah exactly if you've been infected -- I mean this is like age ages old social engineering -- -- I mean it's kind of interesting because.
In most of the at -- today it always has a component of social engineering.
Back -- you know the old days you know back in the ninety's you know it's you know --
Most of the exploits were -- server side.
So you find a bug in you know it ftp server something like and exploit it but nowadays it's you know usually desktop -- -- -- yourself to trick the user into doing something making about.
Decision to get exploited.
And and so this this ages old attack you know posing. Saw her in opposing -- -- hear your machines -- your character -- -- download.
The software you have to pay a fee for you know.
Purchasing the -- yup yup -- -- has been you know you're -- and now so they're using -- against Mac users.
No it's not surprising -- -- and more secure operating system at all actually less secure than windows but let's -- right as you know Microsoft says.
Pretty much the majority of the market share out there are so if you're gonna write some malware they're gonna do it for windows because he can get you can get many more victims --
Now we've also heard about of course that the big news -- -- the big most important is the Sony PlayStation network attack where they actually got a database of credit card numbers that's terrifying news.
-- short because it was like not clear in the media Texaco card numbers but if they did.
There really goes to like what what what the stakes -- -- what what mistakes is something making.
For example -- they encrypting and customer credit card data -- our -- -- Mikey Shiite and what you know PCI.
On you think that they are at times in companies that -- been tested.
You know they either you some sort of -- encryption tool moment but what they do -- -- store the key.
They don't use a hardware security module.
-- store the key and some stored procedure or they store the key in -- place on you know it.
On the same server where the databases and then the -- early crust is finally here.
I mean I've done this umpteen times so.
You know they're complying because they're correcting the record data but the key is easy to rotate so you -- cracking the crypto you're just you know you're -- McCain.
The finding the -- because that's -- implementation my doors locked but the keys under the --
And I can tell you how many times we've found that in customer sites you know and they're using a flat file there you know usually stored in some stored procedure and -- MySQL database and or -- the keys are there so they Figueroa the he would have been rights over if you think it administrator rights are -- you know the database -- -- -- accessory. So.
Now there been other attacks in the news lately the the potential. Exploit of last -- which is a password that's security system.
I got nothing to be -- so you'll -- nick password site so people could get us.
The bacon does store their passwords at -- and united I can I can keep them safe for you know we can ever forget about undermined if you're new sort.
I mean come up.
I -- whatever store might you know.
Ridiculous you deserve to get.
Kevin the irony of -- setting up a password security system would be that of all the people I would.
In trust to write a secure password storage system it would be you.
Of all the people I should trust to store my password with it should not be new.
I mean this is a whole nature of ethical hacking is is the trust relationship that you have with your clients as an.
Yeah I mean and and my clients all about history I -- I -- I was one case in the last ten years were a law firm.
Who wanted to hire me to go on a forensic -- actually actually a missile search warrant and they had no idea you know they they just.
The name from some -- but they didn't know about my history.
But that was like one case and all -- so unfortunate you know that I do have points you and me.
That trust me -- -- nineties speaking engagements all around the world we -- the federal government orders me to do gotten that was kind of interesting and -- -- in --
We're all FBI agents so when you read it for permits speech and -- the -- -- criminal agents like walking on stage and like like glancing into my bags like -- -- looking for elective curriculum Coker --
-- it's like Alec ridiculously NFL and -- street I was kind of like an honor that -- note that they actually hired me because they that's the important stuff to say.
And -- so this was a few years ago so.
And I many government agencies army Ehrlich are conferences in -- consulting type work.
But the thing won't last -- to think like why in the world would you store your password with the third party.
I'll tell you why because -- are you hearing or can I know you can give us a lot of very good technical reasons why should not you being the biggest technical resort and should not.
However everybody is recommending this is this is question I get from from users all the time.
Everybody says you need to have secure and guess -- password so use a password generator which means you need to store them somewhere because you can't possibly remember that -- --
Get right so what used to limited by the -- that -- -- 150 sites that I use and they -- -- different und gets more passwords that are made up of random characters letters and symbols.
What is the solution.
I mean you could use a password manager and your local machine but it that machine it is attacked and yet some malware that.
Intercepts your your password you'll pass -- to unlock your your password database in fact I was doing it and -- for client.
Again this client happen to be using a password managers throughout the whole operation moon and you know if they had really. Say -- -- security.
So but there -- using password managers that are open source buttons or any party and was able to get domain admin rights here in this particular in this particular test.
So all they do -- back to world the all the -- -- -- they were using human anarchy and enable them unlock everything.
So you have to think about well yeah trust the software for the -- is open source all the attacker to do is get enough privileges on your machine to -- -- to steal your.
Get a cabinet whether or not the password that software is open source or completely proprietary whether or not the software's running in my local machines -- running in the cloud.
I still don't know what to trust it doesn't matter where I mean I could I could download -- go ahead.
There are several evils -- in this case if you put it on your local machine.
Then -- then it -- -- law.
Or I mean there's probably like -- retail like. A screen.
Type keyboard and it becomes you know or of people think the use -- don't -- using the art of it.
But for stuff that has a reasonable convenience factor there's always a risk so be stored in the cloud.
Well look what happened the last -- be stored on your machine.
You know what are the chances your machine's gonna get attacks but some sort of malware that secure longer and they're going after these type of you know password databases if you're running you know -- I don't know password gorilla.
All or whatever and and they're going you -- -- in your house -- stealing your your database whenever they can unlock it.
But then again -- -- I think NASA and trying to remember the company.
The -- the company actually solution work they repeat your passwords. But actually the company had half the key and -- the queue what's on your machine.
-- of the company itself can decrypt your passwords if they have wanted to -- you can do it either.
So maybe some type of solution like -- might be you know a better solution.
Now that's not what we're really looked for editors now that's not what people called two -- security you know there are two dual keys there but talk about that is that Cigna we -- things we didn't discuss with the recent I think with earlier this year or late last of that the the crack of the -- safe system which was terrifying because that's supposed to be two factor system we have a password and -- hardware thingy that is encrypted.
Is that the solution to true security.
Well before that question nothing like that let -- -- for managers if you just how malware.
-- on the machine that intercepts and API you could see actually.
The post of the information anyway -- you can intercept.
The password after either they've been in an encrypted but to go on with our assay and yet I was like I was kind of like taken --
That -- was hit but I wasn't surprised because the bigger target the harder they fall there in my gas in two.
-- least one of the methods that was used against our assay was obviously social engineering because in art.
Assessment appeal develop. Believes COR -- -- from pronouncing his last name correctly he actually.
In his blog you know what's really kind of immediate sounded like it was a social engineering attack because there were talking about.
You know mitigating social engineering movement as a form. Breaking into your interest your your company so.
Now I'm thinking well RC so that so many employees.
-- all it really take is this one employee making about decision.
Opening up a booby trapped video while using an -- version of the browser using an older version of flash an older version of Java.
I -- all it takes is one guy.
To make a bad decision and -- your network. So -- think about the thousands of employees but -- hit one.
Video network access the -- were to go from there.
And nowadays with everybody taking their computer so we are talking about this. Previously. Networks are becoming less security in your estimation is that right.
It's kind you know.
The old days when I was you know a blackout. I would say security was easier to compromise.
But then there was less security intelligence out there less public exploits. -- sharing and security.
You know a little less less sharing of hacking methodologies. And stuff like that was pretty much.
In the it was with -- minimal as compare today's subject to today.
Now today you know security is a really important.
Doctor at a lot of companies -- what you may get universities.
There are treating people and information security you know -- it's become commonplace but then again so companies.
Merely not become more secure it's -- let's error on the site that.
You know the -- industries are no more secure because -- much more aware of the deal of security issues.
But now you look at its adequate nothing attackers have become much more sophisticated than they have since the 1980s and nineties and -- go to sites.
That -- public know -- exports and this wasn't available in market.
You know now today and just -- -- backtrack.
And other Metasploit in these exploitation frameworks for absolutely free that weren't available back in the 80s90s.
So in your estimation are we --
Is the Internet or computers that are connected to the net are they -- more vulnerable or less vulnerable than say five or ten years ago.
Well it really depends on who's operating and managing those computers come up -- like you know just a general.
Estimation I would say that computers are more secure than they were back in the eighty's and -- because the operating system many manufacturers.
No better the security org -- to -- still would maintain their market. Competitiveness straighten himself.
You know -- -- market demand people are demanding better security so that they know so Microsoft and Apple and these other manufacturers to comply.
So it's a more secure but then again.
To break into these systems has become a whole lot easier than it was back in the eighties and nineties because there's much more security intelligence -- there.
From the sensitive.
Yet -- -- what you're what you're describing is a war of escalation where the targets get bigger in the attacks get smarter. There's more money.
On the Internet so there's more of a motivation to get it.
Telling -- right back in my day my motivation and purpose for -- -- -- to become really good at playing the game.
And now it's all about the Benjamin's -- it's all about money.
-- the trend you know today is clearly stealing credit card information bank information. You know it's it's become a huge underground business.
And I mean there's a there's a great book all -- and it was written by Kevin -- -- really speaks to the underground economy of credit card for a and this is were.
Unfortunately were happy as --
Well -- noticed the stuff.
Here's the fundamental question in your view.
Will the hackers always win.
I think there's always a way in and once an attacker compromises the company it's extremely difficult to get them --
I mean back in my day when I was compromising large companies.
-- the only reason that I was able to get back -- was because I was arrested.
Otherwise they they would never find.
You know these subtle things that I would do in the network to maintain -- continuous -- took a minute they were changed passwords and so on and so forth.
But. There is always a way and so it's extremely difficult once an attacker gets him.
You pretty much eradicate the problem.
Usually it's restoring. You know basically restore reinstall your operating systems and applications. And hardening -- the systems.
Doing you know trying to figure out -- they get -- in the first place so if I go through all this work every installing the operating system -- installing applications.
And doing it in hardening the box that I could eliminate the vulnerability that was initially used used to get it.
Now one of the things that I I read recently which is really resonates with me is to -- in the nicest -- possible way to always security experts out there is.
You have to assume I think if -- consumer incompetence complete and utter incompetence on the part of the network people who have your password data who have your Social Security number who have here -- bank account information is accurate -- it's kind of assumed that.
They are overmatched.
Well I --
Idea I mean here's the thing and it puts on a security expert have to be right all the time and like terrorism the bad guys only have to be right ones right.
The bad guys we have to be able to operate in the box -- and pick up but security experts obviously. A challenge here.
You know when they're protecting your organization they have to look at all the possibilities. -- all the different factors that an attacker could use to get yet.
And being in one recent patents test it wasn't an operating it was about social engineering a target of what's -- about finding a technical vulnerability.
In -- -- Internet facing web application there was simply picking a law.
Many simply down to the physical. Picking a couple loss got -- -- So.
You know you have to you know it's it's it's really -- these days or for good security controls to -- it.
But rather look -- security credentials effective security controls it -- me really well thought out.
And there's always a risk so the name of the game is not trying to protect yourself -- 100% because that will never work.
The need of the gain is -- risk mitigation.
To whatever acceptable risk you know that your you know whatever risk you're willing to accept.
Okay so that it it comes out to we've got a an audience here at CNET. Technology -- consumers and enthusiasts.
What should we be doing what should our listeners and readers do. In this very dangerous world.
You buyer beware I mean I mean there's technical others checked --
Controls the you know that users -- obviously the operators don't yet -- via your firewall.
But most of you know -- epic I think one. -- our relations updating. -- console war.
What people don't do that you know bill old -- is stuff that's exploit cable's having on the desktop and then.
And and unfortunately that's the -- let's say you know -- huge problem is you know.
Just surfing around the Internet you know -- there's a there's a hole in the browser there's a hole in something that's exploited.
So maybe you know -- -- and asking browsers and they in all this stuff but there's you know that.
Now there's there's mitigation strategies but there's always away somebody's able to exploit it -- at least what consumers can do.
Is trying to exercise some due diligence and do some of the recommended things that hopefully will mitigate the risks that Adobe that -- be victimized.
-- personally -- -- when I'm when I'm surfing around do.
You know when I'm using the Internet is doing research like I -- it from about a you know I do from VMware.
I -- I just have a guest machine that I don't cure for months.
But from my host system and effort is going around -- -- --
Now that's his personal wanted to but there's always a -- like for example there could be a bug in you know.
In my picture viewer on my -- somebody tweaks a picture and I look at it.
-- could potentially become become compromise.
So there's always that bounced between security convenience how are you willing to go how high is your paranoia level going to be.
San. Diego to actually.
You know enjoy. The experience of using Internet.
That in my case I got to be ultra paranoid because -- -- huge target but the average person there on the street you know.
You know it's it's a balancing test that do you believe in in security through obscurity now.
-- person you know is not gonna go through.
You know jump through the -- Any inconvenience themselves to a degree.
Because then using the Internet is not an enjoyable experience of your security expert -- -- in the presence of course builder but what about the average person on the street you tell them.
-- AB CD you need ABC do you mean.
To mitigate the risk but then they just don't want to do it just you know it's it's it's not the thing that's comfortable now of course you know it's it's not transparent and of course we're out what.
Of course were were by nature humans are our comfort seekers and lazy and on the Internet that it to me anyways reflecting itself in.
The fact it's becoming so much easier to log on to brand new systems by linking the following a lot -- to start up acts.
They say there's -- -- -- sign on with FaceBook or sign on with your Twitter going conservative efforts in linking those things together it is that's something that.
If there's an option to not do it we should -- the option to not do north and OK to use these links services.
Actually -- exploits personally know you know like for example what my Twitter account TO you know I -- upload pictures all intimately to the surface I actually think about.
-- well I really trust that.
-- up -- in some cases lino yeah yeah you just have to give in until they are -- trusted for this social network but.
You know there's always risk to -- so.
And I find like when I went into for example -- settings recently I was lead to a whole bunch of stuff and I just you know I just the authorized.
Because I wasn't even using those services anymore so why be a point but -- -- you're you're giving you're giving control.
He summed it up beginning controlled way to the other service. That -- the -- not yet bad actors at the service.
You know what type of what what type of risk are you dealing.
Well let's close here with that we're so we're talking about. We're -- -- other services and and who were giving control to.
Where there is in the news today there's FaceBook Google Apple all of which are companies that are collecting vast amounts of information on us.
And programmatic -- and otherwise sharing it with.
To other developers partners advertisers.
You should we be worried about using these big services. Eighties with regards the collecting our personal data well.
I mean if he can opt out of it do it and eatery usually -- recently in the news that.
There is a database on the iPhone that was stored all your previous location data -- talked a while. Ago I wasn't surprised. I was just annoyed.
That you know Apple opens as well as it.
But if you're gonna -- their services -- you're gonna use their products nobody reads the EU LA right.
I mean I install this and saw or the other day was 32 pages.
Write a car or something like an iTunes update or something and if you elect was 32 pages you think I'm gonna reach 32 pages so what rights are you giving up.
In exchange for using -- -- --
I mean and you know -- usually 99.9 2% of people are Mercury.
To giving up.
I guess their privacy rights if you will in exchange for using the services so tell -- about personal decision he ought to make.
I can't leave on that Kevin we've got an entire audience -- tireless leadership of the show is now quivering in their chairs in fear and anxiety what do we do Kevin help us with.
-- we -- another -- show yeah well maybe you'll have you back we're out of.
Fortunately there's just so much it's like I don't wanna go through and operators in stuff like that but I -- --
I mean you could take each individual problem and come up with ways you know of behavioral.
I guess behavior of -- ways that you should be interacting with the Internet that will reduce the risk.
But that there's not like it's simply a top five that I can -- view that's not gonna be the audience -- -- right now or does not Regina.
Okay I'll call -- up later little interview and I'll get those -- by about you you I don't think it's much more.
I mean -- if you look at you know these recent you know that's the Sony stuff that Mac.
I mean. What you know the fake AV software I mean it's like an operator -- you know you shouldn't fall for these things. You know.
People that I guess I guess the question of you know and we don't raise a child these days to not be street smart you know if you live in the city are you in the country than -- smart about.
Animals like -- operate at higher paranoia level and use the Internet and so.
Any time you.
Any any piece of software soliciting information from me I honestly don't yet know what they're looking for something well.
-- -- --
Keeping your desktop apps you know up to date is I think it's a good piece of advice.
When you're browsing around the Internet I use a virtual machine myself when you know maybe.
You'd be satisfied using something like Google Chrome that's supposed to.
In our -- and boxing technology and it really depends. On when you know your local paranoia and the local risk that you're going to accept.
Usually the idea being 800 pound gorilla companies out there the AV companies that are trying to upper -- you know -- all in one solutions.
Bomb that are helpful but they won't protect -- 100% you know I think there's assured that a -- moments that not even Norton protect your resentment and so yeah so.
There's it's just.
You -- we have to work with well over what what we have available in the marketplace it and of course you know.
Being careful not being manipulated into doing something don't.
Like downloading that new media application because you think it's gonna infect your machine along.
You know it's just it's it's it's a dangerous world out there it and there is you know.
Things that people can do obviously and you know whether or not gonna do -- -- remains to be seen.
Alright everyone we are at a time here Kevin hang -- a second the government.
Everyone thanks for watching reporters' roundtable Kevin's new book ghost in the wires will be out soon you can pre order on Amazon.
We'll be back in a week on reporters' roundtable and other great topic and we're gonna do a -- -- you lets you watch it's gonna be fascinating.
Stephen thanks -- producing Kevin thanks for being on everyone else thanks for watching and we'll see you guys all next week --