Tech Overflow
We're Tech Overflow, the podcast that explains tech to smart people. Hosted by Hannah Clayton-Langton and Hugh Williams.
Hacking. Part #1: How A Retail Giant Fell to Ransomware
A fake contractor calls the help desk, a password gets reset, and suddenly a national retailer has hackers inside. We open the door on the human side of hacking—how believable stories and helpful habits become the first domino—then trace the technical steps that turn a small foothold into a system‑wide crisis.
We walk through the anatomy of the Marks & Spencer breach: social engineering as the entry point, slow‑burn privilege escalation, and the moment attackers reached the Active Directory—the store of who can do what. From there, it’s a short hop to ransomware detonation and double extortion, where every machine is unusable and stolen customer data adds pressure to pay. Along the way, we translate hashing, brute force, and admin access into plain English, and we talk candidly about what detection looks like when it actually works: least privilege that’s enforced, behavioural alerts that catch odd access patterns, and teams empowered to say no.
The hardest lesson lands in recovery. Backups that live on the same network get encrypted or deleted; backups that are never rehearsed don’t restore on time. We break down air‑gapped, immutable backups, how to test restores, and why a clean rebuild is sometimes the only safe path. We also connect this case to higher‑stakes incidents at pipelines and hospitals, showing why attackers chase critical bottlenecks and how zero‑trust identity, MFA, network segmentation, and vendor risk controls blunt that leverage. It’s a story about culture as much as code: small process choices—like verifying contractors—change outcomes.
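The show notes above promise to put hashing and brute force into plain English; the episode's story is that a stolen directory of username-and-hash pairs is then cracked offline against a list of common passwords. The example below is added here for readers who want to see that mechanism run; it is not code from the podcast, from Marks & Spencer, or from any real directory product. The usernames, passwords and wordlist are invented, and the two storage schemes are generic stand-ins: an unsalted single SHA-256 (the kind of fast, unsalted verifier that makes a dump cheap to crack; Active Directory's own NT password hash is unsalted) beside a per-user salted PBKDF2 derivation. Everything runs offline.

```python
"""Why a stolen credential store is (or is not) a cheap brute-force target.

Constructed example: the usernames, passwords and wordlist are invented,
and the two storage schemes stand in for "fast unsalted hash" versus
"salted slow hash"; neither is any real company's configuration.
"""
import hashlib
import hmac
import os

# Stand-in for the downloadable "common passwords" lists the episode mentions.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Winter2025", "rover123"]

# Constructed user population: (username, real password).
USERS = [
    ("h.clayton", "rover123"),        # dog's name plus digits
    ("admin", "Winter2025"),          # season plus year
    ("j.random", "x7!Qp2#vL9mZ&t"),   # random; no wordlist contains it
]


def fast_hash(password: str) -> str:
    """Weak scheme: one unsalted SHA-256. Cheap, and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """Stronger scheme: per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_fast_store(users):
    """What a careless directory looks like on disk: username -> bare hash."""
    return {name: fast_hash(pw) for name, pw in users}


def build_slow_store(users, iterations=100_000):
    """username -> (salt, iterations, derived key); the salt is stored in the clear."""
    store = {}
    for name, pw in users:
        salt = os.urandom(16)
        store[name] = (salt, iterations, slow_hash(pw, salt, iterations))
    return store


def verify_slow(store, name, candidate) -> bool:
    """The legitimate login check: rerun the KDF with the stored salt and compare."""
    salt, iterations, digest = store[name]
    return hmac.compare_digest(slow_hash(candidate, salt, iterations), digest)


def crack_fast(store, wordlist):
    """Attacker's view of the weak store. Hash every candidate ONCE, then look up
    every user in the table: cost is len(wordlist) hashes however many users exist.
    Returns (username -> recovered password, number of hashes computed)."""
    table = {fast_hash(w): w for w in wordlist}   # could be precomputed offline
    found = {name: table[d] for name, d in store.items() if d in table}
    return found, len(wordlist)


def crack_slow(store, wordlist):
    """Attacker's view of the salted store. The salt makes a precomputed table
    useless, so it is one KDF run per (user, candidate) pair, each roughly
    `iterations` times slower than a single SHA-256. Returns (found, KDF runs)."""
    found, work = {}, 0
    for name, (salt, iterations, digest) in store.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                found[name] = w
                break
    return found, work


if __name__ == "__main__":
    f_found, f_work = crack_fast(build_fast_store(USERS), WORDLIST)
    print("fast/unsalted:", f_found, "after", f_work, "hashes")
    s_found, s_work = crack_slow(build_slow_store(USERS), WORDLIST)
    print("slow/salted:  ", s_found, "after", s_work, "KDF runs")
```

Both runs recover the two dictionary passwords and neither recovers the random one, which is the practical lesson: hashing protects users who chose passwords no list contains, while salting and a slow KDF only multiply the attacker's cost (here from six cheap hashes to seventeen expensive derivations, and in a real directory by the number of accounts times the wordlist size). Neither scheme stops a password reset handed out by a help desk, which is why the episode pairs hashing with MFA and least privilege rather than treating it as a complete defence.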
If this breakdown sharpened your thinking, follow the show, leave a quick review, and share it with a teammate who owns identity, help desk, or backups. Your support gets us to series two—and might just get Hannah to Melbourne.
Like, Subscribe, and Follow the Tech Overflow Podcast by visiting this link: https://linktr.ee/Techoverflowpodcast
Hannah Clayton-Langton:Hello world and welcome to the Tech Overflow Podcast. As always, I'm Hannah Clayton-Langton.
Hugh Williams:And I'm Hugh Williams here.
Hannah Clayton-Langton:And we're the podcast that explains technical concepts to smart people. And today we're coming to you from London.
Hugh Williams:Yeah, here we are in the podcast room. It's so awesome. It's a very nice decor too. We'll have to post a couple clips, huh?
Hannah Clayton-Langton:Yeah, it's a lovely studio and it's always a treat to record in person rather than virtually, as I'm sure we've said a few times before.
Hugh Williams:Yeah, so so true. Next series, I think we uh we record the whole thing in person. We'll figure out how to do it.
Hannah Clayton-Langton:Yeah, Hugh's making a pitch for Melbourne, and I'm really open to it, to be honest. Especially as we go into the UK winter. So um share the podcast with your friends, and if we get to enough listens, then I will get myself down to Melbourne.
Hugh Williams:Fantastic. So I read, Hannah, that this month, which is October when we're recording it, is National Cybersecurity Awareness Month.
Hannah Clayton-Langton:Yes, so I read the same. I'm not sure what that means and which nation it's national to, but it's a good segue into the episode topic today, which is hacking. Which is gonna be fun. It's super interesting, and I think it will pair really well if you've not listened to our episode on bugs and outages. I think there's like a really interesting common thread between these two topics because obviously being hacked is a massive P0 outage. So I suspect it uh ruins a software engineer's day in sort of a similar way.
Hugh Williams:Yeah. I think uh, you know, search engine being down for nine hours, whatever your favorite example is definitely uh definitely is tough going, but hacking is worse because you've kind of lost control. That makes it an extra level of stress.
Hannah Clayton-Langton:And there's blackmail involved.
Hugh Williams:Often.
Hannah Clayton-Langton:Yeah.
Hugh Williams:Often, often. These hacks have become very, very sophisticated.
Hannah Clayton-Langton:Yeah, there's like a whole subtopic I'd love for us to talk through on how AI makes this even more significant a threat. But let's start with the basics before we get into this.
Hugh Williams:Sounds good.
Hannah Clayton-Langton:So, as listeners will remember from our episode on outages, nine hours eBay search was down for. Yep, felt like 90, but yeah, that's probably like one of the worst days of your career.
Hugh Williams:Definitely.
Hannah Clayton-Langton:Okay, so we're gonna start the episode with a sort of case study. And in this case study, the retailer was affected for like 40-something days.
Hugh Williams:Yeah.
Hannah Clayton-Langton:Okay, so this past summer, which is, we're in 2025, um, famously in October, Cybersecurity Awareness Month. Back earlier this year, there was like a spate of attacks on UK retailers. And there's a retailer called Marks and Spencer's, who were basically the worst hit. And there's a lot we can take and learn from the case study. But if you're not familiar with Marks and Spencer's, which you may not be if you're an international listener, it's like, I would call it a darling of the UK high street. So they have like a super well-regarded food business, and then they have a clothing and home business, which has had like a real comeback in the last few years, particularly for women in their 30s, such as I am. So they did some super clever things with acquisitions and rebranding, and like they're a really, really much loved brand on the UK high street. Probably one of the key differences to bear in mind as we talk through this hack is that they are not an e-commerce play like eBay is. So whilst the fact that their online orders were down for over 40 days is pretty horrific, it wouldn't have been their only revenue source.
Hugh Williams:And maybe for our US listeners, perhaps they're Nordstrom with an amazing, amazing food hall, and maybe a little bit like David Jones in Australia.
Hannah Clayton-Langton:Yeah, I think that's probably fair. So from a lay person's, like, customer perspective, suddenly the news is flashing headlines, M&S hack. Sorry, and I will use Marks and Spencer's and M&S very interchangeably in this episode, just to call that out. Um, so Marks and Spencer's hack, this is huge. I understand that the first signs of a problem were that the tills or the like contactless checkout stops working in a bunch of the M&S stores. I think it was the food stores, but the stores in general, right? Contactless payment goes down, but pretty quickly it emerges to be something much more significant.
Hugh Williams:Yeah, absolutely.
Hannah Clayton-Langton:And I also have understood, and just to caveat, we've found a bunch of information on the internet about this, some of it from M&S themselves and some of it from sort of critics in the industry. But I think it's pretty widely known that the hackers came in via what we'll call social engineering and they leveraged a couple of vulnerabilities in their processes. So there were hackers posing as employees. They posed as contractors. So they weren't pretending to be permanent employees. Uh, and I think that probably if I'm a help desk operative and someone's calling asking for a password reset and they mention they're a contractor, that sort of immediately the story tracks in my head. Do you think that's fair?
Hugh Williams:I think that's fair. The other thing that was well known about these folks is that their English was excellent. Um, they'd done this before. They're very, very good at persuading people like help desk employees to do the things that they wanted to do. So these are very accomplished people, very crafty, very good at pitching the right story in the right way to the right people.
Hannah Clayton-Langton:And they ring the M&S help desk, which is also a third party, which I think that's not uncommon here, right?
Hugh Williams:Yeah, and that's important, Hannah. I mean, you are as weak as the weakest link. And so if one of your contractors or suppliers is a weak link, then that's usually the vector that folks are going to use to get into your systems.
Hannah Clayton-Langton:That makes sense. If I were a hacker, which is something I think I'm gonna say a lot in this episode, I'd probably be looking for stuff like that. And um, I don't know that that means to say that by leveraging contractors or third parties, you inherently create a vulnerability. But I think if you don't set them up for success and integrate them correctly, then they could quite easily become one.
Hugh Williams:Yeah, absolutely.
Hannah Clayton-Langton:Okay, so the hackers pose as these contractors, they call up the help desk, the people at the help desk are trying to help because that's their job. They reset their passwords, and these guys are in. They're in the systems. And from all accounts, so I think M&S issued some official communication that they caught this whole hack pretty early days. But I think that's been somewhat debunked.
Hugh Williams:Yeah, I don't think that's true. I think what is true is that once the ransomware was executed, and we'll talk about ransomware and what it does a little bit later on. Once that was executed, M&S were very quick to explain that that's what happened and begin a path that took a long time towards rectification. But uh, I don't think they were quick to detect that the hackers were inside their systems. And some folks are saying they were probably in there at least a couple of months.
Hannah Clayton-Langton:We can talk later about whether or not that's unusual. I think the answer is no. Not unusual. No. Okay. So hackers they get in, they exploit this vulnerability, and then they do like a few really key things that sort of set them up for success and taking things down.
Hugh Williams:Yeah, that's right. I think there's a couple of parts of the story that we'll never know the real details to, but what's certainly happened is they got in as fairly low-level employees, right, or as contractors. They've now got access to some system. It's certainly not going to be the absolute core of M&S, but they're in. They're in the edges. They've made it into some of the outbuildings if you wanted to use an analogy. Somewhere along this track over the next couple of months, they've managed to what we call escalate their privileges. So they've managed to figure out how to get more access to, you know, more of the buildings to continue the analogy. Now, they might have done that in a couple of different ways. One way is perhaps repeating this thing that they've done. So they now perhaps know a little bit more, perhaps they can do a little bit more social engineering.
Hannah Clayton-Langton:So they're calling the help desk again to be able to do that.
Hugh Williams:Perhaps, or calling someone in the finance department or whatever it is, right? So at some point they're getting more and more access.
Hannah Clayton-Langton:And I think that folks are trying to be helpful. Like I work for a tech company, and if you need access to something, yeah, I'm gonna try and help.
Hugh Williams:Sure, I'll share the spreadsheet with you. As long as I believe you are who you are. And I guess because they're inside, they're able to do some research and probably build up a more credible story that they can then email about, talk about whatever else it is. But slowly but surely over this period of time, they're escalating their privileges, they're getting more and more access.
Hannah Clayton-Langton:And the way in which they infiltrated helped them do all this undetected, right? Because they've just got a normal employee login at this point. So you'd have to be pretty sophisticated in your monitoring to know that they're doing anything beyond what any normal employee would be doing, right? Like getting access to systems, logging in, having a look around.
Hugh Williams:Yeah, possibly. Possibly. I mean, I think the best of the best will certainly look for behaviors or patterns or unusual access by employees to unusual things and detect those. If you tried this out on one of the largest tech companies in the world, you'd probably get detected a little bit more quickly.
Hannah Clayton-Langton:Okay, because they'd be like, why has the contractor got access to the Active Directory or something like that?
Hugh Williams:Yeah, yeah. Or why does this particular person change their login from a particular computer and come in as somebody else? Or who knows? Who knows? But I would say, you know, these patterns are, it's very difficult to do these things without getting detected if you're really, really working hard on the detection.
Hannah Clayton-Langton:Okay, and we talked about this a little bit. I think it was in the product management episode when we were talking about like banks needing a certain level of security or user insight. And those are the kind of companies that are really going to be hot on like, why have you suddenly logged in from a location in Australia or whatever it is.
Hugh Williams:Yeah, exactly. Exactly. So anyway, this story, right? So they're in, they're escalating their privileges somehow, they're getting access to, you know, sticking with our analogy, more and more buildings on the compound. At some point, they get access to what's called the Active Directory, and that is effectively the list of usernames and encrypted passwords. We can talk about encryption in a second, but encrypted passwords for everybody at M&S who can access any of the systems at M&S. And this is something that certainly should have been detected: they download this file.
Hannah Clayton-Langton:Oh my god. Okay, wait.
Hugh Williams:So they take it off, they take it out of M&S's systems into their systems.
Hannah Clayton-Langton:Okay, so Active Directory, I presume you normally would give like three people in the company access to.
Hugh Williams:Exactly, yeah. I mean, look, I'll tell you a quick story. You know, when I was at Google Maps, I ran the whole of Google Maps, right? So I ran the whole of product and engineering, I did not have access to user data.
Hannah Clayton-Langton:Well, and why why would you need that, right? If you think about your day job.
Hugh Williams:So you want as few people as possible to have access to that data, and even the person who runs it doesn't need access to it. So I couldn't go and look up, you know, where you'd been in the world and how you'd moved around. I mean, it just simply was not possible, despite the fact that I'm the person who leads the whole organization. So the best of the best will lock down access to critical pieces of the infrastructure as hard as they can possibly lock it down. But somehow they've got this file and they managed to take it off site. And that should have been detected. And then again, look, some of this is speculation, right? We'll never, we'll never hear the true story. But they've got this file, and then I imagine what's happened next is they've used what's called a brute force attack, and they've gone and tried to figure out the passwords of some of those usernames.
Hannah Clayton-Langton:Okay, so you said that the Active Directory has encrypted passwords, which means that it's not hannah.clayton9 or whatever, plus my password. The password is like coded in some way.
Hugh Williams:Yeah, that's right. And look, occasionally you'll hear of a company where passwords were stolen, and that's a company that's incompetent. So you should never ever store passwords in their plain unencrypted form. So no company should have a representation of your password that's actually your password. So all companies should be storing an encrypted version of your password. And maybe the simplest way to understand that, let's imagine that your password was an essay on a page, right? So you've got 500 words on a page. The encrypted version might be every tenth letter off that page saved as a string in the file. Now that's not literally what's going to happen because we're gonna scramble it, we're gonna spin the dials, if you like, in really interesting ways. But the encrypted version of your password is not the complete password. It's a sampling, if you like, of the password. So it's actually kind of one way, right? So if I only got every tenth letter off the page, I can't recreate the essay.
Hannah Clayton-Langton:So I don't want to take us down a rabbit hole on encryption, although I am very interested in it. Marks and Spencer's or Google or wherever I'm logging in, they don't have my password written down anywhere. They have an encrypted version of it stored.
Hugh Williams:Correct.
Hannah Clayton-Langton:Okay. They, however, do know how to recognize the correct password.
Hugh Williams:Yeah, because then, so let's stick with this essay analogy. If you provide the whole essay, they can again go and take every tenth character and see if it matches what they've got saved on their system, right? So if you provide the full password, they can run it through the same algorithm to produce the same what we call lossy version of the password. And then they can compare that sampling of the password to what they have stored. And they can say, oh yeah, great. This is actually Hannah because she's provided the same input to give us the same output.
Hannah Clayton-Langton:Okay, and the encryption algorithm, it's like a standard rule that you put in for... Yeah.
Hugh Williams:So there's a bunch of different encryption algorithms, and some of them are easier to what we call crack than others. And maybe let's just talk about cracking for a second, right? You can pretty trivially, um, listeners might want to try it, but you can pretty trivially get lists on the internet of typical passwords. You can say, you know, I want a list of common passwords, and you can download files that have probably got hundreds of thousands, if not millions, of very common passwords.
Hannah Clayton-Langton:I suspect this is one of those moments where we don't realize as individuals how similar we all are. And so there's probably like quite a lot of overlap in the types of passwords people have.
Hugh Williams:Yeah, absolutely. I mean, people use, you know, dog's names, their birth date, the word password, you know, parts of their login name, you know, the street they live in, these kinds of things. So, you know, you're not original if you're having these ideas. And so you can get a file that contains a very large sample of all these typical ideas. And then, of course, what you could do is you could run each one of those passwords through the encryption algorithm that you know M&S is using and produce the password. And if the password matches what's saved in the Active Directory, then you say, bingo, the CEO's password is clearly this, because the encrypted version that you've created matches the encrypted version that's stored in the Active Directory. So if you've got enough time and enough energy and enough compute resources, you can keep running passwords through these algorithms and you can produce the encrypted password and get a match. And if you do that for long enough, then you can get the passwords of lots of people. So this is a very, very valuable asset to have, especially if you can take it off-site and do this kind of what we call brute force attack.
Hannah Clayton-Langton:First of all, I'm gonna ask you later why you know that you can buy passwords off of the internet. But do you think that's what happened? Do you think that the attackers in the Marks and Spencer's case figured out what the encryption algorithm was and therefore like unencrypted all of the passwords?
Hugh Williams:Yeah, probably not all of them, but enough to give them some very serious access. So they probably at this point got admin access to the system, which effectively means, sticking with our building analogy, they can get into any part of the building they feel like and do anything they feel like doing. So they've probably come in as a contractor, escalated enough to be able to get their hands on the Active Directory, taken the Active Directory away, spent some computing resources, and then come back with the admin password. Admin login and admin password, now they can do anything they like to M&S. That is a couple of months of hard work.
Hannah Clayton-Langton:Yeah. If you take out the context that it's crime, it sounds quite interesting, sort of intellectually, but obviously the impact of that for real customers and for the business is pretty catastrophic.
Hugh Williams:Yeah, I mean, you know, terrible, terrible thing that happened to M&S and their shareholders, employees, the customers, everybody, right? This is a disastrous outcome.
Hannah Clayton-Langton:Yeah, I think I saw that there was like 300 million pounds worth of impact that someone had assessed. And they were like reverting to pen and paper to replicate some of the processes that were downed by the systems being out.
Hugh Williams:Yeah. And maybe that's a good time to pause and say, well, what did they do next, these hackers? So the hackers used this ransomware program called DragonForce. It's not important that it's called DragonForce, good name, nice name for a bit of ransomware. And basically what they did is they effectively detonated this thing inside of M&S. And what this did was it encrypted every single computer that they could possibly get to across M&S. So now your computer doesn't work anymore. It's effectively been turned into a giant password. Unless you know the password, you cannot use this piece of computing equipment. So they did this to as many computers as they could possibly get their hands on, roughly simultaneously. And so every computer effectively at M&S became locked.
Hannah Clayton-Langton:That's the point at which M&S say we became aware of it and we immediately started managing it, which is true from the point of the ransomware deployment. But what was happening possibly up to two months prior, and it sounds like what happens in a lot of cases with hacking, is these folks get in the back door, through the window, and then they set up all the different component parts of their plan, and then they hit the big button. Yeah.
Hugh Williams:Yeah. And of course, you know, I'll say it again. I'm speculating a little bit, I'm relying on what I've read, but this is a pretty common pattern, right? You get in as a low-level employee, work your way up, eventually get admin access, and then let rip. It's really terrifying. Yeah, it is. It is.
Hannah Clayton-Langton:I think I read also, and I can talk about this from a customer perspective in a minute, but that whilst they were in there prepping, they stole a whole bunch of customer data as their like blackmail material. So they're thinking, in a situation where Marks and Spencer's can like revert the encryption and get back up and running really quickly, we also now have something to hold over their heads, I assume to basically just like get some money out of them. Yeah.
Hugh Williams:I think they call it a double blackmail. We can now say, look, you know, pay us and we'll restore your computers. And if you don't pay us or you do restore your computers, then we're going to release all of your users' data anyway.
Hannah Clayton-Langton:So I, as a customer of Marks and Spencer's, because I'm a big fan, by the way, of Marks and Spencer's and was very disappointed that I couldn't order anything online for over a month. But I got an email saying that like some manner of my customer data had been like exposed, but that it wasn't payment data or like passwords. They were like, you may have read that this data has been stolen, and if it were, it's not like anything you need to worry about. That's my memory of the email. I tried to find it yesterday, but I think I've deleted it.
Hugh Williams:Yeah. This happened to my favorite airline, Qantas. It's what I fly back and forth to London on. All of their frequent flyer data was stolen recently and actually released on the dark web because Qantas, I guess, didn't pay the ransom they needed to pay. And um, so all of my data's out there now and my meal preferences, you know, what seats I like to sit in, all those kinds of things.
Hannah Clayton-Langton:Interesting, because my husband, just to talk about how common I think this stuff is at the minute, my husband's Eurostar account was like somehow hacked for the frequent flyer equivalent, like the points. And someone had then used his points to book like a free London to Paris journey. I guess it's like the same thing, like someone goes in, finds something worthwhile, and they basically they might be selling it to someone on the dark web who wants a cheap ticket to Paris or something like that.
Hugh Williams:Yep, exactly. I mean, this is uh it's a whole industry.
Hannah Clayton-Langton:Okay, so they basically down the whole thing. M&S, I assume. Well, M&S, let's be very clear, publicly state that they've never paid any ransom to the hackers. So on that basis, I can only assume that they rebuilt from the ground up over that 46 days, I think it was, that their online systems were down. And by the way, it's all back up and running. I go into M&S regularly to buy stuff, contactless works, I've got an online order brewing.
Hugh Williams:So, like for all intents and purposes, they even told a story that you know they brought forward a whole bunch of system upgrades and whatever else. And while they were down, they quickly went forward to the next version of their exciting new systems rather than take two years, it took them, you know, no time at all because the systems were down, so they were fast to update. So they definitely spun this.
Hannah Clayton-Langton:Isn't the inference there that the systems were overdue a massive update? Yeah, do you think so?
Hugh Williams:Yeah.
Hannah Clayton-Langton:I need to be clear, this is all conjecture. Yeah, yeah.
Hugh Williams:And look, you know, it's very hard to get to the bottom of these stories, right, for lots of very good reasons, both, you know, safety and legal reasons and also, you know, reputational reasons. But you know, let's talk about why it took them 40 days, though. Let's imagine Utopia, right? So let's imagine you and I work at the best run company in the world, and this happens to us. Bad luck, bad management, you know, really sophisticated attackers. And imagine you're running the IT team. First thing I'm gonna do, Hannah, is I'm gonna go, so you can just restore from backups, right? You've been backing up all of our machines and all of our important software, and you've stored that, right? So can you just get those backups out of the cupboard and get all our machines up and running? How long is that gonna take? And you're gonna say, oh, hours or a day or some fairly short amount of time. And that didn't happen here, right? So something's gone horribly wrong. If I were to speculate, I'd say it's one of two things. It's either the folks that hacked the system encrypted the backups or deleted the backups.
Hannah Clayton-Langton:And that's because the backups weren't, I'm gonna use your like building analogy. In a world where this is a building, you want your backups like off-site somewhere. Yeah, yeah, yeah.
Hugh Williams:Maybe you dig a moat around the building that you can't swim through, full of alligators, exactly. Yeah. Yeah, we call that air gapped. So what we'd say is that the backups shouldn't be on the same network, shouldn't be connected to the main infrastructure, right? Because if they're connected, so if you've got a bridge across to the outbuilding, the thieves can just wander across the bridge and into the outbuilding and do things to your backups. Whereas if you don't have a bridge, you've got a moat full of crocodiles, you know, you've very literally perhaps stored them on tape and put the tapes in a safe somewhere else, then there is no way these folks who've got into your systems can actually mess with your backups. So something's gone wrong here. The backups have been deleted, or the machines that have the backups have also been encrypted in the same way as all their other machines.
Hannah Clayton-Langton:Because there's not enough of a break in the circuit of systems.
Hugh Williams:Just simply not, I mean, you simply should not connect wherever your backups are stored to the network, right? Like it should not be connected. So that's one possibility. The other possibility is more of a competence question, which is lots of companies, and I know some of our listeners are going to work at companies that are in this situation. Lots of companies do backups, but they don't actually practice restoring the backups. So you think you're doing a great job of backing up, but it turns out when you go to restore them, you're like, ah, you know, we've never tried this before. We didn't back up something we needed to back up, we didn't back up a critical system, we backed up only some of the systems. Restoring it's really hard, doesn't work. So often competence gets you here.
Hannah Clayton-Langton:Well, that's like my friend once gave me her spare key to water her plants while she was away for a month. And then when I went to her flat, the key didn't work properly because it hadn't been cut right. And she'd never used that key. Well, she'd gone and got it copied and then given it to me. But it's, I mean, it sounds so obvious, but you think you've done the job by doing step one. But as you say, if you don't practice utilizing it, then you don't know how strong your backup is.
Hugh Williams:100%. Yeah. 100%. So something's gone horribly wrong here. Backups weren't able to be restored. And so I guess once they've realized this, they've gone, okay, there's no other way to get our systems back up and running except start from scratch. So we need to go machine by machine, re-image the machine, reinstall the operating system, get the software on there, get it running, you know, test them, get them on the network, whatever else it is, and slowly but surely, you know, work through every single computer that's affected at M&S to get the systems back up and running. And they've chosen, for good or for bad, at the same time to do some upgrades.
Hannah Clayton-Langton:Okay. So that sounds like a really difficult 46 days for a lot of folks on the teams at Marks and Spencer.
Hugh Williams:Yeah, I don't think there would have been a lot of sleep. I mean, what a terrible thing to happen to these folks. Look, there may be some questions of competence and detection and backups and whatever else, there's some processes that need improving, but what a terrible thing to happen to, you know, an engineering team and a whole company.
Hannah Clayton-Langton:100%. And I am sure that they are not the only company with these vulnerabilities. One of my global takeaways from prepping for this episode is this stuff's like a lot of work. But at the same time, I could see that if you're in a high growth phase or you're budget constrained, that like your security engineer is coming in and saying something needs to take a certain amount of time or requires a certain amount of investment will just immediately get squeezed and challenged because it's not sexy. It's not deploying cool new AI or product features, it's like the plumbing behind the scenes that is probably pretty dense and complex to even explain to like the executive team.
Hugh Williams:Yeah, absolutely. You know, probably goes in the same bucket as, should we work on accessibility for people with vision impairment? You know, you sort of say, oh, we'll do that later.
Hannah Clayton-Langton:Yeah.
Hugh Williams:Yeah. And wrong, wrong choice. Wrong, wrong choice.
Hannah Clayton-Langton:Yeah, definitely. Okay. And to round up the M&S story, the criminals were arrested, or at least some of them. So there was a group called Scattered Spider. I think I read somewhere that it was like an offshoot of that group, but there's like these hacking groups and communities that exist. And like the craziest thing about this one was that they arrested three people in the UK, or sorry, four. And they were all between 17 and 20 years old.
Hugh Williams:Yeah, yeah, yeah, yeah. Which is probably, I mean, I don't think there's any mathematician who's invented anything interesting past the age of 30. So maybe one of our listeners will correct me on that, point out something. But yeah, no, it's definitely when your brain is perhaps best at these things, you know, teens into the 20s.
Hannah Clayton-Langton:For me, it's not like their intellectual capacity to do this, it's their nefarious intent at that age. Because this is a really serious crime.
Hugh Williams:Yeah, the folks are gonna potentially get locked up for a really, really long time for this, right? Enormous, enormous damage. And let's be clear, these groups are not nice groups of people, right? They're up to all sorts of things. So these are dangerous individuals doing very unpleasant things, and there'll be consequences.
Hannah Clayton-Langton:If anyone is feeling super nerdy, I sometimes listen to this podcast that I think is called Darknet Diaries.
Hugh Williams:Yeah, very good.
Hannah Clayton-Langton:Yeah, and it's like they interview hackers. They're mostly hackers that have sort of seen the light. But in the most recent episode, this guy, you know, they don't reveal their identities, and I think they like being really candid and open about all their crimes, but it's really dark.
Hugh Williams:Yeah, it is. We should get somebody on for series two.
Hannah Clayton-Langton:Yeah, if I keep promising things in series two, maybe if anyone is a hacker, ethical or otherwise, and wants to talk to us, we would totally love to talk to you. Although I would say ethical hackers preferred, because I'm not sure about the moral argument around interviewing a hacker and them telling you about all their criminal intent, and what you do with that as a podcaster.
Hugh Williams:No, we'll go with the ethical white hat hacker on the show for sure.
Hannah Clayton-Langton:Okay.
Hugh Williams:We need a series two.
Hannah Clayton-Langton:We need a series two, guys.
Hugh Williams:So yeah, listen, share, subscribe, get me to Melbourne. Get Hannah to Melbourne.
Hannah Clayton-Langton:So this particular example felt relevant because it's quite recent. Like the arrests were made fairly recently. The hack itself happened in the last six months. And there's definitely some generic learnings that are interesting and insightful to talk to.
Hugh Williams:There's been a few in the news, Hannah. I was reading about one company called Colonial Pipeline. I don't know if you've bumped into those folks. They're a major oil and gas pipeline company in the US, and they had a ransomware attack, you know, similar sort of story to the M&S story, and they were unable to, you know, make fuel travel around in the east coast of the US, and it caused panic buying at gas stations. So, you know, these attacks can be pretty serious. I mean, here in the UK, obviously it's affected the food suppliers, but you know, this example in the US affected another piece of critical infrastructure. So, you know, these things are pretty dangerous.
Hannah Clayton-Langton:Yeah, I guess in the UK example, customers being worried about their data being exposed, to me, is probably the biggest concern, particularly with such a well-known, trusted, respected retailer. And this, to me, and the Colonial Pipeline example, is just a reminder that the hackers are going for vulnerabilities that they believe are valuable. Like in the UK a few years ago, they went after our National Health Service computers, which clearly hadn't been robustly invested in from a cybersecurity perspective, or at least that is my conclusion from what happened. But people couldn't have their surgeries done that day. So that's when it gets pretty dark. Like you're trying to disrupt the gas supply to folks during the winter. I don't know if that one was during the winter, but I assume it was a critical time. Yeah. That's where, you know, we got to remember that there's some really intellectually interesting discussions. But all in all, these people are nasty operators looking to create quite significant threats to infrastructure and the well-being of populations to maximize the amount they get paid.
Hugh Williams:So I think, you know, the story on the street was that this Colonial Pipeline company paid $4.4 million to get this reversed by the hackers. You know, they're going for critical infrastructure because they can hold these folks to ransom and get a lot of money.
Hannah Clayton-Langton:Okay, so that M&S case study has actually turned out to be a super rich case study that's teased out quite a lot of interesting insight already. I reckon we cut it here and come back next week to get into some more of the technical aspects of hacking more generally.
Hugh Williams:I think that's a great idea, Hannah. I mean, there's so many more things to talk about, you know, viruses, worms, trojans, SQL injection attacks, how people can be more secure, you know, tips for companies. And I think the M&S story sets it up super, super well. So I think a second episode would be fabulous.
Hannah Clayton-Langton:Okay, so that takes us to the end of part one on hacking, the anatomy of a hack. And we'll see you next week for part two. If you've liked what you've listened to today, do subscribe wherever you get your podcast, give us a review, share with your friends, and you can find us on LinkedIn, Instagram, and X.
Hugh Williams:Yeah, and we're also available at techoverflowpodcast.com. And if you do like, subscribe and share this episode and our series, there's a fair chance that Hannah will get to Australia and there will be a second series.
Hannah Clayton-Langton:Thanks for listening, and we'll see you all next week. Bye. Bye.