Episode transcript, 29/04/2017.
Line | From | To | |
---|---|---|---|
Finally there is a box which is immune | 0:00:04 | 0:00:13 | |
Over the last few years, billions of e-mail accounts | 0:00:14 | 0:00:49 | |
Last year, Yahoo announced that over 1.5 billion e-mail accounts | 0:00:50 | 0:01:00 | |
were compromised between 2013 and 2014, the largest | 0:01:01 | 0:01:02 | |
Then it emerged that Russian hackers had gained access to 60,000 e-mails | 0:01:03 | 0:01:10 | |
from Hillary Clinton's presidential campaign. | 0:01:11 | 0:01:14 | |
Some believe the resulting leaks helped swing the election for Trump. | 0:01:15 | 0:01:23 | |
is something most of us already knew, | 0:01:24 | 0:01:27 | |
we send, each of us, all the time, hugely personal information | 0:01:28 | 0:01:30 | |
Information that we'd like to keep private, | 0:01:31 | 0:01:34 | |
but others are all too often able to see. | 0:01:35 | 0:01:36 | |
So how about something that guarantees to protect | 0:01:37 | 0:01:38 | |
Sounds like something you want to have, doesn't it? | 0:01:39 | 0:01:44 | |
Well, this is Nomx, a box which promises | 0:01:45 | 0:01:46 | |
It was at CES that we came across this device as it was introduced | 0:01:47 | 0:01:58 | |
I met the boss, Will Donaldson, who has impressive security | 0:01:59 | 0:02:03 | |
He's worked in computer security and worked on web applications | 0:02:04 | 0:02:08 | |
for the Pentagon, the Marine Corps and he was Chief Technology Officer | 0:02:09 | 0:02:15 | |
for the F35 joint strike fighter communications facility. | 0:02:16 | 0:02:17 | |
So what does he think is wrong with bog-standard e-mail? | 0:02:18 | 0:02:24 | |
Well, the Nomx promotional videos explain the problem. | 0:02:25 | 0:02:26 | |
When you send an e-mail, copies of the message end up | 0:02:27 | 0:02:29 | |
on several internet servers along the way. | 0:02:30 | 0:02:33 | |
Will says all of the recent big e-mail hacks have involved one | 0:02:34 | 0:02:36 | |
of these servers being compromised and what's more | 0:02:37 | 0:02:38 | |
So those vulnerabilities, we have identified six core ones | 0:02:39 | 0:02:45 | |
that encompass 100% of hacks that have occurred to date. | 0:02:46 | 0:02:51 | |
Will's solution is a $199 box that acts as your own | 0:02:52 | 0:02:54 | |
It'll talk to other e-mail services, but where it comes | 0:02:55 | 0:03:02 | |
into its own is when it connects directly to another Nomx box | 0:03:03 | 0:03:06 | |
at the other end, the pair of them replacing the cloud servers | 0:03:07 | 0:03:14 | |
that your message would usually flow through. | 0:03:15 | 0:03:17 | |
That means no copies are stored anywhere | 0:03:18 | 0:03:18 | |
The idea has caught the imagination of some in the security industry, | 0:03:19 | 0:03:28 | |
who've called it a "personal cloud on steroids" and Will himself has | 0:03:29 | 0:03:31 | |
become a bit of a star, being interviewed on US national | 0:03:32 | 0:03:35 | |
television and elsewhere in the media as a security guru. | 0:03:36 | 0:03:43 | |
So what you're pitching here is that you can make a black | 0:03:44 | 0:03:46 | |
box, that black box there, that is more secure | 0:03:47 | 0:03:49 | |
than a multibillion dollar company's servers? | 0:03:50 | 0:03:50 | |
It's been proved they're vulnerable, my question to you is, | 0:03:51 | 0:03:58 | |
you're not a multibillion dollar company. | 0:03:59 | 0:03:59 | |
Not yet. Not yet. | 0:04:00 | 0:04:00 | |
Why should I believe that your security is any better | 0:04:01 | 0:04:03 | |
than theirs and why should I believe that there are no vulnerabilities | 0:04:04 | 0:04:06 | |
that you have accidentally left in your box? | 0:04:07 | 0:04:09 | |
What we've done is identify the categories of those | 0:04:10 | 0:04:12 | |
vulnerabilities and all of the hacks that have occurred have been | 0:04:13 | 0:04:15 | |
By removing them from the equation, we have now negated them | 0:04:16 | 0:04:19 | |
So the theory sounds a good one - avoid making multiple copies | 0:04:20 | 0:04:24 | |
of your messages across potentially vulnerable servers on the internet. | 0:04:25 | 0:04:28 | |
You just have to rely on the Nomx boxes themselves not | 0:04:29 | 0:04:31 | |
You all know this man, Dan Simmons, one of Click's most experienced | 0:04:32 | 0:04:38 | |
reporters and famously, if someone says something | 0:04:39 | 0:04:40 | |
is unbreakable, you try and break it? | 0:04:41 | 0:04:42 | |
Well look, on this programme we look at new things and we are as excited | 0:04:43 | 0:04:48 | |
as anybody to see them, but sometimes just sometimes, | 0:04:49 | 0:04:54 | |
something seems a little bit too good to be true and absolute | 0:04:55 | 0:04:57 | |
security, I've never heard anyone in the cyber security industry | 0:04:58 | 0:05:00 | |
promise that, but that is exactly what this company are doing. | 0:05:01 | 0:05:03 | |
So to prove a point, you're going to try and hack this box? | 0:05:04 | 0:05:07 | |
I think I've found somebody who may be able | 0:05:08 | 0:05:11 | |
Scott Helme is one of the UK's most respected professional white hat | 0:05:12 | 0:05:18 | |
He's helped discover some big security flaws in the past, | 0:05:19 | 0:05:24 | |
including hacking home routers and electric cars. | 0:05:25 | 0:05:28 | |
Scott's had the Nomx box in his hands for just a few minutes | 0:05:29 | 0:05:35 | |
Hey, Scott. How's it going? | 0:05:36 | 0:05:40 | |
How'd you get on? Good, yes. | 0:05:41 | 0:05:42 | |
I have had a look over this device and I was quite surprised | 0:05:43 | 0:05:46 | |
So when I flipped it over, we saw what we call the MAC address | 0:05:47 | 0:05:51 | |
here, which is the device's unique identifier and these first three | 0:05:52 | 0:05:54 | |
segments identify the manufacturer, that tells you who builds | 0:05:55 | 0:05:56 | |
So I went away and I looked these up and they're actually registered | 0:05:57 | 0:06:00 | |
to the Raspberry Pi Foundation that make the Raspberry Pi computer. | 0:06:01 | 0:06:04 | |
That's the hobbyists' computer we've seen on Click. | 0:06:05 | 0:06:06 | |
The credit-sized device. But Nomx is the manufacturer? | 0:06:07 | 0:06:08 | |
So what I did, I went ahead and opened this up | 0:06:09 | 0:06:11 | |
Is there is in fact a Raspberry Pi inside this, which is white | 0:06:12 | 0:06:20 | |
There's nothing else they have done with this that we can see inside. | 0:06:21 | 0:06:25 | |
That is just a standard £35 Raspberry Pi. | 0:06:26 | 0:06:27 | |
But what does that say to you when as a security guy | 0:06:28 | 0:06:33 | |
I guess, there are further things to be found here that | 0:06:34 | 0:06:37 | |
I've also asked Professor Alan Woodward, a well-known cyber | 0:06:38 | 0:06:42 | |
security expert, who's advised the UK Government and Europol | 0:06:43 | 0:06:44 | |
to take a look at the Nomx box to see how it works. | 0:06:45 | 0:06:48 | |
Well, already through the set up process, there is a few things | 0:06:49 | 0:06:53 | |
for a product that bills itself as being absolutely secure, | 0:06:54 | 0:06:58 | |
there's a few things that we found that give rise for concern. | 0:06:59 | 0:07:01 | |
And we certainly want to look a bit further into it. | 0:07:02 | 0:07:06 | |
Just plugging it in has sent alarm bells ringing for Alan. | 0:07:07 | 0:07:09 | |
The set up of the device is through a web application that | 0:07:10 | 0:07:12 | |
Now, that is a key port on his router he will need | 0:07:13 | 0:07:21 | |
to communicate with popular e-mail servers like Gmail | 0:07:22 | 0:07:23 | |
It's never going to receive e-mail from an external service. | 0:07:24 | 0:07:27 | |
Unless you know to go to your router and change port 25. | 0:07:28 | 0:07:32 | |
No, it doesn't, the documentation doesn't have it in there. | 0:07:33 | 0:07:37 | |
It tells you all these other ports, but not port 25. | 0:07:38 | 0:07:40 | |
So you're having a quiet life for a few years to come receiving no | 0:07:41 | 0:07:44 | |
Hotmail instantly knows that you're sending it | 0:07:45 | 0:07:47 | |
It's what's called a dynamic address, because it changes. | 0:07:48 | 0:07:53 | |
Every time you turn your router on you get a new one. | 0:07:54 | 0:07:57 | |
It spots that and says, we don't accept e-mails | 0:07:58 | 0:08:00 | |
Because they just assume nobody's going to be running an e-mail server | 0:08:01 | 0:08:04 | |
So this box can't send an e-mail to Hotmail? | 0:08:05 | 0:08:08 | |
To any Hotmail address? No. | 0:08:09 | 0:08:13 | |
And if you try and send it to something like Gmail, | 0:08:14 | 0:08:17 | |
then what happens is, because of things like the way | 0:08:18 | 0:08:22 | |
Hotmail spots it, as you will see there, | 0:08:23 | 0:08:24 | |
Spamhaus, which is one of the biggest spam filters, | 0:08:25 | 0:08:31 | |
Now, to be fair, Nomx doesn't open port 25, | 0:08:32 | 0:08:38 | |
But as we've seen, without 25 open, it's going to be | 0:08:39 | 0:08:42 | |
difficult to hear from the rest of the world. | 0:08:43 | 0:08:44 | |
Well, bearing in mind it has one job to do, | 0:08:45 | 0:08:47 | |
which is be an e-mail server, that's a pretty poor show. | 0:08:48 | 0:08:51 | |
And there were more surprises to come when Alan opened the box. | 0:08:52 | 0:08:54 | |
One of the simplest machines to break into is a Raspberry Pi. | 0:08:55 | 0:08:58 | |
Everything is on this one little card. | 0:08:59 | 0:09:04 | |
It is on one of these tiny little cards. | 0:09:05 | 0:09:06 | |
So all of your e-mails, all of your software, | 0:09:07 | 0:09:11 | |
everything is running on one of these tiny little cards. | 0:09:12 | 0:09:14 | |
Now, actually, if somebody did have physical access to this | 0:09:15 | 0:09:17 | |
what they could do is they could whip that card out, | 0:09:18 | 0:09:20 | |
copy it, put the card back in, put it all back together | 0:09:21 | 0:09:23 | |
and you'd be none the wiser and they have got a copy | 0:09:24 | 0:09:26 | |
of everything, including your e-mail. | 0:09:27 | 0:09:27 | |
Because one of the things about this is it's not encrypted in any way | 0:09:28 | 0:09:31 | |
This is not using any encryption? For storage, none at all. | 0:09:32 | 0:09:35 | |
And what we did was, you said the simplest thing to do, | 0:09:36 | 0:09:38 | |
because it is a complete Raspberry Pi, the simplest thing | 0:09:39 | 0:09:41 | |
to do was actually plug it into a monitor and see what came up. | 0:09:42 | 0:09:45 | |
HDMI cable. Here we go. | 0:09:46 | 0:09:48 | |
The first concern would be if it is actually running | 0:09:49 | 0:09:50 | |
Raspberry Pi as an operating system, which it is, it immediately tells | 0:09:51 | 0:09:53 | |
Postfix is the mail transport agent, that is part of the mail server. | 0:09:54 | 0:09:58 | |
It was just all totally standard stuff. | 0:09:59 | 0:10:02 | |
So how old is the software on there at the moment? | 0:10:03 | 0:10:04 | |
Well, that's another thing that we found, | 0:10:05 | 0:10:06 | |
In that it's so old we couldn't actually get hold of some | 0:10:07 | 0:10:12 | |
It's running Raspberry Pi's own operating system. | 0:10:13 | 0:10:15 | |
It's a version called Wheezy, which you can no longer download | 0:10:16 | 0:10:18 | |
They have taken it off because they don't want people | 0:10:19 | 0:10:22 | |
Likewise all this Postfix Admin, there is another piece | 0:10:23 | 0:10:28 | |
of software called Dovecot, all of which are free bits | 0:10:29 | 0:10:31 | |
of software, but some of it dates back to 2009. | 0:10:32 | 0:10:34 | |
It's inevitable that people will find bugs, | 0:10:35 | 0:10:36 | |
flaws, in any bit of software and what people do is they release | 0:10:37 | 0:10:39 | |
The problem with the way this is put together is there is no way | 0:10:40 | 0:10:52 | |
There is a whole series of things about the way this is put together | 0:10:53 | 0:10:56 | |
that make you think, absolute security is... | 0:10:57 | 0:10:58 | |
A stretch I think is the best way to put it. | 0:10:59 | 0:11:01 | |
Now, it is important to say at this point, | 0:11:02 | 0:11:04 | |
there is nothing wrong with the hardware or the software | 0:11:05 | 0:11:07 | |
that you're talking about per se, Raspberry Pi is fine, | 0:11:08 | 0:11:10 | |
the software used, Postfix Admin, is just a piece | 0:11:11 | 0:11:12 | |
Yes, I mean the Raspberry Pi is a great bit of kit and Postfix, | 0:11:13 | 0:11:17 | |
as in the other programmes we have looked at, they do the job, | 0:11:18 | 0:11:20 | |
if you've got the latest versions of them. | 0:11:21 | 0:11:22 | |
They're still selling this box right now as a finished product? | 0:11:23 | 0:11:29 | |
It was being sold when you were testing it? | 0:11:30 | 0:11:31 | |
Absolutely, and as we're filming it is today. | 0:11:32 | 0:11:34 | |
OK, you've studied the box, what next? | 0:11:35 | 0:11:35 | |
Well, surprise, surprise, Scott thinks he can hack it. | 0:11:36 | 0:11:38 | |
So I thought, yeah, OK, fair enough, go ahead and we'll film it. | 0:11:39 | 0:11:41 | |
So to start with, we decided to get a second box in, | 0:11:42 | 0:11:45 | |
just to make sure this wasn't a prototype or there was anything | 0:11:46 | 0:11:48 | |
dodgy with it and that came along in the post. | 0:11:49 | 0:11:51 | |
Right, got a letter in the post from Nomx to say, Dear Dan, | 0:11:52 | 0:11:54 | |
as per your request I have enclosed another device for you to use | 0:11:55 | 0:11:58 | |
See what you make of it. Let's see. | 0:11:59 | 0:12:04 | |
So, we appear to have some instructions in this one. | 0:12:05 | 0:12:13 | |
Yes, the original device. They do appear, it appears the same. | 0:12:14 | 0:12:18 | |
So that, if it is the same, it is not going to be a prototype. | 0:12:19 | 0:12:22 | |
Yeah, so this is what we are looking for are the additional ones they're | 0:12:23 | 0:12:26 | |
Looking at the MAC on the bottom, it appears to be a Raspberry Pi | 0:12:27 | 0:12:30 | |
The hardware's identical, so Scott's using a programme called | 0:12:31 | 0:12:34 | |
Meld to check if the software is the same too. | 0:12:35 | 0:12:36 | |
It's showing us that they're virtually identical with a couple | 0:12:37 | 0:12:39 | |
of minor changes that don't change the operation of the box. | 0:12:40 | 0:12:42 | |
They're actually using the same user name and password on all devices, | 0:12:43 | 0:12:45 | |
which is printed just there in the manual. | 0:12:46 | 0:12:50 | |
So this is Admin and example.com and the password is "password". | 0:12:51 | 0:12:52 | |
Obviously they do? No. | 0:12:53 | 0:12:56 | |
It's not in the instructions and when I log into the device it | 0:12:57 | 0:13:01 | |
So all these high security boxes have the same admin | 0:13:02 | 0:13:06 | |
Yes. Which is password. | 0:13:07 | 0:13:11 | |
You cannot have a weak password and a default password, | 0:13:12 | 0:13:21 | |
and this is both, and leave it on the device. | 0:13:22 | 0:13:24 | |
You should force the user to set their own password so that | 0:13:25 | 0:13:27 | |
every device in the world has a unique password. | 0:13:28 | 0:13:30 | |
Because otherwise, because we're lazy, aren't we? | 0:13:31 | 0:13:31 | |
We would just leave that as password, because I'll remember it. | 0:13:32 | 0:13:34 | |
You have one of these at home, it is just a normal router. | 0:13:35 | 0:13:41 | |
This is 7F7F, a PIN on here that's unique to this device. | 0:13:42 | 0:13:44 | |
Here's another device that I might plug in. | 0:13:45 | 0:13:46 | |
You pick up one of these Nomx boxes, there is no PIN on here, | 0:13:47 | 0:13:52 | |
apart from the security through the web server, | 0:13:53 | 0:13:54 | |
And knowing that, has opened a door for Scott to deliver a package | 0:13:55 | 0:14:08 | |
If users haven't changed their password, then Scott's | 0:14:09 | 0:14:11 | |
malicious software will hand him control of their e-mails. | 0:14:12 | 0:14:13 | |
So this the picture of the cat, there is the picture of Steve Jobs | 0:14:14 | 0:14:17 | |
and those two things go in to this page. | 0:14:18 | 0:14:21 | |
All he's got to do now is to persuade unsuspecting users | 0:14:22 | 0:14:24 | |
Completely unrelated, I'm going to show you this funny | 0:14:25 | 0:14:32 | |
Top ten funniest pictures of your pet. | 0:14:33 | 0:14:35 | |
And what I'm going to do now is I'm going to go back to the Nomx device. | 0:14:36 | 0:14:39 | |
And if I scroll down, how many e-mail addresses | 0:14:40 | 0:14:42 | |
That one was placed there by the web-site with the pictures | 0:14:43 | 0:14:50 | |
of cats and dogs on that we just looked at. | 0:14:51 | 0:14:54 | |
But what this actually does is launch something called a | 0:14:55 | 0:14:57 | |
Now when I visit this web-site, while I'm reading this article, | 0:14:58 | 0:15:01 | |
I can do anything that I want on your Nomx device, | 0:15:02 | 0:15:06 | |
We then went back and looked at these older versions | 0:15:07 | 0:15:10 | |
of the software and this is a fault that's been record | 0:15:11 | 0:15:16 | |
So they have in fact not just Nomx, but everyone's known about this. | 0:15:17 | 0:15:21 | |
Now, remember Nomx claim to have the world's most secure | 0:15:22 | 0:15:35 | |
protocol, offering absolute security and they even take issue | 0:15:36 | 0:15:37 | |
with services like Gmail and Microsoft, saying everything | 0:15:38 | 0:15:40 | |
But we've just discovered how to hack these boxes | 0:15:41 | 0:15:48 | |
The things I found are in the OWASP Top Ten, they are and have been at one | 0:15:49 | 0:15:55 | |
time the most common vulnerabilities found in the web. | 0:15:56 | 0:15:58 | |
When you teach people how to develop web applications, | 0:15:59 | 0:16:03 | |
you say, these are the things you need to check for and it's | 0:16:04 | 0:16:06 | |
the top ten things you tell them to look for. | 0:16:07 | 0:16:09 | |
Yeah, for a company that's making claims about absolute security, | 0:16:10 | 0:16:17 | |
then they should have been aware of the OWASP Top Ten and run that | 0:16:18 | 0:16:21 | |
I can't see how they can patch it and protect their consumers. | 0:16:22 | 0:16:32 | |
I can't see how they can look after the people that have been put | 0:16:33 | 0:16:38 | |
at risk and currently are at risk and always have been at risk. | 0:16:39 | 0:16:42 | |
I can't see how they can protect those people, | 0:16:43 | 0:16:53 | |
other than telling them to unplug the device and stop using it. | 0:16:54 | 0:16:56 | |
Now it's worth saying that users who had changed their admin password | 0:16:57 | 0:17:00 | |
wouldn't have been quite as vulnerable to this attack. | 0:17:01 | 0:17:02 | |
So Scott wanted to go further and found this key lying around | 0:17:03 | 0:17:05 | |
in the code - an identical key on both Nomx boxes. | 0:17:06 | 0:17:10 | |
These innocuous looking two lines are the master password | 0:17:11 | 0:17:12 | |
It shouldn't be in full view when analysing the code on the box, | 0:17:13 | 0:17:20 | |
Now, it looks like gobbledegook, because this is the master password | 0:17:21 | 0:17:24 | |
Scott's got some - shall we say - resourceful friends, | 0:17:25 | 0:17:37 | |
but the fact the master password is a five-letter word all in lower | 0:17:38 | 0:17:41 | |
A simple dictionary attack took less than ten minutes to decode | 0:17:42 | 0:17:56 | |
it, and now Scott has the keys to the castle. | 0:17:57 | 0:17:58 | |
It doesn't matter now if users have changed their admin passwords | 0:17:59 | 0:18:01 | |
from password, they just need to click on the kittens. | 0:18:02 | 0:18:04 | |
You don't have to visit this malicious web-site on the machine | 0:18:05 | 0:18:07 | |
that you're administering the box with. | 0:18:08 | 0:18:09 | |
It just needs to be another machine that's on the same network | 0:18:10 | 0:18:12 | |
So your teenage daughter, for example, or anyone else, | 0:18:13 | 0:18:15 | |
granny or whatever, could get this message, | 0:18:16 | 0:18:25 | |
click on the cute furry kitten and it is kittens! | 0:18:26 | 0:18:28 | |
One of the scary things is if I know your e-mail address, | 0:18:29 | 0:18:32 | |
I can actually change the passwords for your e-mail address and then | 0:18:33 | 0:18:35 | |
immediately log into your e-mail account, so I can effectively | 0:18:36 | 0:18:37 | |
hijack your account and take full control of it. | 0:18:38 | 0:18:40 | |
I can effectively almost wire-tap the device and see everything that | 0:18:41 | 0:18:45 | |
Alerting a company quickly that they have a security problem | 0:18:46 | 0:18:49 | |
is best practice for ethical hackers. | 0:18:50 | 0:18:51 | |
So Scott sends an e-mail to warn Nomx its users | 0:18:52 | 0:18:53 | |
Right, so it's not absolutely secure then? | 0:18:54 | 0:18:57 | |
They say Scott's hack is a proof of concept. | 0:18:58 | 0:19:07 | |
Well, Scott says it is a proof of concept. | 0:19:08 | 0:19:13 | |
That's the only hole, they haven't actually | 0:19:14 | 0:19:15 | |
The idea of ethical hacking, white hacking, is to tell | 0:19:16 | 0:19:18 | |
the company first that they can do something about it. | 0:19:19 | 0:19:21 | |
Scott's given them 30 days to sort this out, | 0:19:22 | 0:19:25 | |
before he says he will publish the details of the hack. | 0:19:26 | 0:19:28 | |
But Nomx has no way of updating its boxes, | 0:19:29 | 0:19:31 | |
so how can it possibly patch this problem? | 0:19:32 | 0:19:33 | |
30 days are up and Scott is ready to publish his findings. | 0:19:34 | 0:19:41 | |
Nomx have told him that they have notified 100% of their users | 0:19:42 | 0:19:44 | |
and updated or upgraded any devices that could be affected by the hack. | 0:19:45 | 0:19:48 | |
I have two of the devices in my possession. | 0:19:49 | 0:19:50 | |
Neither of which have been updated and I also can't find a way | 0:19:51 | 0:19:54 | |
And in fairness, we have a box on Click, and we have not had any | 0:19:55 | 0:20:03 | |
notification of any problem with the box either. | 0:20:04 | 0:20:05 | |
Nomx also told Scott they have requested users not browse web-sites | 0:20:06 | 0:20:12 | |
So you as a user are responsible for behaving in a particular way | 0:20:13 | 0:20:21 | |
That's not really fair on the end user. | 0:20:22 | 0:20:25 | |
To show good will, Scott held off publishing the attack | 0:20:26 | 0:20:27 | |
We got in contact with Nomx to say, look, we are filming with Scott | 0:20:28 | 0:20:37 | |
and we need some answers if you wouldn't mind. | 0:20:38 | 0:20:40 | |
We gave them an opportunity to be interviewed. | 0:20:41 | 0:20:43 | |
But they did send us some responses to some of our questions. | 0:20:44 | 0:20:51 | |
One of which yesterday, the CEO told me, Nomx security claims | 0:20:52 | 0:20:54 | |
don't apply if your home network has been breached. | 0:20:55 | 0:20:57 | |
Now that's the kittens thing on the browser, | 0:20:58 | 0:21:00 | |
if somebody clicks on that you're infected and basically | 0:21:01 | 0:21:02 | |
Will Donaldson is saying that is nothing to do with us, | 0:21:03 | 0:21:05 | |
Well, that's a bit like saying if everything else in your home | 0:21:06 | 0:21:14 | |
is insecure, then we're insecure too. | 0:21:15 | 0:21:16 | |
So the box doesn't add anything to the weakest link | 0:21:17 | 0:21:24 | |
in your home, and that is I would say at odds | 0:21:25 | 0:21:27 | |
with what they're saying on their web-site. | 0:21:28 | 0:21:29 | |
Now, Will told me that no boxes have been compromised again. | 0:21:30 | 0:21:32 | |
He said, well we've asked some of our users. | 0:21:33 | 0:21:36 | |
And we have learned today that Will is removing the devices | 0:21:37 | 0:21:40 | |
from his web-site and he won't be selling them any more, | 0:21:41 | 0:21:43 | |
he won't be shipping them, in their current form, | 0:21:44 | 0:21:46 | |
He is going to wait for a hardware upgrade and then start again. | 0:21:47 | 0:21:51 | |
Although we have been on his web-site today and he looks | 0:21:52 | 0:21:55 | |
Now, he also says that all the major e-mail providers have been hacked | 0:21:56 | 0:22:05 | |
in the past and actually still Nomx hasn't. | 0:22:06 | 0:22:07 | |
Alan, we don't know whether there are tens, | 0:22:08 | 0:22:15 | |
hundreds or thousands of these boxes out there. | 0:22:16 | 0:22:17 | |
But what does this tell us about the wider security industry? | 0:22:18 | 0:22:24 | |
It raises that wider concern that anybody can make claims, | 0:22:25 | 0:22:27 | |
they can put a product out there and make claims, | 0:22:28 | 0:22:30 | |
even if they're really bold claims like this, | 0:22:31 | 0:22:32 | |
absolute security, that nobody's checking it. | 0:22:33 | 0:22:36 | |
There is no gold standard against which you can | 0:22:37 | 0:22:39 | |
To be fair, do you think this idea of end-to-end | 0:22:40 | 0:22:50 | |
Yes, you could make it work, but as is so often the case | 0:22:51 | 0:22:54 | |
with security, the thing that really lets this down is the way | 0:22:55 | 0:22:57 | |
So Scott, you are about to release details of your hack? | 0:22:58 | 0:23:01 | |
And this is not anything special that Scott's doing for us. | 0:23:02 | 0:23:12 | |
This is part of his ethical hacking procedure. | 0:23:13 | 0:23:14 | |
Yeah, the company's told us that they have notified | 0:23:15 | 0:23:19 | |
There is an update or replacement device available to fix this, | 0:23:20 | 0:23:28 | |
so no users are at risk any more. | 0:23:29 | 0:23:30 | |
I was kind of expecting a noise or something. | 0:23:31 | 0:23:35 | |
What would you say to anyone who owns one of these Nomx boxes? | 0:23:36 | 0:23:44 | |
If you have one, I would stop using it and repurpose the device. | 0:23:45 | 0:23:47 | |
I would not use it or recommend using it. | 0:23:48 | 0:24:03 | |
Scott, Alan, thank you for your time. | 0:24:04 | 0:24:05 | |
My friend I'm sorry, you're out of here! | 0:24:06 | 0:24:07 | |
Normal service is resumed next week and if you want more details, | 0:24:08 | 0:24:12 | |
including a link to Scott's blog, then check us out on Twitter at BBC | 0:24:13 | 0:24:16 | |
If you can't stay absolutely secure, then try and stay safe. | 0:24:17 | 0:24:19 | |
Thanks for watching and we will see you soon. | 0:24:20 | 0:24:26 |