The CyberWire Daily Podcast 12.21.18
Ep 750 | 12.21.18

Operation Cloudhopper and industrial espionage. Anonymous social network Blind server left exposed. Reputation jacking. Alexa shares too much, by accident. Hitman scam is back.

Transcript

Dave Bittner: [00:00:00] Hi, Jack (ph).

Jack: [00:00:01] Hi, Dad.

Dave Bittner: [00:00:02] It's the end of the year. This is the last CyberWire podcast of 2018. How do you feel about 2018 so far?

Jack: [00:00:11] Well, it was good, but I still didn't get that coat, that bicycle or those braces that you promised.

Dave Bittner: [00:00:17] Hmm, yeah, I know. If only more people had signed up for - well, you know.

Jack: [00:00:21] Patreon.com/thecyberwire?

Dave Bittner: [00:00:23] That's right. That's right. There's still time. Maybe you could...

Jack: [00:00:28] That's the one.

Dave Bittner: [00:00:28] (Laughter) Maybe you could still get some Christmas presents this year. We'll see. I guess it just depends on how generous a mood our listeners are in.

Jack: [00:00:35] Yeah. Everybody, go to patreon.com/thecyberwire.

Dave Bittner: [00:00:40] How much do you think they should give per month?

Jack: [00:00:42] I guess $10.

Dave Bittner: [00:00:43] Ten dollars a month? OK. That's good. That's good.

Jack: [00:00:47] Happy Holidays. And have a great rest of your 2018.

Dave Bittner: [00:00:51] All right. Thanks, Jack.

Jack: [00:00:53] Yup.

Dave Bittner: [00:00:57] The Five Eyes have had quite enough of Stone Panda's cloud hopping, thank you very much. And they want Beijing to put a stop to it. Beijing says it's all slander and that the Yankees are probably just as bad. Blind turns out not to be as blind as users thought. Reputation jacking comes to business email compromise. Alexa complies with GDPR but goes a little overboard. Author and podcaster Brian McCullough joins us to discuss his book "How The Internet Happened." And no, a hitman has not been hired to get to you, no matter what that email says.

Dave Bittner: [00:01:37] Now a word from our sponsors, Shape Security. Last year, 2.3 billion usernames and passwords were reported as compromised. It says everyone in America had passwords stolen for not just one but seven online accounts. And that's just the data reported last year. It can take years for a credential spill to be reported, if it's discovered at all. Why do these spills matter? Two words - credential stuffing. Attackers take those spilled usernames and passwords and try them on every login form imaginable. Because users recycle passwords, up to 3 percent of stolen credentials will be valid on a typical website or mobile app. Once they're in, attackers steal whatever they can get, from gift cards to frequent flyer miles. And it adds up. This year, credential stuffing will pull nearly $9 billion from our banking, travel and e-commerce accounts. But there's hope as consumers use unique passwords, as organizations join Shape Security's collective defense platform because, together, we can defeat account takeovers. To learn more, visit shapesecurity.com. That's shapesecurity.com. And we thank Shape Security for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, December 21, 2018. Authorities in the Five Eyes said yesterday in coordinated announcements that China's Ministry of State Security had attacked managed service providers with a view to using the MSPs as an avenue of approach into their customers' enterprises. The centerpiece of the coordinated naming and shaming was the U.S. Justice Department's indictment of two contractors working for the Ministry of State Security. But the words from London, Canberra, Ottawa and Wellington were clear and left no doubt that China has, in the eyes of the Five, abrogated its obligations to restrain industrial espionage.

Dave Bittner: [00:03:45] The announcements didn't say which MSPs and other targets were attacked in the long-running campaign known at least since last year as Operation Cloud Hopper. But Reuters reports that its sources say IBM and Hewlett Packard Enterprise were two of them. IBM told Reuters that it had no evidence that sensitive corporate data had been compromised.

Dave Bittner: [00:04:07] HPE says it could not comment on the Cloud Hopper campaign. The company also pointed out that it had spun off its MSP business last year. They told Reuters, we are unable to comment on the specific details described in the indictment, but HPE's managed service provider business moved to DXC Technology in connection with HPE's divestiture of its enterprise services business in 2017. DXC also declined comment.

Dave Bittner: [00:04:35] The approach the indicted hackers are alleged to have taken is disturbing in that it effectively transforms an MSP into an avenue of approach to its customers. And that avenue of approach would usually not be regarded as a particularly dangerous one. The indictment describes one instance in which the Cloud Hopper operators compromised a New York MSP and, through it, reached targets not only in the United States but in Brazil, Germany, India, Japan, the United Arab Emirates and the United Kingdom. The sectors involved in that incident show the breadth of economic targets - financial services, biotechnology and medical equipment, electronics and automobile manufacturing, as well as the extraction industries of mining and oil and gas exploration.

Dave Bittner: [00:05:22] The group the Five Eyes are glaring at is APT10, Stone Panda, which has now clearly entered the premier league of named and shamed state hacking, right up there with Fancy Bear, and probably seeded higher than Cozy Bear or Charming Kitten. For its part, China has dismissed the allegations as slander and says it had filed stern representations with Washington demanding the charges against its two citizens be dropped.

Dave Bittner: [00:05:50] Beijing said, quote, "we urge the U.S. side to immediately correct its erroneous actions and cease its slanderous smears related to Internet security," end quote. China also complains that the U.S. gets a pass for its own electronic collection and that what's sauce for the panda should be sauce for the eagle. A mighty unpleasant meal that would be, too, but the cases aren't really parallel. The U.S. and its sisters in the Five Eyes are objecting specifically to industrial espionage - theft of IP and trade secrets for the advancement of national economic goals.

Dave Bittner: [00:06:24] Everyone does indeed know, as Beijing says, that it's an open secret governments collect against each other all the time. But that's not the point. The point the U.S. and others are making is that China is behaving differently. And that in doing so, in hacking on behalf of its companies' competitive advantage, is violating agreements it entered into back in 2015 to stop doing that. It seems increasingly likely that Beijing won't find many takers in the developed world for its claims of innocence and ill use. Sterner measures against Chinese government hacking are expected in the coming weeks, especially after the conclusion of Sino-American trade talks.

Dave Bittner: [00:07:06] Blind, the anonymous social networking app that had appealed to big tech whistleblowers, malcontents and others who wish to discuss their employers without fear of retribution, proves to be less blind than thought. One of its servers was left exposed without so much as password protection - unencrypted, too, according to TechCrunch. Blind says only one server was so mishandled and that the matter has now been fixed. But if you want to air the boss's dirty laundry, the wise troublemaker should probably seek elsewhither for an outlet. Consider a local bar and grill.

Dave Bittner: [00:07:42] Companies continue to suffer social engineering attacks from criminals working through Google Cloud. It's business email compromise, but it uses the Google service to lend credibility. The attackers park their malicious payloads in Google Cloud storage, whose wide use and good reputation lull the unwary into the trap.

Dave Bittner: [00:08:01] ZDNet calls the technique reputation jacking. The tactic not only lends credibility, but it makes it easier for the hoods to cover their tracks. The alert listener will have discerned a certain resemblance between reputation jacking and an attack that compromises an MSP so an attacker can pivot into a customer's enterprise with the agility of those Shen Yun dancers we keep seeing on YouTube.

Dave Bittner: [00:08:26] Alexa has done some oversharing but with the best of intentions. As Motherboard notes, following the German magazine Heise, a user requested, as is his right under GDPR, that Amazon send him all the data it held on him, and Amazon did. But they got some of the data wrong and inadvertently sent him 1,700 recordings from some other guy's Alexa, including some apparently made while the other gentleman was showering. Time out, Alexa. (Speaking German). Let it go at that.

Dave Bittner: [00:09:01] That tiresome hitman extortion scam is back, says HackRead. You get an email out of the blue from some joker who says, you don't know me. But I've been hired as a hitman and paid to kill you. But I'll agree not to kill you if you fork over four grand in - what else? - Bitcoin. It's no more plausible than it was the first time around. Ignore the email.

Dave Bittner: [00:09:28] It's time to tell you about our sponsor privacy.com. If you're a longtime listener, you've probably heard me mention privacy.com on the CyberWire before. In fact, when I was a guest on another cybersecurity podcast, privacy.com was my pick of the week one week for something that everybody should check out, and here's why. Privacy lets you buy things online using virtual card numbers instead of using your real ones. Think about it. You don't use the same password everywhere. So why would you use the same card number everywhere when you shop online? What's great is that it's super-fast and easy to use. Privacy.com gives you a brand new virtual card number for every purchase you make with just one click. And we've got a special offer for CyberWire listeners. New customers will get $5 for a limited time to spend on your first purchase - five bucks, free money. So go to privacy.com/cyberwire and sign up now. That's privacy.com/cyberwire. And we thank privacy.com for sponsoring our show.

Dave Bittner: [00:10:36] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back.

Joe Carrigan: [00:10:45] Hi, Dave.

Dave Bittner: [00:10:46] So we've got an article from Motherboard. This is called "How Hackers Bypass Gmail Two-Factor Authentication at Scale." And they're working off a report from Amnesty International.

Joe Carrigan: [00:10:56] Yep.

Dave Bittner: [00:10:57] Let's walk through here. What are they describing?

Joe Carrigan: [00:10:59] OK. So they're talking about the two-factor authentication that uses some kind of code that you either receive or is generated for you.

Dave Bittner: [00:11:08] OK, yup.

Joe Carrigan: [00:11:09] And this is a user-entered code.

Dave Bittner: [00:11:10] Right.

Joe Carrigan: [00:11:11] So there are two ways that you can get these. One is with an SMS messaging, just like a text message to your phone.

Dave Bittner: [00:11:17] Yep.

Joe Carrigan: [00:11:18] I'm sure we've all seen this.

Dave Bittner: [00:11:19] Yeah.

Joe Carrigan: [00:11:19] And another way is with some kind of time-based algorithm that generates a code based on a key that you've already shared between the two sides.

Dave Bittner: [00:11:29] Right, so, like, Google Authenticator would be an example of that.

Joe Carrigan: [00:11:30] Exactly. Google Authenticator's a prime example of the time-based solution.

Dave Bittner: [00:11:34] All right. So walk me through this. Let's say you're targeting me.

Joe Carrigan: [00:11:37] So I'm targeting you, so I set up a fake site that looks almost exactly like Gmail.

Dave Bittner: [00:11:43] Right.

Joe Carrigan: [00:11:43] And I send you a phishing link that says, hey, Dave, log into your Gmail account.

Dave Bittner: [00:11:49] All right. I click the link.

Joe Carrigan: [00:11:50] You click the link. And I take your password - your username and password and I - on the back end of this, this is actually a web application that goes to Gmail and logs in under - for Gmail.

Dave Bittner: [00:12:03] So I'm logging into your fake version of Gmail.

Joe Carrigan: [00:12:06] Correct.

Dave Bittner: [00:12:07] But behind the scenes, you're...

Joe Carrigan: [00:12:08] I'm logging into the real version of Gmail using the credentials you sent me.

Dave Bittner: [00:12:12] Got you. OK.

Joe Carrigan: [00:12:13] The next thing I see on the back end is - or my application sees on the back end is that the page that says we just sent you a code - so I prompt you with the exact same page saying we just sent you a code.

Dave Bittner: [00:12:26] On the fake site.

Joe Carrigan: [00:12:27] On the fake site.

Dave Bittner: [00:12:27] Yep.

Joe Carrigan: [00:12:28] You look at your cell phone.

Dave Bittner: [00:12:31] Code pops up.

Joe Carrigan: [00:12:32] Code pops up. You enter it into my fake site, and I enter it into Gmail. And now I'm in your account.

Dave Bittner: [00:12:39] So now you own my account.

Joe Carrigan: [00:12:41] I own your account. This is how this works. It's a phishing scam, essentially. It's not really new technology. It's the same thing as when - as credential harvesting, except now I'm actually harvesting the two-factor, as well.

Dave Bittner: [00:12:52] Right. And I guess one of the things they're pointing out here is that this is completely automated.

Joe Carrigan: [00:12:57] Right.

Dave Bittner: [00:12:57] There's nobody...

Joe Carrigan: [00:12:57] And that's really the part that makes it terrifying - is that they can do this at scale and send it out to millions of people. And it's automated. And they can just compromise accounts because, like we've said before, it's a numbers game. If I send it out to a million people, and 1 percent of those people go through with it, then that's 10,000 people I've compromised.

Dave Bittner: [00:13:19] Yeah. So what does this mean? Should I still be using two-factor?

Joe Carrigan: [00:13:23] Yeah, you should still be using two-factor. Number one, there's a couple of ways you can protect yourself against this. First, never click on a link in an email.

Dave Bittner: [00:13:30] Right, right.

Joe Carrigan: [00:13:31] Go directly to the site...

Dave Bittner: [00:13:32] Of course.

Joe Carrigan: [00:13:32] ...Right? If you were using a password manager that checks the site before it enters a password, that would protect you against this, as well.

Dave Bittner: [00:13:42] Oh, right.

Joe Carrigan: [00:13:42] So it would say, this isn't Gmail. I'm not entering your Gmail account password into a site that's not Gmail. So that would stop that from happening. And this article recommends also using a hardware token, like a YubiKey.

Dave Bittner: [00:13:57] Oh, I see.

Joe Carrigan: [00:13:58] I'm not a cryptographer, so I don't know what the cryptography is that underlies these things. I have a YubiKey. I use it for things like my Password Safe. But if somebody steals it, they're never going to get into it because they can't actually enter the hardware-based token...

Dave Bittner: [00:14:13] I see.

Joe Carrigan: [00:14:13] ...Because they don't physically have what I have.

Dave Bittner: [00:14:15] Right. So they're saying that this hardware key somehow circumvents this or prevents this...

Joe Carrigan: [00:14:21] Prevents, yeah.

Dave Bittner: [00:14:21] ...Man in the middle kind of thing that's going on here.

Joe Carrigan: [00:14:23] And I'm not sure - again, I'm not sure what the cryptography is underneath. But...

Dave Bittner: [00:14:27] Yeah. According to the article, that's a good step to...

Joe Carrigan: [00:14:29] Yeah, exactly.

Dave Bittner: [00:14:29] I think it also - this is one of those things where if you are a person who needs this, you probably know it.

Joe Carrigan: [00:14:34] Right. You know, if you're a person who is being targeted by a government organization, you would know - exactly like you said, you would know that you're a person that's targeted by a government organization. And you should probably already be taking extraordinary security measures.

Dave Bittner: [00:14:49] Yeah. All right. Well, the bad guys up their game, and they're doing it quickly - I guess...

Joe Carrigan: [00:14:55] Yes, they do.

Dave Bittner: [00:14:55] ...Is one of the lessons here. All right. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:58] My pleasure, Dave.

Dave Bittner: [00:15:03] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated, online, comprehensive view of all the day's tech news. And now they also produce the Techmeme Ride Home podcast. If you like the CyberWire and you're looking for even more technology news, Techmeme Ride Home is the podcast for you. We're fans. And we think you'll like it too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the Internet History Podcast. The Ride Home distills Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m., great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for Ride Home and subscribe today. That's the Techmeme Ride Home podcast. And we thank the Techmeme Ride Home podcast for sponsoring our show.

Dave Bittner: [00:16:08] My guest today is Brian McCullough. He's the host of the Internet History Podcast and the Techmeme Ride Home podcast. He's also author of the book "How The Internet Happened: From Netscape To The iPhone." Our discussion today focuses on the book. Here's my conversation with Brian McCullough.

Brian McCullough: [00:16:26] So I'm actually - I'm not a historian. I'm not a journalist. I'm a three-time company founder. It always bothered me that there have been books about the deep internet, you know, going back to the ARPANET and the Pentagon and all that stuff, but there hadn't really been a history of the internet going mainstream and infiltrating all of our lives. So like every other startup idea I've had, the impulse was, well, that's a good idea. Somebody's going to do that someday. Why not me?

Brian McCullough: [00:16:52] I'm not used to writing a book. So I found it - I was getting all these great interviews firsthand from, initially especially the Netscape people. And I thought, well, five years from now two sentences of this interview will make it into the book. Why don't I just throw up all of the interviews unedited and see if people find that interesting? And so that's how the podcast got started. So the podcast and the book sort of fed on each other. And now the book is out. And it's been a wild ride.

Dave Bittner: [00:17:20] As you were making your way through the history of the internet, were there any things that jumped out at you as being surprising, things that were unexpected?

Brian McCullough: [00:17:28] Yeah, totally because, again, I sort of lived a lot of this. So there were so many things that I was surprised - just, you know, off the top of my head, like, I came up - most of my businesses were in the 2000s, when Microsoft was sort of in its lost decade. So it surprised me how much especially, as late as, you know, the early 2000s, as late as Google IPOing and not wanting to tell anybody how much money they were making, it surprised me how much Microsoft - everyone was thinking of Microsoft, was making moves in relation to what Microsoft may or may not do.

Brian McCullough: [00:18:01] There was a lot of times when I didn't realize what the theme of a section was until I was writing it. So I knew I was going to have to do something on eBay. You know, eBay's not a tech company that we think of as one of the big guys right now, one of the FANG stocks or anything like that. But when I was reading and researching eBay, it occurred to me that eBay is actually a way more influential company than anybody gives it credit for. We live in the tyranny of the five-star ratings now. You know, like, where would Uber or Airbnb or anything like that be if eBay hadn't pioneered the reputation system that allows us to do business with strangers on the internet?

Brian McCullough: [00:18:42] EBay trained a lot of people for the first time that you could do business with strangers halfway across the world that you would never meet and never even know their name. And then also, eBay was the first company that - you know, we think of social media platforms now. We know that they're incredibly valuable because of the content that the users generate. EBay was the first company that sort of didn't own anything. All eBay was was a platform for the economic activities of its users.

Dave Bittner: [00:19:10] Now, how much of the growth of the internet was linear versus fits and starts? Was it more of one than the other?

Brian McCullough: [00:19:17] A hundred percent fits and starts. And, I mean, that's always true for any new technology. You kind of have to throw stuff against the wall and see what sticks. But, you know, conceptually, it was harder because at the very, very beginning, people don't even know what was there. You know what I mean? Like, if you develop an internal combustion engine, you have a good idea that you're going to use it to move people and things around.

Brian McCullough: [00:19:44] But when the web takes off, people aren't really sure what it's for. Is it for doing business? Is it for commerce? Is it for just talking to each other? So many things in the 90s especially but even all the way up through today has been people trying to work out even at a base conceptual level what the business opportunity here was, what the use case was. And so I always found that fascinating because the whole book is just a bunch of stories of entrepreneurs feeling their way around in the dark.

Dave Bittner: [00:20:16] You know, I think it's interesting when you think about some of the unintended consequences. I've heard people say that, you know, the original sin of the internet was making everything free and having it being paid for by advertising. And that's what's led to all of these privacy and tracking issues. Do you have thoughts on that?

Brian McCullough: [00:20:36] One of the first interviews I did was with Lou Montulli, who invented the cookie - the browser cookie - or at least was one of the guys at Netscape that helped invent that. Over the course of 200 episodes of the Internet History Podcast, that's come up a lot - the idea that the original sin was because the internet came out of academia, it wasn't commercialized. I think it wasn't until even 1992 that you legally could do business on the internet.

Brian McCullough: [00:21:04] And so there was this culture at the very beginning that there's no way we're going to pay for anything. Like, it was almost like - it was like an article of faith. So I don't blame the companies themselves or the entrepreneurs themselves from going towards an advertising model because it was the users and it was the culture that was inherent in the internet that required them to go that way. I actually have made the argument that it's only in the last five years or so that we have finally convinced people that things on the internet are worth paying for. And we can credit the Netflixes and the Spotifies of the world for that, I think. But it's not the company's fault. It was the culture of the internet as it existed right before it went mainstream.

Brian McCullough: [00:21:51] And so then when all the mainstream users come onto it, they just adopt the culture that was already there. But then again, at the same time, can you imagine how it would've been different had Bill Gates gotten his way and the internet from day one was something that you had to pay Microsoft for, you know, whatever fee they were going to charge you per month? I don't know that that would be a better internet. We got what we got. And it's an accident of history. And that doesn't mean that we can't change it. And I think we're evolving into an internet that's not just ad-based.

Dave Bittner: [00:22:21] I'm curious - when it comes to security, what's been the evolution of that? Was it baked in from the beginning or grafted on along the way?

Brian McCullough: [00:22:30] It really feels like nobody on the early internet was thinking too much about security because, again, remember, if you're using the internet in, say, 1978 or even as late as 1988, you're expecting that all of the other people that you'll be interacting with will be technically proficient, you know? I think - you want to talk about a real original sin of the internet - is that nobody ever assumed that normal people would be on it. And so there were a lot of design decisions that were made early on just sort of by default because no one was thinking about my mom using the internet, right?

Dave Bittner: [00:23:06] Right.

Brian McCullough: [00:23:07] And so I feel like it's been decades and decades of sort of cleaning up that mess. Certainly, if you were designing the internet today, you would, from the ground up, make it way more secure. So I think that what you've seen, essentially, in terms of how it's designed, that's - it was always baked in that it's not super secure. From the user perspective, from the mainstream perspective, I feel like - and maybe you can speak more to this. We go through these cycles where - you know, I was doing actual library research for this book, like, going back to finding articles from the late '90s and things like that.

Dave Bittner: [00:23:47] Yeah.

Brian McCullough: [00:23:47] And it was surprising to me the headlines that, you know, say a DoubleClick would make because they would do something with the cookies. And it would make the front page of The New York Times - oh, my God, privacy concerns. And, you know, if I told you what those details were today, you'd laugh because, you know, (laughter) everybody does way worse stuff today...

Dave Bittner: [00:24:07] Right.

Brian McCullough: [00:24:07] ...In terms of tracking people. And so then - so at the beginning, everyone was afraid. No one wanted to put their credit card online. People were convinced e-commerce would never take off because they - no one would share their credit cards. And then somehow, after the bubble burst around the turn of the century, everyone just forgets about it. And so we went through this 10 or 15-year period where everyone was just blase.

Brian McCullough: [00:24:28] And Facebook comes in and Google comes in, and they - we gave away everything. And so now I feel like the mainstream user concern trolling about data and security is ebbing back to, like, (laughter) a fever pitch, where, probably, it needs to be to correct some of these things.

Dave Bittner: [00:24:48] How do you think this Internet revolution compares to other huge shifts we've had in the history of humanity? I'm thinking of things like the Industrial Revolution. Is this on that sort of scale in your estimation?

Brian McCullough: [00:25:00] I think it's more profound in the sense that it's an industrial revolution combined with a media revolution. So there are a lot of things that are changing the way that we do our jobs, that we conduct commerce. You know, those are the obvious things you can point to. But as we've been seeing, especially last - these last few years or so, the Internet is fundamentally changing the way we think and interact with each other and our institutions. And that is - you know, there's a million different avenues we could go down talking about this, about, you know, how - content bubbles and things like that.

Brian McCullough: [00:25:40] But on a really fundamental level, I think that the Internet is atomizing all of us into these different tribes and into these different world views. And so while there is a big industrial revolution happening, there's a big commercial revolution happening, at the same time, I think the Internet is fundamentally rewiring society and our relationship with government. And the balance between the individual and the government and culture has kind of been tossed up in the air right now, and it hasn't quite settled yet.

Dave Bittner: [00:26:14] Yeah, that's interesting. I mean, I've heard people refer to particularly some of the online social media platforms as anxiety engines.

Brian McCullough: [00:26:25] And that's a design decision, too, because again - you know, I talk about this on the daily Techmeme podcast a lot. The success playbook for the last 10 or 15 years was always scale. Once people realized, you know, you can code up a chat app and have a billion users overnight, the only thing that anybody ever designed for was more usage. You know, Facebook is more sharing, more likes, more all these things, and - because it was taken as a given that more usage was inherently good.

Brian McCullough: [00:26:59] But there's a difference between designing for quantity and designing for quality. And I think that the next 10 years or so is going to be about - the successful companies and the successful startups and the successful products will be the ones that will design for quality of life, for quality of experience with the product as opposed to just more, more, more, more sharing, all that stuff.

Dave Bittner: [00:27:25] That's Brian McCullough. The book is "How the Internet Happened: From Netscape to the iPhone."

Dave Bittner: [00:27:34] And finally, this being our last daily CyberWire podcast of the year, a heartfelt thanks to everyone who's helped make our show possible. There's the tireless team whose names you hear listed at the end of every show, the writers, producers, technical staff and, yes, even the suits down the hall, who work long hours to bring you the shows you enjoy and have come to depend on. Thanks to their families, too. Thanks also to our sponsors for choosing our show and our Patreon supporters for directly contributing to our efforts.

Dave Bittner: [00:28:04] And last but not least, thanks to all of you for listening. 2018 has been one heck of a year. And we hope we've provided some worthwhile information, insights and clarity and have helped cut through some of the noise - couldn't do it without you. We'll be back January 2. Until then, merry Christmas, Happy Holidays and Happy New Year.

Dave Bittner: [00:28:27] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:28:54] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.