Security stories: lost phones, a compromised computer, and an unexpected keyboard cat

As a change of pace, Liz and Geoffrey take a look back at security incidents in their own lives and talk about lessons they've learned - why phone backups are important, an unintentional security hole, and a security key gone rogue. In security news, the GDPR results in mildly positive changes for web tracking, and Fortnite's installer has exactly the vulnerability we were afraid of.

Timeline

  • 1:23 - Security news: Third-party cookies on European news sites have dropped after the GDPR
  • 2:38 - Security news: a detailed how-to about making a clone of a finger that can bypass Touch ID
  • 3:05 - Security news: T-Mobile breach
  • 4:50 - Security news: WebAuthn development for WebKit begins
  • 6:31 - Security news: Fortnite installer vulnerability
  • 7:28 - Security news: Fortnite incentivizes putting two-factor on your account
  • 9:41 - Lost phones
  • 17:36 - Laptop sending spam
  • 19:55 - YubiKey accidental taps

Show notes & further reading

Two-factor authentication zine

We made a zine on two-factor authentication, loosely based on the episode about it. Check it out and print a copy for your friends!

Backing up your phone

Our episode on two-factor authentication covered backup options in case you lose / break your primary device.

If you have a password manager, make sure you're logged in somewhere else or you know the information needed to log in on a new phone.

It's also a good idea to make sure your phone is backing up data if you want it to (and not backing up data if you don't want it to!). Phones with hardware security chips, like recent iPhones and the latest Google Pixel devices, intentionally make it hard to copy data from a disassembled phone without powering it up normally and entering the passcode, but that same protection makes it hard to recover data from a broken phone.

Accidental YubiKey OTP presses

The standard YubiKey models (everything in their current lineup except the Security Key) support multiple authentication protocols: there's U2F, but there's also "smart card" support (for digital certificates, SSH keys, and other specialized uses) and a one-time password (OTP) feature. OTP was Yubico's first approach to authentication, because it requires no specific browser or driver support: the device acts like a keyboard and types in a randomly-generated password every time you tap it. All you need is for the server to support the same OTP protocol and know what passwords to expect.

Unfortunately, YubiKeys ship with OTP enabled by default, even if you don't intend to use it and haven't paired it with any server. And if you're using the Nano form factor - the small style that's designed to stay plugged in to your laptop most of the time - it's very easy to trigger it by mistake when you brush the side of the computer. Yubico's recommended solution is to move the OTP functionality to "slot 2," which requires a three-second press. You can also use their command-line tool to disable the "fast OTP setting," or use a community-developed tool on macOS to turn off the YubiKey until you manually re-enable it.
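As an added example (not from the episode or from Yubico), here is a small Python filter a chat bot or client could use to recognise and scrub an accidentally typed Yubico OTP, and to report which key fired. It assumes the standard Yubico OTP layout of 44 ModHex characters, a 12-character public ID followed by a 32-character encrypted token; the sample message and OTP are constructed.

```python
"""Recognise and scrub accidentally typed Yubico OTPs in chat messages.

Constructed example, not Yubico's code. Assumed OTP layout: 44 ModHex
characters = 12-char public ID + 32-char (16-byte) AES-encrypted token,
followed by an Enter keystroke that the key also types.
"""
import re
from typing import List, Tuple

# Yubico's ModHex alphabet: 16 letters that sit on the same keys across most
# keyboard layouts, which is why the key can "type" an OTP anywhere.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

PUBLIC_ID_LEN = 12   # identifies which key did the typing (assumed layout)
TOKEN_LEN = 32       # opaque without the key's AES secret (assumed layout)
OTP_LEN = PUBLIC_ID_LEN + TOKEN_LEN

# A run of exactly 44 ModHex letters not glued to other letters or digits.
_OTP_RE = re.compile(
    r"(?<![a-z0-9])[%s]{%d}(?![a-z0-9])" % (MODHEX_ALPHABET, OTP_LEN)
)


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string to bytes; raises ValueError on bad input."""
    if len(text) % 2 or any(ch not in _MODHEX_VALUE for ch in text):
        raise ValueError("not a ModHex string")
    nibbles = [_MODHEX_VALUE[ch] for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def looks_like_yubico_otp(candidate: str) -> bool:
    """True if the string has the length and alphabet of a Yubico OTP."""
    return len(candidate) == OTP_LEN and all(ch in _MODHEX_VALUE for ch in candidate)


def split_otp(otp: str) -> Tuple[str, bytes]:
    """Return (public ID, encrypted token bytes) for a well-formed OTP."""
    if not looks_like_yubico_otp(otp):
        raise ValueError("not a Yubico OTP")
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])


def scrub_message(message: str) -> Tuple[str, List[str]]:
    """Replace embedded OTPs with a marker; also return the public IDs found
    so the bot can tell the group whose key is doing the typing."""
    found: List[str] = []

    def _replace(match: "re.Match[str]") -> str:
        public_id, _token = split_otp(match.group(0))
        found.append(public_id)
        return "[accidental YubiKey OTP removed]"

    return _OTP_RE.sub(_replace, message), found


if __name__ == "__main__":
    # Constructed sample: a chat line with a 44-char OTP typed into it.
    sample_otp = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"
    cleaned, ids = scrub_message("group chat time " + sample_otp)
    print(cleaned, ids)
```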

In the news

Three researchers at Oxford University's Reuters Institute for the Study of Journalism analyzed changes in third-party content on news websites before and after the GDPR (PDF). Bleeping Computer has more analysis, as does The Register, which also discusses another recent research paper on GDPR differences (PDF) - this one mostly about cookie consent notices. Cookie consent notices are useful for awareness but less useful for privacy, especially since clicks on a third-party area of a website often signal to content blockers and tracking-protection code that you wish to permit that third party to access cookies.

Polish security researcher Wojciech Reguła has a detailed blog post and video on how to bypass Touch ID by cloning a fingerprint. The materials he had at home might not be materials you have at home - it involves a printed circuit board etcher, which you're unlikely to have if you're not an electronics hobbyist - but they aren't particularly difficult to acquire. If you think you're at higher-than-normal risk of someone wanting to get into your phone, and they can lift your fingerprint from something you've touched, you should definitely switch to a long passcode instead.

Transcript

Liz Denys (LD): Our last few episodes on web browser security were pretty dense, so we figured we'd do something a little different with this episode of Loose Leaf Security.

Geoffrey Thomas (GT): Sometimes we plan out episodes by looking at an important topic, like web security, and figuring out how to cover it from top to bottom. But other times we're inspired by specific security-related problems we're having, like, how do I back up my two-factor authentication codes?

LD: So, today, we're going to talk about some of our favorite security stories from our own lives and some of the lessons to be learned from them.

GT: When those lessons exist.

LD: Right, sometimes, the best you can do is just to be aware of things. Security, especially personal security, is a process rife with tradeoffs and often lacking in right answers.

GT: Either way, that day I thought you bought a cat without telling me was pretty great.

LD: As was the time, a couple weeks ago, when you kept needing me to send you two-factor codes to get into this podcast's social media.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

GT: We've got some news items to look at this week, because security news never sleeps. First, a group of researchers from Oxford has found that the number of third-party cookies on European news sites has dropped about 22% after the GDPR was passed, based on a comparison of 200 websites in April and June.

LD: The number of sites with third-party social media share buttons also dropped from 84% to 77%. We noted in our episode on the web security model that many of these buttons let social media sites track what you're visiting even if you don't interact with them, and our own website just uses regular links instead of share buttons to avoid loading third-party content.

GT: Almost everyone is still using third-party content from Facebook, Amazon, and Google, though. A noticeable but small number of sites dropped Facebook, but those three companies are still in the lead.

LD: I guess one benefit is that smaller analytics sites are often the ones that are least likely to have a well-thought security policy, so this does mean that the risk of a data breach or even just unwanted data sale from the smaller players is reduced.

GT: On the other hand, there was a lot of fear that the GDPR would put even more power in the hands of the major players, who could afford to comply with it, and this sounds like evidence for that fear - while the number of trackers is down 22% overall, the number of trackers from the big three sites is only down less than 5%.

LD: A pentester in Poland posted a deeply fascinating how-to post about making a clone of a finger good enough to bypass Touch ID. If you're interested in seeing how this was done, with just the tools the pentester had at home, no less, check out the link in our show notes because the photos and videos would be a lot more interesting than us talking about it.

GT: [laugh] Yeah, it's been done before but this is a pretty good video of the process.

LD: It's a great reminder that Touch ID and other biometric methods for unlocking your phone aren't as secure as a really strong passcode.

GT: T-Mobile disclosed a pretty huge security breach about a week ago. They say hackers accessed the personal data and encrypted passwords of two million customers, but no financial data.

LD: They originally didn't say that passwords were breached because only encrypted passwords were breached.

GT: I'm ... not sure that counts. Also, by "encrypted" they mean "hashed," right?

LD: Probably. People say "encrypted passwords" casually to mean a lot of things, and usually they mean it's been run through a theoretically one-way function called a hash. They haven't said what hash mechanism they were using, and there's no way to tell for sure if it's one-way, but it looks like it might be MD5, one of the first widely-used hash functions that's now generally seen as insecure.

GT: Also, if they designed their system back when MD5 was popular, there's a real good chance they're not using other techniques to make a stolen password database harder to use, such as adding a salt, a random value, into the hash to make it harder to compare across websites, and repeating the hash process thousands of times to make it take a longer time to guess potential passwords.

LD: So if you've got an account with T-Mobile, you should change your password immediately instead of relying on the hash to keep it secure.

GT: Make sure to change it both on T-Mobile's site, but also anywhere you've used that password or even a similar-looking password.

LD: Another thing to be aware of in light of this breach is that it included the same personal information that T-Mobile or another cell provider would use to verify your identity, so if you're at a high risk of social engineering attacks on your cell phone account, those attacks just got a little easier.

GT: In our episode on comparing Android and iOS security, one of the things in the news was SIM-jacking and other similar attacks, and we talked a little bit about how to defend yourself against them. But briefly, it's a good idea to call up your cell phone provider and ask them to put a PIN to lock it from changes. And pay attention if your cell phone service suddenly becomes unavailable, because it might mean your account has just been moved to an attacker's phone.

LD: Apple announced that they've started development of WebAuthn in WebKit, the web browser engine behind Safari on desktop and iOS. Web authentication, or WebAuthn for short, is the newest version of the standard for using devices like hardware security keys on websites, for either second-factor or even first-factor authentication. Someday soon, Safari users will be able to use the strong hardware security keys with the browser.

GT: As we mentioned when we were talking about two-factor authentication methods, WebAuthn and U2F (the current way of using hardware security keys) are by far the strongest form of two-factor authentication because your browser gets to communicate the name of the website. This prevents phishing attacks, where you might be convinced to type in a six-digit code from SMS or an authenticator app on a malicious website.

LD: WebAuthn doesn't strictly require a physically separate hardware key, and one thing they're looking at is using iOS's Touch ID or Face ID as the second factor - which isn't exactly a second factor in the technical sense, if your password is also saved on your phone's password manager, but it's certainly a lot more convenient and a lot more secure than entering a token from SMS or from an authenticator app.

GT: I'd actually say it's about as secure as a separate hardware token, because it is separate hardware inside the phone that won't complete the authentication unless it sees your Touch ID or Face ID succeed. There's no way to just copy the secret out of there. And I think many people who have a security key just carry it in the same pocket or purse as their phone, anyway.

LD: Yeah, it's interesting that we're moving a little bit away from the traditional definition of two-factor authentication. There are some plans to suggest using WebAuthn as the first and only factor, which could be cool: the separate security chip on your phone is much more secure than any password you have. And it's generally recommended to put your passwords inside a password manager anyway, which is protected by whatever you're using to lock your device.

LD: Remember a couple episodes ago when we talked about Fortnite, the popular online game that is circumventing the Google Play Store on Android?

GT: Yeah, they're doing something to incentivize two factor.

LD: Wait, no, there's bad news first. Their installer...

GT: Oh no.

LD: Their installer had a bug where any other app on the phone could overwrite the Fortnite app after it was downloaded but before it was installed, running silently and potentially with full permissions.

GT: Oh, no.

LD: It's a little subtler than a regular man-in-the-middle attack: it did verify the download, but it downloaded it to a place where any other app that's already installed could also write to. So it's a good way for a malicious app to gain permissions.

GT: So this is exactly what we were worried about with the non-Google Play distribution model: because your phone had the box checked to install non-Play Store apps, you could accidentally get anything installed on your phone if something went wrong.

LD: The bug was discovered by an engineer at Google, who disclosed it in accordance with Google's usual policy: seven days after it's publicly fixed. Epic Games, the maker of Fortnite, was not pleased about this.

GT: Should I still talk about their two-factor authentication incentive?

LD: Sure, it's kind of cool, although it probably won't make up for this mistake.

GT: Okay. So, if you set up two-factor authentication for your Fortnite account, your character in the game will get a special, uh, dance move, I think? It's an emote called "Boogie Down."

LD: I'm not really sure what that means either, but it sounds like it could introduce two-factor authentication to Fortnite's massive audience - more than 125 million players. If even a fraction of them start using it and start to think about setting up two-factor authentication for the rest of their accounts, that would be a huge boost to security.

GT: Fortnite supports two-factor authentication over either email or using an authenticator app. As we mentioned in our episode on two-factor authentication, we highly recommend using an authenticator app on a phone you trust over just email, and we also talked about backup options in that episode.

LD: Still, this isn't going to help you if you have malware on your phone. You're just entering your login credentials and your two-factor credentials into a compromised app.

GT: I sort of feel for the engineering team here. It sounds like they were pressured into doing something risky, setting up this non-Play Store installer, out of money-making concerns. And they do seem like they care about security in general: adding a nice giveaway for two-factor is a great idea if you can do it, and they did respond very quickly to Google's report.

LD: Yeah, now I'm wondering what other apps could do to encourage people to turn on two-factor authentication. Extra colors for the Gmail labels? Maybe Trello would let me use an extra power-up with my free account, so that I could both have repeating reminders and a calendar to view them in.

GT: Yeah!

LD: In a bit of news about us, Geoffrey and I are going to be at the XOXO Festival in Portland this weekend. If you're there, we'd love to meet you!

GT: We'll have some Loose Leaf Security stickers and pins, and Liz also made a special zine that's a two-factor authentication primer.

LD: And similar to how Fortnite is giving away free dance moves to people who enable two-factor, we're giving away pins to people who do! Come see us to get a pin once you've enabled two-factor on an account that didn't previously have it, or if you've already set up second factors for all of your accounts that support them.

GT: Honor system, and while supplies last.

LD: And, of course, we'd love to chat security and podcasting with anyone who's interested.

Transition music plays.

LD: And now for our main segment: a bunch of security mishaps and some other fun anecdotes. I mentioned at the start of our episode on securing your phone that I actually lost an iPhone I had in college.

GT: Oh yeah, losing your phone in college is probably kind of painful, if people are trying to call you or text you to get in touch with you.

LD: Actually that didn't really come up. Most people at my university were communicating over IM, and I was already carrying my laptop everywhere. That didn't impact my day-to-day life too much.

GT: Did you end up finding your phone?

LD: Yeah! So it was actually in a basement bathroom in one of my school's buildings. It was Mystery Hunt, and our team was in a big room in the basement. I guess at some point I put my phone down in a toilet seat cover holder?

GT: Like one of those things behind the toilet that's got... I guess it's got a shelf there.

LD: Well, it's actually to the left of the toilet for some reason.

GT: Oh yeah, OK.

LD: I don't really remember doing that because I'm pretty sure I was wearing jeans that had pockets all the time then. Anyway, I ended up finding it there a few days later when Mystery Hunt was totally over, and I was really relieved. It turned out that this is probably the first time that I really thought about security. I feel like I was following the rules on having strong passwords and trying to keep my data private on social media and stuff, but I didn't actually think about what would happen if I lost something, because I just assumed that would never happen to me. So this was actually the first time I had trouble accessing an account with two-factor on it.

GT: Oh yeah, if you don't have backups, then you're like, "I guess I don't have my phone any more, what am I supposed to do?"

LD: Yeah, it was a little embarrassing, but fortunately no one really found out because it was only a couple of days. You actually lost your phone a lot more recently though?

GT: Yeah, well, I knew where it was, but it slipped out of my hand when I was taking the elevator up to my apartment and it fell like ten stories down. I'm not actually sure it fell ten stories down immediately because I could see a blue light, which I think was my phone's background. I asked my roommate to send me a text and it showed up as received, like Signal shows you when a message has been received, so I think it was on. The building's super isn't around on weekends, so I emailed the super and said, "Hey, I dropped my phone in the elevator shaft, we should probably do something about this." The super came in on Monday. Monday I found it. It was at the bottom of the shaft and it was intact, which is kind of surprising -

LD: Oh, that's good!

GT: But it was bent and would not power on.

LD: Oh, less good.

GT: So I ended up switching to an Android phone that I had, which was kind of not great for security because it was a pretty out-of-date Android that I bought I think in 2015 and I don't think it got any security updates past 2016.

LD: That's so many years out of date!

GT: Yeah, I know. Well, I was careful not to install very much on there, do very much with it other than have it around as my cell phone.

LD: That's good.

GT: It was my phone I was using for two-factor backups, so, most things were okay - at least the things I had remembered to put backups on. The embarrassing part was I was like, "You know what I'm going to do this weekend? I'm going to make sure I have copies of all my two-factor codes on both my old Android and my current iPhone." Before I got to do that I broke my iPhone.

LD: Oh, so that's why you kept texting me and asking me to give you some two-factor codes for social media.

GT: Yeah, 'cause I had a couple of things like my personal email and so forth, so I was fine on that, but new stuff, like Instagram or Twitter for this podcast, I definitely had not copied over to my Android. So yeah, that was what happened.

LD: Have you done anything to make sure that all your two-factor codes are in place now?

GT: Yeah! So I'm using 1Password to manage my passwords and 1Password has this cool feature where it will tell you, these accounts support two-factor and you haven't enabled it.

LD: Oh yeah, that's in the Watchtower.

GT: Watchtower. Yeah. They have their own built-in two factor and that's how they measure this. And it's not super documented that you can do this, but if you add the tag 2fa to any saved password, 1Password will just assume that you've got 2FA set up somewhere, so you can use that to figure out what accounts you've set up 2FA on and what ones you haven't. And then I also started tagging it with like where the 2FA is, so I have 2fa_iphone, 2fa_android, 2fa_yubikey for the things I have on my U2F key, and so forth.

LD: Oh yeah, I do that too except that my YubiKey one is called chouxbikey because my laptop is named choux.

GT: Chew-bikey?

LD: I name everything after French pastries.

GT: Oh, okay, not like chewing, okay.

LD: No, that would be a little different.

GT: That would be a little weird. I did have most things covered, at least as far as I could tell, but I was really worried about losing access to one account which I hadn't put a backup on, which was my Amazon Web Services account for a couple of particularly secure files. It's a little complicated why I decided the cloud was the right place to put things, but I did. It turns out that Amazon Web Services has email and phone account recovery. So if you say, "I've lost my two-factor device," what they'll do is they'll send you an email, and then they'll also give you a phone call with the phone they verified when you set up your account, and they'll say, "Okay, sure, we disabled two-factor on your account, you can go set it up again." Which was incredibly convenient for me, because otherwise I would have permanently lost access.

LD: But probably not the best idea for "Here's my really secure information."

GT: Yeah, I'm now rethinking this. You know, if you're running a company on Amazon Web Services you should think about, is your phone secure enough, like your phone number, your SIM, secure enough that this isn't a realistic attack against your account? But, I guess you have to have access to both your email and your phone, so it's pretty okay. We did talk about this a little bit in our two-factor episode that it's worth checking what happens when something goes wrong. And I know that I had checked the box with my email provider saying, if something goes wrong, block access to my account, don't even let customer service remove two-factor. And if I had done that and I hadn't had backups, I would be in a really, really bad position.

LD: Yeah, but Amazon doesn't even let you do that, so...

GT: Yeah.

LD: Did you lose any photos or anything?

GT: Yeah, I don't actually set up iCloud Backup because I've been paranoid about iCloud Backups ever since the, what was it, 2014, a bunch of celebrities got hacked?

LD: Yeah.

GT: I just don't back up anything on my phone unless I send it to a service, like unless I specifically say I want to put this photo on Instagram or copy it to my computer somewhere.

LD: Right.

GT: So, I know I lost a ton of photos but I don't really know that I care about any of those photos? I'm sure I just accidentally took some pictures of a bruise on my leg that I was texting to my doctor's office.

LD: Ewww.

GT: And I was like, no one needs backups of that.

LD: Yeah, you don't want that.

GT: The one thing I was kind of sad about losing that I didn't even think at all about backing up: there are a couple of mobile games, Japanese role-playing games that I play on my phone, and those, like, you go through progress in a story and you randomly get some characters and things, and I'd gotten like two chapters into one of these and now I just have no way to access that account.

LD: Aw. I hope it didn't have any, like, time-limited events.

GT: Yeah, I had gotten partway through one time-limited event and that was a little sad. I'm sort of curious now, honestly, because I have the phone intact, you know, what my recovery options are. I'm going to try to take it to an electronics lab and play around with it, but because of the Secure Element and all of that, like I think - unless I can wire the phone back together and get it to boot up, I don't think there's a way I can get the data off of it. Which, honestly, seems good, but it's a lesson for me to be more sure about what my backups are.

LD: Yeah, so you got a new phone? You're not still using that weird Android?

GT: No, I got a replacement, I honestly got the same model because I still think all the new iPhones are way too big, and one of the weird things about it was it does enable iCloud Backup by default. Even if you'd previously disabled it, it doesn't remember that. So I had to go in and say, oh, it just backed up everything, I'm going to undo that.

LD: Yeah, my iPad also tried to do that pretty recently and I was really confused.

GT: So, I'm pretty set I think at the moment but now I'm very much more aware, I can't just say, "I'm not going to lose my phone, my two-factor is going to be fine." I didn't lose it - I knew exactly what happened to it - but it was not great.

Transition music plays.

GT: Oh, I got another completely random story from freshman year of college, or summer after freshman year.

LD: Oh, this is going to be good.

GT: OK, so, I was not quite as conscientious about security as I am now, and I was on a plane and I was using my laptop, and I noticed that my laptop was like, the fans were turning on and it looked like it was busy. And I opened up a process list and tried to figure out what's going on, and I saw a bunch of processes running as the guest account that were trying to send email.

LD: How did you have the guest account doing anything on your computer while you were on a plane?

GT: I pieced together what I think happened, which is I made two separate decisions without realizing the other. One was that I wanted a remote login for my laptop.

LD: Okay... this was a very popular thing when we were in school.

GT: Yeah, like, I dunno, I want to leave my laptop in my dorm room and I want to be able to log into it from one of the campus computers somewhere.

GT: And then the other decision was that I wanted to enable the guest account on my laptop. So if someone, you know, wants to borrow my laptop for a second, I don't want them using the regular web browser, I'll have them use the guest account.

LD: Yeah, and I think that's generally before, like, people profiles existed.

GT: I didn't really think about the fact that when you combine these two I now have a guest account that is remotely login-able.

LD: Ahh.

GT: And, back until like a year or two ago actually, my college would give out publicly accessible internet addresses to anyone who was on the campus network. Which was kind of great - you just set up a web server in your dorm and it's just immediately accessible to the entire internet and you don't have to think about it - but I'm pretty sure at some point, someone was like, "I'm going to try logging in as guest to everything on the internet," because people do that.

LD: Well, or also even just everything on our school.

GT: At some point, someone was just, "I'm a spam network, and I would like more computers to join my spambots, and, oh, look, it's a guest account that I can log into remotely." And then when I got in the plane and I didn't have an internet connection, it just kept retrying to send spam and that's the only time I noticed, and I'm pretty sure it had been like that for, like, weeks at that point. And I only noticed because I had been offline for the first time.

LD: Did you ever figure out who it was spamming?

GT: I have no idea. I think I just deleted it and shut down the guest account and was like, "I'm stopping this as fast as I can."

LD: That seems like a good idea. Yeah, it's really tough to make sure that when you're making a security decision that it takes in the whole picture of what you're doing.

GT: Right.

LD: Speaking of unexpected consequences... remember when I got my new YubiKey Nano?

GT: And you kept sending me ... stuff.

LD: cccjq257... uh, yeah - so it turns out it has this feature to generate one-time passwords and it just generates a random string of characters and then hits Enter for you. Which, I'm not really sure actually when I'm going to use this, but I would just move my laptop around on my lap and I would tap my Nano and then all of a sudden all of my friends were getting ccvqj2 and it was just, no one wanted that.

GT: I honestly don't totally understand why this is on by default because I would think you need to set it up with some site and like coordinate it, and maybe you could just turn it on at that point? So I don't know why it ships this way.

LD: Well, it doesn't really seem to have a way to turn it off, at least one that's natively supported? I searched for a long time for different solutions to this. Some people wrote some really heavy software that I could have plugged into my Mac that would have given me a little button in the top that I could have clicked "Turn the YubiKey on now," click "Turn the YubiKey off now." But I wasn't really excited about kinda auditing this software. I haven't written all of those types of code in my life and I don't want something unintended to happen, just to, you know, disable a feature.

GT: This is some random open-source thing that somebody just put together, right?

LD: Yeah, it's just something on GitHub.

GT: It's honestly very great that we live in a world where people are doing this and just being like, "I fixed this problem, here is a bunch of code." I don't really know if I am super comfortable with the security implications of that.

LD: Exactly. I looked it up and YubiKey had a recommended option which is to switch it from slot 1 to slot 2.

GT: What does that mean?

LD: I'm not entirely sure what that's supposed to mean, but what it means in practice is that, instead of just tapping it to generate that password, I have to hold it for three seconds. This still happens occasionally and it seems to only happen in group chat that I really don't want to be spamming people.

GT: Great.

LD: Because I guess I just like come home at night and settle in and I'm like "Group chat time," and I cross my legs and my laptop's in a whole new position and then I hold it for three seconds, and then, bam. And yeah, just like you said, literally everyone has asked me, "Did you get a cat? Why didn't you tell me? You should have told me! I love cats!" And I'm like, nope, I still don't think I'd be a good pet parent.

GT: Yeah, it is not a cat that's typing on your keyboard. Yeah. So I have the less-comfortable model of the YubiKey, the longer one that is like, you can't just leave it plugged in all the time, it usually sits on your keychain. So, like, I guess the same thing would happen to me if I tapped it, but usually I just leave it on my keychain, I plug it in when I need it and I unplug it immediately.

LD: Yeah, I'm not sure if I want to stick with this type of model. I kind of figured I should just try it out and in the worst case I would have this YubiKey Nano cat fun-time just become like my backup key, so I could just leave it where I keep my passport and my birth certificate and have all the things that I have two-factor via hardware key just on that in case I ever lose access on some other hardware key. But I figured I should give it a go first and see how it works, because I usually keep my laptop with me.

GT: And that's a good point, I should probably get a backup YubiKey at some point, or a backup security key in general.

LD: Yeah! Backing up your two-factor is probably the greatest thing.

GT: That's kind of the theme of today.

LD: It really is! Everyone should back up their two-factor!

Transition music plays.

LD: That's all the security stories we have time for today, folks.

GT: Come back again in two weeks for a discussion on how sharing your photos might accidentally leak location information. And if you're at XOXO this weekend, come say hi to us!

LD: One last thing before you go, if you're curious about the work of some other rad podcasters we're hoping to run into at XOXO, consider checking out Flash Forward, a podcast where Rose Eveleth looks into a possible or not-so-possible future and discusses what that future might be like with today's experts, and also Lingthusiasm, a podcast that's enthusiastic about linguistics, hosted by linguists Lauren Gawne and Gretchen McCulloch.

GT: Flash Forward ran a live show at XOXO 2016, "Death Date," about a future where you could find out what day you were going to die. I didn't go to XOXO that year, and I'm sad I missed it.

LD: Rose put on this interactive show and let the audience choose their adventure stemming from whether or not they wanted to know when they'd die, and I was really surprised by how split the audience was! I definitely do not want to know when I'd die.

GT: Oh, I would.

LD: Really?

GT: Yeah!

LD: While you can't travel back in time to 2016, you can check out Flash Forward's episode on finding out your death date.

GT: Also Lingthusiasm's latest episode sounded pretty interesting, but I haven't gotten to it yet.

LD: Yeah! It's all about language's negative space, the silence in between sounds.

GT: Oh yeah, you're always telling me that I pause at strange ... points in the middle of the sentence, and you have to keep editing them out.

LD: Ugh, I'll have to edit out that one, too!

GT: Oh, sorry.

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.