
Dead Folks Tell No Tales

BSides Peru · 2019 · 49:24 · 72 views · Published 2019-07 · Watch on YouTube ↗
Speaker: Kevin Cody
Style: Talk
About this talk
Kevin Cody examines how strong authentication and multi-factor authentication create barriers for next-of-kin trying to access digital assets after death. The talk evaluates recovery mechanisms in password vaults, social media, and financial services, then proposes both high-tech (distributed backups, password sharding) and low-tech (safe deposit boxes, printed QR codes) solutions for bequeathing digital assets securely.
Original YouTube description
KEVIN CODY

Death, wills, estate planning... I get it, this is not a topic that many people want to discuss. However, take a moment to think about the sophisticated authentication and authorization systems we use today. Does your significant other or family have everything they need to access, archive, and disseminate the digital lives that we technologists live? Furthermore, with more and more services accepting the use of multi-factor authentication, are you adequately prepared for anyone outside of yourself to authorize access? This presentation will break down different types of authentication technology and the barriers that might face your next-of-kin, in the event that an untimely (but ultimately inevitable) situation arises. Additionally, this talk will evaluate the risks and benefits of the current beneficiary recovery mechanisms available within password vaults, social media, financial services, and more. If the goal is to have strong authentication without single points of failure, we need to plan ahead and think of how we can bequeath our digital assets; this presentation will educate and implore you to do just that.

Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. In his spare time, Kevin can be found attempting to repair something (via online DIY videos), reading tech books, fishing, or simply spending time with his wife and children.
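The summary above lists password sharding as one of the talk's high-tech options for handing a vault master password to next-of-kin without creating a single point of failure. The block below is an added illustration of that idea; it is not code from the talk, from the speaker, or from any password manager. It reads "password sharding" as Shamir-style threshold secret sharing, which is my assumption about the technique meant, and the sample password, share count and threshold are constructed for the example.

```python
"""Threshold secret sharing for a vault master password (added example).

The master password is split into n shares; any k of them rebuild it, and
k-1 of them reveal nothing about it. Arithmetic is over GF(2^8) with the
AES reduction polynomial, so every share is a byte string the same length
as the secret and can be printed as hex, put in a QR code, or handed to a
different person (spouse, attorney, safe deposit box)."""
import secrets
from typing import Dict, List, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements, reducing by x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 == 1 for every nonzero a)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial whose coefficients live in GF(256)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, k: int, n: int) -> Dict[int, bytes]:
    """Split `secret` into n shares indexed 1..n; any k of them rebuild it."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 1 < k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        # Coefficient 0 is the secret byte; the other k-1 coefficients are
        # fresh random bytes, which is what makes k-1 shares uninformative.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            shares[x].append(eval_poly(coeffs, x))
    return {x: bytes(v) for x, v in shares.items()}


def recover_secret(shares: Dict[int, bytes]) -> bytes:
    """Lagrange interpolation at x = 0 over any subset of at least k shares."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xi in xs:
            # Basis value L_i(0) = prod_{j != i} x_j / (x_i - x_j);
            # in characteristic 2 subtraction is XOR and signs vanish.
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> Tuple[bytes, bytes, bool]:
    """Split a constructed master password 3-of-5 and show what k and k-1 shares give."""
    master = b"correct horse battery staple"  # constructed sample, not a real password
    shares = split_secret(master, k=3, n=5)
    # Any three holders (say shares 1, 3 and 5) rebuild the password exactly.
    rebuilt = recover_secret({x: shares[x] for x in (1, 3, 5)})
    # Two holders get bytes unrelated to the password; the function cannot tell.
    partial = recover_secret({x: shares[x] for x in (2, 4)})
    return master, rebuilt, partial == master


if __name__ == "__main__":
    master, rebuilt, partial_matches = demo()
    print("rebuilt matches:", rebuilt == master)
    print("two shares match:", partial_matches)
    for x, s in split_secret(master, k=3, n=5).items():
        print(f"share {x}: {s.hex()}")
```

Two practical points follow from the code: `recover_secret` returns a value for any number of shares, so the threshold k must be recorded with the shares and the rebuilt password verified against the vault rather than trusted on sight; and each share is useless without its x index, so the index has to be stored alongside the share (for example printed with it) rather than assumed from the order the envelopes are opened.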
Transcript [en]

Okay, so BSides Pittsburgh would like to take a couple of moments and recognize our platinum sponsors: TrustedSec, SecureWorks, Check Point, Cyber Crucible, Brown tower, Ethical Intruder, Cybereason, burrowed in', XM Cyber, Area 1, IBM, CrowdStrike, LogRhythm, Optiv, and FireEye. Thank you all for your support of the conference and helping to make this happen. So the next speaker that I will be introducing is Mr. Kevin Cody, who will be presenting on a topic called Dead Folks Tell No Tales. A little bit about Kevin: Kevin Cody is a principal application security consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking web and mobile applications, he's also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. In his spare time, Kevin can be found attempting to repair something via online DIY videos, reading tech books, fishing, or simply spending time with his wife and children. Without further ado, let's welcome Kevin Cody.

Thanks. So nothing is quite as awkward as standing two feet from someone reading your own bio; it sounded a lot better on paper. So, uh, yeah, thanks for all coming. I know it's three o'clock; BSides talks are usually much more well attended earlier in the morning. I think that's because it's pre-lunch, pre-booze, pre-whatever you want to do at the end of the day on the Friday, but you're all here. I hope you'll be able to take something from this. I thank you all for coming in and supporting both BSides Pittsburgh and myself. So, yeah, we're gonna talk about Dead Folks Tell No Tales.

So quickly, although the intro was excellent: that's me. Last year I got the black badge of honor here at BSides Pittsburgh. BSides Pittsburgh is my favorite conference, bar none. But, yeah, so he mentioned that I am a principal application security consultant, about to start my next chapter. I'm currently unemployed for today, because I started something new on Monday, so that'll be fun. I'm a locksport guy. If you haven't had a chance to go to the lockpick village, I created a pretty fun game with white sand and gifts and all kinds of fun stuff. So the lockpick village is all the way on the other side of the venue this year with the CTF room, and we're gonna be doing one more competition where we're gonna be giving away some prizes. So please join the lockpick village if you haven't done that yet, and after this talk I might even be able to give you a hand and show you how to do that if you haven't done a lot.

And I'm an eternal student, mentee, and hopefully mentor. So if you're looking for a mentor, you're interested in getting into AppSec, you have questions, concerns, come to me. I'm on Slack, I'm on Twitter, I'm on LinkedIn; hit me up. Happy to guide you in the right direction, or even more if needed. Enough about me; we're gonna get into some interesting topics.

So just a quick warning: I am NOT a lawyer. I don't even play one on TV. I'm an AppSec guy, I'm a hacker, that's me. If you have any concerns, questions, comments about the subject of this talk, please go consult an estate attorney. This is some serious stuff. Things change quite rapidly in this space, and I am not liable nor reliable enough to tell you how you should handle your end affairs. So please take some of this and move forward. I am, yeah, it's kind of like a lawyer but half; half is good.

So I'm gonna be talking about death. The honest-to-goodness truth is I'm talking about giving away your stuff, getting access to your stuff after your life. So if this isn't a subject you want to talk about, if you feel uncomfortable about it, if you're dealing with something personally, I totally get it. There's an awesome talk next door, there's booze, there's drinks, there's coffee; help yourself. But I certainly am not here to bring up any bad memories or anything like that, and
policies that I'm gonna be talking about may change in the future. So, you know, if Facebook or Google or whatever decide to change how they handle things, what's required, you know, unfortunately those things are out of my control, but I can hopefully give you a nugget to take back and move forward.

So after all that, why are we here? What are we doing here? So I'm gonna start this off with a story. It's a personal story, but it's honestly where I started thinking about the subject. So a few years ago, actually about seven years ago, I was in my mid-20s, just started a new job. It was literally a weekend, and I felt something off; something wasn't quite right. My wife happened to be in Germany visiting her brother at the time. It was just me; I was on FaceTime with my wife and said, hey, something's not right, I think I need to go to the doctor, you know, there's an issue. And of course she's halfway around the world and she's asking me questions: what are we gonna do about this, what's gonna happen here? So, well, one thing at a time. So I go to the doctor, and sure enough, I went on a Saturday, and Monday morning my doctor calls and I've got cancer. I need to go have an operation first thing Monday morning, actually, I'm sorry, Tuesday morning, because he called me on Monday. And luckily my wife was able to get home from Germany, and it was all good. Operation, everything was set, no chemo, no radiation; I'm as healthy as a horse now.

But during that time I started thinking: I handle all of our finances, I handle the taxes, I handle all of that stuff, and it started me thinking, what would happen if I wasn't here tomorrow? What would happen if my wife needed to get access to my password manager or my iPhone or what have you? Are we properly planning for these events? Because it's very serious. I'm gonna go over a lot of scenarios here that will hopefully have you thinking to yourself, what would I do in that situation, how would I handle this, or, I never even thought about that situation. That's really all I'm here to prime and prepare you to do: to have those difficult discussions and have those conversations internally with your friends, family and what have you. But I am a technologist, so I'm gonna break down some of the technical terms and hopefully do some education as well, because I see a lot of familiar faces, even faces who are calling me out for my spelling, and a lot of people are coming here to me because you're used to the technical content that I deliver. So I'm gonna hopefully give you a little bit of that, but honestly this is more of a soft skills, this is more of a conversational type topic. So, yeah, that's the story.

So, yeah, we're gonna go over authentication, talk about some of the different paradigms that are widely in use today. I'm gonna go over some password vaulting solutions and discuss some of the pros, cons and issues with those. I'm gonna hit on federated authentication. I'm gonna talk about why we need to bequeath; I think I hinted on that enough in my story, but it should be pretty obvious after we're going through this stuff. I'm gonna go over some policies, terms and conditions, and I'm gonna wrap up.

So authentication, at its core, right, is something you have, know, or are, right? Those are the three pillars of
authentication. So most of us are familiar with your username and your password, right? That's typical. You know, in the early days of UNIX, you know, it was an open system and people just used time sharing option and didn't really have usernames or passwords, and then, you know, we evolved into this multi-user computing and we started equipping usernames with passwords and private files and whatnot. So that's really the tried and true. As things continued to progress we went to using biometrics, right, something you are, and I'll go into more about different types of biometric authentication. We also have tokens or certificates; those are things that we have. They're not secrets per se, but they're objects that we hold on to. So you might be familiar with YubiKeys or TLS certificates or SSH certificates or whatnot. These are the things that you have in your possession, very similar to a key to a house.

And then of course there's multiples of what I just mentioned, and that's when you start talking about multi-factor authentication. That's using one or more from those three groups: it's something you have and know, or something you are and have, etc. True multi-factor authentication is not two from one group. So if you need a password and a PIN, that's not multi-factor authentication; those are two things that you know.

So next is 2-step verification. So this is very, very popular right now. Are folks familiar with 2-step verification, where you log into your bank and then they text you a code and you put that code back into your bank? That's 2-step verification. It's not necessarily multi-factor, although you do have access to something that lets you receive that code, so it's kind of hybrid. You have something, but there are some problems with that thing that you have, particularly with SMS. So there's this thing called SIM swapping. It's very popular right now in the hands of bad guys when it comes to Bitcoin or, believe it or not, like Instagram accounts, and getting access to, you know, basically things that are protected with SMS short codes using this two-factor verification. And as always, the weakest link in this scenario is gonna be the carrier, right? I happened to work for a carrier for four years. I know many, many calls, many, many situations where you try to authenticate someone, you try to get their password, you try to get, you know, whatever it is that you need for them to verify themselves, and they don't have it or they forgot it, or, you know, they're trying to rush you and you're trying to do everything you can do to resolve the call. And the first time they call you, or you help them when they're standing in front of you and you forgot to verify who they were, they didn't tell you the PIN or you didn't do something in the right order... Well, everything that has to do with 2-step verification hinges on the fact that you are the sole owner or person who has access to this device, this phone, this laptop that gets my messages, whatever the case may be. And it's to the point where NIST, the National Institute of Standards and Technology, in the Special Publication 800-63B, has even said SMS 2-step verification is deprecated. The interesting part of that is they didn't even acknowledge SMS two-factor verification until this publication, so they introduced it and deprecated it in the same document. What does that tell you? It's just really not up to snuff compared to the other two, three factors that we talked about. Now, all of that said, it's still better than nothing.

Show of hands: who's heard of credential stuffing? Whoa, that's a lot of hands. Really awesome. All right, well, I'm not gonna take a long time on this, though. So credential stuffing is taking leaked creds from databases and putting them into forms on different databases, right? So take your leaked creds from LinkedIn from 2011, put them into your Facebook account and see if those creds still work. That's credential stuffing. But 90% of you have already heard of that, which is awesome; it was not the case five years ago, right? So what does 2FA, two-step verification, stop? It stops credential stuffing, right? Your random attacker who gets your pwned passwords from some dark web or some, you know, stale database on Pastebin somewhere, they're gonna run into this issue where, uh-oh, there's an SMS, you know, going out of band. 90% or 99% of accounts aren't going to be worth that attacker then taking that and trying to do a SIM swapping attack or trying to social engineer your Verizon account to get them to switch the number into yours or what have you, right? So it's still better than nothing. I'm not telling you to go home and disable 2-step verification to then back up to only passwords; that'd be silly, right? But there's obviously
better options out there. One of those better options are TOTP and HOTP. So who here, there better be less hands this time or I might just walk off stage, who here is familiar with TOTP and HOTP? All right, less hands, okay. So time-based one-time passwords or HMAC-based one-time passwords, right? OTP is the same across. So one-time passwords are these codes that you see with apps like Google Authenticator or Duo or Authy. There's these rolling codes, and it's somewhat similar to if you've ever used an RSA token, except for you don't have a token, right? That's being done on the application, and the protocol that is with the exchange of those tokens and how the server matches up which tokens you should have and allows you are TOTP and HOTP.

So the secrets to that exchange, whenever you get the secret to start that handshake, that's everything. If someone can get access to the secret key of your TOTP or HOTP initiation, it's all over. Where do you think that secret is? Hint: it's the large image on the screen right now. Where is that image at, or where's that secret at? The QR code. Oh, sorry, the QR code. QR codes are everything. I can tell you one time I was doing an application assessment and I saw a situation where there was a QR code that was generated, and that QR code was generated from a Google service, and that Google service just accepted, like, okay, this is the message I want in the QR code, send it to me in the URL, okay, now here's a QR code back. Okay, and then the client then scanned the QR code in the application. Everything on the surface looked okay, but what was actually happening was the secret was sent in the URL, so it's cached in a bunch of places in your browser, and then the QR code, when it got back to your browser, was cached locally in your browser. So now anyone who has access to your computer could go out and scan that QR code. And the Google service that did it all said right in the Terms of Service, don't use this for anything critical or secret, and it was a deprecated Google service. So it was like four strikes, you're out. It was terrible. But what I'm trying to get at here is the QR code is everything in this process; the transfer of the secret is everything.

When it comes down to TOTP versus HOTP, I'm not gonna harp on that today. One's time-based, one's HMAC-based. You can really tell the difference if you open up your Google app or your Duo app: if it's rolling every 30 seconds, it's time-based; if it's static until you submit it and then you get a new one, it's HMAC-based. But behind the scenes you're really just extrapolating that one-time password, that out-of-band verification, from the SMS portion, which is inherently flawed, right? So TOTP, HOTP: infinitely better than SMS.

Then there's this thing called FIDO, which is Fast IDentity Online. The roots of FIDO were in these protocols called UAF and U2F. UAF was a Universal Authentication Framework; U2F was a Universal Second Factor. There's a lot of detail in here. I'm going to show you a quick flow diagram here coming up, but what you should know is the protocol is typically rooted in some type of secure enclave, as Apple would call it, your Secure Enclave, or a trusted platform module, or HSM, or basically this special chip that is read-only and does trusted
computations. And, let me skip ahead, I'll just show you how this works. So you have an application and you're using FIDO as a second factor or a secret confirmation. So the client is your app, could be a web app, could be a mobile app, whatever the case may be. The server is whatever business you're doing business with, and the user, of course, is you. So you log in to the application using your username and password. The FIDO service comes back and says, hey, this is what I know how to talk, this is what I can do, let's give you some options, make sure you have all these different things, and if so, let's start this thing. So you can see here that the requirements and the attributes are: this person has to have a TPM, a place that I can do these cryptographic safe operations in a safe way; I offer the ability to do fingerprint auth, face authentication, voice authentication, basically biometric authentication. I feed the response into the user, and the user says, hey, this is what I want to do, and they enroll. And when that enrollment takes place, some type of secret is generated at that first handshake and then it's sent over from the server. From that point on, there's this challenge-response type handshake that happens every time you use the service, and because you started off with a known state, you did a cryptographic operation and then sent back the response, the server can repeat that process over and over again and confirm that it's you.

And there's a lot more detail that goes into this process, but what you should know is there were basically two protocols that came out of that. There's a universal two-factor, basically a way for anyone out there to use this as a second-factor authentication, and then there was also the Universal Authentication Framework, which is basically using this as your identity. This was you; you could log into a machine without any type of extra auth. And out of that process WebAuthn was born, which now is FIDO2. And if you're familiar with, like, Windows Hello, or actually even Twitter now offers the WebAuthn standard, that is basically the evolution of the FIDO protocol, and the underpinnings are the same things you see here in the flow chart, but there are some additional handshakes, there's additional requirements or whatnot. But this is the whole idea of FIDO, and you can see where we kind of took the idea of the, okay, I get a code from someone or I put the code in, you verify it, and we kind of amped that up. We took the process of not only are you, or is the server, sending you something which you're verifying and sending back, you're using a portion of you which is unique to you, being fingerprint or face or voice, and we're doing a cryptographic operation on that and proving that it is the person who originally subscribed to this method, right? So FIDO is really, really interesting and cool.

So then, I briefly touched on this before: certificates, right? These are things that we have. You might be familiar with certificates from SSH, or mutual TLS certificates, or PIV cards if you're from the government type, right? You had the old gov PIV smart cards. But basically there isn't much verification of who you are other than the fact that you have possession of this thing. Again, it's not much different than a key. If we take that a step further, there's a key to our front door; the door is expecting this key; if you put the key in, everything lines up, the door opens. If we take that same thought and extrapolate that out to certificates and TLS: if you could imagine an entity that had all the keys to all the houses on your street and in your city, and that entity said, you're this person, here's your key; you're this person, here's your key; you're this person, here's your key. That's the trust that we're putting into our certificate authorities. We're trusting that those certificate authorities are properly vetting who people say they are and giving out the proper keys and saying that, yes, you are going to this person, you have that trust, you're good to go. Mutual TLS is basically without the certificate authority. This is where you have a TLS cert and you're presenting that to someone who's verifying. I went on this before; not going to go into this in huge detail.

But of course there's all the biometric things: Touch ID, Android fingerprint sensor, iris scans, face detection, voice recognition, hand prints, combinations of, you know, basically anything that you can do. I just read or heard about a new laser that someone's using that detects your heart cadence, and they can tell by your heart palpitations that you are who you are. I don't know, but these are things that you can't change about yourself without some serious, like, plastic surgery and Mission Impossible or something.

Okay, who here uses a password vault? Keep your hands up, keep your hands up. I want you to look to your left or look to your right, and if you see one of your friends or family who aren't using password vaults, your homework is to help introduce password vaulting to that person. You know, you're getting homework today. You're the TA; I want you to check the homework and make sure that this is done. All right, so password managers: there's two types of password managers. There's online password managers and there's offline password managers. Of course, it's however cloud-comfortable you are with that.
There's all kinds of security and mechanisms and thousands of rounds of key derivation and all kinds of fun stuff that goes into protecting your identity, and only you can open this, and so on and so forth. But the idea behind a password manager, right, is that you have a single key that unlocks all of your other keys. So it's like when you go to the car dealership and they have that box on the wall, and they put a key in and they open that box, and there are all the keys to all the other cars. That's probably like an '80s reference; I think they have a machine, like a vending machine, that divvies them out now. Yeah, I've seen them. Anyway, so that's the idea behind this: you possess the key box, you possess the key in your mind that opens the key box. So of course knowing that password, knowing that initial password, is still extremely important, but inside of that key box is a bunch of other keys you don't necessarily even need to know.

And one of the really cool benefits of a password vault or password manager is it can do verification for you to make sure you're putting the password into the correct site, right? So when you visit a site, if you have the browser add-in added to, you know, your phone or your browser, what have you, it'll actually pop up and say, hey, this is Facebook, this is your password for Facebook, log in. If someone sends you a phish or social engineering, and they send you facebook but instead of the 'a' it's the, you know, Punycode version of 'a' with a little dot, but you can't see the little dot because it's above the fold, whatever the case is, your password manager won't offer your Facebook password for you to log in with, right? So that's a huge benefit to password managers and vaults. And the fact is, I just ended my job yesterday with my consulting company. I knew one password for all of the hundreds of systems and client systems and all the stuff that I logged into. I knew one password, and that was to get into my password vault. Yesterday, when I turned in my computer, I can honestly say I have no access to anything, and it's not because they revoked the access, which I'm sure they did, but it's because I never knew any passwords, anything, right? Password managers are awesome. And they're even coming to the point of they have scraped the internet and have confirmed what different password requirements are for this site and that site and this, and they can help you create the most entropy-rich password for a certain site. So creating a bunch of unique passwords for every site you've ever visited, creating really strong passwords that are unique based on all the crazy-ass requirements that all these sites have, and doing all of this and being able to verify that you're putting the password into the proper site: how many of you can say that you can do all of that in here? No one, right? We just can't do that. We're not programmed to be able to make hard-to-guess, unique passwords for everything we touch. So password managers are absolutely crucial.

Now there's also this thing about grandma's passbook that has, you know, it's a yellow manila or a yellow sheet of paper and has all of the passwords written on that. Don't knock grandma's passbook. Unless someone's breaking in to get into grandma's house, is gonna take that and go to her, you know, Medicaid, and try to, you know, or Social Security, and try to do stuff, that's actually a lot better. I'd rather see someone create a strong, unique password, or at least somewhat unique, by writing it down and putting it somewhere that's secure than remembering all the crazy passwords, right? Because if grandma has to remember all her passwords, you know, that's gonna be password123. It is; there's no doubt about it in my mind that's gonna be the password. And then when she can't get into a site she's gonna call you and say, hey Kevin, I'm trying password123 and it's not working, and then you're gonna have to remember, oh, it's capital P and an exclamation point on the end: grandma, it's Password123!, right? So don't knock the password books. Every few months this thing starts up on Twitter, like, oh my gosh, have you seen this book they sell at Barnes and Noble? It's called the password book. Can you believe how ignorant they are? In reality it's probably not that bad. You still have to use your brain to come up with different combinations. It's not as good as a password vault, but it's not terrible, as long as you can protect that and put it somewhere safe.

All right, so we're 20-plus minutes in and I've hit you with a
lot of authentication protocols and standards and mechanisms, and I hope what you've taken out of that is things are changing quickly, right? Things are already... keep up: attackers are doing new things, we're combating them, we're changing things up. Physical keys, biometric codes: they can't be remembered or verbally transmitted to someone or passed down to a loved one, right? So we have these things where at least the past was like, oh, you know, unfortunately so-and-so passed, but we know that he always used smokey877 for his passwords, so at least we know how to get into the mortgage so that we can make this payment until the death certificate comes and we can get absolved from that, or whatever the case is, right? Well, do you think that works when the deceased person's finger isn't around anymore to open their phone, or they have a voice as their password when they call the Social Security office?

Quick story: the big government offices like Social Security are using what's called passive biometric software to confirm if the person who originally called is still the same person who's calling today. So the days of you calling and collecting your significant other's pension for life or benefits for life, and you call and you just pretend to be them and you hope that someone doesn't pick up, that's over. They have enough data saved up in old calls that they can create an identity that they know is you, or is enough like you, and once you vary out of that model they know, hey, something's not quite right, send someone to their house or ask them for additional identification or something. That's called passive biometric data. It's a real thing, it's being used to combat fraud today, and it can't be faked. Maybe a twin brother or sister, or maybe, you know, if you get really lucky, you might be able to, but in the vast majority of the cases it's rock solid, right? And again, the days of remembering passwords are over. I'm not remembering passwords anymore: one password. I don't use that password anywhere other than to unlock the box of keys on the wall.

So what do we do? Like, what are we doing today to recover if we lose our passwords? So currently this is the flow that happens if you forget your password: you choose a forgot-password option, you enter the answers to your secret questions, right, which the secret questions aren't usually that great. When I was in there, there was this idea of out-of-pocket questions, and what that means is, if I get your wallet, how many security questions can I answer from just having your wallet? Can I google your school's mascot? Can I look on Facebook and get your first car model, etc., etc., right? You have to have things that are out of pocket, out of... so that's where the whole 'favorite' thing came from: what's your favorite restaurant, what's your favorite book. These are things that you can't really, until you go to a Facebook quiz and you pull out the quiz, that's right, but I digress. Out-of-pocket are the secret questions, and hopefully everyone's using. So you enter that, you get a link in the email, you create a new password and you're in. It's pretty frictionless. This is actually not a bad state. You can swap the two things: you could get the link in the email and then answer your secret questions. It's probably a little bit better, but overall that's really how things are done today. This is
the standard. So some things that are better than the standard, right: out-of-band SMS. So although, again, SMS isn't the best, if you can text someone the number that you have and have them verify it, it's better than everything else I just said, right? SSH key verification: this is pretty cool. Has anyone ever lost your password and done the forgot password for GitHub? One person. I am with you. I lost access to my GitHub for six months; that's a different story. Anyway, SSH key verification. So GitHub actually reached out to me, like, hey, all else failed, you can't give me the key, you can't give me the password, you can't give me the recovery codes, we can't verify your DNA, whatever the case is; send us a challenge with SSH, your public key, you know, we'll do a handshake, and if you have the private key there's a pretty good chance that you're you, right? So that's kind of neat. That's a different thing. Some do snail mail, right? This has been happening for a while, right? You just, like, wait for a password reset code to come in the mail and hope that someone doesn't steal it out of the mail, right? I'm not saying it's great, but it's not the worst. And I don't know, there's others; we can grab a coffee or a Monster after this and we can chat about other mechanisms that you think I should be including in this, right?

But regardless, forgot-password mechanisms are pretty straightforward. But what happens when we can't go through that process? There's a locked code, there's a locked phone, we don't have access to this. Well, we have some deceased recovery processes as well. So Gmail actually has this thing, the nickname is the dead man's switch, which comes from trains. Okay, I was gonna say military, from, you know, holding in the detonator, and when they would die they would release it, and... okay, regardless. The idea is that you have to actively respond to something, and if you don't actively respond to something, something else happens. And Gmail has this method where, if you don't actively confirm that you're alive and you have access, you can basically bequeath your access to somebody else. Facebook has a couple interesting things as well. They have these legacy contacts, where they'll allow certain contacts to do a limited set of actions on your behalf, including the ability to set up memorials on your account, and tributes, which is something a little bit newer, right? But, you know, I don't know about you, but Facebook and Gmail are pretty significant parts of my digital life right now, and the fact that at least these two have gotten to the point where they're trying to plan ahead of this process, which is, you know, it's not a fun process to go through. I think we've all had at least a grandparent, aunt, uncle, friend, someone who's passed away, and you're trying to pick the pieces back up and put things together and trying to find all of these odds and ends, on top of dealing with this kind of stuff. It's really difficult.

Password managers have also, of course, thought of this process, and they've of course named it all 'emergency', which isn't confusing at all. LastPass has Emergency Access, Dashlane has Emergency, and 1Password has Emergency Kit, and they all do things a little bit different. My favorite's LastPass Emergency Access, and basically you go in, it's actually pretty similar to Dashlane, you go in and you designate basically

successors and you say I trust this person I know and whatnot and LastPass actually has this this neat thing where one single person can't take over everything you actually have to have you can set it so multiple people are basically entering the whole two keys to the missile sort of thing multiple people have to get together which could be an issue if those people aren't talking or something happens there's a rift of something but you know basically these password managers have come up with ways of allowing you to designate emergency contacts one thing to note this is kind of the nuclear option if something happens and the emergency access is invoked you lose access to

your password vault you key the owner are hopefully not around anymore hopefully not I don't whatever the case is you're not around anymore your LastPass access is gone because people have invoked the nuclear option one password doesn't quite have the cards in place yet they have this thing called emergency kit which is a piece of paper that has a recovery code printed on it and you're supposed to put that somewhere safe yeah and then key pass doesn't have anything it's just like an offline password vault hopefully you know someone who can recover that and get in and all that fun stuff so outside of the the leading edge of the providers think about everything else we do right

Telecom, email, banks, financials, utilities, postal, shipping: all of those are pretty much the same as they were two decades ago, before the advent of the internet. You have to get a certificate of death. Most of them will change the ownership, like as far as telecoms and banks and financials; obviously a lot of this comes with estate planning. But we've changed the way we interact with these companies, where we're interacting with them digitally. So if you have to wait for a certificate of death, or you have to go and prove that you are the successor to an estate, just know you can't access these things in the same way that the person who was managing these was before, meaning they don't have any successor attributes or emergency access plans or ways around to help short-circuit that. So if you don't know the password, you can get access to their password vault, you don't have their fingerprints, you're not getting into these things, at least digitally, until you can provide a certificate of death, and even then it usually has to be transferred into your name, credit checks have to be done, you have to wait for billing cycles, and all that stuff. So again, just trying to prep you. Maybe some things to think about when you go home, might be some conversations you want to have, and plan for these things. So now what?

Kevin's given us a bunch of problems, a bunch of what-ifs, some have answers, some don't. He talked to us for 20 minutes about how authentication systems work. Well, I do want to give you some solutions. So there's a couple of high-tech solutions, there's a couple of low-tech solutions, and maybe a couple of novel ones thrown in there.

So, high-tech options. If you're really savvy, maybe you can come up with a distributed recovery system where portions of your vault are backed up to AWS and this one's to Azure, and you give, you know, pieces, you... the sky's the limit. You can come up with some really creative things. The cool thing about technology is there's ways that you can distribute things like you never had before, right? We never had the option to do that before. There's also this idea of password sharding, right? Shard means to break up, so you, like, give pieces of your password or a key to certain people and hope they don't all come together. It's like the, I'm not a Marvel guy, but like the Infinity Stones, you hope all come to the same place. I think that's... is that good? All right, that's good. All right. And you could use, like, multi-layer encryption schemes, same kind of idea, right? You encrypt something and then you put an envelope around that with a different key, I don't know what that cracking is, envelope around that with a different key, and envelope around that, encrypting with a different key, right? You can just keep adding more and more abstraction layers around it, to where hopefully you can shoestring something together. Those are high-tech options.

Some low-tech options: like lock boxes, right, just go to the bank. I showed you that QR code earlier, and the QR code is your secret for your TOTP and HOTP accounts. Well, you know what I do, honest to goodness, truly, I hope no one robs me when I go home: I print those damn things off. When I get a QR code, I print that QR code out and I put it in my safe. You know what that allows me to do? When I get my new phone, I just go to all those QR codes, I just scan each of the QR codes and I add them right back in. I don't have to reset anything, I don't have to hope that I remember this, remember that, I can just back them all up. And if something happens, I can tell my wife, hey, if you need the codes, the codes are in the safe, just scan your phone, and now you have access to my second factor. You can do the same thing with FIDO keys, YubiKeys, but a lot of sites don't have the ability to add multiple keys yet. It's increasing, but just know, if you don't keep that key in a safe place... a lot of sites don't have multiple-key adoption. Safe deposit boxes, of course. Just trust people you trust with whatever the heck you trust them with, passwords or, you know, whatnot. You could use some, like, technology that isn't easy to actually obtain anymore, like, I don't know, you know, put your will, or put your... not your will, put something sensitive on this medium and include that medium in the box with it, and if someone finds it they're like, I don't even know how this thing works, and you give instructions in your estate planning on how they get this thing. That sounds really convoluted, I'm not gonna recommend that, but it's something, it's a low-tech option, or high-tech, I'm not sure. Or just bury the damn thing in the ground somewhere and leave where your passwords are.

Um, all of that said, there is the fact that all of the technology that we've talked about has progressed fundamentally just in the last decade, right? So you're doing all this estate planning and you're planning your password sharding, you're doing all this stuff: who's to say that that mechanism is even going to be there tomorrow, or the next day, or the next week, right? Or that you didn't get a new phone and you had to throw out your old HOTP code and do a new, you know... So unfortunately, the glass blow point here, it's just gonna get more complicated. These are ideas that you should have on the top of your mind. I don't have a silver bullet that's gonna solve all of your problems, but I can't tell you how things work from a technical perspective. If you come to me, "Kevin, I don't get this, I have this code and I have this key," I can break down the nuts and bolts on how that works, and then you can take that and replicate a way that you can pass that along to friends or family, or come up with an idea of what you would do in a break-the-glass situation. Albeit, and I'm happy to offer my time to do that, right? But you got to start thinking about this stuff, because if you're not here tomorrow, your significant other's not here tomorrow, and you got to get into your bank account, you got to do this... this stuff is really, really, you know, imperative, and, you know, an ounce of prevention really is worth a pound of cure. If you've ever had to deal with these cleanup situations where you're trying to put the pieces back together and you're just sitting on hold and dealing with social services and getting certificates and proving you are who you are, it's really, really complicated. So if you can cut even a portion of this off at the pass, it's certainly well worth your time, and our digital lives are just increasingly more dependent on these things. So talk with your friends or family, talk to a lawyer, not a lawyer... talk to a lawyer, and start your plans for bequeathing. I mean, if you run your digital lives the way I know I run my digital life, it's extremely important to at least broach that subject, get some of your bases covered, and know what you're gonna do next.

One final plug before Q&A: my buddy and co-worker John Callahan, he's gonna be talking about crypto miners versus machine learning in the next track next door. If you don't know what machine learning is, you think it's some black-box magic some vendor's trying to sell you, please go to his talk. He's gonna be talking about crypto miners, because it's sexy and people are, you know, dazzled by "what is a crypto miner," but in reality he's gonna break out what machine learning is into words and statements and nuance that I personally have never seen anyone do. It's math, it's basic math, and he does a really good job of explaining it, and he does it in a really cool way where he can find these crypto miners that are going up against these AWS instances, and he pulls that data out of the flow log traffic. So it's really cool. Anyway, we'll open up for questions. If you don't want to ask me here, hit me up: I'm @KevCody on Twitter, I'm Kevin Cody on LinkedIn, I'm Kevin Cody on every other social platform. I'm not KevCody_ on Instagram, that's a rapper, he wants KevCody and I get a lot of his... I actually get contracts for it. Anyway, questions?
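Kevin's point that the enrollment QR code is the secret for your TOTP and HOTP accounts is easy to verify: the QR image encodes an otpauth:// URI, and anyone who scans it, or prints and re-scans it, generates exactly the same codes, which is why his printed copies re-enroll a new phone and why they belong in a safe and not in a photo roll. The following added example (not from the talk) parses such a URI and computes RFC 4226 HOTP and RFC 6238 TOTP codes using only the Python standard library. The sample URIs are constructed here around the RFC 4226 test key, and the function names are this example's own.

```python
"""TOTP/HOTP codes straight from an otpauth:// URI, standard library only.

Added example; not from the talk. Shows that the QR payload alone is the
second factor: whoever holds it can mint valid codes.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 test key "12345678901234567890" in base32; constructed sample, not a real account.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_TOTP_URI = ("otpauth://totp/Example:alice%40example.com?secret=" + SAMPLE_SECRET
                   + "&issuer=Example&digits=6&period=30")
SAMPLE_HOTP_URI = ("otpauth://hotp/Example:alice%40example.com?secret=" + SAMPLE_SECRET
                   + "&issuer=Example&counter=0")


def parse_otpauth(uri: str) -> dict:
    """Pull the enrollment parameters out of an otpauth:// URI (the QR code payload)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # restore padding
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / period)."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // period, digits, algorithm)


def code_from_uri(uri: str, at=None) -> str:
    """Produce the code a freshly enrolled authenticator app would show for this QR payload."""
    p = parse_otpauth(uri)
    if p["type"] == "totp":
        return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])
    if p["counter"] is None:
        raise ValueError("hotp URI needs a counter")
    return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    print("TOTP at t=59 for the RFC test key:", code_from_uri(SAMPLE_TOTP_URI, at=59))
    print("Current TOTP for the sample URI:", code_from_uri(SAMPLE_TOTP_URI))
```

The check against the RFC test vectors (HOTP counter 0 is 755224, TOTP at t=59 is 287082 for the same key) is what makes the printed-QR-code strategy trustworthy: a second device, or a spouse with the printout, derives the identical code with nothing but the URI, so the printout is a full copy of the factor and has to be protected and, on a compromise, re-enrolled on every account it covers.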

I am NOT a lawyer. No. So the question is, what's the legality of trying to use forensic software to recover data from the deceased? I would say that legality really depends on your right to interact with the deceased's assets, right? So if you are the mailman, you're probably not allowed to do that, right? Now, are they gonna come after you? No, but their estate might. So that was a really roundabout, a politician's answer, but I hope that answered your question. Any other questions? Yes sir.

So I gave you two instances, the Gmail one and the Facebook one. I'm sorry, his question was, what about other services? There are some. Most services will at least come out and tell you: if you have a deceased family member and you believe you have the rights to interact, with the appropriate documentation, we will deactivate their account. That's pretty much the extent of it. There are very few service providers that let you do other things, as far as, like, getting access to their accounts, and honestly, if a service provider is gonna reset your data or give someone post-humorous... no, human access, post... there you go, post-mortem access to your data, it's a little concerning, and most of the big guys won't. They'll give a modified ability to do some actions; others will just delete the account. I did look up WhatsApp just 'cause I was interested. WhatsApp tells you, if you have a deceased friend or family member: open their phone, select the Settings button and click the Delete Account button. I swear that's what their instructions are. Now, that's an IM or SMS type app, so it's a little different than, like, a social media, but that's their instructions if you have a deceased member.

So the question is getting access to their digital logs and records from the estate. So a lot of companies will give you the... especially with, like, the different legislation that will allow you to request your digital records, chat logs and all that different stuff. That's a good question. I don't think they would release that outside of first party. I think you can delete the account and you can remove most of it with the death certificate. I don't think, like, the... it's not freedom of information, but the ability to get your data back, GDPR, whatever it is, that doesn't apply to estates, I don't believe. I haven't seen anything resembling that. Any other questions?

Thanks for coming, listening to me about death. I'm sorry, but we got to talk about it, right? [Applause]