BSidesMCR 2018: The Digital Entropy Of Death by Chris Boyd

Thanks yeah Digital interpreter yes so it used to be the case that when you know your your friends your family relatives were ever died you get all these heirlooms and bits and pieces and boxes full of stuff but now you're being left all these bits and pieces of digital Dave over leaving comments on websites they've got their blogs they've got online accounts that you may not know about and you know people continue to die using these services I think something like 30 million people on Facebook have died around 2012 that's like eight years since the thing was settle and cut an estimate so if you if you assume that Facebook continues to grow the way it will we're going to end

up at some point 2050 ish 2060 with more dead users registered on the site than alive and that's going to continue to be the case for all of these websites and pools we keep using and it got me thinking well you know how secure are these accounts how lockdown are these accounts what happens so the accounts of our dead relatives and friends you know once they've passed on are they are they secure they're going to get used for dodgy dealings and antics what can we do to re-secure these accounts if they're not already what can we do they control and ownership of them this before somebody else does and you know this is this is a big problem this

has been a problem for a number of years now you know you've only got to have a quick dig through the headlines a lot of these are Facebook centric there are people getting friend requests from people that have died their relatives accounts are being used for all sorts of scams online there's a camp cloning where salon hijacks the account and they will they will you know populate it with information from somebody else and go off scamming and you know if it's not there it's things like Facebook reminding you of you know here's this thing you did in 2013 and it's you know they're dead relative and you don't really want to think about it you don't to see it in

free to you on the screen and it's a big problem and you know the big worry is if for a lot of people is that you're gonna post something stupid on Twitter like I bought 10 bananas and then you're immediately going to walk off and be hit by a boss and that's as far as safety what the other is concerned the last thing you did online was tell everybody you went out for 10 bananas which is kind of embarrassing but they're not only there someone's gonna pop up and save all your dead which you it's kind of funny but it's also kind of terrible if you if you if you don't look at accounts of people who've recently

died died in an accident whatever natural causes there will always be someone who will pop up and say something about at the bottom and you know we can laugh but it's not very pleasant for the friends and family if there's not a lot you can do to remove these comments from you know these social networks and you know we're in a weird place where we often think about people's Twitter feeds as the you know they're they're sort of weird digital last will and testament yeah we're always raised to see their Twitter feed or what they post it and people would only go and see what they've done I think they post that they will filter it

to you know replies the replies to happen see what the last thing they said specifically to someone else was doesn't matter how you know how irrelevant it is for your days of their existence we want to know what they said and this is this isn't a screenshot from Twitter this is a screenshot from a website the the collects the last tweet that somebody posted before they died whether it was natural causes and accident to the extent that they will also list the time of the last tweet the time of the death and they will even mention you know the manner of passing so the guy in the middle is a cardiac arrest with a length

of the bio the guy of the top it was a car bomb the one at the bottom was a helicopter crash and it's really quite weird and ghoulish well people are fascinated by this and you know it's got to the extent that I'm starting to think that the technology is source of really passed us by we're not really a word how deeply embedded a lot of this tech is in fig you know our you know our after lives I mean hands up how many people knew you can get QR codes on gravestones we've got a couple I'm surprised we've got a couple you can you can go to these companies you can you know you can pay

for a specially-designed value on a QR code which goes on the gravestone it will be tied to a website all about that their relative you can go along for a nice family day out fire your you know your your laptop connect to the the Wi-Fi that's built into their headstone and then you can bring up the website you can bring up facts and figures information about their lives photographs you know if they wrote the song they'll be on there but it might link through through a youtube clear it's kind of weird to me but you know a lot of people are you know quite happy with their but then you start thinking about whether these things are secure if

they're insecure if the pages are HTTPS if they're not can they be you know master it and tampered with there's a great deal of potential for trolling with a lot of this technology and in terms of the current state of play you know if you like B being a bit obviously but it is incredibly traumatic for people when when accounts have been tampered with furro furro furro sees relative a lot of the time i find that it's too hard for relatives to access these accounts and take ownership of them but the flip side of this is it's very easy for attackers you know my friend or relative dies I don't really know what to do about

getting them access to the account I don't know who the contact I don't know what the customer support is I don't know if it's got two-factor authentication on it or if it's you know it's wide open someone who wants a high tech that account for something just cooking care less they're just gonna go in and take the thing and you know I found frequently that the ball versus the tech is misaligned that a lot of the the laws that have been written for you know everything from copyright to death and everything else they're you know they're 18th or 19th century if they're not really relevant anymore where whereas the the tech companies generally speaking don't really know what to do in

these situations when someone comes along and says well you know my my my dad's died or my aunt Einstein misuk has been compromised what can you do so in terms of actual number crunching what we've gone is a hundred and fifty thousand people dying a day we've got 55 million people roughly dying every year and in the UK alone we've got five hundred thousand per year dying men you think about how many of those people have you know some form of online account but almost all of them probably you're gonna have at least one online accounts on work that is permanently often the moment of the death so this is a lot of accounts that are just liner

for people to come along try and compromise and then make use on there's been some surveys and stats and number crunching done on nest in 2012 experienced survey lead through 3000 people I think and they found that most people who they surveys had on average 26 accounts each and they were sharing roughly five passwords between all of them in 2015 - lame I've got this this inbox all of it - they went through 23 thousands of / customers anonymously and fine weather you know all the emails coming in for logins and password resets and all the rest of a UK residents have a hundred 19 accounts each roughly the you know they were they were asking for password

resets and all the rest of it I think us customers have a hundred and thirty I've got nowhere near that many I can so I don't know what people are doing book it is painting very easy to rack up a huge amount of accounts it's easy to hit the wall double digits so again this was a lot of like hands lying around a lot of insecurities lying around and to tally or you know everything has got an expiration date on it you know cookies generally expire after two years websites have a at the mole and people asked to make the websites have an average lifespan of about three years before you know it's taken offline its

rebuilt whatever this will disruptive tax re has meant for a lot of big companies in Silicon Valley and elsewhere how about the life expectancy shortened from around sixty years to twenty years so you know people themselves have 80 70 80 years roughly before they before they die and all of these things are going down all of these things are just permanently are over thing but the thing there isn't are your passwords are you know we're always telling people to change the password every so often unless that this is slowly becoming a thing of the past people are starting to realize that the more you ask people to change their passwords there's an element of insecurity introduced so people just

start god I don't want to change this anyone sick of changing in every three months whatever it is so they just start using really stupid passwords all of a sudden all of these corporate accounts of password worn password one two three because they're sick of having to change them all the time so everything else has expiring password launch everything is going off and of course once you die you you know your password is effectively immortal fill the service goes on there or someone compromises it either by you know data breach or some other method so you know in terms of raising this is this is what people are calling the you know the resurrection of these these

accounts belonging to dead people there's three types there's accidental residence there's target addresses and there's non-target addresses and in terms of how these players we've got a few examples here this is an accidental one this is Roger but the you know the film critic who died couple years back his account was oh he died his account was completely dormant and then all of a sudden in 2015 he randomly tweeted that this account as anything up all of his data and he wants some of these to cancel it please respond which was a bit of a surprise given that he was dead so you know predictable response or you're dead right no that's extremely creep me yes it is I

what had actually happened here was his wife had access to his account and she thought she was sending a dying message to someone in support so you know to sort out the data plan and of course this went online she was completely confused as as the white people were sending her late husband these messages she made things even more confusing and it just became an absolute mess so you know there's this these are the kind of things that happen on a regular basis this is this is an example of a targeted res this is this is a really nasty troll unfortunately this is someone a posted one hour till the movie and it's going to be the best birthday ever and this is

a 20th of July 2012 and this unfortunately is an individual who went to see a showing of the Darnay and then he was caught in the the gunfire when someone turned up to the the the cinema showing whether gone and killed a whole bunch of people and people will treat these these last messages on Twitter as a sort of Memorial you know you can look at a post like this from someone every year every so often on their birthdays whatever and people will you know pester a would leave a comment which is you know is fair enough so line forward a couple years of in activity 18 to March 2017 I'm alive someone had gone to all of time and

trouble and efforts of compromising this thing so they could post this troll and you know this this was pretty upsetting for the people and we receive an end and that's still there now that hasn't been removed don't assume anything about food still there and then you get these non targeted attacks these are very common on dormant Facebook accounts so you know this is this is from winces from three years ago my husband passed away six months ago tonight many people received friend requests from him I don't have his password to log on to the account what do I do and this this is the question that always always comes up what do I do and nobody ever seems to

know here's another one this is from four years ago someone is posting pictures on my son's page and he passed away months ago we have tried reporting the page and nothing is being done you will find that this is very very common if you've got answer the the health portal on Facebook and you look through some of these messages it's just endless amounts of people running into a brick wall trying to get something done about these compromises his a final officers from three years ago a deceased friends profile has been hacked the hacker has changed the name and changed the profile photo to warn me none of the options on Facebook addresses this problem now this

is something that was very very big a couple years ago called cloning where you know they would hijack a dormant account change all the information to someone that's you know currently on the site using it and then they reduce it for social engineering they would use if you know conference and scams fall on lines things like that you know the old trick where you use on Facebook and someone says oh I'm in this city I'm on holiday but I've lost my wallet I've lost my passport please go why me some money so that's generally what people do when they clone these accounts in this manner and you know it's a it's a big problem here's a here's an untargeted attack on

twitter this is this is a famous journalist who's okay even though through couple years and his account was compromised changed into a porno spam bar so of course you know people who knew him very well David Carr were very you know perturbed by this and of course it's not your speed the Twitter feed bits compromised usually it's a whole range of accounts behind the scene that are compromised first and then it you know it spirals outwards so here's one of here's one of his contacts incredibly upset there of course there were suddenly receiving emails from from David Carr and you know I've I dealt with people who have been affected by problems like this and tried to help

them and I think it's an incredibly traumatic experience and a lot of this comes down to our digital assets and deficits because it's not just these these these these web accounts that you have it's everything that you have in terms those last wills and Testaments a lot of people don't really know what they are other people don't really think about it till it's too late and you know the one the last well investment is all about your you know your your finances the the stuff that you own what are you going to do with it when you pass on generally speaking most people don't include any of the digital stuff in their last wills and Testaments because

they don't know how to if they don't know if it'll be valid they don't know how to make the law interact with a company and so on and you have living rules which are similar but where they're designed to deal with your faith in the eventualities that you're maybe incapacitated or you're unable to you know interact with the everyday world anymore so it's more about healthcare and what to do with you while you're in you know potentially a vegetative state and again people will occasionally try and include things of a digital nature in these or nine times out of ten but they just won't because you know why would they and you have living trusts

which are similar to the other two they sort of deal with you at every stage of your life so you know when you're healthy when you're not so healthy and then when you're dead and smaller it will be account you know a portion as the trustee for one of these living trusts and they will you know micromanage the finances and everything else and you know again these these things don't generally tend to include digital assets and when I think of my own digital assets I've always reminded of my my console collection I've got loads of old Dreamcast's loads of old games consoles Neo Geo's turbo graphics you know what I've got them and I've got a

whole bunch of all computers Commodore 64's plus Falls amstrad's and I often think about this because you know the boat at the moment view the hardware is is obsolete the games on these platforms are rendered obsolete as well that's why so many people are fans of emulators and downloading roms because you know once once the hardware is done the games are gone completely and it made me think about you know the the digital games that I that I own or I think I own now rather than these these Hardware boxes which I can still you know bring back to life I've got I've got a steam account I spend stupid amounts of money in their sales when

they have the sale and you know you buy a whole bunch of games and you play maybe one of them and that's it and you end up with hundreds and hundreds of these games you've spent an awful lot of money on them and you can plug your steam data into various services online to find out how much you know your your digital assets for this gaming accounts are worth and in my case it's you know it's stupid it's ten thousand dollars I know it's not really worth ten thousand dollars and I know that in real terms all I've actually thought is is is buy a bunch of licenses to access these games and then at some point I'm not gonna

have this license to access these games anymore bull you know you think well that's an awful lot of money you've put into this do do I do I keep ownership of this when I when I die can I pass it on to somebody will the account still be secure you know it's it's it's secured at the moment it's - factored well well you know what happens after I die can I give this to somebody so you know you don't look at the wonderfully wonderfully long terms and conditions the user agreements for my Steam account for example doesn't get off to a good start you may not reveal Cheryl or otherwise allow others to use your

password or account except as otherwise specifically authorized by valve so that's not very promise and I don't think I'm going to be able to hand this on to somebody just yet maybe somewhere else in there though because aramis no your account is strictly personal you may therefore not sell or charge others for the right to use it or otherwise transfer your account or as otherwise specifically permitted by Father I'm just going to give up because basically they are not going to let me give this to anybody and you know if you think about it outside of me with you know the shift to streaming services you know you don't buy CDs anymore you stream stuff on the lathe the streaming

platform you don't you don't buy films anymore you just pay a subscription fee for Netflix or whatever and you sort of temporarily have access to it - you stop paying and then it's gone forever stuff like this where you pay for the license and you kind of open it in the weird gray area for a while and then you don't these fees are gonna go the way of the dinosaur basically because at some point an account like this ends up being any number of digital deficits that are tied to your bank balance and then you've got the spam sitting there they probably don't realize that you might have monthly billing on this thing or that

thing that you've got fees going out maybe for an eBay shop but you didn't tell them about so you know you end up in debt you end up with all of this digital content that's no longer your own and it's gone and you know these companies are eventually going to come up with a way to stop you from passing these these accounts on you know if I want it to pass on my Steam account for my son or my daughter or whatever in a bunch of years I thought points team are gonna wonder in 50 60 70 years why I'm still playing these games why this account is still active and I predict that they're gonna start placing

countdown timers on any account where you know you you acquire a license to access content you know it's possible that they'll work they're working out by estimated human lifespan in this country or that country it's possible that they may well make use of you know web analytics it used to be the case the you block ads or you block trackers so you know you bypass all of those stupid ads on the web pages that you browse where they say hey were you born between this year and that year you could have a claim for this thing or you know you could for that thing and those were annoying but it's gonna be even more annoying

when people use those kinds of analytics to establish you know roughly how old you are which which demographic you fit into when you purchased your steam account all that account and then they you know they sent you an email to let you know this this thing's gonna have a digital self-destruct appliance and it doesn't matter how you hand over your password or who you give it to it's gonna go the same way your can let go and all of this digital content that you thought you you owned at least is gone and I think this this method of ownership is is gonna go the way of the dinosaur I think everything's gonna move on over to streaming because if you

think about it it's ideal for these companies legal teams they don't have to worry about you know do we have to legally give them this stuff anymore because you know you never owned it in the first place so you know loads of people end up criminal with really gonzo DIY approaches to reclaiming ownership of this content I mean I ran into this a couple years back with with a relative who was you know not long for this world unfortunately and they had a whole bunch of online accounts some of them were secure some of them were some of them reuse passwords some of them didn't one of them used the ub King I think for

some reason but everything else was a mess and you know you sit down and you try and work out how you're gonna work in which accounts are theirs which ones are important which which might have important things in them and you know the the the legal terms and conditions never really match up to the last will and testament or everything else so you think about how many accounts you've got you know you've got your social media profiles you've got you know maybe five or six seven of those you've got your google and yahoo services which plug into you know email flickr all sorts of services you probably got an Outlook and a hotmail they may be registered on a

couple forums they may have some video game accounts you know and then if you've got a video game account it's probable that you've got multiple accounts orbiting those so you know if you've got a steam account you bought a bunch of games real-time strategy games will insist that you go off and register something else on their own website or you've got to register on their forum to unlock this content and that content so you know one login because three four five six logins just for one specific game and so have you will tangle lamp they've got work mail they've got work surfaces tied to the work now they're going to have a link dude get all cello

everything else and then there's going to be complications around those accessing those finding important things and know that you may need access to you know what if you need today an online-only p60 for something and if you know it's a lot down deep in their work mail somewhere dude view approach HR do you just discreetly try and grab the password which is probably a bad idea you know people don't know there is no clear path through resolving these problems so people will do things like fire LastPass and they'll just use something as basic as the the share password option so you can go into the LastPass you can fire off the shirt password option and you can specify the

recipient's email address and you can choose to keep the password hidden or not I wouldn't really make much sense to keep it hidden in this case where you actually want the password and you can give them access what my wants are some of your online accounts another way of doing that if they've got loads and loads of accounts you can share them in batches this has been moved over to a feature in LastPass called LastPass families so you can go out and check out less past families and it's actually kind of addressing some of these issues it's designed so that you know I think four or five family members all have access to these shared logins there's an

emergency procedure if if one of the family members on there dies you know they're it's one of the few that I've seen actually and it's quite interesting but there's a lot of services that have been online over the last maybe 5-10 years with started offers these sorts of digital Locker sites where you could place all your you know your cherished memories and logins this thing and that thing into these storage sites and they would promise never to go down and they would disseminate the data when they've been notified that the person that a lot of these sites have actually sort of turned into password management systems which is quite interesting I think there's maybe four or five that

have done that last three or four years and people LeFort these things you know these these password books where you write down your username and your password in the book and you know we all have a good chocolate because it's not very secure haha well for something like this it's actually ideal especially if the the person that you're trying to save all the theta4 knows the way around the web or has no idea about the security stuff they stick their password so they use names they will take them in the book hopefully when they've they change them and they they relate the password down correctly hopefully when they're John these things down in the books and you know people will scoff at

these things and say well it's not very secure is it but if the thing is stored in their house either in a drawer or a safe and you know someone's broken into their house and at 2 a.m. and boom run around looking for things to steal you've got more important things to worry about than someone making your password book frankly so we in our specific situation we ended up using a combination of very very basic LastPass send overs and one of these password box and you know when they died we went through the password book everything was correct all the passwords were correct they looked dated all of the information correctly I think out of about 35 logins

only two of them were broken so you know it worked everyone was happy and you know people could do what they needed to do in me you know the aftermath of the death and in terms of companies dealing with death they've actually a lot of the major players have actually stepped up there's a surprising amount of services you can call from some of the big players in in the absence of you know the wall being able to fully integrate properly with people's last wishes with regards to digital accounts so Twitter for example you can go on for their privacy policy page for some reason it's bury them in a bunch of dropdowns on the privacy policy section and you can you

can request with their account information you can report an underage account or you can request that the activation of a deceased or incapacitated persons account through Twitter so you go in you fill in some information you say which account it is the full name your tell them whether your relation to the person that's died if you're a legal guardian or a family member they do say that they're unable to provide access to the to the the login details so if you don't already have the login details you're never going to be able to use the account it's basically deactivated forever and we'll just sit there obviously in the rotary with film terrific cases wife already

had the login so it still makes some sense if if the account is particularly important to you to you know pass the logins on because they will not give them to you after they've died Google Google have a huge amount of services for this the slightly one excitingly named inactive account manager lets you make a plan for all of your digital data that's in Google so you know everything from the emails to the you know maps blogger everything that they offer it is all in there so you can decide when Google should consider your account inactive so in a nutshell the way this works is you you you give them a specified time so if you haven't logged

in for say three months six months or nine months they they correlate all the information from logins scions on your flow locational days of things like their and where house if you know yeah you're actually still using the service or not and at that point you can choose who Thanos a fight what you want to share with those people and decide if you want the inactive account to be deleted and they you know they really give you some function functionality here you can choose up to ten people to notify so if you go AWOL you can you can melt if I up to ten people you can give them access to the bits of data that you

want to give them access to and you can even set up an after death auto-reply so which is a bit weird whatever you know but it put it Rex you know it works in addition to all the people you've let know the clothes you know drink with up to ten people anyone many emails you after that points as long as you didn't deactivate the thing will at least know what's happened so you know you have you have autoresponders in the afterlife Facebook they have a very straightforward process I think they've they've done this since about 2012 2030 so you can report that the C's person or you can have them memorialized which is where you know you

effectively take ownership of the page you can't post any mean content to it where you can perform admin tasks and clean up spam or prevent people posting and all that kind of thing even LinkedIn has a similar service to this believable anoint you can actually go on LinkedIn and let them know if someone of you know you're your professional colleagues on linkedin has passed away and they will go off and do a similar process to this so you know if they're medically incapacitated but all their dead you can let them know if you want to report the hacked account you have to do something else you have to go and fill out the separate form so that's possibly where

people who are running into some problems with the account cloning from those earlier screenshots so see here it's all very straightforward it's all very simple you can tell them to memorialize it remove it remove it because they're incapacitated and you can give them a special request so if you have a very very specific request outside of that you know they the little check boxes because they know that might come up in some situations you can ask for it most of the other big platforms that offer these kinds of services don't do there so you know they get a thumbs up for that one and in terms of link rock you know it's not just the people

using the web it's the web itself you know we've got this idea on our head so you know everything you you stick online is permanent it's all there forever you know don't stick this thing on that website because you'll never get rid of it but really the the web itself is a swampy as anything else you know this is a site called death switch and this was one of those services were you know if you if you don't log in to this email of service for a certain amount of time they will mail blast your contacts telling them you know you're dead this accounts now inactive I know a lot of these services will say that we're here

forever we're never going to go away unfortunately deaths which is dead they are they are no more unfortunately so I hope nobody was signed up to that one because it's not gonna help and it's got me thinking about some of my own websites because you know I write a lot of blogs I write hundreds of blogs a yeah I've picked up a lot of press coverage for some of the research and some of the fines that I've made so you know it's good practice to collect these links to like them them because they're you know it's useful for future job opportunities if it's very useful for reference and security move so quickly that you have to write these things down

because you can barely remember what happened six months ago we'll never mind them you know 2008 2007 whatever so I've got me thinking you know a lot of these on on links to the major new services their major web platforms in theory all of these links should still be there in theory so I went through all of these links and have a look unfortunately things didn't turn out as planned a lot of these pages were broken they didn't work they went to the wrong thing and in one case one of my security fines went to an article about the HP TouchPad needing six or eight weeks for additional shipments put it under the same URL II had originally which is

favor distressing but never mind so I went through all of these links this isn't a scientific survey by any means this is literally just me looking at all of the other URLs on this web page from 2004 to 2010 so you can see the total links for each ear and blue links that were either broken or went to a dead URL or redirected somewhere else in orange and by and large it's it's almost 50/50 for the most part any of those given years you know eight of eight links in 2005 four were broken 19 and 2006 ten were broken 26 links in 2008 13 were broken interestingly the only the only size home only of those that

consistently had all of the links where they should be was the register the register just doesn't seem to purge links or content whereas a lot of the other major news providers you know either they think they've run out of server space or something or they were running out of your answer I don't know but they they just trash whole bunches of news articles and it's kind of weird because a lot of these these stories and things don't exist anywhere else because the blog that they were written on have long since gone you know if these things were written on a call for a thought a company blog the blog has probably gone offline or being discontinued or the

company's being bought out or they changed the URLs like one of these blogs have still got my articles on it but they change the URLs about two or three times and they removed you know all of the names like my name on the account that posted them and they just plant them all under at the Fox admin account so you know if when some of your work is still there and there's bits of it just falling off all the time and out of 163 URLs 91 of them work 72 of them didn't and you know if you didn't if you do this if you sit down if you if you pick up a collection of your

web links whatever else just going back maybe two or three years you'll be amazed how many of these things are already inactive and you know link shorteners there's a lot of link shortener so which which again also destroy the link so this is URL gone and they give you a URL you can specify how long you want this short no redirect to last four and then after the specified amount of days it goes bang and a lot of people don't either don't understand what that means in practice or they just don't care and these links that are really supposed to be for private use only end up out there on the web so you end up with all of these links that have

broke and all of these redirects that go nowhere so the extent that you have to go to internet archive and check out 301 Works dot org which is this sort of volunteer task force that's been settled between all of these URL shortener companies so on a daily sort of daily or annual basis they will pass over dumps of all of their redirect links into this this this path if you like so if one of the the services that's taking path on this ever goes down ever breaks ever goes offline all of their URLs the redirect the URLs will still work because 301 will take ownership and control of them and ensure that these these redirector still

continue to work which gos is kind of wacky really when you think about it it's so it's so empowering and we just saw the trust that all of this stuff is gonna be there and still work tomorrow and it very really does and in terms of the treachery of images you know we have a lot of you know image check and other types of tiny package sites like that where people will just throw up the image and people were finding that they were going back on old posts they were looking and a lot of these images have not only expired but they reuse the links like a lot of URL shortener services claim that they will never put

the URLs back into the pool because obviously if they do you're gonna wind up on a site that you didn't expect to and that would be great you know scammers malware authors so generally even the fly-by-night URL redirect services won't port the URLs back into the pool but that's not the case with images so this guy had a bunch of pictures have pictures on a cat picture thread all the pictures would expire them and you know the URLs have been reused so and so the cat pictures he had command interface commands for online games he had some ones very fetching selfie he had a scenario involving Bob making a historic day today he also had

his girlfriend replaced by a picture of a horse and another conditioning unit took the place of his three friends from college so yeah this these are really weird things these are really weird shifting sands and we just don't really think about and you know there's even a weird sort of money-making piranha style industry that's built up around the the Croft ecosystem so for the last year and a half two years our company and many companies that you know we speak to all the security bloggers that we know you know you stick a blog online you know they're eventually some of the links in your blogs I'm not gonna be there anymore but you don't go back to a blog

from you if you write hundreds of blogs in the age you don't go Blair go back checking these things every every five minutes because there's no point some of them are going to go so we find that we're getting these emails now from people where they're saying you know I I send you a couple of emails I wonder if the someone I can get in touch with to get this broken link fixed so they will show through your blog some of its manual some of it's always amazing they will fish out the broken links the read directors and then they will try and boost their own PageRank by offering all their spam blog as a replacement for

the link that you had on there and a lot of people will say you know don't use Wikipedia for a link or you know for information purposes when you talk about a subject and link to a subject or to be perfectly honest at least you have a reasonable degree of certainty that the Wikipedia page will be there and it might it might have been you know to face the best work but it will be there in some form whereas these you know everybody's company pages the websites a lot of them go bang and it's not just people asking together PageRank or people will try and charge you for the privilege of this as well so here's what we had blah blah blah we

will work to optimize your SEO PageRank we have sites of our own you can change the links to contact to discuss a possible business plan an introductory discount so these guys want me to pay them for them to send me their spam blog and boost their PageRank from my website which has a better PageRank than theirs and they're going to charge me a couple of hundred dollars for this hot mess and this is a very very popular thing now has anyone had any of those either on a blog and had any of these anything similar well we've got one we've got brilliant thank you thank you see I wasn't making it so we so we you know

these is a thing and there's a number of different variations on this and we've had a few of these that will come through and start off like this and then they will work their way over to a sort of social engineering attempt or a fish or something along those lines so it's quite a weird one are the instability of bits and pieces of the web are generating actual business opportunities for scammers and in terms of you know the end of the line it really isn't business there's a huge amount of tech out there that's devoted to you know your digital afterlife if you like AI chat bots are enormous ly popular as anyone know the Roman Mazarin Co anyone

okay so this is this is a guy who was very one of those stars of guy I moved to the states and he had the whole bunch of businesses that he was putting together they mainly around you know shooters tech AI and he was he was killed in a hit-and-run I think he was hit by a car and died and his friends who set up similar businesses to him and move to the states and we're you know obviously devastated they made this sort of AI tool that would resume it was designed to look at language used in restaurants and assist with you know with orders and different languages and restaurants so they thought you know

maybe we can do something with this so they a whole bunch of them plot this this AI into all of his you know his telegram messages his chances texts emails you name it and they were all jammed into this thing and they made some additional tweaks to see if they could pace that we've replicated this guy and you know in a really weird sort of way they did you can actually download Roman as an on the on the iPhone it's not on Android but it's on iPhone and if you just search for his name you'll see the outcome or you can download it you can find about his life as work the people who knew him have a

very mixed response to this app you know half of them loved it and you know it's like we were still talking to this guy from beyond the grave after we're a bit uncomfortable with it didn't really like her his family had a mixed response to it and you know it's we you know we people can't really figure it out at the moment if these are actually helping with the grieving process or you know it's a sort of weird digital crutch that we really need to throw away and you know make peace with the fact that they're gone and all the time in the back of your mind you think you know how secure are these I am secure on these platforms can

people mess with them can people temper with them you've got mind files and mind clothes mind files are basically these huge days that thoughts were similar to Romans chat bar you don't all of this information about yourself your life as much as possible and these neural networks piece of all together and try and replicate the person to a satisfactory degree and the mind clones are these sort of animatronic replicants of you with all of these memories and things dumped into the mind file and you know you can go online you can look at video footage of people talking to these things effectively talking to themselves and I've got to admit they're not very convincing they don't look very

realistic they kind of a bit scary some of them and you finally get the impression that the person talking to this thing is really convinced well they they do surprise and they do sort of replicate these people to an astonishing degree in certain situations and again you have to wonder about the tech you have to wonder how secure they are similar terms to videos that I've seen are often Internet of Things style though they're web connected or they're you know you we all know about my ot devices a lot of them just aren't that secure and it would be quite bad if someone got their hands on one of these things and tempered with it you know

really bad ways and you know VR I know a lot of game developers I know a lot of VR developers who are working with similar types of tech combined I know the AI chatbots the so-called mind files and they're looking to try and jam you know photographically precise replicants of these people that have into these VR headsets if you're a nice you know serene location to go and hang out with the mare oh you know it might clot whatever they like to do and a lot of this is limited at the moment by the hardware there's a lot of things that VR headsets can't really do very well you know the HTC vive they recently brought

out a replacement for the old unit let's go to better magnification and all the rest of it but you know if you look at it for a while you know in a sort of game a very traditional game environment the illusion persists but the moment you get dropped into something there isn't just feel you know high-definition film footage that you can look around in and you're trying to interact with the illusion very quickly falls away so those are the kinds of things that people I know are working on at the moment and again you know I've I've I've done talks on VR insecurity and the way that you know you can you can tamper with VR you can mess with you the optics

in front of people you can mess with the game space so you know again it does it does lead to sort of weird questions about how secure are these things gonna be you know it can be incredibly traumatic if you throw on the headset and then you know you're deceased and he tries to sell you out but I'm sure it might be through software you know so that that is basically where world - with regards how death could only functions with the online world and how it bleeds back into the real world and how you know these wills and Testaments these local laws these outdated ways of doing things really don't mesh with the technology that we use on a daily basis

and you know some of the efforts of these the bigger platform providers are trying to make it you know the legal absence of process really so there is the end of my talk I'm quite happy to field any questions on it if you've got em thank you give it up for Chris coy

does anyone have any questions Chris no oh sorry it's our couch or Chris and at the beginning you said these often a lot easier for scammers to take over accounts with own nefarious purposes and it is for you know grieving family members to do the same so can you talk a little bit bit more about that how the scammers don't you think scams do take over accounts of deceased people yeah I mean I mean the big problem with it really is is the fact that the the family member has no real idea what to do I mean if I die my family only for the fact that I you know have told them what to do and

you know we've made provisions for stuff like this you don't really get that ogre to approach you're gonna go to the Facebook page you're gonna go to the customer support bit you're not really gonna know where to walk you're probably not going to know to go to the bit on privacy policies on Twitter to find the boot where you kick start the process to recover some of these accounts so really it's it's a problem for the the family is is it's a mess of links of hidden pages of not being able to see this information you know clearly and accurately tell them what to do once you get to the pit on the website about the

deceased relative it's fine you know it tells you what to do what to click on how to do it and you know you can even make you special requests on facebook or and actually getting to that point is a nightmare for a lot of people especially if you know the relatives just died you know the last thing they're going to be doing is thinking about someone's Facebook page whereas the the scammer they don't really a lot of fun care about the the status of the deceased person to care you know they don't care if they're using them if they're dead if they're alive if they find it in a data dump they're going to use in you know

clothes along the scan with it if you know there's a if a platform has a breach and all of the the passwords elite they're going to use it regardless of whether they're alive or dead we have seen instances where someone will tell it's specific families on social media platforms and social engineer relatives if there were if there wasn't account that they really specifically wanted to get into they will use the tried and tested approaches they will social engineer they will pretend to be somebody they might pretend to be someone from the platform helping them with their realism we've seen how what once or twice and so the way they break into these things is fairly of dramatic

and about the kind of way that you'd expect but for the family it's just it's just the red tape and where do I go next

[Music]

this is the problem do you make these things secure because you don't want people to fail them and then you fall ill and you can't remember any of the logins and you didn't think to pass them on to anybody and all of a sudden everybody's locked out from the thing so in some weird ways you know it kind of helps for the for the you know incapacitated or death scenario when some of these accounts are really insecure they you know they have actually got a news password 1 2 3 all 100 main thing of their accounts because it means it's then a race to see who can get in first you or the the scanner

oh yeah it's it would never you know cross your mind until you're actually faced with it and then all of a sudden is this two factor is if you am I using a little you Baqi thing or is it a phone is it SMS has the hope of the change networks or is it you know is a Google Authenticator how on earth do I go into this account and again you know they knew then you rinse them yeah you know even even even just accessing the phone

yeah it's it's it's a common and horrible problem or fortunately any more questions of Chris yeah thanks this it's a really really interesting topic and we're things that I find interesting is how far the law is actually behind on this stuff and do you think that we will see over in the next 5-10 years the law actually catching up to be able to support people because at the moment it seems to be companies themselves making part foreign but there are going to become times when somebody will challenge the right that my kids should inherit my Steam account oh my PSN account or anything like that do you think Lori's gonna catch up it's it's hard to say there are some very

very specific laws in and around this area in the states there was one now I'm not an expert on US legal stuff at all so I'm not going to attempt to explain it or even pretend that I understand it because I was reading through this for a long time and I just gave or well there are some very specific things in some very certain states in the US that deal with this sort of problem you know make it easier to facilitate the transfer of certain specific online accounts into you know the the official last will and testament rather than China boards job it guess this you know hacking for this phone and steal this thing and find out if they

they wrote it down on a piece of paper some work for a man as far as the UK goes I think it will be a long time before the law catches I mean you know look at copyright lord they are everything so it's a complete mask or it's only you know ten years or so since yeah ten years ago you wouldn't even be able to get this kind of assistance with Google or Facebook or anyone else because you know these things did not exist I think I said earlier the Facebook service came in about 2013 I think it was I think Google's was roughly around the same time might have been a year or two earlier you know even

link dings got something similar and a lot of websites do have this functionality or at least will allow you to inquire about the possibility of handing something over or because the way the law is versus you know your actual requirements and needs for these accounts it's it's although you know as you do it basis really until you actually ask the company more provisions they have you might get some weight you might get nowhere it's it's a complete lottery unfortunately any more about the LastPass families before and even using a password book but what steps would you personally take to make it easier for your family on the event of your death what how would you advise somebody to

take steps and make it easier for them is there anything you would say what to do what would I do to make things easier for people okay I mean as we've seen in the example there the one of the biggest problems is these things become so secure that you you can't you know you've got no chance of getting in on the things you know if all of these logins are on a two-factor I on someone's phone well then the phone is locked out because you know if there's some biomass of biometric pass or they've forgotten the pin code or you know the the process for a mocking the phone via know a web poll or something similar it doesn't

really work very well that generally tends to be the biggest headache a lot of the time I found that people can remember the passwords to some degree or they you know our old friend password reuse actually comes in handy but the the number one thing that I found what I dealt with this personally and I know people have dealt with this and we've had one example here that they already it's the it's the phones it's the additional authentication that causes the biggest problem so I would I would urge anymore so you know make a point of talking about what devices they use intend with their logins and how to best you know get into these devices should

show that you know should it be required excellent well if there's no more give it up for Chris Boyd