Busted ‘secure’ EncroChat messaging service leads to over 6,500 arrests by police


Back in 2020, law enforcement agents across Europe had a major breakthrough in their fight against organised crime. They managed to crack into EncroChat – a “secure” encrypted messaging service, running on modified Android phones, that promised “worry-free secure communications”.

EncroChat’s customers were almost all criminals, who had no qualms about buying an encrypted phone from EncroChat (for roughly £1000) and then paying a hefty subscription for continued use of the system.

EncroChat handsets even came with a “panic” option: entering a 4-digit code would delete all of your data, supposedly frustrating any attempt by police to gather evidence of your wrongdoing.


But investigators managed to gain full control of EncroChat’s infrastructure, and could read users’ supposedly encrypted messages in real time.

In a livestreamed press conference this week, Europol shared the latest results of the investigation into the EncroChat encrypted messaging system – used widely by criminal groups.

Law enforcement agents were able to intercept over 115 million conversations between criminals, from an estimated 60,000 users. Europol says that the surveillance helped “prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime.”

[Figure: EncroChat by crime area]

According to Europol, the dismantling of EncroChat has resulted in 6,558 arrests to date (including 197 high-value targets) – with the seizure of close to 900 million Euros, and hundreds of tonnes of drugs. To date, criminals convicted as a result of the evidence gathered from EncroChat face a total of 7,134 years of imprisonment.

[Figure: EncroChat in numbers]

As you can hear on this episode of the “Smashing Security” podcast, one EncroChat user was identified after he sent a photo of his pet dog via the service (perhaps not realising that the dog’s pet tag revealed a phone number that he should probably have kept private).

Smashing Security #302

Lensa AI, and a dog called Bob

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
What they did was they noticed the dog had a dog collar. And so of course they're able to ring up Bob the dog and say, hey, who is your owner, Bob? Who's your world dog, Bob?

Smashing Security, episode 302. Lensa AI and a dog called Bob, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 302.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole. Hi.
CAROLE THERIAULT
How you doing?
GRAHAM CLULEY
I'm all right. Not too bad. Just you and me in the podcast booth today. Yes.
CAROLE THERIAULT
And on a weird day.
GRAHAM CLULEY
A weird day of the week.
CAROLE THERIAULT
Yeah. I'm giving you my weekend right now.
GRAHAM CLULEY
Because we're a little bit busy next week.
CAROLE THERIAULT
You are, yeah.
GRAHAM CLULEY
And Christmas just around the corner. Well, you've been busy too, Carole. You've been exhibiting your art, haven't you?
CAROLE THERIAULT
Yes, I'm okay. I can juggle a few balls.
GRAHAM CLULEY
Okay, terrific. And well, shall we kick off then?
CAROLE THERIAULT
I think we should. And let's thank this week's sponsors, Bitwarden, Drata, and Kolide. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about end-to-end conviction.
CAROLE THERIAULT
And I'm going to tell you everything you need to know right now about Lensa AI. Plus, we have a featured interview with Rico Acosta.

He is head of IT at Bitwarden and tells us everything we need to learn about how to train staff. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chum chum, the UK's National Crime Agency. Oh my goodness, they're puffing their chests out. They're feeling proud because they've had a success.

They have bagged some baddies once again. They've caught some criminals and they've done it in an interesting way. Would you say yes? Say yes.
CAROLE THERIAULT
It's kind of a trap. Yeah, it's kind of a trap question. Yes, Graham. I would love to hear about it.
GRAHAM CLULEY
Well, they've secured convictions against a couple of drug traffickers. Now, if you roll back in time, you may remember, I think it was episode 229.
CAROLE THERIAULT
Excellently remembered.
GRAHAM CLULEY
We spoke about how law enforcement agencies Security Services across Europe had managed to crack into EncroChat, which was a secure encrypted messaging service, which was beloved by criminals around the world.
CAROLE THERIAULT
Yes, baddies loved it.
GRAHAM CLULEY
Yeah, so the cops, they hijacked it. They were able to read people's encrypted messages being sent by criminals, and they sort of lurked.

A fascinating situation to be in, of course, because you're seeing crimes being committed or you're gathering information, and when do you play your cards?

When does it become obvious that the communications are no longer secure?

But EncroChat was a supposedly secure encrypted messaging service, a bit like Telegram or Signal, but it ran on modified Android phones.

So bad guys could buy an especially modified Android phone with EncroChat.

It'd cost you around about £900, and then you would pay a subscription to access the service, which would be probably about £3,000 for the entire year.
CAROLE THERIAULT
You've got to have a lot of pocket change to be a criminal these days, don't you?
GRAHAM CLULEY
Well, it's tough, isn't it? You feel sorry for them. They've been hit, of course, by the cost of living going up.
CAROLE THERIAULT
Inflation, exactly.
GRAHAM CLULEY
Exactly. And then they have things like the cops breaking their supposedly worry-free secure communications.

The cops did it in an operation called Operation Venetic, or is it Venetic? I'm not sure.
CAROLE THERIAULT
Dunno.
GRAHAM CLULEY
I did some Googling to try and find out. Venetic apparently is an extinct language from northeast Italy, which makes sense, I suppose, because that's where Venice is and Venetian.

So I suppose that's where it all comes from. Anyway, EncroChat was loved by the bad guys. Said to be about 60,000 users worldwide, 10,000 of them were in the UK.

The app even had a panic button where if you entered a 4-digit code, it would delete all of your data.

So if you thought the cops were going to collar you, you'd quickly go, you know, 1, 2, 3, 4, and it would delete all the data.
RICO ACOSTA
Oh.
CAROLE THERIAULT
And it would do it instantly. It wouldn't take 90 days or something.
GRAHAM CLULEY
No, no, it wouldn't be like—
CAROLE THERIAULT
That'll be relevant later. That'll be relevant later.
GRAHAM CLULEY
Oh, okay. So the cops had infiltrated EncroChat.

We talked in the past about a guy who got caught after posting a picture of Stinking Bishop cheese in his supermarket and his fingerprints were picked up by the police, and they were able to work out who he was.

Anyway, they wanted to prove the identities of people who were involved in a particular drug dealing operation, because these guys had used pseudonyms.
CAROLE THERIAULT
On the channel? On the channel, right.
GRAHAM CLULEY
Exactly, on EncroChat. So, there was one guy, a 55-year-old called Danny Brown. He didn't use the pseudonym Danny Brown. That wasn't his username on EncroChat. He was ThrowTheDice.

And there was another guy called BoldMove. His real name was Stefan Baldauf. And they had a plan.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
They planned to send 448 kilos of MDMA.
CAROLE THERIAULT
That's ecstasy, isn't it?
GRAHAM CLULEY
Isn't it? Is that right? I don't know. I mean, you know, you live somewhere a bit more urban than me. Well, it's a pretty well-known clue. Is it? Okay. All right. I know MDF.

I know about what that is.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Anyway, MDMA. They were sending 448 kilos of flat-pack furniture. No, no, of Class A drugs worth £45 million to Australia.

And apparently you can make a lot more money out of MDMA in Australia than in the UK. It's got a higher street value.
CAROLE THERIAULT
Well, I'm sure everything has a higher street value over there. It takes that, you know, especially if it's imported. Do you think?
GRAHAM CLULEY
Well, sure.
RICO ACOSTA
Well, not—
GRAHAM CLULEY
Well, yes. Okay. So not kangaroo meat or something. That's going to be cheaper, I think, in Australia, isn't it?
CAROLE THERIAULT
What, than it's available here in the local Tesco?
RICO ACOSTA
Yes.
GRAHAM CLULEY
Right. You would think so. Although maybe we'll have some sort of trade deal with Australia. That'd be terribly convenient, doing trade with them on the other side of the planet.

Anyway, the question is this: how do you sneak that amount of drugs into Australia?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
How would you sneak drugs into Australia, Carole?
CAROLE THERIAULT
I would— Look, I watch a lot of cop shows, right? So I've seen that they've made boats out of actual cocaine or something. So actually the whole boat.
GRAHAM CLULEY
Oh, the entire boat?
CAROLE THERIAULT
Yeah, something they do. Yeah, no, I'm not— I'm gonna look at this. Would it not dissolve?
GRAHAM CLULEY
I'm gonna look at this right now.
CAROLE THERIAULT
I think it was—
GRAHAM CLULEY
Would it be like a soluble aspirin? Would it just begin to fizz and bubble?
CAROLE THERIAULT
Maybe I'm making this up.
GRAHAM CLULEY
Maybe. I don't know. Maybe you're not. I see, I was thinking nothing so adventurous. I was thinking maybe you'd have a false compartment in your suitcase.

It'd have to be a big suitcase, of course. I don't know.
CAROLE THERIAULT
It'd have to be quite a big suitcase. Or you, I guess you just, yeah, you have to do it by boat, right?
RICO ACOSTA
Well.
GRAHAM CLULEY
They decided to hide it inside a 40-tonne digger. Now, they weren't going to drive the digger there.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
What they did was they bought a digger, a big digger, you know, with a big arm, you know, something digging up the road, that kind of thing.
CAROLE THERIAULT
Yes, I know what that is. Thank you.
GRAHAM CLULEY
Alright. So, and then they got a welder. They said to this welder, they said, hey mate, here, would you cut open the arm of this digger?

And then we can hide the drugs inside the arm of the digger behind a lead lining.
CAROLE THERIAULT
How did the drugs get there?
GRAHAM CLULEY
This, no, this is in the UK. They're doing this from the— So they're smuggling from the UK to Australia.
CAROLE THERIAULT
Right, so in the UK, they're putting it into a digger.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And then they're gonna send the digger over.
GRAHAM CLULEY
And they send the digger over, and they cover the digger with— They contact a sign-making company. They cover up all the mess they've made with stickers to cover the markings.

They repaint the digger. It gets sent over to Australia. It looks all legit. And they— Well, before they send it to Australia, what they do is they put it up for sale on eBay.

And they arrange with the intended recipients. They say, look, we're gonna put this digger on eBay. Make sure you buy it, right? You pay this much.
CAROLE THERIAULT
How much does a digger cost? So was that the tip-off, what a normal digger costs? I have no idea. A million quid? I don't know how much a digger costs.
GRAHAM CLULEY
Well, I don't know. I don't think it's that much.
CAROLE THERIAULT
Well, I don't know. Some are pretty—
GRAHAM CLULEY
But maybe it's a secondhand digger. Maybe it's £40,000 or something like that.
CAROLE THERIAULT
But they want £24 million for it or something because they wanna pay for the drugs, right?
GRAHAM CLULEY
Well, that's the thing. That's the thing. You don't— And you don't want to make it too cheap.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Do you? You don't want to make it too cheap because someone else might snipe in and buy the digger. And you think, oh God, you know, we've got the drugs going to the wrong place now.

So they panicked apparently because 6 people were watching the auction on eBay who they thought were going to make bids. And it's, this is not good.

We need only our mates to buy this. Anyway. Jeez. Their mates in Australia, they managed to buy the digger. And the digger finally arrives in Brisbane.

But of course, EncroChat has been compromised. The cops are watching it. And so, the Australian police, they X-ray the digger. They remove the drugs.

They reseal up the digger arm, and they install a tracker and a listening device inside the digger.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And apparently, the two guys who picked up the digger, when it eventually arrived, they spent two days looking, trying to find—
CAROLE THERIAULT
Removing rivets.
GRAHAM CLULEY
And they were probably saying, have we been diddled by these other guys? They've double-crossed us. What's going on?

Now, the cops, of course, still want to know the identity of whoever it is who's done this.

So, all they knew were the code names of these guys on EncroChat, who'd sent it from the UK. So they looked at all the messages that they'd sent.

And one of them, the guy called— his name was Danny Brown. He had sent a photograph of his pet dog, Bob.
CAROLE THERIAULT
No way.
GRAHAM CLULEY
With a laundry basket in the background.
CAROLE THERIAULT
Did they do facial recon on the dog in social media to identify the owner?
GRAHAM CLULEY
They called up the guys at Clearview AI, and they said, "Look, we know that your technology works on humans. Could you use it on dogs as well?"
CAROLE THERIAULT
Just scrape their ear.
GRAHAM CLULEY
No, they didn't do that. What they did was they noticed the dog had a dog collar.
CAROLE THERIAULT
No.
GRAHAM CLULEY
And so of course, yes.
CAROLE THERIAULT
Oh, it's just old-school detective work, isn't it?
GRAHAM CLULEY
It's CSI style. They zoomed in.
CAROLE THERIAULT
Zoomed in.
GRAHAM CLULEY
They enhanced. Enhanced. Yeah.
CAROLE THERIAULT
Enhance, enhance.
GRAHAM CLULEY
And then they know the phone number for the dog. So they're able to ring up Bob the dog and say—
CAROLE THERIAULT
Hey, woof, woof, woof, woof.
GRAHAM CLULEY
Bob, Bob. "Who is your owner, Bob? Who do you belong to, Bob?" No, no, no, they didn't ring him on the dog and bone.

What they did, it was of course the phone number of the owner, which was there.

Now, that wasn't the only thing that these two guys had made a mistake when they'd posted up on EncroChat, thinking it was all end-to-end encrypted, thinking they were safe.

They'd also accidentally sent selfies of themselves to each other. Accidental selfie.
CAROLE THERIAULT
How does that happen?
GRAHAM CLULEY
Right, so an accidental selfie. It's not when you butt dial someone. It's not a photograph of your bum. It's not saying that. But I've been in accidental selfie situations.
CAROLE THERIAULT
I don't even know what that is yet.
GRAHAM CLULEY
Well, it's when you take a photograph by accident of yourself.
CAROLE THERIAULT
On your phone and then send it to someone by accident?
GRAHAM CLULEY
Well—
CAROLE THERIAULT
A lot of mistakes.
GRAHAM CLULEY
Okay. Carole, do you remember when I was having a lot of trouble with my phone in the shower?
CAROLE THERIAULT
Yes. How could I forget that horrid time?
GRAHAM CLULEY
So I would take the phone into the shower and something about the resonance of the falling water would somehow tell my— by the way, I wasn't taking my phone into the actual water of the shower.

I was sort of propping it up. As everyone does.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So I could listen to a podcast while I was having a shower. And something made my phone ring you up.
CAROLE THERIAULT
Yeah, not just once.
GRAHAM CLULEY
No, it was all—
RICO ACOSTA
Jesus.
CAROLE THERIAULT
And it was at ridiculous times.
GRAHAM CLULEY
Well, it was shower time.
CAROLE THERIAULT
Yeah, well.
GRAHAM CLULEY
Not hammer time. And it would sometimes initiate FaceTime video calls with you. And I remember one time when I realised it started a FaceTime video call with you, which you answered.

In my panic, covered in soap, I dislodged the phone, which fell into the shower tray, pointing upwards.
CAROLE THERIAULT
I would have been scarred for life if I'd opened my eyes.
GRAHAM CLULEY
Oh my God. So accidental selfies can happen.
CAROLE THERIAULT
Now, the thing is, you never video call me, so I always know it's a video call. Eyes sealed shut until told otherwise. Yeah.
GRAHAM CLULEY
Now, they hadn't taken deliberate photos of themselves and sent them to each other.

What they did was, in one case, Danny Brown of Bromley, Kent, he sent a photo to his fellow criminals of his TV, which he'd just bought.
CAROLE THERIAULT
Oh, great.
GRAHAM CLULEY
And the reflection—
CAROLE THERIAULT
Love it. Love it. Love this guy.
GRAHAM CLULEY
Displayed himself.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
And the other guy, the other guy, he sent a picture of a brass door sign.
CAROLE THERIAULT
Oh.
GRAHAM CLULEY
Which of course all—
CAROLE THERIAULT
So they were looking for a guy 3 times the size with the convex shape. Fantastic.
GRAHAM CLULEY
It's a bit like the nudes of eBay. People who put things up for sale on eBay and accidentally capture themselves in a mirror, normally in a state of undress.

Have you ever encountered that phenomenon?
CAROLE THERIAULT
I've heard of it, but I've never— Yeah, no.
GRAHAM CLULEY
Right. Oh no, I'm not suggesting you've ever, you know—
CAROLE THERIAULT
What, trawled eBay looking for a reflection of a nudie? I think there's easier ways to see those online. Just saying. Anyway.
GRAHAM CLULEY
Anyway, I guess this is my public service announcement to criminals out there. You can't necessarily trust end-to-end encryption because who's in charge?
CAROLE THERIAULT
Well, let's remember that for my story as well.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
All right.
GRAHAM CLULEY
What have you got for us this week, Carole?
CAROLE THERIAULT
Lensa AI. This is an app, despite having been around since 2018, has in the last week caused rather a lot of ruckus.

This is because the company Prisma Labs added a new avatar generation tool based on Stable Diffusion.
GRAHAM CLULEY
Pardon?
CAROLE THERIAULT
So before they added Stable Diffusion, you basically, this app would let you retouch your pics, you know, add a nice background, whiten your teeth, add contrast to your eyes, Graham, put a border around your picture, whatever.
GRAHAM CLULEY
Remove parsley from between your teeth, get rid of zits.
CAROLE THERIAULT
That kind of thing.
GRAHAM CLULEY
That kind of thing.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Excellent. That's what I need.
CAROLE THERIAULT
Right? Yeah. And with Stable Diffusion, which they recently announced, the app rocketed to the number one spot with everyone trying to create these AI avatars.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
Stable Diffusion is a latent text-to-image diffusion model, which can generate photorealistic images given any text input. So we've played with this before on the show.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
I can't remember when.
GRAHAM CLULEY
Not very long ago. It was with Liz Truss, I think. You had her eating a cream cake or something, didn't you? Yes.
CAROLE THERIAULT
So that's the kind of thing, right? Kind of like DALL·E is another one. So the idea is it cultivates autonomous freedom to produce incredible imagery based on the text input.
GRAHAM CLULEY
Why can't they just speak English rather than autonomous freedom and stable diffusion? Why don't they just say it makes up pictures?
CAROLE THERIAULT
Yeah, so you write words, it then creates a picture based on that word. Huzzah.
GRAHAM CLULEY
Very clever stuff.
CAROLE THERIAULT
Very clever stuff.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
The reason this kind of rocketed to the top was, of course, celebs. The reputable, I am sure, publication called Hello Giggles said that celebrities—
GRAHAM CLULEY
I read it every week. I get my copy of Hello Giggles.
CAROLE THERIAULT
Says that celebrities like Michaela Rodriguez from Pose, Chance the Rapper, and even Britney Spears' new hubby Sam Asghari— I don't know this guy.
GRAHAM CLULEY
Yeah, they're all celebrities. I've heard of all three of those girls. Exactly.
CAROLE THERIAULT
Yeah, they've all jumped on the Lensa bandwagon to AI-ify their selfies. This is according to Hello Giggles. I just want to repeat that.
GRAHAM CLULEY
Right, good. Hello Giggles.
CAROLE THERIAULT
And you can actually play around with Stable Diffusion a bit just to see.
GRAHAM CLULEY
Oh, you want me to do this now?
CAROLE THERIAULT
Yeah, yeah, why not?
GRAHAM CLULEY
All right.
CAROLE THERIAULT
I just want to show you how powerful it is, right? Ask for somebody. So anyone that's famous, like Diana Rigg.
GRAHAM CLULEY
What about her? Do I just type in her name?
CAROLE THERIAULT
Type in a prompt. So Diana Rigg on a horse.
GRAHAM CLULEY
Oh, I love the idea.
CAROLE THERIAULT
Put naked on a horse. See what happens.
GRAHAM CLULEY
No, I don't want to see Diana Rigg naked on a horse. Can I make the horse naked? No, on a horse which is wearing clothes. I'm going to ask for the horse to wear clothes.

Okay, generate image. Here we go. Okay, it's thinking about it. Progress bar. All right. And oh, it's done. Okay. Poor Diana.

That looks a very uncomfortable way to ride horse sidesaddle, I can tell you. But anyway. Not very gracious, but yes, it is Diana Rigg. The horse isn't wearing clothes.

That may be my fault. She is wearing clothes though, thankfully.
CAROLE THERIAULT
So you can just see how it works. So what this company have done is they've taken this tech and put it into their Lensa AI product, and people are going nuts about it.

Well, why don't we talk about maybe the issues that have come up with this huge slam of this? This product Lensa AI, okay?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
It's number one, right? It improves facial recognition tech to speed up mass surveillance.

Okay, so we know that mass surveillance can and is used in law enforcement and mass surveillance around the world.
RICO ACOSTA
Right.
CAROLE THERIAULT
We were able to fight it off in the country here in the UK for some time a few years ago, but how long can we keep that up? So that's a big issue. So do you want to help?

By using something like this, you are helping to improve the tech.
GRAHAM CLULEY
So how do people help the tech by using Stable Diffusion? 'Cause they're just writing the words in, they're not uploading their photos, are they?
CAROLE THERIAULT
Well, good question.

The way it works with Lensa AI so that you don't end up with these abysmal pictures of Diana Rigg or whatever is that you load 10 selfies up to its iteration of it. There you go.

And from those 10, it will create a cute little avatar, sometimes up to 50 avatars. Right? Which you then can use on your socials or wherever.
GRAHAM CLULEY
Well, I can understand why people would want to play around with that and how that could have become very popular.
CAROLE THERIAULT
Let me tell you another problem that happened with someone who was trying to play around with this. Okay. So the rendering can be really bad.

Journalist Olivia Snow wrote in Wired that she decided to test the app's limits. So she scrounged around to find 10 pics of herself as a kid.

Right, she says, quote, I found a few photos of myself from childhood until my late teens.

Between my unruly hair, uneven teeth, and the bifocals I started wearing at age 7, my appearance could most generously be described as mousy.

I managed to piece together the minimum 10 photos required to run the app and wait to see how it transformed me from an awkward 6-year-old to a fairy princess.

She says the results were horrifying.

She says later in the article, for Lensa, which endeavors to beautify, as in whiten and sexualize, user-submitted content, the lack of moderation similarly threatens to unleash a torrent of likewise horrifying content, in this case, child sexual exploitation material.
GRAHAM CLULEY
So there's two issues here that you've just raised here. One is obviously the sexualization and how that could be used to create child abuse material, maybe.
CAROLE THERIAULT
Yes, exactly. And interestingly, Prisma Labs CEO and co-founder told TechCrunch that this behavior only happened if the AI was intentionally provoked to create this type of content.
GRAHAM CLULEY
Well, yeah, that's—
CAROLE THERIAULT
Yeah. And he says this represents a breach of our terms.
GRAHAM CLULEY
Oh, well then.
CAROLE THERIAULT
And if an individual is determined to engage in harmful behavior, any tool would have the potential to become a weapon, he said. So I thought about this, right?

And I thought I'd take it as a challenge. So I'm going to name 3 tools and you tell me how you would use these as a weapon. Okay?
GRAHAM CLULEY
Okay. All right.
CAROLE THERIAULT
A button.
GRAHAM CLULEY
A button? How could I?
CAROLE THERIAULT
A button is a tool because it closes your clothes. It's very useful.
GRAHAM CLULEY
Oh, yes.
CAROLE THERIAULT
Does a thing.
GRAHAM CLULEY
You could shoot it out of a gun. Maybe you could choke someone with it in their windpipe.

Perhaps if you got them to swallow it and it got stuck a bit, a bit like a fishbone with the Queen Mother. You know?
CAROLE THERIAULT
What about a tissue then? A tissue?
GRAHAM CLULEY
Bless you. Well, you could— a tissue, you could have chloroform on it.
CAROLE THERIAULT
True.
GRAHAM CLULEY
Or you could— Yeah. If it was a tissue which was hard to rip.
CAROLE THERIAULT
You're pretty good at this.
GRAHAM CLULEY
You could make it into a tourniquet for throttling somebody. I'm struggling here. I wasn't expecting all this, Carole.
CAROLE THERIAULT
Yes, yes. I would love to see that. So basically they are saying, not our problem, guv, it's the users that are coaxing it. It's blameless. Number 3 on my list, societal biases.
GRAHAM CLULEY
By the way, I'm not very happy about the fact that it's also whitening people to make them more beautiful as well.
CAROLE THERIAULT
Well, exactly. Societal biases. So you could whiten teeth, but also whiten people.

So users of non-Anglo descent have also alleged Lensa whitens their skin and anglicizes their features.

And this is a common complaint of image editing software on TikTok and Instagram.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
The technology doesn't consciously apply representation biases, says the CEO.

Again, the man-made unfiltered data sourced online introduced the model to the existing biases of humankind, he said. The creators acknowledge the possibility of societal biases.

So do we.

So again, it's a shitty answer in my book because they're providing a service and taking absolutely no responsibility for blocking certain requests, which surely is their job, as it is Facebook's job to weed out scams and hate comments and all that stuff, as it's YouTube's.
GRAHAM CLULEY
But to be devil's advocate for a moment, Carole, if you had bought, if you were a manufacturer of scissors, which obviously have plenty of lovely purposes, but—
CAROLE THERIAULT
It comes in a huge plastic, you know, difficult to open container. And I'm sure it has warnings, can't be sold to anyone under 18.
GRAHAM CLULEY
Well, and Lensa AI probably makes you click through some agreements to confirm.
CAROLE THERIAULT
Exactly. I read them actually. So yes, they do.
GRAHAM CLULEY
Did you? Right. You know, I mean, I can see them making that parallel.
CAROLE THERIAULT
Doesn't float my boat, but there you go.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
But you know, noted. Yeah. Number 4, anybody can use it on anyone's selfies or any images.

So as explained in Artnet, Sarah Cascone wrote, I had no intention of using Lensa, but then my husband called my name excitedly across the apartment asking me to check out the 100 artworks the app had just created based on 20 images of my face.

Neither my husband Nathan nor I had downloaded the Lensa photo editing app, but a friend had a trial period 50% discount on image packs which normally cost $12 for 100.

He had offered to run our faces through the app, and without consulting me, Nathan eagerly sent over our photos.
GRAHAM CLULEY
Hey, my ugly friends, look, I've made you more attractive. Look what I've done. You've been cursed by being hit with the ugly tennis racket.
CAROLE THERIAULT
Yeah, they're just kind of annoying, right? So you can load up anything.

I could have loaded up 10 pictures of you to find out what it made of you, but I'm then teaching the AI based on your images without your consent?
GRAHAM CLULEY
I think it would pretty much— It would break the machine, I agree. I think everyone would end up more attractive if I got uploaded to this.
CAROLE THERIAULT
If you want to look in the show notes, you can see some of the images that it actually has created.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
So we have a girl here, but they've kind of rendered her differently, but all her features are a little bit more exaggerated.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
If you look at the second picture, you can see the girl was pretty much sexualized. And the last segment I got you, you can see the real photos that the person uploaded.

Oh, you can see the pictures that they created. So it kind of airbrushes you and gives you this weird bigger eyes, fatter lips, bigger boobs.
GRAHAM CLULEY
It is very hypersexualized. Yeah.
CAROLE THERIAULT
Finally, copyright. So artists are claiming their work is being stolen.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So it's been noticed that artists' signatures are sometimes still visible, although scrambled, in some of the rendered images, because the app uses the open-source Stable Diffusion model, which makes use of copyrighted art from artists around the world in order to work.

And Prisma Labs responded on Twitter, "The AI learns to recognize the connections between the images and their descriptions, not the artworks.

This way, the model develops operational principles that can be applied to content generation," basically saying the outputs cannot be described as exact replicas of any other artwork.
GRAHAM CLULEY
So let me get this straight. Prisma Labs, they are recompensing the artists, aren't they?
CAROLE THERIAULT
Of course they are. No, they're not. They went around the web, they scraped everything, including copyright art.
GRAHAM CLULEY
How do they justify that?
CAROLE THERIAULT
And then use that to generate images? Well, I just explained it to you.

They're saying that the image that they've generated on your image is not an exact replica, and therefore, what's your point?
GRAHAM CLULEY
Yes, but if I'm making sausages and I'm filling them with bits of pig, I have to pay for those bits of pig which end up in the sausage.
CAROLE THERIAULT
That's a pretty gross way of describing it. Do you want to use another foodstuff, maybe?
GRAHAM CLULEY
The point is they're feeding one thing into the funnel, aren't they? That is the commodity, and they're selling the output.
CAROLE THERIAULT
Yes. Well, it's exactly the same as Clearview AI, which does a similar thing. It scraped everything off the web and then uses it.

The other point is that they're selling this stuff cheap, right? So $8 gets you 50 avatars, takes seconds to use, and no artist can compete with that.

And well, they can, but they won't probably be eating very much. They're profiting from stolen, uncompensated, and uncredited art. That's the way I would put that.
GRAHAM CLULEY
I'm not sure I Prisma Labs.
CAROLE THERIAULT
Well, then I think I've done my job.
GRAHAM CLULEY
Listeners know that a password manager is an important tool for generating and saving secure credentials for each of your online accounts, and podcast sponsor Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.

Now, what's nice is that it's open source with published third-party security audits. Bitwarden is transparent and secure.

It utilizes end-to-end and zero-knowledge encryption with source code that can be scrutinized by all.

And the team at Bitwarden are always introducing new features to make your life easier as well as more secure.

For instance, they've just introduced passwordless login for the Web Vault, meaning you can authenticate into the Web Vault using your Bitwarden mobile app instead of entering your master password.

Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today. That's bitwarden.com/smashing.
CAROLE THERIAULT
When do you have insight into your compliance, security, and risk postures? If it's right before an audit, you're in the same boat as many other organizations.

With Drata, G2's highest-rated cloud compliance software, you'll have continuous monitoring and visibility into your risk, security controls, and audit readiness for standards like SOC 2, ISO 27001, GDPR, HIPAA, and more.

Plus, Drata can streamline compliance for over 14 frameworks and even automate the custom frameworks and controls you create to meet your organization's unique security needs.

With more than 75 native integrations and a risk management solution, you'll have a tool that will scale with you.

Professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it has been to have Drata as their trusted compliance partner.

Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A.
GRAHAM CLULEY
The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder.

You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets.

But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide.

Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices regardless of operating system.

Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't.

And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack.

You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how.

If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's kolide.com/smashing, and thanks to Kolide for supporting the show.

And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related. I saw on the wires that everyone's talking about this new Netflix show, Wednesday. Have you heard of Wednesday?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Wednesday Addams from The Addams Family is the main character in this thing. I haven't watched it.
CAROLE THERIAULT
My brother has, and my niece has, and they loved it.
GRAHAM CLULEY
They love it, do they?
CAROLE THERIAULT
They loved it, yeah.
GRAHAM CLULEY
Well, Wednesday, the strangely, gothically, darkly strange Wednesday Addams is played by Jenna Ortega.

And she was in the news this week because she was talking about how she'd had a really hard time filming a dance sequence, which appears in one of the episodes.

And I have seen the dance sequence. It's up on YouTube, and it's pretty cool. She does this kind of jerky, robotic, angular dance sort of thing. Have you seen that, Carole?
CAROLE THERIAULT
Yes, I have. Yeah, it looks good. It reminds me a lot, actually, of Pulp Fiction.
GRAHAM CLULEY
Oh yeah, yeah, a bit like Pulp Fiction.
CAROLE THERIAULT
It has that similar kind of Pulp Fiction-y—
GRAHAM CLULEY
Yeah, Pulp Fiction-y movement does.

She dances a little bit like she's a marionette, but the person who's doing the puppeteering is completely and utterly rat-arsed on MDA or something like that.

But anyway, it's a peculiar thing.
CAROLE THERIAULT
Oh, now you know what ecstasy does, you see?
GRAHAM CLULEY
But the reason why this is in the news this week is that Jenna Ortega says that, "Oh, I had such a hard time filming that sequence because I had COVID at the time and I had all these symptoms." And she was saying, "Oh God, I felt really bad. And as soon as the result came back positive, you know, I got whisked away, but you know, I was feeling so bad."

And it's like, "Well, hang on, what? Hang on, so you were on a film set surrounded by all these other people?"
CAROLE THERIAULT
It's not 2020 anymore, clearly.
GRAHAM CLULEY
No, but it wasn't filmed yesterday, Carole.
CAROLE THERIAULT
Oh, good point.
GRAHAM CLULEY
Right? And she had all the symptoms. And even if you do have the symptoms now, you're not supposed to be, you know, spluttering and dancing around.

Anyway, I was thinking about dancing because I'd— admittedly, it's a good dance sequence. And I was thinking about dancing. And I thought, well, this isn't the best dancing I've ever seen.

And I was reminded— And I'd like to take you back to 1980 at the West Park Pavilion, which is the major entertainment venue on the island of Jersey in the English Channel.

And in 1980, I think it was September 1980, they held the regional final of the EMI Disco Dancing Competition on Channel TV, the local TV station.

And that has been immortalised in the form of a YouTube video where you can see all the best dancers from the best discos, not just in Jersey, which is a tiny island, but also Guernsey, and maybe Alderney as well, where there's about 3 people who live on Alderney.
CAROLE THERIAULT
I love that even if a tiny fraction of our listeners go and visit this, it's going to scream up these views because they only have a max of 3,800 views at the moment.
GRAHAM CLULEY
Well, I came across it and I thought, this is fantastic television from 40 years ago. It's half an hour.
CAROLE THERIAULT
It's beautiful.
GRAHAM CLULEY
Now, the competition was sponsored by the local hi-fi store.
CAROLE THERIAULT
Was it?
GRAHAM CLULEY
Yes. If you watch to the end, third prize is a Ferguson clock radio. Second prize winner got a black and white portable TV.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
First prize winner, I'm not going to reveal who does win the prize, but the winner won £100, a hi-fi system, and entry into the UK Disco Dancing Championship.

I have not yet discovered whether they went on to win nationally. But it is a glorious 30 minutes watching people strut their stuff in fantastic costumes.
CAROLE THERIAULT
Yeah, yeah, it's really worth it. I've actually watched this right before the show on your request, and I found my favourite quite early.
GRAHAM CLULEY
Okay, which one did you like?
CAROLE THERIAULT
I—
GRAHAM CLULEY
Was it the guy in the film?
CAROLE THERIAULT
I really like the first guy. No, I really like the first guy with his gold socks and this kind of gold chain wrapped between his legs and wrapped around like a diaper.
GRAHAM CLULEY
His dangler.
CAROLE THERIAULT
And he's topless, of course.
GRAHAM CLULEY
Of course.
CAROLE THERIAULT
Everyone in disco time, we're all topless. But he moves like a real— Anyway, I think he should have won.
GRAHAM CLULEY
I quite liked the guy in the skimpy thong who'd sprayed himself silver like a robot.
CAROLE THERIAULT
Yeah, he could really move too.
GRAHAM CLULEY
There is some pretty impressive dancing.
CAROLE THERIAULT
This explained when I watched this that this explains my husband's dancing. Oh, this is who he is, isn't it?
GRAHAM CLULEY
Oh, I suppose so. Yeah, he is.
CAROLE THERIAULT
We just need to get him some flashy outfits and we're ready to rock.
GRAHAM CLULEY
Well, if he keeps on practicing, he could win himself a clock radio. And I'm sure he'd be— This is the kind of thing they used to put on television in the 1980s. And I loved it.

It took me down a rabbit hole reading more about Channel TV on the internet.

And that is why the regional final from the Channel Islands of the Disco Dancing Championship in 1980 is my pick of the week.
CAROLE THERIAULT
Definitely not a barrel scraper, right?
GRAHAM CLULEY
Definitely not. Crow, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week is for fans of Maria, because we just recorded our last Sticky Pickles podcast of the season, season 5.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And I worked hard to really blow Maria away because she has wonderful explosions of emotions, right? Outrage, or laughter, or shock.

And I wanted to get the trifecta, all the emotions there in the story. And I had to craft it very carefully in order to get that. But boy, she lost it.
GRAHAM CLULEY
I have listened to the latest Sticky Pickles. I'm sorry to hear it's the last one of the season. I did laugh out loud in the car as I was listening to it.
CAROLE THERIAULT
Of course you did. You can't help it.
GRAHAM CLULEY
Not just at the sheer smuttiness and filth of your story, which was— it really was— well—
CAROLE THERIAULT
It had to be to make her on edge, right? I had to bring her to her most uncomfortable self.
GRAHAM CLULEY
It brought tears to my eyes, let me say that, without going into too much detail.

But then Maria's story and your reaction to it was really— all I can say is hand cream and horses. That's, I think that's all we need to really say to sum up the episode.
CAROLE THERIAULT
Yeah, a trigger warning. If you don't like horses, this episode's not for you. Yeah, I love it.

Yeah, and if you like your comedy clean and family friendly, this episode is definitely not for you.
GRAHAM CLULEY
Absolutely not, absolutely not. But yeah, Sticky Pickles, go and check it out. In all good podcast apps, I imagine.
CAROLE THERIAULT
Exactly, of course it is.
GRAHAM CLULEY
How many episodes have you done? You've been doing this for years, haven't you?

This is, for people who don't know, this is the strange cousin of Smashing Security, the estranged cousin.
CAROLE THERIAULT
The estranged, yes. The cousin that didn't, yeah. So we've done 75 episodes.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
And we are approaching 100,000 listens of our show.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Right? And we have a solid base, which I'm sure there is some overlap with Smashing Security listeners.
GRAHAM CLULEY
Oh, I'm pretty sure there is because we both got that guy Turtle or whatever his name is listening to us. Both our shows.
RICO ACOSTA
Yes.
CAROLE THERIAULT
So newbies, if you want to check it out, you can find it at stickypickles.com. And if you're already fans of the show, this is a doozy.

My hunksband, he's a regular listener, but only because I always want to have a second listen before I go live. He said after listening to it, pretty kick-ass beauty.
GRAHAM CLULEY
Did you call him hunksband?
CAROLE THERIAULT
Yeah, I always do.
GRAHAM CLULEY
Have you made up a new word? I haven't heard hunksband before.
CAROLE THERIAULT
Well, I tend to do it. Yeah.
GRAHAM CLULEY
You just do it to him. I understand. Well, well done, Carole, for sneaking in some free sponsorship and advertising for Sticky Pickles on the Smashing Security podcast.

And in that vein, we have a featured interview this week, don't we, with the guys from Bitwarden?
CAROLE THERIAULT
Yes, we do, with Rico Acosta from Bitwarden. He's the IT manager, and he also has an incredibly deep voice, probably the deepest I've ever encountered.

Rico talks all about how to train people into being more secure online. Check this out. Listeners, I am thrilled to welcome Rico Acosta.

He is the IT manager at Bitwarden, and he's also responsible for the security and the security training of all his teammates. So, welcome to Smashing Security, Rico.
RICO ACOSTA
Thank you very much for having me.
CAROLE THERIAULT
I don't know if you know this, but more than a decade ago, I too was responsible for security training all new employees at this global security firm I worked at.
RICO ACOSTA
Okay.
CAROLE THERIAULT
So, I'm totally fascinated to hear about your approach to cyber training and employees at Bitwarden, because at the time, there was nothing for me to, you know, there's nothing I could copy.

You know, it just didn't exist really at the time, or I couldn't find it. So, I had to make it up on the fly. There's so many more tools available to you now.

So it must be so much more efficient, effective in terms of driver training. So tell me, what's your approach to it? How does it work?
RICO ACOSTA
Yeah. And I think that's something that's just more at the forefront now.

You know, when I first started working on computers, when, you know, I was a young teenage boy, you know, the internet was still not an accessible thing to most households, right?

So, you know, there wasn't, there was some need for cybersecurity, but not at all the same way now. So, you know, now it's this ever-present need for training.

And I think a big way, you know, it's vigilant and it's constant and it's never-ending. And my start to that, I think, is explaining to people why, why are we doing this?

You know, not just with cybersecurity, with anything, but especially with cybersecurity, it's important for them to understand why.

Or, you know, your teammates need to understand why they're doing it, what they're doing, right?

And because that effectively lets them know, okay, how do I act when, you know, my teammates aren't around or my direct leader isn't around?

How can I help lead others in that effort as well?
CAROLE THERIAULT
Yeah. Yeah. It makes total sense. I mean, even two-year-olds want to know why.
RICO ACOSTA
Right. Absolutely.
GRAHAM CLULEY
Absolutely.
CAROLE THERIAULT
Right. So, so it makes sense.

And I remember, I think when I took over the training, the reason I did it is because IT at the time was responsible and they were basically scaring the poop out of new employees by giving them rules of, you cannot do this, do not do that.
RICO ACOSTA
Right.
CAROLE THERIAULT
So, so do you find that helps that you get a lot more engagement from those that are taking your training if you explain why?
RICO ACOSTA
Oh, absolutely. Understanding the importance of it is what creates that buy-in from people. It's not me just saying, hey, use a good password, right? Use a good password.

Use this number of characters or this many phrases. It's, hey, you should use a good password because here's how easy it is to crack a weak one, right? And then showing an example.

And that is much more eye-opening than just saying, hey, standard password length of whatever is insecure, whatever it may be.

If you can explain that, they buy into that, because now they understand, oh, wow, if I use this password 123, it literally takes a computer 2 seconds to crack this, right?

They can understand real-world applications, they can understand the real-world threats when they understand what we're doing here.
CAROLE THERIAULT
Yeah. A question I used to get a lot was not a question, but a challenge, I guess, was, 'Look, I'm nobody, right? I work in blah blah. I have nothing to do with, I'm not important.

It's not, it's no big deal if my password is the name of my cat.' Sure. And I had trouble explaining that the weakest link, you're only as strong as the weakest link that you have.

So how do you deal with that?
RICO ACOSTA
Absolutely. Absolutely. First, you are special. You are important. But, reminding everyone this person, this attacker, this bad actor, right? This is the whole point.

They're trying to gain knowledge about you and gain access into your life and into your credentials. Right. So they don't know that you're a low-level intern or whatever it may be.
CAROLE THERIAULT
That I only have $5 to my name.
RICO ACOSTA
Yeah. Right.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Right.
RICO ACOSTA
They're making multiple attacks against multiple entities at all times. And the bad guys, they only need one opportunity, right?

You may think, oh, I'm not this high-level person or whatever. But if your account grants access and it's inside the castle walls, now that person is inside, right?

And they can start to move around from that point. And John from accounting may be a good friend of this person, and so they can reach out to John, build access from there, right?
CAROLE THERIAULT
Yeah. And they have lots of tools to help them find that one needle in the haystack as well, a good metal detector.
GRAHAM CLULEY
Sure. Sure.
RICO ACOSTA
Absolutely.
CAROLE THERIAULT
Yeah. Yeah. So tell me, how much do you focus on password management when you're doing cybersecurity training at Bitwarden, which specializes in password management?
RICO ACOSTA
That's something obviously we focused on. It's a component of that training. It's, I would argue, the easiest component for our team, because that's what we do all day.

That's where our primary focus and development efforts are, password management. So I try and give everything equal weight. All of these things are important all the time.

So we can't focus on just one area more than the other, but it's definitely a strong component. It's one that the team is highly aware of.

I would be flabbergasted to know that anyone on the team hadn't used a password manager. And there shouldn't be kind of this distinction, I think, between personal and business.

You should have them for your personal accounts as well.
CAROLE THERIAULT
Yeah. And how could anyone actually manage their passwords? Or rather, how could anyone manage unique passwords today?

I mean, even someone who uses computers only as a sideline, maybe they don't even do it for their job, will still have a dozen different accounts from healthcare to banks to everything that's vital for existence in society versus all the fun accounts.
RICO ACOSTA
And obviously we would love for you to use Bitwarden, but if you're not using Bitwarden, use a password manager.

There is no chance unless you have eidetic memory where you can memorize everything. Unless you have that, there is no chance that you remember all of your passwords.

And you may think, oh, I barely own a computer, I barely do this and this. I guarantee you have at least 20.

You more than likely have 40 to 50 different passwords for different things. It just stacks up too quickly.

You said, bank accounts, health insurance accounts, but then you think about social media accounts, or if you're part of a forum or a blog, you have logins for those things.

You have logins for your electric bill, you have logins for everything.

So I think in this current era of technology, you are doing yourself a huge disservice and you are putting yourself at risk by not using a password manager.

And it's not because you're not using the password manager, it's because there is no possible way to remember that many.
CAROLE THERIAULT
Exactly. Unless you, exactly as you say, unless you have a photographic memory and those of you out there that do, I am so jealous.
RICO ACOSTA
And even if you do, even if you do, save that part of your brain to memorize something else.
CAROLE THERIAULT
That's right. Yeah. Don't waste it on these things, on 26-letter passwords. So I'm actually quite a big fan of Bitwarden. I've been using Bitwarden and I think it's quite a joy to use.

I've used other password managers as well, and I agree, everyone has their strengths, but I really love the approach that you guys take.

It's very simple to set up, especially on a consumer level. How is it from an enterprise point of view?
RICO ACOSTA
It's just as easy. It's just as simple and straightforward. Obviously I use it personally. And I manage it for our entire organization as well. It's simple. It works.

We can deploy quickly. There's lots of integrations that IT managers do every day and lots of backend configuration.

And I certainly feel for anybody that is in that field doing that, you can understand how time-consuming those things can be.

But Bitwarden has a very straightforward method of setup.

And what was really impressive for me coming onto the team and then taking over the reins for IT management was the documentation. The team writes excellent documentation.

It's all available online. And really, it's just well done. The team does write really great guides.
CAROLE THERIAULT
And that's super important, right?
RICO ACOSTA
Yeah, and if you're maybe junior in your career or just coming into the field, sometimes it can be daunting to try and set up a big enterprise-wide thing.

So being able to have this kind of step-by-step guide that walks through, it actually works. It's very helpful.
CAROLE THERIAULT
I've had people ask questions, and I'd rather ask you because you know much more about it than I do.

But typically when people are moving from one password manager over to Bitwarden, is that more complex than having someone who's never used a password manager before?
RICO ACOSTA
Sure. I think that's another blocker, right?

Actually, a vendor of ours, they expressed an interest in moving, but the initial roadblock was gosh, but it's like, I'm gonna have to invest so much time.

No, let me show you real quick. Let's hop on a quick call. 5 minutes, let's talk about this. And it's very easy. It's very easy.

So prior to using Bitwarden, I was using a different password manager. And I thought the same thing.

You know, what if everything doesn't transfer properly, and all this, but when you dive in, it's simple. I mean, it's straightforward.

And I think that's part of the Bitwarden business model in a way, right? Let's make things that are easy. Get out of the way so the user can use it. That's so important.

And that helps build that buy-in, helps build that use. Because if something is so complicated all the time, you're not going to use it, right?
CAROLE THERIAULT
Yeah.
RICO ACOSTA
If you had to go to your car and you had to tap the brake 3 times and touch another button 4 times.
CAROLE THERIAULT
Put the tires on.
GRAHAM CLULEY
Right.
RICO ACOSTA
You're not, you're like, I'll walk. I'll walk.
CAROLE THERIAULT
Yeah.
RICO ACOSTA
I'll walk 15 miles.
GRAHAM CLULEY
It's fine.
RICO ACOSTA
So having that ease of use is something that Bitwarden is very good at.

And that includes everything, you know, switching over to it, you know, personally, or even switching for an entire organization. Enterprise situation. It's straightforward.

It's simple. It helps your users get up and running quickly and be about their day.
CAROLE THERIAULT
Well, I think it's a darn good product. And that's been my experience as well. Rico, thank you so much for coming on the show. Is there anything you want to add?
RICO ACOSTA
But I just thank you very much for doing this. Thank you for making this an easy conversation. I'm really glad to hear that you're enjoying the product.

You know, I think obviously with some bias, it's a really great product. If you're not using Bitwarden, that's okay. We'd love for you to try it out, obviously.

But please use a password manager.
GRAHAM CLULEY
It's—
RICO ACOSTA
It will make not only your life easier, but it will make it a lot more secure.
CAROLE THERIAULT
I can jump in and say, listeners, you can learn more and try it out for yourself by visiting bitwarden.com/SmashingSecurity. That's bitwarden.com/smashing.

And Rico Acosta, IT manager at Bitwarden, thank you so much for making time to talk to us today.
RICO ACOSTA
Of course. Thank you so much.
CAROLE THERIAULT
There you go. Not bad, eh?
RICO ACOSTA
Yeah, definitely not sweating through my shirt over here.
GRAHAM CLULEY
Well, he seems like a very nice chap to me. And thanks, as we've said, to the folks at Bitwarden for sponsoring the podcast.

It's really terrific as an independent podcast to have support from brands such as Bitwarden. We really appreciate it.

And if you want to check out Bitwarden, go to bitwarden.com/smashing. Well, that just about wraps up the show for this week. You can follow us on Twitter while Twitter still exists.

We're @SmashingSecurity, no G, Twitter won't allow us to have a G. And we're also on Mastodon.

If you want to find us on Mastodon, easiest thing to do is go to smashingsecurity.com/mastodon and it will take you to our account.

And look up the Smashing Security subreddit on Reddit as well.

And never forget, if you don't want to miss another episode of Smashing Security, sign up, follow us in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, Bitwarden, Kolide, and Drata. And of course, to our wonderful wonderful Patreon community.

It's thanks to them all that this show is free.

Episodes, show notes, sponsorship info, guest list, and the entire back catalog of more than 301 episodes is all on smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye.
CAROLE THERIAULT
Do you not think that we should stop asking people to follow us on Twitter?
GRAHAM CLULEY
Oh yeah, Elton John has just left Twitter. Did you hear that? I mean, why don't we just—
CAROLE THERIAULT
Why don't we do that? Not saying we have to kill the account, but we could just mention Mastodon, and then I don't have to hear that fucking T-word in a whole show. Wonderful.

Just, you know, please, I'm putting it on the table.
GRAHAM CLULEY
You're putting it on the table and you're leaving it inside the minibar. There you go. In the fridge.

In another hilarious case, a drug dealer from Liverpool was identified after he sent a picture via EncroChat of some mature Stilton blue cheese he was buying at a supermarket.

What he didn’t realise, as we describe in a different episode of the “Smashing Security” podcast, was that the photo showed enough of his palm and fingertips for Merseyside police to identify him.

Cheese

Imagine believing you’re a big cheese in the world of crime, and to be caught out in such a way…

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
PAUL ROBERTS
Maybe for our benefit, could you describe what a Stilton cheese tastes like? Because I might, it might add a little bit to that.
GRAHAM CLULEY
Ah, yes. So a Stilton cheese tastes a bit like, you know when you've been wearing socks for about 6 weeks nonstop and you have some kind of fungal infection?
CAROLE THERIAULT
But delicious socks, not like gross socks.
GRAHAM CLULEY
Yes. And you've maybe been walking around in some damp fields.
CAROLE THERIAULT
Nice fields, beautiful fields. With flowers and stuff.
PAUL ROBERTS
Just in your socks, just no shoes. Exactly. Just walking in the socks on the ground.
CAROLE THERIAULT
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
GRAHAM CLULEY
And then you put them in the airing cupboard or the microwave for a few minutes. And it's, oh, it's very, oh my goodness, it's quite, oh.
CAROLE THERIAULT
It's fricking delicious.
Unknown
Smashing Security, Episode 229: Dating Leaks, Rights to Repair, and a Stinky Bishop with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security, Episode 229. My name's Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we are joined this week by a special guest, someone who hasn't been on the show before. It's Paul Roberts from The Security Ledger. Hello, Paul.
PAUL ROBERTS
Hey, Graham. Hey, Carole. How are you?
CAROLE THERIAULT
Good. It's been a long time, Paul.
PAUL ROBERTS
It has indeed. Years, years since we've seen each other.
GRAHAM CLULEY
I think decades, actually.
CAROLE THERIAULT
I'm actually embarrassed you haven't been on the show before.
PAUL ROBERTS
Well, don't be.
GRAHAM CLULEY
We might be embarrassed after the show's recorded as well that he's been on the show. Let's put it that way.
CAROLE THERIAULT
That's true. Let's see what happens.
PAUL ROBERTS
This could be a disaster.
CAROLE THERIAULT
Paul, for our listeners that don't know you, what can you tell them? What do they need to know about you?
PAUL ROBERTS
I'm the editor-in-chief and publisher of the Security Ledger, securityledger.com, which is a cybersecurity news website since 2012.

And I'm the founder of securerepairs.org, which is a group of security and information technology professionals who support the right to repair.
CAROLE THERIAULT
Okay, so all we need now is to thank this week's sponsors, 1Password, OneLogin, and KnowBe4. Their support helps us give you the show for free.

Coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about cheese.
CAROLE THERIAULT
Whoa, got bored of cyber? Okay. And Paul, what about you?
PAUL ROBERTS
I'm going to be talking about the right to repair and cybersecurity.
CAROLE THERIAULT
Super. And I'm going to be looking for love in Japan. Plus, we have an interview with Javvad Malik from KnowBe4. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, do you have a secret stash? Do you have a secret stash, Carole?
CAROLE THERIAULT
I have many things, yes. Paul?
PAUL ROBERTS
Yeah, I absolutely do.
GRAHAM CLULEY
Yeah? What sort of stash do you have?
CAROLE THERIAULT
None of your fucking business. Come on.
PAUL ROBERTS
Exactly, Graham. If I were to tell you, then it wouldn't be a secret anymore, would it?
GRAHAM CLULEY
Very true.

Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, creeping tippy-toe down the stairs, opening the fridge, and hallelujah!

There, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies: some stinky cheese.
CAROLE THERIAULT
No, in the middle of the night?
GRAHAM CLULEY
No.
CAROLE THERIAULT
You know what, I've always wanted to be one of those people. When I was a kid, I used to obsess about being able to do that when I was older.

I could go down to the fridge, no one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.
PAUL ROBERTS
I often have cravings just before bed, but I really try and resist them. But I must say, Graham, I have never craved cheese.
GRAHAM CLULEY
A soft little one like a French brie, something hard like a cheddar.
PAUL ROBERTS
You're selling it. The way you say it, I feel like I should be eating cheese before bed.
CAROLE THERIAULT
Yeah, do you have a cheese platter in your fridge already for your 4 o'clock munchies?
GRAHAM CLULEY
With my Jacob's cream crackers at hand and my pickles.
CAROLE THERIAULT
Your chutneys.
GRAHAM CLULEY
Here's the thing. Here's the thing. Cheese is my crack cocaine. I'm not being flippant. Scientists at the University of Michigan, which is in the United States of America. They say—
Unknown
What are you being local? What?
CAROLE THERIAULT
Michigan, isn't it? Michigan.
PAUL ROBERTS
It's Michigan.
CAROLE THERIAULT
What's the Michigan?
PAUL ROBERTS
It sounds like—
CAROLE THERIAULT
Gloucestershire. That's what you just did.
PAUL ROBERTS
Not McChicken.
CAROLE THERIAULT
Yeah, not McChicken.
PAUL ROBERTS
That is something different.
GRAHAM CLULEY
Anyway, those boffins, they say that cheese triggers a part of the brain in a similar way to addictive illegal drugs. So, I thought it would be fun if we could play a little game.

I am going to give you a name, and you, you are the contestants, Paul and Carole. You have to tell me if it is a cheese or something else narcotic. Okay?

Are you ready to play the game?
CAROLE THERIAULT
I might—
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I don't know if I'm going to be good or bad?
Unknown
Cheese or wheeze?
GRAHAM CLULEY
Let's decide.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I am ready.
PAUL ROBERTS
I was born to play this game.
GRAHAM CLULEY
Stinky Bishop. Stinky Bishop.
CAROLE THERIAULT
Cheese.
GRAHAM CLULEY
Cheese. Paul.
PAUL ROBERTS
I'm gonna say that's cheese, yeah. Yeah, sure.
GRAHAM CLULEY
It is a cheese. It's also an unpleasant medical condition produced since 1972 from the milk of Gloucester cattle. Has a distinctive aroma, made famous in a Wallace and Gromit movie.

Okay, next one. Poochie love. Poochie love.
CAROLE THERIAULT
That is not cheese. I don't know what illicit is. So, I'm gonna say not cheese.
PAUL ROBERTS
I'm gonna break it. I'm gonna say that is cheese.
GRAHAM CLULEY
Well, it's a strain of marijuana. The old Mary Jane.
CAROLE THERIAULT
The jazz cigarettes.
GRAHAM CLULEY
Okay, next. Dirt lover. Dirt lover.
CAROLE THERIAULT
That's gonna be not a cheese. Not a cheese.
PAUL ROBERTS
Yeah, I'm with Carole on that.
Unknown
Yeah.
GRAHAM CLULEY
Dirt Lover comes from the Green Dirt Farm in Missouri. It is a cheese covered in a layer of vegetable ash. It's also a sexual fetish, of course. Okay, next.
Unknown
Next.
GRAHAM CLULEY
Shatner's Bassoon. Shatner's Bassoon.
CAROLE THERIAULT
That is not a cheese. Ah.
PAUL ROBERTS
I feel like there's some inside knowledge here that I lack. So I'm gonna break with custom and Carole and say that is a cheese.
CAROLE THERIAULT
I swear to God, there's none.
GRAHAM CLULEY
No, Carole is right. It's a made-up drug. Fat Bottom Girl. Fat Bottom Girl.
PAUL ROBERTS
Not a cheese.
CAROLE THERIAULT
Not cheese, I agree.
GRAHAM CLULEY
It is a cheese. Oh!
CAROLE THERIAULT
From where?
GRAHAM CLULEY
From somewhere. Goes well with red wine, apparently.
CAROLE THERIAULT
I love that you do your research.
GRAHAM CLULEY
It has flavours of almonds, butter, slightly tangy sweetness. Also a song by Queen. And finally, purple monkey balls.
CAROLE THERIAULT
Definitely a cheese. My favourite cheese.
PAUL ROBERTS
Wait, what is it again?
GRAHAM CLULEY
Purple monkey balls. You're not going to get it. It's a strain of marijuana again.
Unknown
Yeah.
PAUL ROBERTS
Yeah.
CAROLE THERIAULT
Why are you talking about marijuana all the time?
GRAHAM CLULEY
Because I've explained that cheese is my type of drug.
PAUL ROBERTS
Is marijuana legal in the UK?
GRAHAM CLULEY
Oh, no, no, no, no, no. I don't have any of that sort of nonsense.
PAUL ROBERTS
Because here in Massachusetts, it is legal.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Are you constantly high?
PAUL ROBERTS
No comment.
CAROLE THERIAULT
No comment.
GRAHAM CLULEY
Well, a blue Stilton is my crystal meth. I know it's bad for me, but it's irresistible. I would sell my kid's bike.

I'd become a rent boy if I thought I could fund my love of a stinky bishop. But some people, some people aren't like me.

Some people haven't gone as deep into vice as me, and they've contented themselves with the likes of cocaine, heroin, MDMA, horse tranquillisers, that kind of thing.
CAROLE THERIAULT
Paracetamol.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
We all have our vices.
GRAHAM CLULEY
Yeah, we've all got our vices, right? Some people go to street corners to score. I go down to Waitrose and breathe in the contents of the cheese counter.
CAROLE THERIAULT
Some people do yoga, you know.
GRAHAM CLULEY
Exactly. Everyone's got their thing, right?
PAUL ROBERTS
Cheese strikes me as a very English thing.

And it's not just from the Wallace and Gromit, but I mean, of course, here in the United States, we are defined by American cheese, which if you've ever had it, that's not cheese at all.

It's barely cheese. I mean, it's mostly noticeable for being incredibly regularly square.
Unknown
No.
GRAHAM CLULEY
Well, look, I'm going to switch from cheese now. I'm going to go to—
PAUL ROBERTS
Finally.
GRAHAM CLULEY
Hard drugs, because a chap called Carl Stewart from Liverpool has been a bit of a naughty boy. He used the name Toffee Force and was up to no good on EncroChat.

Do you guys know what EncroChat is?
CAROLE THERIAULT
No.
PAUL ROBERTS
New one to me, Graham.
GRAHAM CLULEY
EncroChat is a secure encrypted messaging service which runs on modified Android phones. It promises worry-free, secure communications.

Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone?
PAUL ROBERTS
Celebrities.
CAROLE THERIAULT
Elon Musk.
GRAHAM CLULEY
Well, it's criminals. Yes, of course.
CAROLE THERIAULT
Oh, right.
GRAHAM CLULEY
It is criminals.
CAROLE THERIAULT
Sorry, Elon.
GRAHAM CLULEY
And last year, law enforcement agents across Europe, they managed to crack into EncroChat, proving that its encryption and security weren't quite as good as people had imagined.

And apparently it had over 60,000 users worldwide, 10,000 in the UK. And everyone thought they were safe with it, right?

They thought, I've got this special phone, I've bought it from this French company, EncroChat, and if the cops ever come knocking on my door, all I have to do is enter a 4-digit PIN onto the phone and it wipes automatically all the data from the phone.
CAROLE THERIAULT
So that was their sales point? Was that their sales pitch?
GRAHAM CLULEY
The pitch was really, these are totally secure communications.
CAROLE THERIAULT
We don't save anything, you can delete everything from your phone, no one can find it, bish bash bosh. Okay.
PAUL ROBERTS
So it wasn't just the app, it was the phone hardware itself.
GRAHAM CLULEY
It's a modified version of Android, that's right. Special phones. And this has been quite a big deal. They've arrested lots of people having cracked into EncroChat.

And they had this chap, Carl Stewart, who they suspected was supplying large amounts of Class A and Class B drugs under the name Toffee Force. How could they prove this?

Well, it turned out that this chap Toffee Force was a lover of Stilton cheese.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Not just any Stilton cheese, but the kind of mature blue Stilton cheese you buy at Marks & Spencer.
CAROLE THERIAULT
Which is all right. It's not the best or anything.
GRAHAM CLULEY
Well, according to that—
CAROLE THERIAULT
I'm a cheese nut. No.
GRAHAM CLULEY
Well, according to the packaging, it says delicately rich and creamy. And he, I mean, he was from Liverpool. He wasn't gonna have some glamorous exotic cheese.
CAROLE THERIAULT
He probably watched the Marks & Spencer ad. You know, it's a woman who'd go, this is not just any cheese. This is a Marks & Spencer's, blah, blah, blah.
GRAHAM CLULEY
Okay, maybe for the—
PAUL ROBERTS
I think it's not the moment.
GRAHAM CLULEY
Maybe for our benefit.
PAUL ROBERTS
Could you describe what a Stilton cheese tastes like? Because it might add a little bit to that.
GRAHAM CLULEY
Ah, yes. So Stilton cheese tastes a bit like— you know when you've been wearing socks for about 6 weeks nonstop? And you have some kind of fungal infection.
CAROLE THERIAULT
But delicious socks, not gross socks.
GRAHAM CLULEY
Yes. And you've maybe been walking around in some damp fields.
CAROLE THERIAULT
Nice fields. Beautiful fields.
PAUL ROBERTS
With flowers, just in your socks, just no shoes, just walking in the socks on the ground. Yeah.
CAROLE THERIAULT
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
GRAHAM CLULEY
Then you put them in the airing cupboard or the microwave for about— for a few minutes, and it's always very— oh my goodness, it's quite—
CAROLE THERIAULT
It's freaking delicious.
GRAHAM CLULEY
It is delicious.
CAROLE THERIAULT
Really good Stilton is like a cream because it's so— anyway, it's delicious. If you like blue cheese and you haven't had it, yeah, do it.
GRAHAM CLULEY
It's good.
PAUL ROBERTS
It's good. Okay, it sounds like a full-body experience.
CAROLE THERIAULT
You want it in a jar. That's all I'm saying. Not in a packet. In a jar. That's when it's scraped off the socks.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
It will try and infect everything else with the smell.
CAROLE THERIAULT
Yeah, your whole fridge.
GRAHAM CLULEY
It's not as bad a smell as a— is it a durian fruit, Carole?
CAROLE THERIAULT
Durian, yeah.
PAUL ROBERTS
Yes, which I've never smelled, although I have seen film of people smelling it and tasting it. I've heard it is quite decent.
GRAHAM CLULEY
I had a friend once.
Unknown
Yeah.
GRAHAM CLULEY
Who will remain nameless, who tricked me into eating a chocolate without telling me it contained durian fruit.
CAROLE THERIAULT
It's like, I came down and I was like, it's the most delicious chocolate ever. Oh my God. Oh my God.
PAUL ROBERTS
Here's one.
CAROLE THERIAULT
Gotta have it. Oh my God. It's so good. Oh my God. Graham, try it. And he just shoved it right in his face. And I just watched.
GRAHAM CLULEY
The durian fruit tastes a bit like sewage, doesn't it?
CAROLE THERIAULT
I don't know. I didn't try it.
GRAHAM CLULEY
I can tell you it does.
PAUL ROBERTS
What is the thing with durian fruit? Why are people— it's like a delicacy, particularly in Asia, I hear.
CAROLE THERIAULT
It's a delicious— I think it's a delicious texture and delicious taste, but a horrible smell if raw and improperly prepared.
GRAHAM CLULEY
I think you're not allowed to transport it on passenger airlines. Is that right?
PAUL ROBERTS
Yes, it's too smelly. What did that chocolate taste like, Graham?
GRAHAM CLULEY
I can't remember the chocolate part of it.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Anyway, back to Stilton cheese, which is nothing like durian fruit. It is a delicacy, but quite pungent. Anyway, so this chap, right? This chap called Stewart, Toffee Force.

What he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand while standing in the aisle of Marks & Spencer.

And from that picture, just of his hand holding the cheese, the police were able to identify him.
CAROLE THERIAULT
Oh my— Did they magnify his fingerprints?
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Shut up!
CAROLE THERIAULT
Shut up! CSI!
PAUL ROBERTS
See, I would have thought they went back and looked at surveillance film and found the guy holding a cheese and his cell phone up.
GRAHAM CLULEY
That could have been me. That could have been me holding the cheese.
CAROLE THERIAULT
At 4 AM in the morning.
PAUL ROBERTS
That might happen hundreds of times a day in the UK, though.
GRAHAM CLULEY
So the Met Police now, they've arrested more than 60 people, many of whom have been charged with serious drug trafficking or firearms offences.

Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and 6 months in the clink.
CAROLE THERIAULT
I can't remember what he did now. All I remember is he liked cheese.
GRAHAM CLULEY
He was trafficking— He was trafficking in horse tranquilisers and heroin.
PAUL ROBERTS
And so he obviously had had a record and had prints on file with law enforcement prior to this, I guess.
GRAHAM CLULEY
Well, they'd already arrested him, so maybe they took his prints then and matched them to the ones in the evidence.
Unknown
Right.
PAUL ROBERTS
There we go.
GRAHAM CLULEY
That is a level of detail which I would expect a serious reporter like those at the Security Ledger to investigate rather than me.
CAROLE THERIAULT
Yeah, don't leave it to Graham.
GRAHAM CLULEY
Paul, what have you got for us this week? What are you here to talk about this week?
PAUL ROBERTS
Well, I'm here to talk about the right to repair.
GRAHAM CLULEY
What is a right to repair?
PAUL ROBERTS
Okay, so a right to repair is basically what it sounds like. It is a legal right, in other words, written into law, that gives you as the owner of a thing the right to repair it.

And usually what that means practically, because you'd be like, well, I can repair it.

But these days, increasingly, because everything we use basically has software on it, and also these days digital locks, right? Like DRM, digital rights management software.

Owners need more than just the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it.

If there's a part, a component on a circuit board that has burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair.

And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who get access to these tools and parts and information, then you also need to make that available to your customers, the people who own the device and basically their agents, people they might hire to do a repair.

So independent repair shops.
CAROLE THERIAULT
Hallelujah. Right. Because I honestly, it— okay. I'm sorry. I'm already on your side. Sorry, listeners, I didn't keep the tension up, but okay, carry on. I'll get on my soapbox later.
PAUL ROBERTS
So this is a really important thing, and it is something that is a little bit esoteric.

I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia, and really has a lot of people paying attention to it.

And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, "You know what?

This is not fair," or, "This is inconvenient for me," or, "This is costing me money needlessly." I want to do a repair myself.
CAROLE THERIAULT
Could I give you a situation and you could tell me how the right to repair movement might suggest I would go about it?
PAUL ROBERTS
Yes.
CAROLE THERIAULT
It happened to a friend, definitely not me.
Unknown
Okay.
CAROLE THERIAULT
But I was on my laptop, right? With a glass of very, very nice whiskey. And then my husband asked me a question and I used my hand to communicate, which I do often.
PAUL ROBERTS
F off.
CAROLE THERIAULT
Or I love you, probably.

And I spilled all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea, but it's not been working really well.

So in that situation, are you saying that that would be something I could say, look, you have to help me try and fix this?
PAUL ROBERTS
So the problem would be this, which would be you did something really common, which is spilled a liquid into your laptop keyboard.

And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly.
CAROLE THERIAULT
Moisture. Right. Yeah.
PAUL ROBERTS
Maybe there were some short circuits of components on the motherboard on the computer as the liquid seeped in.
GRAHAM CLULEY
And all the rice that's now stuck to it as well.
PAUL ROBERTS
Who knows what the rice did. So basically you want to fix your laptop and right to repair is really about what are your options as a consumer for getting that laptop fixed.
CAROLE THERIAULT
Right.
PAUL ROBERTS
And there are generally, in most things in life, there should be three, which is the manufacturer might offer to repair it or have one of their authorized or licensed repair people do it.

You can try to repair it yourself if you're technically inclined, and many people are, or you could hire an independent, in other words, non-authorized repair shop to do it.

And generally, it's your automobile, right? Your car.

If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive.

If you bring it to the corner repair shop, same thing, they'll be able to fix it, maybe slightly less expensive.

Maybe they won't use the manufacturer's OEM parts, but you'll save money.

And obviously if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market.

The way it works for many devices these days, including your MacBook, you need parts and access to information.

So the reality for many consumers today who are in your situation is they take their MacBook to the Apple Store, to the Genius Bar, and they say, mm, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage.

We don't do repairs on this. We suggest that you buy a new MacBook.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Yeah, I'm waiting to meet a real genius at the Genius Bar, honestly, 'cause I've been there a lot looking for them.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
'Cause, you know, I smart people.
PAUL ROBERTS
And when they say that, it does not mean that that is an unrepairable laptop. It just means it's a repair that the Genius Bar does not do because Apple does not allow them to do it.

Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that would require.
CAROLE THERIAULT
Right.
PAUL ROBERTS
Okay. So they would basically say, why don't you just buy a new laptop? And most people would be like, okay, I'll buy a new laptop. It costs you thousands of dollars.

It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth.

But that's the way that system's set up.

The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage.

But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, okay, Carole spilled whiskey into her laptop.

What components actually burned out?
CAROLE THERIAULT
Do I have a vacuum anywhere?
PAUL ROBERTS
What components burned out? What do we need to replace on this? What is broken exactly? And you need software to tell that to you. And Apple has a whole bunch of tools.

Tools that they don't make available to non-authorized repair people. They also don't make the parts available.

So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are.

And they don't give you access to the parts.
CAROLE THERIAULT
I'm such an Apple fangirl. I'm really feeling this right now.
PAUL ROBERTS
It isn't just Apple. So this is in one way or another, it's many device makers, though not all.

Companies like Dell and Hewlett-Packard make parts, diagnostic tools and schematics available.
CAROLE THERIAULT
They sell you ink services, like £50 a month or something.
PAUL ROBERTS
There are major computer manufacturers who are very pro-repair and have a healthy ecosystem of parts that you can buy inexpensively and access to tools and so on.
GRAHAM CLULEY
So what's the argument that these companies who aren't sort of making it easier to repair things, what's their argument for doing this?
PAUL ROBERTS
They're variations on the same argument that the car dealership would make to you to discourage you from ever going to the corner repair shop, right?

Which is our parts are superior to their parts. Their parts are going to break or cause you to get in an accident.

Our mechanics are PhDs walking around in lab coats and their repair people are grease monkeys without high school diplomas.

You know, we care about the safety and privacy of your data and those other people are probably criminals who will steal it and sell it.

So it's a bunch of kind of misleading and untrue qualitative statements about the superiority of authorized repair, but there's no data to back up any of those claims, but they make them anyway.
GRAHAM CLULEY
And what do you suspect are the real reasons why they're not doing this?
PAUL ROBERTS
So a couple things, and it depends on the company.

In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple.

You know, they make money off the Genius Bar, certainly.

However, I actually think that that's less of an issue for them than the fact that they really want to try and create a situation where the lifecycle of their phones, particularly, and iPads is as low as possible.

They want you to get a new phone every 2 to 3 years.

And if there are robust repair options that let you extend the life of your phone to 5, 7, 10 years, that has a major impact on Apple's revenue models.

For other companies, and I've written a lot about John Deere, a major US agricultural equipment maker, it seems clear that the monopoly on the aftermarket parts and service is the point.
CAROLE THERIAULT
Yeah, that's where you make your money.
PAUL ROBERTS
That's where they're making their money.

And service revenue as a percentage of their overall revenue has skyrocketed in the last 10 or 12, 15 years as they've been able to basically lock out independent repair and owners from being able to work on their own stuff.
CAROLE THERIAULT
Fun topic, Paul.
PAUL ROBERTS
Sorry.
CAROLE THERIAULT
No, no, it's an important topic. I was just kidding. I was just trying to make a little levity there.
PAUL ROBERTS
Yeah, I mean, let me tell you why I think this is really important.

Okay, so first of all, let me tell you, do you want the, this is a cybersecurity podcast, so here's the link to cybersecurity.
GRAHAM CLULEY
Right, yes. 'Cause I had plenty in my story, let me point that out.
PAUL ROBERTS
You did, yours was all cybersecurity.
GRAHAM CLULEY
Yes.
PAUL ROBERTS
Okay, so I got involved in this because I started going to fix-it clinics in and around Boston where you go and just get stuff repaired by people in your community. It's great.

Before COVID they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the Right to Repair program at US PIRG, the Public Interest Research Group.

And he was talking about the efforts to get this law passed in some of the states in the United States.

And he was saying that one of the big arguments against, one of the things that sends lawmakers screaming is cybersecurity.

That vendors, OEMs can come in and say, hackers, hacking, data theft, and people kind of run screaming.

And I knew enough to know that those arguments were almost certainly not accurate, that there wasn't really a cyber risk in repair and the types of things these laws were asking about that devices get hacked because of other problems.

Right? You know, poor configuration, vulnerable software, you name it.

And so I started this group Secure Repairs to basically say, listen, as a security community, we should speak with one voice on this and we should speak the truth about where security risks are with connected devices and where they aren't.

And we should use our influence to sort of try and bend this policy discussion in the right direction. And the right direction being the one based on facts and not fear.
CAROLE THERIAULT
Do you know what though?

If I made a cell phone and the world decided, oh my God, I need to have that, and everyone bought it, yes, I would be an absolute control freak about everything about it.
GRAHAM CLULEY
Because, oh, you're not suggesting Apple are control freaks, are you? That doesn't sound like them at all.
CAROLE THERIAULT
All I'm saying is I get it, right? Because I understand what you're saying 100%. It makes 100% sense. I agree. I agree. Ethically, morally, I agree.
PAUL ROBERTS
Yes.
CAROLE THERIAULT
But I also can recognize in me, were I the successful creator of this tiny anything that I didn't, and I thought I was so smart and no one else could possibly do as good a job as my people could, which I would, because that's the type of person I am.

I would be exactly the same and it would suck. And I would need people like you on my case.
PAUL ROBERTS
If you have a business, why would you not want a monopoly on whatever it is that you do?
CAROLE THERIAULT
Exactly.
PAUL ROBERTS
Right? Who would not want that?
CAROLE THERIAULT
What do you use, Paul?
PAUL ROBERTS
I have an Apple iPhone. It's an older model.
GRAHAM CLULEY
That's why he's hot on all this. He's peeved about every time he has to go to the Genius Bar. They won't blink and fix it. They won't replace his battery.
PAUL ROBERTS
Right.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Cluley, do you remember Yik Yak?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Can you tell our lovely listeners what about our plans on Yik Yak?
GRAHAM CLULEY
Well, many years ago, it's probably about 20 years ago.
CAROLE THERIAULT
20? I thought I put 15 in my notes.
GRAHAM CLULEY
But anyway, Carole, you, I, and our two lovely Croatian friends, we ganged up together to take on the world and create a social networking dating website thing that was going to make us a fortune.

And we called it Yik Yak.
CAROLE THERIAULT
Yep. And we bought the domains.
Unknown
Yes.
CAROLE THERIAULT
And I remember we had one meeting where we were kind of like, okay, how are we gonna parse people's choosing, right?

Like, we were making up this algorithm for ourselves, like hair color, height, right?
PAUL ROBERTS
People care about that.
CAROLE THERIAULT
And we had a meeting about discussing all this stuff. But did you ever think about whether people would just use it for hookup versus serious relationship?

Did that ever occur to you?
GRAHAM CLULEY
It never occurred to me at all that people might want to have sex. No, that's not a thought which ever crosses my mind.
CAROLE THERIAULT
Well, if we were around today, single, free and easy— Paul, you're not single and free right now, right?
PAUL ROBERTS
God, no.
CAROLE THERIAULT
Yeah, we're all married. So if we were single, we would probably be using dating apps to meet people. And the thing is, apparently the pandemic has changed online dating.

There's a shift. So it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right?

The BBC suggested that some of the changes might be here to stay even as life returns to normal, because of course this all has to do with the pandemic.

So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps.
GRAHAM CLULEY
God, how awful would that be?
CAROLE THERIAULT
I love it.
PAUL ROBERTS
I'm kind of surprised that people weren't doing that before. Are you really gonna go out and meet somebody randomly in meat space?
CAROLE THERIAULT
And someone says, once the first lockdown ended, I still preferred initially getting to know people in the virtual world before we went for drinks.

I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well.
GRAHAM CLULEY
Okay, all right.
CAROLE THERIAULT
Right, 'cause you're screening. You kind of meet someone, you're like, okay, I don't like you, but you don't have to schlep back home.
PAUL ROBERTS
Is there chemistry over Zoom though? I mean, is that a thing? Can you have chemistry with somebody over a Zoom connection?
GRAHAM CLULEY
They wouldn't be able to smell my pheromones.
CAROLE THERIAULT
I'm going to call my husband tonight. I'm going to say, go upstairs to your office. I'll call him on Zoom and I'll see if there's more flirtiness.
GRAHAM CLULEY
Oh, we know what he's like. He's very flirty.
PAUL ROBERTS
Oh, look, he fell asleep watching TV again.
CAROLE THERIAULT
Exactly. That's normally me, actually. Okay. Before the pandemic, though, apparently many couples still met at school, mutual friends, family, church, bars, whatever. Whatever, right?

But then pandemic happened.

And this is confirmed by people like Match Group, you know, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Hinge, as some of us like to call it.

They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down.

So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.
GRAHAM CLULEY
Of course, they can't go meet people. Of course, yes, of course it's slowing down because you can't go out.
CAROLE THERIAULT
Exactly. So I'm thinking, I'm thinking, who's winning in this, right? Because there are some apps out there that are geared to more serious relationships than just the bone-in type.
GRAHAM CLULEY
Sorry, what did you say?
PAUL ROBERTS
I'm crying.
GRAHAM CLULEY
Like a bone-in radio show? What's—
CAROLE THERIAULT
Then the more one-night stands.
PAUL ROBERTS
Z-E-Z-O-N-1-N?
CAROLE THERIAULT
I wouldn't know, Paul, come on. So serious relationship websites like the Japanese Omiyae. I know I'm saying it wrong, fuck. So I even got my husband to teach me.
GRAHAM CLULEY
Sorry, is it spelled that?
PAUL ROBERTS
Or is it like Omiya Gladden or something?
GRAHAM CLULEY
What is that?
CAROLE THERIAULT
Oh no, I've got the giggles now. This is really bad. O-M-I-A. That doesn't sound—
GRAHAM CLULEY
O-M-I-A.
CAROLE THERIAULT
Okay.
PAUL ROBERTS
How do you spell it?
CAROLE THERIAULT
How do you spell it? I have the giggles. I can't stop now. O-M-I.
GRAHAM CLULEY
Is that it? O-M-I? If so, you're definitely pronouncing it incorrectly.
CAROLE THERIAULT
No. O-M-I-A-I.
GRAHAM CLULEY
Oh, O-M-I-A.
PAUL ROBERTS
O-M-I. O-M-I. OMIA.
GRAHAM CLULEY
Catchy name. They're not listening anyway, Carole, so don't worry, they're not listening.
CAROLE THERIAULT
But anyway, all I can tell you is the name connotes traditional matchmaking systems, okay, that have been going on for centuries. So the name means like look meet or look love.

There's a play on words there somewhere in the OMIA.

As someone described it in an app review, saying the search function is very detailed, allows you to specify preferences in various fields including nationality, education, income, and body type.

So in Japan, that seems to be the 4 things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay.

It focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term fling.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
5 to 7 million people have used this and they claim they facilitate more than 50 million successful matches so far. Like, what's a successful match?
GRAHAM CLULEY
How do they know that?
CAROLE THERIAULT
Yeah, exactly. What, 3 months, 6 months, a marriage?
GRAHAM CLULEY
Do people go back to the app and say, "Yep, that one worked," or "I snookered her," or whatever?
CAROLE THERIAULT
And then they get a £10 voucher?
GRAHAM CLULEY
No. Yeah.
PAUL ROBERTS
I like the way that they're sort of like, "Well, we're different 'cause we're trying to get people to have long-term relationships." And it's like, how much— is that really a new concept?

I don't think it is.
CAROLE THERIAULT
Yeah, hey, it's all rebranding, dude.
PAUL ROBERTS
There are really two flavors in the dating app world, which is hookups and people who want to have relationships. Those are basically the two choices.
CAROLE THERIAULT
That is, yeah. So anyway, the reason I'm talking about it is they got hacked.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
2 million users most likely exposed. Okay, now they announced this on a Friday. Weren't we talking about that earlier? The Friday announcements, right?

So they did this and they said that the personal data of 1.71 million users was likely to have leaked due to unauthorized access to its servers.
GRAHAM CLULEY
Oh dear.
CAROLE THERIAULT
Okay, so number one, the first thing to know is Bloomberg said the value of Omiai's shares fell almost 20%.

Okay, and that is the biggest drop that company ever saw since it got listed in 2017, and they're valued around $70 million. So a big chunk of change.

The parent company notified the public of the breaches, and they've put together this document which I want us to look at in a second.

But basically apparently the still unknown hackers have made away with usernames, photographs, as well as data from ID cards, driver's licenses, and passports, all of which were mandatory during the registration.

And this was all for their security messaging, which we'll get to in a second.
GRAHAM CLULEY
Oh, so they asked for all this really detailed personal information and scans of things like ID cards and passports? Passports?
CAROLE THERIAULT
To make sure that they could say, we know who you— we're validating the people.
GRAHAM CLULEY
No mischief makers. I can't create an account, call myself Gloria something or other.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
And right, unless I have Gloria's passport, right?
CAROLE THERIAULT
They've put a statement, and Paul, I'm particularly interested in your point of view here, both as a journalist and someone who lives in the States, right?

And has probably read millions of these.

You may have to do a little quick Google Translate depending on how good your Japanese is, 'cause I don't think I can send it to you in English.
PAUL ROBERTS
My Japanese is excellent.
CAROLE THERIAULT
Okay, well good, I hope you read that in real time. So.
PAUL ROBERTS
By which I mean, Chrome did it for me.
CAROLE THERIAULT
Fantastic, okay, so this is their apology and notice regarding member information leakage due to unauthorized access. Okay, right off the bat, I'm thinking that is not from the US.

From a liability standpoint, right?
PAUL ROBERTS
Yes.
CAROLE THERIAULT
From a liability standpoint, right?
PAUL ROBERTS
Yeah, that is true, yeah, yeah, yeah.
GRAHAM CLULEY
Yeah, but I have seen press conferences before from Japanese companies after they've been hacked where the board actually go on television and do a very deep bow of apology.
CAROLE THERIAULT
I think we should adopt it.
PAUL ROBERTS
Yeah, I'd love that. I'm so with you.
CAROLE THERIAULT
So second paragraph, the "we deeply apologize for any inconvenience caused to our members and all concerned."

So inconvenience, I think, is a little bit of a light word considering somehow my passport number has gotten snarfed along with all my other personal ID.

But they say at this time they're searching the web and they're saying they're not looking. Let's see, that's a really hard statement to make, right?

Like, we haven't seen it be used, therefore it's not happening yet because maybe we're not looking in the right places, you know? I don't know.
GRAHAM CLULEY
So they're searching the web for exposed members, is that what you're saying?
CAROLE THERIAULT
Yeah. Are they? Are they? Are they?
GRAHAM CLULEY
Thank you, Paul. Glad you got it.
CAROLE THERIAULT
Oh, were you being dirty?
GRAHAM CLULEY
Yes, I was.
CAROLE THERIAULT
Oh, I don't get that.
GRAHAM CLULEY
I'm like totally not into that sort of thing. Don't worry, it's good that you don't. Go and get it, girl.
PAUL ROBERTS
And they're getting a lot of hits too.
CAROLE THERIAULT
We're just gonna crack on. We're cracking on, we're cracking on.

So they— but like health insurance cards, passport numbers, they have this also, this ID number Japan, the numbers, car driver's license.
PAUL ROBERTS
Yeah.
CAROLE THERIAULT
So, and it says of these, about 60%, which is the majority of the total— thank you— is occupied by driver license image data. So they also have your phishing. But they—
PAUL ROBERTS
That's great. That's—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And then they say, don't worry though, because we outsource our financial stuff, so no one got a hold of the credit card info.
PAUL ROBERTS
Yeah, well, phew. It's like, look, you can always cancel a credit card. I mean, that's not a big deal. But, you know, you can't— you can't unsee that driver's license or passport.

I like the deep bow thing as well, and I would love to see Western companies do that because I think it's both deserved and would be a really welcome change from the sort of legalistic, "Regarding the incident that occurred last week regarding our members." If you were offended, we're—
GRAHAM CLULEY
Yeah.
PAUL ROBERTS
On the other hand, they do engage in what I think you guys would recognize some pretty common breach hand waving.

"We have no reason to believe that any of the stolen information has been used." It's like, "We have no reason to believe that the $600 they took from your bedside drawer has been spent." Well, I think it will be spent.

I think that's actually why they took it.
CAROLE THERIAULT
And check this out. So on the site, women can join for free while men have to pay about $40 a month in order for—
GRAHAM CLULEY
Sexist.
CAROLE THERIAULT
In order to use the services. Yet both parties seem to have lost their data, so.
PAUL ROBERTS
Yes.
CAROLE THERIAULT
Right? So I guess there's equality there. Now on their website, you see I give you the link there in the cast.
GRAHAM CLULEY
Oh, I'm on their homepage right now. Omiai, they've got— they've underlined the eye bit at the end.
CAROLE THERIAULT
But if you, if you scroll down, that they actually advertise their reasons for being safe and secure, right?

They say basically there, we make various efforts so that users who want to have a serious relationship can use it safely and securely.

So we only display nicknames, only the people that have passed the age confirmation, which we have, you know, checked through every single.

Only people who've uploaded their passport will be allowed onto the site.
PAUL ROBERTS
They're saying, you know, let me say, my first off-the-top-of-my-head impression of this site is that I am too old to use it, right?

And you know what, that when I look at these faces, they all look young.
CAROLE THERIAULT
In the security section, they have this note, okay, there's a starred bit, it says the use is limited to singles and is prohibited for those who have a lover.
GRAHAM CLULEY
Don't get greedy. Don't get greedy.
Unknown
That's right.
PAUL ROBERTS
That's right.
CAROLE THERIAULT
Lovers are not welcome.
GRAHAM CLULEY
If you are looking for an affair, then go to ashleymadison.com.
PAUL ROBERTS
That's true.
GRAHAM CLULEY
Be as careful with your data.
PAUL ROBERTS
That's right.
CAROLE THERIAULT
But they're just looking for one-night stands. That was hookup material. That wasn't love. That was an eHarmony. Isn't that the love one? eHarmony?
PAUL ROBERTS
Yes. eHarmony is the algorithmic love company.
CAROLE THERIAULT
Is it?
PAUL ROBERTS
One of the things that I think is interesting is the cost of collecting and retaining this data.

You applaud them for their sincere efforts to verify the actual identity of all their applicants, but you wonder, having verified that identity, why are you holding onto this data?

Because it's like the 30,000-gallon tank of spent diesel fuel in the back of your lot. If it just sits there long enough, something bad's gonna happen.
GRAHAM CLULEY
Or the crate of mature Stilton, which I have in my living room.
PAUL ROBERTS
Or the crate of mature Stilton. Right.
Unknown
It—
PAUL ROBERTS
There is a risk to holding onto it. And the risk is that it's going to leak. And I wouldn't want to know what that crate of Stilton would look like if it were to leak.

But I'm guessing it would be an ugly scene.
CAROLE THERIAULT
Delicious.
PAUL ROBERTS
An ugly and smelly scene.
CAROLE THERIAULT
I'd eat it. Yummy. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. An artist.

In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised.

Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions.

And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform.

See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest.

Think of KnowBe4 for your security training.
GRAHAM CLULEY
The perfect solution for companies of all sizes, 1Password is quick to deploy, simple to manage and fits seamlessly into your team's workflow, so you can secure your business without compromising productivity.

All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices.

See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised, so you can update passwords right away.

Find out more and try 1Password for free for 14 days at 1password.com.
CAROLE THERIAULT
According to the OneLogin I Am OK mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.

In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.

And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.

Smashing Security listeners are invited to attend their live event on Wednesday, May 26th, for free. It's called Keeping the Mind Clear and the Company Secure.

Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show.
GRAHAM CLULEY
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
PAUL ROBERTS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related.

I have, over the last few days, watched a TV program on the old television, in fact, on BBC iPlayer, and it is an adaptation of a book by Nancy Mitford called The Pursuit of Love.
CAROLE THERIAULT
Are you freaking kidding me?
GRAHAM CLULEY
No, I am not. Why, have you chosen that as well?
CAROLE THERIAULT
No, but, you know, I'm surprised you're— Is this a book you're doing?
GRAHAM CLULEY
No, I'm not doing a book. I'm doing the TV version.
CAROLE THERIAULT
Oh, right, okay.
CAROLE THERIAULT
I was just gonna say, 'cause it's a beautiful book, listeners. Anyone who likes to read. I just didn't believe you were reading a book like that.
GRAHAM CLULEY
No, I have not.
CAROLE THERIAULT
But if you'd like it, it's good.
GRAHAM CLULEY
Kroll? I've seen the TV version.
CAROLE THERIAULT
Oh, right. Who needs the book?
GRAHAM CLULEY
And I really, really liked it because it was funny and crazy. And I'll tell you some of the people who star in it. We got Lily James, Dominic West, Andrew Scott, who was Moriarty.

He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters.

And Emily Mortimer, the actress, also directs, and she wrote the adaptation as well of The Pursuit of Love. And it's really very entertaining.

I wasn't quite sure what to expect when I started it, but I thought, oh, this is a lot of fun, and I greatly enjoyed it.

And I was reading an interview with Emily Mortimer where she said it was partly based, or at least inspired by, that Marie Antoinette movie from a few years ago, which had modern bits and period bits, but modern music and all the rest of it.

It's cut very well.
CAROLE THERIAULT
What's this play? Where did you see this?
GRAHAM CLULEY
On the BBC website.
CAROLE THERIAULT
Oh, on the BBC.
GRAHAM CLULEY
Yes, on the BBC. On the BBC, darling. Yes, on the BBC.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
Anyway, so my recommendation, my pick of the week this week is The Pursuit of Love on BBC iPlayer. I think you'll rather enjoy it. Paul, what's your pick of the week?
PAUL ROBERTS
I have, you know, I feel like the dinner guest who you invite and, you know, he just ends up talking about environmental pollution or crime or something and just brings the whole party down.
CAROLE THERIAULT
Fun, so fun.
PAUL ROBERTS
I have a cybersecurity story that I grabbed from MIT Technology Review called Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms.

And it's by Renee Dudley and Daniel Golden. This is one of those stories that I didn't write, but I kind of wish I wrote.

First of all, it profiled the work of this group called the Ransomware Hunting Team that is a volunteer group that helps ransomware victims get free of the ransomware and kind of works behind the scenes.

Really interesting looking at that.

It's also interesting because it talks a little bit about some of the ethical quandaries that cybersecurity firms face when they look to both call attention to their wares and their technical expertise, but also in the process might actually do a favor for some of the cyber criminal groups that they are actually working against.
GRAHAM CLULEY
So in this case, a bit of a tip-off.
PAUL ROBERTS
In this case, a cybersecurity firm developed a decryptor for some ransomware used by the DarkSide group and basically blasted out to the world that they had a decryptor and that DarkSide's ransomware was reusing RSA keys.

And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did, and then thanked the cybersecurity firm for tipping them off.

So there was a big discussion in this article just about that dynamic. What is the moral responsibility of cybersecurity companies? And is there a right way to do this?
GRAHAM CLULEY
So I read this article. It's an interesting security article. Yeah, I'm afraid it is.
PAUL ROBERTS
I'm really sorry.
GRAHAM CLULEY
But that's all right.
PAUL ROBERTS
Will you ever forgive me?
CAROLE THERIAULT
No.
GRAHAM CLULEY
But basically, I was thinking you're kind of damned either way, aren't you?

Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption.
PAUL ROBERTS
Yes.
GRAHAM CLULEY
You know, I have some sympathy with the security firm.
PAUL ROBERTS
Yes. This gets in. I mean, there are often issues that come up.

You know, did Franklin Roosevelt know about Pearl Harbor but didn't do anything because he knew that then the US would be able to get into the— I mean, these type of ethical quandaries come up all the time.

And in the cybersecurity ransomware world, they come up all the time as well.

The big problem that this article raised, and this is a sort of structural problem, is that the traditional people we look to to address these problems, like the FBI or Scotland Yard, are way behind even volunteer groups like this ransomware hunting team in actually being able to intercede and help companies.

I wrote an article for Security Ledger years ago, in 2014, based on a presentation I had seen in Boston by the head of the Boston FBI, where he basically told an audience, if you get infected with ransomware, just pay the ransom because we can't help you.

The encryption's too good. We don't have the technical expertise to decrypt this stuff. So just pay the ransom. We can't spin straw into gold.

We don't have the ability to do this— behind the bad guys in terms of our technical expertise and our ability to fight back.
GRAHAM CLULEY
So this article is your pick of the week this week. And if people want to hear more about the arguments back and forth, they can go and check it out.

Carole, what's your pick of the week, brackets, not security related, close brackets.
CAROLE THERIAULT
It's very, very not security related. And my pick of the week is not an audio drama, but it's an app.
Unknown
Marvelous.
CAROLE THERIAULT
Okay, to help you take better pictures.

Well, if you used to take pictures with an old camera and you miss the flexibility of that, but you don't really want to carry around a DSLR all the time. And it's called Obscura.

Basically, Apple has a very good native app, but it's highly automated, right?

And to some people that might be used to taking pictures with old cameras, it can feel a bit like a digital straitjacket because you don't have any manual control over the images.

I mean, it's been getting better. I'm not saying it's the worst, but I'm just saying for a— However, you can get Obscura, which I really like.

You get full control over the key camera settings. The UI is very nice, easy to kind of intuit and clear, speedy, and it's got great haptic feedback.

And it also can read different picture formats. So JPEGs, but also the Apple HEIC and the RAWs and all those things. And it works in landscape portrait and has loads of filters.

Filters, which I haven't, I'm not really into filters, but if you are into that, there's tons of them. And it's just a really cool app. And I think well worth the money.

So if you're into—
GRAHAM CLULEY
Are you now using this as your default camera app?
CAROLE THERIAULT
I'm learning. I have to get the memory muscle to work, right? Because I keep kind of going, oh, that's amazing. And then I take it and I'm like, oh God, why can't I get?

And I'm like, no, no, just go to the other app and then fix the exposure and I'll get a much better pic. So it's worth it. So the app is called Obscura and it's my pick of the week.
GRAHAM CLULEY
Oh, bless. Now, Carole, you've been speaking to Javvad Malik from KnowBe4 this week.
CAROLE THERIAULT
Yes, we had a very amazing chat, and what a great guest. So take a listen. This is Javvad.

All right, we're here with someone who has actually been a guest host on Smashing Security before. That's Javvad Malik. He is a security awareness advocate at KnowBe4.

Welcome, Javvad.
Unknown
Thank you so much, Carole. Thank you for having me.
CAROLE THERIAULT
You are sitting now in the throne. This is like the featured interview, so we're kind of celebrating you and KnowBe4 in this.
Unknown
I know, I feel very honored and, you know, I could get used to this. This throne is quite comfortable.
CAROLE THERIAULT
Javvad, you do a lot of things.

So on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast, you're a popular vlogger and blogger, you do events, you're basically an all-round security pundit.

Would that be fair?
Unknown
Yes, that's right. When I try to sound cool, I say I'm— think of like The Rock, who's multi-talented in every facet, like wrestling, movies, business ventures.

That's what I aspire to be in the security world.
CAROLE THERIAULT
I don't think you need to aspire. I think you've already reached many of those dizzying—
Unknown
Oh, you're very kind.
CAROLE THERIAULT
Well, look, now we are here to talk about KnowBe4.

So can you tell us a little bit about the company and what KnowBe4 does?
Unknown
So KnowBe4 is focused on the human.

You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff.

And majority of times we're focusing on the technical layers, which are very important. But what KnowBe4 focuses exclusively on is the human layer within that.

So people, they make mistakes and/or they can be fooled. And criminals, they, you know, if breaking into an organization technically directly is quite difficult these days.

So a favored technique is to just go after the user.

So whether that be a phishing email, or sending them a USB drive to plug in, or phoning them up and pretending to be someone and getting them to do something that's not in their best interest.

That is the preferred method by which a lot of criminals break into organizations.

I mean, even if you look at a lot of these threat intelligence reports that track nation-states or organized criminal gangs, the majority of the time, point of entry is through phishing emails.

So what we do at KnowBe4 is we help try to strengthen the humans.

We give them security awareness and training, help them practice in a safe environment by sending them simulated phishing emails.

And then there's a whole ton of awareness content on the back of it in the form of videos and games and all the other material like posters and what have you, just to help people, you know, just remember what's important and what to do if they suspect anything to be a bit malicious.
CAROLE THERIAULT
Maybe you can tell us about it from the point of view of someone who might be interested in running these phishing simulations. They come across your name, how does it work?
Unknown
Product is really self-service. It's highly automated. So if you're a customer or even if not, you can sign up to a free phishing test on our website.

You go to knowbe4.com/freetest and you can sign up there. And what you'll see is that there's thousands of templates there. And these are in different languages.

They're bundled into different categories. So if you want, hey, let's do social media type one.

So you can say, okay, let's send our users a LinkedIn phishing template because that's quite a popular one in the work area.

You can tailor it to be, you know, more specific or more generic. And, you know, it goes off to all the users that you specify.

And the great thing about the platform is that it can randomize the time it sends them out.

So it's not like everyone in the office gets the exact same template at the exact same time, because you then get the meerkat kind of response where one person gets it, he looks up, and they look around and say, "Hey, has anyone else got this?" And everyone's "Yes, we got this." And then it kind of defeats the purpose of the test.
GRAHAM CLULEY
So—
CAROLE THERIAULT
It reminds me of the mass mailers of the late—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
The early noughties.
Unknown
Yeah, exactly. So you can actually send different templates to different groups of people or different individuals and at different times. So it staggers them out.

And then what you can do, you can see how many people have opened the email, how many people have clicked through on a link or whatever the payload might be.

It might be a link, it might be a, hey, enter your credentials here, it might be reply or whatever that is.

And then also you can see how many people have reported it to your security team.

So whether that's an internal process you have, if you receive a suspicious email, forward it to the security team, or you can download our Phish Alert button, or PAB for short, which is a Gmail and Outlook plugin that sits in your inbox.

So if you see an email that looks suspicious, you just click the button and it takes it out of your inbox and sends it to the security team to investigate.
CAROLE THERIAULT
So basically, you're putting the IT team in the driver's seat rather than you guys doing all the decision-making on what content's included and how they're sent out.

They actually get to decide themselves completely. It's almost like an autonomous effort.
Unknown
Yeah, exactly, exactly.
CAROLE THERIAULT
And that's kind of cool.
Unknown
Yeah, I mean, you know, it's the security teams that ultimately have the relationship, or should have the relationship, with all the users within the organization.

So they're best placed to make the right decisions if they have the right relationships.

And we've seen examples of where this has gone wrong, where they should have that environment where they tell people, hey, if you receive phishing email, this is what you should do, this is what you should look out for.

We're going to be doing simulation tests at this time throughout the year.

And these are some of the topics that we think are inappropriate for our user base because of whatever reasons.

It's when you get that wrong, people, instead of being educated in a phishing test, they end up getting annoyed.
GRAHAM CLULEY
Yeah.
Unknown
What we try and do is give the people the right tools so that they can— and we offer them training and guidance on this— is how to send, structure these campaigns so that when it goes out, people receive it with this spirit and intent that it was intended to, which is, hey, this is a training exercise.

We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which frankly anyone can make.
CAROLE THERIAULT
Because, you know, an IT team that act like a kind of authority of punishment is not gonna get people on side in terms of security.

What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk.

So it's important to work with the people to see that the point of this is to get people educated and protect the firm and the individuals.
Unknown
That's absolutely, that's exactly it. I mean, there was a story I read a few weeks ago and it was on Sophos Labs published it.

And there was a biomedical institute and they partner with some universities and there was some visualization tool that you could use if you were on-premise.

But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that, and the license was really expensive.

So what a user ended up doing, or a student, they downloaded a cracked copy, and Windows Defender threw up an alert, and so they disabled Windows Defender.
CAROLE THERIAULT
Oh.
Unknown
And they then logged on and did their work, and two weeks later, the company was hit by ransomware.

And this is the thing, is that people are just trying to do their job most of the time. They're trying to be helpful, and they're trying to get their work done.

And technology should be there to facilitate them in doing what they do.

And if it's there as a blocker, and security is no exception, security is probably, when implemented poorly, it becomes the biggest blocker.

If it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or exposes the company to breaches.
CAROLE THERIAULT
And so this kind of test, at knowbe4.com/freetest, allows you to, I don't know, take a pulse of the company's ability to be fooled by such things.
Unknown
Yeah, that's right. That's right. And we have benchmarking reports on our website as well. You can go into the resources and you can look for our benchmarking reports.

And most companies, when they do their first test without training and everything, it's typically over 30% of people will click on a— will fall victim to a phishing email. Right.

And that's a high percentage. That's like 1 in 3 people nearly.
CAROLE THERIAULT
That's more people than click on ads.
Unknown
Yeah, exactly, exactly.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So 3 out of 10 people typically will fall for this if they've not given any previous cybersecurity training. Is that what you're saying?
Unknown
That's right, that's right.
CAROLE THERIAULT
And then what kind of numbers do you see after the training has gone through?

If people have gone through a few simulations, have included, you know, presentations and education provided internally?
Unknown
Yeah, so there's a process you need to go through.

You know, typically if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses and they can be short ones, but it's less but more often is probably better.

And you've run it like a proper campaign, then after 90 days even you can halve that to about 10 to 14% of people.

And if you actually carry that on for a year, that drops down to about 5%. So a significant reduction can be achieved over that period of time.
CAROLE THERIAULT
Are you surprised at the number of companies that don't take security seriously even today? I mean, I don't know, I'm in the echo chamber, right? I'm on this podcast every week.

So I'm thinking and breathing and snarfling security all the time.

But people who work in other industries, say retail, finance, health, are they thinking about security as much as they should be, do you think?
Unknown
You know, it's that age-old problem. If you take a problem to an engineer, they will reframe it as an engineering problem and they'll give you an engineering solution.

If you take a problem to a security person, they're gonna reframe it as a security problem and present you with a security answer. So I think you're right.

We have this bias because we are in this echo chamber as security professionals or practitioners and other organizations and people working in other departments, they don't have that lens and they're looking at things, hey, what's our return on investment?

What's our profitability this quarter? How can we make it out of the pandemic without going bust?

If you ask me from just a pure security perspective, I'm no, people don't pay attention. And you know, they do far too little, far too late.

But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness.

People are a bit more clued on, and especially from a technical perspective, operating systems and platforms are a lot more secure than what they used to be.

Security, cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there.

And we see it all the time with unsecured S3 buckets out there.

It's not that the functionality doesn't exist, it's just that someone just forgot to check or didn't think to check that should this option be ticked to private or public.
CAROLE THERIAULT
Yeah.
Unknown
So I think it's just about making people aware and just reminding them and being that constant thing in the background. It's not something you can fix quickly.

It's like any behavior change, and that's ultimately what we're going for. It's like behavior change.

When we look at things like environmental awareness, growing up, there wasn't really a concept of recycling or separating out your rubbish. Throw away your rubbish.

But today you walk into any corporate office or even public dustbins, there's at least two, if not more, there's maybe five in some offices where when you go to throw away your rubbish, there's oh, let me separate my recyclables from my landfill and what have you.

And this is something that happened over a long period of time and raising awareness. And I think that that's the process we're going through at the moment with security awareness.
CAROLE THERIAULT
Yeah, and also, I mean, with ransomware on the rise and with the pandemic forcing people to work from home creating almost a kind of new playground for malicious actors.

I think it's important for us to understand how we are being duped, and that changes all the time because, of course, as soon as we're all aware that something can happen, we tend to be on our guard.

So they change the pattern, and people like KnowBe4, for example, are paying attention to that all the time.

So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.
JAVVAD MALIK
Yeah, that's right, that's right. So our templates are constantly being updated, and then our awareness and training modules are always— there's always new content being added.
CAROLE THERIAULT
Yeah, fantastic. Listeners, if you want to try a free phishing test, check out knowbe4.com/freetest and see how safe your office is against this kind of stuff.

Javvad Malik, thank you so much for coming on the show.
JAVVAD MALIK
Oh, it's always a pleasure, Carole. Thank you so much.
GRAHAM CLULEY
Fascinating stuff. Well, that just about wraps it up for this week. Paul, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
PAUL ROBERTS
Two ways. Go to securityledger.com, and if you're interested in the right to repair stuff, I have a Substack.

As every self-respecting journalist does these days, which is fighttorepair.substack.com.
GRAHAM CLULEY
Cool. And you can follow us on Twitter @SmashinSecurity, no G, Twitter wouldn't allow us to have a G.

And we're also up on Reddit, so look for the Smashing Security subreddit up there.

And to ensure you never miss another episode, don't forget to follow Smashing Security in your favorite podcast app, such as Pocket Casts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And thanks for this week's episode to our episode sponsors, 1Password, KnowBe4, and 1Login, and of course to our wonderful Patreon community.

It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 228 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
Bye.
PAUL ROBERTS
You guys are great. You're so smooth. It's like a well-oiled machine.
CAROLE THERIAULT
Carole Theriault here from Smashing Security. Now I have some fantastic news for you. You know how we started asking for a few more reviews?

Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped.

We've had our most downloaded show ever last week. How frickin' cool is that?

This week I want to do a shout out to Zixis, who wrote, "Many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content.

Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done." Thank you, Zixis.

And also to Red Piano Roland. "Always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking.

It's been a rough few months, and you guys have always been a lift to my spirits. Thank you, Graham and Carole." You are so, so welcome, Roland. Red Piano Roland.

Guys, if you've got the time, please keep them coming. It is seriously making a difference in keeping us independent. Plus, it's just really, really nice to hear from you guys.

Otherwise, it's just Graham, and I mean, ugh. Buckets of love.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
