Oxford teen arrested in UK on suspicion of hacking

Graham Cluley

UK police arrested a 17-year-old teenager in Oxfordshire last night on suspicion of hacking.

The boy, who has not been named, was arrested as part of an investigation by the National Crime Agency (NCA). He remains in police custody.

Although at the time of writing no more details have been shared, there is speculation online that the arrest is in relation to the recent hacks of Uber and Rockstar Games.

The hacks made headlines around the world, with source code and internal videos of a forthcoming version of Rockstar’s “Grand Theft Auto” video game franchise leaking online.

As we described on the latest “Smashing Security” podcast, Uber said it believed that it had been hacked by the notorious LAPSUS$ group.

Smashing Security #290: Uber, Rockstar, and crystal balls

Transcript (this transcript was generated automatically, probably contains mistakes, and has not been manually verified):
CAROLE THERIAULT
If you think about it, you think of all the manufacturers from, you know, smart washing machines to ping pong sticks.
GRAHAM CLULEY
What's a ping pong stick?
CAROLE THERIAULT
Oh, I meant pogo stick. I was basically being polite for vibrator.
GRAHAM CLULEY
I think. But I said ping pong.
Unknown
I thought I was going to be too rude for this show. Smashing Security, Episode 290: Uber, Rockstar, and Crystal Balls with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 290. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, this week on the show, we've got someone who's returning to us after a 5-year absence.
CAROLE THERIAULT
Shut up. That long?
GRAHAM CLULEY
He's upgraded his internet connectivity. He's on fiber. It's Iain Thomson from The Register. Hello, Iain.
IAIN THOMSON
Hello, Graham. Hello, Carole.
CAROLE THERIAULT
Hi.
IAIN THOMSON
Pleasure to be back. It's been a while.
GRAHAM CLULEY
Yes.
IAIN THOMSON
Lovely to chat.
CAROLE THERIAULT
Well, thank you for joining us so early in the morning from your part of the world.
IAIN THOMSON
Well, the sun is shining. The sky is clear. We actually had rain yesterday, which was fantastic. We haven't had that in months.

I know as a Brit, you really miss some things and rain is one of them.
CAROLE THERIAULT
And where are you?
IAIN THOMSON
Oh, I'm in the East Bay, just across the water from San Francisco.
CAROLE THERIAULT
Nice.
IAIN THOMSON
It's pretty good. It's an interesting place to live.
CAROLE THERIAULT
Let's first thank this week's sponsors, Bitwarden, Kolide, and Pantera. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Zoom, just one look and your privacy went boom.
CAROLE THERIAULT
You've missed your calling. What about you, Iain?
IAIN THOMSON
I just can't follow that. That's amazing. Well, I mean, for me, it's the Uber and Rockstar hacks. It's an amazing issue to go into. And there are some very weird things about this.
CAROLE THERIAULT
Ooh, I'm excited. And with me, we will be gazing into the crystal ball cybersecurity style.

Plus, we have a featured interview with cybersecurity kingpin from the University of Tulsa, Sal Aurigemma.

And Sal will explain why password managers like that of our sponsor Bitwarden are so valuable. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, we have emerged now, blinking from our self-imposed isolation during the pandemic.

We've ditched our caftans, we've hung those up, we've hitched up our trousers, we've tried to put a belt on if it still fits, we've deodorized ourselves because now we are interacting with our humans for months.

And months, we had been able to fool our colleagues, hadn't we, into believing we were fragrant-smelling. All the time we weren't even wearing underpants, because they never saw us.
CAROLE THERIAULT
We were wearing suitsies, weren't we?
GRAHAM CLULEY
Is that what they call them, suitsies?
CAROLE THERIAULT
It's like a onesie, like a baby onesie, but it actually has the finish of a suit. So you can actually just cuddle into it and look professional at the same time.
IAIN THOMSON
Oh my word. No, I actually wore a kilt at one meeting, but yes.
GRAHAM CLULEY
How did you prove that, Iain?
IAIN THOMSON
When the lockdown first started, we figured it was gonna be, what, 2, 3 months?

And the very first video conferencing meeting that we had, I was just out of bed wearing a sweatshirt. My hair was all a mess, and comments were made.

So the day after, I got dressed up in full kilt and fig and held the meeting that way.

And the response was really good, 'cause I mean, the essence of working as journalists is that you've got the news meeting, you know, everyone's knocking ideas off each other.

And that was a real dislocation. So I figured, you know, keep the spirits up and ended up doing about 30, 35 different costumes at the start.
CAROLE THERIAULT
Yes. Iain, you've got to send us some of these pictures.
GRAHAM CLULEY
Oh, no need.

No need, Carole, because I remembered following Iain on Twitter at the time, and I found a picture of you dressed as Joe Exotic, which was your homage to the Tiger King.
IAIN THOMSON
Yes.
GRAHAM CLULEY
Yes. Including—
IAIN THOMSON
Monica had some leopard skin stuff lying around. And that whole weird cat people documentary was raging at the time. So I figured, why not?
CAROLE THERIAULT
Wow. I love it, Iain.
GRAHAM CLULEY
So link's in the show notes if you want to go and check out Iain dressed up as Joe Exotic. But I never went that far.

I might have occasionally donned a pair of glasses to appear more intelligent, even though I can't actually read my computer screen if I'm wearing glasses.

But we're all of an age, I suspect. You know, we've been round the block a few times, haven't we? Be careful, be careful, Graham.

You know, I mean, Iain, do you ever wear glasses these days?
IAIN THOMSON
I've started wearing them in the last couple of years.

I think, to be honest, having spent, you know, spending this amount of time on a laptop and monitor screen, it's going to happen. So, you know, and you know, there's no shame in it.

It's just I am looking into LASIK, but at the same time, this very idea of someone cutting into your eyes or lasering them out is such an anathema.

I'll live with the glasses, thanks.
GRAHAM CLULEY
Carole, do you have to wear glasses for the computer screen?
CAROLE THERIAULT
No.
GRAHAM CLULEY
No?
CAROLE THERIAULT
Oh. No. I've had glasses since I was a teenager.
GRAHAM CLULEY
But not for the computer.
CAROLE THERIAULT
They were for distance, yeah. I don't have nearsightedness issues yet, 'cause I am younger than you, Mr. Cluley.
GRAHAM CLULEY
But you know what, Carole? That might've been a very sensible decision not to wear glasses at the computer screen, because there lies a danger.
CAROLE THERIAULT
Tell me everything.
GRAHAM CLULEY
Which boffins at the University of Michigan, who've teamed up with their counterparts at the Zhejiang University in China, they have been exploring the security risks associated with wearing glasses at a computer.

Okay. And specifically, they have found that you could be unintentionally leaking information through the— No, I know it sounds weird, but they're spot on.
IAIN THOMSON
This is absolutely true.
GRAHAM CLULEY
Yep. Through the reflection on your glasses when you're on a Zoom call or Google Meet session or something like that.
CAROLE THERIAULT
So, okay, okay. My mind has just gone somewhere very— Okay. Yeah.

So, for example, if you had maybe something not safe for work in the corner of your screen, your boss would be able to see it through your glasses.
GRAHAM CLULEY
Yes. In mirror vision. Potentially. Or if the thing you were looking at on the screen was moving in a particular way, that may indicate what sort of action you were watching.

There's all sorts of— Oh my God. All sorts of possibilities. It's a pogo stick. Yes.
IAIN THOMSON
Tell us more. Sell it to the judge.
GRAHAM CLULEY
They're just playing leapfrog.
IAIN THOMSON
Exactly. But I mean, this is serious because they found that even a standard, you know, 720p camera, you can get, you know, text font sizes at about 50, 60 pixels.

Now, if you're looking at 4K camera, then you could potentially get down to the kind of font sizes used in documents, not just in headings, but, you know, in the actual text itself.
GRAHAM CLULEY
This is the thing. So there's this paper that's been released. It's called Private Eye: On the Limits of Textual Screen Peeking Via Eyeglasses Reflection in Video Conferencing.

That's the name of the paper. And yeah, as Iain says, around about 75% accuracy on reading some screen text. Now I have to say some screen text. First, okay, some caveats.

A few caveats.
CAROLE THERIAULT
Yeah, I'd like to know the caveats.
GRAHAM CLULEY
Yeah. Right, okay. So the technique varies in effectiveness depending on the curvature of your lens.

So if you have prescription glasses, that apparently works better than if you have those, you know, those blue light blocking glasses some people like to use, you know, where if it's late at night or something to help them go to sleep.

So those don't work so well. And the other thing, as Iain says, is the quality of the webcam as well.

So they reckon they can read on-screen text that has heights as small as 10 millimeters. With a 720p webcam.
CAROLE THERIAULT
Now that's kind of big. 10mm is 1cm.
GRAHAM CLULEY
Ah, yeah. But that, and that is on the reflection. That's not on the screen. So what they've done— So what they've done—
CAROLE THERIAULT
We hear the science here. Yeah.
GRAHAM CLULEY
What they've done is it tends to work on quite big text. Now I've put a link in the show notes.
CAROLE THERIAULT
Okay. Oh, God.
GRAHAM CLULEY
I've put a link in the show notes, which goes to a Twitch page. Where you'll get an idea of the size of text which they can pick up. All right. Okay.
CAROLE THERIAULT
All of you looking at fonts at 48p and above, you guys with glasses, you guys are the ones in trouble.
IAIN THOMSON
I mean, I mean, we mock, but at the same time, technology advances, you know, stuff that was theoretical, you know, breaking hashing functions that was, you know, considered theoretical at the time.

Now we can do it with ease.
GRAHAM CLULEY
Yeah. So, Carole, you click through on that Twitch link, which I've put in the notes just to see.

Now, can you by any chance make out with your squinty little eyes, can you see what they're saying on that webpage?
CAROLE THERIAULT
Where it says, 'Twitch is where millions of people come together.' That one? No, no, no. Above that. Above that.
GRAHAM CLULEY
Oh, 'We saved you a seat in chat.' Can you just about see that text? Just. So I was right.
CAROLE THERIAULT
It is about 48 to 56 point font. It's huge.
GRAHAM CLULEY
It's absolutely huge. I've never seen a webpage with such large fonts as this one.
CAROLE THERIAULT
I've never even seen a presentation given have it in a PowerPoint with this sized font.
GRAHAM CLULEY
But, but as Iain says, if you had a 4K high-definition webcam, which more and more people are beginning to do because they want to look their best when they're doing their video conferencing, then the potential does begin to creep in.

And this technological advance, I mean, this isn't the first time that we've seen reflections leaking information. Back in 2019, I wrote about an obsessed fan of a J-pop pop star.

And what he did was he assaulted her after he worked out where she lived by zooming in on reflections.
IAIN THOMSON
I remember that case. That was creepy as all hell. Yeah.
GRAHAM CLULEY
He zoomed in the reflections of her eyeballs in selfies she'd posted on social media. And obviously she'd used a good camera to look good, or a fancy smartphone.

And from that, he was able to work out where she lived.
CAROLE THERIAULT
Jesus Christ, you cannot win. You cannot win. You use your eyeballs, they're using your eyeball reflections. You wear sunglasses, glasses with mirrors, well, you're screwed there too.

You have glass with reflections.
GRAHAM CLULEY
Well, it turns out you can win. It turns out you can win because there is a mitigation. There is a mitigation, right?

Okay, although these boffins have worked out, well, they can read some text, and at the moment it has to be quite big text, but that may change in the future.

Although they are able to identify, they reckon 94%, with 94% accuracy, the top 100 websites you may have open on your computer, what they cannot cope with is a feature which is available in Zoom, but isn't available in Skype and Google Meet.
IAIN THOMSON
You know, there's a way you can blur out your background. Indeed.
GRAHAM CLULEY
Yes. Add funny effects, it's like a filter.
IAIN THOMSON
Very, very useful. Yes.
GRAHAM CLULEY
Well, it turns out it does have a use because there is a feature to add cartoon glasses to yourself, which are opaque, like cartoon sunglasses. Oh my God.
CAROLE THERIAULT
And that— You see, I don't know.
IAIN THOMSON
I don't know. Isn't that going to turn people off? Because, you know, if there's one thing about video conferencing, it's eye contact.
GRAHAM CLULEY
And, you know, it's very important, so. That's true.
CAROLE THERIAULT
What if you wore those glasses with the fake eyes on them? Little pieces of cardboard you used to get.

Oh, yes, you know, they had little pinholes in the middle, so you wouldn't be able to, you know, they wouldn't be able to read your face. You would look natural.
GRAHAM CLULEY
You'd look completely normal, yes. You'd look completely normal.

Well, the boffins reckon that in time, maybe the video conferencing manufacturers will do some sort of artificial intelligence, work out where your eyes are, your glasses are, and apply a Gaussian filter to blur out that area.

But I can understand if a politician were using these services, you might want to do that. But do the rest of us have to really worry about this?
CAROLE THERIAULT
It depends how much pogo sticking you work.
IAIN THOMSON
That's your excuse and you're sticking to it, isn't it?
GRAHAM CLULEY
Iain, what have you got for us this week?
IAIN THOMSON
Okay, well, it's a doubleheader, really.

Last week, Uber suffered yet another data breach, and I was talking to an ex-Uber security person, and they were just saying, we warned them about this in 2017, we warned them about this in 2020.

And no, you know, basically, apparently, and I can't confirm this, but the person who was responsible for dealing with the earlier big breach is now the global head of PR.

And that's a lateral move. Oh no, but in terms of sort of the communications of the last data breach, he's now the global head of PR for the company.

And the tactics haven't changed, it's basically say nothing other than, you know, we've had a bit of a problem, everything's fine, Wall Street, calm down.
GRAHAM CLULEY
Really tight smile. Yeah, I have seen on LinkedIn that they are currently looking for a large number of people to join their security department.
IAIN THOMSON
Yeah, I mean, it's the classic horse stable gate situation.

And to be honest, with those job adverts, I think it's more down to the insurance company is insisting that they hire more people rather than they've suddenly found a newfound interest in security.

But yeah, I mean, there was that. And then yesterday we had Rockstar and Grand Theft Auto and somebody grand thefted them. And it's apparently the same person.
IAIN THOMSON
Now, we all know online personas can be entirely made up from whole cloth, but the fact that both Uber and Rockstar are saying it's the same person is really rather interesting.

In terms of the actual data itself, there doesn't appear to have been any ransom demand, or at least neither of the companies has mentioned any ransom demand.
IAIN THOMSON
So is this just somebody pranking around or— I mean, if I was at the SEC, I'd be looking into who's got share trading options on both of these companies.

I had a quick look at the stock price. They've only dropped a couple of dollars because Wall Street's used to this.
GRAHAM CLULEY
But yeah, the motivation is weird. So maybe the hackers haven't thought of a way to actually monetise it. Maybe they can't think, well, who would we sell this data to?

But isn't it fun?

It's a bit like the old LulzSec days, isn't it, of doing it for the laughs and embarrassing the big corporation, which might suggest it is kids or people at least who have an immature attitude rather than a more entrepreneurial streak in them.
CAROLE THERIAULT
Just because they don't ask for cash?
GRAHAM CLULEY
Well, at the very least, you'd think normally a criminal hack this, they would attempt to extort some money, but maybe they're more—
CAROLE THERIAULT
Maybe they're in the beta phase.
IAIN THOMSON
Well, I mean, maybe they're just trying it out, but I've got to say, that's two very high-profile targets and a lot of heat to bring down on the back of your neck.

And so, you know, if you're just doing this for the lulz, then it's going to be a very short career path.
GRAHAM CLULEY
I mean, so do we know that they were hacked in a similar fashion?

Because as I read it, Uber, one of the methods which was used was a sort of barrage of push 2FA notifications going to maybe someone, one of their employees who eventually got their account hacked.
IAIN THOMSON
An external contractor, in fact. Yes. Oh, was it? Right. Yeah.

So basically they got into the contractor's account and then used that to get past two-factor and get into the network and look around that way.
IAIN THOMSON
Yeah, that's at least what Uber is saying at the time. So, I mean, there was that and there's a strong element of social engineering in all of these attacks, right?

I mean, we remember Kevin Mitnick, and one of the strongest things in his arsenal was social engineering, and it appears this has been done in the same way.

But at the moment, you know what these companies are, they're not going to tell anything because they're under liability, actual liability at the moment.
GRAHAM CLULEY
But what we do know is there's a lot of information which— I mean, certainly the Uber database, I think, has been offered for sale on underground forums, although I don't know if anyone's going to buy it or not.

But The Grand Theft Auto thing, that's interesting because it appears that maybe code and video source code.

I mean, that's a game, a video game, which hasn't come out yet, isn't it? But it's obviously going to be a big deal when it eventually does come out.

And it seems to have been leaked online. And so all the gaming mags are now talking about it.
IAIN THOMSON
Yes, I mean, it's one of those franchises. It's sort of, it was a fantastic game just before the internet and then it's really glommed onto the internet and become this huge thing.

So there's a mass amount of interest, which again brings me back to why are they not trying to monetize this? Is this really kids? It's with the Uber thing.

The most worrying thing for me out of that, I mean, yeah, everyone's going to get hacked. Don't worry about it. But apparently it was 1.1 petabytes of data that they got a hold of.

Now, how the hell do you get that amount of data out of an organization without them noticing? You know? Yeah, it's kind of scary. You can't call up IT and say, 'Oi, Bob. Yeah.

I'm just doing a quick backup. So then this network channel is going to be needed for the next, you know, couple of days.' It's just insane. That is extraordinary, isn't it?
CAROLE THERIAULT
So customers of Uber, right? People like the millions and millions of people who have the apps on their phone and have— they've shared their billing information.

Are they at risk in any way?
IAIN THOMSON
It doesn't appear so at this stage. And I was feeling kind of smug because I have never and will never use Uber. But yeah, the customer information appears to be okay.

So they're safe. Well, what they said in the initial statement was location data hadn't been lost. Payment information at this stage doesn't appear to have been lost.

But with that amount of data, there's going to be an awful lot of leakage if somebody has the time, patience, and, you know, desperation to actually go through it.
GRAHAM CLULEY
And hard drive space as well, of course. Where are they going to store the information?
IAIN THOMSON
That's the other challenge.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Well, gentlemen, it is Cybersecurity Month in October, so it's almost upon us.

And since 2004, the President of the United States and Congress have declared October to be this month, helping individuals protect themselves online as, you know, threats to technology and all this become more commonplace.

And, you know, we are always talking on this show about threats that are happening right now, like the Uber hack, for example.

We talk about crypto scams and ransomware and massive data leaks.

So I thought I would have a snoop around to see if anyone has recently posted a kind of crystal ball article to warn us what's around the corner.

And lo and behold, I found one written by Danny Palmer at ZDNet. So I wanted to see if you two— actually, we could start a game. What do you think is on the list?

I've got four items on this list.
GRAHAM CLULEY
What, these are sort of new threats or things which are going to become a big deal?
CAROLE THERIAULT
Yeah, technologies that we're looking at that could be used for bad purposes, and we can see angles as to why that might be.
GRAHAM CLULEY
So would things like deepfakes, would that be a new thing?
CAROLE THERIAULT
Yes, let's start there.
IAIN THOMSON
I think that's your starter for ten, to be quite frank. Let's start with deepfakes.
CAROLE THERIAULT
It's on the list. OK, so of course, we've already seen these in use.

We've seen them used in political misinformation campaigns and pranks to fool politicians, and fraud attacks with cybercriminals using deepfake audio and even video to convince employees to authorize significant financial transfers to the accounts owned by the attackers.

And they're getting more difficult to spot all the time.

Like today, if one of you had a boss and you got a call from the boss in their actual voice telling you to do something, would you do it? And the answer is probably yes.
IAIN THOMSON
Well, I don't know. Okay, The Reg is highly security conscious and we've got a great IT manager.

Just after I joined, I left my laptop somewhere at the RSA conference, ironically enough, and freaked out.

Exactly, seriously, a month into the job I was freaking out big style.

Anyway, so I basically sent an email to our IT manager saying I've lost my laptop, locked down all my accounts, the rest of it. Got an email back, not a problem, done.

However, I then went back, found the laptop. I'd left it at the EFF stand of all places and they were just like, we were expecting you, here you go.

Got in contact with the IT manager and he was just like, look, I can't reactivate you because I've only met you once.

I don't know the sound of your voice, you're going to need to go into the office and speak to our then editor, Reg, and he's gonna have to call me because I know who he is.

It's that level of security and it seems these companies aren't taking this seriously.
CAROLE THERIAULT
He's one in a million though, that's rare. It seems very good.
IAIN THOMSON
Yeah, he was Marco, perfect example of a security manager, you know, hates people, just sits in his apartment in Italy and manages the Reg IT network like a dream.
CAROLE THERIAULT
Well, high five to Marco. But we can see that deepfakes are probably likely to become a big problem, especially misinformation, right, for politicians.
IAIN THOMSON
It's really scary, particularly with we're heading up to an election here in the US and the midterms are going to be very interesting.

Terry Pratchett had the wonderful phrase, you know, a lie can go around the world three times before the truth's got its boots on.

I mean, these things are becoming more and more convincing and it's not just business email compromise, it's political campaigning.
GRAHAM CLULEY
Yep, manipulated media, yep.
CAROLE THERIAULT
Alright, so we try for another one. What else is on the list? We've had deepfakes.
GRAHAM CLULEY
I said deepfakes, Iain, so it's your go.
CAROLE THERIAULT
Yes, okay, one point to you, Graham.
IAIN THOMSON
Yeah, okay. I was gonna say, I don't know, I think business email compromise should, if it isn't on the list, it damn well should be.
CAROLE THERIAULT
Well, it's more technology, so I would say—
IAIN THOMSON
Ah, in that case I would say biometrics.
CAROLE THERIAULT
Interesting, not on the list, really? So sorry.
IAIN THOMSON
We've been able to recreate fingerprints for plastic fingers from fingerprints for years now.
CAROLE THERIAULT
Yeah, that's true.
GRAHAM CLULEY
That's a very— Come on, Danny, why didn't you mention this in your article?
CAROLE THERIAULT
Well, I'll give you guys one for free, another one. So another obvious one is IoT, right, and it's more about the networking of IoT as well.

So you know, we have this massive race to connect all our devices, you know, our homes, our workplace networks, and this increased level of networking also creates a larger attack surface for criminals to exploit.
IAIN THOMSON
And a huge botnet potential as well in terms of you don't have to take over anyone's computer, you just take over their so-called smart device.
CAROLE THERIAULT
If you think about it, and you think of all the manufacturers from smart washing machines to ping pong sticks, they get smarter at including more robust security features into their devices, but there's millions and millions of IoT devices out there that lack security.

What's a ping pong stick? Oh, I meant pogo stick. I was basically being polite for vibrator.
GRAHAM CLULEY
I think— But I said ping pong.
IAIN THOMSON
I thought I was going to be too rude for this show, but no. Once again, Carole has trumped us.
GRAHAM CLULEY
Okay, excellent. Okay, so do you need a third one? I've got a possible one. I'm just thinking of the whole clusterfuck, which is NFT, cryptocurrency, blockchain bollocks?
CAROLE THERIAULT
No, that's not there? Yes, it is, but in a different way. It's under quantum computing.
GRAHAM CLULEY
Oh yes, quantum computing. Yes, yeah, yeah, yeah. Potential threat, yep, I understand that.
CAROLE THERIAULT
Let me take a few minutes just to explain it, 'cause it is fairly new technology, but it seems we're at the cusp of quantum computing, right?

So Bob Sutor, and check out this guy's job title, Chief Quantum Exponent at IBM.
IAIN THOMSON
I'm sorry, the minute you hear a title like that, you just think wanker.
CAROLE THERIAULT
And he says, quote, quantum computing is our way of emulating nature to solve extraordinarily difficult problems and to make them tractable.

So basically, quantum computers come in various shapes and forms, but they're all built on the same principle, that they host a quantum processor where quantum particles can be isolated for engineers to manipulate.

And what makes this super sexy for people is that quantum particles can hold immense potential for processing super large amounts of information.

And we're talking in a few minutes answering the problems today's most powerful supercomputers can't do in 1,000 years, ranging from modeling hurricanes all the way to cracking the cryptography keys protecting the most sensitive government secrets.
GRAHAM CLULEY
Yes, which would be bad. Because obviously we are all well-vested in current encryption and cryptography, and we don't want people being able to unlock that.

However, how successful have we been so far in building quantum computers? Have we really made any progress on that?
CAROLE THERIAULT
We have made a lot of progress on it, but it is still extremely expensive.

And there's still a lot of expertise required to develop, you know, it's restricted to basically large tech companies, research institutions, governments.
GRAHAM CLULEY
Because if no one's done it yet, if no one's actually cracked the encryption of all these things that we rely upon yet, then I could have suggested as, oh, I'll tell you a threat in the future, and that is magic.

I am going to invent a device which can just do magical things which break security. I'm not saying that they won't be able to do this, but until we actually see someone do it—
IAIN THOMSON
I mean, maybe I'm not being quite empathetic enough, but I'm guessing you're a skeptic on this, Graham.
CAROLE THERIAULT
He mostly moans these days, so.
IAIN THOMSON
Well, his private life is his own concern, but I mean, no, I mean, at the end of the day, I am a quantum skeptic to the extent that I've been barraged with press releases about this for the last 5 years.

And we're always a few years away. It's like fusion, but on a shorter timescale.
CAROLE THERIAULT
But if someone could get access to a quantum system, right?

Okay, this is an if, this is a big if, and say then decided to plant crypto mining malware on one of these machines, they could get very, very rich very, very quickly at almost no cost to themselves.

That's one of the arguments made in the article.
GRAHAM CLULEY
Well, if— Oh yeah, of course if, sure. If these things existed, if I had a magical ping pong stick, I could go around the world or something. I mean, it's— I just want to see it.

I just want to see it.
IAIN THOMSON
You know, I mean, it's one of those things which I honestly think will come but isn't even close to being there.

I think the real power from a security perspective with quantum computing is in point-to-point communications that are absolutely secure because if anybody tries to get into those, it immediately changes the flow of data and it's instantly noticeable.

So that kind of thing I can get behind.

But all this quantum computing is gonna break all the encryption algorithms, show me the money, and the fact is the people who— honestly, it'll happen, and it'll happen a couple of years before anyone knows about it because the NSA, the Chinese, the Russians, the British, they're not going to be advertising.
GRAHAM CLULEY
They'll be able to break into your computer to stop you from reporting about it. That's the thing.
IAIN THOMSON
Well, I did go— Google reminded me of a photo from a few years back when we did work in the office.

I'd gone away on holiday, left my laptop in the office, my work laptop in the office, locked down, came back, and somebody had written NSA was here underneath laptop, so when I moved it, it was just—
CAROLE THERIAULT
Hey, actually, sorry, I'm changing the subject slightly here, but Iain, you are right, actually. My last point does include business email compromise. So well done.

And that's under the heading of machine learning and of course the infamous AI.

So we talk a lot about that stuff, so we're not gonna go into any background, but the idea is that once AI becomes more widely available, what would cyber criminals perhaps wanna make use of it for?

And Mikko Hypponen, hip hip.
IAIN THOMSON
Absolute badass Finn. He's a marvelous bloke, isn't he?
CAROLE THERIAULT
So he was quoted as saying, Mikko, hip replacement.
GRAHAM CLULEY
Ouch.
CAROLE THERIAULT
We will start seeing malware campaigns where operations and phishing campaigns are being run totally automated by machine learning frameworks.

So think about a text-based generation algorithm to send out and reply to common spam emails or BEC (Business Email Compromise) campaigns.
IAIN THOMSON
Yeah, it's going to be a huge issue. And I think we're also missing out on the personal side of it.

I think a lot of people are going to be targeted if you've got a lot of video online. It's the sextortion campaigns all over again.

It would be relatively— if somebody, you know, with the generation that's now putting their entire lives online, that data could be used to build a deepfake and then blackmail that person, particularly if they're a high-earning Instagram influencer or whatever the job title is these days for being a public person.
CAROLE THERIAULT
Well, the good news is the U.S. government is spending billions and billions on cyber.

There are all these bills to provide more funding for it, and according to Hacker News, collectively the current bills that are making their way through the House allocate a staggering $15.6 billion to cybersecurity spending.

Yes, there's a few winners here.
IAIN THOMSON
Yeah, what the— with the big winners of the security industry, the big losers are going to be the actual end users, because I honestly don't think this is going to do a thing.

I mean, we saw Mudge's testimony about Twitter in Congress last week, and basically the most telling thing for me from that was that companies, yeah, they talk the security game, but for them, you know, if the SEC comes calling or the FTC, it's a cost of business issue if they suffer a security failing.

One of the things he said was that they were terrified of French regulators because they followed up, but with American regulators, no teeth, nothing.

So I think this is a huge government boondoggle to the security industry and the tech industry in general, but I can't see it improving things until regulators get some teeth.
CAROLE THERIAULT
Yeah, but I think it does mean that there's going to be a lot of hiring out there, and any company obviously already authorized to sell services and products to the government are going to have— are in for an excellent 2023 and '24, I'm guessing.
IAIN THOMSON
Well, kind of.

There was an executive order and a follow-up piece by the US government saying if you're selling to a federal agency, you need to give us an assurance that all this, you know, your software is patched.

If there is a problem, you know, you have a remediation strategy in place.

And if you're using open source software, it has been independently checked by a third party to make sure it's secure. So they are spending the money.

They are being a little smarter in how they spend it. You know, you've got to insist on a certain level of security.

But at the end of the day, until companies are forced by regulation to actually sort this stuff out, then it's just gonna be window dressing.
CAROLE THERIAULT
I agree. And anything that helps us navigate this new quantum-y, IoT-riddled, deepfake-rich world that we're screaming towards is good for me. I mean, a quick question.

Do either of you have smart, so-called smart devices in your home?
IAIN THOMSON
I do now.
GRAHAM CLULEY
I do, yes. Yes.
IAIN THOMSON
Really? Yeah.
GRAHAM CLULEY
You gave in.
IAIN THOMSON
Do you have any? Oh God, no. Nothing. You know, it's— No, man. Nothing.
CAROLE THERIAULT
Yeah, I have one that I can think of, actually.
IAIN THOMSON
I mean, it's always— I mean, I even have voice activation on my phone turned off.
GRAHAM CLULEY
Oh yeah.
IAIN THOMSON
Yeah, so do I. Every time you said okay and the phone lit up and it was just oh, for God's sake, stop listening.
CAROLE THERIAULT
He uses an Android, everybody.
GRAHAM CLULEY
Show sponsor Penterra is taking a whole new approach to penetration testing, allowing every organization to continuously test the integrity of all cybersecurity layers, including against ransomware and leveraging leaked credentials by emulating real-world attacks at scale all day, every day.

This approach helps security teams across the globe to cope with one of today's top security challenges: the growing digital footprint of the enterprise.

To help out, Penterra security experts are sharing with us a few tips on how to identify your exploitable attack surface. So here is tip number 1.

Penterra recommends always taking the adversarial perspective. The best way to find exploitable vulnerabilities is to, well, exploit them.

From here, security teams can hand over remediation requests to IT that are based on true business impact. Find out more by going to smashingsecurity.com/penterra.

That's smashingsecurity.com/penterra. And thanks to Penterra for sponsoring the show.
CAROLE THERIAULT
Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go or at work?

Bitwarden's password manager securely stores credentials spanning across personal and business worlds, and every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials.

These are unique and secure passwords for every single account you access, and it's easy to set up, it's easy to use. I honestly love Bitwarden.

I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user.

Check it out at bitwarden.com/smashing. Smashing Security. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.

Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employee, Kolide educates them about security and device management while directing them to fix important problems.

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.

Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.

That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show?

The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily. Better not be. Well, mine is not security related this week. Not really.

I was sat down, my son was, he said, "Oh, I want to watch something on TV." And I said, "Okay, what do you want to watch?" He said, "Oh, I want to watch the new Lord of the Rings show on Amazon." I said, "All right, yeah, okay." That's fine.

And so he starts watching this Lord of the Rings. Oh my God. Have you ever— have you watched it?
IAIN THOMSON
No, absolutely not. It's that bad?
GRAHAM CLULEY
Oh, it's so bad. I think it's the most— I think it's the most expensive TV show ever made. You'd have thought they could have afforded someone to actually write a script.

It is so— it's the most tedious, boring thing imaginable. Anyway, after about three and a half episodes, I noticed he was beginning to eat the carpet just out of boredom. I said—
CAROLE THERIAULT
Oh, he found it boring as well?
GRAHAM CLULEY
Oh yes, yeah, he found it boring.

He was going, "Oh, it's so boring." And I said, "Look, look, why don't you stop watching it if it's boring and find something else you'd rather watch?" Oh, was it hard being around someone who was moaning?

Cheeky. And what we did was we came across a show, a film, a movie I believe they're called, on Netflix called The Mitchells vs. the Machines.

Which is much, much better than the new Lord of the Rings TV show. And The Mitchells vs. the Machines is one of these animated comedy movie things for all of the family.

It's just standard robot apocalypse, putting the brakes on a family.
IAIN THOMSON
Standard robot apocalypse. Fun for all the family.
GRAHAM CLULEY
Well, the family in this case, the Mitchells, they're on a cross-country road trip. And the robot apocalypse gets in their way and tries to ruin it for them.

And it's actually pretty funny. And I enjoyed it greatly.

It features a generation gap between a dad who's useless with technology and hates screens and his daughter, who of course loves them. And there's a pug dog as well.
IAIN THOMSON
We all like pug dogs. Some people do.
GRAHAM CLULEY
This one is quite adorable, to be fair, Iain. I think you have to see the movie first. There's an Elon Musk, Steve Jobs-like character at the heart of it.

And the robots obviously take over. Anyway, it's great fun. Has a lovely message behind it. It was very funny. And I think most people haven't heard of it.

So I would recommend— Oh, it also has the Furbies.
IAIN THOMSON
Remember Furbies from the— Oh yes. They were a security risk at one point. You remember? They were banned. Stupid security risk.

But even so, I mean, if Snowden can get data out of the NSA with a Rubik's Cube, then a Furby is the least of your problems.
GRAHAM CLULEY
Anyway, I would recommend to people of all ages, if there's a child inside you, if you're a child at heart, you may enjoy this. My son said he enjoyed it and I enjoyed it.

The Mitchells vs. the Machines on Netflix is my pick of the week.
CAROLE THERIAULT
Cool. I'll check it out. Marvellous.
GRAHAM CLULEY
Iain, what's your pick of the week?
IAIN THOMSON
My pick of the week is, okay, tangentially security related, but at the same time, I'm a huge space geek. And this is a really, really exciting story. Okay. Allow it.

NASA is about to smash a spacecraft into an asteroid in the next— in 6 days' time. The DART mission.

Basically it's a test to see whether we could deflect a planet-killing asteroid that we knew was approaching the Earth.

So they've sent out the spacecraft, the DART spacecraft, and they're going to— it's carrying a CubeSat on its back.

So the spacecraft will accelerate towards this asteroid, which is a really weird system. It's a big asteroid.

If it hit Earth, we'd have a major problem, but it's orbited by a very small moon.

About, you know, 500 feet across, which is another asteroid which has glommed around it and is now orbiting it.

So NASA's plan is fire the spacecraft into this small moon, leave a CubeSat behind to record what happens, and see if you can deflect an asteroid and how much power and speed you would need to nudge it.
GRAHAM CLULEY
What could possibly go wrong here? What? No?
IAIN THOMSON
Are we all right? Oh, no, no. I have spoken to someone at NASA. They are hypersensitive about this because in PR disaster terms, that's the killer.

It's just like, yeah, we did this thing and now you're all gonna die. But no, no, they're very careful about it.

But it's crucial because we are going to get hit by a very large asteroid at some point in the next, you know, 100 million years or so, statistically.

And if we're looking to build a long-term civilization, I mean really long-term, then you've either got to get populations on other planets.

Well, you have to get populations on other planets because sooner or later the Earth is gonna get hit.

And this is a really important test to see whether we could deflect this stuff. I mean, I hated Armageddon. Armageddon is one of my all-time hated, most hated films.

But, you know, there is a serious issue behind this.

Incidentally, NASA uses Armageddon as part of its interview training, and they ask people to look for scientific inaccuracies in the film.

My understanding is the record at the moment is 168. That's cool.
CAROLE THERIAULT
So you're gonna be glued to this next, in 6 days' time.
IAIN THOMSON
Well, we're gonna get images back, but because of the distances involved and the hardware involved— Oh, of course, it's going to take weeks or months before we get the video back.

That's gonna be absolutely on tenterhooks.
GRAHAM CLULEY
He's not actually gonna be glued to it. No, Carole, just to be clear.
IAIN THOMSON
Well, breathing might be a bit difficult, but you know, compared to the standard United Airlines seat, then that would be, you know, somewhat luxurious.
GRAHAM CLULEY
Fantastic. So that's NASA's DART mission. People can read up more about that in the show notes. Carole, what's your pick of the week?
CAROLE THERIAULT
I have a very unusual one this week. So I was in the Cotswolds recently.

This is a lovely part of England near Oxford, and I was on a hike, and we were walking by a number of bus stops, as one does, and every single bus stop in the area had a defibrillator in the bus stop.

Really?
GRAHAM CLULEY
Yeah. Is that because people would have a heart attack if a bus actually showed up in the Cotswolds?
CAROLE THERIAULT
Defibrillators save lives, right? The latest research showing that accessing these devices within 3 to 5 minutes of a cardiac arrest increases the chance of survival by 40%.

That's pretty good odds. That's good. 3 to 5 minutes though is pretty short, right? That ain't long.

So say you or a loved one has a— gets into a cardiac pickle, wouldn't it be great that there was one nearby? So I started wondering, is there— where's my nearest defibrillator?

Oh yeah. Well, I have one about 3 minutes of walk away, but it's inside a store, not outside. So as long as someone has a cardiac event during business hours, this could be okay.

Though perhaps they may restrict it to customers only, like a parking spot. I'm sorry, have you, can I see proof of purchase?
GRAHAM CLULEY
A bit like going to the loo, you mean. Yes. Could you buy a coffee first?
CAROLE THERIAULT
Yes. Anyway, so I looked around my neighborhood, didn't see any external defibrillators anywhere. That doesn't mean there isn't one, but I certainly couldn't find one.

So then I thought there must be a service online, which there is, and it's called Circuit in the UK.

And this is a map service where you can find out where the closest defibrillator is working right now, available to you right now, because some are in stores, so they're only available during certain hours.

Right. Now the problem is that lots of people apparently have defibrillators, businesses and organizations and even individuals, but they're not registered.

So if they're not registered in the UK on Circuit, then there's no defibrillator information logged in the system. So this is where I am now.

I'm thinking, how do I get one for my local community? Right?

So of course, any advice from listeners greatly appreciated, because I do have a lot of old neighbors around here, some of them in pretty poor health, and this could be a serious lifesaver.

So apparently you can apply for a community public access defibrillator, which is what I think they have in Wales. It's called a CPAD.

And this is available to members of the public 24 hours a day. And there's a fee, but it looks like you can get a pretty good discount through the British Heart Foundation charity.

Prices for buying one of these things seem to range between 600 and 1,500 quid. No idea if the price difference means one saves you better than the other. No idea.

But I don't understand why there isn't one on every block in UK cities. I mean—
IAIN THOMSON
Yeah, I mean, I'm on the fence about this because I'm probably the only person on the podcast who's qualified to use one of these things, because I've had to do training on it; I'm a member of the emergency response team here, and they do take training to use.

Having the defibrillator itself is not enough.
CAROLE THERIAULT
Well, the CPAD ones seem to be like they can be run by any individual, right? And they have spoken instructions as they go through.
IAIN THOMSON
Oh, spoken instructions. Okay, I hadn't heard about those.
CAROLE THERIAULT
And they can't, you know, they will detect the anomaly before anything happens. So it's not like you can just go and charge it and run it on anybody.

They are smart, almost like smart seatbelts.

Internet connected, I have no idea, but yeah, so there's like, anyway, I have to do more research on this, but it just seems to me this is a cost-effective way, and if we had one nearby, so I'm gonna look into it and let you know how I get on.

And that's my tip of the week.
GRAHAM CLULEY
Defibrillators, oh interesting. So Carole, you've been speaking to one of Bitwarden's customers this week.
CAROLE THERIAULT
Yes, I spoke with Sal Aurigemma from the University of Tulsa. Fascinating chat and guy, take a listen.

So gorgeous, wonderful listeners of Smashing Security, we have the faculty director of the University of Tulsa's Masters of Cybersecurity degree program. What a title.

Sal Aurigemma, welcome to the show, Sal.
Unknown
I'm really glad to be here. Thanks, Carole Theriault.
CAROLE THERIAULT
Could I say your last name properly? Help me.
Unknown
Not even close.
CAROLE THERIAULT
Aurigemma. Aurigemma. Yeah, Aurigemma. See, now we should start with your background, Sal. So maybe we should introduce you to all our listeners.

So how did you end up at the University of Tulsa? Tell us about your background.
Unknown
Oh, okay. Well, I didn't plan on getting there. I joined the Navy right out of my undergraduate. I have an undergraduate degree in nuclear engineering. It's not a growth industry.

So I graduated University of Florida, nuclear engineering degree, went into the Navy as a submariner.

Spent about 10 years on active duty and then I transferred over to the intel community. Security, and then I was a reservist for another 10, 11 years.

And as I left active duty to go into civilian life, I went and got my master's in information systems so I could transition in the IT field, thinking, well, that's a job that's never going away.

And I was right on that one prediction. Pretty much if you're in IT, you have a job until you die, although it could be the reason you die.

After that I worked for about a decade in IT, and I did things like system architecture, project management, and ended up doing a lot of network and security-related projects and items.

I actually was deployed to Afghanistan for a year. I didn't love it so much. When I came back, I said, you know, I'm gonna do what I always wanted to do, which is go get my PhD.

I did that at the University of Hawaii and graduated 2013, and then I went to University of Tulsa, which is well known for their cybersecurity education.

I was really excited to join the faculty there, and that's where I've been since. And I just transitioned to the faculty director for our online master's cybersecurity program.
CAROLE THERIAULT
Wow, okay. So now at the University of Tulsa, and you're working in cybersecurity, what are your main focuses? I just love this inside look, you know?
Unknown
Well, we have faculty that cover the entire spectrum of cybersecurity research. I primarily focus on behavioral information security.

Smashing security, I really want to understand from the employee or the end user, like you and I, what motivates us to actually take those security actions that we know we should, or what stops us from doing it when we know we should.

Now, if we don't know we should, that's a different scenario. That's an education and awareness thing.

But if we're getting that education awareness or reading it in the news, why aren't we taking the steps that should be universally understood as necessary to protect ourselves?

And then we have other faculty in the program that cover, you know, everything from blockchain to network security to cybersecurity economics.

We've got a very diverse, excellent faculty at the University of Tulsa.
CAROLE THERIAULT
Okay. So, human behavior. Tell me about human behavior and the disconnect that we might have with technology. Have you seen any of those in your research?
Unknown
Well, sure. And you know, what it comes down to is I can pretty much predict what a computer's going to do because I can tell it what to do.

And then if it doesn't, I could reprogram it, right? Or if it really, really doesn't do what it's supposed to do, I throw it away and get a new one. Cannot do that with humans.

That's illegal. Also, there's a whole lot more factors on the human perspective that aren't, you know, inputs, outputs, and processing like you have for a computer.

There's just a whole bunch of different variables from different parts of that end user's or employee's life that can impact their ability to follow through on security-related actions.

I mean, you know, probably the biggest thing we hear when we talk to folks about, hey, so we just trained you on this use of, let's say, a password manager, two-factor, or some other security tool.

How come you didn't use it? And almost, I won't say almost universally, I'll say very high up on the scale, right? So I didn't have enough time to do it.

And you go, well, are you sure you didn't have enough time to do it? They're like, oh yeah, I didn't have enough time to do it. Well, you were at work and they paid you to do it.

And then when it's an end user, especially my students in my classes, I go, hey, why didn't you do it? Oh, I didn't have enough time. Oh, let's take time right now in class to do it.

And when you take away that, I'll call it an excuse of not enough time, then you start to get into, well, when I say I didn't have enough time, what I meant was, I really don't know how to do it, or I'm not confident in this technology that this is something I should spend my time doing.

And now you're getting into different types of reasons other than I don't have enough time.

Now, that said, if your cybersecurity technology takes an awful lot of effort and time for the end user to bring into their life, well, that's a big problem. Right. Yeah.

You've made it so hard no one wants to adopt it. That's a you problem as a technology.
CAROLE THERIAULT
Yeah, there's only so many hoops that we're all willing to go through.
Unknown
Yeah, exactly. And, you know, there's the younger generation. So we're talking like the college-age students, stuff like that.

When I hear that they say, well, I don't have enough time, typically they have more of something I call high-threat apathy.

And so what that means is they don't have the time to do something. They don't think it really is important to them.

In other words, like, yeah, I've heard about the threats out there, maybe even had some accounts compromised or heard bad things of other people, but whatever, you know, I'm not going to do anything about them because it's just not really that pressing a matter.

And those that do feel like something bad can happen to them, you know, they're like, well, I'm too insignificant a target for cybercriminals to come after.

If I got hacked, well, what are they going to get? My Insta account, my email? But, you know, we know what to tell those people.

The problem is we have to understand that's part of the reason why they're not adopting this technology so we can formulate our messaging better, right?

And if we ignore our demographic, if we just do the same old cybersecurity training we do at every organization I've ever been at, from the military and the government to my university, where we just go, here's your training, it's good enough for everybody, and we check the box, well, then we're never really going to make progress.

I think we need to understand our target audience and then tailor the message to it. And it's not really that hard. I mean, we do if-then statements in our programs all the time.

Why can't we do that in our training?
CAROLE THERIAULT
You know, it's okay.

This is fascinating because I'm a huge password manager fan, have been for 10 years, and it's basically because I don't remember tons of passwords that are different from each other.

I just don't have the skill, and I have a lot of different accounts.
Unknown
And you're not alone. Science has proven that we humans, except for that small percentage of savants out there, we can't create random passwords, and we sure as heck remember them.
CAROLE THERIAULT
Right? And then, so you've got people like me saying, oh, make sure every password is unique on every account. And someone who is not using that kind of tech will be like, well, how?

Have you looked into that? What are your findings on that?
Unknown
So there's a couple of fields of psychology, you know, there's negative biases that go into what people do based upon what they already know or what they think could possibly happen, right?

We discussed a few of those things.

What we're focusing on lately is trying to build up more on the positive psychology side where we're trying to build up the skills and resilience of end users to say, hey, if there's a problem, do I know what to do about it?

Am I optimistic that I can overcome this?

Because if the answer is, if I sit down with someone who's a retired couple and they're like, you know, I just don't understand the computer well enough, this isn't going to work for me.

Well, you know, maybe a password manager isn't the ideal thing for you, but maybe writing it down in a book is, if you have that book available to you.

But that's not the majority of people out there today, right? So really what we're trying to do is find out for different, again, different demographics and different user bases.

Okay, are you a constant user of technology? Then we know password managers, we are 100% certain password managers can work for you.

We just gotta get past the hurdles to get you to do it. And part of that is showing how easy it is to use. And then when there's a problem, do you have somewhere to go to?

Do you have someone to talk to, to help you get through that problem? And that's, you know, that's part of the challenge too, right?
CAROLE THERIAULT
I mean— Yep. 100%. Yeah.
Unknown

So it sounds kind of wishy-washy, but I'll just say that first and foremost, if you don't understand the audience you're talking to, whether it's your employees, and I'm not just saying, okay, these are the people in the accounting department.

I'm talking about of the people in the accounting department, what are the individual factors?

What is it about those as individuals that is either going to help or hurt them in adopting these security technologies?

Well, then you haven't done the proper work to understand what your messaging should be so that it will get through and then provide them the resources they need to succeed.

And that's why I like tools like Bitwarden, where, you know, hey, it's open source, but they have really great user manuals online and then they have videos that kind of help people walk through it.

And whether it's that or it's two-factor authentication, I'm a huge fan of a couple of different technologies. I don't know if I'm allowed to say them on the podcast. Am I?
CAROLE THERIAULT
You can say whatever you like. Go for it.
Unknown
I love YubiKeys, right? I really do love YubiKeys because once you get them set up, then they are easy to use.

Now you have to get past the whole, well, especially with college students, I would actually give them out.

They'll be like, well, if I don't have my keys with me, I'm like, well, when you're an adult, that problem will solve itself because you'll need to get in and out of things easier.

But, you know, with the password manager thing, we have it on our phones. Well, do they know that that's available to them? Do they know how seamless it works?

So when you can show people how it works, but more importantly, don't just lie about the technology and say it solves all your problems. Show what problems it solves.

Show what problems it maybe doesn't solve completely. But it's better than it was before.

And then I always at the end come back to, well, if you're not going to use something like a password manager to deal with all of these hundreds of accounts you have, what else are you going to do?

Because the bad guys will easily figure out if you reuse a password or if you use some awful pattern based upon, you know, be careful.
CAROLE THERIAULT
10 years ago I used a pattern.
Unknown
Yeah. Oh, I did too. So here's a real-life story. When I was working for the Department of Defense, it was a long time ago.

I'm sure it's been fixed. I had hundreds of systems that fell under me as a supervisor and my technicians, right? And we're talking about systems on different classification levels.

And then the DOD kept coming out with more and more ridiculous password change rules.

First it was 90 days, then it got all the way down to 45 days, and then 24 characters can't change. So what are you doing?

You're creating a pattern and you're going to computer number 2 and adding a 2 to the end, right? And then you go down, right?
CAROLE THERIAULT
I did. Mine was, I live on blah blah street, right? So it would be like, I live on Google Street. And then it was, I live on Google 1 Street. I live on Google 2 Street.

Literally, and I was a security professional. Well, yeah, embarrassing.
Unknown
Another thing that gets to another point. You're a security professional.

This kind of security overload, we've understood it's been a problem for a while for those of us in security, but now I'm starting to see 18, 19-year-olds or 60-year-olds telling me that, you know, they're just getting security overloaded.

And I'm like, wow.

So there's so many things they have to be concerned about when they go online that, you know, they just get overwhelmed and you get to the point where you're like, well, is it even worth doing anything?

If the bad guys have so many ways to get me, right? And, you know, I look at it like this.

There's only a few things that you or I as individuals can do to protect our data and access to our data. Everything else is up to the service provider, right?

Like LinkedIn, if LinkedIn gets hacked and all the passwords get stolen, like in 2013, there was nothing we could have done about that. What can we do about it?

Well, we make sure we have unique passwords, that they're strong. We're not reusing them, things like that. And we can't do that without a tool to help us, right?

So use a password manager or at least have a very good password management mechanism so that you do all the things a password manager does.

But I can't imagine living without it now. I mean, all the services on my phone and my computer, there's just no way.

I know 5 passwords in my memory most days, but I have 600 accounts in my password manager.
CAROLE THERIAULT
How old are you, Sal?
Unknown
I'm 312 years old. Oh, but you know, of those 600 accounts, let's be honest, 400 of them I had to sign up to get a discount. Right.

But still, you know, there's still dozens, if not 100 accounts I might use a year.

And you know, if my password is, "I love Smashing Security, 1 bang, bang, 3 bang," you know, after a while, the attackers only need a couple of those accounts to figure out my pattern.

Right?
CAROLE THERIAULT
Is there anything you want to add before we close off?
Unknown
Well, here's what I'll say.

If you are not using a password manager, if you are not using two-factor authentication, if you are not patching your systems, those are the three things that you can do to protect yourself.

I say number one, the number one thing is out of all the things we've talked about, there's only one security tool that ever pays you back in the long run.

And that's a password manager.

Because while it is effort to set up, I have saved — I'm gonna say thousands of hours in the last 12 to 15 years using a password manager, because I didn't have to remember things, I didn't have to figure out a password, and more importantly, it logged my stuff in immediately.

So there's no other security tool out there that saves you time as an individual like a password manager. So please look into it, and I do recommend Bitwarden.
CAROLE THERIAULT
Yes, so do I.

So if you want to learn more about password managers and how to secure your private information — and I agree with Sal 100%, once it's set up, it's gold — okay, visit bitwarden.com/smashing.

That's bitwarden.com/smashing. And Sal Aurigemma — did I do well there? Great job. Thank you. Faculty director of the University of Tulsa's master's cybersecurity degree program.

I wish I could make that tighter. Thank you so much for coming on the show.
GRAHAM CLULEY
It was a total pleasure to speak with you.
SAL AURIGEMMA
Well, after the hundreds of shows I've listened to in the past, I'm super excited to have been part of your show. Oh, what an answer.
GRAHAM CLULEY
Thanks, Sal. Great stuff. Well, that just about wraps up the show for this week. Iain, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
IAIN THOMSON
Oh, I'm old school, I'm afraid. So I'm on Twitter, @iainthomson on Twitter. And it's a really odd spelling because my parents are bastards, but we've had words about this.

So it's I-A-I-N and then Thomson without a P, and believe me, the jokes that were made at school about Thomson without a P were really quite savage.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G. Twitter won't allow us to have a G, and we also have a Smashing Security subreddit.

And don't forget, to ensure you never miss another episode, I recommend following Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And huge, huge thank you to this episode's sponsors. This is Kolide, Pantera, and Bitwarden. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 289 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
IAIN THOMSON
Bye. Bye.
CAROLE THERIAULT
Oh, Iain, it was so great having you on. Great chatting to you, enjoyed it.
IAIN THOMSON
I mean, it's been years since I've seen you. I mean, I think decades actually. God, yes, it is. Yeah, it is over a decade.
CAROLE THERIAULT
Fuck, we're old, right? Speak for yourself.

Earlier this year, UK police arrested seven people after hacks against firms such as Microsoft, NVIDIA, Ubisoft, Samsung, and Okta. All of the hacks, like those against Uber and Rockstar Games, were linked to the LAPSUS$ group.

At the time, the father of one of those arrested (who happened to live in Oxford) said that he hoped to convince his teenage son to stop using computers.

The FBI has requested the public’s assistance in identifying anybody connected with the LAPSUS$ group.


Update: Teen hacking suspect charged with computer use and breach of bail conditions


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
