Login chaos for England’s contact tracing service, our drill-down on the Britain’s Huawei 5G ban, MGM’s blockbuster breach, and how to pronounce “Gigabyte.”
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Plus we have a bonus featured interview with Scott Petry, the co-founder of Authentic8, all about how you can browse the internet safely, securely, and anonymously when conducting research, collecting sensitive evidence, and analyzing data.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey everybody, Carole Theriault here. We just want to extend a heartfelt thanks to our Patreon supporters.
Today we showcase these 10 with our deep thanks: Yurik Taraday, Alexander Burris, Mark Kali, Daniel Tedman, Stuart Mann, David Matthews, Richard Hicks, Giselle Warwick, Neil Wilson, and Michael Crumb.
Thank you all. If you want to join the Smashing Security Patreon community, check us out at smashingsecurity.com/patreon. Now let's get this show on the road.
Today we showcase these 10 with our deep thanks: Yurik Taraday, Alexander Burris, Mark Kali, Daniel Tedman, Stuart Mann, David Matthews, Richard Hicks, Giselle Warwick, Neil Wilson, and Michael Crumb.
Thank you all. If you want to join the Smashing Security Patreon community, check us out at smashingsecurity.com/patreon. Now let's get this show on the road.
G-I-G-A-B-Y-T-E. How do you pronounce that?
Well, gigawatt, obviously.
Well, no, because she spelled bite, Carole.
So it's not even spelled. It's gigawatt.
Gigabyte and GIF, right? NIST says that the G-I-G-A prefix is pronounced jiga. What?
Jiga, jiga, jiga, jiga, jiga, jiga.
Making the pronunciation of what we normally would say gigawatts in Back to the Future is actually correct as jiga-watts.
What?
Smashing Security, episode 187. Huawei ban, MGM hack, and a contact tracing cock-up. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 187. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 187. My name's Graham Cluley.
I'm Carole Theriault.
And we're joined this week, you already know who it is, it's Maria Varmazis.
It's me. Yay!
Hi. Welcome, Maria.
Back by popular demand via Twitter. Thank you all for summoning me.
God, eh? Your fans went crazy. They're like, Maria! I broke the rules by asking you publicly just to see what would happen and whoa, what a—
Name her on—
Yeah, I can't say no. The internet demands it. It's like proposing in public.
Well, what's coming up on the show this week?
Okay, first, thanks to this week's sponsors, Authenticate and LastPass. Their support helps us give you this show for free.
Now, coming up on today's show, Graham is going to share the latest UK COVID tracing snafu. Maria asks, who are we when it comes to Huawei?
And I'll be showing how not to handle a ginormous data breach.
Plus, we have an amazing feature interview with the CEO of Authenticate, Scott Petry, where you can learn more about how they can provide resilient privacy to online work.
It's super cool. So stay tuned after Pick of the Week. And there's loads more coming up on this episode of Smashing Security.
Now, coming up on today's show, Graham is going to share the latest UK COVID tracing snafu. Maria asks, who are we when it comes to Huawei?
And I'll be showing how not to handle a ginormous data breach.
Plus, we have an amazing feature interview with the CEO of Authenticate, Scott Petry, where you can learn more about how they can provide resilient privacy to online work.
It's super cool. So stay tuned after Pick of the Week. And there's loads more coming up on this episode of Smashing Security.
Who are we watching? Can we really?
Oh my God. It was gorgeous.
Come on.
Now, chums, chums, it may have escaped your notice. There's a global pandemic going on. Did you spot it?
No.
Someone could have told me. Someone could have mentioned. Turns out, despite what some countries' leaders would have you believe, it's actually quite serious.
Mm.
And maybe something should be done about it. So I don't know what—
Would be nice.
Yeah, if someone could sort it out, that'd be smashing. Now, Great Britain, as we know, we lead the world, right?
Hashtag fact.
I don't think anyone would agree with that at all.
Well, you say that, Carole, but I think the evidence is all there. We're the only country which declares its own fabulousness in its actual name. We're great. We're Great Britain.
France isn't Fantastic France. There's no Rather Super Russia, no Bloody Brilliant Belgium.
France isn't Fantastic France. There's no Rather Super Russia, no Bloody Brilliant Belgium.
I don't think that's true at all. Have you done your research on that? I don't think you have.
What?
What about O Canada? It's very O.
Hold on, Graham. Hold on. What?
Are you reaching for the globe?
She's getting it.
I'm reaching for The Economist Pocket World in Figures. Okay, okay.
Challenge me if you wish.
The United States. We're very united.
Yes.
Cannot be divided. Definitely no culture war going on at all. United States.
So you're—
Exactly.
Okay, maybe you're right. Maybe you're right. I will look it up and I'll say after the show.
The Democratic Republic of Canada. Toronto, right? I don't even need a map for that one.
Well, here in the United Kingdom, the powers that be decided to put in place a contact tracing program. Not an app.
I mean, they tried to do an app, but it's had a few teething problems on the Isle of Wight, and they've admitted it's not actually very good.
Maybe they'll get back to it later in the year. Who knows? Who knows?
No, I actually mean that they've got people who are contacting people who've contracted COVID-19, working out where they've been, who they might have infected, trying to trace the infection.
That's obviously a good thing to do.
I mean, they tried to do an app, but it's had a few teething problems on the Isle of Wight, and they've admitted it's not actually very good.
Maybe they'll get back to it later in the year. Who knows? Who knows?
No, I actually mean that they've got people who are contacting people who've contracted COVID-19, working out where they've been, who they might have infected, trying to trace the infection.
That's obviously a good thing to do.
Yes.
Kind of this countrywide— people are actually calling people saying, "Hey, you apparently have been infected.
Can you tell me where you've been so I can contact some of those people and let them know that it's serious?" What we've been doing in the Commonwealth of Massachusetts, as a matter of fact.
Can you tell me where you've been so I can contact some of those people and let them know that it's serious?" What we've been doing in the Commonwealth of Massachusetts, as a matter of fact.
Yes, I think many countries have been doing something similar. And there were some concerns at first.
Well, couldn't scammers phone up people, send text messages, and the government reassured us that, "You don't have to worry about that, because the genuine contact tracers—" Was there a cough there?
Well, couldn't scammers phone up people, send text messages, and the government reassured us that, "You don't have to worry about that, because the genuine contact tracers—" Was there a cough there?
Because he got it, right?
So, "You don't have to worry about that—" "You don't have to worry about that, because the genuine contact tracers," they said, "will sound very professional." Right. They said.
And so you don't have to worry about scammers. Now, who should be put in charge of this monumental challenge?
What great brain should organise this thing with the— Well, who they've ended up choosing is Dido Harding.
And Dido Harding is the ex-chief executive officer of TalkTalk, who were massively hacked by teenagers. Yeah, good communicator though.
Well, yes, she appeared on TV a lot talking about— What was it she was talking about? It was sequential attacks and ransomware.
And so you don't have to worry about scammers. Now, who should be put in charge of this monumental challenge?
What great brain should organise this thing with the— Well, who they've ended up choosing is Dido Harding.
And Dido Harding is the ex-chief executive officer of TalkTalk, who were massively hacked by teenagers. Yeah, good communicator though.
Well, yes, she appeared on TV a lot talking about— What was it she was talking about? It was sequential attacks and ransomware.
It's like Rudy Giuliani, sort of cybersecurity expert. Yes. Yes. Oh. Wonderful.
But Dido has lots of experience. She used to be a horse jockey. She's a prominent member of the Jockey Club. Okay.
There's nothing wrong with that. Yeah. No, there's not.
No, let me explain.
Don't be a dick. No, he's a dick.
No, there's nothing wrong with being a jockey. And she's very important inside the Jockey Club.
It was her organisation which gave the go-ahead to the Cheltenham Horse Racing Festival, where oodles of people, over 250,000 people went, while most of the country was preparing for lockdown.
Oh. And then there was a flare-up of COVID-19 in Cheltenham.
It was her organisation which gave the go-ahead to the Cheltenham Horse Racing Festival, where oodles of people, over 250,000 people went, while most of the country was preparing for lockdown.
Oh. And then there was a flare-up of COVID-19 in Cheltenham.
She's had lots of experience. Can I just make sure I understand? So she was put in charge of this? Yes. The government's contact and trace program? Yes.
She then broke the rules for her own course?
She then broke the rules for her own course?
Oh, no, no. This was basically her interview, her audition for the job.
So before she got the job, a few weeks before, she had organised this thing where there was a flare-up of— So she's perfect.
I mean, to be honest, if you're going to trace lots of people who might have the infection, go down the list of people who went to the horse race, which she organised.
So she has access to the data. It makes a lot of sense to me. Anyway, it is what it is.
And in May, the UK government, Boris Johnson, stood up there and he said, we've got 25,000 contact tracers ready to go. He said, this is a world-beating test and tracing system.
We're going to train them up, and they're going to be starting to phone everybody up. So you may ask, now it's a couple of months later, how's it all going?
So before she got the job, a few weeks before, she had organised this thing where there was a flare-up of— So she's perfect.
I mean, to be honest, if you're going to trace lots of people who might have the infection, go down the list of people who went to the horse race, which she organised.
So she has access to the data. It makes a lot of sense to me. Anyway, it is what it is.
And in May, the UK government, Boris Johnson, stood up there and he said, we've got 25,000 contact tracers ready to go. He said, this is a world-beating test and tracing system.
We're going to train them up, and they're going to be starting to phone everybody up. So you may ask, now it's a couple of months later, how's it all going?
Are they off to the races?
Sorry. It's going to be interesting, Graham, because we covered this a few weeks ago.
It'd be interesting to see what's happened since, because it was imminently about to be, you know—
It'd be interesting to see what's happened since, because it was imminently about to be, you know—
Well, it's all in place now, and it was all going very smoothly until this morning as we record this. We're recording this on Tuesday the 14th of July. Bastille Day.
Fabulous French again. So, yeah, it was going well until then, because this morning at 8 o'clock, the contact tracers tried to log into their online system from their homes.
As they do every day. But this day they were greeted with a message which said, "Your password has expired." You can't log in.
Fabulous French again. So, yeah, it was going well until then, because this morning at 8 o'clock, the contact tracers tried to log into their online system from their homes.
As they do every day. But this day they were greeted with a message which said, "Your password has expired." You can't log in.
Wah-wah. Is this an old-school security thing?
Because we used to do that in the old days, where we'd force a password reset every, I don't know, twice a year, whatever, some amount of time.
In this case, it was exactly two months since the tracers had all been registered on the service. Two months had gone by. And so, they all had their passwords expired.
So everyone got the same email.
So everyone got the same email.
It was an email they got. Oh no, they tried to log in.
Oh my god. You tried to log in, and you were told, "Contact your administrator." Now, there have been stories in the past— One guy named Joe. About— Stop it, Joe. Well—
Joe's on holiday going, "What the fuck?" Anyway.
If you found it difficult to contact an administrator, maybe they've turned their mobile phone off. You might try and go to the website, which lets you reset the password.
So these are the workers, right? These are the 25,000 people that have been hired by the government to help combat this pandemic.
This is the CTO being like, "Ticket resolved. There's a password reset protocol. Why aren't they using it, dumb users?"
So, if you went to the webpage run by Serco, which lets you reset your password, you were greeted with a message from your browser saying, "Can't open that page." Because the server is not responding.
Now, do you have any guesses?
Now, do you have any guesses?
It's too much traffic. DDoSed! They gave it a gentle hug to death.
Yeah, but it's almost not DDoSed. It's DDoSed, but it's almost by request.
It's a requested DDoS. It's getting Reddited.
Maybe they were testing the resiliency of the system. That's what's going on.
I mean, just COVID-19 does a denial of service on your own body, and you can't— you aren't effective, you know, you can't work and you can't stand up and you feel terrible.
Similarly, this has happened to you as well, and you can't get through to the site because this is horrendous. Ah, okay.
So I would to remind everybody, I'm sure our listeners are very wise, but enforcing regular password changes just for the sake of it, every two months, not necessarily a good idea.
Similarly, this has happened to you as well, and you can't get through to the site because this is horrendous. Ah, okay.
So I would to remind everybody, I'm sure our listeners are very wise, but enforcing regular password changes just for the sake of it, every two months, not necessarily a good idea.
No, it's also extremely old school, and there's much cooler ways to manage these things these days?
Well, I think you should only really change your password if you've got a reason to change your password.
So only reset people's passwords if you've had a breach or something, or if you realize— Or it's weak. Yes, or if you realize you're reusing the same password.
Let's hope those 25,000 people, by the way, when they were registered, weren't all given the same password. Let's hope that wasn't the case, but who knows.
So only reset people's passwords if you've had a breach or something, or if you realize— Or it's weak. Yes, or if you realize you're reusing the same password.
Let's hope those 25,000 people, by the way, when they were registered, weren't all given the same password. Let's hope that wasn't the case, but who knows.
They changed the password policy to expire every 90 days now. So that'll help.
But also the problem is that when you get told, if you're in a regular job, if you remember regular jobs, any of us, where if your company did enforce a password change on you, you would often take your existing password and you'd add a number 1 on the end.
Exactly. Or number 2 or April. How do you know my password, Graham?
Exactly. Or number 2 or April. How do you know my password, Graham?
Who told you my algorithm?
I don't know if you're being 100% fair.
I mean, I think in this instance, fine, but I think a lot of companies out there still— and we used to recommend it, I used to work at a security firm where we recommend it.
In fact, internally, every 90 days the password was a forced change.
I mean, I think in this instance, fine, but I think a lot of companies out there still— and we used to recommend it, I used to work at a security firm where we recommend it.
In fact, internally, every 90 days the password was a forced change.
Yes, this is 10 years ago, but that might have been our IT department recommending it.
I'm not sure that the security experts at that particular company thought that was a good idea.
I'm not sure that the security experts at that particular company thought that was a good idea.
All I'm saying is there's a lot of companies who are doing this where the IT experts who are responsible for security are mandating this, and I think there are some costs to this.
And this is a very good example as one of them. If everyone's password has to be changed on the same day, your site goes down.
And this is a very good example as one of them. If everyone's password has to be changed on the same day, your site goes down.
I think one reason why some companies have implemented in the past a sort of regular resetting of passwords is because people leave a company and they think, crikey, we don't want that password still living.
Now, that does deal with that problem, but a better way to deal with that problem would be when someone leaves the company, reset any passwords which they had access to instead.
Now, that does deal with that problem, but a better way to deal with that problem would be when someone leaves the company, reset any passwords which they had access to instead.
Rather than that would require an actual offboarding process that's somewhat organized. And that's asking a lot of them.
You can tell that Graham never worked in IT.
I don't even know if that's necessarily an IT problem, if that's just people left, you know, especially for something maybe as ephemeral as a contact tracing program.
These are usually duct tape and bits of string, right? So, yeah, having a robust organization around that might be asking a lot.
These are usually duct tape and bits of string, right? So, yeah, having a robust organization around that might be asking a lot.
But, you know, well, that's why you bring in people like Dido Harding, right, to head it up, who—
Give everyone COVID-19 so you can test how robust your program is. No. Okay. No.
So if we were talking about the company that we all used to work at when we used to do the hard password resets, I— there was another algorithm that was very common in the area where I worked, where someone I know, when she first started, her password was the top row of her keyboard, and the next reset it was the second row, and the third reset it was the third row.
And then by the time you got to, what, month 6 or 5, she could just go right back to the top again. So, brrr, across the top. Oh, wow. Yeah, that was her security. Yep.
Just keep going through. Yep. Yeah.
So if we were talking about the company that we all used to work at when we used to do the hard password resets, I— there was another algorithm that was very common in the area where I worked, where someone I know, when she first started, her password was the top row of her keyboard, and the next reset it was the second row, and the third reset it was the third row.
And then by the time you got to, what, month 6 or 5, she could just go right back to the top again. So, brrr, across the top. Oh, wow. Yeah, that was her security. Yep.
Just keep going through. Yep. Yeah.
Great security. Maria, what have you got for us this week?
Today's story broke this morning, and it's actually a UK story, but in typical American fashion, I'm gonna make it about the United States first. And then we'll get our hands on it.
USA! USA, exactly.
Oh yeah, that has a different tinge to it now, doesn't it? Yeah.
America first? So in the middle of our quarantine haze, there was a story that I know I missed and you might have missed.
It sounded like a typical back and forth in the long battle between US and China and another little petty political point being scored by the United States against Huawei, which is the Chinese tech giant, right?
Yes. So you're probably very well aware that Huawei has been on the U.S.
quote entity list since May 2019, which means that in the United States you need to have government permission to sell Huawei's tech.
So this has trickled down to things like getting Google had to revoke Huawei's Android license. I think you guys have covered it a lot in previous episodes.
So basically bit by bit, the United States has been chipping away at Huawei's attempts to sort of infiltrate the United States market and the West in general, and trying to use different laws to force this telecom giant to stop working with the West and the United States under the guise of national and international security.
It sounded like a typical back and forth in the long battle between US and China and another little petty political point being scored by the United States against Huawei, which is the Chinese tech giant, right?
Yes. So you're probably very well aware that Huawei has been on the U.S.
quote entity list since May 2019, which means that in the United States you need to have government permission to sell Huawei's tech.
So this has trickled down to things like getting Google had to revoke Huawei's Android license. I think you guys have covered it a lot in previous episodes.
So basically bit by bit, the United States has been chipping away at Huawei's attempts to sort of infiltrate the United States market and the West in general, and trying to use different laws to force this telecom giant to stop working with the West and the United States under the guise of national and international security.
So what's the fear been? What's America been so worried about?
America's fear is that Huawei is sort of a proxy for the Chinese government and is basically allowing the Chinese government to spy on, say, United States interests.
So the fear is that if the private sector in the United States, or heaven forbid the government, had any kind of Huawei kit, the Chinese government could spy and steal stuff.
So the new development in May of 2020, during this whole pandemic, which I think we're all aware of by now, is that the United States Commerce Department enacted a new regulation that made it super, super tough for Huawei to make their own semiconductor chips, which are, you know, the hardware brains that run smartphones and other important things.
The regulation said that as long as even the equipment used to make a semiconductor, for example, originates in the United States, the end product cannot be sold to Huawei.
So the fear is that if the private sector in the United States, or heaven forbid the government, had any kind of Huawei kit, the Chinese government could spy and steal stuff.
So the new development in May of 2020, during this whole pandemic, which I think we're all aware of by now, is that the United States Commerce Department enacted a new regulation that made it super, super tough for Huawei to make their own semiconductor chips, which are, you know, the hardware brains that run smartphones and other important things.
The regulation said that as long as even the equipment used to make a semiconductor, for example, originates in the United States, the end product cannot be sold to Huawei.
So how do you manage that with supply chains?
Well, I don't know if you know this, but the vast majority of semiconductor fabrication machines are actually made in the United States.
So even if you're a Korean or Taiwanese semiconductor manufacturer, if you're using United States machines, you cannot sell chips to Huawei.
So even if you're in Korea selling to China, if your equipment's American, the United States government says your product is now under United States Commerce controls and you cannot sell.
TIL. Today I learned. Yep. So that happened in May. I know I was not paying attention, and this was we had other fish to fry.
This one totally slipped by me, and now we're seeing the repercussions of that.
So that move that the United States Commerce Department made effectively stopped the vast majority of chipmakers all over the world from doing business with Huawei.
So if you're a reputable chipmaker, and again, a lot of them are in Asia, no matter where you are, you can't do business with this huge tech giant.
So Huawei now has a super hard time making these brains of their products, these chips, and they have to find new sources to get them made, but they can't go to any of the reputable known folks in the supply chain all over the world.
So security analysts watching this on the sidelines were going, Huawei's probably going to have to either try to home source this, which is not going to be great, or try to find dodgier suppliers who really can't guarantee the security integrity of what they're making.
So even if you're a Korean or Taiwanese semiconductor manufacturer, if you're using United States machines, you cannot sell chips to Huawei.
So even if you're in Korea selling to China, if your equipment's American, the United States government says your product is now under United States Commerce controls and you cannot sell.
TIL. Today I learned. Yep. So that happened in May. I know I was not paying attention, and this was we had other fish to fry.
This one totally slipped by me, and now we're seeing the repercussions of that.
So that move that the United States Commerce Department made effectively stopped the vast majority of chipmakers all over the world from doing business with Huawei.
So if you're a reputable chipmaker, and again, a lot of them are in Asia, no matter where you are, you can't do business with this huge tech giant.
So Huawei now has a super hard time making these brains of their products, these chips, and they have to find new sources to get them made, but they can't go to any of the reputable known folks in the supply chain all over the world.
So security analysts watching this on the sidelines were going, Huawei's probably going to have to either try to home source this, which is not going to be great, or try to find dodgier suppliers who really can't guarantee the security integrity of what they're making.
Or presumably get semiconductors made by any other country other than the US. Well, semiconductor fabrication machines.
Yeah, made by some other country. And that's not an easy— my dad was a semiconductor engineer.
This is like— I was thinking you were swatted up on this. Okay, that's good.
This is my dad's thing. It was like, I remember I grew up hearing about this kind of stuff all the time.
Is it big in Greece?
Are they making lots of semiconductors? My dad was in the United States. Yeah, stop being so racist. No, my dad, he came to the United States in the '80s.
My dad was working for the United States. So, yeah, shame on you, Graham. Yeah, shame.
My dad was working for the United States. So, yeah, shame on you, Graham. Yeah, shame.
I thought this was a sideline from the hot sauce, the Varmazis hot sauce. Maybe you're doing also Varmazis semiconductor manufacturing facilities.
My dad worked at a semiconductor fab in Massachusetts. That was my dad's line of work.
How unglamorous. I thought it was really cool.
Excuse you!
Can I say, by the way, today I learned that TIL means 'Today I Learned.' I always thought it was 'True In Life.' But from what you said, Carole, this has just blown my mind.
So I'm basking in that at the moment.
So I'm basking in that at the moment.
Did you know that LOL does not mean 'Lots of Love'? Just checking on that one too. Okay. I think you're supposed to roll. Okay, so— Just think of how many people— LOL. Lots of love.
Okay, sorry. Anyway, so back to the extremely interesting semiconductor story. Yes, yes. So I just gotta say, this is sort of some interesting chess by the US Commerce Department.
Look at this interesting move. It does force the hand of pretty much everybody working with Huawei, no matter where you are.
So bringing me back to the whole reason I'm bringing this story up, as of today there are repercussions now for the United Kingdom.
So breaking news via the BBC this morning, there you go, UK's mobile providers are now being banned from buying new Huawei 5G equipment after 31st of December this year, and they must also remove all of Huawei's 5G kit from their networks by 2027.
So that's a freaking long time.
Well, a lot of the telecoms that they've been sort of working this out with said that if you try to do it sooner, that things will break, things will just break.
They can't do it much faster than this. So yeah, yeah, it is a long time.
Okay, sorry. Anyway, so back to the extremely interesting semiconductor story. Yes, yes. So I just gotta say, this is sort of some interesting chess by the US Commerce Department.
Look at this interesting move. It does force the hand of pretty much everybody working with Huawei, no matter where you are.
So bringing me back to the whole reason I'm bringing this story up, as of today there are repercussions now for the United Kingdom.
So breaking news via the BBC this morning, there you go, UK's mobile providers are now being banned from buying new Huawei 5G equipment after 31st of December this year, and they must also remove all of Huawei's 5G kit from their networks by 2027.
So that's a freaking long time.
Well, a lot of the telecoms that they've been sort of working this out with said that if you try to do it sooner, that things will break, things will just break.
They can't do it much faster than this. So yeah, yeah, it is a long time.
They plan to cash out by then, so it's not going to be their problem.
But they can't do it that fast. So note that this ban is not retroactive against any existing Huawei kit from previous Gs. So 2, 3, or 4G equipment can stay.
Yeah, the UK government says that that stuff does not pose the same security risk because presumably it was made with the more trustworthy chips.
So the current thinking in pundit land is that the US's Commerce Department move in May against Huawei forced the UK's hand on this whole issue.
Oh yeah, because yeah, in response to the US sanction in May, Huawei tried to reassure the UK that they had this massive stockpile of trustworthy chips that they already had.
We got a deal for you guys. Yeah, we got a deal. They can pull from that stockpile to assure a safe 5G rollout across the UK.
But security analysts in the UK said that does not hold much water. So here we are. So this move is expected to delay the 5G rollout in the UK by about a year and cost £2 billion.
And, you know, I wonder if—
Yeah, the UK government says that that stuff does not pose the same security risk because presumably it was made with the more trustworthy chips.
So the current thinking in pundit land is that the US's Commerce Department move in May against Huawei forced the UK's hand on this whole issue.
Oh yeah, because yeah, in response to the US sanction in May, Huawei tried to reassure the UK that they had this massive stockpile of trustworthy chips that they already had.
We got a deal for you guys. Yeah, we got a deal. They can pull from that stockpile to assure a safe 5G rollout across the UK.
But security analysts in the UK said that does not hold much water. So here we are. So this move is expected to delay the 5G rollout in the UK by about a year and cost £2 billion.
And, you know, I wonder if—
What the 5G conspiracy theorists are thinking about this.
Oh, I'm sure they're loving it. They're "no microchips in my neck!" And no, the forums must be full of, you see, we told you, right?
Yeah, yeah. So your glorious leader, he's going to be quite happy about the UK making this decision, I think, isn't he?
I'm sure we'll hear a gloat if it hasn't already been published or he hasn't tweeted it already, I'm sure.
I wonder whether part of the incentive for the UK as well might have been to get a little bit closer to him and to America because we've got this impending deadline of Brexit coming up and we're very keen to get some of that American chlorinated chicken.
The chlorinated chicken.
The chlorinated chicken.
I'm sure this is not going to go down without a fight, and there's going to be some kind of retaliation from either Huawei or China. I mean, what is there?
This just seems like another escalation in this whole Cold War, if you want to call it that, because this is a serious amount of cash which China now isn't going to get, right?
As I said, if I was them, I would be pissed off. This is really something, and I'd be pissed off at both the UK and the US right now.
So there's no way this isn't gonna— there aren't going to be consequences to this. So I guess watch this space.
This just seems like another escalation in this whole Cold War, if you want to call it that, because this is a serious amount of cash which China now isn't going to get, right?
As I said, if I was them, I would be pissed off. This is really something, and I'd be pissed off at both the UK and the US right now.
So there's no way this isn't gonna— there aren't going to be consequences to this. So I guess watch this space.
But important message for listeners out there is if you've got a Huawei phone, it's not going to stop working or anything.
You're not going to have to send it in or replace any chips inside or anything like that.
You're not going to have to send it in or replace any chips inside or anything like that.
Consumer device, nothing like that. No, it should be okay.
It's just if you are in a country where you're able to buy Huawei devices, not the United States, their devices will probably get a lot harder to get your hands on and they may become unavailable.
And they're a lower cost alternative for smartphones, I believe. So this will have, at least on the consumer market, some consequences as well.
But thinking bigger picture in terms of US, China, UK, that whole triangulation, there's something's going to happen from this. I don't know what yet.
It's just if you are in a country where you're able to buy Huawei devices, not the United States, their devices will probably get a lot harder to get your hands on and they may become unavailable.
And they're a lower cost alternative for smartphones, I believe. So this will have, at least on the consumer market, some consequences as well.
But thinking bigger picture in terms of US, China, UK, that whole triangulation, there's something's going to happen from this. I don't know what yet.
And we're all a little bit brighter now on semiconductors.
Very illuminating, Maria.
You learned about it here on Smashing Security.
Very good.
Love Maria. Love Maria. She's fantastic, isn't she?
She's the best. Fantastic. Well, from the radiant memory banks.
Why am I talking like that?
Carole, what have you got for us?
Okay, well, you guys get to both sit back, and I'm gonna tell you a quick tale before we get into the nitty-gritty of the story, okay?
So we start way back in the beginning of the aftertimes. So February, right?
And this is when news of MGM Resorts, suffering a data leak, started making waves, not just because they left their data unsecured, but we were hearing that more than 10 million user accounts stolen from MGM Resorts were being basically auctioned on a hacking forum or published on a hacking forum.
So we start way back in the beginning of the aftertimes. So February, right?
And this is when news of MGM Resorts, suffering a data leak, started making waves, not just because they left their data unsecured, but we were hearing that more than 10 million user accounts stolen from MGM Resorts were being basically auctioned on a hacking forum or published on a hacking forum.
And MGM Resorts, this is a hotel company. They have a huge hotel in Vegas and other things.
Well, you know what? They were the hotel where the shooting happened. That was an MGM resort hotel.
Oh dear.
So ZDNet, a tech publisher, did some digging into this story.
And according to its analysis published in late February, the MGM data dump that was shared contained the personal details of 10 million former hotel guests, right?
We're not talking just regular guests like you or me or even the illustrious Maria.
We're talking like celebs like Justin Bieber and CEOs like Jack Dorsey and reporters and government officials and even employees at some of the world's largest tech companies.
And according to its analysis published in late February, the MGM data dump that was shared contained the personal details of 10 million former hotel guests, right?
We're not talking just regular guests like you or me or even the illustrious Maria.
We're talking like celebs like Justin Bieber and CEOs like Jack Dorsey and reporters and government officials and even employees at some of the world's largest tech companies.
So it's their personal information, their contact details and things like that were included in this data which the hacker got hold of?
No, don't worry. It's not even that much, right? It's just your full name, your address, your phone number, email, date of birth, that sort of stuff. Peanuts. All right. Peanuts.
Right, right. Anyway, so ZDNet had all these contact details and they thought, well, why don't we call some of these people up, right?
And say, hey, we're ZDNet verifying a huge dataset. Can you confirm this information is yours?
So they ended up chatting to loads of victims and the victims were, oh shit, yeah, that is my full name, my contact deets, yada, yada, yada.
And these folks also confirmed that they had stayed at the MGM Resort Hotel. So ZDNet were, we're onto something here. Okay, okay, so we're still in February now, right? Right.
So ZDNet now contact MGM Resorts going, hey guys, we found this data dump and we've kind of confirmed a few deets, and could it be you're the digital version of Typhoid Mary here, right?
Because basically they hadn't yet admitted publicly that something had gone on. Oh, I see, right. And ZDNet get this response within an hour from MGM Resorts security people, right?
And it says, quote, this is back in February.
So quote, last summer we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.
We are confident that no financial payment card or password data was involved in this matter. Did you— did I say sorry? Did you hear the sorry there?
Right, right. Anyway, so ZDNet had all these contact details and they thought, well, why don't we call some of these people up, right?
And say, hey, we're ZDNet verifying a huge dataset. Can you confirm this information is yours?
So they ended up chatting to loads of victims and the victims were, oh shit, yeah, that is my full name, my contact deets, yada, yada, yada.
And these folks also confirmed that they had stayed at the MGM Resort Hotel. So ZDNet were, we're onto something here. Okay, okay, so we're still in February now, right? Right.
So ZDNet now contact MGM Resorts going, hey guys, we found this data dump and we've kind of confirmed a few deets, and could it be you're the digital version of Typhoid Mary here, right?
Because basically they hadn't yet admitted publicly that something had gone on. Oh, I see, right. And ZDNet get this response within an hour from MGM Resorts security people, right?
And it says, quote, this is back in February.
So quote, last summer we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.
We are confident that no financial payment card or password data was involved in this matter. Did you— did I say sorry? Did you hear the sorry there?
No, there wasn't actually an apology.
You didn't see— okay, I didn't see one either.
So they haven't said that we've informed the customers or—
Actually, the hotel chain said they promptly notified all impacted hotel guests. Yes, in accordance with applicable state laws. All right.
Now, I don't know what that means for the rest of the people that were in that data dump. You know, I'm sure they're not all US citizens.
There might have been Canadians, for instance, or maybe Europeans or Africans or Asians or anyone from all over. And how does that apply?
Now, I don't know what that means for the rest of the people that were in that data dump. You know, I'm sure they're not all US citizens.
There might have been Canadians, for instance, or maybe Europeans or Africans or Asians or anyone from all over. And how does that apply?
Yes, because here in the Royal Duchy of Oxfordshire, we have very specific data notification rules, which they should have applied.
Wait, are we talking about Nevada's data protection laws?
Now, okay, okay, so MGM Resorts also told ZDNet they effectively— don't worry too much, this data was old, right? And ZDNet was able to confirm this.
So when they contacted people, none of them had stayed at a hotel past 2017, and some of the phone numbers they had called were disconnected.
But of course many were still valid because how many people change house or change phone numbers, or I don't know, change their date of birth, right?
So when they contacted people, none of them had stayed at a hotel past 2017, and some of the phone numbers they had called were disconnected.
But of course many were still valid because how many people change house or change phone numbers, or I don't know, change their date of birth, right?
Right. Yes. Yes, exactly. How can you say the data's old?
But they said it was an old dump, an old data dump.
Story of my life.
The article ends with this statement, right?
The size and the severity of this MGM Resorts security incidents pale in comparison to the massive data breach that impacted Marriott Hotels in 2017, when hundreds of millions of users were stolen by Chinese state-sponsored hackers.
Hackers. Sorry, who said that? This was at the end of the ZDNet article.
The size and the severity of this MGM Resorts security incidents pale in comparison to the massive data breach that impacted Marriott Hotels in 2017, when hundreds of millions of users were stolen by Chinese state-sponsored hackers.
Hackers. Sorry, who said that? This was at the end of the ZDNet article.
All right, so they reassured people, yeah, there's been a breach.
They're saying, look, 10 million, 10 million, 10 million, it's not—
Yeah, big deal. Yeah, right, it's not 100 million.
Yeah, exactly. And you know, Bieber schmieber, who cares, right?
So, well, lo and behold, it seems that either MGM Resorts either played down the extensiveness of this hack, or despite having claimed they had two independent forensic teams analyze the situation way back in February, maybe they failed to notice that perhaps the problem was way bigger than was reported back in February.
So, well, lo and behold, it seems that either MGM Resorts either played down the extensiveness of this hack, or despite having claimed they had two independent forensic teams analyze the situation way back in February, maybe they failed to notice that perhaps the problem was way bigger than was reported back in February.
When you say it was way bigger, what do you mean by way bigger?
Well, remember we were talking about 10 million guests? Turns out it was 142 million guests.
Oh, and your argument is that 142 million is bigger in some way than 10 million? Is that what you are arguing?
It's 132 million bigger, it seems.
My goodness, so quite a large number.
So the plot thickens because the hacker claims to have obtained this hotel data after they breached this company called DataViper.
This is a data leak monitoring service operated by Night Lion Security.
So ZDNet contact the founder of Night Lion Security, and Vinny Troia, in a phone call with ZDNet, said his company never owned a copy of the full MGM database, and the hackers are merely trying to ruin his company's reputation.
Who knows? Anywho, what does ZDNet do next?
They contact MGM Resorts for a quote saying, "Hey dudes, looks like maybe we missed a zero or something here because..." And they provided a quote which says, quote, MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation.
This is a data leak monitoring service operated by Night Lion Security.
So ZDNet contact the founder of Night Lion Security, and Vinny Troia, in a phone call with ZDNet, said his company never owned a copy of the full MGM database, and the hackers are merely trying to ruin his company's reputation.
Who knows? Anywho, what does ZDNet do next?
They contact MGM Resorts for a quote saying, "Hey dudes, looks like maybe we missed a zero or something here because..." And they provided a quote which says, quote, MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation.
They used the word scope, did they? They used the word scope. Is it possible they were looking down the wrong end of the scope and so it appeared smaller rather than proper size?
The MGM Resorts spokesperson also pointed out that the vast majority of data consisted of contact information like names, postal addresses, and email addresses.
You know, not the important stuff like financial information, just your private personal information. So they still have not apologized.
There was a quote you read on— you saw something on Twitter just before we started recording, Graham. Do you remember what it said?
You know, not the important stuff like financial information, just your private personal information. So they still have not apologized.
There was a quote you read on— you saw something on Twitter just before we started recording, Graham. Do you remember what it said?
Yeah, the guy from the BBC said MGM are still not confirming actually the size of the breach. I think they have—
Where's GDPR? That's what I'm saying.
Come on, GDPR. Yeah, there been some Europeans there.
Yeah, and I think bug off, because ultimately what we're seeing here is how not to handle a data breach, in the worst state.
So the only way you can fight back is basically do not stay at MGM Resorts. That's what I would say. Shame on you, MGM Resorts.
So the only way you can fight back is basically do not stay at MGM Resorts. That's what I would say. Shame on you, MGM Resorts.
Yeah, I'm not surprised when a small company fucks up their response, but a company as huge as MGM, they don't have an excuse.
So I, yeah, just shaking my head at them because they should know better. This is not an acceptable response. This story is a mess. Not your fault.
The facts of the story are an absolute mess.
So I, yeah, just shaking my head at them because they should know better. This is not an acceptable response. This story is a mess. Not your fault.
The facts of the story are an absolute mess.
Yeah. And basically MGM are the cause of the mess because they didn't come clean when they should have.
Are MGM the one with the lion? Are they?
Have I Silo for Research Toolbox from Authenticate is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep, and darkweb.
To learn how Silo for Research enables teams to timely and efficiently investigate while ensuring maximum security and oversight to ensure compliance, including GDPR, go to smashingsecurity.com/authenticate.
That's smashingsecurity.com/authenticate, and that is spelled authentic with a number 8 on the end. Use a password manager.
Have I Silo for Research Toolbox from Authenticate is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep, and darkweb.
To learn how Silo for Research enables teams to timely and efficiently investigate while ensuring maximum security and oversight to ensure compliance, including GDPR, go to smashingsecurity.com/authenticate.
That's smashingsecurity.com/authenticate, and that is spelled authentic with a number 8 on the end. Use a password manager.
Just do it. These aren't my words. These are the words of Brian X. Chen, the lead consumer technology writer at the New York Times.
It's time that everybody uses a password manager, both at home and at work.
Now get this, LastPass from LogMeIn offer businesses a secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts.
And guess what, you home users out there? You can get LastPass free. For more info, go to smashingsecurity.com/lastpass. That's smashingsecurity.com/lastpass.
It's time that everybody uses a password manager, both at home and at work.
Now get this, LastPass from LogMeIn offer businesses a secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts.
And guess what, you home users out there? You can get LastPass free. For more info, go to smashingsecurity.com/lastpass. That's smashingsecurity.com/lastpass.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be. And my Pick of the Week this week is not security-related. Good. It is a website, a rather cute website.
And what it does is it says, let's face it, we're all stuck indoors. It's going to be a while till we travel again.
Wouldn't you like to look out through someone else's window somewhere else in the world?
And on the website windowswap.com, and there's a dash between window and swap, you can see movies through other people's windows all around the world.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be. And my Pick of the Week this week is not security-related. Good. It is a website, a rather cute website.
And what it does is it says, let's face it, we're all stuck indoors. It's going to be a while till we travel again.
Wouldn't you like to look out through someone else's window somewhere else in the world?
And on the website windowswap.com, and there's a dash between window and swap, you can see movies through other people's windows all around the world.
Oh, I love this one with these cute little doggies.
And you can cycle through them. So if you don't like one, just press it again. And you'll go somewhere else in the world. Oh, bunch of cars. Boring.
And some of them are really rather relaxing. Oh, this is nice.
And some of them are really rather relaxing. Oh, this is nice.
Have you ever landed on anyone having the, you know, doing the naughty?
Right, Carole, stop. Right. No, no, no, no. No.
I'm not saying it's what it's for, but you'd forget.
You'd forget that you would be filming. It's always gotta be filth with you, doesn't it, Carole?
Carole, I knew you'd try and make this scrubby. These are not live streams through people's windows.
What they are is you get to submit to the makers of the site who are Sonali Ranjit and Vaishnav Balasubramanian.
You can submit a 10-minute video file, which obviously they vet and watch, and then they put it up on the site if they like it. So it's not a live stream. It's just 10 minutes.
But some of them are really charming and relaxing.
What they are is you get to submit to the makers of the site who are Sonali Ranjit and Vaishnav Balasubramanian.
You can submit a 10-minute video file, which obviously they vet and watch, and then they put it up on the site if they like it. So it's not a live stream. It's just 10 minutes.
But some of them are really charming and relaxing.
I agree. I might submit mine, actually. I might do the same.
Why not? It's very, very cute. And it is window-swap.com.
Okay, can I just ask a question? What if you submit a 10-minute video and it's perfect, and it's perfect, and at 9 minutes 13 you run past naked. Really fast.
Once again, can we go back to this?
Once again, can we go back to this?
It's always you being grubby, isn't it? It's always you who has to ruin things for everybody else.
I think you're hinting that this is what you're going to do. You might want to find my video.
9 minutes 13, eh?
Okay, good to know.
Good to know.
Maria, what's your pick of the week? My pick of the week is going to piss some people off, and that's why I like it.
I saw you tweet about this.
Yeah, if you follow me on Twitter and actually pay attention to what I tweet, you've seen this story. Okay, so basically I want to know, I'm going to ask the two of you first.
How do you pronounce the file format that ends with .gif? How do you pronounce that? GIF?
How do you pronounce the file format that ends with .gif? How do you pronounce that? GIF?
Because I'm not a pervert. And it's not a jiff? No, it's never ever.
No, I've never said jiff. I never said jiff. Okay, always GIF. How do you pronounce G-I-G-A-B-Y-T-E?
G-I-G-A-B-Y-T-E. Did I misspell that? I forgot the A. Sorry, you know, a thing I just made up. I can spell G-I-G-A-B-Y-T-E.
How do you pronounce that? Well, gigawatt, obviously.
Well, no, because she spelled byte. So it's not—
Can't even spell, can he?
It's gigabyte. Gigabyte.
Gigabyte and GIF, right? So NIST, which is the National Institute of Science and Technology, United States, one of our big sciency places. I almost had an internship there.
I should—
I should—
Yes, they're actually very cool because they provide a framework for cybersecurity.
So if you're a company and you kind of want free resource on how to build a security policy in your company, NIST has a ton of up-to-date resources.
So just sorry, just doing a little ad for them, but it is good stuff.
So if you're a company and you kind of want free resource on how to build a security policy in your company, NIST has a ton of up-to-date resources.
So just sorry, just doing a little ad for them, but it is good stuff.
Yes, they are a repository of extremely intelligent people. I highly respect them. Okay, so NIST says that the G-I-G-A prefix is pronounced correctly, jiga.
What? Jiga, jiga, jiga, jiga, jiga, jiga.
Making the pronunciation of what we normally would say gigawatts in Back to the Future is actually correct as jiga-watts.
Jiga-watts.
Hang on.
So in Back to the Future, they say jiga-watts.
They say jiga-watts, and people have been giving them shit since the '80s that Back to the Future was like, oh, they said jiga-watts. Apparently that's correct.
And we should also be saying gigabyte.
And we should also be saying gigabyte.
Look, gigawatts is way more fun to say.
Gigawatt? Gigabyte.
Gigabyte? Gigawatt?
I wish Doc Brown wasn't French or something. He was just saying gigabyte.
Gigabyte. Yes, it's beautiful.
Say giga. Giga giga. Say giga giga.
See, it's fun. I think we need to get on board with the NIST.
No, I'm not. No, no, I'm not happy about this. Oh, surprise, surprise. The thing that we've all learned under lockdown is that scientists can't be trusted. There's Dr.
Fauci going around telling people to wear masks, and we've been reliably told that maybe we shouldn't do that.
And maybe similarly, we shouldn't trust these people trying to tell us that gigabyte isn't pronounced gigabyte.
Fauci going around telling people to wear masks, and we've been reliably told that maybe we shouldn't do that.
And maybe similarly, we shouldn't trust these people trying to tell us that gigabyte isn't pronounced gigabyte.
It's jiggabyte, and I will die on this hill. No, I won't. But jiggabyte, jigga-jigga. It's actually gigabite, if you want to go by the original Greek. Gigabite!
Oh, well, if you're okay, the Greek has corrected us. No, no, no, no, that's not Greek.
I'm just joking. Oh my God, actual Greeks will be so mad at me. Funny.
Carole, what's your pick of the week?
Mine's not funny. Oh, mine's not funny.
Mine's not funny. Well, that just about wraps it up.
No, but it's kind of maybe important, maybe interesting, maybe.
Okay, maybe. Okay, so during the pandemic I have been giving some thought to the single folk out there, right?
Because during a pandemic, if you're on the lookout for a partner, that's gonna suck. Yes. And I was thinking, oh, you know, I wonder what's going on.
And then I was scrolling through my pods and I found this pod that I subscribed to, I don't know, a few years ago, a year ago, and I'd never listened to it. And it's called No.
I think I probably read about it somewhere, subscribed to it, and there it was sitting my feet.
Because during a pandemic, if you're on the lookout for a partner, that's gonna suck. Yes. And I was thinking, oh, you know, I wonder what's going on.
And then I was scrolling through my pods and I found this pod that I subscribed to, I don't know, a few years ago, a year ago, and I'd never listened to it. And it's called No.
I think I probably read about it somewhere, subscribed to it, and there it was sitting my feet.
No, with a canoe?
No, no, as an N-O.
No. Oh, N-O, right. Pronounced no. Yes.
It's put out by a podcast network called The Heart Radio, and they put out a few episodes, and one of them was this 4-part series called No.
And this is where— this is not for kids, this is not for kids— but this is where the host Caitlin Prest explores her kind of sexual— Sorry, my mom's calling me.
And this is where— this is not for kids, this is not for kids— but this is where the host Caitlin Prest explores her kind of sexual— Sorry, my mom's calling me.
What? In the middle of this?
Just— I know, Mom, your timing. She's like, Carole, do not say the words you're gonna say.
Don't stop. Wow, are you being dirty on the radio? Karen.
Karen's on the— Karen's calling in.
Oh my goodness.
So where the host Caitlin Prest explores her kind of sexual boundaries and how she may have managed or mismanaged some of the situations as she kind of, I don't know, slalom through boyfriends, friends with benefits, all the stuff.
But even cooler than that, so A, I recommend listening to it. I'm not saying you're gonna agree with it all. I'm not saying you will or won't. It's just worth listening to.
It's gonna stretch your mind a bit.
But even cooler is that a show that I have listened to for more than a decade, Radiolab, did this retrospective on this Caitlin No series that she did.
And so they kind of sum up her 4 episodes into 1 tiny episode, and then they kind of explore it from different points of view, what she kind of covered in her show.
It's fascinating. Check it out, or don't. All right. Or don't, you know.
So where the host Caitlin Prest explores her kind of sexual boundaries and how she may have managed or mismanaged some of the situations as she kind of, I don't know, slalom through boyfriends, friends with benefits, all the stuff.
But even cooler than that, so A, I recommend listening to it. I'm not saying you're gonna agree with it all. I'm not saying you will or won't. It's just worth listening to.
It's gonna stretch your mind a bit.
But even cooler is that a show that I have listened to for more than a decade, Radiolab, did this retrospective on this Caitlin No series that she did.
And so they kind of sum up her 4 episodes into 1 tiny episode, and then they kind of explore it from different points of view, what she kind of covered in her show.
It's fascinating. Check it out, or don't. All right. Or don't, you know.
So are you recommending the podcast now or the Radiolab episode? I recommend both. Okay. All right. And we'll put links in the show notes if anyone wants to check it out.
Under this episode, 187.
Marvelous. Well, that just about wraps it up this week.
Maria, I'm sure lots of our listeners would love to follow you online and tell you that you're wrong about how to pronounce gigabyte. Gigabyte.
Maria, I'm sure lots of our listeners would love to follow you online and tell you that you're wrong about how to pronounce gigabyte. Gigabyte.
Giga giga.
Remind us what your Twitter handle is. I'm on gigabyte.
No, I'm on Twitter at @mvarmazis.
Please spell it correctly.
Fantastic. Fantastic. And you can follow us on Twitter @SmashInSecurity, no G, Twitter allows to have a G, and you can join the Smashing Security subreddit as well.
And don't forget, if you want to be sure never to miss another episode, please subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts.
And don't forget, if you want to be sure never to miss another episode, please subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts.
And thank you for listening to us, for supporting, for sharing episodes of Smashing Security. You guys rock.
Also, huge thank you to this week's Smashing Security sponsors, Authenticate and LastPass. Their support helps us give you this show for free.
And make sure to stay tuned for our exclusive feature interview with Scott Petry, co-founder and CEO of Authenticate.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Also, huge thank you to this week's Smashing Security sponsors, Authenticate and LastPass. Their support helps us give you this show for free.
And make sure to stay tuned for our exclusive feature interview with Scott Petry, co-founder and CEO of Authenticate.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio, bye-bye, au revoir, toodaloo.
All right, very exciting today, listeners. We have Scott Petry, he's the co-founder and CEO of Authenticate. Scott, thank you so much for joining us on the show today.
Carole, thanks for having me.
You know, we also have another special guest here on this interview, don't we, Graham? Make yourself known.
I wasn't expecting to be introduced. Hello, I'm here. Nice to meet you, Scott.
Nice to meet you, Graham.
So first, Scott, tell us all about Authenticate. What do you guys do?
Well, Authenticate is focused on doing something that sounds really simple, but is actually pretty sophisticated. We build what's called a web isolation platform.
And that basically means that as users interact with web services, we provide an intermediary web environment that conducts all their actions for them and turns whatever they're doing online into a safe, secure, benign, policy-controlled, audited work stream.
So you can think about Authenticate as basically providing a platform that allows people to access the internet using browsers running on our platform rather than the browser on their own local device.
And that basically means that as users interact with web services, we provide an intermediary web environment that conducts all their actions for them and turns whatever they're doing online into a safe, secure, benign, policy-controlled, audited work stream.
So you can think about Authenticate as basically providing a platform that allows people to access the internet using browsers running on our platform rather than the browser on their own local device.
Okay, so I'm guessing the kind of people that would be really interested in this are people that are really interested in keeping their actions private or really into privacy?
It's a great question. And the answer is yes, plus. So when we started the company, we basically saw that there was more and more stuff being done online, right?
The proliferation of cloud applications, people moving all their personal activities, you know, banks and healthcare providers starting to provide web access portals for users.
People were using the regular browser that came with their computer, using the browser to store passwords, to download data, cache information, keep their local state in that environment.
At the same time, advertisers or bad actors are using the exact same channel of delivering web code to try to corrupt those systems.
And so when we started the company, we were thinking about pretty much a broad array of issues associated with the browser, and anonymity and privacy is absolutely one of those things.
But also integrity of the page code when you render a page, or the ability to manage credentials without those being stored in a place that's susceptible to exploit, or checking the integrity of a link to ensure it's not routing off to a rogue server somewhere before someone clicks it.
So we really looked at this holistically.
I mean, the web security world is defined by probably 12 different categories of product that live either at the endpoint, at the network, or at some sort of edge-based control mechanism.
And what we said was, why don't we take all of those capabilities and embed them in the application itself called the browser? And that's how we built this platform.
The proliferation of cloud applications, people moving all their personal activities, you know, banks and healthcare providers starting to provide web access portals for users.
People were using the regular browser that came with their computer, using the browser to store passwords, to download data, cache information, keep their local state in that environment.
At the same time, advertisers or bad actors are using the exact same channel of delivering web code to try to corrupt those systems.
And so when we started the company, we were thinking about pretty much a broad array of issues associated with the browser, and anonymity and privacy is absolutely one of those things.
But also integrity of the page code when you render a page, or the ability to manage credentials without those being stored in a place that's susceptible to exploit, or checking the integrity of a link to ensure it's not routing off to a rogue server somewhere before someone clicks it.
So we really looked at this holistically.
I mean, the web security world is defined by probably 12 different categories of product that live either at the endpoint, at the network, or at some sort of edge-based control mechanism.
And what we said was, why don't we take all of those capabilities and embed them in the application itself called the browser? And that's how we built this platform.
Ah, that's interesting.
So you basically provide a browser that allows people to do work that, and it protects their identity and it kind of anonymizes them, not pseudo-anonymizes them, but anonymizes them.
Wow, better than GDPR.
So you basically provide a browser that allows people to do work that, and it protects their identity and it kind of anonymizes them, not pseudo-anonymizes them, but anonymizes them.
Wow, better than GDPR.
We are fully compliant with GDPR and alphabet soup of other requirements as well for a variety of reasons.
But, you know, we used to refer to the platform as a cloud browser before the analyst community started to track this concept of virtual browser infrastructure or started become a category.
Because the idea is basically you run the browser as a service and it lives in our platform. You have a secure connection to it.
At that point, you're basically sort of using an intermediary or proxy— I don't want to say proxy for the technical reasons, but sort of metaphorical proxy to get out to the internet.
That platform becomes the sacrificial lamb, and it keeps everything you're doing at arm's length from anybody on the other side of the equation.
But, you know, we used to refer to the platform as a cloud browser before the analyst community started to track this concept of virtual browser infrastructure or started become a category.
Because the idea is basically you run the browser as a service and it lives in our platform. You have a secure connection to it.
At that point, you're basically sort of using an intermediary or proxy— I don't want to say proxy for the technical reasons, but sort of metaphorical proxy to get out to the internet.
That platform becomes the sacrificial lamb, and it keeps everything you're doing at arm's length from anybody on the other side of the equation.
And that's kind of the beauty of this approach, isn't it?
Is that you're letting someone browse the internet like they would normally, but they're kind of doing it inside a protected bubble.
And if anything bad happens in it, it's not gonna cause them any harm.
Is that you're letting someone browse the internet like they would normally, but they're kind of doing it inside a protected bubble.
And if anything bad happens in it, it's not gonna cause them any harm.
Exactly right. We transcode everything that the browser executes using standard protocols into our proprietary and encrypted display protocol, you know, remote rendering protocol.
It's more than just display, it's audio, video, et cetera. It's binary files if authorized.
But then the important thing, Graham, also is that in addition to that bubble, a lot of our customers are operating in compliance-oriented organizations, or they have sensitive workflows like law enforcement investigations or financial activities.
We provide a full suite of administrative policies as well to control device access, data policies like upload and download, and then we have the ability for all activity to be logged centrally regardless of device, network, et cetera.
And that log data is all encrypted with customer-controlled keys. So the customer gets to control their data rather than us controlling their data.
It's more than just display, it's audio, video, et cetera. It's binary files if authorized.
But then the important thing, Graham, also is that in addition to that bubble, a lot of our customers are operating in compliance-oriented organizations, or they have sensitive workflows like law enforcement investigations or financial activities.
We provide a full suite of administrative policies as well to control device access, data policies like upload and download, and then we have the ability for all activity to be logged centrally regardless of device, network, et cetera.
And that log data is all encrypted with customer-controlled keys. So the customer gets to control their data rather than us controlling their data.
So that to me seems really cool because if I was, for instance, investigating financial fraud or if I was in law enforcement working on a case, I would imagine if I was using a normal browser on my computer, I'd kind of have to fill in a logbook every time I clicked on a link or downloaded something.
Whereas if you're working inside that sort of environment you're describing, everything is sort of getting logged for you.
Whereas if you're working inside that sort of environment you're describing, everything is sort of getting logged for you.
It's absolutely right. And if you think about that example right there, and we have customers who have spoke, we've spoken to about this.
When IT gives a financial crimes investigator a set of tools, they are by definition doing things outside of corporate policy.
They're going to a website perhaps or interacting on an internet forum that a normal employee wouldn't be allowed to get to.
They're interacting with web code that could be damaging to the organization that a normal employee wouldn't be allowed to transit the gateway and come into the environment.
And so, they're giving the employee these tools that allow them to conduct their investigations anonymously and securely, as Carole, you know, as you said.
But it's also still inside of the realm of control, where IT has positive visibility over how the tool is being used and to prevent abuse, which is a critical part of the compliance equation as well.
When IT gives a financial crimes investigator a set of tools, they are by definition doing things outside of corporate policy.
They're going to a website perhaps or interacting on an internet forum that a normal employee wouldn't be allowed to get to.
They're interacting with web code that could be damaging to the organization that a normal employee wouldn't be allowed to transit the gateway and come into the environment.
And so, they're giving the employee these tools that allow them to conduct their investigations anonymously and securely, as Carole, you know, as you said.
But it's also still inside of the realm of control, where IT has positive visibility over how the tool is being used and to prevent abuse, which is a critical part of the compliance equation as well.
So tell me about the customers you have. Like you mentioned law enforcement, I'm guessing there's also going to be some law firms. Firms involved, insurance companies?
A little bit of history. This is the second company that I've started.
The first company was an email security company that was also a pioneer in the cloud space, and it became a pretty well-known company.
And that was an awesome platform because we could sell the same thing to every customer.
And if I knew then what I know now, the cross to bear, or the challenge for our company is that we're not a single platform for a single customer.
It's not like you can just go to every organization and say replace your browser.
It's a little bit more difficult than that because of a variety of reasons, whether it's user preference issues or whether it's IT change management issues or whatever.
What we've been able to do though, and what our market differentiation is, is that our product can be configured very specifically for very specific use cases.
So yes, we have financial services firms using us for forms of financial fraud and money laundering investigations. Yes, we absolutely have law firms using us.
The use case there is slightly different though.
That might be an environment where the senior partners need to get access to social media sites or personal sites, but the legal IT doesn't want that information to be commingled with sensitive client data on the same device.
And so they can use our platform as a way to give a second window onto the internet where there's no data commingling, if you understand that.
We have— It's almost like a virtual safe room. 100%, 100%.
And with the recent change to the way everybody works, if this was a video conference, you'd see me in one of the bedrooms in my house. And this is my office now.
More and more people are working remotely, and so we've seen this idea of being able to take the browser and implement positive policy control and audit over the browser.
It allows IT to get back in control of what people are doing when they're working remote without having to give them a laptop and a VPN connection et cetera.
So we have a lot of organizations that are using this for regulated access to cloud applications, whether it's HR and payroll-related activity, call center, help desk-oriented activity.
Those employees are all working remotely now. When you send your employees home, how do you tell them, okay, be careful when you log into Freshdesk, right?
The first company was an email security company that was also a pioneer in the cloud space, and it became a pretty well-known company.
And that was an awesome platform because we could sell the same thing to every customer.
And if I knew then what I know now, the cross to bear, or the challenge for our company is that we're not a single platform for a single customer.
It's not like you can just go to every organization and say replace your browser.
It's a little bit more difficult than that because of a variety of reasons, whether it's user preference issues or whether it's IT change management issues or whatever.
What we've been able to do though, and what our market differentiation is, is that our product can be configured very specifically for very specific use cases.
So yes, we have financial services firms using us for forms of financial fraud and money laundering investigations. Yes, we absolutely have law firms using us.
The use case there is slightly different though.
That might be an environment where the senior partners need to get access to social media sites or personal sites, but the legal IT doesn't want that information to be commingled with sensitive client data on the same device.
And so they can use our platform as a way to give a second window onto the internet where there's no data commingling, if you understand that.
We have— It's almost like a virtual safe room. 100%, 100%.
And with the recent change to the way everybody works, if this was a video conference, you'd see me in one of the bedrooms in my house. And this is my office now.
More and more people are working remotely, and so we've seen this idea of being able to take the browser and implement positive policy control and audit over the browser.
It allows IT to get back in control of what people are doing when they're working remote without having to give them a laptop and a VPN connection et cetera.
So we have a lot of organizations that are using this for regulated access to cloud applications, whether it's HR and payroll-related activity, call center, help desk-oriented activity.
Those employees are all working remotely now. When you send your employees home, how do you tell them, okay, be careful when you log into Freshdesk, right?
And I know, I know, and use your computer, but make sure it's secure. Exactly.
Yeah, it's incredibly crazy. Our customers are across a variety of use cases ranging from very sensitive and very secure to just good IT practices for employees being online.
Let's say I'm listening to this and I'm thinking, this sounds extremely cool. I'm thinking this could be something good for my organization or for my project. What steps do they do?
How does it work? Do they get to test it out or—
How does it work? Do they get to test it out or—
100%. So we are a cloud-native platform, so there's no installation of anything required.
You don't need to put network kit, you don't need to have a guy come visit your home and configure your router or anything, right?
You basically can see— exactly, you sign up for the product. We certainly give evaluations, we give trials.
You can, like a web conferencing system, you can use the browser to access the platform or you can install a native client to access the platform.
We support the traditional compute platforms and iOS.
Then you basically run it like you would use a browser, whether it's inside a tab in Chrome or whether it's a window and a separate application.
It looks like, acts like, quacks like a regular browser environment.
You don't need to put network kit, you don't need to have a guy come visit your home and configure your router or anything, right?
You basically can see— exactly, you sign up for the product. We certainly give evaluations, we give trials.
You can, like a web conferencing system, you can use the browser to access the platform or you can install a native client to access the platform.
We support the traditional compute platforms and iOS.
Then you basically run it like you would use a browser, whether it's inside a tab in Chrome or whether it's a window and a separate application.
It looks like, acts like, quacks like a regular browser environment.
So there's really nothing to learn here. It's like if you know how to surf the web already, you can just surf the web but inside Authenticate silo.
100%.
Now the splitting of the use case though, you might have people who want to have two separate environments, but in a pre-COVID world, IT liked to be able to say if you're going to X, render it in the local browser.
If you're going to Y, that's when we'll use this web isolation platform.
And so needless to say, we have all the IT integrations that you would want for traditional network environments as well, including the ability to forward URLs or redirect URLs to our platform.
So you can say, my employee is going to be doing access to their behind-the-firewall web application from their local browser.
But if they go to Facebook, that kicks over into our platform and that would be all seamless to the user.
Now the splitting of the use case though, you might have people who want to have two separate environments, but in a pre-COVID world, IT liked to be able to say if you're going to X, render it in the local browser.
If you're going to Y, that's when we'll use this web isolation platform.
And so needless to say, we have all the IT integrations that you would want for traditional network environments as well, including the ability to forward URLs or redirect URLs to our platform.
So you can say, my employee is going to be doing access to their behind-the-firewall web application from their local browser.
But if they go to Facebook, that kicks over into our platform and that would be all seamless to the user.
This is a newbie question.
I apologize if it's obvious, but so I'm using this browser and I go to something like Facebook or a page where I need to authenticate my login instance, right?
So then how does that work? Do I just have to enter my password and it's Facebook knows that I'm the right person, but no one can trace it back to my particular IP address?
I apologize if it's obvious, but so I'm using this browser and I go to something like Facebook or a page where I need to authenticate my login instance, right?
So then how does that work? Do I just have to enter my password and it's Facebook knows that I'm the right person, but no one can trace it back to my particular IP address?
Yeah. So your IP address is certainly hidden. Facebook would see it as a machine that maybe was or was not associated with you before.
But an important point though, Carole, is once you give Facebook your identity, now they can track you through other things. Once you're logged in, they can drop a cookie.
And I won't get into how we handle cookies, but you can either choose to save cookies or you can choose to have them purged. And we offer some capabilities around that.
But if you're using the web anonymously, means you're not logging in regardless of the platform. As soon as you log in, server-side, they know who you are.
But an important point though, Carole, is once you give Facebook your identity, now they can track you through other things. Once you're logged in, they can drop a cookie.
And I won't get into how we handle cookies, but you can either choose to save cookies or you can choose to have them purged. And we offer some capabilities around that.
But if you're using the web anonymously, means you're not logging in regardless of the platform. As soon as you log in, server-side, they know who you are.
Exactly. Okay.
One of the things we do a lot of is training for people in terms of doing secure and what we call non-attributed, where you can't be attributed back to the kind of activity you're doing.
Non-attributed access when you're doing investigations.
One of the things that you have to tell people is it just doesn't work like, it should not work like a normal browser where you order your pizza in one tab and you investigate the bitcoin transaction in another tab because you're mixing your environments there and those are all certain tells that can tell your adversary that you're conducting this investigation.
So it just shows sort of how insidious this entire internet technology stack is when you have to think that carefully about what you're doing in this application on your computer to determine whether bad guys are tracking you or not.
Non-attributed access when you're doing investigations.
One of the things that you have to tell people is it just doesn't work like, it should not work like a normal browser where you order your pizza in one tab and you investigate the bitcoin transaction in another tab because you're mixing your environments there and those are all certain tells that can tell your adversary that you're conducting this investigation.
So it just shows sort of how insidious this entire internet technology stack is when you have to think that carefully about what you're doing in this application on your computer to determine whether bad guys are tracking you or not.
It's awful. Yeah. And no, but I'm wondering if it's something that would even suit me in my line of work.
I have to do research on lots of different things that are unseemly, technologically unsound, immoral, unethical.
And from my search results, it might look, I might be getting fed information from YouTube and the like that is completely unwarranted for my interests.
I have to do research on lots of different things that are unseemly, technologically unsound, immoral, unethical.
And from my search results, it might look, I might be getting fed information from YouTube and the like that is completely unwarranted for my interests.
So we do a lot of work with media.
My second favorite story of customer acquisition was we have the ability to sign up on the web and we saw a name that was a name brand TV news anchor and signed up, took a 30-day trial, swiped his credit card and was using it.
And about 6 weeks later, we got contacted from the CISO of that media organization and did a deal with them.
So the idea of individual users using it as a way to maintain safety and anonymity online is certainly important, more so for media people.
You can keep yourself and your sources secure and basically untracked if you use our product in conjunction with some other pretty standard good messaging hygiene.
My second favorite story of customer acquisition was we have the ability to sign up on the web and we saw a name that was a name brand TV news anchor and signed up, took a 30-day trial, swiped his credit card and was using it.
And about 6 weeks later, we got contacted from the CISO of that media organization and did a deal with them.
So the idea of individual users using it as a way to maintain safety and anonymity online is certainly important, more so for media people.
You can keep yourself and your sources secure and basically untracked if you use our product in conjunction with some other pretty standard good messaging hygiene.
Yeah, very cool, Scott.
And one of the things I like about this is that you're not being tracked when you're using this, but you can see who's trying to track you as well.
And so you can begin to collect data like that with both the toolbox and Lightbeam as well, which is one of your— is that an add-on for it?
And so you can begin to collect data like that with both the toolbox and Lightbeam as well, which is one of your— is that an add-on for it?
Yeah, we have some add-ons that are in the browser that allow you to do that. The thing I'll say though is that we are not doing that and trying to track any information.
You are free to do that, but if you read our privacy policy, we're extremely clear that we don't use this platform as a way for us to collect user data or statistics and use those in any marketing or analytics type of way.
And it sort of plays against us sometimes, Graham, because a lot of security companies like to tout dashboards that say how many exploits they've blocked or how— we just don't want to express anything surrounding how our customers are using our product.
And when they encrypt their logs, we don't have access— we wouldn't have access to that even if we were so motivated.
So we've really— we give you the tools to do that and collect the information, but we're not trying to aggregate that and create side business and monetize the data like so many awful companies are.
You are free to do that, but if you read our privacy policy, we're extremely clear that we don't use this platform as a way for us to collect user data or statistics and use those in any marketing or analytics type of way.
And it sort of plays against us sometimes, Graham, because a lot of security companies like to tout dashboards that say how many exploits they've blocked or how— we just don't want to express anything surrounding how our customers are using our product.
And when they encrypt their logs, we don't have access— we wouldn't have access to that even if we were so motivated.
So we've really— we give you the tools to do that and collect the information, but we're not trying to aggregate that and create side business and monetize the data like so many awful companies are.
Well, well done to you for that, because I do think when that kind of data is collected, it can be considered rather toxic data anyway.
It's not the kind of data which you want lurking about on your drives or being collected either, because it's going to be abused by someone in marketing or they could have a data breach one day.
So yeah, who wants it, frankly? Exactly.
It's not the kind of data which you want lurking about on your drives or being collected either, because it's going to be abused by someone in marketing or they could have a data breach one day.
So yeah, who wants it, frankly? Exactly.
Now, Scott, I have one last question for you.
I see on your smashingsecurity.com/authenticate page you're offering a curated list of open-source intelligence research tools that you guys have. Tell me about that.
I see on your smashingsecurity.com/authenticate page you're offering a curated list of open-source intelligence research tools that you guys have. Tell me about that.
We've learned a lot about OSINT, which is open-source intelligence gathering, and we've spent a lot of time doing training, pulling together training programs and curricula, working with customers on improving their tradecraft.
And so we've curated this list of different open-source tools that would help people conduct their investigations.
And we like it if they want to try using those tools inside of our product.
If they don't, use a virtual environment in their local computer so they don't taint their own environment.
But as they conduct their research, this is a handy list of tools that can be used for people to dig a little bit deeper and learn more about companies or properties or regions as they conduct their investigations.
And so we've curated this list of different open-source tools that would help people conduct their investigations.
And we like it if they want to try using those tools inside of our product.
If they don't, use a virtual environment in their local computer so they don't taint their own environment.
But as they conduct their research, this is a handy list of tools that can be used for people to dig a little bit deeper and learn more about companies or properties or regions as they conduct their investigations.
Yeah, it's an extremely cool piece of research.
I know a lot of people that will love this, and the best bit is you don't even have a gate on it, which is sometimes a beautiful, beautiful thing.
So on the behalf of the tech community, I thank you for that.
I know a lot of people that will love this, and the best bit is you don't even have a gate on it, which is sometimes a beautiful, beautiful thing.
So on the behalf of the tech community, I thank you for that.
It's a nice freebie. You're welcome. And believe me, we have internal debates about that, but I think we really give something to get something, right?
Give something to get something. Exactly.
Give something to get something. Exactly.
It's like you don't want someone to buy you a beer somewhere and then ask you to get married. I mean, it's too fast. It's too fast. Exactly.
Now, says the married woman on the Also, Joseph Stalin can only download so many copies of this gateway. Arnold Aardvark from Afghanistan.
Exactly, exactly.
Scott, is there anything else that you'd like to add? It's been so great speaking with you.
Thank you, it's been great speaking with you both as well.
I would just say that this idea of a web isolation platform and Silo as a browser running in a remote environment, it sounds very simple, but as you peel back and understand more about how the browser betrays you on a daily basis, whether you're using it for your own personal social connections and the cookies are being dropped and you're being tracked, or whether you want to do some actual research on the web, it just makes no sense to let all of that arbitrary third-party code come into your environment and execute.
And it's shocking to me that we have become so cavalier about it. And literally $100 billion plus is being spent on securing the environment after people have rendered a web page.
So the last thing I would say is, if you're listening to this and that makes sense, give it a try.
I would just say that this idea of a web isolation platform and Silo as a browser running in a remote environment, it sounds very simple, but as you peel back and understand more about how the browser betrays you on a daily basis, whether you're using it for your own personal social connections and the cookies are being dropped and you're being tracked, or whether you want to do some actual research on the web, it just makes no sense to let all of that arbitrary third-party code come into your environment and execute.
And it's shocking to me that we have become so cavalier about it. And literally $100 billion plus is being spent on securing the environment after people have rendered a web page.
So the last thing I would say is, if you're listening to this and that makes sense, give it a try.
Authentic8.com. And that's Authentic with a number 8.
Authentic8. Exactly. Scott Petry, co-founder and CEO of Authentic8. Thank you so, so much for coming on. It's been an amazing pleasure to speak with you.
Carole, it's been great as well. And Graham, thank you. It's been fun.
Cheers. All right, boys, that was pretty good. Everyone happy before I stop the recording?
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guests:
Maria Varmazis:
Scott Petry – @imscottpetryShow notes:
- Coronavirus: Contact tracers in England 'locked out of accounts' — Sky News.
- TalkTalk’s ex-CEO Dido Harding heads up the UK’s Coronavirus tracing app… — Graham Cluley.
- Apparently Coronavirus-tracing scammers won’t sound professional… (Yeah, right!) — Graham Cluley.
- Huawei 5G kit must be removed from UK by 2027 — BBC News.
- US sanctions make Huawei more of a security risk, says leaked UK report — The Verge.
- A different future for telecoms in the UK — NCSC.
- Commerce Addresses Huawei’s Efforts to Undermine Entity List, Restricts Products Designed and Produced with U.S. Technologies — U.S. Department of Commerce.
- A hacker is selling details of 142 million MGM hotel guests on the dark web — ZDNet.
- WindowSwap.
- How do you pronounce "Gigawatt"? — Waldo Jaquith on Twitter.
- Metric (SI) Prefixes — NIST.
- No podcast.
- In the No Part 1 — Radiolab.
- 21 OSINT Tools for Cyber Threat Intelligence — Authentic8.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Authentic8
Silo for Research (Toolbox) from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep and dark web.
To learn how Silo for Research enables teams to timely and efficiently investigate, while ensuring maximum security and oversight to ensure compliance – including GDPR – go to smashingsecurity.com/authentic8 now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
I'm wondering where UK will be buying 5G equipment from?