
We’re in celebratory mood as we celebrate our 200th episode, but there’s still time to discuss Fatima the ballerina who the UK government wants to become a cybersecurity expert, why women are quitting the tech industry, and a smartwatch which might be putting your kids at risk.
Plus don’t miss our featured interview with Mimecast’s Michael Madon.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Come on, 200, Cluley. Come on.
Seriously, well done.
Come the fuck on. That's amazing.
That is amazing.
How many podcasts do that?
1%?
Jesus Christ. And we don't even have each other. It's amazing. We should be recording.
We are.
Oh, great. The hate is what fuels you.
Fucking 200. Jesus.
Smashing Security, Episode 200. Two flipping hundred. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode Two Fucking Hundred. My name's Graham Cluley. Woo-hoo!
And I'm Carole Theriault, and you heard who we have with us.
Woo!
Maria Varmazis! Ah, 200, guys! Maria, thank you so much for coming on this extremely special episode. You know, someone was fighting you for this episode.
Really?
Oh yeah.
Well, who, Godzilla?
I'm not gonna name any names.
I didn't even know. Was it Kasparov again? That bastard.
Dave Bittner.
Oh, oh, oh, oh.
Should we just for a moment just sort of bask in the glory of having produced 200 episodes of this podcast?
Why don't we do that on our live stream at 8:00 PM UK time on Thursday, 5:00 in Boston, 2:00 PM West Coast. Graham still hasn't done the research of what time it is in Australia. And for details, you would go to smashingsecurity.com/live. Be there, be square. Graham will be so embarrassed if there's only me. Yes.
And then we will properly celebrate. We're gonna take questions, aren't we, Carole?
Yes, it's an AMA. So this is where I promise I will only speak truth. On the show.
Woo-hoo!
On the 200th show, thanks to this week's sponsors: LastPass, Immersive Labs, and Mimecast. Their support definitely helps us give you the show for free. And coming up on today's show: Graham grabs his ballerina slippers, Maria is going to look at women in tech, and I'm looking into smartwatches for kids and asking you, Maria and Graham, whether you would do this or not.
Oh boy.
Plus, we have a very fantastic featured interview with Michael Madon at Mimecast. He is the Senior VP of Security Awareness, and previously— I know he won't mind me saying that— but he used to work at the U.S. Treasury Department, and he was awarded the National Intelligence Distinguished Service Medal, and he won a Bronze Star.
Oh wow.
So he's an impressive dude with impressive things to say on how we can be safer online during these unprecedented times. I loved our chat, check it out at the end of the show.
All this and much more coming up on this 200th episode of Smashing Security.
Now, chums, as it is something of a celebration, I thought we could play a little game. We're going to play a word association game.
Oh, I love these. Okay.
I am going to say a word and I want both of you ladies to shout out the first word you think of.
Okay.
Okay.
Space.
Star Trek. Wait, that's two words.
So that's one word.
So Trek.
Alright.
Space Trek, Carole?
Yeah, yeah, no, I'd probably— I was gonna sing Star Wars or Star Trek. So that's really outrageous. I know.
Warfare.
Warfare.
Yeah, what do you think of warfare?
Iraq, actually. Isn't that weird?
Mm-hmm, okay.
That's 'cause how old I am.
Yeah.
Warfare.
Trump?
No, my answer was Stratego, the board game, because— Okay.
We'll get you on tomorrow. More for Milly Grant. Men.
Bullies.
Bullying.
Bullying.
Men.
Sex. Sex. Not men. What's that? Well, look, don't worry if you don't have an answer for me at the moment, because maybe you just don't know it yet. Because did you see all the kerfuffle on the internet this week? A kerfuffle?
Which one? Yeah, where were you looking? What hosepipe were you getting drenched by?
There was a UK government ad which was doing the rounds. People were retweeting it and sharing it on Instagram. It was turned into a meme about a young dancer called Fatima. And the ad was basically saying, she should hang up her ballet shoes and pirouette her way into a new career. So there's a picture of this girl.
Okay, yeah, can we see the ad, but rather than having your—
Yeah, well, we'll link to it in the show notes.
There's a picture of a young woman sitting on a bench. And she's obviously a ballerina.
Well, I think it's more to do with her leg spread, because that's actually quite difficult to do. Why don't you try it right now, Graham?
Carole, what's coming up on the show this week?
He will end up in traction. Don't try it.
Don't try it.
And— I've already hurt my back. I'm gonna fall off my stool.
No, definitely do it. Do it right now.
Anyway, she is tying up her little ballet pump things. And it says next to it, it says, Fatima's next job could be in cyber, brackets, she just doesn't know it yet. Rethink, reskill, and reboot. And it's all part of the Cyber First initiative run by the UK government.
And I think I know where you're going with this, and I think we're gonna have a bit of a jibaji.
Okay. Okay.
I actually— This is marvelous because I remember my own beginnings in computer security.
You were also a ballerina.
Well, actually, you know what, Maria? Actually, I was.
I didn't say you weren't.
No, Maria, stand your ground, honey. Really stand your ground on this. I'm with you 100%.
A lot of people may not realize this, but anyone who's seen my calves will know that I have quite a strong lower leg. And—
Really? Where was that when we went ice skating? When you were clinging to the edge for dear life and you literally dragged yourself around the skating rink?
All right, please tell me there's video of this.
No, no. Sadly, it was before video was widely available.
Before video existed. So the late 1800s. Okay, gotcha.
Told you he was old. Now, I know some people think ballet's for sissies and it's a piece of cake doing a pirouette. Prancing around, twirling your arms in the air.
I don't think that.
Well, no, no, no. None of us think, because frankly, ballerinas are terrifying.
Have you seen their feet close up?
That was just what I was thinking. Anyone who does that to their feet, badass.
Yeah.
I haven't been to those kind of websites for a long time. No, I haven't seen anything like that.
Weren't you going to do a foot fetish website at one point?
Let's not talk about that, please.
Not right now.
Why would you mention that on a podcast?
It's our 200th show!
It's time for us to get honest.
Yes.
Let's be real. Let's get vulnerable, Graham. Let's do this.
Maybe we should talk about this more on the livestream. Yes, let's get back on the plot. I'm of the view you don't— How am I going to edit this? I'm of the view you don't want to—
As it always is with Maria on the show. That's not this one.
Hey, it's not my fault. I think it's all you.
I'm of the view you don't want to mess with ballerinas, right? Because they're strong, they're tough, they've trained. They could, you know, wasn't that Bond villain Xenia Onatopp? She was, I think she was a ballerina.
They could strangle you with a little pirouette.
Yes.
Yes.
Black Swan, the movie.
Yeah.
Oh yeah.
So good.
Yeah.
Any road, back to the plot. So the UK government have put out this ad saying, look, ballerinas, seriously, you should be thinking about becoming cybersecurity experts instead. And I—
This ad came out last week, right?
Well, it became popular in the last week. Yes, I think it's actually been doing the rounds for about a year. Just writing notes. Yeah, we'll need that. For a year or so. So presumably they thought she would be better at running the UK's test and trace operation than a former horse jockey who used to be in charge of TalkTalk when that got hacked. That's probably their thinking. But many a cybersecurity expert might have made the mistake originally of beginning and forging a career in the arts instead.
Hush, hush.
No, for real, for real. Bruce Schneier used to be a Punch and Judy man. Did you know that?
That's not a ballet, dude.
No, but it's still the arts.
Oh, right, okay.
It is, it is.
Was he?
Yes.
That's why he's so triangular in shape.
That's really cool.
He's like a Marvel Comics—
Does he bust it out at the Vegas DEF CON parties? Because they would have trapezes there, and if you have enough to drink—
I can just see him going, taking his ponytail, swinging it behind his head, and, "I am going!" He's like, "I am a trapeze artist!" Everyone's like, "No, dude, you're plastered.
Don't do—" I don't know if he drinks or not.
Yeah, he could drink a whole bottle of vodka and still do it without any problems.
I apologize if he doesn't. And then he's like, "No, for real." And then he does it and everyone shuts up.
I don't like to suppose. I don't like to suppose, sorry.
Little known fact about little Eddie Snowden is he used to model balloons at kids' parties. Did you know that?
No. Is he going to come on the show?
That would be amazing.
We'll see. Maybe episode 201. We'll see. Anyway.
Is he who I fought with to be on episode 200? I'm gonna say that it was. I'm gonna say that it was.
Okay. Tell everyone, tell everyone.
That's going on Twitter.
People were furious about this ad, and I wanted to know what you thought of this ad, because some people were saying, this has killed the dreams of every Fatima, everyone who trained to become a ballerina or to work in the arts. And it's saying to you, yeah, your job's rubbish. You're never going to make a career out of that. Come and be cyber instead.
What do you think? It's nothing new. Every— people say stuff like this all the time. So I have a very cynical view of it as someone who left tech to pursue a career in the arts.
Oh, you went the wrong way.
I left the money to go into the arts, so yeah. Okay, Graham.
Yes. You ready for this?
Yeah, I'm ready. I'm ready. Bring it.
Okay. Why are you asking us? 'Cause we're on the show right now.
Well, yeah.
It's 200th show.
I can't ask Edward Snowden 'cause he's not turned up to episode 203. So I have to ask you, what do you think?
Okay, there is a bloody pandemic on. How many people do you think are going to the ballet right now?
Well, that's—
How many ballerinas do you think have been told, "Oh, you know what? You're so amazing. Yeah. It's just that no one's actually coming in to see you, and it doesn't really look great on screen right now, and we don't have all that sorted out for digital ballet." So maybe what's happening is the government's kind of saying these are people that could get a secondary career whilst we deal with the pandemic, earn extra skills. Yes, maybe?
I'm looking at it. Okay.
It's interesting you become a shill for the Tory government because that is pretty much— that is pretty much— Whoo! Whoo! Whoo! Fighting words. UK Chancellor Rishi's point of view is that he has been sort of pronouncing upon the fact that many people who work in the arts at the moment might want to retrain. Which did create quite a kerfuffle because other people are saying, well, it's almost a debasement of all the artistic jobs which are out there. And how would we feel if—
Well, okay, I know this is going to cause a lot of contention, but no one is forced to look at that ad and go, okay, I need to do this. Right? There's not— there's— I'm looking at the ad again. I want to— I'm looking at it now. Let me look. Okay.
I don't understand people acting this is new. A new attitude. Right. This is the prevailing attitude towards a career in the arts is that they're not real jobs. And yes. And in the UK compared to the US certainly values the arts more. There's more funding from the public compared to the United States. But here in the States especially, it's and right now during the pandemic, you can't make a living off of it very easily. And a lot of artists are told you need to have a real job in addition to your art job to survive.
And I think in the UK, people consider different artistic jobs differently. So you'll have at the very bottom, for instance, actors.
And I think they clearly are essential for the economy. Okay, so let's analyse.
You know, which frankly is just pretending to be someone, isn't it? And doing a funny voice and not walking into the furniture.
We're all very smart. Look at the ad.
And then you'll have dancers and you may have painters. But at the very top, at the very top, you have podcast co-hosts.
It says Fatima's next job could be in cyber, as though that is the most wonderful place to be. No, I don't agree with that.
Don't do it, Fatima. Don't do it. Stay a dancer, please.
I think cyber if you're kind of thinking, I'm into that kind of stuff, and yeah, you can make a decent wedge on it as well. Yeah, I mean, I know lots of freelance journalists, for example, who they say that they are freelance journalists but they have a day job to pay for that, and that sucks ass that that's happened. Yeah, I think it's the arrogance of the "could be" in cyber, like even a ballerina could be that smart, you know. There's something about the "could" that maybe is a bit jarring. And I don't like the, "She just doesn't know it yet." Yes, me neither.
Yes, this person who spends her life priming her body to be in peak physical form definitely wants to sit hunched over at a desk typing. Carpal tunnel goes so well with that pirouette. Okay, you know what? You're changing my mind.
You know what else? A bit of coaxial cable.
As I said, to me, I don't understand why people are angry as if this is a new attitude, because it's not. It's not one that I like, but it's out there all the time. Good Lord, I heard it from my dad growing up. Oh no, mine too. I studied economics. I studied computer science. I know. I think the ad had good intentions, but was a bit backhanded. I think it was just trying to encourage young people to get interested in cybersecurity.
I get that. And you know what? Normally I would say we so, so need bright young minds to come in and from all industries, right? Because you need different, you need different brains to tackle all these different problems. It's basically a social problem. How are people attacking us?
But imagine if you were Fatima and you were into ballet and you saw these big ads going on saying, oh, "Lovely that you're trying out that ballet thing, but frankly, dear, you should be doing something else." Well, I'd like to think Fatima would just go, "Fuck you, whatever, I'm sticking with ballet," if she wants to.
I'd like to think this wouldn't change her opinion of what she wants to do with her life.
Some people might be insecure. What if Mozart had been told he was wasting his time? Or Stephen Hawking, or Colonel Sanders, or someone important like that? And instead, they'd been diverted into cyber.
Many questions there, okay. Here's my follow-up question.
Should we be using the word cyber at all?
That's what I thought this one was going to be about. I thought we were going to talk about the whole cyber discussion, right? Because when I, as someone who grew up— excuse me, voice is cracking, this is how passionate I feel about this— somebody who grew up of the age of AOL chat rooms, when I hear your next job can be in cyber, my brain goes somewhere entirely different, especially when she just doesn't know it yet. I'm like, oh, that sounds like a threat. So that's— so the language of this ad is actually what gets me a little bit— wow, my voice. This today. Amazing. Because for youngsters who aren't aware, cyber used to mean a bit of hanky-panky online nookie. Yes. The BDSM community are correct. I didn't know that. I'm not kidding. You didn't know that cyber meant cybersex? That's just—
No, no, they're just angry with me for last week, and they said, oh, you sound a bit vanilla. And I'm like, yep, owning.
Sorry, I'm a bit confused because you've used the word BDSM. Okay.
As my other job, I work with lots of companies and I have to do lots of stuff. And so maybe my echo chamber is filled with the word cyber and I totally directly put it into cybersecurity. I'm drinking the Kool-Aid for 20 years now.
A lot of people do. And that's the debate right now and has been for— actually, it's been a debate for a really long time because U.S. government uses cyber a lot and then the private sector in the U.S. hates it. And there's that whole thing there. And I personally always cringe when I hear cyber, 'cause I go, ugh. Do you?
Because I saw some people being a bit snarky on Twitter this week about the word cyber. And these were the same people who were defending Fatima or whatever and say, oh, she should stay as a ballet dancer. But they're saying, oh, she shouldn't have used the word cyber. It's a fricking ad.
Does she even exist? Yeah.
Like, she could be a fricking— It's all an illusion. Yes. Cast away all your attachments. Yes. Everyone's freaking out about this.
Guys, Trump is about to be reelected. Oh God.
For God's sake, focus on what matters, goddamn it! For God's sake.
Well, I agree, Carole. I agree.
And put a bow on it, we're done.
I don't see why Maria is so upset about the use of the word cyber.
I'm not upset, I'm just Greek. I sound upset, okay?
She's not.
I thought she was.
No, no, no, I'm just—
This is the—
It's the Greek coming out.
She just thinks of sex.
Yeah, it's just— to me, cyber is cybersex. That's always what it's been. It's ASL, one of cyber. It was the thing that—
But you're way younger than me. How do you know this? Like what? What?
Did you never see The Lawnmower Man with Pierce Brosnan?
I was of the age when this stuff was going on. I was like, I was working at Sophos, obviously.
There was no sex there. So that's why I gave you these words at the beginning. Space, warfare, men, bullying, sex. Each one you can put cyber in front of. You see? Cyberspace, cyber warfare, Cybermen. You have to be a Doctor Who fan for that one. Yeah, okay. Cyberbullying, cybersex. But I didn't dare put down security because I thought that'd give it away.
You were so good. You won that round, Graham.
Well, I just think we need to relax about using the word cyber. And I think it's all right.
I think the battle is lost on cyber. Yeah, I agree. I can't, it's so annoying.
I just think all these people, 'cause what I haven't enjoyed this week in regards to this is the dog piling on. Okay, it was a dumb ad, right? And maybe it was uncool. But a bit clumsy. The amount of whinging. I agree with you. It was just like, "Oh, this is terrible." And it's just like, well, yeah, it's not great, but we don't all have to moan. And then they start complaining about the word cyber. Mikko Hypponen was a trapeze artist.
Well, what do we mean by cyber? Like in that context of that ad, what does that actually mean? Cyber what?
Pandora's box is open.
Well, they meant cybersecurity. They meant cybersecurity because it was the NCSC who were behind this.
Oh my God, Maria, I'm so— okay, okay, so we're basically— okay, are you right, Crow? Back the— back up, back up. We're rewinding the tape. Okay, so you're saying Fatima's next job could be in cybersex with brackets.
She just doesn't know it yet. 5 minutes ago we had this conversation.
Okay, I told you I was— okay, I told you I was vanilla. I didn't get it. I didn't read that. I didn't see it.
I'm not kidding. I know that that's not how that ad's supposed to be read. So my brain's going, that's not how it's meant to be read, but my brain goes there. I know I'm not the only one.
My brain's exploding.
You just figured out what I just told you 5 minutes ago.
Okay. Yes. Yes. And the government must be freaking out because that is definitely not what they meant.
No, I don't. Oh my goodness. I don't think that's— I don't think that is what anyone is saying that they meant. It's only Maria. Yeah. Who's still in the '90s, who's thinking of cybersex. That's right.
Yeah. No. Oh yeah.
Because no one else was alive in the '90s and were actually paying attention.
He's Finnish, he drinks.
No, no, no. It was just me.
It was just Maria.
I'm the only survivor of the '90s. It's true. Yep.
She is. Episode 200 and this is going on.
Maria.
Are we now just getting to the sex story?
And Edward Snowden— Have you got a story for us? Can you make it quick?
Yeah, I've got this totally not controversial topic at all.
Okay.
So it was suggested to us by a loyal listener, @ilwombato on Twitter. Oh, @ilwombato. Yes. High five, sir. Sir or ma'am or other. Yes. Not going to presume anyone's gender here. That's not that kind of podcast. The tweet that we were tagged in was this: Fact of the day, 50% of women who take a tech role drop it by the age of 35. Oh, okay.
Well, look, we've got two women here. Which one of you have dropped it by the age of 35? Me! Ah!
Well, no, Maria, take heed. Have you dropped it?
Well, here's the thing. Was I ever in one?
Oh! You're here. We're talking about cyber, not cybersex.
We're talking about cyber. Everyone knows that apart from you, Carole. Okay, so, so then—
Well, I've got to remind myself. So the quote was, "Take a tech role." Cyber was never even uttered in this. And the source of this data was a study by Accenture that came out this year. So Accenture is a big consultancy firm. They do stuff like this. Some people don't find these studies credible, whatever. I'm just going to take it at face value. Yeah, they did a huge study called Resetting Tech Culture: 5 Strategies to Keep Women in Tech, because it is a notorious problem in the industry about the pipeline and why do women leave and all this stuff. And can I ask, Maria, why did you leave tech?
Because apparently you're claiming you have left tech. Well, I kind of—
I don't know if I was ever in it. That was my follow-up statement because I worked in tech on the comms side. I was not a programmer. So is that what they mean? Are we talking about only women who code, or are we talking about women who work in the tech industry in general regardless of the role?
So I don't know. You used a computer. You used a computer. You weren't flower arranging, were you? You were—
I did flower arranging for fun after work. That's true. Okay, so get to Ikebana for real. I mean, it's a topic near and dear to me because I went to school for computer science and I was an earlier version of the pipeline problem where halfway through engineering school I changed to a completely different major. So, yeah, okay, so it's all this stuff is perception, right?
And I would say that all of our listeners who've listened to you over the many, many stories you've helped tell with us, that you are a cute geek, techy lady.
She got stutter.
You're in the club. No, she's in the club. I think she's in the club.
Maybe. I mean, yes, maybe.
You feel you're in the club. You identify.
I identify with the club. I hugely respect women who actually are software engineers as I've never been one. So I feel this study is probably talking more about them. But I know many women who are software engineers. So the stat of 50% of them leaving by 35 roughly tracks with my anecdote.
So does the survey give any descriptions of why people leave and what might we do to try and keep them?
Well, it's a huge study, so yes, there's a lot of it. And if we could go through the whole thing point by point, I don't think anything would surprise anybody, right? Because if we put forward oh, we've got a solution to this problem, I would be a bazillionaire and I would just retire right now because I'd be all set. I echo a comment that somebody made in the Twitter thread, what's the stat for men? The reasons that people leave are very different. But I wouldn't be surprised if it's not terribly dissimilar for men. By a certain age, some people just go, I can't deal with this anymore and I'm leaving.
Yeah, so I can say for me why I left, because I think I would be, according to this data, I would be one of those people that left. If you don't consider this tech and running a tech company and working with tech firms all the time. But my reason for leaving was your staff, people who were working for you.
Fuck my fucking staff.
Oh my God, they were so arrogant and "Actually, actually, come on, I think you're fine. Actually, come on, I think it's just deepening." Constantly. Okay.
Thank God he's no longer in your life, eh? Thank God you no longer have to work with him.
That bore. Oh, wait.
Also, though, I think it's a much harder climb, and I don't think men can really understand that. I'm not saying that men don't have hard climbs. I just think when I did the climb, I had a number of wins, but I also got kicked back in a way that I found quite hard. And by the end of it, I just couldn't take it anymore. It made me sick to my stomach to even support it.
That was sort of similar for me.
I had to get the fuck out was really where I got to.
So I left my last full-time job at age of 33, and I'm a few years older now. So that was for me, I left before 35. You talk to other people who work in other industries and you go, you know what, they are fulfilled with what they're doing and they're not going through half the crap that I'm going through. So why am I putting up with this? And that kind of sticks with you. And again, it really does, Carole, as you say, just a huge setback where you go, it's really hard to bounce back from it. You just go, I don't know why I'm putting up with this.
So yeah, because they loved us for our creativity. And then you're basically working with Simon Cowell the entire time. That's basically what I think corporations are to the artistic mind. Yeah, I think college pipelines have maybe gotten their act together a little more. They've gotten better at, since I was in college, helping to nurture an environment where women who want to code or work in the tech industry feel like they can be themselves. And I know in my conversations with other women who have left, some of them are engineers, some of them just in the tech industry like me, it's when you get to the corporate world, then that's when you have to really start conforming to what they think a woman corporate needs to act and behave like and look like.
I think it's a bit unfair, Carole, to say they don't shower very often. I think you should take that back.
What?
I didn't say all of them. I think they shower often. They just don't ever change their clothes.
I do think that's changing. I think things have changed quite a bit in the last 10, 15 years for men and how they have to present themselves in corporate. But the difference is huge.
Yeah, but you know what? Fuck, it's really cool. 200 fucking episode. What are you wearing right now?
Sorry, what kind of podcast is it? What the fuck? What are you wearing right now?
Really? Did you just? ASL? Yeah. I'm wearing slippers, leggings, and a jean shirt, right? And very happy indeed.
I've got my ballerina's tutu and an aqualung on at the moment.
This is weird.
This is the 200 and fucking weirdest episode we've ever done. Jeez. Amazing.
I'm glad I could be here for this.
We're gonna switch gears now, everyone. So I used to think that parents were rather overprotective before 2020 with their kids. Like, not all parents, but a number of parents, you know, what are they— what's the word— helicopter parents. Yeah. And I think I saw a lot of that with some of the people I knew, and I used to think, oh God, just let them be. But now today I'm like, whoa, if I had a kid right now in this situation, I'd be wanting to keep serious tabs on them, right?
Like, just know where you are, who you're hanging out with, what are you doing, are they infected? I don't know, just everything. Now, you guys are both parents. Do you feel different since 2020 happened and all the bullshit that came with it?
No, it's totally exactly the same.
Yeah, it's just as petrifying being a parent as ever.
I mean, so if you saw him licking somebody else's face, your kid, would you be worried?
Well, yes, I'd be worried. Why is my child licking someone's face? Of course it would be worrisome regardless of the pandemic.
If they can't be safe. Okay, fair, fair. Yes.
The fact that we've got— Maria and I have kids, not together, but we have kids.
Yeah, let's please clarify that.
It's kind of irrelevant to that. You would think any kid who was going around licking people would be a bit odd.
I can see that some parents today wouldn't want to let their kids out of their sight, you know? And also many can't because they're in homes where the parents are remote workers or stay-at-home parents and the kids are being homeschooled. All that time must be exhausting.
It'd be great if the kids were outside.
Yeah, I was just thinking a little out of sight would be nice.
Yeah. And so maybe if you wanted them a little out of sight, but you wanted to know kind of where they were and what they were doing, you might employ technology to help you out a little. And today we're going to talk about one of these little pieces of technology and see what you think. Okay. So it's called the X4 smartwatch designed by Norway-based company called— I can't remember the name— Xplora. Xplore with an X, no E-X. Oh, really?
So that's the first concern is that they've got Xplore without an E. I find that rather upsetting, especially for a kid's product. Also the fact it says smartwatch. Obviously any product which contains the word smart in its name is gonna start alarm bells ringing, isn't it?
Basically the new Xplora offers various uses, right? So it's an asset tracker, a bike tracker, pet tracker, kids smartwatch. On their official website, the Xplora watch piece of kit on sale for right now £159 instead of the retail £179. So there's a sale. They say the most advanced children's smartwatch to date. So you can swim, phone, capture great photos, and interact with recognized entertainment brands. So as parents, you guys are— I'm guessing at this point you're going, yeah, yeah, not for me. Thanks though.
Thanks. Feels a bit overkill. I mean, my son is sort of talking about wanting to wear a watch and things, and I'm trying to work out what I should get him, but this feels overkill to me. Well, it's got GPS, right?
So you'll always know where your kid is. They— you can have the messages come in, so there's SMSs they can send, and they can, you know, you can interact on the phone with them, go, where are you? You should be home for dinner, and all that kind of stuff.
But you can do this with a phone, so—
Well, yes, but a phone has a lot more capability. So this is— the idea behind this is that you can limit the functionality and that it's more ideal for a younger audience or an older, more elderly audience that might be bamboozled by all the tech.
Okay. So rather than calling it a smartwatch, they could call it a rubbish phone. Exactly. This is gonna sell well with the kids.
I'm all in. I'm all in with the rubbish phone thing.
I would actually really be intrigued by a rubbish phone. Yes.
That would be— Yeah, true, true.
Truth in advertising.
And then they have on their webpage, "As always with our products and services, they are fully GDPR compliant, making sure your data is secure and stored only in the EU. We're offering localized speaking support to you." Teams in each of our markets to ensure a world-class experience. Okay, so put that little crazy kitten in your basket. Okay, how many companies are up front, not just with complying with GDPR, but they're using it as their big sales pitch? So maybe you're feeling a little bit okay, you know, and they're based in the EU, you know, they're in Norway, they're following— you know, their data is in the EU, they're following GDPR, and the portfolio of products is basically the, the wholesale pitch is this is an effective and safe way for you parents to stay connected to your children without giving them access to the internet at too young an age by a smartphone. So that is the whole idea behind the X4 Xplora product.
All right. Okay.
At this point, I'm thinking these guys really get the concerned parent thing, right? And they get that parents are also increasingly nervous about tech and data snarling and all that kind of stuff and bad stuff, cyber stuff. So hand clap to them. You know, this is good.
I've just seen a picture of this on a kid's wrist. It's flipping enormous.
Yeah, it is. I was thinking that too.
Well, kids have small hands, right? I know. So these guys get all this, okay? And you'd be like, okay, hand clap. Well, slow that hand clap down. Get your popcorn. Okay, researchers at Mnemonic, a security firm in Norway, decided to do a little digging into this kid-friendly GDPR-compliant easy peasy to use smartwatch that's great for kids. Yeah, and what they found is inside the popular smartwatch designed exclusively for children, it contains an undocumented backdoor that makes it possible for somebody to remotely capture camera shots, wiretap voice calls, and track locations in real time. Why?
There's a camera on this thing so kids can take cool pics because it's important.
Yes, but I imagine parents would quite like to see their kids and listen to their conversations and all the rest of it, so this backdoor will be very handy, won't it, for helicopter parents? So I'm reading this in Ars Technica, right? And I was like, "What?" Okay, so for a hacker to do this, they don't have to solder something to a watch to do this, but the researchers did in order to understand how the watch worked and find the security holes.
You're gonna have to wait five minutes to find out the answer to that question, Graham. So after doing more poking around, they said sending the SMS triggered a picture to be taken on the watch and was immediately uploaded to the Xplora server. Okay, one of the researchers, Sand, wrote, there was zero indication on the watch the photo was taken. The screen remained off the entire time. So I'm reading this going, oh my God, this is serious, right? Yeah. And then they have this line about how 19 of the pre-installed apps on the watch were developed by Qihoo 360. This is a Chinese security company and app maker. Yeah. And one of the subsidiaries jointly designed the X4 with Xplora. So basically, Qihoo are in bed with Xplora here on this one, and they manufacture all the watch's hardware. Ransware. I was yakking to my husband, my smooth, super smart husband, about all this.
As opposed to your other husband? Yeah, how many have you got?
And I was telling him about the Qihoo and all this, and he went, oh, that's interesting, I think they're on the sanctions list in the States. And he checked, and indeed they are. And Dan Goodin actually mentions this later down in his article. So anyway, there's loads and loads of information on how they actually did this. Go see the links on the episode webpage. Okay, so you're thinking this watch now, you're thinking, oh, it doesn't sound so good, right? You're thinking this sounds awful that this could happen.
I know, I'm now thinking it sounds awesome because if I'm a paranoid parent, what a brilliant way to photograph where they really are as opposed to where they're—
You already have a GPS in the phone that allows you to track them. You know exactly where they are. You don't need this backdoor for doing that.
Yeah, okay.
Yep. Okay, so then I'm reading all this and I'm thinking, okay, well, how do they react? Like, what happened? So it turns out the research teams at Mnemonic contacted Xplora and said, "Hey, dudes, look what we found." And they issued a statement and they said, I'm gonna say it in short, but basically, "Thanks for telling us." And then they say, "Note, it would be really difficult to make use of this backdoor." So quote, "To make use of the functions, someone would need to know both the phone number assigned to the watch." It has a slot for a SIM card from a mobile phone carrier, right, that exists on the watch. And they would also need to know the unique encryption key hardwired into each device. So then I'm like, oh, that's a different kettle of fish, isn't it? I don't know.
Well, I don't know how the encryption works and all the rest of that, but certainly in terms of mobile phone numbers, surely you could just sort of brute force it. If you're after people who might have this particular device, then maybe you'd just run through a whole bunch of phone numbers to see which ones hit it or hit one of these devices. It may not be that you're after a specific kid. You could just be after any kid. Alright, hang on, why does it have the functionality that if you send a particularly crafted SMS, it will then take a photograph without the actual wearer being aware that it's happened?
Yes, that indeed is the question. Why the hell was that even there in the first place?
Because if you didn't have that functionality, then no one would be able to exploit it, right? Somebody forgot.
To me, and I don't know enough about this to say this with any veracity, but to me, it sounds like a weird snafu in the coding to have that in there.
Well, more than a snafu, it was obviously a deliberate choice, and it was coded for some purpose.
Okay, so this is the sitch as we see it right now, right? There's a smartwatch that they're saying, "This is for kids." It had an undocumented backdoor on the watch as detailed by the Mnemonic researchers, but by all accounts, it would be a bit of a pig to take advantage of. However, what the fuck's it doing there in the first place, guys?
Somebody put it in during product testing for some sort of easy shortcut and they forgot to take it out. Maybe.
If they said that in a response, you'd be like, oh, I totally get it.
Yeah, but would a company really admit to that? I wish they would.
Yeah. So are they pushing out an update to disable that functionality?
Yeah, they very quickly issued a patch, which is good. The response seems good.
But it sounds to me, Carole, like you're kind of thinking this is quite a cool product. Despite this?
I don't know. I'm concerned by why this thing was there in the first place. So if someone smarter than Graham thinks he is can explain that to me, right? To say how this could have accidentally been a, "Oops, how did that end up in there?" You know, I'm imagining right now there must be a lot of difficult conversation between the two technology partners that have created this watch because this is not a fun place to be. That's my view anyway. But you know, I just think, actually coming back to your point in the beginning, I'm up for basic phones. Bring back the Nokia 3310, bring me back Snake, the brick.
Yeah, the brick. I would be a fan of bringing back the brick phones, that's for sure. I would totally go back to that. Battery life, battery life.
Yeah, you find it in your bag easier because they're not so slippy and tiny.
God knows you could drop that thing.
Yes.
And I also prefer the old ringtones. Modern ringtones are rubbish. I want the old polyphonic type of their little MIDI files almost.
What I miss were the little phone charms. I had one that would light up a second before my phone call would actually arrive. Because it would be the phone was waking up. So if I had my phone on silent, I would just have this little light flashing and it was—
A visual indicator that your brain has been irradiated.
Correct. It was great. I was, this is cancer. It's on its way to my brain. No, no. All that, yeah.
This episode of Smashing Security is sponsored by LastPass. Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.
This episode of Smashing Security is also sponsored by Immersive Labs. They have created a free ebook.
In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce.
It's called Aligning Cyber Skills to the MITRE ATT&CK Framework. The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity skill strategy.
So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more.
It literally is a go-to framework. Learn more at immersivelabs.com/smashing.
And thanks to LastPass for supporting the show.
And thanks to Immersive Labs for sponsoring the show.
Today's show is sponsored by Mimecast, the number one cloud email security and resilience companion for Microsoft 365. Safeguard your organization against phishing, business email compromise, and risks of ransomware with Mimecast awareness training, an important layer of defense that picks up where Microsoft security leaves off. Mimecast's unique breed of awareness training creates real change in your people and how your organization thinks about security. The video modules are funny and engaging. The phishing test examples are from real-life emails your employees have clicked on. And the real-time dashboard gives you access to individuals' test results, allowing you to focus on the employees that need it the most. Mimecast email security and awareness training creates real change in your people. Real life, real time, real change. Learn more about the impact of security awareness training by downloading the free State of Email Security report at smashingsecurity.com/mimecasthub. Mimecast. Relentless protection. Resilient World.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. On a 200-fucking-episode, it better not be Mr. Cluley.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Really?
And Carole, it's funny that you have just been speaking about old-fashioned mobile phone games like Snake, because my pick of the week this week is a slightly retro style of game. It's called Scribble. I love Scribble! It is, you know this? I do. I love it, yes. So there's a ringing endorsement. Scribble is spelled S-K-R-I-B-B-L-E. And then .io. That is the name of the website. And it is basically, it's sort of Pictionary, isn't it? What happens is you are put into a room with about a dozen other people and one of them is nominated. They're given a word and they have to draw it on the screen with their mouse. And everyone else is trying to guess what the word is.
Can we do this? If our live YouTube thing doesn't work out very well, could we just ask people to say what to draw and then we could just, we could play Scribble.
Yeah, you can actually do a private room, so you don't have to have 12 strangers. Oh, I can get off the stage? We're gonna go screw.
And it's quite fun. And the quicker you are at it, the more points you get, and—
Who do you play with, Graham?
Well, I don't know. Complete weirdos.
I was playing with—
Do you play with your friends?
I was playing with someone called Clever Dick earlier. I don't know if that was your username, Carole, but I was playing with them just earlier today. It's a simple little game. And of course everyone— I'm terrible at drawing with a mouse. I don't have one of those, what are they called? The stylus.
Stylus or skating pad or whatever they're called, you know. But anyway, that is my pick of the week, scribble.io, but scribble is spelled in a weird way. So look at it in the show notes.
Do you play with your buds?
Scratch. Scribble. So Carole, you're the odd one out there because you've never played Scrabble.
You should do it. It's pretty good. Okay.
Yay. So my pick of the week is yet again a video game because I'm stuck at home like everybody else and video games have become—
keep you sane, keep you sane. They do.
And this game is one that I probably wouldn't normally play. I feel like most of my endorsements start that way. I wouldn't normally play this. It's not really my style. It's a game called Hades and it's by Supergiant Games. And they've made a whole bunch of amazing games like Bastion and Transistor, both of which I've enjoyed a great deal. This one— Oh, yeah, of course.
That will mean something to somebody.
So to the people who— so Hades is a game about dying over and over and over and over and over and over. And the plot of the story is basically you're the Prince of Hades, like you're Hades's son, and you're trying to escape the underworld. And you will attempt it many, many, many, many times, and you will die over and over and over. And every time you die, you learn something new, and you start over right at the beginning, but you kind of take some of that knowledge with you.
So it's like Groundhog Day with And is it physically fighting? Like, is it like, you know, like two characters having a— or is it more mental? Bill Murray, a little bit.
Oh no, it's fighting. It's a fighting game. And I'm not— OK. It gave me crazy carpal tunnel when I first started playing it because I'm just not really into that. But the game is very smart about how it designs making the fights easier if you're not a fighting type person. And normally, the kind of game where you just die over and over is not very interesting. But they work it into the plot of the story in such a way that it's actually necessary for you to advance the plot. And they turn it on its head. It's very creative. Super, super fun. And yeah, I highly recommend it. It's really fun.
Is it appropriate for all ages? Would you play this with your 3-year-old?
I have. Should I have? I don't— I mean, it's cartoony style. It's not, you know, you're controlling a tiny little sprite on the screen and you're fighting like crystal demons. I don't know what its rating is, but should I play it in front of my 3-year-old? I don't know, but I have.
So no, the internet will tell you.
Ah, you're fine, you're fine. Fantastic. And Carole, what's your pick of the week?
Well, I have a very huge kicking pick of the week for you guys. I'm not even kidding. It's super huge, because I have been working in secret with the lovely Anna Brady since the summer, and we've been grabbing tiny little moments together online, and we finally have something to show for it. And because I made the deadline of the 200th show— yay! You guys, get ready because I, Carole Theriault, announce a brand new hilarious podcast, Sticky Pickles, co-hosted with my very good friend Anna Brady, the Anna Brady that has appeared a number of times on Smashing Security. Sticky Pickles, like being stuck in a pickle. Sticky Pickles, it's all about getting stuck in a pickle and having to think on your feet about how you might get out of it. And we've obviously designed these to be as hilarious and ridiculous and cringeworthy as possible. She doesn't know my story, I don't know hers, and it has absolutely nothing to do with technology. I know, don't cry, people.
I like the sound of that. Nothing to do with technology.
So hopefully by the time this goes live, you'll be able to just go subscribe to it. But if not, you want to listen, you can go to stickypickles.com and you'll be redirected and you can listen directly. So for the next wee while, our plan is to drop a new episode every Friday at noon UK time. Your job, if you like what you hear, right, is to freaking tell me because I love doing it. But you know, if a tree falls in the forest, no one's there to hear it. Who gives a fuck, right?
So how do we get in touch with you, Carole, to talk to you about the Sticky Pickles podcast?
Well, you can email us at . We have an Instagram page, Sticky Pickles Pod. How modern! Wow. Twitter page, called Sticky Pickles. So if you like it, our plan is to make 1,000 downloads. Small potatoes for some.
I thought you were gonna say
I thought, oof. We can make our download number, that means maybe we should make more. It's just a question of logistics 'cause it actually takes a frickload of time.
It's true. Doesn't it?
And now that I'm doing 2 or 3 at a time, it's hard. So yeah, please.
So we need everyone who listens to Smashing Security who wants to hear more of Carole unleashed to download Sticky Pickles, the podcast?
1,000 episodes there.
Yes.
And download all of them, all 3 of them.
And then grab your friend's phone.
And then we go and—
Get me to 1,000. Downloading right now.
Oh no, Maria, I totally want your feedback. And we want to maybe invite guests, so that'd be a nice thing to know if we do another series of these. Please, should we have guests on the show? It adds work, but if it's worth it, we'll do it. So it's down to you guys.
I've done my bit. Maybe if anyone is running a botnet, they could download the episode multiple times.
Hint!
I'm sure somebody listening is.
Not that we would condone such activity. However.
Never! It's just a statement of fact.
I would hate that, actually. I would hate that if all the bot— Yes, because then you're thinking, oh wow, 10,000 people loved my show. No, one guy did.
Botnet dudes, vary the IP addresses.
Yeah, forget that.
Forget that idea. Cycle those IPs. Do not do that.
Listen to it. Tell me I'm funnier.
Well, you will be funnier than me because I'm not on the show. Oh, you mean funnier than Anna?
No, no, I don't think I'm funnier than Anna. Anna is funny. She's hilarious. Yes, you're funny too. You're pretty good looking. I bet most of our listeners, if they go through their podcasts on their phone, that some of them don't even have one podcast that is only presented by me.
Oh yeah. I should warn you, okay?
It's a teeny bit rude. Yeah. It's got the explicit tag for a reason.
Well, you know what a group of whales is a pod, a group of white males is a podcast.
Is that it? Yeah, well, not this one. Not this one. Sisters. Yeah, no, no, take a listen. I would really love feedback. And it's been kind of, you know, it was a pandemic panic special. That's how we did this, because we thought we need to cheer ourselves up. So it is fun, and it does get crazy.
So how sticky are these pickles? Okay, there's—
Okay, okay. I don't want to give it any weight.
So sticky.
Can I just ask a question about the name? Does pickle mean— is it a euphemism?
Do you think your penis looks like a pickle? Not if it's healthy.
I'd go to the doctor if it did.
Right. Okay. So I think you answered your own question. Okay, good. Maria. Okay, I'll give you a weird little scenario. Okay, I'm not going to give anything away, but imagine you're hosting a work party at your home. Right?
Hell on earth. Yes. Yeah, yeah. Okay.
And you have a family member there and they happen to get absolutely arseholed and do something utterly outrageous in front of your new colleagues.
Wasn't that an episode of The IT Crowd?
I don't know. I've never watched The IT Crowd. What? Okay, I'm not kidding. I know, I know, lots of people have told me that. Everyone in my whole echo chamber can't believe that, but I've never actually seen a full episode in my life.
What the fuck? Okay, all right, so I haven't stolen it.
Okay, but question is, right, in the show is what do you do now? So my— I'll set this up for Anna to be within cringeworthy, you know, oh my God, I have no idea how to handle this. And then I'll— we'll set the question, let her just try and wiggle out of it live on air.
See, I'm a chaos agent, so I would just get everybody trashed, nobody will know.
You see, you could be a guest on the show.
You know my number.
You know my number. Oh, well, listen to it. Let us know if you want to be on it. Okay, okay, okay. That's my pick of the week. StickyPickle.com. Make me proud, guys. I'm counting on you.
StickyPickleOfTheWeek.com.
Sounds fantastic.
Sticky Pickle of the Week.
Sticky Pick of the... But you know how I'm going to cheer myself up is because I believe we have a featured interview with Mimecast. Oh, cool.
Yeah. Michael Madon is coming on the show now, and you can learn loads of stuff, but also he's very funny. So enjoy. Play it.
Hit it. Punch it, Chewy.
So October is here, and that means it's Cybersecurity Month. Now, this is a very exciting thing for people within the industry, but there might be some people out there that don't even know it exists. So I've invited Michael Madon, Head of Security Awareness at Mimecast, to join us. Michael, thank you so much for coming on the show.
Hi, Carole. It's great to be back.
I'm glad because you are the guy that we need to talk about this. So it is Cybersecurity Month. Who cares? Should I care?
You know, it's funny because sort of the way you were introducing it, it did seem like sort of a holiday and it is a holiday, but not for us, right? It's really, in some ways, October begins the holiday season for hackers because they're ramping up for our actual holiday season and October is when they begin the ramp-up of their attacks. On our side, for awareness month, I think the industry, I think we picked October really because of that, because we know that the holidays are a time when people are at their most vulnerable to do things like click something that's interesting, go online to interesting sites and buy cool stuff for Aunt Mildred. But the hackers know that too. And so October is a time when we really as a community come together to inform companies, to inform people, to inform Aunt Mildred that your computer is the coolest thing ever, but it's also really, it could be very dangerous and to be vigilant when you use a phone, your computer, etc., because there are criminals out there who are literally targeting you to get your information and to do things like empty your bank account.
And it's for people who know what a roguelike is, this is a roguelike game. So none— the rooms are never the same. They're generated on the spot by the game. So you can't memorize the layout of a room or how a fight's gonna go because it's always random.
Well, yeah, and I suspect this is probably, I mean, well, I know it is the first October that we've ever had where we have a global pandemic which has forced people to work from home. So you have all these people that may have done all their online shopping within the secure perimeter of the business and now are doing a lot of that home shopping or that shopping on their home computers. Do you see that that is going to cause some problems?
Yeah, I actually see what's happening. So what was before the virus, what was happening was there was this movement of work and home and personal life just really conflating into this well, some people would say a beautiful flower, but others would say this mess, right? And so working from home and being stuck within four walls, I think has only compounded the problem, right? So I think people may be shopping at home with the home computer. They may be shopping with their work computer. I think personal and work has been just mushed together more than it, more than it ever has. I think since we started working with computers, there's never been a time where I think the separation between work and home has been less.
And so it's true, I flip-flop between doing work and then going and buying jogging pants, right?
Exactly. And it never stops, and the hackers know this. So I think what it has done, I think the virus and also compounded with just the general stress and turmoil that people feel in their, you know, the effect of the virus or a political system, is just putting people under a tremendous amount of stress. And so what does this all mean? So the hackers love this because for them this is a field day, right? It actually really is a holiday, and here's why. So typically what hackers do is they look for vulnerabilities in people, right? They look for when people are not paying attention and they literally target people with things they think they'll be interested in. So what they're really looking for is a person who's very busy, very distracted, under a lot of stress, and not paying attention. Well, welcome the great year of 2000. Here we are, right? People are under an insane amount of stress, totally distracted, and oh, and there's one more component, craving information. So the hackers are exploiting all this and they're having a field day. Hacks have gone up hundreds of times. And we see this in our own systems. And if you don't train, and if you don't train yourself and train employees, the situation becomes pretty dire.
OK, so let's start with companies. OK, so we've got all these companies. They've got their home workforce now, a brand new thing for many companies. What do you think are some of the key, what are the key things they need to address in terms of awareness? If there is any one or the three messages you need them to get across to all their employees, what would you say that is?
But before I joined Mimecast and sort of entered into the business world, I ran the intelligence shop out of the Treasury Department, the US Treasury Department. So in that capacity, we worked on issues like sanctions, right? Sanctioning Iran or Iranian entities or North Korean entities, et cetera. So often I'll get phone calls from people that I used to work with who are working with clients and have questions about treasury things. So I get a call from a former colleague of mine who said, look, I have, I represent a client. They are an engineering firm with a lot of IP, super, super cool energy stuff that's very, very important. They got hit by a ransomware attack, and the ransomware attack hit them exactly where their IP was, and they were frozen up and they couldn't work. So they were, the ransom attack was for $3 million, which they were going to pay. Yeah. So they work with their attorneys, they were going to pay it, and at the last minute, and it was all above board, and at the last minute, the attorney said, sorry, wait a minute, you can't pay this ransom because the ransomware attacker is actually associated and affiliated with a designated entity. And you can't, if someone is a designated entity by the UN or by the US, you literally can't send them money. It's like sending money to a terrorist organization, right? And how did this happen? One of their employees clicked on a link, clicked on, it was actually an SMS, you know, went through their phone. They also got the same message on their computer and they clicked that. And so their phone was completely compromised and then their work computer was completely compromised and it was one person. And actually, there's no great answer. There is no great answer. And the only right thing, which is unfortunately to say, is don't get into that situation. From a Mimecast perspective, we were built for this. I mean, we actually built the entire company virtually, but we also set the training up. 
And the reason why we set it up so it would work in a virtual environment from the beginning was not that we predicted this insanity to happen, but because training needs to meet people where they are. And people, many, many people do not want to take any sort of training behind a desk. We designed our training so that we meet people where they are and they're not always behind their desk. So what I would encourage companies to do is find a security awareness training program that really meets people, meets employees where they are, and also has a learning methodology that incorporates microlearning so that it's super short and people don't have to click through PowerPoint slides, God forbid. And the last part, which is really the most important, is that a security program that addresses the hearts and minds of the employee, right? Ultimately, cybersecurity training and awareness training is a hearts and minds campaign, right? It's about changing the way people think about security from something they have to do, like compliancy, to something they want to do, that they're committed to do, right? From compliance to commitment is really what you're looking for in a program.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't have a G, and you can also join the Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, and you really shouldn't, because we're gonna have at least another 200 fabulous episodes for you in the future. Subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts. And don't forget Sticky Pickles as well.
I've heard you talk before about having a stop and think mentality. What do you, what does that mean to you? What are you trying to suggest people should do when they're to employ that technique?
Yeah, that's exactly right. And I don't think it really has changed. So at the end of the day, if a person is getting an email that seems in any way, or a text, or honestly even a phone call, right, like a solicitation of some kind that seems in any way dodgy, chances are it is dodgy. And there's no real big downside if you think it's dodgy and it's not, so what? You've checked it out. But before you click on that link, either in your phone or on the computer or you provide any sort of personal information on the phone, which most banks, almost all banks will never require, stop and think about that and just take a tactical pause. And at the end of the day, the safest thing you can do is just delete it. And also block numbers that come in, set up email filters where things just go to spam and you don't have to look at them. And then on the corporate side is you have to have a layer of security that blocks as best as possible these phishing attacks that come in. I mean, this is the number one threat that a company has for compromise is the individual, right? So I think it's one, educate the individuals so if they see something, they take a tactical pause, take a breath and say, wait, should I really be clicking on this? Is it really worth it, it seems funny, something's misspelled or the URL doesn't make any sense or this just doesn't seem right, ignore it or delete it. And then on the company side, they have to provide protection for their employees so that their employees aren't overwhelmed with the attacks.
Do you think home users would be wiser to have two different email addresses, for instance, that they use all the time? One for their online shopping where maybe they're not 100% confident that everything is above board and then having one that they use for banking and for more of their really serious trusted work? The answer is maybe.
If you do that, but then your password's the same for everything, then it doesn't matter.
Okay, good point.
What I found, so at work, of course, we use a VPN, which is a virtual private network. And then I started using that on my home computer too, especially with working from home and the fact that we're all just more vulnerable and we're all so interconnected with each other that if a hacker really wants to get at you, right, they can compromise one of your friends and pretend to write an email from that friend, right? It won't be exactly the same, right? Likely it'll be strange, or likely they may be asking for information or asking you to send them money or saying they're in a panic and they've gotten held up. So it is very possible that one of your friends or colleagues has been compromised too. So I think a VPN is actually probably a nice way to go. It's a little bit of a pain, but it does provide extra comfort on a personal computer. And then I do think setting up different personas, that's a really good point. I do think setting up different personas that are separated from each by things always use different passwords. 100%. Always. And also multifactor authentication. Again, it's a little bit of a pain. It is so much better to use multifactor authentication. You know, places like Google or Microsoft, they all have multifactor and they've all made it pretty much as easy as possible.
The thing I think most people struggle with is there is this assumption that when they say download a new app or tool or service, they assume that the default configuration is the safest configuration. So I think they just go, "I've just set it up as a default and that means it'll be safe enough." And I think that is a really, really dangerous approach.
Totally. So a couple of things on that. That's super interesting, right? If you look at, for example, a company that's in AWS, LastPass is only as secure as you want your configuration to be. If the analogy's with your house, how secure do you want your house? You don't get your house with a bolt on it.
You get a key set, but you don't have to use it. It could be wide open. Do you want an alarm system? Do you want motion detecting? Are you actually gonna lock your door or just get the house the way it is and it doesn't come locked? So I think that that's really the analogy that people should use. I think for someone who's not necessarily sophisticated in looking at configuration, what I would say is this, if you're gonna download something, go to the actual website where that thing is. Don't download something from a link. Like I would absolutely go to the actual website or go to the App Store.
Never download something from a link. And you web providers out there, make sure it's really easy to find the page.
Now, companies who want to provide training to their employees need to get their skates on and need to do it virtually, I guess. I think that sounds great, and I think a place that our listeners can look is Mimecast. If you want more information on this, please visit smashingsecurity.com/mimecasthub, and there you can find the State of Email Security 2020 report that has been published by Mimecast.
I mean, the neatest thing is that when I sold Ataata to Mimecast and we became Mimecast Awareness Training, we were always looking for that golden nugget that actually showed that our product worked. You know, it's actually very, very hard for a company to actually prove that they work. They look at tests and they say, look, people on phishing tests have gone down to 2%, but that's a test. It's hard to really demonstrate efficacy. And what's so cool is that we just finished up research that shows definitively with 30,000 to 40,000 customers that if you don't have Mimecast awareness training, you're 5.2 times more likely to click on a bad link. I mean, that was really meaningful for us because now we can show and then continue to learn from what we're doing.
Michael Madon, thank you so much for coming on the show. You're— it's always good to have an expert that really knows their stuff. You can tell you've been in the industry a long time. I'm not saying you're long in the tooth or anything. Very long, long time. You see, I told you. Told you it's good, right?
I enjoyed all that. Excellent points. Well made. On that sticky pickled bombshell, we've just about wrapped it up for our 200— fuck. I can't even say it. Podcast. It's hard to believe we've got this far, but we have to thank all, yes, each and every one of our lovely listeners, our sponsors, our amazing guests like Maria Varmazis, who's been on the show this week.
Yay, thank you for having me.
And congratulations on 200! Thank you so much. We look great for 200, I think, don't you?
Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Twitter is still where it's at, God help it.
Okay, don't freak out, people, but as it's our 200th show, I'm sending you actual smooches on the cheek to all of you in the Smashing Security community. I know it's not safe. Kick me. Mwah. Mwah. Mwah.
It's @mvarmazis is where I am.
Mwah. You chums rock. Also, high five to this week's Smashing Security sponsors, Mimecast, LastPass, and Immersive Labs. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us. Remember to show up on Thursday, 8 o'clock UK time, smashingsecurity.com/live.
Until next time, or maybe on the livestream. Cheerio, bye-bye.
Later. Goodbye. See you Tuesday. See you Thursday.
See you next Tuesday. See you next Tuesday.
We should have put it on Tuesday. I didn't want to say it. I was just sitting here chuckling. Well, it's been a pleasure. Thank you for having me on episode 200.
That's the way to say it.
Hosts: Graham Cluley, Carole Theriault
Guest: Maria Varmazis
Show notes:
- Smashing Security LIVE STREAM!
- Fury over Government campaign suggesting ballet dancer could retrain in cyber security — London Evening Standard.
- Dying swan or lame duck? Why 'Fatima' the ballerina's next job was tripping up the government — The Guardian.
- "For those worried about Fatima she’s almost certainly not called Fatima and almost certainly will never work in cyber. The image is from a US photographer based in Atlanta, Georgia." — Ciaran Jenkins on Twitter.
- The Vocabularist: How we use the word cyber — BBC News.
- Resetting Tech Culture: 5 strategies to keep women in tech (PDF) — Accenture and Girls Who Code.
- Exposing covert surveillance backdoors in children’s smartwatches — Mnemonic.
- Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch — Ars Technica.
- Introducing the Xplora GO — YouTube.
- Commerce Department to Add Two Dozen Chinese Companies with Ties to WMD and Military Activities to the Entity List — U.S. Department of Commerce.
- Skribbl — Free Multiplayer Drawing & Guessing Game.
- Hades — Supergiant Games.
- Sticky Pickles — A new podcast by Carole Theriault and Anna Brading.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Mimecast’s State of Email Security 2020 report helps you understand the most pervasive threats and how they attack organizations at their email perimeters, from inside the organization (through compromised accounts, vulnerable insiders, social engineering), or beyond the organization’s perimeters (the domains they own and their brands via impersonation).
Grab your copy at smashingsecurity.com/mimecasthub
Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
Check out their free ebook all about the MITRE ATT&CK framework, and how you can use it as part of your cyber skills strategy and improve your security posture by identifying weaknesses. Visit immersivelabs.com/smashing now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.

Great podcast as usual, congratulations on the 200, but would people be so upset if that was a footballer?
:D :D :D