
Penile penal problems, identifying rioters in Washington DC, and can a sticker protect you from radiation?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
And don’t miss our featured interview with CrowdSec’s Philippe Humeau.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello, it's Carole here from Smashing Security. I have some fantastic news. You remember how through December we decided to give all of the profits that we made from Patreon over to the local food bank? Well, we wrote the check and it was 550 pounds strong, almost 800 US dollars, which is incredible. The volunteers at the food bank were incredibly grateful and promised to put it to fantastic use of feeding people that need feeding. So thank you all. Amazing. Now it's that time to get the first show of 2021 on the road.
Smashing Security Episode 210: DC Rioters ID'd, Energy Dots, And Ransomware Gets You In A Pickle. With Carole Theriault and Graham Cluley.
Hello, hello and welcome to Smashing Security Episode 210. My name's Graham Cluley. And I'm Carole Theriault. And we're joined this week by Dave Bittner from the CyberWire and Hacking Humans. Hello, Dave. Hello, hello. It's great to be back. Happy New Year, Dave. Thank you very much. Welcome to 2021, where everything is looking rosy and wonderful and there will never be any problems ever again. Fantastic. Couldn't be better. Did you have happy holidays, Dave?
We did, actually. We took a week off between Christmas and New Year's and more or less shut the company down, which is the only way to get type A folks to stop working. So that's what we did. Are you type A? No, no, not me.
Oh, right. Definitely type B. Whatever that means. That sounds like me. Well, of course, Carole, you and I, we did that extra special thing, didn't we? We went up on the YouTube. We did our live stream, our Christmas special with some marvellous guests.
It started off pretty dirty, I've got to say.
With Geoff White and his balloon modelling. Yeah, that was pretty filthy. Mark Stockley and Maria, of course. Dave, did you manage to catch the video?
I did. I did catch the video. I'll admit my invitation must have gotten lost in the mail, but I did catch the...
You were invited. Everyone's invited to watch the show.
Watch the show. Right, right. Carole, what's coming up on the show this week? First, let's thank this week's sponsors, 1Password and CrowdSec. Their support helps us give you this show for free. I'm going to be looking at sex toys. I'm going to be taking a close look at them.
Of course you are.
Yes.
Enough. David?
I'm going to be taking a look at how people have been identifying some of the folks who ransacked the U.S. Capitol last week.
Oh, good. And I'm talking energy dots. Plus, we have a featured interview with the founder of CrowdSec, Philippe Humeau, who tells us all about how his IP technology can help save the day. So check that out. All this and much more coming up on today's episode.
Now, chums, chums, let me take you back in time to the golden era of smashing security. I'm talking about last October, episode 199. Last year. Exactly. When we had the lovely Zoe Kleinman, BBC's technology correspondent, discussing some of the fascinating work done by Pen Test Partners. Pen Test Partners, of course, have done all kinds of research into security vulnerabilities on IoT devices. And they took a close look at a device which had come out from China, but it's been sold around the world, called the Qiui Cellmate. Qiui is spelt Q-I-U-I, but pronounced Qi. It sounds innocent enough. It sounds it, doesn't it? But the Cellmate, let me tell you, if you weren't aware, is an IoT chastity lock for men.
Oh, yes, we talked about this. Yes, yes. Yes, with Zoe, that's right. Exactly. I remember, I remember.
So if you want to restrict access to your proverbials or somebody else's, perhaps, you would give them one of these, clamp it on, press a button on your little app.
Is this because someone touches themselves too much in public or something? Why does someone have one of these? I don't think you need to do that, Carole. If you're suffering from that problem, you could just wear mittens or something. No, this is more of a, it's kind of a sex toy thing. And they lock up your privates.
They lock it up on an app. What if you need to go to the loo? I think we talked about this. Yes. I think you can still drizzle through. So I think you know, good Lord, because otherwise that would be unhealthy, wouldn't it? I was thinking they look like pants. So I was assuming you're... No, it's something which clamps. I'm trying to be delicate, Carole, because I know what I want to. What was your topic? Why did you choose this topic? Because it's an important topic. Right. I was hoping that we wouldn't get too grubby.
In what way, shape, or form is this an important topic?
Yes, yes, yes. Why is this front page news on our show? Let's start 2021, you know, clean breast of things. Let's not get all muddied down in some of the filth which we've done in past episodes. Let's move forward and not just be childish and snigger at these things.
John McAfee from fulfilling his promise, wouldn't it? Exactly.
This is maybe the gadget for John McAfee. You got there right before me, Dave. I was going to tell you. The problem is, I believe Mr. McAfee is currently in a Spanish prison awaiting extradition to the States. He's got other locks on his mind. presumably then you call the person who's locked up your junk and said, hello, and they go, it's not me, it's not me.
Exactly. Exactly, because someone else has commandeered control of it. I wonder if anyone's faked that. Now, I've been looking at the source code of this ransomware. And here's an interesting little fact. For research purposes only, right? Can either of you guess what programming language the ransomware is written in? What programming language do you imagine? It must be a pun. I'm testing your pun skills. It's Python. Oh. How I chortled when I realized that. Only guys laugh at that. Women still don't understand the joke at all. Now, the good news is that if you're unlucky enough to be hit by this ransomware, you don't have to pay. You don't have to pay. live in a cell for the rest of your life. You can still go to the loo, right? Yes. You can still poop in number one and number two. You might find it hard to wash your penis afterwards, though.
Well, you know, bit of Febreze. What could possibly go wrong by getting an electronic device that's that close to your goodies wet? There are alternative ways to override the lock, which don't involve paying the ransom, which is good because you probably don't have a backup penis to rely upon. Speak for yourself. board. I remember this from last time.
unlock the sex toy. Seems like it would be a lot easier if you had a very dear friend who could help you with this endeavor. Or you can get an angle grinder as well to cut through. No, I'm not going to go into DIY with you. What's the point? But another thing to consider, Dave. If you did manage to extricate your little friend from the chastity cage, you might still be blackmailed.
put your dick somewhere stupid. Yes it's not quite the same as the lion with the thorn in its paw is it? That particular that you've shared with us there.
Well I don't know if news of this has made its way across the pond to all of you but we had a bit of a kerfuffle last week here at the U.S. Capitol.
I'm so sorry, man. It was unbelievable to watch. Yeah, it really was. And I make light of it only because, as I often say, we laugh because otherwise we would cry.
Which is interesting because if anyone saw the video live stream we did just before Christmas, I thought I was going to be zip tie guy because I, of course, had my zip tied to my shirt so that when I stood up, it pulled the zip of my trousers up. That's the story I was telling. But yes, there's a new zip tie guy in town.
He may have a few more views, Graham. You've been unseated. Yes, you're no longer alpha zip tie guy. They're a little heavy. Yeah, like dragging yourself around.
Yeah. So you use these zip ties. Now, this gentleman was dressed head to toe in camouflage. Unlike most of his companions, he was wearing a mask. And so began this online odyssey of trying to look at every possible little detail that was revealed in photographs of this guy. And I've included a link to a Twitter thread where they do just that, and they start with looking at the type of camouflage he was wearing, where it was probably purchased. He was wearing a few patches on his shirt and one of them, a telltale one, was a thin blue line patch, which is a patch that supports the police. And his was in the shape of Tennessee. So there's a bit of information. Perhaps this gentleman is from Tennessee. And then they started – people started combing through other photos from that day, from other demonstrations previously where this person may have shown up. He was wearing some patches on his hat and on the front of his body armor that were unique. And so sure enough, some folks found some photos of him outside the Capitol and he had a companion there. There was a woman who had a red hat on. And so now, even though we don't know who he is, well, maybe we start looking to try to figure out who this woman is.
Oh narrowing down people who might be wearing red hats at this particular event. I suspect there's quite a few of them.
Yeah, well, you know, you start with a large pool and then you narrow it down. Okay, but question, question, question. Don't you think that inside that would be the one place I could imagine in America where facial recognition software would be? Yes. Yes. So this particular gentleman, only his eyes were visible underneath of his baseball cap here. But people stayed at it. And by going through footage, they found a video that someone had posted from the lobby of the Grand Hyatt DC Hotel, which let me say is a bit of a swanky hotel, on the night of January 6. And sure enough, it looks like this guy with his female companion, who it turns out, wait for it, is his mom.
Was it take your mom to work day? Yeah. Well, you know. Take your mom to a riot day. Take your mom to the riot day. Do you think this stuff is a bit scary? Because I'm just remembering, wasn't it the Boston Marathon where the internet, I think it was on Reddit, but there was kind of a hunt for who was suspicious on the day. And people got it wrong, didn't they? And they got it wrong. It worries me. I certainly saw a lot of people online hunting and looking for clues as to who people were in the crowd. Yeah, because if they get it wrong, man, and you just get attacked by this mob.
Right. And to their credit, the folks who seem to be going at this in a responsible way were very specific about saying, we're not going to name names until we can get 100% verification. We're sending all this information on to the FBI so that they can do the work that they need to do. And that seems to be what happened here because update from the New York Times, this gentleman was arrested. It turns out he's a 30-year-old bartender. Looks like he let things get away from him. His mother was interviewed by the Times of London, and she was quoted as saying, I'd rather die as a 57-year-old woman than live under oppression. I'd rather die and would rather fight. So there you go.
Well, Matt, there you are. You know, it is an interesting question, this issue of people trying to work out who is who at a controversial event like this. What I quite liked was, of course, you're probably familiar with this interesting platform Parler. And there was somebody who it appears, judging by a screenshot which has been shared on Twitter, there's someone who posted up on Parler claiming to be a White House attorney. Yes. And they said the president is strongly considering pardoning all patriots who stormed the Capitol, but we need to get him the right information so he can do it in the next week and a half. If you would like a pardon, please respond below with your name, city, what crimes you think you need to be pardoned for. Yes. And share it with anyone else.
My favorite part of that is that the U.S. Justice Department actually put out a press release saying that that was not actually them. But
Thank God they did. Today, you've got to. You've got to. Yeah. Yeah. Yeah. So, you know, again, we laugh because otherwise we would cry. This is indeed frightening stuff, you know, not far from where I live. And who knows where we're going to go from here as a nation. Certainly, I know, you know, you all have your hands full with plenty of stuff over your way as well. But it's been a sobering week for us here stateside. To I'm trying to think, what have you got for us, Carole? Energy dots. I'm talking energy dots. Now, what does that word mean to you? Does it mean anything to either of you? No. Energy dots, because it did me, from our childhood. Probably the same decade, 1980s. Energy dots. Are they acid or something? Is it at a rave?
No, probably. There was a candy that came on a sheet of paper that was little dots of candy. And they were awful because you'd always get a mouthful of paper with them. That's what I can remember.
Energy dots were in Pac-Man. Those were the little dots that you grabbed. You got your little do-do-do-do-do, and that's what they were called. Yeah, yeah. So anyway, today, the term Energy Dots refers to something a little more questionable, maybe even controversial, but you guys tell me what you think, okay? So let me start with the website description of this thing, okay? Okay. Handy frequency technology discs that you can wear, stick to devices, or place around the home. Use them to rebalance, bring positive energy, and support your well-being. Oh, yeah. Okay. So, can you tell me what that is? Can you tell me what it is? So, it's IoT crystals? Is that what we're talking about?
They're stickers, right? They're basically stickers that you stick to either your phone or devices or you'll just wait what they stick it to. Right.
Graham's going to need his angle grinder.
Exactly. Right. But it's apparently it's an answer to the exposure of non-ionizing EMF radiation. So, yes. Now, Amazon has reportedly a glut of companies offering these EMF protections or EMF harmonizers. The idea is what do these things do and why are people buying them and what is going on? Right. So they say these disks do on the website. They say they've created an EMF protection device. It's called SmartDot. That's one of them. And it's programmed to retune electromagnetic frequencies emitted by your wireless devices. This sounds a little bit the holographic nanolayer catalyms that Mark Stockley was on the show last year talking about, which was nonsense as well.
It's very much that, I think. Okay, now, but I'd invite you guys to go to the website. So energydots.com. If you guys go there, it takes a long time to load. Probably because it's really popular. Oh, when I go there, it says you need to enter your username and password. It says the site is protected. energydots.com. .com. Have they shut down their website? Let's see. Because people are. There's been a bit of news. Because they've been in the papers.
Yeah, I get the same thing. Dots, right? I get the same thing. Oh, interesting. Okay, interesting, interesting. Okay, well, I'll just have to tell you what's there. So basically you affix this smart dot, this sticker-like thing, to your favorite gadgets and then await harmonizing. And I'm not sure how, sorry, you know when that hits you or how you know that your well-being is being fully supported, but there you go. Now, in the product selection they have lots of different things. They have pet dots, aqua dots, space dots. Hang on a minute, hang on. Right, so what these... You can't stick it on water. Stick it on your fish. I would go tell you if I could get to the website. Stick it on your fish. But the website's down.
If a goldfish, stick this to its tail. Maybe when you're swimming. Put it in the bathtub. Yeah. So they say at one point on the website, they say, it is the natural fields or information programmed onto the magnetic dot that does the work and creates positive change. OK, full stop. The next sentence, magnets have been used as storage devices for decades. Bank cards, videotapes, a computer, hard drive are all examples of magnetic storage. It's unrelated. Yeah. So they're basically saying because we use them to store our devices, it's good for you. We trust it. We trust magnets. It's crazy. Anyway, and the other thing I scooped up in their website is they have this set of this place where they talk about independent research. Sorry, I'm being a bit slower. What you're saying is this company, EnergyDot, sell little stickers which you stick on your equipment and it then produces harmonization and good stuff in your life. Is that right?
Why is it so complicated to you? It's completely clear from everything I've said. Oh, sorry. This is all the stuff from their website. I don't know why you're trying to dig in. Just trying to clarify. Trying to find a problem. No, no, no, you're absolutely right. You're absolutely right. It's not very clear what it does. I was looking to try and get an actual description of what it does, right? Not easy. But what they're trying to do from all these words on their website is to show that it gives you something good. And this is one of the examples they have in their independent research. It's called chickpea growth. Okay. And it says, quote, We all need a healthy living environment to thrive, and this can affect the way we think and feel, both mentally and physically. Our chickpea experiment was conducted over a 15-day period to learn more about the effects of EMFs. The results found that exposed to a mobile phone, chickpeas were unable to grow as much in comparison to alongside a mobile phone with a smart dot.
Well, there it is. That's all the evidence I need.
Yeah, there was no link to any research on that one. I'm sure it's peer-reviewed. would be interesting, Graham. If only these things were infused with copper, then we'd be on to something. Oh, they're not cheap. They're not cheap. They're about 20 quid a pop. You can get the whole gamut, a whole pack, I think, for 180 quid. So what? 250 bucks.
Oh, my goodness. Because Smashing Security stickers, if anyone wants them from our online store, are a lot less. Or if you become a patron, you'll be sent three stickers very generously.
Now, earlier today, previous guest of Smashing Security, Rory Cellan-Jones, he wrote a piece about these energy dots because they did a little digging of their own. So they went out and bought some energy dots and then they sent them. Did they buy chickpeas as well to do the experiment? They sent them to the University of Surrey for tests. And would you be surprised the test found no evidence of any effect? No. What? Like at all. Like nada. Like nothing. Energy Dots told the BBC that the stickers were programmed with scalar energy, which the scientists' equipment would be unable to detect.
What are you going to do?
I mean, so it sounds like pretty shoddy reporting by the BBC then, who didn't do it properly. You know, I'm sure there's some sort of quantum element here as well, because as we all know, things happen in the quantum realm that we simply cannot understand. But they happen. Even last year, USA Today said, look, we're doing a fact check into this, and they found no evidence, right, that the low-powered magnet would protect cell phone users from EMF radiation. Do you think that's why their website has disappeared as well? It's gone absent, because then we can't disprove any of it, because it's no longer available. It probably got hit by an EMF pulse. I read this BBC news report, and it's quite interesting, and people have to be very careful about what they believe online, surprise, surprise, because they claim to have partnered with two NHS hospitals. Oh, yeah. And the references to those hospitals have disappeared from their website, apparently, once the BBC started making inquiries, because one hospital said, well, we don't know anything about this. We haven't partnered with them. And the other hospital doesn't actually exist.
Yeah, and then they said, oh, it was a screw-up of their ad people. I know. I mean, it doesn't exist in our realm. But what about the quantum realm? I'm sure. Oh, here you go, Dave. It's an active hospital in another dimension. But you know what? Okay, so let's say I met someone on the street that was talking about all this stuff. And you know, I knew absolutely nothing about EMFs and all this stuff and blah, blah. And I would go and start Googling it, right? I would go do a search. So today I was screwing around doing different searches, and I had "5G scientists find" or "latest news on EMF radiation" or "what is EMF radiation," and all of them, the first page, I had contradictory news. Well, I can tell you from my perspective that nothing gets the conspiracy theorists out of the woodwork like mentioning an EMP pulse on our show, which is a real thing, a real possibility. You know, it's this notion that someone sets off a nuclear weapon, it creates an electromagnetic pulse, and all the computers and things stop working. There's something to that. But in terms of the top 10 threats we need to worry about of keeping the electrical grid going, it's probably not up there.
Well, thank you for mentioning it on our podcast then, Dave. I really appreciate that. Nice. Jeez. I'm spreading the love.
I'll leave you with something quite ironic. I think I'm using the term correctly, but so I of course checked out their privacy statement because why wouldn't I, and it says, "With this website there are no implied conditions, warranties, terms, representations regarding the quality, accuracy or completeness of the information," right? So they're basically saying it could all be bullshit. We're not holding ourselves accountable at anything we've said here. And then they also say, "EnergyDot's website pages do not constitute either an offer or legal or professional or medical advice. And by using this website, you confirm that you've not relied on any such content." So basically, don't trust us is the other thing it says.
Right, right. To be fair, we'd say that for our podcast as well. I mean, we would say don't believe anything we say or trust us or believe it.
For entertainment purposes only. Well, I would say that's true for one of us, clearly. I think he's saying don't blame me. It's not trust. It's about blame.
Exactly. Well, I do blame him for so many things. Anyway, but if a company says don't trust us, maybe we should listen. Maybe. I don't know.
Why are you saying that? Are you thinking I'm getting forgetful?
It's one with a one, right?
It's a great password manager. It works for home use. It works for families. It works for business. So I run a little business here at home and it means... And imagine I worked in a bigger business, right? Imagine I was part of the remote workforce. I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.
Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work, but also for home stuff more often than ever before. This kind of stuff keeps everything nicely segregated.
Listeners can find out more, and they can try 1Password for free for 14 days at 1Password.com. And thanks to them for supporting the show. Hey, Clue Clue, did you hear my CrowdSec special interview that I did?
The one at the end of this podcast?
Yeah, the one of episode 210.
Yes, yes. Yeah, I've heard it. Yeah, it's great. Yeah.
I don't know if I believe you. Just tell me everything you know about CrowdSec. Go.
Oh, okay. CrowdSec, they're building a community where you, SecOps and DevOps, can join forces around the world and actually make a difference against all the new attacks which are coming out. Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.
Okay. Tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?
Okay, yeah, they analyze your visitors' behavior. They deal with the malicious traffic. Oh, yes, they automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.
Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this. So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net slash smashing. And Smashing Security special listeners, guess what? There's a prize just for you. If you go and join the user community, find out what it is. We're dying to know. Learn more, crowdsec.net slash smashing. And thanks to CrowdSec for supporting the show.
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick Of The Week. Pick Of The Week Pick Of The Week Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related, necessarily. Well, my Pick Of The Week this week is not security-related. I think we've all been reeling from the horrendous news reports coming from America, where we saw people breaking into a building and then obviously causing some mayhem and distress and stealing stuff as well and doing a lot of damage. And that's why my pick of the week this week is a computer game all about the removal business. It's called Moving Out. And in Moving Out, which is available on Steam and also available for the Switch, PlayStation and Xbox, I've been playing it on the Nintendo Switch. You are a house removal person working with your partner. And your job is to move everything from inside the house into the removal van within a certain time limit. And of course, you have to do this in coordination because there are some things which are quite heavy, fridges, sofas.
You recently moved house, didn't you? So you are obviously quite good at this. You're no, no, no, don't touch that one.
That's right. And so it's quite amusing because, of course, you have to coordinate with your colleague in the removal business to say, you get that end, I'll get this end, and you're trying to get through the door together and you keep on bumping up against it. And eventually in this game, what you find works best is to smash the windows and throw the sofa out of the window to get it out that way. And so you're knocking things over left, right and center because you're so desperate to get things into the van to get to your next job that mayhem ensues and the craziness truly does. If you've ever played a video game like Overcooked or perhaps even closer to this, there's a great game called Totally Reliable Delivery Service. Overcooked, if you played that, Dave, you will certainly know the kind of mayhem.
Yes, I played Overcooked. It's a lot of fun.
It's a lot of fun. Well, moving out is similarly a great deal of fun. And that is why it is my pick of the week. Links in the show notes.
Hey, sounds interesting. It's good fun. Dave, what's your pick of the week?
Well, I also have a video game. You know, I puzzle games. I something that's going to take my mind away from the day-to-day things that we've been dealing with all last year, and it seems into this year as well. If you've got a problem with that, all you need is some harmonization. Maybe you should just stick a dot on your forehead.
It's true. It's true. Well, now I know. Now I know. If they get their website working, I'll order some. So a game I've been enjoying, I've been playing it on my phone. It's called PolyBridge. And this is a puzzle game where it is your job to construct bridges, mostly across bodies of water. And so it's a sort of combination of engineering skills. You have different materials that you can use to build the bridge. You have wood and steel and ropes and steel cables and things like that. You have different types of vehicles you have to get across the bridge. Some of them are light. Some of them are heavy. Some of them move fast. Some of them move slow. So do you have to learn some physics so you come away with a bit more knowledge? Do you think you're more reliable now? Could I trust you to build a bridge if you and I were walking along and there was this big stream? Are you Isambard Kingdom Brunel now? Are you capable of making some truly impressive bridges?
Yes I will say that you do get much better at this as you go along because you learn what works and what doesn't. And they start you out with very simple things. But as you go along, they get more complicated. You have to build many more things. There are hydraulics, there are drawbridges, all sorts of fun challenges that you have to make your way through. There is a PolyBridge 2, which I also recently started playing, having made my way through the original PolyBridge. And to your point, what I found was that starting out PolyBridge 2, which starts at a lower level, I can just zip right through the beginning of it because of all these skills I've learned along the way on the regular PolyBridge. But it is a fun game. It's distracting. If you like these sort of little engineering puzzle types of games, it has a whimsical nature to it as well. I highly recommend it. It's PolyBridge, and it is my pick of the week.
And where do you play it? Do you play it on Steam? Do you play on your phone?
It's in the App Store for iOS. That's where I play it. It's available on Steam.
Yes, I think I've played it on the Nintendo Switch. It's good fun, this game. I've played it as well. I'm not very good at it.
Graham, did you do anything else?
No, no, no. No time for anything else. That and the podcast, Carole.
Cool. I like the sound of this one. I think this sounds... You don't like the sound of mine? Not as much. Just the mayhem ensues, I just, yeah, I don't know. Maybe when I come over we can play it in 2025. Yeah exactly, see you then. Okay Graham, what's your pick of the week?
Well, let's start the year as we mean to go on. An audio drama, brand new 10-episode pod thriller from the BBC called The Cypher. And it all starts with a mysterious puzzle that appears online, a cryptic puzzle, and our main character, who's incredibly curious and smart-mouthed and sharp-witted and intelligent and 16, cracks the puzzle. But rather than big celebration, everything goes askew. We won't say how the details but things get exciting. She ends up hunting a serial killer at some point who seems intent on killing top-rated scientists from around the world and what's going on. Anyway, it's really fun and it's a great pandemic audio adventure because you're flying around, going to different countries, doing all kinds of crazy stuff, running around. A bit like what's his name? The guy who lives up in Jackson Hole. I can't remember his name. Harrison Ford. Harrison Ford. It's a bit like that, but with a 16-year-old girl.
Do you mean Indiana Jones? Yes, Indiana Jones. Oh, great. Okay. Now we're with you. All right. Long way to get there, but we got there, so that's good.
Only when it's only available on BBC Sounds.
I think the app's quite good, actually. I think the app on iPhone, I was playing around with it. I'm like, it's not bad. I think it's pretty good. There you go. So that's my pick of the week.
What's it called again?
The Cipher.
Marvelous. Now, Carole, I believe you've got a featured interview up your sleeve for us this week.
I do, with the founder of CrowdSec, which was very exciting. Now, this is a great interview. Not only is he super, super personable, but I got to learn a lot about his approach to security. Check it out. Okay, so I am here with the delightful Philippe Humeau. You will hear that he has a French accent, which I adore. He is the founder of CrowdSec. Now, CrowdSec is one of our sponsors. And CrowdSec is not just their company name. It is also the name of their free open source security automation tool. Now, we're going to get into that in a little bit. But first, I want to welcome you to the show. Thank you, Philippe, for coming on the show.
My pleasure. I'm really happy to be there with you and discussing. And with my strong French accent, I hope everyone will understand.
Okay, so let's start. Let's start with the landscape. So right now, we're still in the middle of the pandemic. We've got tons of big companies out there with huge remote workforces, and we are still seeing loads of hacks happening. So why is that happening? What's going on? Maybe you can just give us a bit of insight onto the environment we're looking at right now.
Yeah, absolutely. It sounds crazy, but even in 2020, we were not ready for such a remote workforce. And even the biggest companies got hacked. And even in early 2021, it's repeated again, based on what, 20 years of experience in the industry. I think there are four pillars to it. The first one would be time, because you never get to choose a time when you're attacked, right? It's a time between the zero day, zero day is when you find a new vulnerability, and when the patch is released. And when the patch is released and when you apply it. And all of this takes time. And on the attacker side, the time is counted in seconds. And on the defensive side, it's counted in weeks. And this is totally asymmetrical. But there are other points that are asymmetrical. If you think about it, like firewalls, they are not filtering much of what's really happening. Because you don't filter anyone coming to your mail, your website, your apps, your DNS and all. All of those protocols are just not filtered or barely filtered. And most of them are now encrypted. So it makes it extremely complicated for appliances to see through the traffic, see if there's something dangerous. So once again, it plays against you. Then the next one would be the perimeter. And actually, I think it's even the biggest one. Back in the 80s, CTOs had their servers in their basement, and they were happy about it because they could draw a wall around, a sort of castle around all the resources. It's almost like a water moat, and they're in control of everything. Yeah, it's kind of Alcatraz. Or if you want another image, it's fun. It's this Gandalf in the middle of the bridge in Moria saying, you shall not pass, except there are thousands of bridges and no Gandalf. So it doesn't play well. But most seriously, I mean, if you think about these cloud drives, right? Dropbox, for example, or Google Drive, whatever. And
We all use those all the time, right? For personal stuff, for work stuff.
Yeah. We store everything there. And we mix private and professional life greatly in this. There is the cloud. There are a lot of containers, SaaS. I mean, you can store things in your WordPress back office for what it's worth. We wouldn't know about it being the CTO. And then we had the pandemic. So we had the COVID-19 VPNs, as I call them. I mean, before that, some companies had some VPN. And after the COVID, all companies had VPNs. But how many of them were ready for that? How many did the job properly or did it make the proper security policies around it? So basically, now you've got the little one in the gaming room playing with the PlayStation or its Android device and bringing all the hell of the world into your central IT core system because there are no more perimeters, right?
Exactly. And from what you're saying, as the person in charge of all the traffic and managing the systems, you actually have fairly limited visibility and time to act due to how it works and due to encryption and due to lack of information you have and visibility.
Yeah, absolutely. I mean, this is why the game is rigged, but there's one more force at work and it's tremendous. It's money. We all know that this is the biggest one ever in the world. So hackers are using what? Stolen servers that they compromised before. They're using their IPs and resources. So it's for free, basically. They're using free open source tools. Some of them buy a bit, but it's mainly free open source tools and their time. And when you're on the defense side, you need to use what? Appliances that cost a hell of a lot. Licenses. You need to have DevOps and SecOps people watching over your security and creating proper environments. You need to do a pen test and so on. It's stressful. No wonder most IT people are bald. No, I'm kidding.
But no, I can understand the stress levels, right? I'd want to pull my hair out, especially now in this new world. It's scary.
And the worst part is they just have to succeed once. You have to defend and foil all of their attacks, all of them, one by one. Every single one. They just have to succeed once. Yeah. This is the crazy part. So it's totally rigged. That's why it's so asymmetrical. And that's why even big companies fell for hacking in 2020 and before.
Okay. So I see the scene now. It's very bleak. But you created this CrowdSec tool for a reason.
Someone lately told me, gave me a new way of seeing it. It's kind of a giant multiplayer firewall. And it's exactly this, actually. It's brilliant because we've been working on this for a year now, and it didn't come into my mind. The best way I could represent it before was it's a Waze of security, right? But it's this. It's a giant multiplayer firewall. So this tool is not really a firewall as such. It's foiling attacks by looking at behavior. So for example, if you knock five times on the password and it's not the right one, maybe you don't have the password and you're trying to guess it, right? It's called password brute forcing. Or if you constantly call URLs on the website that do not exist, maybe you're scanning the website and not making a legitimate use of it. Okay, so the basic layer is this. It's a behavioral standpoint. We try to assess what you're doing with the resources. So it's super simple. There are scenarios, you just apply them and it detects shenanigans in your logs, right? But this is kind of, it's known and not known, but I mean, the tool does something that maybe some other tools are doing or used to do, like Fail2ban. But we added something new to this. And the thing is the crowd. The crowd is so powerful.
The crowd. So this is all the other people, the community of users. Right. Everyone using it, if you find an attack, if you block an attack because, you know, say it was a brute force, you detected it, then you share the IP across a network. Basically, it's this. You detect an attacker, you detect its IP, and you share it all across a network. So this IP is burnt for all the users using the product. And it's extremely powerful because if you think about it, it's a bit like Waze. You don't need to know what's happening, you know, two kilometers away from you because the GPS is going to tell you there's a roadblock or, I don't know, a speed trap. And it shows you everything that's happening. And it's based only because all the users are sharing their position and speed and also what they saw on the road. And it's exactly what we're doing, but on internet. So what you're saying is whenever your tool spots something, a bad IP, it shares that bad IP with all the other community blocking it from availability. Absolutely. And the point is, we want to make, you know, if you think about it, a hacker has few resources that he really cares about. You know, his time, obviously, but the second most precious resources, it's IPs, IP addresses. You know, if he compromised like 3,000 of them, he's using them on a daily basis to, I don't know, validate credit card numbers, for example. He has stolen a credit card database and he wants to validate every number to resell them at a higher price. And what he does is using those 3,000 IPs to do so, just not to get caught with one only. But if you burn them, it's like if you're emptying the cartridges in his pocket, so he cannot fire anymore at you because one by one they get burned. Exactly. He doesn't have any more cartridges. I noticed in the beginning, I said it's a free open source security automation tool. So this is for free? How does that work? 
Yeah, we're part of those people that think, you know, open source doesn't mean being poor and walking the woods to hunt for little animals to feed yourself and so on. We think those people are extremely talented. The people that are working with us are extremely talented. Pentesters, SecOps, DevOps that have like years of experience. So those people, they should earn their money, right? So what we do is we have to find a way of monetizing this properly and in respect for the community, that is, and I shall tell it like every day again, our biggest asset. So we should never ever be aggressive toward this community. So what we do is like the softest we found is that people not partaking in identifying those bad IPs are paying to get access to this database. So even though you would not partake in the network, you could still benefit from its database, but you would pay for your access to that. Okay, so what you're saying is, if I used your tool and I said, yeah, yeah, I don't want you to see any of the IP addresses or any of the information. I don't want to take part in blocking IPs. You say, no problem. That's fine. But we're going to ask for a fee from you to use the service. That makes total sense to me. Okay, got it. Yeah. And we think it's more than enough for us to be profitable, first of all, and to have the softest possible monetizing way toward the community. Yeah, because obviously you want to pay people. I hate how often in our industry people are underpaid. You remember this SSL thing? Yeah, it was like two years ago, I think. Gross. Yeah. People that use your tool and they do decide to share their data and help the community, they get to use it for free. Is that right? Yeah, absolutely. And on top of that, we don't even export the logs, right? Because, you know, since we are based in the EU, there is a strong regulation around that, it's called GDPR. And it states basically, it's very protective toward privacy, which is great. I mean, we love it.
So we don't export logs as such. Everything is treated locally and we just get the meta. The meta being like the timestamp. When is this event happening? The IP that is involved in the shenanigans and the scenario that the IP tried to trigger, like, I don't know, password brute force or credit card stuffing or whatever it is. And this is the only information that is flowing back from you to us. So we don't export your logs. We don't want to know where you are or whatever, what you do in life. We just want to see who is attacking who. God, to hear a company say that is so great. I just hope we get more companies that say that. Tell you what. Tell us, who is the kind of person that would really benefit from this? Is this like from a home user to a small business to enterprises?
We thought it would be SMBs and small companies, you know, would be the major benefactor from this. They would really enjoy the fact that, you know, it's costless or close to, and they would, you know, instantly get better security. But in the end, the first one that asked for a contract is a very big US hosting company. Oh, there you go. Yeah. And it's kind of a tier one thing, you know? And we're like, okay, so our business model, the one that we showcase to our investors, is like, okay, you know, guys, there's a lot of SMBs out there and they want to have better security for bucks. And this is where we stand. And, you know, like in December you get a tier one demanding, okay, can we get a support contract with you guys, because we intend to deploy tens of thousands of machines, and you're like, sure, but let me call my investor because I need to tell them something first: guys, we were wrong. Yeah, I don't know. I mean, anyone can use it. If you think about it, across the industry, across 40 years of IT devices ranging from the old school IBM machine in your basement that was doing the accountancy in the bank, up until the latest Apple Watch 6, all of them have one common point. They can do web requests, HTTP requests, right? So if we can, and this is what we do, if you can enable trust in just one HTTP request, you can help things like IoT devices that are dumb as such or very limited in resources and that cannot make any smart thing to analyze security. The only thing they can do is like, OK, can I connect to this? And you can tell them, yeah, right, on the file. You can say, yeah, you could or no, you should not. And so you can protect things that are even the dumbest or the smallest possible CPU package and RAM package. And that can do any of those things.
It's certainly exciting times at CrowdSec.
Yeah, it is. We love it. We could talk all day now. Is there anything else you'd like to add? Yeah, please. I mean, it's a global thing we are trying to start. So it's just a sparkle now. And we need the community to grow. We need people to come and say, OK, we need this and that or to develop tools with us, to interact with us. I mean, money is not the stake here. I mean, we have really literally VCs knocking at the door every other day. So what we need more than money is people interacting with us, discussing with us, saying we need this, we need that, we'd like to develop this and that, how should we do it? So please come and join the crowd. We are here to back each other and we'd be delighted to discuss and interact with you guys and try the product. It's really cool and it's free.
Fantastic. Guys, you can find all the information you need at crowdsec.net slash smashing. And that's with a G. What an amazing interview. Thank you so much, Philippe Humeau, the founder of CrowdSec.
Thank you. Anytime you want, Carole.
Brilliant.
Cool. Well, that just about wraps it up for this week. Dave, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more about what you're up to. What's the best way for folks to do that?
Well, you can follow me on Twitter. It's at Bittner, B-I-T-T-N-E-R. And everything else is over on thecyberwire.com.
Cool. And you can follow us on Twitter at SmashinSecurity. No G. Twitter on the last average. And we're also on Reddit. Go and look for the Smashing Security subreddit up there. And don't forget, make sure you never miss another episode of Smashing Security. Subscribe in your favourite podcast app, such as Apple Podcasts, Pocket Casts and Spotify.
Again, big thanks to our sponsors, 1Password and CrowdSec, and to our wonderful Patreon community, all of whom help us make this show free for all. Now, if you want details of past episodes or sponsorship information, guest lists or the entire back catalogue of our 200 plus episodes of Smashing Security, check out smashingsecurity.com.
Until next time, cheerio, bye bye.
Bye-bye.
Ta-ta for now. But you know what? Very interesting to me that in watching the show, I had a revelation that Graham and I have something in common.
Okay. Is it an inherent ruggedness and squareness of chin?
Well, beyond that, beyond that. So what do we have in common? Well, Carole, do you remember some of the things that Graham talked about on the live stream?
No, I wasn't listening.
You weren't. All right. Well, let me lead into this. Let's take a little trip back together.
Yes.
The year is 1985. The Internet's domain name system has just been created. We're all holding hands and singing We Are the World together. And four post-menopausal women have just moved into a Miami condo and started calling themselves the Golden Girls.
Oh, yes, Betty White. She's still going, you know.
She is. Yeah. I'm 15 years old. I'm a sophomore in high school, and my father has just finished a term volunteering as a board member for a local nonprofit. And as a thank you for his time with this organization, they present him with a lovely leather briefcase.
Leather briefcase.
My father is very proud of this briefcase. He starts using it day by day. And one day I'm downstairs where he has his little office and I see sitting next to his desk is his old briefcase. And I say to him, Dad, what are you going to do with that old briefcase?
Please, Dad, can I have it? Please, Dad. Please.
And he says, Son, would you like to have that briefcase? I said, Yes, Daddy, I would.
It's like a Norman Rockwell painting.
Right. And so the briefcase got passed on to me and I started using this briefcase in school to carry my books, my personal effects, my papers, my pens, the various things. My calculator. Calculator. Yes, indeed. So, Graham, you and I have that in common. I'm curious, at what point did you stop using your briefcase? Because I remember the moment for me, but I want to hear yours.
I think I probably continued using it for quite some time, even after the lovely Harriet inquired why I was the only kid at school who had a briefcase. I don't think I took that as a hint. I don't remember stopping. I must have stopped at some point, but I don't recall. What happened with you?
Well, as you both know, I was very much into theater in high school. So one day after school, I went into a rehearsal for one of the shows that we were doing. And again, I'm a sophomore in high school. And I remember a young lady a couple years older than me, a senior, a beautiful statuesque young lady with long flowing red hair, a dancer. So quite beautiful, everything that a young 15-year-old boy could possibly want, but was so far out of reach. And as I walked in, she looked at me and she said, "What's with the briefcase, nerd boy?"
And immediately you set fire to it. I let it go. It dropped to the floor and kicked it to the curb.
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Show notes:
- Smashing Security's Christmas live stream — YouTube.
- Smashing Security 199: A few tech cock-ups, and one cock lock-up.
- Taking a screwdriver to unlock your IoT sex toy is nuts — Graham Cluley.
- Zip tie guy Twitter thread.
- FBI Arrests Man Who Carried Zip Ties Into Capitol — The New York Times.
- SmartDot radiation-protection phone stickers 'have no effect' — BBC News.
- Fact check: Low-powered magnets do not protect against EMF emission — USA Today.
- Moving Out game — Team 17.
- Moving Out trailer — YouTube.
- Poly Bridge — Dry Cactus.
- The Cipher — BBC Sounds.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com
CrowdSec is open-source and crowd-powered software enabling you to detect and block attacks. While sharing with its user community, you contribute to improve its efficiency and make the internet safer. Learn more and try it for yourself at crowdsec.net/smashing
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.