Smashing Security podcast #210: DC rioters ID’d, Energydots, and ransomware gets you in a pickle

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Penile penal problems, identifying rioters in Washington DC, and can a sticker protect you from radiation?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

And don’t miss our featured interview with CrowdSec’s Philippe Humeau.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hello, it's Carole Theriault here from Smashing Security. I have some fantastic news.

You remember how through December we decided to give all of the profits that we made from Patreon over to the local food bank?

Well, we wrote the check and it was £550 strong, almost $800 US, which is incredible.

The volunteers at the food bank were incredibly grateful and promise to put it to fantastic use of feeding people that need feeding. So thank you all. Amazing.

Now it's that time to get the first show of 2021 on the road.
GRAHAM CLULEY
I'm trying to be delicate, Carole, because I know—
CAROLE THERIAULT
What was your topic? Why did you choose this topic?
GRAHAM CLULEY
Because it's an important topic.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
I was hoping that we wouldn't get too grubby. In what way, shape, or form is this an important topic?
DAVE BITTNER
Yes.
CAROLE THERIAULT
Yes. Why is this front page news on our show?
Unknown
Smashing Security, Episode 210: DC Rioters ID'd, Energy Dots, and Ransomware Gets You in a Pickle with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 210. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by Dave Bittner from the Cyberwire and Hacking Humans. Hello, Dave.
DAVE BITTNER
Hello, hello. It's great to be back.
CAROLE THERIAULT
Happy New Year, Dave.
DAVE BITTNER
Yes, thank you very much.
GRAHAM CLULEY
Welcome to 2021, where everything is looking rosy and wonderful and there will never be any problems ever again. Fantastic.
DAVE BITTNER
Couldn't be better.
GRAHAM CLULEY
Did you have happy holidays, Dave?
DAVE BITTNER
We did, actually. We took a week off between Christmas and New Year's and more or less shut the company down, which is the only way to get Type A folks to stop working.

So that's what we did.
CAROLE THERIAULT
Are you Type A?
Unknown
No, no.
CAROLE THERIAULT
Oh, right, right.
DAVE BITTNER
No, no, no, no, no, no.
CAROLE THERIAULT
Okay, okay.
DAVE BITTNER
Some people are.
CAROLE THERIAULT
Graham, are you?
GRAHAM CLULEY
Oh, yes, I definitely am. Whatever that means. That sounds like me. Well, of course, Carole, you and I, we did that extra special thing, didn't we?

We went up on the YouTube, we did our livestream, our Christmas special with some marvelous guests.
CAROLE THERIAULT
It started off pretty dirty, I gotta say, with Geoff White.
GRAHAM CLULEY
And his balloon modeling. Yeah, that was pretty filthy. Mark Stockley and Maria, of course. Dave, did you manage to catch the video?
DAVE BITTNER
I did. I did catch the video. I'll admit my invitation must have gotten lost in the mail, but I did catch the—
CAROLE THERIAULT
I don't think so. You were invited. Everyone's invited to watch the show.
DAVE BITTNER
Yeah, watch the show.
CAROLE THERIAULT
Right, right.
GRAHAM CLULEY
Carole, what's coming up on the show this week?
CAROLE THERIAULT
First, let's thank this week's sponsors, 1Password and CrowdSec. Their support helps us give you this show for free. Now, Graham, tell us what's coming up for your bit of the show.
GRAHAM CLULEY
I'm going to be looking at sex toys. I'm going to be taking a close look at them.
CAROLE THERIAULT
Of course you are.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Enough. David?
DAVE BITTNER
I'm going to be taking a look at how people have been identifying some of the folks who ransacked the US Capitol last week.
CAROLE THERIAULT
Oh, good. And I'm talking energy dots.

Plus, we have a featured interview with the founder of CrowdSec, Philippe Humeau, who tells us all about how his IP technology can help save the day. So check that out.

All this and much more coming up on today's episode.
GRAHAM CLULEY
Now, chums, let me take you back in time to the golden era of Smashing Security. I'm talking about last October, episode 191.
CAROLE THERIAULT
Last year.
GRAHAM CLULEY
Yeah, exactly. When we had the lovely Zoe Kleinman, BBC's technology correspondent, discussing some of the fascinating work done by Pentest Partners.

Pentest Partners, of course, have done all kinds of research into security vulnerabilities on IoT devices.

And they took a close look at a device which had come out from China, but it's been sold around the world, called the Qiui Cellmate. Qiui is spelled Q-I-U-I, but pronounced key.
CAROLE THERIAULT
It sounds innocent enough.
GRAHAM CLULEY
It sounds it, doesn't it? But the Cellmate, let me tell you, if you weren't aware, is an IoT chastity lock for men.
CAROLE THERIAULT
Oh yes, we talked about this before. Yes, yes, yes, with Zoe. That's right.
Unknown
Exactly.
GRAHAM CLULEY
I remember. So if you want to restrict access to your proverbials or somebody else's perhaps, you would give them one of these, clamp it on, press a button on your little app.
CAROLE THERIAULT
What is this? Is this because someone touches themselves too much in public or something?
GRAHAM CLULEY
I don't think—
CAROLE THERIAULT
Why does someone have one of these?
GRAHAM CLULEY
I don't think you need to do that, Carole. If you're suffering from that problem, you could just wear mittens or something.
DAVE BITTNER
But it's—
GRAHAM CLULEY
No. Well, you could— No, this is more of a— it's kind of a sex toy thing. It's kind of a bit sort of—
CAROLE THERIAULT
Oh, it's got a frisson.
GRAHAM CLULEY
Is the phrase BDSM? I don't know.

I'm not really sure what that stands for, but it's something where you're in a relationship where someone says, oh no, no, no, you can't do anything with that until I give you permission.
CAROLE THERIAULT
And they lock up your privates.
GRAHAM CLULEY
They lock it up on an app.
CAROLE THERIAULT
What if you need to go to the loo? I think we talked about this. Yes.
GRAHAM CLULEY
I think you can still drizzle through. So I think you can. Good Lord. Because otherwise that would be— That would be unhealthy, wouldn't it? For the electronics.
DAVE BITTNER
I mean, let's be practical here.
CAROLE THERIAULT
I was thinking they looked like pants. So I was assuming—
GRAHAM CLULEY
No, it's something which clamps. I'm trying to be delicate, Carole, because I know how much you love—
CAROLE THERIAULT
What was your topic? Why did you choose this topic?
GRAHAM CLULEY
Because it's an important topic.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
I was hoping that we wouldn't get too grubby while talking about this.
DAVE BITTNER
In what way, shape, or form is this an important topic?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Why is this front page news on our show? Jesus.
GRAHAM CLULEY
Let's start 2021, you know, clean breast of things. Let's not get all muddied down in some of the filth which we've done in past episodes.

Let's move forward and not just be childish and snigger at these things. Now, the penetration testers, they found some troubling security vulnerabilities in the Qiui Cellmate.
CAROLE THERIAULT
Did they? Hell, surprise.
GRAHAM CLULEY
They said it opened up the door to some pretty eye-watering attacks.

They explained, how attackers could grab remote control of a wearer's penile prison and lock them up permanently unless a ransom was paid because of vulnerabilities.
CAROLE THERIAULT
Oh, it's only for boys.
GRAHAM CLULEY
Oh, for goodness' sake, ladies.
CAROLE THERIAULT
You said penile prison.
GRAHAM CLULEY
Well, I said a male chastity.
CAROLE THERIAULT
Yes. Oh, okay. Sorry, I missed that. I missed the adjective.
GRAHAM CLULEY
Yes, it is. Yes. Now, we looked at this threat. We discussed it, you know, the potential for ransoms and so forth.

It was a bit worrying, and we treated it with the gravitas it deserved, and we resolved to keep a close eye open on any developments. Well, there have now been developments.

So I wanted to be sure that any listeners of ours who use the Cellmate chastity lock, and I'm sure we've, I mean, we've got a lot of—
CAROLE THERIAULT
Tweet us.
GRAHAM CLULEY
Get in touch.
DAVE BITTNER
Asking for a friend.
GRAHAM CLULEY
Because source code of ransomware which targets these devices has now been posted on GitHub.
CAROLE THERIAULT
Of course it has.
GRAHAM CLULEY
And it takes advantage of the flaws and demands a 0.02 bitcoin ransom, which is round about $650 at the current exchange rate.

Because as you know, bitcoin prices have been zooming up, haven't they? They're— I think it's over $30,000 now, or maybe even more.

So not quite enough for John McAfee to win his bet. But, you know, it's still going quite well. So this piece of ransomware—
DAVE BITTNER
Although this device would keep John McAfee from fulfilling his promise, wouldn't it?
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
This could— this is maybe the gadget for John McAfee. You got there right before me, Dave. I was gonna put down—
GRAHAM CLULEY
The problem is, I believe Mr. McAfee is currently in a Spanish prison. Awaiting extradition to the States. So.
DAVE BITTNER
He's got other locks on his mind.
GRAHAM CLULEY
Yeah. You may not be able to receive these via Amazon. I don't know, get a delivery of one of these.

Anyway, if you get hit by the ransomware, you get this message saying, "Hahaha, I have your cock now.

Send 0.02 bitcoin to this address by this time or you'll be locked up forever." So presumably then you call the person who's locked up your junk and said, "Hello?" And they go, "It's not me, it's not me."
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Yeah. Exactly. 'Cause someone else has commandeered control of it, which is—
CAROLE THERIAULT
I wonder if anyone's faked that.
GRAHAM CLULEY
Now I've been looking at the source code of this ransomware. And here's an interesting little fact.
DAVE BITTNER
For research purposes only, right, Graham?
GRAHAM CLULEY
Can either of you guess what programming language the ransomware is written in? What programming language do you imagine it would have been written in?
DAVE BITTNER
It must be a pun.
GRAHAM CLULEY
I'm testing your pun skills. It's Python. Do you know how I chortled when I realized that?
CAROLE THERIAULT
Only guys laugh at that. Women still don't understand the joke at all.
GRAHAM CLULEY
Now, the good news is that if you're unlucky enough to be hit by this ransomware, you don't have to pay. You don't have to pay.
CAROLE THERIAULT
No, you can just live in a cell for the rest of your life. You can still go to the loo, right?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
You can still poop and number one and number two. So what's the drama?
GRAHAM CLULEY
You might find it hard to wash your penis afterwards though.
CAROLE THERIAULT
Well, you know. Bit of Febreze.
DAVE BITTNER
What could possibly go wrong by getting an electronic device that's that close to your goodies wet?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
There are alternative ways to override the lock, which don't involve paying the ransom, which is good because you probably don't have a backup penis to rely upon.
CAROLE THERIAULT
Speak for yourself.
GRAHAM CLULEY
So what you can do is you can prise open, apparently, prise open the circuit board.
CAROLE THERIAULT
I remember this from last time.
GRAHAM CLULEY
And apply a voltage with two wires.
CAROLE THERIAULT
It's right near your left bollock.
GRAHAM CLULEY
To unlock the sex toy.
DAVE BITTNER
You seem like it'd be a lot easier if you had a very dear friend who could help you with this endeavor.
GRAHAM CLULEY
Or you can get an angle grinder as well to cut through.
CAROLE THERIAULT
No, I'm not going to go into DIY with you. What's the point?
DAVE BITTNER
There's no point. There's no point.
CAROLE THERIAULT
You can't even put a light bulb in.
GRAHAM CLULEY
So another thing to consider, Dave, is if you did manage to extricate your little friend from the chastity cage—
DAVE BITTNER
Who you calling little?
GRAHAM CLULEY
Still be blackmailed. Because of course you may not want folks to know that that's where you parked your Percy.
DAVE BITTNER
Right.
GRAHAM CLULEY
So even if you can get it out, that isn't necessarily the end of the story. So I think there's some obvious morals to be learnt from this tale.
CAROLE THERIAULT
There's no morals. Don't put your dick somewhere stupid.
GRAHAM CLULEY
It's not quite the same as the lion with the thorn in its... Or is it troll, that particular moral that you've shared with us there? But yes. Good. Nice.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Happy New Year, everybody. Welcome to the show. So, Dave, what have you got for us this week?
DAVE BITTNER
Well, I don't know if news of this has made its way across the pond to all of you, but we had a bit of a kerfuffle last week here at the US Capitol.
CAROLE THERIAULT
I'm so sorry, man. It was unbelievable to watch.
DAVE BITTNER
Yeah, it really was. I make light of it only because, as I often say, we laugh because otherwise we would cry.

So some rioters took hold of the US Capitol here in DC, egged on by our president.

So I think everyone's probably aware of that story, but one thing that caught my eye in all of this was the online attempt.

Sort of open-source public attempt to try to figure out who some of these people were who stormed the Capitol building.

And one gentleman in particular got to be known as Zip-Tie Guy.
CAROLE THERIAULT
That's right. Yeah.
GRAHAM CLULEY
Which is interesting because if anyone saw the video livestream we did just before Christmas, I thought I was going to be Zip-Tie Guy because I of course, had my zip tied to my shirt so that when I stood up, it pulled the zip of my trousers up.

That's the story I was telling. But yes, there's a new zip tie guy in town.
CAROLE THERIAULT
He may have a few more views, Graham.
DAVE BITTNER
You've been unseated. Yes, you're no longer alpha zip tie guy. I hope you're able to get over it.
CAROLE THERIAULT
Yeah.
DAVE BITTNER
So this particular zip tie guy was a gentleman who made his way into the Senate chamber, and he's called zip tie guy because he had a handful of zip ties.

These are the kind of zip ties that you use instead of handcuffs.

So if you're planning on arresting or restraining a whole lot of people and you don't want to spend the money for handcuffs, handcuffs are also heavy.
CAROLE THERIAULT
That's what I was gonna say. They're a little heavy.
DAVE BITTNER
Yeah.
CAROLE THERIAULT
Like dragging yourself around.
DAVE BITTNER
Yeah. So you use these zip ties. Now, this gentleman was dressed head to toe in camouflage.
CAROLE THERIAULT
Jesus.
DAVE BITTNER
Unlike most of his companions, he was wearing a mask.

And so began this online odyssey of trying to look at every possible little detail that was revealed in photographs of this guy.

And I've included a link to a Twitter thread where they do just that. And they start with looking at the type of camouflage he was wearing, where it was probably purchased.

He was wearing a few patches on his shirt, and one of them, a telltale one, was a Thin Blue Line patch, which is a patch that supports the police, and his was in the shape of Tennessee.

So there's a bit of information. Perhaps this gentleman is from Tennessee.

And then people started combing through other photos from that day, from other demonstrations previously where this person may have shown up.

He was wearing some patches on his hat and on the front of his body armor that were unique.

And so sure enough, some folks found some photos of him outside the Capitol, and he had a companion there. There was a woman who had a red hat on.

And so now, even though we don't know who he is, well, maybe we start looking to try to figure out who this woman is.
GRAHAM CLULEY
Oh, narrowing down people who might be wearing red hats at this particular event. I suspect there's quite a few of them.
DAVE BITTNER
Yeah, well, you know, you start with a large pool and then you narrow it down.
CAROLE THERIAULT
Okay, but question, question, question. Don't you think that would be the one place I could imagine in America where facial recognition software would be de rigueur?
DAVE BITTNER
Yes.
CAROLE THERIAULT
You'd imagine that an official being the person that goes and sits at Nancy Pelosi's desk and rifles through her drawers, you'd think he'd be caught at some point on camera and be thrown through a facial recognition software.
DAVE BITTNER
Yes. So this particular gentleman, only his eyes were visible underneath of his baseball cap here. But people stayed at it.

And by going through footage, they found a video that someone had posted from the lobby of the Grand Hyatt D.C. Hotel, which, let me say, is a bit of a swanky hotel, on the night of January 6th.

And sure enough, it looks like this guy with his female companion, who it turns out— wait for it— is his mom.
GRAHAM CLULEY
Was it Take Your Mum to Work Day?
DAVE BITTNER
Yeah. Well, you know, take your mum to a riot day.
CAROLE THERIAULT
Do you think this stuff is a bit scary?

Because I'm just remembering, wasn't it the Boston Marathon where the internet, I think it was on Reddit, but there was kind of a hunt for who was suspicious on the day.
GRAHAM CLULEY
And people got it wrong, didn't they?
CAROLE THERIAULT
And they got it wrong.
GRAHAM CLULEY
It worries me. I certainly saw a lot of people online hunting and looking for clues as to who people were in the crowd.

And it always feels a little bit uncomfortable when people start naming names, doesn't it?
CAROLE THERIAULT
Yeah, because if they get it wrong, man, and you just get attacked by this mob.
DAVE BITTNER
Right.

And to their credit, the folks who seem to be going at this in a responsible way were very specific about saying, "We're not going to name names until we can get 100% verification.

We're sending all this information on to the FBI so that they can do the work that they need to do." And that seems to be what happened here because update from the New York Times, this gentleman was arrested.

It turns out he's a 30-year-old bartender. Looks like he let things get away from him.

His mother was interviewed by the Times of London and she was quoted as saying, "I'd rather die as a 57-year-old woman than live under oppression.

I'd rather die and would rather fight." Okay, well, there you are.
GRAHAM CLULEY
You know, it is an interesting question, this issue of people trying to work out who is who at a controversial event like this.

What I quite liked was, of course, you're probably familiar with this interesting platform Parler, and there was somebody who it appears, judging by a screenshot which has been shared on Twitter, there's someone who posted up on Parler claiming to be a White House attorney.

Yes.

And they said, the president is strongly considering pardoning all patriots who stormed the Capitol, but we need to get him the right information so he can do it in the next week and a half.

If you would like a pardon, please respond below with your name, city, what crimes you think you need to be pardoned for. Yes. And share it with anyone else.
DAVE BITTNER
My favorite part of that is that the US Justice Department actually put out a press release saying that that was not actually them.
CAROLE THERIAULT
Oh, thank you. Thank God they did. Like today, you've got to. You've got to.
DAVE BITTNER
Yeah. Yeah. So, again, we laugh because otherwise we would cry. This is indeed frightening stuff, not far from where I live.

And who knows where we're going to go from here as a nation. Certainly, I know you all have your hands full with plenty of stuff over your way as well.

But it's been kind of a sobering week for us here stateside.
GRAHAM CLULEY
Crazy times.
Unknown
Yep.
GRAHAM CLULEY
On that, Carole, take us out of these dark times.
CAROLE THERIAULT
I know, I'm trying to think.
GRAHAM CLULEY
What have you got for us, Carole?
CAROLE THERIAULT
Energy dots. I'm talking energy dots. Now, what does that word mean to you? Does it mean anything to either of you?
DAVE BITTNER
No.
GRAHAM CLULEY
Energy Dots.
CAROLE THERIAULT
Because it did to me, from our childhood, probably the same decade, the 1980s. Energy Dots.
GRAHAM CLULEY
Oh, are you talking— are they at a rave or—
Unknown
No.
DAVE BITTNER
Well, probably there was a candy that came on a sheet of paper that was little dots of— little dots of candy that— and they were awful because you'd always get a mouthful of paper with them.

That's when I can remember.
CAROLE THERIAULT
Energy Dots were in Pac-Man. Oh, oh, those are the little dots that you grabbed and got your little doo doo doo doo doo. And that's what they were called.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So anyway, today the term energy dots refers to something a little more questionable, maybe even controversial. But you guys tell me what you think.

Okay, so let me start with the website description of this thing. Okay. Handy frequency technology discs that you can wear, stick to devices, or place around the home.

Use them to rebalance, bring positive energy, and support your well-being.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
Okay. So can you tell me what that— can you tell me what it is?
DAVE BITTNER
Like IoT crystals? Is that what we're talking about?
CAROLE THERIAULT
They're stickers, right? They're basically stickers that you stick to either your phone or devices or— well, you'll just wait what they stick it to, right?
DAVE BITTNER
Graham's going to need his angle grinder.
CAROLE THERIAULT
Exactly right. But it's apparently an answer to the exposure of non-ionizing EMF radiation. So yes.

Now, Amazon has reportedly a glut of companies offering these EMF protections or EMF harmonizers.

The idea is, what do these things do and why are people buying them and what is going on? Right. So, here's what they say on the website these discs do.

They say they've created an EMF protection device. It's called Smart Dot. That's one of them.

And it's programmed to retune electromagnetic frequencies emitted by your wireless devices.
GRAHAM CLULEY
This sounds a little bit like the holographic nanolayer catalyzers that Mark Stockley was on the show last year talking about, which was nonsense as well.
CAROLE THERIAULT
It's very much like that, I think.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Okay, now, but I'd invite you guys to go to the website, so energydots.com. If you guys go there, it takes a long time to load.
GRAHAM CLULEY
Probably because it's really popular. Oh, when I go there, it says you need to enter your username and password. It says the site is protected.
CAROLE THERIAULT
Energy dots.
GRAHAM CLULEY
Dot com.
CAROLE THERIAULT
Dot com. Is—
GRAHAM CLULEY
Have they shut down their website?
CAROLE THERIAULT
Let's see.
GRAHAM CLULEY
Because people are—
CAROLE THERIAULT
There's been a bit of news.
GRAHAM CLULEY
Because they've been in the papers.
DAVE BITTNER
Yeah, I get the same thing.
CAROLE THERIAULT
Interesting. Dots, right?
DAVE BITTNER
Same thing.
CAROLE THERIAULT
Oh, interesting. Okay, interesting, interesting. Okay, well, I'll just have to tell you what's there.

So basically you affix this smart dot, this sticker-like thing to your favorite gadgets and then await harmonization.

And I'm not sure how you know when that hits you or how you know that your wellbeing is being fully supported, but there you go.

Now in the product selection, they have lots of different things. Like they have PetDots, AquaDots, SpaceDots.
GRAHAM CLULEY
Hang on a minute, hang on.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
So what, these are dots for your pet?
CAROLE THERIAULT
Yes, to make sure that they're at ease.
GRAHAM CLULEY
And what's an AquaDot? You can't stick it on water.
DAVE BITTNER
Stick it on your fish.
CAROLE THERIAULT
I would go tell you if I could get to the website.
DAVE BITTNER
Stick it on your fish.
CAROLE THERIAULT
But the website's down.
DAVE BITTNER
If you have a goldfish, just stick this to its tail.
CAROLE THERIAULT
Maybe when you're swimming? Like what?
DAVE BITTNER
Put it in the bathtub?
CAROLE THERIAULT
Yeah. So they say at one point on the website, they say it is the natural fields or information programmed onto the magnetic dot that does the work and creates positive change. Okay.

Full stop. The next sentence, magnets have been used as storage devices for decades. Bank cards, videotapes, a computer hard drive are all examples of magnetic storage.

It's unrelated.
Unknown
Yeah.
CAROLE THERIAULT
So they're basically saying because we use them to store our devices, it's good for you. We trust it. We trust magnets. It's crazy.

Anyway, and the other thing I scooped up on their website is they have this place where they talk about independent research, which—
GRAHAM CLULEY
Sorry, I'm being a bit slow.

What you're saying is this company, Energy Dot, sell little stickers which you stick on your equipment and it then produces harmonization and good stuff in your life. Is that right?
CAROLE THERIAULT
Why is it so complicated to you? It's completely clear from everything I've said.
GRAHAM CLULEY
Oh, sorry.
CAROLE THERIAULT
This is all the stuff from their website. I don't know why you're trying to dig in.
GRAHAM CLULEY
Just trying to clarify. Trying to find a problem?
CAROLE THERIAULT
No, no, no, you're absolutely right. You're absolutely right. It's not very clear what it does. I was looking to try and get an actual description of what it does, right? Not easy.

But what they're trying to do from all these words on their website is to show that it gives you something good.

And this is one of the examples they have in their independent research. It's called Chickpea Growth, okay?

And it says, quote, "We all need a healthy living environment to thrive, and this can affect the way we think and feel both mentally and physically.

Our chickpea experiment was conducted over a 15-day period to learn more about the effects of EMFs.

The results found that exposed to a mobile phone, chickpeas were unable to grow as much in comparison to alongside a mobile phone with a Smart Dot." So there it is.
DAVE BITTNER
That's all the evidence I need.
CAROLE THERIAULT
Yeah, there was no link to any research on that one, but I'm sure it's peer-reviewed.
GRAHAM CLULEY
Yeah, that would be interesting if it was true, though, wouldn't it? Well, that sounds kind of interesting.
DAVE BITTNER
Yes, if it were true, it would be interesting, Graham. If only these things were infused with copper, then we'd be on to something.
GRAHAM CLULEY
How much do these stickers cost?
CAROLE THERIAULT
Oh, they're not cheap. They're not cheap. They're about £20 a pop. You can get a whole pack, I think, for it was £180. So what, $250?
GRAHAM CLULEY
Oh my goodness. Because Smashing Security stickers, if anyone wants them from our online store, are a lot less than that.

Or if you become a patron, you'll be sent three stickers very generously.
CAROLE THERIAULT
Now, earlier today, previous guest of Smashing Security, Rory Cellan-Jones, wrote a piece about these energy dots because they did a little digging of their own.

So they went out and bought some energy dots and then they sent them.
GRAHAM CLULEY
Did they buy chickpeas as well to do the experiment properly?
CAROLE THERIAULT
They sent them to the University of Surrey for tests. And would you be surprised the test found no evidence of any effect?
GRAHAM CLULEY
No.
CAROLE THERIAULT
Nothing. Energy Dots told the BBC that the stickers were programmed with scalar energy, which the scientists' equipment would be unable to detect. The scalar energy—
DAVE BITTNER
What are you gonna do?
GRAHAM CLULEY
I mean, so it sounds pretty shoddy reporting by the BBC then, who didn't do it properly.
DAVE BITTNER
You know, I'm sure there's some sort of quantum element here as well, because as we all know, things happen in the quantum realm that we simply cannot understand, but they happen.

And yeah, shame on the BBC for their shoddy reporting and testing techniques. I mean, I'm on team Dot.
GRAHAM CLULEY
Fake news.
CAROLE THERIAULT
Even last year, USA Today said, look, we are doing a fact check into this and they found no evidence, right, that the low-powered magnet would protect cell phone users from EMF radiation.

Anyway, so all this is going on and the crux of this, right? So I was thinking, how does this happen? How do people fall for this?

'Cause people are, and that's why people like Rory are writing about it. We're trying to tell people this may not be very good.

There are lots of charlatans out there making a buck out of this weird kind of Venn diagram between fact and non-fact.

There's that sentence, absence of evidence is not evidence of absence.
GRAHAM CLULEY
Do you think that's why their website has disappeared as well? It's gone absent because then we can't disprove any of it because it's no longer available.
DAVE BITTNER
It probably got hit by an EMF pulse.
GRAHAM CLULEY
I heard, I read this BBC News report and it's quite interesting and people have to be very careful about what they believe online, surprise, surprise, because they claim to have partnered with two NHS hospitals.
Unknown
Oh yeah.
GRAHAM CLULEY
And the references to those hospitals have disappeared from their website apparently once the BBC started making inquiries because one hospital said, well, we don't know anything about this, we haven't partnered with them.

And the other hospital doesn't actually exist.
CAROLE THERIAULT
Yeah, and then they said, oh, it was a screw-up with their ad people. I know.
DAVE BITTNER
I mean, it doesn't exist in our realm, but what about the quantum realm? I'm sure—
GRAHAM CLULEY
Oh, here you go—
DAVE BITTNER
Hospital in another dimension.
CAROLE THERIAULT
But you know what, okay, so say, let's say I met someone on the street that was talking about all this stuff, and, you know, I knew absolutely nothing about EMFs and all this stuff and blah blah, and I would go and start Googling it, right?

I would go do a search.

So today I was screwing around doing different searches and I had "5G scientists find" or, you know, "latest news on EMF radiation" or "what is EMF radiation" and all of them, the first page, I had contradictory news.

So I'm looking at one here. I took a screenshot of one and it says "a scientist brand 5G claims complete rubbish." Right.

Another one says "5G confirmed safe by radiation watchdogs." You're thinking, okay.

And then "as a prominent scientist warned that 5G could pose health hazards." You know, that's number 4.

"Science: What are the percentage of serious health effects with 5G?" That's number 5. And these are all on the front page.

So obviously those that are trying to make a buck out of this are spending a lot of SEO money to grab the top locations of this through keywords.

And that may be where, you know, if I want to go educate myself, what am I going to do if I'm a normal Joe?

I'm going to go and Google it, or I'm going to go to a search engine, type in the keyword.

And then I think, oh, these guys are selling for 20 quid this potential harmonization which may or, you know, do something. What's the harm in me buying it?

Even if it's fake, who cares? And I don't know how to deal with that argument.
DAVE BITTNER
Yeah.
CAROLE THERIAULT
And I don't know how to deal with that argument.
DAVE BITTNER
Well, I can tell you from my perspective that nothing gets the conspiracy theorists out of the woodwork like mentioning an EMP pulse on our show, which is a, you know, and it's a real thing, a real possibility, you know, that's this notion that someone sets off a nuclear weapon, it creates an electromagnetic pulse and all the computers and things stop working.

There's something to that, but in terms of the top 10 threats we need to worry about of keeping the electrical grid going, it's probably not up there.

But let me tell you, if you even mention it in passing, people run to their local public libraries and start sending you emails about it.

It is one of those things that the folks who are into this sort of thing, electromagnetic stuff, boy, do they latch onto it and they come at you with vigor.
GRAHAM CLULEY
Well, thank you for mentioning it on our podcast then, Dave. I really appreciate that. Nice.
CAROLE THERIAULT
Jeez.
DAVE BITTNER
I just, I'm spreading the love.
CAROLE THERIAULT
I'll leave you with something quite ironic. I think I'm using the term correctly, but so I of course checked out their privacy statement because why wouldn't I?

And it says, with this website, there are no implied conditions, warranties, terms or representations regarding the quality, accuracy, or completeness of the information. Right?

So they're basically saying it could all be bullshit. We're not holding ourselves accountable for anything we've said here.

And then they also say, Energy Dot's website pages do not constitute either an offer or legal or professional or medical advice.

And by using this website, you confirm that you have not relied on any such content. So basically, don't trust us is the other thing it says.
DAVE BITTNER
Right, right.
GRAHAM CLULEY
To be fair, we'd say that for our podcast as well. I mean, we would say don't believe anything we say or trust us or believe it or, you know, don't rely on us.
DAVE BITTNER
For entertainment purposes only.
CAROLE THERIAULT
Well, I would say that's true for one of us, clearly.
DAVE BITTNER
I think he's saying, I think he's saying don't blame me. It's not trust, it's about blame.
CAROLE THERIAULT
Exactly. Well, I do blame him for so, so many things. Anyway, but if a company says don't trust us, maybe we should listen. Maybe. I don't know. Hey, Graham.
GRAHAM CLULEY
Hey.
CAROLE THERIAULT
Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?
GRAHAM CLULEY
Why are you saying that? You thinking I'm getting forgetful?
CAROLE THERIAULT
Yes, often, very. And I'm a little bit worried about it.

I suppose most of us, you know, working from home all the time. I mean, how do you even remember a password in these scenarios? Nice segue, eh?
GRAHAM CLULEY
Yeah, well, I use a good password manager. I in fact use 1Password.
CAROLE THERIAULT
1Password, that's one with a one, right?
GRAHAM CLULEY
That's right.
CAROLE THERIAULT
One password.
GRAHAM CLULEY
It's a great password manager. It works for home use. It works for families. It works for business. So I run a little business here at home.

And it means, and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online.

Make it really easy for me to create and use strong passwords or share them with my colleagues.
CAROLE THERIAULT
Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.
GRAHAM CLULEY
Yeah, and listeners can find out more, and they can try 1Password for free for 14 days at 1password.com. Thanks to them for supporting the show.
CAROLE THERIAULT
Hey, Clue Clue, did you hear my CrowdSec special interview that I did?
GRAHAM CLULEY
Well, the one at the end of this podcast?
CAROLE THERIAULT
Yeah, the one of episode 210.
GRAHAM CLULEY
Yes, yes. Yeah, I've heard it. Yeah.
DAVE BITTNER
Did you?
CAROLE THERIAULT
Yeah. Okay. I don't know if, I don't know if I believe you. Tell me everything you know about CrowdSec. Go.
GRAHAM CLULEY
Oh, okay. CrowdSec, they're building a community where SecOps and DevOps can join forces around the world.

And actually make a difference against all the new attacks which are coming out.

Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.
CAROLE THERIAULT
Okay, tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?
GRAHAM CLULEY
Okay, yeah, they analyze your visitors' behavior. They deal with the malicious traffic.

And oh yes, they automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.
CAROLE THERIAULT
Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this.

So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net/smashing. And Smashing Security special listeners, guess what?

There's a prize just for you if you go and join the user community. Find out what it is, we're dying to know. Learn more, crowdsec.net/smashing.

And thanks to CrowdSec for supporting the show.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT
Pick of the Week.
DAVE BITTNER
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related.

I think we've all been reeling from the horrendous news reports coming from America where we saw people breaking into a building and then obviously causing some mayhem and distress and stealing stuff as well and doing a lot of damage.

And that's why my pick of the week this week is a computer game all about the removal business. It's called Moving Out.

And in Moving Out, which is available on Steam and also available for the Switch, PlayStation, and Xbox— I've been playing it on the Nintendo Switch— you are a house removal person working with your partner, and your job is to move everything from inside the house into the removal van within a certain time limit.

And of course, you have to do this in coordination because there are some things which are quite heavy, like fridges, like sofas.
CAROLE THERIAULT
You recently moved house, didn't you? So you're obviously quite good at this. Is that— you're like, no, no, no, don't touch that one.
GRAHAM CLULEY
That's right. And so it's quite amusing because of course you have to coordinate with your colleague in the removal business to say, you get that end I'll get this end.

And you're trying to get through the door together and you keep bumping up against it.

And eventually in this game, what you find works best is to smash the windows and throw the sofa out of the window to get it out that way.

And so you're knocking things over left, right and center because you're so desperate to get things into the van to get to your next job that mayhem ensues and the craziness truly does.

If you've ever played a video game like Overcooked or perhaps even closer to this is a great game called Totally Reliable Delivery Service.

Overcooked, if you played that, Dave, you will certainly know the kind of mayhem.
DAVE BITTNER
Yes, I've played Overcooked. It's a lot of fun.
GRAHAM CLULEY
Well, Moving Out is similarly a great deal of fun, and that is why it is my pick of the week. Links in the show notes.
CAROLE THERIAULT
Hey, sounds interesting.
GRAHAM CLULEY
It's good fun. Dave, what's your pick of the week?
DAVE BITTNER
Well, I also have a video game. You know, I like puzzle games.

I like something that's going to take my mind away from the day-to-day things that we've been dealing with all last year. And it seems into this year as well.
GRAHAM CLULEY
And if you've got a problem with that, all you need is some harmonization. Maybe you should stick a dot on your forehead.
DAVE BITTNER
It's true. Well, now I know. I'm gonna, if they get their website working, I'll order some. So a game I've been enjoying, I've been playing it on my phone, it's called Poly Bridge.

And this is a puzzle game where it is your job to construct bridges across, mostly across bodies of water. So it's this sort of combination of engineering skills.

You have different materials that you can use to build the bridge. You have wood and steel and ropes and steel cables and things like that.

You have different types of vehicles you have to get across the bridge. Some of them are light, some of them are heavy, some of them move fast, some of them move slow.

But it has a physics simulator. So when you build your bridge and you click go, these vehicles try to go across the bridge.

And part of the fun, I will admit, is when the bridges fail, they fail catastrophically. And so, oh, wonderful fun to watch your bridge collapse and everyone go into the drink.
CAROLE THERIAULT
So do you have to learn some physics? So you come away with a bit more knowledge? Do you think you're more reliable now?

Could I trust you to build a bridge if you and I were walking along and there was this big stream and there was some wood nearby?
GRAHAM CLULEY
I need you to be some Isambard Kingdom Bittner now. Are you capable of making some truly impressive bridges?
DAVE BITTNER
Yes, I will say that you do get much better at this as you go along because you learn what works and what doesn't.

And they start you out with very simple things, but as you go along, they get more complicated; you have to build many more things.

There are hydraulics, there are drawbridges, all sorts of fun challenges that you have to make your way through.

There is a Poly Bridge 2, which I also recently started playing, having made my way through Poly Bridge, the original Poly Bridge.

And to your point, I— what I found was that starting out Poly Bridge 2, which starts at a lower level, I can just zip right through the beginning of it because of all these skills I've learned along the way.

On the regular Poly Bridge. But it is a fun game. It's distracting. If you like these sorts of little engineering puzzle types of games, it has a whimsical nature to it as well.

I highly recommend it. It's Poly Bridge and it is my pick of the week.
CAROLE THERIAULT
And where do you, where do you play it? Do you play it on Steam or?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Do you play on your phone?
DAVE BITTNER
Yes, I play on my phone. It's available in the App Store for iOS. That's where I play it.
GRAHAM CLULEY
It's available on Steam. Yes, I think I've played it on the Nintendo Switch. It's good fun, this game. I've played it as well. I'm not very good at it.
CAROLE THERIAULT
Geez, Graham, do you do anything else?
GRAHAM CLULEY
No, no, no. No time for anything else. That and the podcast, Carole.
CAROLE THERIAULT
Cool, I like the sound of this one. I think this sounds—
GRAHAM CLULEY
Oh, you don't like the sound of mine?
CAROLE THERIAULT
Not as much. Just the mayhem ensues. I just— Yeah, I don't know. Maybe when I come over, we can play it in 2025.
GRAHAM CLULEY
Yeah, exactly. See you then.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, let's start the year as we mean to go on, an audio drama. Brand new 10-episode pod thriller from the BBC called The Cipher.

And it all starts with a mysterious puzzle that appears online. A cryptic parallax.

And our main character, who's incredibly curious and smart-mouthed and sharp-witted and intelligent and 16, cracks the parallax.

But rather than a big celebration, everything goes askew. And obviously, I'll hide the details, but things get exciting.

She ends up hunting a serial killer at some point, who seems intent on killing top-rated scientists from around the world, and what's going on. Anyway, it's really fun.

And it's a great pandemic audio junket because you're flying around, going to different countries, doing all kinds of crazy stuff, running around.

A bit like, what's his name, the guy who lives up in Jackson Hole? I can't remember his name.
DAVE BITTNER
Where in the world?
CAROLE THERIAULT
I can't remember his name. Harrison Ford.
DAVE BITTNER
Harrison Ford.
CAROLE THERIAULT
It's a bit like that, but with a 16-year-old girl.
DAVE BITTNER
Do you mean Indiana Jones?
CAROLE THERIAULT
Yes.
DAVE BITTNER
Yes.
GRAHAM CLULEY
Oh, great.
DAVE BITTNER
Okay.
GRAHAM CLULEY
Now we're with you.
DAVE BITTNER
All right. Long, long way to get there, but we got there, so that's good.
CAROLE THERIAULT
I just had this complete brain fart, complete, there's nothing in there that could help me. Anyway, 10 episodes. It's a thriller. They're about 20 minutes or 30 minutes an episode.

Easily digestible. Enjoy. Find it wherever you get your podcasts, including BBC Sounds. Do you use BBC Sounds, either of you?
DAVE BITTNER
Graham?
GRAHAM CLULEY
Only when it's only available on BBC Sounds.
CAROLE THERIAULT
I think the app's quite good, actually. I think the app on iPhone, I was playing around with it, and I'm, it's not bad. I think it's pretty good. There you go.

So that's my pick of the week. What's it called again? The Cipher.
GRAHAM CLULEY
Marvellous. Now, Carole, I believe you've got a featured interview up your sleeve for us this week.
CAROLE THERIAULT
I do, with the founder of CrowdSec, which was very exciting. Now, this is a great interview.

Not only is he super, super personable, but I got to learn a lot about his approach to security. Check it out. Okay, so I am here with the delightful Philippe Humeau.

You will hear that he has a French accent, which I adore. He is the founder of CrowdSec. Now, CrowdSec is one of our sponsors.

And CrowdSec's not just their company name, it is also the name of their free open-source security automation tool. Now, we're going to get into that in a little bit.

But first, I want to welcome you to the show. Thank you, Philippe, for coming on the show.
Unknown
My pleasure. I'm really happy to be there with you and discussing. And with my strong French accent, I hope everyone will understand.
CAROLE THERIAULT
OK, so let's start. Let's start with the landscape. So right now, we're still in the middle of the pandemic.

We've got tons of big companies out there with huge remote workforces, and we are still seeing loads of hacks happening. So why is that happening? What's going on?

Maybe you can just give us a bit of insight onto the environment we're looking at right now.
Unknown
Yeah, absolutely. It sounds crazy, but even in 2020, we were not ready for such a remote workforce, you know?

And even the biggest companies got hacked, and even in the early 2020, based on what, 20 years of experience in the industry, I think there are 4 pillars to it.

The first one would be time, you know, because you never get to choose a time when you're attacked, right?

It's the time between the zero-day, zero-day is when you find a new vulnerability, and when the patch is released, and when the patch is released and when you apply it.

And all of this takes time. And on the attacker side, the time is counted in seconds, you know, and on the defense side, it's counted in weeks. And this is totally asymmetrical.

But there are other points that are asymmetrical.

If you think about it, firewalls, they are not filtering much of what's really happening because you don't filter anyone coming to your mail, your website, your apps, your DNS and all.

All of those protocols are just not filtered or barely filtered, and most of them are now encrypted, so it makes it extremely complicated for appliances to see through the traffic, see if there's something dangerous.

So once again, it plays against you. Then the next one would be the perimeter, and actually I think it's even the biggest one.

Back in the '80s, CTOs had their servers in their basement and they were happy about it because they can draw a wall around a sort of castle around all the resources.
CAROLE THERIAULT
It's almost like a watered moat and they're in control of everything.
Unknown
Yeah, it's kind of Alcatraz.

Or if you want another image that is fun, it's like this Gandalf in the middle of the bridge in the Moria Mines saying, "You shall not pass," except there are thousands of bridges and no Gandalf.

So it doesn't play well. But more seriously, I mean, if you think about these cloud drives, Dropbox, for example, or Google Drive, whatever.
CAROLE THERIAULT
And we all use those all the time, right?
GRAHAM CLULEY
Oh, yeah.
CAROLE THERIAULT
For personal stuff, for work stuff.
GRAHAM CLULEY
Yeah.
Unknown
We store everything there and we mix private and professional life greatly in this. There is the cloud, there are a lot of containers, SaaS.

I mean, you can store things in your WordPress back office for what it's worth. We wouldn't know about it being the CTO.

And then we had the pandemic, so we had the COVID-19 VPNs, as I call them. I mean, before that, some companies had some VPN, and after the COVID all companies had VPNs.

But how many of them were ready for that? How many did the job properly or made the proper security policies around it?

So basically, now you've got the little one in the gaming room playing with the PlayStation or its Android device and bringing all the hell of the world into your central IT core system because there are no more perimeters, right?
CAROLE THERIAULT
Exactly.

And from what you're saying, as the person in charge of all the traffic and managing the systems, you actually have fairly limited visibility and time to act due to how it works and due to encryption and due to lack of information you have and visibility.
Unknown
Yeah, absolutely. I mean, this is why the game is rigged, but there's one more force at work and it's tremendous. It's money.

You know, we all know that this is the biggest one ever in the world. So hackers are using what? Stolen servers, you know, that were compromised before.

They're using their IPs and resources, so it's for free basically.
Unknown
They're using free open source tools, some of them buy a bit, but it's mainly free open source tools, and their time. And when you're on defense side, you need to use what?

Appliances that cost a hell of a lot, licenses, you need to have DevOps and SecOps people watching over your security and creating a proper environment.

You need to do a pen test and so on.
CAROLE THERIAULT
It's stressful. No wonder most IT people are bald. No, I'm kidding. I'm kidding. But no, but I can understand the stress levels, right?

I'd want to pull my hair out, especially now in this new world. It's scary.
Unknown
And the worst part is they just have to succeed once. You know, you have to defend and foil all of their attacks, all of them, one by one.
CAROLE THERIAULT
Every single one.
Unknown
They just have to succeed once. Yeah, this is the crazy part. So it's totally rigged. That's why it's so asymmetrical.

And that's why even big companies fell for hacking in 2020 and before.
CAROLE THERIAULT
Okay, okay. So I see the scene now. It's very bleak. But you, you created this CrowdSec tool for a reason.
Unknown
You know, someone lately told me, gave me a new way of seeing it. It's kind of a giant multiplayer firewall.
DAVE BITTNER
Firewall.
Unknown
And it's exactly this, actually. It's brilliant because we've been working on this for a year now, and it didn't come into my mind.

The best way I could represent it before was it's a Waze of security, right?
CAROLE THERIAULT
Yeah.
Unknown
So, but it's this, it's a giant multiplayer firewall. So this tool is not really a firewall as such. It's foiling attacks by looking at behavior.

So for example, if you knock 5 times the password and it's not the right one, maybe you don't have the password and you're trying to guess it, right?

It's called password brute forcing.
Unknown
Or if you constantly call URLs on the website that do not exist, maybe you are scanning the website and not making a legitimate use of it.

Okay, so the basic layer is this: it's behavioral standpoint. We try to assess what you're doing with the resources. So it's super simple.

There are scenarios, you just apply them, and it detects shenanigans in your logs, right?
Unknown
But this is kind of, it's known and not known. But I mean, the tool does something that maybe some other tools are doing or used to do, like fail2ban.

But we added something new to this. And the thing is the crowd. The crowd is so powerful.
CAROLE THERIAULT
The crowd, so this is all the other people, the community of users, right?
Unknown
Everyone using it. If you foil an attack, if you block an attack because, you know, say it was a brute force, you detected it, then you share the IP across the network.
CAROLE THERIAULT
Right.
Unknown
Basically it's this: you detect an attacker, you detect its IP, and you share it all across the network. So this IP is burnt for all the users using the product.

And it's extremely powerful because if you think about it, it's a bit like Waze.

You don't need to know what's happening, you know, 2 kilometers away from you because the GPS is going to tell you there's a roadblock or, I don't know, a speed trap or, and it shows you everything that's happening.
Unknown
And it's based only because all the users are sharing their position and speed and also what they saw on the road. And it's exactly what we're doing, but on the internet.
CAROLE THERIAULT
So what you're saying is whenever your tool spots something, a bad IP, it shares that bad IP with all the other community, blocking it from availability.
Unknown
Absolutely. And the point is we want to make, you know, if you think about it, a hacker has a few resources that he really cares about, you know? It's time, obviously.

But the second most precious resource is IPs, IP addresses.

You know, if he compromised 3,000 of them, he's using them on a daily basis to, I don't know, validate credit card numbers, for example.

He has stolen a credit card database and he wants to validate every number to resell them at a higher price.

And what he does is using those 3,000 IPs to do so, just not to get caught with one only. But if you burn them, it's as if you're emptying the cartridges in his pocket, you know?

So he cannot fire anymore at you because one by one they get burned.
CAROLE THERIAULT
Exactly.
Unknown
In the end, he doesn't have any more cartridges.
CAROLE THERIAULT
I noticed in the beginning I said it's a free open-source security automation tool. So this is for free? How does that work?
Unknown
Yeah, we're part of those people that think open source doesn't mean being poor and walking in the woods to hunt for little animals to feed your family.

We think those people are extremely talented. The people that are working with us are extremely talented pentesters, SecOps, DevOps that have years of experience.

So those people, they should earn their money, right?

So what we do is we have to find a way of monetizing this properly and in respect for the community that is—and I shall tell it every day again—our biggest asset.

So we should never ever be aggressive toward this community. So what we found is that people not partaking in identifying those bad IPs are paying to get access to this database.

So even though you would not partake in the network, you could still benefit from its database, but you would pay for your access to that.
CAROLE THERIAULT
Okay.

So what you're saying is if I used your tool and I said, yeah, yeah, I don't want you to see any of the IP address or any of the information, I don't want to take part in blocking IPs, you say, no problem, that's fine, but we're going to ask for a fee from you to use the service.

That makes total sense to me.
Unknown
Absolutely.
CAROLE THERIAULT
Okay, got it. Yep.
Unknown
And we think it's more than enough for us to be profitable, first of all, and to have the softest possible monetizing way toward the community.
CAROLE THERIAULT
Yeah, because obviously you want to pay people. I hate how often in our industry people are underpaid.
Unknown
You remember this SSL thing? Yeah, it was 2 years ago, I think.
CAROLE THERIAULT
Tell me, tell me.
Unknown
There was a vulnerability in the SSL library, right?
CAROLE THERIAULT
Yes.
Unknown
And everyone on earth is using it, banks, major businesses, all of them, they rely on this SSL library.

And then the developers were pointed, finger pointed, okay guys, you did crap. How could you let that pass? And so on. Those guys were working for free.

I mean, tons of business were making money out of it and those guys were working for free.
CAROLE THERIAULT
It's outrageous.
Unknown
That's so gross. Gross.
CAROLE THERIAULT
Yeah, yeah, gross. Yeah. People that use your tool and they do decide to share their data and help the community, they get to use it for free, is that right?
Unknown
Yeah, absolutely. And on top of that, we don't even export the logs, right? Because, you know, since we are based in the EU, there is a strong regulation around that, called GDPR.

And it states basically, it's very protective toward privacy, which is great. I mean, we love it. So we don't export logs as such.

Everything is treated locally and we just get the meta.

The meta being the timestamp, when is this event happening, the IP that is involved in the shenanigans, and the scenario that the IP tried to trigger, I don't know, password brute force or credit card stuffing or whatever it is.

And this is the only information that is flowing back from you to us. So we don't export your logs. We don't want to know where you are or whatever, what you do.

We just want to see who is attacking who.
CAROLE THERIAULT
God, to hear a company say that is so great. I just hope we get more companies that say that. Tell you what, tell us, who is the kind of person that would really benefit from this?

Is this from a home user to a small business to enterprises?
Unknown
We thought it would be SMBs and small companies that would be the major beneficiaries of this.

They would really enjoy the fact that it's costless or close to, and they would instantly get better security.

But in the end, the first one that asked for a contract is a very big US hosting company.
CAROLE THERIAULT
Oh, there you go.
Unknown
Yeah. It's kind of a tier 1 thing.

We're like, okay, so our business model, the one that we showcase to our investors is, okay, you know, guys, there's a lot of SMBs out there and they want to have better security.

And this is where we stand.

And, you know, in December, you get a Tier 1 demanding, okay, can we get a support contract with you guys because we intend to deploy tens of thousands of machines?

And you're like, sure. But let me call my investor because I need to tell them something first. Guys, we were wrong.
CAROLE THERIAULT
Yeah, yeah.
Unknown
I don't know. I mean, anyone can use it.

If you think about it, across the industry, across 40 years of IT devices ranging from the old school IBM machine in your basement that was doing the accountancy in the bank up until the latest Apple Watch 6, all of them have one common point.

They can do web requests, HTTP requests, right?
CAROLE THERIAULT
Yeah.
Unknown
So if we can, and this is what we do, if you can enable trust in just one HTTP request, you can have things like IoT devices that are dumb as such, or very limited in resources, and that cannot make any smart thing to analyze security.

The only thing they can do is, "Okay, can I connect to this?" And you can tell them, "Yeah," right? On the fly.

You can say, "Yeah, you could," or, "No, you should not." And so you can protect things that are even the dumbest or the smallest possible CPU package and RAM package, and that can't do any of those things.
CAROLE THERIAULT
It's certainly exciting times at CrowdSec. Yeah, it is.
DAVE BITTNER
We love it.
CAROLE THERIAULT
We could talk all day now. Is there anything else you'd like to add?
Unknown
Yeah, please. I mean, it's a global thing we are trying to start, so it's just a sparkle now, and we need the community to grow.

We need people to come and say, okay, we need this and that, or to develop tools with us, to interact with us. I mean, money is not the stake here.

I mean, we literally have VCs knocking at the door every other day.

So what we need more than money is people interacting with us, discussing with us, saying we need this, we need that, we'd like to develop this and that, how should we do it?

So please come and join the crowd. We are here to back each other and we'd be delighted to discuss and interact with you guys and try the product. It's really cool and it's free.
CAROLE THERIAULT
Fantastic, guys. You can find all the information you need at crowdsec.net/smashing and that's with a G. What an amazing interview.

Thank you so much, Philippe Humeau, the founder of CrowdSec.
Unknown
Thank you. Anytime you want.
CAROLE THERIAULT
Brilliant.
DAVE BITTNER
Cool.
GRAHAM CLULEY
Well, that just about wraps it up for this week. Dave, thank you so much for coming on the show.

I'm sure lots of our listeners would love to follow you online and find out more about what you're up to. What's the best way for folks to do that?
DAVE BITTNER
Well, you can follow me on Twitter. It's @Bittner, B-I-T-T-N-E-R, and everything else is over on thecyberwire.com.
GRAHAM CLULEY
Cool. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G.

And we're also on Reddit, go and look for the Smashing Security subreddit up there.

And don't forget, make sure you never miss another episode of Smashing Security, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
CAROLE THERIAULT
Again, big thanks to our sponsors, 1Password and CrowdSec, and to our wonderful Patreon community, all of whom help us make this show free for all.

Now, if you want details of past episodes or sponsorship information, guest lists, or the entire back catalog of our 200+ episodes of Smashing Security, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye, ta-ta for now.
DAVE BITTNER
But you know what? Very interesting to me that in watching the show, I had a revelation that Graham and I have something in common.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Is it an inherent ruggedness and squareness of chin?
DAVE BITTNER
Well, beyond that, beyond that.
GRAHAM CLULEY
So what do we have in common?
DAVE BITTNER
Well, Carole, do you remember some of the things that Graham talked about on the live stream?
CAROLE THERIAULT
I wasn't listening.
DAVE BITTNER
You weren't really. All right. Well, let me lead into this. Let's take a little trip back together.
GRAHAM CLULEY
Right. Yes.
DAVE BITTNER
The year is 1985. The internet's domain name system has just been created. We're all holding hands and singing We Are the World together.

And four postmenopausal women have just moved into a Miami condo and started calling themselves the Golden Girls.
CAROLE THERIAULT
Oh, yes.
GRAHAM CLULEY
Happy days.
CAROLE THERIAULT
She's still going, you know.
GRAHAM CLULEY
She is.
CAROLE THERIAULT
Yeah.
DAVE BITTNER
I'm 15 years old. I'm a sophomore in high school, and my father has just finished a term volunteering as a board member for a local nonprofit.

And as a thank you for his time with this organization, they present him with a lovely leather briefcase.
CAROLE THERIAULT
Leather briefcase.
DAVE BITTNER
My father is very proud of this briefcase. He starts using it day by day.

And one day I'm downstairs where he has his little office, and I see sitting next to his desk is his old briefcase.

And I say to him, Dad, what are you going to do with that old briefcase?
CAROLE THERIAULT
Please, Dad, can I have it? Please, Dad, please.
DAVE BITTNER
And he says, Son, would you like to have that briefcase? I say, yes, Daddy, I would.
CAROLE THERIAULT
Norman Rockwell. Right.
DAVE BITTNER
And so the briefcase got passed on to me and I started using this briefcase in school to carry my books, my personal effects, my papers, my pens, the various things.
CAROLE THERIAULT
My calculator.
DAVE BITTNER
Calculator. Yes, indeed. So Graham, you and I have that in common. I'm curious, at what point did you stop using your briefcase?

Because I remember the moment for me, but I want to hear yours.
GRAHAM CLULEY
Oh, I think I probably continued using it for quite some time, even after the lovely Harriet inquired why I was the only kid at school who had a briefcase.

I don't think I took that as a hint. I don't remember stopping. I must have stopped at some point, but I don't recall. What happened with you?
DAVE BITTNER
Well, as you both know, I was very much into theater in high school. So one day after school, I went into a rehearsal for one of the shows that we were doing.

And again, I'm a sophomore in high school and I remember a young lady, a couple years older than me, a senior, a beautiful statuesque young lady with long flowing red hair, a dancer, so quite beautiful.

Everything that a young 15-year-old boy could possibly want, but was so far out of reach.

And as I walked in, she looked at me and she said, "What's with the briefcase, nerd boy?" And immediately I set fire to it. I let it go.

I dropped it to the floor and kicked it to the curb.
GRAHAM CLULEY
It's tragic.
DAVE BITTNER
It really was.

Hosts: Graham Cluley, Carole Theriault

Guest: Dave Bittner

Show notes:

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14-day free trial now at 1password.com.

Sponsor: CrowdSec

CrowdSec is open-source and crowd-powered software enabling you to detect and block attacks. By sharing with its user community, you help improve its efficiency and make the internet safer. Learn more and try it for yourself at crowdsec.net/smashing.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
