
A big cheese ends up in jail, a Japanese dating site spills the dirt after a hack, and we learn all about the right to repair.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Roberts from The Security Ledger.
Plus don’t miss our featured interview with Javvad Malik from KnowBe4.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Maybe for our benefit could you describe what a Stilton cheese tastes like because it might add a little bit to them.
Stilton cheese tastes a bit like, you know, when you've been wearing socks for about six weeks and you have some kind of fungal infection, but delicious socks, not like Carole's socks. And you've maybe been walking around in some damp fields, nice fields, beautiful fields with flowers and stuff. Just in your socks, just no shoes. Exactly. Just walking in the socks on the ground. And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two. Then you put them in the airing cupboard or the microwave for a few minutes. And it's great. Oh, my goodness. It's quite freaking delicious.
Smashing Security, episode 229. Dating leaks, rights to repair, and a stinky bishop, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 229. My name's Graham.
Hey, Graham. Hey, Carole. How are you? Good. It's been a long time, Paul. It has indeed, years, years since we've seen each other.
I think decades, actually. I'm actually embarrassed you haven't been on the show before. Well, don't be. We might be embarrassed after the show's recorded as well that he's been on the show. That's true. Think of it that way.
Let's see what happens. This could be a disaster. Paul, for our listeners that don't know you, what can you tell them? What do they need to know about you?
I'm the editor-in-chief and publisher of the Security Ledger, securityledger.com, which is a cybersecurity news website since 2012. And I'm the founder of securerepairs.org, which is a group of information security and information technology professionals who support the right to repair.
Okay, so all we need now is to thank this week's sponsors, 1Password, OneLogin, and KnowBe4. Their support helps us give you the show for free. Coming up on today's show, Graham, what do you got? I'm going to be talking about cheese. Whoa, got border cyber? Okay. And Paul, what about you?
I'm going to be talking about the right to repair and cybersecurity.
Super. And I'm going to be looking for love in Japan. Plus, we have an interview with Javvad Malik from KnowBe4. All this and much more coming up on this episode of Smashing Security.
Now chums, chums, do you have a secret stash? Do you have a secret stash Carole of many things?
Yes.
Yeah, I absolutely do.
Yeah, what sort of stash do you have? None of your business. Yes, come on.
Exactly, Graham. If I were to tell you, then it wouldn't be a secret anymore, would it?
Very true. Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, creeping tippy-toe down the stairs, opening the fridge, and hallelujah, there, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies, some stinky cheese.
No. In the middle of the night? No. You know what? I've always wanted to be one of those people. When I was a kid, I used to obsess about being able to do that when I was older. I could go down to the fridge. No one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.
I often have cravings just before bed, but I really try and resist them. But I must say, Graham, I have never craved cheese.
A soft little one, like a French brie, something hard, like a cheddar.
You're selling it. The way you say it, I feel like I should be eating cheese before bed.
Yeah, do you have a cheese platter in your fridge already for your four o'clock munchies?
With my Jacob's cream crackers at hand and my pickles. Your chutneys. Here's the thing, here's the thing. Cheese is my crack cocaine. I'm not being flippant. Scientists at the University of Michigan, which is in the United States of America, they say—
What, are you being local? What, what? Michigan, isn't it? Michigan. It's Michigan. What's the Michigan? It sounds like Gloucestershire. That's what you just did. Not McChicken. Yeah, not McChicken. That is something different.
Fritter Manga. Anyway, those boffins, they say that cheese triggers a part of the brain in a similar way to addictive illegal drugs. So I thought it would be fun if we could play a little game. I am going to give you a name, and you, you are the contestants, Paul and Carole, you have to tell me if it is a cheese or something else narcotic, okay? Are you ready to play the game?
Okay. I might— Okay. I don't know if I'm going to be good or bad at this. Cheese or wheeze. Let's decide. Yep.
Okay. I am ready. I was born to play this game.
Stinky Bishop.
Stinky Bishop. Cheese.
I'm gonna say that's cheese.
Yeah, sure it is a cheese. It's also an unpleasant medical condition. Produced since 1972 from the milk of Gloucester cattle, has a distinctive aroma, made famous in a Wallace and Gromit movie. Okay, next one. Poochie Love. Poochie Love. That is not cheese. I just don't know what it is. So I'm going to say not cheese. I'm
That's going to be not a cheese.
Yeah, I'm with Carole on that.
Dirt lover comes from the Green Dirt Farm in Missouri. It is a cheese covered in a layer of vegetable ash. It's also a sexual fetish, of course.
Okay, next. Shatner's bassoon.
Shatner's bassoon. That is not a cheese. I feel like there's some inside knowledge here that I lack, so I'm going to break with Carole and say that is a cheese.
I swear to God, there's none. No, Carole is right. It's a made-up drug. Fat bottom girl. Not a cheese.
Not cheese, I agree. It is a cheese.
From where?
From somewhere. Goes well with red wine, apparently.
I love that you do your research. It has flavours of almonds, butter, slightly tangy sweetness. Also a song by Queen. Definitely a cheese. My favourite cheese. Wait, what is it again? Purple monkey balls. Why are you talking about marijuana all the time?
Because I've explained that cheeses are my type of drug.
Now is marijuana legal in the UK?
Oh no, no, no, no, no.
Because here in Massachusetts it is legal. Are you constantly high?
No comment. No comment.
Some people do yoga. Exactly, everyone's got their thing, right?
That's not cheese at all. No. It's barely cheese. Well, look, I'm going to switch from cheese now. I'm going to go to hard drugs because a chap called Carl Stewart from Liverpool has been a bit of a naughty boy.
No, new one to me, Graham.
He used the name Toffee Force and was up to no good on EncroChat. Do you guys know what EncroChat is? EncroChat is a secure encrypted messaging service which runs on modified Android phones. It promises worry-free secure communications. Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone? Celebrities?
Elon Musk? Well, it's criminals. Yes, of course.
So that was their sales point?
Was that their sales pitch? The pitch was really, these are totally secure communications.
We don't save anything. You can delete everything from your phone.
So it wasn't just the app. It was the phone hardware itself. It's a modified version of Android. That's right, special phones.
Which is all right. It's not the best or anything.
Well, according to the— I'm a cheese nut. No. According to the packaging, it says delicately rich and creamy. And he was from Liverpool. He wasn't going to have some glamorous exotic cheese.
He probably watched the Marks and Spencer's ad, you know, with a woman, you know, who'd go, "This is not just any cheese. This is a Marks and Spencer's."
Maybe for our benefit, could you describe what a Stilton cheese tastes like? Because I might add a little bit to that.
So Stilton cheese tastes a bit like, you know, when you've been wearing socks for about six weeks and you have some kind of fungal infection. But delicious socks, not gross socks. Yes. And you've maybe been walking around in some damp fields. Nice fields, beautiful fields with flowers and stuff. Just in your socks, just no shoes, just walking in the socks on the ground. And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two. Then you put them in the airing cupboard or the microwave for a few minutes. And it's, oh, my goodness. It's quite... It's freaking delicious. It is delicious. Really good Stilton is like a cream because it's so, anyway, it's delicious. If you like blue cheese and you haven't had it, yeah, do it. It's good. It's good. It sounds
Like a full body experience.
You want it in a jar. That's all I'm saying. Not in a packet. In a jar. That's when it's scraped off the socks. Okay.
It will try and infect everything else with the smell. Yeah, your whole fridge. It's not as bad a smell as a, is it a durian fruit, Carole? Durian, yeah.
Yes, which I've never smelled, although I have seen film of people smelling it. And I've heard it is quite the scent.
I had a friend once, who will remain nameless, who tricked me into eating a chocolate without telling me it contained durian fruit.
It's like, I came down and I was like, it's the most delicious chocolate ever. Oh my God. Oh my God. Here's one. Gotta have it. Oh my God. It's so good. Oh my God. Go and try it. And he just shammed it right in his face. And I just watched.
A durian fruit tastes a bit like sewage, doesn't it? I don't know. I didn't try it. I can tell you it does.
What is the thing with durian fruit? Why are people... It's like a delicacy, particularly in Asia, I hear. People are mad for it.
I think it's a delicious texture and delicious taste, but a horrible smell if raw and improperly prepared. I think you're not allowed to transport it on passenger airlines. Is that right? Yeah. Because it's too smelly. What did that chocolate taste like, Graham?
I can't remember the chocolate part of it. Yeah. Anyway, back to Stilton cheese, which is nothing like durian fruit. It is a delicacy, but quite pungent. Anyway, so this chap, right, this chap, Carl Stewart, Toffee Force, what he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand while standing in the aisle of Marks and Spencer. And from that picture, just of his hand holding the cheese, the police were able to identify him.
Did they magnify his fingerprints? Exactly. Shut up. Shut up. CSI.
See, I would have thought they went back and looked at surveillance film and found the guy holding a cheese and his cell phone up.
That could have been me.
That could have been me holding the cheese. At 4 a.m. in the morning. That might happen hundreds of times a day in the UK, though.
So the Met Police now, they've arrested more than 60 people, many of whom have been charged with serious drug trafficking or firearms offences. Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and six months in the clink.
I can't remember what he did now. All I remember is he liked cheese. He was trafficking in horse tranquilizers and heroin. So he obviously had a record and had prints on file with law enforcement prior to this, I guess. Well, they'd already arrested him, so maybe they took his prints then and matched them. Oh, right. There we go. That is a level of detail which I would expect a serious reporter like those at the Security Ledger to investigate rather than me.
Yeah, don't leave it to Graham.
Paul, what have you got for us this week?
Well, I'm here to talk about the right to repair. What is a right to repair? Okay. So a right to repair is basically what it sounds like. It is a legal right, in other words, written into law that gives you as the owner of a thing the right to repair it. And usually what that means practically, because you'd be like, well, I can repair it. But these days, increasingly, because everything we use basically has software on it and also these days digital locks, right, like DRM, digital rights management software, owners need more than just the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it. If there's a part, a component on a circuit board that has burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair. And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who get access to these tools and parts and information, then you also need to make that available to your customers, the people who own the device, and basically their agents, people they might hire to do a repair. So independent repair shops.
Hallelujah. Because I honestly, okay, I'm sorry, I'm already on your side. Sorry, listeners. I didn't keep the tension up. But okay, carry on. I'll get on my soapbox later.
So this is a really important thing. And it is something that is a little bit esoteric. I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia and really has a lot of people paying attention to it. And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, you know what, this is not fair, or this is inconvenient for me, or this is costing me money needlessly. And I want to do a repair myself.
Could I give you a situation?
Yes.
It happened to a friend, definitely not me. Okay. But it was on my laptop, right? With a glass of very, very nice whiskey. And then my husband asked me a question and I used my hand to communicate, which I do often. F off. Or I love you, probably. And I spilt all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea. But it's not been working really well. So in that situation, are you saying that that would be something I could say, look, you have to help me try and fix this? And you could tell me how the right to repair movement might suggest I would go about it?
So the problem would be this, which would be you did something really common, which is spilled a liquid into your laptop keyboard. And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly. Moisture.
And all the rice that's now stuck to it as well. Who knows what the rice did?
So basically, you want to fix your laptop. And right to repair is really about what are your options as a consumer for getting that laptop fixed? Right. And they're generally, in most things in life, there should be three, which is, you know, the manufacturer might offer to repair it or have one of their authorized or licensed repair people do it. Yeah. You can try to repair it yourself if you're technically inclined. And many people are. Or you could hire an independent, in other words, non-authorized repair shop to do it. And generally, it's with your automobile, right, your car. Right. Maybe there were some short circuits of components on the motherboard on the computer as the liquid seeped in. If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive. If you bring it to the corner repair shop, same thing. They'll be able to fix it, maybe slightly less expensive. Maybe they won't use the manufacturer's OEM parts, but you'll save money. And obviously, if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market. The way it works for many devices these days, including your MacBook, you need parts and access to information. So the reality for many consumers today who are in your situation is they bring their MacBook to the Apple store, to the Genius Bar, and they say, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage. We don't do repairs. We suggest that you buy a new MacBook.
I'm waiting to meet a real genius at the Genius Bar, honestly, because I've been there a lot looking for them. Because, you know, I smart people.
And when they say that, it does not mean that that is an unrepairable laptop. It just means it's a repair that the Genius Bar does not do because Apple does not allow them to do it. Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that that would require. Right. Right. Okay. So they would basically say, why don't you just buy a new laptop? And most people would be like, okay, I'll buy a new laptop. It costs you thousands of dollars. It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth. But that's the way that that system is set up. The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage. But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, OK, Carole spilled whiskey into her laptop. What components actually burned out? What components burned out? What do we need to replace on this? What is broken exactly? And you need software to tell that to you. And Apple has a whole bunch of tools that they don't make available to non-authorized repair people. They also don't make the parts available. So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are. And they don't give you access to the parts.
I'm such an Apple fangirl. I'm really feeling this right now.
It isn't just Apple. So this is, in one way or another, it's many device makers.
And sell you ink services, 50 pounds a month or something.
Though not all. Companies like Dell and Hewlett-Packard make both parts and diagnostic tools and schematics.
There are major computer manufacturers who are very pro-repair and have a healthy ecosystem of parts that you can buy inexpensively and access to tools and so on.
So what's the argument that these companies who aren't sort of making it easier to repair things, what's their argument for doing this?
They're variations on the same argument that the car dealership would make to you to discourage you from ever going to the corner repair shop, right? Which is our parts are superior to their parts. Their parts are going to break and cause you to get in an accident. Our mechanics are PhDs walking around in lab coats, and their repair people are grease monkeys without high school diplomas. You know, we care about the safety and privacy of your data, and those other people are probably criminals who will steal it and sell it. So it's a bunch of misleading and untrue qualitative statements about the superiority of authorized repair. But there's no data to back up any of those claims, but they make them anyway.
And what do you suspect are the real reasons why they're not doing this? So a couple things. And it depends on the company. In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple. You know, they make money off the genius bar, certainly.
Fun topic, Paul.
Sorry. I'm sorry.
No, no, it's an important topic. I was just kidding. I was just trying to make more of a levity there.
Yeah. I mean, let me tell you why I think this is really important. Okay. So first of all, let me tell you, do you want the, this is a cybersecurity podcast. So here's the link to cybersecurity.
Right. Yes. Because I had plenty in my story. Let me point that out. You did. Yours was all cybersecurity. Yes. Okay. So I got involved in this because I started going to fix it clinics in and around Boston where you go and just get stuff repaired by people in your community. It's great. Before COVID, they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the right to repair program at USPIRG, the public interest research group.
Do you know what, though? If I made a cell phone and the world decided, oh my God, I need to have that and everyone bought it, I would be an absolute control freak about everything about it.
Oh, you're not suggesting Apple are control freaks, are you? That doesn't sound like them at all. All I'm saying is I get it, right? Because I understand what you're saying 100%. It makes 100% sense. I agree. I agree. Ethically, morally, I agree.
If you have a business, why would you not want a monopoly on whatever it is that you do? Right?
What do you use, Paul?
I have an Apple iPhone. I have an Apple iPhone. It's an older model.
That's why he's hot on all this. He's peeved about every time he has to go to the Genius Bar. They won't blink and fix it. They won't replace his battery. Right. Carole, what have you got for us this week?
Clearly, do you remember Yik Yak?
Yes. Can you tell our lovely listeners what about our plans on Yik Yak? Well, many years ago.
It was probably about 20 years ago.
20? I put 15 in my notes here. But anyway, Carole, you, I, and our two lovely Croatian friends, we ganged up together to take on the world and create a social networking dating website thing that was going to make us a fortune. And we called it Yik Yak.
Yep. And we bought the domains. Yes. And I remember we had one meeting where we were kind of like, okay, how are we gonna parse people's choosing, right? Like we were making up this algorithm for ourselves, like hair color, height, right? People care about that. And we had a meeting about discussing all this stuff. But did you ever think about whether people would just use it for hookup versus serious relationship? Did it ever occur to you?
It never occurred to me at all that people might want to have sex, no. That's not a thought which ever crosses my mind.
Well, if we were around today, single, free and easy, Paul, you're not single and free right now, right?
God, no.
Yeah. Yeah, we're all married. Okay. So, okay. But if we were single, we would probably be using dating apps to meet people. And the thing is, apparently, the pandemic has changed online dating. There's a shift. So, it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right? The BBC suggested that some of the changes might be here to stay, even as life returns to normal, because, of course, this all has to do with the pandemic. So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps.
God, how awful would that be?
I love it. I'm kind of surprised that people weren't doing that before. Like, are you really going to go out and meet somebody randomly, you know, in meatspace?
And someone says, once the first lockdown ended, I still preferred initially getting to know people in the virtual before we went for drinks. I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well. Okay. All right. Right? Because you're screening. You kind of meet someone. You're like, okay, I don't like you, but you don't have to schlep back home.
Is there chemistry over Zoom, though? I mean, is that a thing? Like, can you have chemistry with somebody over a Zoom connection? They wouldn't be able to smell my pheromones.
I'm going to call my husband tonight. I'm going to say, go upstairs to your office. I'll call him on Zoom and I'll see if there's more flirtiness.
Oh, we know what he's like. He'll be very flirty. Oh, look, he fell asleep watching TV again.
Exactly. That's normally me, actually. Okay. Before the pandemic, though, apparently many couples still met at school, mutual friends, family, church, bars, whatever, right? But then pandemic happened. And this is confirmed by people like Match Group, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Henge, as some of us like to call it. They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down. So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.
Because they can't go meet people. Of course they can. Yes, of course it's slowing down because you can't go out.
Exactly. So I'm thinking, who's winning in this, right? Because there are some apps out there that are geared to more serious relationships than just the boning type. Sorry.
What did you say? Boning. Boning. I'm crying. Like a boning radio show? What's that? Is that B-O-N-I-N-G?
I wouldn't know, Paul. Come on. So, so, serious relationship websites like the Japanese Omiai. You know I'm saying it wrong. So I can get my husband to teach me. Sorry, is that... is it spelled... Oh no, I've got the giggles now. This is really bad. Omiai. Okay, how do you spell it? Just spell it. I have the giggles, I can't stop now. O-M-I.
Is that it? O-M-I? If so, you're definitely pronouncing it incorrectly.
No, O-M-I-A-I.
Oh, O-M-I-A. O-M-I-A? O-M-I-A. O-M-I-A. It's a catchy name. They're not listening anyway, Carole, so don't worry. They're not listening.
But anyway, all I can tell you is the name connotes traditional matchmaking systems, okay? That has been going on for centuries. So the name means like look, meet, or look, love. There's a joie de vivre there somewhere in the Omiai. Someone described it in an app review saying the search function is very detailed, allows you to specify preferences in various fields, including nationality, education, income, and body type. So in Japan, that seems to be the four things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay, it focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term flame, right? Five to seven million people have used this, and they claim they facilitate more than 50 million successful matches so far. Like, what's a successful... they know that? Yeah, exactly. What, three months, six months, a marriage? Do people go back to the app and say, yep, that one worked? All right. Yeah, who could her. And then they get like a ten pound voucher. No. Yeah.
I like the way that they're sort of like, well, we're, we're different. Cause we're trying to get people to have long-term relationships. And it's like, how much, like, is that really a new concept? I don't think it is. Yeah. Hey, it's all rebranding, dude. They're really two flavors in the dating app world, which is hookups and people who want to have relationships. Like those are the two, that's basically the two choices. That's easy. Yeah. So anyway, the reason I'm talking about it is they got hacked.
So they asked for all this kind of really detailed personal information and scans of things like ID cards and passports.
To make sure that they could say, we know who you are, we're validating the people.
No mischief makers. I can't create an account called myself Gloria something or other. Exactly. Right. Unless I have Gloria's passport. Right. They've put a statement and Paul, I'm particularly interested in your point of view here, both as a journalist and someone who lives in the States, right? You've probably read millions of these.
My Japanese is excellent.
Excellent. Well, good. I hope you read that in real time. So...
By which I mean Chrome did it for me. Fantastic. Okay. So this is their apology and notice regarding member information leakage due to unauthorized access. True. Yeah, yeah, yeah, yeah.
But I have seen press conferences before from Japanese companies after they've been hacked where the board actually go on television and do a very deep bow of apology.
Well, I think we should adopt it.
Yeah. I'd love that.
Who would not want that?
I know. I'm so with you.
They're searching the web for exposed members, is that what you're saying? Yeah,
Are they? Are they? Are they?
Thank you, Paul. Glad you got it. Oh, are you being dirty? Yes, I was. Oh, I don't get that. I'm like... Don't worry, it's good that you don't get it, Carole.
And they're getting a lot of hits too. We're just gonna crack on, we're cracking on, we're cracking on. Yeah. Well, phew. It's you can always cancel a credit card. I mean, that's not a big deal, but you can't unsee that driver's license or passport.
We're, you know, yeah. Yeah. On the other hand, they do engage in what I think you guys would recognize some pretty, pretty common breach hand waving. We have no reason to believe that any of the stolen information has been used. Why they took it.
I'm on their home page right now on Omiai. They've got, and they've underlined the I bit at the end, but if you scroll down, they actually advertise their reasons for being safe and secure, right? They say, basically, "We make various efforts so that users who want to have a serious relationship can use it safely and securely, so we only display nicknames, only the people that have passed the age confirmation," which we have, you know, checked through every single... Only people who've uploaded their passport will be allowed onto the site, you know.
Let me say my first off the top of my head impression of this site is that I am too old to you.
Right and you know what?
That when I look at these faces they all look young.
In the security section they have this note, okay, there's a starred bit and it says the use is limited to singles and is prohibited for those who have a lover. Don't get greedy, don't get one lover. That's right, that's right, lovers are not welcome. If you are looking for an affair then go to ashleymadison.com, which will be just as careful with your data. That's right. That was hookup material. That wasn't love. That wasn't eHarmony. Isn't that the love one? eHarmony. Yes. eHarmony is the algorithmic love company. Is it?
Or the crate of mature Stilton, which I have in my living room.
Or the crate of mature Stilton. Right. There is a risk to holding on to it. And the risk is that it's going to leak. And I wouldn't want to know what that crate of Stilton would look like if it were to leak. But I'm guessing it would be an ugly scene.
Delicious. An ugly and smelly scene. I'd eat it.
Yummy. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. And to do that, they need new school security awareness training. KnowBe4 are the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number four dot com slash free test. Think of KnowBe4 for your security training.
The perfect solution for companies of all sizes. 1Password is quick to deploy, simple to manage, and fits seamlessly into your team's workflow so you can secure your business without compromising productivity. All kinds of teams can securely share everything needed to work together, give employees access to logins, documents, credit cards, and more on all of their devices. See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised so you can update passwords right away. Find out more and try 1Password for free for 14 days at 1password.com.
According to the OneLogin I Am Okay mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic. In today's Work From Anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information, assets, and technologies are properly protected. And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message, you are not alone. Smashing Security listeners are invited to attend their live event on Wednesday, May 26th for free. It's called Keeping the Mind Clear and the Company Secure. Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show. And welcome back and you join us at our favourite part of the show, the part of the show that we like to call Pick Of The Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Are you freaking kidding me?
No, I am not. Why, have you chosen that as well?
No, but, you know, I'm surprised you're... Is this a book you're doing?
No, I'm not doing a book. I'm doing the TV version of Nancy Mitford's book.
Oh, okay, I was just going to say, because it's a beautiful book, listeners. Anyone who likes to read. I just didn't believe you were reading a book like that.
No, I have not read the book. But if you'd like it, it's good.
I've seen the TV version.
Oh, right. Who needs the book? And I really liked it because it was funny and crazy. And I'll tell you some of the people who star in it. We've got Lily James, Dominic West, Andrew Scott, who was Moriarty. He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters.
What's this? Where did you see this?
On the BBC website.
Oh, on the BBC.
Yes, on the BBC. On the BBC, darling. On the BBC. Yes, on the BBC. Anyway, so my recommendation, my pick of the week this week is The Pursuit of Love on BBC iPlayer. I think you'll rather enjoy it. Oh, what's your pick of the week? I have, you know, I feel like the dinner guest who you invite and he just ends up talking about environmental pollution or crime or something and just brings the whole party down. So fun. I have a cybersecurity story that I grabbed from MIT Technology Review called Colonial Pipeline Ransomware Hackers Had a Secret Weapon, Self-Promoting Cybersecurity Firms. And it's by Renee Dudley and Daniel Golden. It's a bit of a tip off. In this case, a cybersecurity firm developed a decryptor for some ransomware used by the DarkSide group and basically blasted out to the world that they had a decryptor and that DarkSide's ransomware was reusing RSA keys. And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did and then thanked the cybersecurity firm for tipping them off. So I read this article. It's an interesting security article. Yeah, I'm afraid it is cybersecurity related. But that's all right. Will you ever forgive me?
No.
Well, but basically, I was thinking you're kind of damned either way, aren't you? Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption. You know, I have some sympathy with the security firm. Yes. This gets in. I mean, there are often issues that come up. You know, did Franklin Roosevelt know about Pearl Harbor, but didn't do anything because he knew that then the U.S. would be able to get into the war? I mean, these type of ethical quandaries come up all the time. And in the cybersecurity ransomware world, they come up all the time as well. So this article is your pick of the week this week. And if people want to hear more about the arguments back and forth, they can go and check it out. Carole, what's your pick of the week brackets, not security related, close brackets? It's very, very not security related. And my pick of the week is not an audio drama, but it's an app to help you take better pictures. Are you now using this as your default camera app? I'm learning. I have to get the memory muscle to work, right? Marvelous. Now, Carole, you've been speaking to Javvad Malik from KnowBe4 this week. Yes, we had a very amazing chat and what a great guest. So take a listen. I feel very honored and, you know, I could get used to this. This throne is quite comfortable.
Javvad, you do a lot of things. So, on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast. You're a popular vlogger and blogger. You do events. You're basically an all-round security pundit. Would that be fair?
Yes, that's right. When I try to sound cool, I say, think of The Rock, who's multi-talented in every facet, wrestling, movies, business ventures. That's what I aspire to be in the security world. I don't think you need to aspire. I think you've already reached many of those dizzying heights. KnowBe4 is focused on the human. You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff.
Maybe you can tell us about it from the point of view of someone who might be interested in running these phishing simulations. They come across your name. The product is really self-service. It's highly automated. So if you're a customer or even if not, you can sign up to a free phishing test on our website. You can go to knowbe4.com slash free test and you can sign up there. And what you'll see is that there's thousands of templates there and these are in different languages.
So basically, you're putting the IT team in the driver's seat. Rather than you guys doing all the decision-making on what content's included and how they're sent out, they actually get to decide themselves completely. It's almost an autonomous effort. Yeah, exactly. Exactly. That's kind of cool.
Yeah.
Because, you know, an IT team that acts as a kind of authority of punishment is not going to get people on side in terms of security. What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk. So it's important to work with the people to see the, you know, the point of this is to get people educated and protect the firm and the individuals.
I mean, you know, it's the security teams that ultimately have the relationship, or should have the relationship, with all the users within the organization. So they're best placed to make the right decisions if they have the right relationships. And we've seen examples of where this has gone wrong, where, you know, they should have that environment where they tell people: hey, if you receive a phishing email, this is what you should do, this is what you should look out for, we're going to be doing simulation tests at this time, you know, throughout the year, and these are some of the topics that, you know, we think are inappropriate for our user base because of whatever reasons. It's when you get that wrong that people, instead of being educated in a phishing test, end up getting annoyed. Yeah, what we try and do is give the people the right tools so that they can, and we offer them training and guidance on this is how to structure these campaigns, so that when it goes out, people receive it with the spirit and intent that it was intended to, which is: hey, this is a training exercise. We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which, frankly, anyone can make.
That's absolutely, that's exactly it. I mean, there was a story I read a few weeks ago and it was on Sophos Labs published it. And there was a biomedical institute and they partner with some universities. And there was some visualization tool that you could use if you were on premise. But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that. And the license was really expensive. So what a user ended up doing, or a student, they downloaded a cracked copy and Windows Defender threw up an alert. And so they disabled Windows Defender and they then logged on and did their work. And two weeks later, the company was hit by ransomware. And this is the thing is that people are just trying to do their job most of the time. They're trying to be helpful and they're trying to get their work done. And technology should be there to facilitate them in doing what they do. And if it's there as a blocker and security is no exception, security is probably when implemented poorly, it becomes the biggest blocker. You know, if it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or expose the company to breaches.
And so this kind of test would, at knowbe4.com slash free test, allow you to, I don't know, take a pulse of the company's ability to be fooled by such things.
Yeah, that's right. And we have benchmarking reports on our website as well. You can go into resources and you can look for our benchmarking reports. And most companies, when they do their first test without training and everything, it's typically over 30% of people will fall victim to a phishing email. And that's a high percentage. That's one in three people nearly. That's more people that click on ads.
Yeah. So three out of 10 people typically will fall for this if they've not given any previous cyber security training. Is that what you're saying?
That's right. And then what kind of numbers do you see after the training has gone through? If people have gone through a few simulations, have included, you know, having presentations and education provided internally?
Yeah. So there's a process you need to go through. Typically, if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses, and they can be short ones, but it's less but more often is probably better, and you've run it as a proper campaign, then after 90 days even you can halve that to about 10 to 14 percent of people. And if you actually carry that on for a year, that drops down to about 5%. So, a significant reduction can be achieved over that period of time.
Are you surprised at the number of companies that don't take security seriously even today? I mean, I don't know. I'm in the echo chamber, right? I'm on this podcast every week. So, I'm thinking and breathing and snarfling security all the time. But people who work in other industries, say retail, finance, are they thinking about security as much as they should be, do you think?
You know, it's that age old problem. If you take a problem to an engineer, they will reframe it as an engineering problem and they'll give you an engineering solution. If you take a problem to a security person, they're going to reframe it as a security problem and present you with a security answer. So I think you're right. We have this bias because we are in this echo chamber as security professionals or practitioners. And other organizations and people working in other departments, they don't have that lens. And they're looking at things, hey, what's our return on investment? What's our profitability this quarter? How can we make it out of the pandemic without going bust? If you ask me from just a pure security perspective, I'm no, people don't pay attention. And they do far too little, far too late. But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness. People are a bit more clued on. And especially from a technical perspective, operating systems and platforms are a lot more secure than what they used to be. Cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there. And we see it all the time with unsecured S3 buckets out there. It's not that the functionality doesn't exist. It's just that someone just forgot to check or didn't think to check that should this option be ticked to private or public. So I think it's just about making people aware and just reminding them and being that constant thing in the background. It's not something you can fix quickly. It's any behavior change. And that's ultimately what we're going for. It's behavior change. When we look at things like environmental awareness, you know, growing up, there wasn't really a concept of recycling or separating out your rubbish.
But today you walk into any corporate office, or even public dustbins, there's at least two if not more, there's maybe five in some offices, where when you go to throw away your rubbish there's, oh, let me separate my recyclables from my landfill and what have you. But this is something that happened over a long period of time and raising awareness, and I think that's the process we're going through at the moment with security awareness.
Yeah. And also, I mean, with ransomware on the rise and with the pandemic forcing people to work from home and creating almost a kind of new playground for malicious actors, I think it's important for us to understand how we're being duped. And that changes all the time. Because of course, as soon as we're all aware that something can happen, we tend to be on our guard. So they change the pattern. And people KnowBe4, for example, are paying attention to that all the time. So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.
Yeah, that's right. So our templates are constantly being updated and then our awareness and training modules are always, there's always new content being added.
Fantastic. Listeners, if you want to try a free phishing test, check out knowbe4.com slash free test and see how safe your office is against this kind of stuff. Javvad Malik, thank you so much for coming on the show.
Oh, it's always a pleasure, Carole. Thank you so much.
Fascinating stuff. Well, that just about wraps it up for this week. Paul, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Two ways. Go to securityledger.com.
Cool. And you can follow us on Twitter at smashinsecurity. No G. Twitter wouldn't last have a G. And we're also up on Reddit. So look for the Smashing Security subreddit up there. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Pocket Casts, Spotify and Google Podcasts.
And if you're interested in the right to repair stuff, I have a substack, as every self-respecting journalist does these days, which is fighttorepair.substack.com.
And thanks to this week's episode sponsors, 1Password, KnowBe4 and OneLogin. And of course, to our wonderful Patreon community.
Until next time, cheerio. Bye-bye. Bye. Bye. Bye.
It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists and the entire back catalogue of more than 228 episodes, check out smashingsecurity.com.
You guys are great. You're so smooth. It's a well-oiled machine.
Carole here from Smashing Security. Now I have some fantastic news for you. You know how we started asking for a few more reviews? Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped. We've had our most downloaded show ever last week. How freaking cool is that? This week, I want to do a shout out to Zixis, who wrote many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content. Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done. Thank you, Zixis. And also to Red Piano Roland, always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking. It's been a rough few months and you guys have always been a lift to my spirits. Thank you, Graham and Carole. You are so, so welcome, Red Piano Roland. Guys, if you've got the time, please keep them coming. It is seriously making a difference and keeping us independent. Plus, it's just really, really nice to hear from you guys. Otherwise, it's just Graham. And I mean, ugh. Buckets of love.
Hosts:
Graham Cluley:
Carole Theriault:
Guests:
Paul Roberts – @paulfroberts
Javvad Malik – @J4vv4D
Show notes:
- Cheese Is Addictive As Drug: Dairy Product Triggers Brain Region Linked To Addiction — Tech Times.
- How Police Secretly Took Over a Global Phone Network for Organized Crime — Motherboard.
- Liverpool man latest to be jailed as part of national Operation Venetic — Merseyside Police.
- Hard cheese: Stilton snap shared via EncroChat leads to drug dealer's downfall — The Register.
- Automakers Hype Hacking Threat To Sink Pro-Repair Measure — Forbes.
- FTC Report Slams OEM Restrictions on Repair — Fight to Repair.
- securepairs.org – IT pros fight for a fixable future.
- Apology for dating breach (Japanese).
- Coronavirus: Why dating feels so different now — BBC Worklife.
- How Covid-19 has upended dating for singles — Vox.
- Japan's biggest dating app hit by major cyberattack — TechRadar.
- Omiai(お見合い)
- The Pursuit of Love — BBC.
- Adapting The Pursuit of Love for BBC One — BBC Writers Room.
- The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms — MIT Technology Review.
- Obscura.
- Fstoppers Reviews Obscura 2: A Superb iOS Photo App that Rethinks the 'Interface' — Fstoppers.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com
According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
As a result, CISOs and IT executives have been under ever-increasing pressure – leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.
OneLogin’s message? You’re not alone. Attend their live event on Weds May 26, “Keeping the Mind Clear and the Company Secure” at smashingsecurity.com/oneloginiamokay
Did you know that 91% of successful data breaches started with a spear phishing attack?
Find out what percentage of your employees are at risk with KnowBe4’s free phishing security test.
Plus, see how you stack up against your peers with the new phishing industry benchmarks.
Find out more at www.knowbe4.com/freetest
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
