A big cheese ends up in jail, a Japanese dating site spills the dirt after a hack, and we learn all about the right to repair.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Roberts from The Security Ledger.
Plus don’t miss our featured interview with Javvad Malik from KnowBe4.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Maybe for our benefit, could you describe what a Stilton cheese tastes like? Because I might, it might add a little bit to that.
Ah, yes. So a Stilton cheese tastes a bit like, you know when you've been wearing socks for about 6 weeks nonstop and you have some kind of fungal infection?
But delicious socks, not like gross socks.
Yes. And you've maybe been walking around in some damp fields.
Nice fields, beautiful fields. With flowers and stuff.
Just in your socks, just no shoes. Exactly. Just walking in the socks on the ground.
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
And then you put them in the airing cupboard or the microwave for a few minutes. And it's, oh, it's very, oh my goodness, it's quite, oh.
It's fricking delicious.
Smashing Security, Episode 229: Dating Leaks, Rights to Repair, and a Stinky Bishop with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 229. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 229. My name's Graham Cluley.
I'm Carole Theriault.
And we are joined this week by a special guest, someone who hasn't been on the show before. It's Paul Roberts from The Security Ledger. Hello, Paul.
Hey, Graham. Hey, Carole. How are you?
Good. It's been a long time, Paul.
It has indeed. Years, years since we've seen each other.
I think decades, actually.
I'm actually embarrassed you haven't been on the show before.
Well, don't be.
We might be embarrassed after the show's recorded as well that he's been on the show. Let's put it that way.
That's true. Let's see what happens.
This could be a disaster.
Paul, for our listeners that don't know you, what can you tell them? What do they need to know about you?
I'm the editor-in-chief and publisher of the Security Ledger, securityledger.com, which is a cybersecurity news website since 2012.
And I'm the founder of securerepairs.org, which is a group of security and information technology professionals who support the right to repair.
And I'm the founder of securerepairs.org, which is a group of security and information technology professionals who support the right to repair.
Okay, so all we need now is to thank this week's sponsors, 1Password, 1Login, and KnowBe4. Their support helps us give you the show for free.
Coming up on today's show, Graham, what do you got?
Coming up on today's show, Graham, what do you got?
I'm going to be talking about cheese.
Whoa, got bored of cyber? Okay. And Paul, what about you?
I'm going to be talking about the right to repair and cybersecurity.
Super. And I'm going to be looking for love in Japan. Plus, we have an interview with Javvad Malik from KnowBe4. All this and much more coming up on this episode of Smashing Security.
Now, chums, do you have a secret stash? Do you have a secret stash, Carole?
I have many things, yes. Paul?
Yeah, I absolutely do.
Yeah? What sort of stash do you have?
None of your fucking business. Come on.
Exactly, Graham. If I were to tell you, then it wouldn't be a secret anymore, would it?
Very true.
Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, creeping tippy-toe down the stairs, opening the fridge, and hallelujah!
There, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies: some stinky cheese.
Well, you know, in the middle of the night, if you can't sleep, do you find yourself sneaking out of bed, trying not to wake your partner, creeping tippy-toe down the stairs, opening the fridge, and hallelujah!
There, hidden behind the kale and the quinoa, there it is, the thing which will satisfy all of your munchies: some stinky cheese.
No, in the middle of the night?
No.
You know what, I've always wanted to be one of those people. When I was a kid, I used to obsess about being able to do that when I was older.
I could go down to the fridge, no one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.
I could go down to the fridge, no one would, you know, I wouldn't wake anyone up, whatever, whatever. But I never do it.
I often have cravings just before bed, but I really try and resist them. But I must say, Graham, I have never craved cheese.
A soft little one like a French brie, something hard like a cheddar.
You're selling it. The way you say it, I feel like I should be eating cheese before bed.
Yeah, do you have a cheese platter in your fridge already for your 4 o'clock munchies?
With my Jacob's cream crackers at hand and my pickles.
Your chutneys.
Here's the thing. Here's the thing. Cheese is my crack cocaine. I'm not being flippant. Scientists at the University of Michigan, which is in the United States of America. They say—
What are you being local? What?
Michigan, isn't it? Michigan.
It's Michigan.
What's the Michigan?
It sounds like—
Gloucestershire. That's what you just did.
Not McChicken.
Yeah, not McChicken.
That is something different.
Anyway, those boffins, they say that cheese triggers a part of the brain in a similar way to addictive illegal drugs. So, I thought it would be fun if we could play a little game.
I am going to give you a name, and you, you are the contestants, Paul and Carole. You have to tell me if it is a cheese or something else narcotic. Okay?
Are you ready to play the game?
I am going to give you a name, and you, you are the contestants, Paul and Carole. You have to tell me if it is a cheese or something else narcotic. Okay?
Are you ready to play the game?
I might—
Okay.
I don't know if I'm going to be good or bad?
Cheese or wheeze?
Let's decide.
Yep.
Okay.
I am ready.
I was born to play this game.
Stinky Bishop. Stinky Bishop.
Cheese.
Cheese. Paul.
I'm gonna say that's cheese, yeah. Yeah, sure.
It is a cheese. It's also an unpleasant medical condition produced since 1972 from the milk of Gloucester cattle. Has a distinctive aroma, made famous in a Wallace and Gromit movie.
Okay, next one. Poochie love. Poochie love.
Okay, next one. Poochie love. Poochie love.
That is not cheese. I don't know what illicit is. So, I'm gonna say not cheese.
I'm gonna break it. I'm gonna say that is cheese.
Well, it's a strain of marijuana. The old Mary Jane.
The jazz cigarettes.
Okay, next. Dirt lover. Dirt lover.
That's gonna be not a cheese. Not a cheese.
Yeah, I'm with Carole on that.
Yeah.
Dirt Lover comes from the Green Dirt Farm in Missouri. It is a cheese covered in a layer of vegetable ash. It's also a sexual fetish, of course. Okay, next.
Next.
Shatner's Bassoon. Shatner's Bassoon.
That is not a cheese. Ah.
I feel like there's some inside knowledge here that I lack. So I'm gonna break with custom and Carole and say that is a cheese.
I swear to God, there's none.
No, Carole is right. It's a made-up drug. Fat Bottom Girl. Fat Bottom Girl.
Not a cheese.
Not cheese, I agree.
It is a cheese. Oh!
From where?
From somewhere. Goes well with red wine, apparently.
I love that you do your research.
It has flavours of almonds, butter, slightly tangy sweetness. Also a song by Queen. And finally, purple monkey balls.
Definitely a cheese. My favourite cheese.
Wait, what is it again?
Purple monkey balls. You're not going to get it. It's a strain of marijuana again.
Yeah.
Yeah.
Why are you talking about marijuana all the time?
Because I've explained that cheese is my type of drug.
Is marijuana legal in the UK?
Oh, no, no, no, no, no. I don't have any of that sort of nonsense.
Because here in Massachusetts, it is legal.
Yeah.
Are you constantly high?
No comment.
No comment.
Well, a blue Stilton is my crystal meth. I know it's bad for me, but it's irresistible. I would sell my kid's bike.
I'd become a rent boy if I thought I could fund my love of a stinky bishop. But some people, some people aren't like me.
Some people haven't gone as deep into vice as me, and they've contented themselves with the likes of cocaine, heroin, MDMA, horse tranquillisers, that kind of thing.
I'd become a rent boy if I thought I could fund my love of a stinky bishop. But some people, some people aren't like me.
Some people haven't gone as deep into vice as me, and they've contented themselves with the likes of cocaine, heroin, MDMA, horse tranquillisers, that kind of thing.
Paracetamol.
Right.
We all have our vices.
Yeah, we've all got our vices, right? Some people go to street corners to score. I go down to Waitrose and breathe in the contents of the cheese counter.
Some people do yoga, you know.
Exactly. Everyone's got their thing, right?
Cheese strikes me as a very English thing.
And it's not just from the Wallace and Gromit, but I mean, of course, here in the United States, we are defined by American cheese, which if you've ever had it, that's not cheese at all.
It's barely cheese. I mean, it's mostly noticeable for being incredibly regularly square.
And it's not just from the Wallace and Gromit, but I mean, of course, here in the United States, we are defined by American cheese, which if you've ever had it, that's not cheese at all.
It's barely cheese. I mean, it's mostly noticeable for being incredibly regularly square.
No.
Well, look, I'm going to switch from cheese now. I'm going to go to—
Finally.
Hard drugs, because a chap called Carl Stewart from Liverpool has been a bit of a naughty boy. He used the name Toffee Force and was up to no good on EncroChat.
Do you guys know what EncroChat is?
Do you guys know what EncroChat is?
No.
New one to me, Graham.
EncroChat is a secure encrypted messaging service which runs on modified Android phones. It promises worry-free, secure communications.
Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone?
Now, can you imagine who would be particularly interested in spending thousands of dollars and a regular subscription to have such a phone?
Celebrities.
Elon Musk.
Well, it's criminals. Yes, of course.
Oh, right.
It is criminals.
Sorry, Elon.
And last year, law enforcement agents across Europe, they managed to crack into EncroChat, proving that its encryption and the security wasn't quite as good as people had imagined.
And apparently it had over 60,000 users worldwide, 10,000 in the UK. And everyone thought they were safe with it, right?
They thought, I've got this special phone, I've bought it from this French company, EncroChat, and if the cops ever come knocking on my door, all I have to do is enter a 4-digit PIN onto the phone and it wipes automatically all the data from the phone.
And apparently it had over 60,000 users worldwide, 10,000 in the UK. And everyone thought they were safe with it, right?
They thought, I've got this special phone, I've bought it from this French company, EncroChat, and if the cops ever come knocking on my door, all I have to do is enter a 4-digit PIN onto the phone and it wipes automatically all the data from the phone.
So that was their sales point? Was that their sales pitch?
The pitch was really, these are totally secure communications.
We don't save anything, you can delete everything from your phone, no one can find it, bish bash bosh. Okay.
So it wasn't just the app, it was the phone hardware itself.
It's a modified version of Android, that's right. Special phones. And this has been quite a big deal. They've arrested lots of people having cracked into EncroChat.
And they had this chap, Carl Stewart, who they suspected was supplying large amounts of Class A and Class B drugs under the name Toffifee. How could they prove this?
Well, it turned out that this chap Toffifee was a lover of Stilton cheese.
And they had this chap, Carl Stewart, who they suspected was supplying large amounts of Class A and Class B drugs under the name Toffifee. How could they prove this?
Well, it turned out that this chap Toffifee was a lover of Stilton cheese.
Okay.
Not just any Stilton cheese, but the kind of mature blue Stilton cheese you buy at Marks & Spencer.
Which is all right. It's not the best or anything.
Well, according to that—
I'm a cheese nut. No.
Well, according to the packaging, it says delicately rich and creamy. And he, I mean, he was from Liverpool. He wasn't gonna have some glamorous exotic cheese.
He probably watched the Marks & Spencer ad. You know, it's a woman who'd go, this is not just any cheese. This is a Marks & Spencer's, blah, blah, blah.
Okay, maybe for the—
I think it's not the moment.
Maybe for our benefit.
Could you describe what a Stilton cheese tastes like? Because it might add a little bit to that.
Ah, yes. So Stilton cheese tastes a bit like— you know when you've been wearing socks for about 6 weeks nonstop? And you have some kind of fungal infection.
But delicious socks, not gross socks.
Yes. And you've maybe been walking around in some damp fields.
Nice fields. Beautiful fields.
With flowers, just in your socks, just no shoes, just walking in the socks on the ground. Yeah.
And then maybe you got caught in a rain shower and then took a shower in your socks and then slept in your socks and then did that for a year or two.
Then you put them in the airing cupboard or the microwave for about— for a few minutes, and it's always very— oh my goodness, it's quite—
It's freaking delicious.
It is delicious.
Really good Stilton is like a cream because it's so— anyway, it's delicious. If you like blue cheese and you haven't had it, yeah, do it.
It's good.
It's good. Okay, it sounds like a full-body experience.
You want it in a jar. That's all I'm saying. Not in a packet. In a jar. That's when it's scraped off the socks.
Yeah.
Okay.
It will try and infect everything else with the smell.
Yeah, your whole fridge.
It's not as bad a smell as a— is it a durian fruit, Carole?
Durian, yeah.
Yes, which I've never smelled, although I have seen film of people smelling it and tasting it. I've heard it is quite decent.
I had a friend once.
Yeah.
Who will remain nameless, who tricked me into eating a chocolate without telling me it contained durian fruit.
It's like, I came down and I was like, it's the most delicious chocolate ever. Oh my God. Oh my God.
Here's one.
Gotta have it. Oh my God. It's so good. Oh my God. Graham, try it. And he just shoved it right in his face. And I just watched.
The durian fruit tastes a bit like sewage, doesn't it?
I don't know. I didn't try it.
I can tell you it does.
What is the thing with durian fruit? Why are people— it's like a delicacy, particularly in Asia, I hear.
It's a delicious— I think it's a delicious texture and delicious taste, but a horrible smell if raw and improperly prepared.
I think you're not allowed to transport it on passenger airlines. Is that right?
Yes, it's too smelly. What did that chocolate taste like, Graham?
I can't remember the chocolate part of it.
Yeah.
Anyway, back to Stilton cheese, which is nothing like durian fruit. It is a delicacy, but quite pungent. Anyway, so this chap, right? This chap called Stuart Toffee Force.
What he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand while standing in the aisle of Marks & Spencer.
And from that picture, just of his hand holding the cheese, the police were able to identify him.
What he did was he had posted on EncroChat a photograph of a block of Stilton cheese in the palm of his hand while standing in the aisle of Marks & Spencer.
And from that picture, just of his hand holding the cheese, the police were able to identify him.
Oh my— Did they magnify his fingerprints?
Exactly.
No.
Shut up!
Shut up! CSI!
See, I would have thought they went back and looked at surveillance film and found the guy holding a cheese and his cell phone up.
That could have been me. That could have been me holding the cheese.
At 4 AM in the morning.
That might happen hundreds of times a day in the UK, though.
So the Met Police now, they've arrested more than 60 people, many of whom have been charged with serious drug trafficking or firearms offences.
Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and 6 months in the clink.
Carl Stewart, this chap with the cheese, he's now been sentenced to 13 years and 6 months in the clink.
I can't remember what he did now. All I remember is he liked cheese.
He was trafficking— He was trafficking in horse tranquilisers and heroin.
And so he obviously had had a record and had prints on file with law enforcement prior to this, I guess.
Well, they'd already arrested him, so maybe they took his prints then and matched them to the ones in the evidence.
Right.
There we go.
That is a level of detail which I would expect a serious reporter like those at the Security Ledger to investigate rather than me.
Yeah, don't leave it to Graham.
Paul, what have you got for us this week? What are you here to talk about this week?
Well, I'm here to talk about the right to repair.
What is a right to repair?
Okay, so a right to repair is basically what it sounds like. It is a legal right, in other words, written into law, that gives you as the owner of a thing the right to repair it.
And usually what that means practically, because you'd be like, well, I can repair it.
But these days, increasingly, because everything we use basically has software on it, and also these days digital locks, right? Like DRM, digital rights management software.
Owners need more than just the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it.
If there's a part, a component on a circuit board that has burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair.
And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who get access to these tools and parts and information, then you also need to make that available to your customers, the people who own the device and basically their agents, people they might hire to do a repair.
So independent repair shops.
And usually what that means practically, because you'd be like, well, I can repair it.
But these days, increasingly, because everything we use basically has software on it, and also these days digital locks, right? Like DRM, digital rights management software.
Owners need more than just the thing itself. They need access to the software that runs it to read error codes and figure out what's wrong with it.
If there's a part, a component on a circuit board that has burned out, they need a schematic diagram to figure out where that component is on the board and a part number to replace it themselves if they want to do that repair.
And so right to repair laws basically codify that in law and say, as a manufacturer, if you make a thing and you have authorized repair people who get access to these tools and parts and information, then you also need to make that available to your customers, the people who own the device and basically their agents, people they might hire to do a repair.
So independent repair shops.
Hallelujah. Right. Because I honestly, it— okay. I'm sorry. I'm already on your side. Sorry, listeners, I didn't keep the tension up, but okay, carry on. I'll get on my soapbox later.
So this is a really important thing, and it is something that is a little bit esoteric.
I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia, and really has a lot of people paying attention to it.
And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, "You know what?
This is not fair," or, "This is inconvenient for me," or, "This is costing me money needlessly." I want to do a repair myself.
I think most people don't pay a lot of attention to this, but it is a movement that's been picking up steam both in the EU and in the UK and in North America and in Australia, and really has a lot of people paying attention to it.
And I think because we are increasingly inhabiting a world of intelligent, internet-connected, software-driven stuff, and the more onerous these kind of manufacturer-imposed ecosystems, kind of walled gardens become, the more people are kind of taking notice of this and saying, "You know what?
This is not fair," or, "This is inconvenient for me," or, "This is costing me money needlessly." I want to do a repair myself.
Could I give you a situation and you could tell me how the right to repair movement might suggest I would go about it?
Yes.
It happened to a friend, definitely not me.
Okay.
But I was on my laptop, right? With a glass of very, very nice whiskey. And then my husband asked me a question and I used my hand to communicate, which I do often.
F off.
Or I love you, probably.
And I spilled all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea, but it's not been working really well.
So in that situation, are you saying that that would be something I could say, look, you have to help me try and fix this?
And I spilled all the whiskey all over the keyboard of the laptop, which basically, you know, I then put it upside down in rice because I read that was a good idea, but it's not been working really well.
So in that situation, are you saying that that would be something I could say, look, you have to help me try and fix this?
So the problem would be this, which would be you did something really common, which is spilled a liquid into your laptop keyboard.
And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly.
And in that situation, there is probably some damage caused by that that is preventing your laptop from working correctly.
Moisture. Right. Yeah.
Maybe there were some short circuits of components on the motherboard on the computer as the liquid seeped in.
And all the rice that's now stuck to it as well.
Who knows what the rice did. So basically you want to fix your laptop and right to repair is really about what are your options as a consumer for getting that laptop fixed.
Right.
And there are generally, in most things in life, there should be three, which is the manufacturer might offer to repair it or have one of their authorized or licensed repair people do it.
You can try to repair it yourself if you're technically inclined, and many people are, or you could hire an independent, in other words, non-authorized repair shop to do it.
And generally, it's your automobile, right? Your car.
If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive.
If you bring it to the corner repair shop, same thing, they'll be able to fix it, maybe slightly less expensive.
Maybe they won't use the manufacturer's OEM parts, but you'll save money.
And obviously if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market.
The way it works for many devices these days, including your MacBook, you need parts and access to information.
So the reality for many consumers today who are in your situation is they bring their you take your MacBook to the Apple Store, to the Genius Bar, and they say, mm, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage.
We don't do repairs this. We suggest that you buy a new MacBook.
You can try to repair it yourself if you're technically inclined, and many people are, or you could hire an independent, in other words, non-authorized repair shop to do it.
And generally, it's your automobile, right? Your car.
If you bring it to the dealership and their repair people, they'll have all the parts and tools and stuff, but it might be more expensive.
If you bring it to the corner repair shop, same thing, they'll be able to fix it, maybe slightly less expensive.
Maybe they won't use the manufacturer's OEM parts, but you'll save money.
And obviously if you go out in your driveway and go under your car and repair it yourself, that's the cheapest solution. And that's a functioning market.
The way it works for many devices these days, including your MacBook, you need parts and access to information.
So the reality for many consumers today who are in your situation is they bring their you take your MacBook to the Apple Store, to the Genius Bar, and they say, mm, they take it out back and light incense and wave their hands over it and bring it back out to you and say, sorry, no, liquid damage.
We don't do repairs this. We suggest that you buy a new MacBook.
Right.
Yeah, I'm waiting to meet a real genius at the Genius Bar, honestly, 'cause I've been there a lot looking for them.
Right.
'Cause, you know, I smart people.
And when they say that, it does not mean that that is an unrepairable laptop. It just means it's a repair that the Genius Bar does not do because Apple does not allow them to do it.
Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that would require.
Apple doesn't want to hire and retain the people to do the soldering work or the more complex repairs that would require.
Right.
Okay. So they would basically say, why don't you just buy a new laptop? And most people would be like, okay, I'll buy a new laptop. It costs you thousands of dollars.
It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth.
But that's the way that system's set up.
The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage.
But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, okay, Carole spilled whiskey into her laptop.
What components actually burned out?
It is not the cheapest option available to you. Your old laptop gets thrown in a landfill where it leaches dangerous chemicals into the earth.
But that's the way that system's set up.
The other alternative would be to take it to an independent repair shop where they might have the skills and tools to repair that liquid damage.
But many of those independent repair shops do not have access to the tools that Apple makes available to figure out, okay, Carole spilled whiskey into her laptop.
What components actually burned out?
Do I have a vacuum anywhere?
What components burned out? What do we need to replace on this? What is broken exactly? And you need software to tell that to you. And Apple has a whole bunch of tools.
Tools that they don't make available to non-authorized repair people. They also don't make the parts available.
So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are.
And they don't give you access to the parts.
Tools that they don't make available to non-authorized repair people. They also don't make the parts available.
So if you want to replace a discrete component, they don't give you the schematic diagram to tell you what those parts are and where they are.
And they don't give you access to the parts.
I'm such an Apple fangirl. I'm really feeling this right now.
It isn't just Apple. So this is in one way or another, it's many device makers, though not all.
Companies like Dell and Hewlett-Packard make both parts diagnostic tools and schematics.
Companies like Dell and Hewlett-Packard make both parts diagnostic tools and schematics.
They sell you ink services, like £50 a month or something.
There are major computer manufacturers who are very pro-repair and have a healthy ecosystem of parts that you can buy inexpensively and access to tools and so on.
So what's the argument that these companies who aren't sort of making it easier to repair things, what's their argument for doing this?
They're variations on the same argument that the car dealership would make to you to discourage you from ever going to the corner repair shop, right?
Which is our parts are superior to their parts. Their parts are going to break or cause you to get in an accident.
Our mechanics are PhDs walking around in lab coats and their repair people are grease monkeys without high school diplomas.
You know, we care about the safety and privacy of your data and those other people are probably criminals who will steal it and sell it.
So it's a bunch of kind of misleading and untrue qualitative statements about the superiority of authorized repair, but there's no data to back up any of those claims, but they make them anyway.
Which is our parts are superior to their parts. Their parts are going to break or cause you to get in an accident.
Our mechanics are PhDs walking around in lab coats and their repair people are grease monkeys without high school diplomas.
You know, we care about the safety and privacy of your data and those other people are probably criminals who will steal it and sell it.
So it's a bunch of kind of misleading and untrue qualitative statements about the superiority of authorized repair, but there's no data to back up any of those claims, but they make them anyway.
And what do you suspect are the real reasons why they're not doing this?
So a couple things, and it depends on the company.
In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple.
You know, they make money off the Genius Bar, certainly.
However, I actually think that that's less of an issue for them than the fact that they really want to try and create a situation where the lifecycle of their phones, particularly, and iPads is as low as possible.
They want you to get a new phone every 2 to 3 years.
And if there are robust repair options that let you extend the life of your phone to 5, 7, 10 years, that has a major impact on Apple's revenue models.
For other companies, and I've written a lot about John Deere, a major US agricultural equipment maker, it seems clear that the monopoly on the aftermarket parts and service is the point.
In the case of Apple, there certainly is, you know, obviously having a monopoly on aftermarket service and parts is incredibly valuable to Apple.
You know, they make money off the Genius Bar, certainly.
However, I actually think that that's less of an issue for them than the fact that they really want to try and create a situation where the lifecycle of their phones, particularly, and iPads is as low as possible.
They want you to get a new phone every 2 to 3 years.
And if there are robust repair options that let you extend the life of your phone to 5, 7, 10 years, that has a major impact on Apple's revenue models.
For other companies, and I've written a lot about John Deere, a major US agricultural equipment maker, it seems clear that the monopoly on the aftermarket parts and service is the point.
Yeah, that's where you make your money.
That's where they're making their money.
And service revenue as a percentage of their overall revenue has skyrocketed in the last 10 or 12, 15 years as they've been able to basically lock out independent repair and owners from being able to work on their own stuff.
And service revenue as a percentage of their overall revenue has skyrocketed in the last 10 or 12, 15 years as they've been able to basically lock out independent repair and owners from being able to work on their own stuff.
Fun topic, Paul.
Sorry.
No, no, it's an important topic. I was just kidding. I was just trying to make a little levity there.
Yeah, I mean, let me tell you why I think this is really important.
Okay, so first of all, let me tell you, do you want the, this is a cybersecurity podcast, so here's the link to cybersecurity.
Okay, so first of all, let me tell you, do you want the, this is a cybersecurity podcast, so here's the link to cybersecurity.
Right, yes. 'Cause I had plenty in my story, let me point that out.
You did, yours was all cybersecurity.
Yes.
Okay, so I got involved in this because I started going to fix-it clinics in and around Boston where you go and just get stuff repaired by people in your community. It's great.
Before COVID they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the Right to Repair program at US PIRG, the Public Interest Research Group.
And he was talking about the efforts to get this law passed in some of the states in the United States.
And he was saying that one of the big arguments against, one of the things that sends lawmakers screaming is cybersecurity.
That vendors, OEMs can come in and say, hackers, hacking, data theft, and people kind of run screaming.
And I knew enough to know that those arguments were almost certainly not accurate, that there wasn't really a cyber risk in repair and the types of things these laws were asking about that devices get hacked because of other problems.
Right? You know, poor configuration, vulnerable software, you name it.
And so I started this group Secure Repairs to basically say, listen, as a security community, we should speak with one voice on this and we should speak the truth about where security risks are with connected devices and where they aren't.
And we should use our influence to sort of try and bend this policy discussion in the right direction. And the right direction being the one based on facts and not fear.
Before COVID they were a thing. And ended up talking to a guy, Nathan Proctor, who is the head of the Right to Repair program at US PIRG, the Public Interest Research Group.
And he was talking about the efforts to get this law passed in some of the states in the United States.
And he was saying that one of the big arguments against, one of the things that sends lawmakers screaming is cybersecurity.
That vendors, OEMs can come in and say, hackers, hacking, data theft, and people kind of run screaming.
And I knew enough to know that those arguments were almost certainly not accurate, that there wasn't really a cyber risk in repair and the types of things these laws were asking about that devices get hacked because of other problems.
Right? You know, poor configuration, vulnerable software, you name it.
And so I started this group Secure Repairs to basically say, listen, as a security community, we should speak with one voice on this and we should speak the truth about where security risks are with connected devices and where they aren't.
And we should use our influence to sort of try and bend this policy discussion in the right direction. And the right direction being the one based on facts and not fear.
Do you know what though?
If I made a cell phone and the world decided, oh my God, I need to have that, and everyone bought it, yes, I would be an absolute control freak about everything about it.
If I made a cell phone and the world decided, oh my God, I need to have that, and everyone bought it, yes, I would be an absolute control freak about everything about it.
Because, oh, you're not suggesting Apple are control freaks, are you? That doesn't sound like them at all.
All I'm saying is I get it, right? Because I understand what you're saying 100%. It makes 100% sense. I agree. I agree. Ethically, morally, I agree.
Yes.
But I also can recognize in me, were I the successful creator of this tiny anything that I didn't, and I thought I was so smart and no one else could possibly do as good a job as my people could, which I would, because that's the type of person I am.
I would be exactly the same and it would suck. And I would need people like you on my case.
I would be exactly the same and it would suck. And I would need people like you on my case.
If you have a business, why would you not want a monopoly on whatever it is that you do?
Exactly.
Right? Who would not want that?
What do you use, Paul?
I have an Apple iPhone. It's an older model.
That's why he's hot on all this. He's peeved about every time he has to go to the Genius Bar. They won't blink and fix it. They won't replace his battery.
Right.
Carole, what have you got for us this week?
Cluley, do you remember Yik Yak?
Yes.
Can you tell our lovely listeners what about our plans on Yik Yak?
Well, many years ago, it's probably about 20 years ago.
20? I thought I put 15 in my notes.
But anyway, Carole, you, I, and our two lovely Croatian friends, we ganged up together to take on the world and create a social networking dating website thing that was going to make us a fortune.
And we called it Yik Yak.
And we called it Yik Yak.
Yep. And we bought the domains.
Yes.
And I remember we had one meeting where we were kind of like, okay, how are we gonna parse people's choosing, right?
Like, we were making up this algorithm for ourselves, like hair color, height, right?
Like, we were making up this algorithm for ourselves, like hair color, height, right?
People care about that.
And we had a meeting about discussing all this stuff. But did you ever think about whether people would just use it for hookup versus serious relationship?
Did that ever occur to you?
Did that ever occur to you?
It never occurred to me at all that people might want to have sex. No, that's not a thought which ever crosses my mind.
Well, if we were around today, single, free and easy— Paul, you're not single and free right now, right?
God, no.
Yeah, we're all married. So if we were single, we would probably be using dating apps to meet people. And the thing is, apparently the pandemic has changed online dating.
There's a shift. So it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right?
The BBC suggested that some of the changes might be here to stay even as life returns to normal, because of course this all has to do with the pandemic.
So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps.
There's a shift. So it obviously had a reputation for being a little fast-paced. You know, I knew people who could munch through matches as though they were Skittles, right?
The BBC suggested that some of the changes might be here to stay even as life returns to normal, because of course this all has to do with the pandemic.
So someone said, I think video calls are very much here to stay as a means of pre-screening people you meet on apps.
God, how awful would that be?
I love it.
I'm kind of surprised that people weren't doing that before. Are you really gonna go out and meet somebody randomly in meat space?
And someone says, once the first lockdown ended, I still preferred initially getting to know people in the virtual world before we went for drinks.
I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well.
I feel it's definitely a positive trend. I'm now going on fewer dates, but when I do, it tends to be far more likely that date goes well.
Okay, all right.
Right, 'cause you're screening. You kind of meet someone, you're like, okay, I don't like you, but you don't have to schlep back home.
Is there chemistry over Zoom though? I mean, is that a thing? Can you have chemistry with somebody over a Zoom connection?
They wouldn't be able to smell my pheromones.
I'm going to call my husband tonight. I'm going to say, go upstairs to your office. I'll call him on Zoom and I'll see if there's more flirtiness.
Oh, we know what he's like. He's very flirty.
Oh, look, he fell asleep watching TV again.
Exactly. That's normally me, actually. Okay. Before the pandemic, though, apparently many couples still met at school, mutual friends, family, church, bars, whatever. Whatever, right?
But then pandemic happened.
And this is confirmed by people like Match Group, you know, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Hinge, as some of us like to call it.
They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down.
So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.
But then pandemic happened.
And this is confirmed by people like Match Group, you know, which own dozens of dating apps, Tinder, OkCupid, Hinge, or Hinge, as some of us like to call it.
They reported an 11% increase in average subscribers in a 12-month mid-pandemic period. That's pretty big, right? And they just think that the pace is slowing down.
So the data is showing that people are being more selective and intentional about who they're reaching out to in the first place.
Of course, they can't go meet people. Of course, yes, of course it's slowing down because you can't go out.
Exactly. So I'm thinking, I'm thinking, who's winning in this, right? Because there are some apps out there that are geared to more serious relationships than just the bone-in type.
Sorry, what did you say?
I'm crying.
Like a bone-in radio show? What's—
Then the more one-night stands.
Z-E-Z-O-N-1-N?
I wouldn't know, Paul, come on. So serious relationship websites like the Japanese Omiyae. I know I'm saying it wrong, fuck. So I even got my husband to teach me.
Sorry, is it spelled that?
Or is it like Omiya Gladden or something?
What is that?
Oh no, I've got the giggles now. This is really bad. O-M-I-A. That doesn't sound—
O-M-I-A.
Okay.
How do you spell it?
How do you spell it? I have the giggles. I can't stop now. O-M-I.
Is that it? O-M-I? If so, you're definitely pronouncing it incorrectly.
No. O-M-I-A-I.
Oh, O-M-I-A.
O-M-I. O-M-I. OMIA.
Catchy name. They're not listening anyway, Carole, so don't worry, they're not listening.
But anyway, all I can tell you is the name connotes traditional matchmaking systems, okay, that has been going on for centuries. So the name means like look meet or look love.
There's a jeu de mots there somewhere in the OMIA.
As someone described it in an app review, saying the search function is very detailed, allows you to specify preferences in various fields including nationality, education, income, and body type.
So in Japan, that seems to be the 4 things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay.
It focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term fling.
There's a jeu de mots there somewhere in the OMIA.
As someone described it in an app review, saying the search function is very detailed, allows you to specify preferences in various fields including nationality, education, income, and body type.
So in Japan, that seems to be the 4 things that matter. Nationality, education, income, and body type. So Japanese, smart, rich, thin. That's all they care about, it seems. Okay.
It focuses on trying to offer its customers an opportunity for a long-term relationship rather than a short-term fling.
Right.
5 to 7 million people have used this and they claim they facilitate more than 50 million successful matches so far. Like, what's a successful match?
How do they know that?
Yeah, exactly. What, 3 months, 6 months, a marriage?
Do people go back to the app and say, "Yep, that one worked," or "I snookered her," or whatever?
And then they get a £10 voucher?
No. Yeah.
I like the way that they're sort of like, "Well, we're different 'cause we're trying to get people to have long-term relationships." And it's like, how much— is that really a new concept?
I don't think it is.
I don't think it is.
Yeah, hey, it's all rebranding, dude.
There are really two flavors in the dating app world, which is hookups and people who want to have relationships. Those are basically the two choices.
That is, yeah. So anyway, the reason I'm talking about it is they got hacked.
Oh.
2 million users and most likely exposed. Okay, now they announced this on a Friday. Weren't we talking about that earlier? The Friday announcements, right?
So they did this and they said that the personal data of 1.71 million users was likely to have leaked due to unauthorized access to its servers.
So they did this and they said that the personal data of 1.71 million users was likely to have leaked due to unauthorized access to its servers.
Oh dear.
Okay, so number one, the first thing to know is Bloomberg said the value of OMIAI's share fell almost 20%.
Okay, and that is the biggest drop that company ever saw since it got listed in 2017, and they're valued around $70 million. So a big chunk of change.
The parent company notified the public of the breaches, and they've put together this document which I want us to look at in a second.
But basically apparently the still unknown hackers have made away with usernames, photographs, as well as data from ID cards, driver's licenses, and passports, all of which were mandatory during the registration.
And this was all for their security messaging, which we'll get to in a second.
Okay, and that is the biggest drop that company ever saw since it got listed in 2017, and they're valued around $70 million. So a big chunk of change.
The parent company notified the public of the breaches, and they've put together this document which I want us to look at in a second.
But basically apparently the still unknown hackers have made away with usernames, photographs, as well as data from ID cards, driver's licenses, and passports, all of which were mandatory during the registration.
And this was all for their security messaging, which we'll get to in a second.
Oh, so they asked for all this really detailed personal information and scans of things like ID cards and passports? Passports?
To make sure that they could say, we know who you— we're validating the people.
No mischief makers. I can't create an account, call myself Gloria something or other.
Exactly.
And right, unless I have Gloria's passport, right?
They've put a statement, and Paul, I'm particularly interested in your point of view here, both as a journalist and someone who lives in the States, right?
And has probably read millions of these.
You may have to do a little quick Google Translate depending on how good your Japanese is, 'cause I don't think I can send it to you in English.
And has probably read millions of these.
You may have to do a little quick Google Translate depending on how good your Japanese is, 'cause I don't think I can send it to you in English.
My Japanese is excellent.
Okay, well good, I hope you read that in real time. So.
By which I mean, Chrome did it for me.
Fantastic, okay, so this is their apology and notice regarding member information leakage due to unauthorized access. Okay, right off the bat, I'm thinking that is not from the US.
From a liability standpoint, right?
From a liability standpoint, right?
Yes.
From a liability standpoint, right?
Yeah, that is true, yeah, yeah, yeah.
Yeah, but I have seen press conferences before from Japanese companies after they've been hacked where the board actually go on television and do a very deep bow of apology.
I think we should adopt it.
Yeah, I'd love that. I'm so with you.
So second paragraph, the we deeply apologize for any inconvenience caused by our members and all concerned.
So inconvenience, I think, is a little bit of a light word considering you've somehow my passport number has gotten snarfed along with all my other personal ID.
But they say at this time they're searching the web and they're saying they're not looking. Let's see, that's a really hard statement to make, right?
Like, we haven't seen it be used, therefore it's not happening yet because maybe we're not looking in the right places, you know? I don't know.
So inconvenience, I think, is a little bit of a light word considering you've somehow my passport number has gotten snarfed along with all my other personal ID.
But they say at this time they're searching the web and they're saying they're not looking. Let's see, that's a really hard statement to make, right?
Like, we haven't seen it be used, therefore it's not happening yet because maybe we're not looking in the right places, you know? I don't know.
So they're searching the web for exposed members, is that what you're saying?
Yeah. Are they? Are they? Are they?
Thank you, Paul. Glad you got it.
Oh, were you being dirty?
Yes, I was.
Oh, I don't get that.
I'm like totally not into that sort of thing. Don't worry, it's good that you don't. Go and get it, girl.
And they're getting a lot of hits too.
We're just gonna crack on. We're cracking on, we're cracking on.
So they— but like health insurance cards, passport numbers, they have this also, this ID number Japan, the numbers, car driver's license.
So they— but like health insurance cards, passport numbers, they have this also, this ID number Japan, the numbers, car driver's license.
Yeah.
So, and it says of these, about 60%, which is the majority of the total— thank you— is occupied by driver license image data. So they also have your phishing. But they—
That's great. That's—
Yeah.
And then they say, don't worry though, because we outsource our financial stuff, so no one got a hold of the credit card info.
Yeah, well, phew. It's like, look, you can always cancel a credit card. I mean, that's not a big deal. But, you know, you can't— you can't unsee that driver's license or passport.
I like the deep bow thing as well, and I would love to see Western companies do that because I think it's both deserved and would be a really welcome change from the sort of legalistic, "Regarding the incident that occurred last week regarding our members." If you were offended, we're—
I like the deep bow thing as well, and I would love to see Western companies do that because I think it's both deserved and would be a really welcome change from the sort of legalistic, "Regarding the incident that occurred last week regarding our members." If you were offended, we're—
Yeah.
On the other hand, they do engage in what I think you guys would recognize some pretty common breach hand waving.
"We have no reason to believe that any of the stolen information has been used." It's like, "We have no reason to believe that the $600 they took from your bedside drawer has been spent." Well, I think it will be spent.
I think that's actually why they took it.
"We have no reason to believe that any of the stolen information has been used." It's like, "We have no reason to believe that the $600 they took from your bedside drawer has been spent." Well, I think it will be spent.
I think that's actually why they took it.
And check this out. So on the site, women can join for free while men have to pay about $40 a month in order for—
Sexist.
In order to use the services. Yet both parties seem to have lost their data, so.
Yes.
Right? So I guess there's equality there. Now on their website, you see I give you the link there in the cast.
Oh, I'm on their homepage right now. Omiai, they've got— they've underlined the eye bit at the end.
But if you, if you scroll down, that they actually advertise their reasons for being safe and secure, right?
They say basically there, we make various efforts so that users who want to have a serious relationship can use it safely and securely.
So we only display nicknames, only the people that have passed the age confirmation, which we have, you know, checked through every single.
Only people who've uploaded their passport will be allowed onto the site.
They say basically there, we make various efforts so that users who want to have a serious relationship can use it safely and securely.
So we only display nicknames, only the people that have passed the age confirmation, which we have, you know, checked through every single.
Only people who've uploaded their passport will be allowed onto the site.
They're saying, you know, let me say, my first off-the-top-of-my-head impression of this site is that I am too old to use it, right?
And you know what, that when I look at these faces, they all look young.
And you know what, that when I look at these faces, they all look young.
In the security section, they have this note, okay, there's a starred bit, it says the use is limited to singles and is prohibited for those who have a lover.
Don't get greedy. Don't get greedy.
That's right.
That's right.
Lovers are not welcome.
If you are looking for an affair, then go to ashleymadison.com.
That's true.
Be as careful with your data.
That's right.
But they're just looking for one-night stands. That was hookup material. That wasn't love. That was an eHarmony. Isn't that the love one? eHarmony?
Yes. eHarmony is the algorithmic love company.
Is it?
One of the things that I think is interesting is the cost of collecting and retaining this data.
You applaud them for their sincere efforts to verify the actual identity of all their applicants, but you wonder, having verified that identity, why are you holding onto this data?
Because it's like the 30,000-gallon tank of spent diesel fuel in the back of your lot. If it just sits there long enough, something bad's gonna happen.
You applaud them for their sincere efforts to verify the actual identity of all their applicants, but you wonder, having verified that identity, why are you holding onto this data?
Because it's like the 30,000-gallon tank of spent diesel fuel in the back of your lot. If it just sits there long enough, something bad's gonna happen.
Or the crate of mature Stilton, which I have in my living room.
Or the crate of mature Stilton. Right.
It—
There is a risk to holding onto it. And the risk is that it's going to leak. And I wouldn't want to know what that crate of Stilton would look like if it were to leak.
But I'm guessing it would be an ugly scene.
But I'm guessing it would be an ugly scene.
Delicious.
An ugly and smelly scene.
I'd eat it. Yummy. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. An artist.
In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised.
Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions.
And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform.
See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest.
Think of KnowBe4 for your security training.
In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised.
Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions.
And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform.
See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest.
Think of KnowBe4 for your security training.
The perfect solution for companies of all sizes, 1Password is quick to deploy, simple to manage and fit seamlessly into your team's workflow, so you can secure your business without compromising productivity.
All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices.
See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised, so you can update passwords right away.
Find out more and try 1Password for free for 14 days at 1password.com.
All kinds of teams can securely share everything needed to work together. Give employees access to logins, documents, credit cards, and more on all of their devices.
See if company email addresses or credentials have been exposed in a data breach and get alerts when accounts are compromised, so you can update passwords right away.
Find out more and try 1Password for free for 14 days at 1password.com.
According to the OneLogin I Am OK mental health survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.
And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.
Smashing Security listeners are invited to attend their live event on Wednesday, May 26th, for free. It's called Keeping the Mind Clear and the Company Secure.
Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show.
In today's work-from-anywhere era, CISOs and IT executives work tirelessly to make sure the organization's information assets and technologies are properly protected.
And this increased pressure has led to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies. OneLogin's message: you are not alone.
Smashing Security listeners are invited to attend their live event on Wednesday, May 26th, for free. It's called Keeping the Mind Clear and the Company Secure.
Learn more at smashingsecurity.com/oneloginiamokay. That's smashingsecurity.com/oneloginiamokay. And thanks to OneLogin for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related.
I have, over the last few days, watched a TV program on the old television, in fact, on BBC iPlayer, and it is an adaptation of a book by Nancy Mitford called The Pursuit of Love.
I have, over the last few days, watched a TV program on the old television, in fact, on BBC iPlayer, and it is an adaptation of a book by Nancy Mitford called The Pursuit of Love.
Are you freaking kidding me?
No, I am not. Why, have you chosen that as well?
No, but, you know, I'm surprised you're— Is this a book you're doing?
No, I'm not doing a book. I'm doing the TV version. Oh, right, okay.
I was just gonna say, 'cause it's a beautiful book, listeners. Anyone who likes to read. I just didn't believe you were reading a book like that.
No, I have not.
But if you'd like it, it's good.
Kroll? I've seen the TV version.
Oh, right. Who needs the book?
And I really, really liked it because it was funny and crazy. And I'll tell you some of the people who star in it. We got Lily James, Dominic West, Andrew Scott, who was Moriarty.
He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters.
And Emily Mortimer, the actress, also directs, and she wrote the adaptation as well of The Pursuit of Love. And it's really very entertaining.
I wasn't quite sure what to expect when I started it, but I thought, oh, this is a lot of fun, and I greatly enjoyed it.
And I was reading an interview with Emily Mortimer where she said it was partly based, or at least inspired by, that Marie Antoinette movie from a few years ago, which had modern bits and period bits, but modern music and all the rest of it.
It's cut very well.
He was also in Fleabag, if you remember him. And we also have Emily Mortimer, who appears as the Bolter, who is the mother of one of the characters.
And Emily Mortimer, the actress, also directs, and she wrote the adaptation as well of The Pursuit of Love. And it's really very entertaining.
I wasn't quite sure what to expect when I started it, but I thought, oh, this is a lot of fun, and I greatly enjoyed it.
And I was reading an interview with Emily Mortimer where she said it was partly based, or at least inspired by, that Marie Antoinette movie from a few years ago, which had modern bits and period bits, but modern music and all the rest of it.
It's cut very well.
What's this play? Where did you see this?
On the BBC website.
Oh, on the BBC.
Yes, on the BBC. On the BBC, darling. Yes, on the BBC.
Brilliant.
Anyway, so my recommendation, my pick of the week this week is The Pursuit of Love on BBC iPlayer. I think you'll rather enjoy it. Paul, what's your pick of the week?
I have, you know, I feel like the dinner guest who you invite and, you know, he just ends up talking about environmental pollution or crime or something and just brings the whole party down.
Fun, so fun.
I have a cybersecurity story that I grabbed from MIT Technology Review called Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms.
And it's by Renee Dudley and Daniel Golden. This is one of those stories that I didn't write, but I kind of wish I wrote.
First of all, it profiled the work of this group called the Ransomware Hunting Team that is a volunteer group that helps ransomware victims get free of the ransomware and kind of works behind the scenes.
Really interesting looking at that.
It's also interesting because it talks a little bit about some of the ethical quandaries that cybersecurity firms face when they look to both call attention to their wares and their technical expertise, but also in the process might actually do a favor for some of the cyber criminal groups that they are actually working against.
And it's by Renee Dudley and Daniel Golden. This is one of those stories that I didn't write, but I kind of wish I wrote.
First of all, it profiled the work of this group called the Ransomware Hunting Team that is a volunteer group that helps ransomware victims get free of the ransomware and kind of works behind the scenes.
Really interesting looking at that.
It's also interesting because it talks a little bit about some of the ethical quandaries that cybersecurity firms face when they look to both call attention to their wares and their technical expertise, but also in the process might actually do a favor for some of the cyber criminal groups that they are actually working against.
So in this case, a bit of a tip-off.
In this case, a cybersecurity firm developed a decryptor for some ransomware used by the DarkSide group and basically blasted out to the world that they had a decryptor and that DarkSide's ransomware was reusing RSA keys.
And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did, and then thanked the cybersecurity firm for ticking them off.
So there was a big discussion in this article just about that dynamic. What is the moral responsibility of cybersecurity companies? And is there a right way to do this?
And that was a big red flag to the DarkSide group to fix that flaw in their ransomware, which they promptly did, and then thanked the cybersecurity firm for ticking them off.
So there was a big discussion in this article just about that dynamic. What is the moral responsibility of cybersecurity companies? And is there a right way to do this?
So I read this article. It's an interesting security article. Yeah, I'm afraid it is.
I'm really sorry.
But that's all right.
Will you ever forgive me?
No.
But basically, I was thinking you're kind of damned either way, aren't you?
Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption.
Because if you produce a tool to decrypt the damage done, you want to tell people that it's available because there may be victims who never find out that there's a tool available or there's a way to do the decryption.
Yes.
You know, I have some sympathy with the security firm.
Yes. This gets in. I mean, there are often issues that come up.
You know, did Franklin Roosevelt know about Pearl Harbor but didn't do anything because he knew that then the US would be able to get into the— I mean, these type of ethical quandaries come up all the time.
And in the cybersecurity ransomware world, they come up all the time as well.
The big problem that this article raised, and this is a sort of structural problem, is that the traditional people we look to to address these problems, like the FBI or Scotland Yard, are way behind even volunteer groups like this ransomware hunting team in actually being able to intercede and help companies.
I wrote an article for Security Ledger years ago, in 2014, based on a presentation I had seen in Boston by the head of the Boston FBI, where he basically told an audience, if you get infected with ransomware, just pay the ransom because we can't help you.
The encryption's too good. We don't have the technical expertise to decrypt this stuff. So just pay the ransom. We can't spin straw into gold.
We don't have the ability to do this— behind the bad guys in terms of our technical expertise and our ability to fight back.
You know, did Franklin Roosevelt know about Pearl Harbor but didn't do anything because he knew that then the US would be able to get into the— I mean, these type of ethical quandaries come up all the time.
And in the cybersecurity ransomware world, they come up all the time as well.
The big problem that this article raised, and this is a sort of structural problem, is that the traditional people we look to to address these problems, like the FBI or Scotland Yard, are way behind even volunteer groups like this ransomware hunting team in actually being able to intercede and help companies.
I wrote an article for Security Ledger years ago, in 2014, based on a presentation I had seen in Boston by the head of the Boston FBI, where he basically told an audience, if you get infected with ransomware, just pay the ransom because we can't help you.
The encryption's too good. We don't have the technical expertise to decrypt this stuff. So just pay the ransom. We can't spin straw into gold.
We don't have the ability to do this— behind the bad guys in terms of our technical expertise and our ability to fight back.
So this article is your pick of the week this week. And if people want to hear more about the arguments back and forth, they can go and check it out.
Carole, what's your pick of the week, brackets, not security related, close brackets.
Carole, what's your pick of the week, brackets, not security related, close brackets.
It's very, very not security related. And my pick of the week is not an audio drama, but it's an app.
Marvelous.
Okay, to help you take better pictures.
Well, if you used to take pictures with an old camera and you miss the flexibility of that, but you don't really want to carry around a DSLR all the time. And it's called Obscura.
Basically, Apple has a very good native app, but it's highly automated, right?
And to some people that might be used to taking pictures with old cameras, it can feel a bit like a digital straitjacket because you don't have any manual control over the images.
I mean, it's been getting better. I'm not saying it's the worst, but I'm just saying for a— However, you can get Obscura, which I really like.
You get full control over the key camera settings. The UI is very nice, easy to kind of intuit and clear, speedy, and it's got great haptic feedback.
And it also can read different picture formats. So JPEGs, but also the Apple HEIC and the RAWs and all those things. And it works in landscape portrait and has loads of filters.
Filters, which I haven't, I'm not really into filters, but if you are into that, there's tons of them. And it's just a really cool app. And I think well worth the money.
So if you're into—
Well, if you used to take pictures with an old camera and you miss the flexibility of that, but you don't really want to carry around a DSLR all the time. And it's called Obscura.
Basically, Apple has a very good native app, but it's highly automated, right?
And to some people that might be used to taking pictures with old cameras, it can feel a bit like a digital straitjacket because you don't have any manual control over the images.
I mean, it's been getting better. I'm not saying it's the worst, but I'm just saying for a— However, you can get Obscura, which I really like.
You get full control over the key camera settings. The UI is very nice, easy to kind of intuit and clear, speedy, and it's got great haptic feedback.
And it also can read different picture formats. So JPEGs, but also the Apple HEIC and the RAWs and all those things. And it works in landscape portrait and has loads of filters.
Filters, which I haven't, I'm not really into filters, but if you are into that, there's tons of them. And it's just a really cool app. And I think well worth the money.
So if you're into—
Are you now using this as your default camera app?
I'm learning. I have to get the memory muscle to work, right? Because I keep kind of going, oh, that's amazing. And then I take it and I'm like, oh God, why can't I get?
And I'm like, no, no, just go to the other app and then fix the exposure and I'll get a much better pic. So it's worth it. So the app is called Obscura and it's my pick of the week.
And I'm like, no, no, just go to the other app and then fix the exposure and I'll get a much better pic. So it's worth it. So the app is called Obscura and it's my pick of the week.
Oh, bless. Now, Carole, you've been speaking to Javvad Malik from KnowBe4 this week.
Yes, we had a very amazing chat, and what a great guest. So take a listen. This is Javvad.
All right, we're here with someone who has actually been a guest host on Smashing Security before. That's Javvad Malik. He is a security awareness advocate at KnowBe4.
Welcome, Javvad.
All right, we're here with someone who has actually been a guest host on Smashing Security before. That's Javvad Malik. He is a security awareness advocate at KnowBe4.
Welcome, Javvad.
Thank you so much, Carole. Thank you for having me.
You are sitting now in the throne. This is like the featured interview, so we're kind of celebrating you and KnowBe4 in this.
I know, I feel very honored and, you know, I could get used to this. This throne is quite comfortable.
Javvad, you do a lot of things.
So on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast, you're a popular vlogger and blogger, you do events, you're basically an all-round security pundit.
Would that be fair?
So on top of being a security awareness advocate at KnowBe4, you also are a host on a podcast, you're a popular vlogger and blogger, you do events, you're basically an all-round security pundit.
Would that be fair?
Yes, that's right. When I try to sound cool, I say I'm— think of like The Rock, who's multi-talented in every facet, like wrestling, movies, business ventures.
That's what I aspire to be in the security world.
That's what I aspire to be in the security world.
I don't think you need to aspire. I think you've already reached many of those dizzying— Oh, you're very kind. Well, look, now we are here to talk about KnowBe4.
So can you tell us a little bit about the company and what KnowBe4 does?
So can you tell us a little bit about the company and what KnowBe4 does?
So KnowBe4 is focused on the human.
You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff.
And majority of times we're focusing on the technical layers, which are very important. But what KnowBe4 focuses exclusively on is the human layer within that.
So people, they make mistakes and/or they can be fooled. And criminals, they, you know, if breaking into an organization technically directly is quite difficult these days.
So it's a favored technique is to just go after the user.
So whether that be a phishing email, of sending them a USB or drive to plug in or phoning them up and pretending to be someone and getting them to do something that's not in their best interest.
That is the preferred method that a lot of criminals break into organizations.
I mean, even if you look at a lot of these threat intelligence reports that track nation-states or organized criminal gangs, the majority of the time, point of entry is through phishing emails.
So what we do at KnowBe4 is we help try to strengthen the humans.
We give them security awareness and training, help them practice in a safe environment by sending them simulated phishing emails.
And then there's a whole ton of awareness content on the back of it in the form of videos and games and all the other material like posters and what have you, just to help people, you know, just remember what's important and what to do if they suspect anything to be a bit malicious.
You know, we talk about all our layers in security and we have all of our technical layers and protect and defend and detect and respond and all that kind of stuff.
And majority of times we're focusing on the technical layers, which are very important. But what KnowBe4 focuses exclusively on is the human layer within that.
So people, they make mistakes and/or they can be fooled. And criminals, they, you know, if breaking into an organization technically directly is quite difficult these days.
So it's a favored technique is to just go after the user.
So whether that be a phishing email, of sending them a USB or drive to plug in or phoning them up and pretending to be someone and getting them to do something that's not in their best interest.
That is the preferred method that a lot of criminals break into organizations.
I mean, even if you look at a lot of these threat intelligence reports that track nation-states or organized criminal gangs, the majority of the time, point of entry is through phishing emails.
So what we do at KnowBe4 is we help try to strengthen the humans.
We give them security awareness and training, help them practice in a safe environment by sending them simulated phishing emails.
And then there's a whole ton of awareness content on the back of it in the form of videos and games and all the other material like posters and what have you, just to help people, you know, just remember what's important and what to do if they suspect anything to be a bit malicious.
Maybe you can tell us about it from the point of view of someone who might be interested in running these phishing simulations. They come across your name, how does it work?
Product is really self-service. It's highly automated. So if you're a customer or even if not, you can sign up to a free phishing test on our website.
You go knowbefore.com/freetest and you can sign up there. And what you'll see is that there's thousands of templates there. And these are in different languages.
They're bundled into different categories. So if you want, hey, let's do social media type one.
So you can say, okay, let's send our users a LinkedIn phishing template because that's quite a popular one in the work area.
You can tailor it to be, you know, more specific or more generic. And, you know, it goes off to all the users that you specify.
And the great thing about the platform is that it can randomize the time it sends them out.
So it's not like everyone in the office gets the exact same template at the exact same time, because you then get the meerkat kind of response where one person gets it, he looks up, and they look around and say, "Hey, has anyone else got this?" And everyone's "Yes, we got this." And then it kind of defeats the purpose of the test.
You go knowbefore.com/freetest and you can sign up there. And what you'll see is that there's thousands of templates there. And these are in different languages.
They're bundled into different categories. So if you want, hey, let's do social media type one.
So you can say, okay, let's send our users a LinkedIn phishing template because that's quite a popular one in the work area.
You can tailor it to be, you know, more specific or more generic. And, you know, it goes off to all the users that you specify.
And the great thing about the platform is that it can randomize the time it sends them out.
So it's not like everyone in the office gets the exact same template at the exact same time, because you then get the meerkat kind of response where one person gets it, he looks up, and they look around and say, "Hey, has anyone else got this?" And everyone's "Yes, we got this." And then it kind of defeats the purpose of the test.
So—
It reminds me of the mass mailers of the late—
Yeah.
The early noughties.
Yeah, exactly. So you can actually send different templates to different groups of people or different individuals and at different times. So it staggers them out.
And then what you can do, you can see how many people have opened the email, how many people have clicked through on a link or whatever the payload might be.
It might be a link, it might be a, hey, enter your credentials here, it might be reply or whatever that is.
And then also you can see how many people have reported it to your security team.
So whether that's an internal process you have, if you receive a suspicious email, forward it to the security team, or you can download our Phish Alert button, or PAB for short, which is a Gmail and Outlook plugin that sits in your inbox.
So if you see an email that looks suspicious, you just click the button and it takes it out of your inbox and sends it to the security team to investigate.
And then what you can do, you can see how many people have opened the email, how many people have clicked through on a link or whatever the payload might be.
It might be a link, it might be a, hey, enter your credentials here, it might be reply or whatever that is.
And then also you can see how many people have reported it to your security team.
So whether that's an internal process you have, if you receive a suspicious email, forward it to the security team, or you can download our Phish Alert button, or PAB for short, which is a Gmail and Outlook plugin that sits in your inbox.
So if you see an email that looks suspicious, you just click the button and it takes it out of your inbox and sends it to the security team to investigate.
So basically, you're putting the IT team in the driver's seat rather than you guys doing all the decision-making on what content's included and how they're sent out.
They actually get to decide themselves completely. It's almost like an autonomous effort.
They actually get to decide themselves completely. It's almost like an autonomous effort.
Yeah, exactly, exactly.
And that's kind of cool.
Yeah, I mean, you know, it's the security teams that ultimately have the relationship, or should have the relationship, with all the users within the organization.
So they're best placed to make the right decisions if they have the right relationships.
And we've seen examples of where this has gone wrong, where they should have that environment where they tell people, hey, if you receive phishing email, this is what you should do, this is what you should look out for.
We're going to be doing simulation tests at this time throughout the year.
And these are some of the topics that we think are inappropriate for our user base because of whatever reasons.
It's when you get that wrong, people, instead of being educated in a phishing test, they end up getting annoyed.
So they're best placed to make the right decisions if they have the right relationships.
And we've seen examples of where this has gone wrong, where they should have that environment where they tell people, hey, if you receive phishing email, this is what you should do, this is what you should look out for.
We're going to be doing simulation tests at this time throughout the year.
And these are some of the topics that we think are inappropriate for our user base because of whatever reasons.
It's when you get that wrong, people, instead of being educated in a phishing test, they end up getting annoyed.
Yeah.
What we try and do is give the people the right tools so that they can— and we offer them training and guidance on this— is how to send, structure these campaigns so that when it goes out, people receive it with this spirit and intent that it was intended to, which is, hey, this is a training exercise.
We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which frankly anyone can make.
We're all trying to get better here. We're not trying to catch people out and punish them for making a mistake, which frankly anyone can make.
Because, you know, an IT team that act like a kind of authority of punishment is not gonna get people on side in terms of security.
What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk.
So it's important to work with the people to see that the point of this is to get people educated and protect the firm and the individuals.
What you'll get is people trying to bypass security to do things in a secret way, which puts the company presumably more at risk.
So it's important to work with the people to see that the point of this is to get people educated and protect the firm and the individuals.
That's absolutely, that's exactly it. I mean, there was a story I read a few weeks ago and it was on Sophos Labs published it.
And there was a biomedical institute and they partner with some universities and there was some visualization tool that you could use if you were on-premise.
But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that, and the license was really expensive.
So what a user ended up doing, or a student, they downloaded a cracked copy, and Windows Defender threw up an alert, and so they disabled Windows Defender.
And there was a biomedical institute and they partner with some universities and there was some visualization tool that you could use if you were on-premise.
But if you're using your own machines, which everyone was because everyone's working from home, they weren't offering a license for that, and the license was really expensive.
So what a user ended up doing, or a student, they downloaded a cracked copy, and Windows Defender threw up an alert, and so they disabled Windows Defender.
Oh.
And they then logged on and done their work, and two weeks later, the company was hit by ransomware.
And this is the thing, is that people are just trying to do their job most of the time. They're trying to be helpful, and they're trying to get their work done.
And technology should be there to facilitate them in doing what they do.
And if it's there as a blocker, and security is no exception, security is probably, when implemented poorly, it becomes the biggest blocker.
If it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or exposes the company to breaches.
And this is the thing, is that people are just trying to do their job most of the time. They're trying to be helpful, and they're trying to get their work done.
And technology should be there to facilitate them in doing what they do.
And if it's there as a blocker, and security is no exception, security is probably, when implemented poorly, it becomes the biggest blocker.
If it's not implemented properly, then people will find creative ways to bypass it just to get the job done. And unfortunately, that does open up or exposes the company to breaches.
And so this kind of test would, at knowbe4.com/freetest, allows you to, I don't know, take a pulse of the company's ability to be fooled by such things.
Yeah, that's right. That's right. And we have benchmarking reports on our website as well. You can go into the resources and you can look for our benchmarking reports.
And most companies, when they do their first test without training and everything, it's typically over 30% of people will click on a— will fall victim to a phishing email. Right.
And that's a high percentage. That's like 1 in 3 people nearly.
And most companies, when they do their first test without training and everything, it's typically over 30% of people will click on a— will fall victim to a phishing email. Right.
And that's a high percentage. That's like 1 in 3 people nearly.
That's more people than click on ads.
Yeah, exactly, exactly.
Yeah.
So 3 out of 10 people typically will fall for this if they've not given any previous cybersecurity training. Is that what you're saying?
That's right, that's right.
And then what kind of numbers do you see after the training has gone through?
If people have gone through a few simulations, have included, you know, presentations and education provided internally?
If people have gone through a few simulations, have included, you know, presentations and education provided internally?
Yeah, so there's a process you need to go through.
You know, typically if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses and they can be short ones, but it's less but more often is probably better.
And you've run it like a proper campaign, then after 90 days even you can halve that to about 10 to 14% of people.
And if you actually carry that on for a year, that drops down to about 5%. So a significant reduction can be achieved over that period of time.
You know, typically if you're doing monthly sort of simulated phishing and you're offering ongoing awareness training, so you sign them up to courses and they can be short ones, but it's less but more often is probably better.
And you've run it like a proper campaign, then after 90 days even you can halve that to about 10 to 14% of people.
And if you actually carry that on for a year, that drops down to about 5%. So a significant reduction can be achieved over that period of time.
Are you surprised at the number of companies that don't take security seriously even today? I mean, I don't know, I'm in the echo chamber, right? I'm on this podcast every week.
So I'm thinking and breathing and snarfling security all the time.
But people who work in other industries, say retail, finance, health, are they thinking about security as much as they should be, do you think?
So I'm thinking and breathing and snarfling security all the time.
But people who work in other industries, say retail, finance, health, are they thinking about security as much as they should be, do you think?
You know, it's that age-old problem. If you take a problem to an engineer, they will reframe it as an engineering problem and they'll give you an engineering solution.
If you take a problem to a security person, they're gonna reframe it as a security problem and present you with a security answer. So I think you're right.
We have this bias because we are in this echo chamber as security professionals or practitioners and other organizations and people working in other departments, they don't have that lens and they're looking at things, hey, what's our return on investment?
What's our profitability this quarter? How can we make it out of the pandemic without going bust?
If you ask me from just a pure security perspective, I'm no, people don't pay attention. And you know, they do far too little, far too late.
But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness.
People are a bit more clued on, and especially from a technical perspective, operating systems and platforms are a lot more secure than what they used to be.
Security, cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there.
And we see it all the time with unsecured S3 buckets out there.
It's not that the functionality doesn't exist, it's just that someone just forgot to check or didn't think to check that should this option be ticked to private or public.
If you take a problem to a security person, they're gonna reframe it as a security problem and present you with a security answer. So I think you're right.
We have this bias because we are in this echo chamber as security professionals or practitioners and other organizations and people working in other departments, they don't have that lens and they're looking at things, hey, what's our return on investment?
What's our profitability this quarter? How can we make it out of the pandemic without going bust?
If you ask me from just a pure security perspective, I'm no, people don't pay attention. And you know, they do far too little, far too late.
But I think on the flip side, I think when you look at over the last couple of decades, there is a rise in awareness.
People are a bit more clued on, and especially from a technical perspective, operating systems and platforms are a lot more secure than what they used to be.
Security, cloud services are really good by and large, but it's just making people aware of some of the dangers that are still out there.
And we see it all the time with unsecured S3 buckets out there.
It's not that the functionality doesn't exist, it's just that someone just forgot to check or didn't think to check that should this option be ticked to private or public.
Yeah.
So I think it's just about making people aware and just reminding them and being that constant thing in the background. It's not something you can fix quickly.
It's like any behavior change, and that's ultimately what we're going for. It's like behavior change.
When we look at things like environmental awareness, growing up, there wasn't really a concept of recycling or separating out your rubbish. Throw away your rubbish.
But today you walk into any corporate office or even public dustbins, there's at least two, if not more, there's maybe five in some offices where when you go to throw away your rubbish, there's oh, let me separate my recyclables from my landfill and what have you.
And this is something that happened over a long period of time and raising awareness. And I think that that's the process we're going through at the moment with security awareness.
It's like any behavior change, and that's ultimately what we're going for. It's like behavior change.
When we look at things like environmental awareness, growing up, there wasn't really a concept of recycling or separating out your rubbish. Throw away your rubbish.
But today you walk into any corporate office or even public dustbins, there's at least two, if not more, there's maybe five in some offices where when you go to throw away your rubbish, there's oh, let me separate my recyclables from my landfill and what have you.
And this is something that happened over a long period of time and raising awareness. And I think that that's the process we're going through at the moment with security awareness.
Yeah, and also, I mean, with ransomware on the rise and with the pandemic forcing people to work from home creating almost a kind of new playground for malicious actors.
I think it's important for us to understand how we are being duped, and that changes all the time because, of course, as soon as we're all aware that something can happen, we tend to be on our guard.
So they change the pattern, and people like KnowBe4, for example, are paying attention to that all the time.
So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.
I think it's important for us to understand how we are being duped, and that changes all the time because, of course, as soon as we're all aware that something can happen, we tend to be on our guard.
So they change the pattern, and people like KnowBe4, for example, are paying attention to that all the time.
So I guess you're updating these tests and constantly providing new information so people can kind of get tested against what's going on right now outside.
Yeah, that's right, that's right. So our templates are constantly being updated, and then our awareness and training modules are always— there's always new content being added.
Yeah, fantastic. Listeners, if you want to try a free phishing test, check out knowbe4.com/freetest and see how safe your office is against this kind of stuff.
Javvad Malik, thank you so much for coming on the show.
Javvad Malik, thank you so much for coming on the show.
Oh, it's always a pleasure, Carole. Thank you so much.
Fascinating stuff. Well, that just about wraps it up for this week. Paul, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Two ways. Go to securityledger.com, and if you're interested in the right to repair stuff, I have a Substack.
As every self-respecting journalist does these days, which is fighttorepair.substack.com.
As every self-respecting journalist does these days, which is fighttorepair.substack.com.
Cool. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G.
And we're also up on Reddit, so look for the Smashing Security subreddit up there.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Pocket Casts, Spotify, and Google Podcasts.
And we're also up on Reddit, so look for the Smashing Security subreddit up there.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Pocket Casts, Spotify, and Google Podcasts.
And thanks to this week's episode to our episode sponsors, 1Password, KnowBe4, and 1Login, and of course to our wonderful Patreon community.
It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 228 episodes, check out smashingsecurity.com.
It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 228 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye.
Bye.
You guys are great. You're so smooth. It's like a well-oiled machine.
Carole Theriault here from Smashing Security. Now I have some fantastic news for you. You know how we started asking for a few more reviews?
Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped.
We've had our most downloaded show ever last week. How frickin' cool is that?
This week I want to do a shout out to Zixis, who wrote, "Many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content.
Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done." Thank you, Zixis.
And also to Red Piano Roland. "Always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking.
It's been a rough few months, and you guys have always been a lift to my spirits. Thank you, Graham and Carole." You are so, so welcome, Roland. Red Piano Roland.
Guys, if you've got the time, please keep them coming. It is seriously making a difference in keeping us independent. Plus, it's just really, really nice to hear from you guys.
Otherwise, it's just Graham, and I mean, ugh. Buckets of love.
Well, quite a few of you decided to take part and take that 60 seconds to write something nice about us. Well, guess what? It's really helped.
We've had our most downloaded show ever last week. How frickin' cool is that?
This week I want to do a shout out to Zixis, who wrote, "Many thanks to the hosts and guests for making the flow of entertaining and thought-provoking content.
Listening to the podcast used to be part of my commute, and now it's an even more essential part of my lockdown endurance routine. Awesome and well done." Thank you, Zixis.
And also to Red Piano Roland. "Always my pick of the week. This show never fails to make me smile. I always look forward to each new episode and listen whilst doing the cooking.
It's been a rough few months, and you guys have always been a lift to my spirits. Thank you, Graham and Carole." You are so, so welcome, Roland. Red Piano Roland.
Guys, if you've got the time, please keep them coming. It is seriously making a difference in keeping us independent. Plus, it's just really, really nice to hear from you guys.
Otherwise, it's just Graham, and I mean, ugh. Buckets of love.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guests:
Paul Roberts – @paulfroberts
Javvad Malik – @J4vv4D
Show notes:
- Cheese Is Addictive As Drug: Dairy Product Triggers Brain Region Linked To Addiction — Tech Times.
- How Police Secretly Took Over a Global Phone Network for Organized Crime — Motherboard.
- Liverpool man latest to be jailed as part of national Operation Venetic — Merseyside Police.
- Hard cheese: Stilton snap shared via EncroChat leads to drug dealer's downfall — The Register.
- Automakers Hype Hacking Threat To Sink Pro-Repair Measure — Forbes.
- FTC Report Slams OEM Restrictions on Repair — Fight to Repair.
- securepairs.org – IT pros fight for a fixable future.
- Apology for dating breach (Japanese).
- Coronavirus: Why dating feels so different now — BBC Worklife.
- How Covid-19 has upended dating for singles — Vox.
- Japan's biggest dating app hit by major cyberattack — TechRadar.
- Omiai(お見合い)
- The Pursuit of Love — BBC.
- Adapting The Pursuit of Love for BBC One — BBC Writers Room.
- The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms — MIT Technology Review.
- Obscura.
- Fstoppers Reviews Obscura 2: A Superb iOS Photo App that Rethinks the 'Interface' — Fstoppers.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: 1Password
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com
Sponsor: OneLogin
According to the OneLogin IAMokay Mental Health Survey, more than 77% of technology leaders have said that their work-related stress increased due to the COVID-19 pandemic.
As a result, CISOs and IT executives have been under ever-increasing pressure – leading to deteriorating mental health, addiction issues, and even suicidal thoughts and tendencies.
OneLogin’s message? You’re not alone. Attend their live event on Weds May 26, “Keeping the Mind Clear and the Company Secure” at smashingsecurity.com/oneloginiamokay
Sponsor: KnowBe4
Did you know that 91% of successful data breaches started with a spear phishing attack?
Find out what percentage of your employees are at risk with KnowBe4’s free phishing security test.
Plus, see how you stack up against your peers with the new phishing industry benchmarks.
Find out more at www.knowbe4.com/freetest
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
