Ooh la la! Horreur Wi-Fi en France! Some folks have experienced the drawbacks of Web 3.0 as their NFTs are stolen, and should computers own the copyright over the art they produce?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Plus don’t miss our featured interview with Sean Herbert of baramundi.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
When he came back the next day, knock, knock, knock, knock, knock. Bonjour. Bonjour. Comment allez-vous? Oui, bien, gracias. Avez-vous une jamme de Radio-Française?
Carole, if you could just fade that bit down and just provide a translation over the top like they do on the news.
Smashing Security, episode 263. Problemes de Bitdefender et Artiste en Duet 3.0, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 263.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
And this week, Carole, we're joined by a special guest. He's returning to the show live from his chicken shed. It is Mark Stockley. Hello, Mark.
I'm back.
Welcome back, Mark.
Thanks.
So any chicken updates or?
Well, we had a very interesting episode last week. Where I learned an entirely new noise that chickens make, which is, I have to say, quite a disturbing noise.
Is it the noise when you tread on a chicken? That's quite a disturbing one. Or the one where it falls inside a shredder? No, not those noises.
Is there something you want to tell us, Graham?
I used to keep chickens, not any longer.
Well, until the shredder incident.
Anyway, carry on, carry on.
Well, it turns out all the chickens are okay, but I think it was the sound of a fox trying to pull a chicken through the wall of the chicken coop.
And our little dog, bless it — you have to imagine I'm running down the garden path.
And our little dog, bless it — you have to imagine I'm running down the garden path.
You called your dog Bless It?
Yeah, Brian.
Brian Bless It.
Our little dog Daisy is the bravest dog in the world.
The chickens are making all sorts of weird noises they've never made before, which is obviously just their way of saying, oh my God, there's a fox trying to pull us through the cage.
And you've got to imagine I'm running down the path, I'm basically dressing myself as I run down the path barefoot, and this little dog just runs into the darkness barking its head off to go and fight off whatever the thing is that's causing the chickens problems.
And whatever it is, the dog is tiny, so whatever it is is going to be 10 times bigger than the dog, and it just ran fearless at the problem. Aw, Daisy girl.
The chickens are making all sorts of weird noises they've never made before, which is obviously just their way of saying, oh my God, there's a fox trying to pull us through the cage.
And you've got to imagine I'm running down the path, I'm basically dressing myself as I run down the path barefoot, and this little dog just runs into the darkness barking its head off to go and fight off whatever the thing is that's causing the chickens problems.
And whatever it is, the dog is tiny, so whatever it is is going to be 10 times bigger than the dog, and it just ran fearless at the problem. Aw, Daisy girl.
Aw.
We don't deserve them. We just don't. Anyway, all the chickens are okay and the dog's okay.
And Daisy's a hero.
And Daisy's a hero.
Maybe she needs some fillet steak for dinner or something.
That's a bit much.
She didn't rescue them from a burning building.
Well, let's thank this week's sponsors, Collide and Baramundi. It's their support that help us give you this show for free. Now coming up on today's show, Graham, what do you got?
I'm jamming, I'm jamming, I'm jamming, jamming, jamming, jamming.
Sorry. Okay.
I'm not even going to ask.
Mark. Mark, what are you talking about?
This is going to shock you, but mine is about some NFT shenanigans.
Oh God.
All right.
All right.
And I'm doing a bit of art, a bit of tech, and some copyright stuff. Plus, we have a featured interview with Sean Herbert of Baramundi.
All this and much more coming up on this episode of Smashing Security.
All this and much more coming up on this episode of Smashing Security.
Maintenant, mes amis, mes amis. Come with me, allons-y, on a trip across the Channel to la belle France.
Oh, we're going to France, sorry.
Brie, Camembert.
I have literally no idea where we're going.
Où est la piscine?
Avez-vous familiarité with la belle France et le ANFR? Have you heard of the ANFR?
Yes, but I can't for the life of me remember what it stands for.
Oh, well, it is the French Agence Nationale des Fréquences. I'm sorry. The National Agency for Frequencies. They are the people in charge of radio frequencies across la belle France.
Okay.
And earlier this month, it was reporté in the newspapers.
Are we doing this fake French the whole way through?
Yes, about—
I'm sorry, listeners. Trust me, it's harder for me than you.
I was just thinking that.
It was reported about les incidents étrangers occurring in the French town of Messanges, which is in southwest France.
So something odd was going on in Messanges, and the residents of Messanges. They were complaining. They were grumbling. Oh my goodness.
They were moaning to their mobile phone operators all the time. They're saying, for goodness' sake, why are our mobile phone connections keep on disappearing?
Why can't we get a signal? Why is not even the Wi-Fi working?
So something odd was going on in Messanges, and the residents of Messanges. They were complaining. They were grumbling. Oh my goodness.
They were moaning to their mobile phone operators all the time. They're saying, for goodness' sake, why are our mobile phone connections keep on disappearing?
Why can't we get a signal? Why is not even the Wi-Fi working?
So I understand why you were interested in this story, Graham, with all your connectivity issues.
Well, that's right. As listeners found out last week, I've had lots of connectivity issues over the last 18 months or so.
All kinds of problems, different times a day, recording the podcast.
You know, when kids come out of schools and they go on their video consoles or their smartphones, my internet disappeared. And I've now had to get satellite links via Starlink.
All kinds of problems, different times a day, recording the podcast.
You know, when kids come out of schools and they go on their video consoles or their smartphones, my internet disappeared. And I've now had to get satellite links via Starlink.
It's been all smooth sailing since then, actually, hasn't it?
Yeah, it has been, hasn't it? Anyway, so people were claiming, oh, my wifi, it's been cut off. Every night between midnight and 3 AM.
Interesting.
Quelle étrange. Très peculiar.
Very precise.
Yes, isn't it? How peculiar. So the mobile phone operator, they said, "There's nothing wrong at our end.
There's no problem at all." Which I have to say was the response I was getting from Vodafone on the many times when I made contact with them.
There's no problem at all." Which I have to say was the response I was getting from Vodafone on the many times when I made contact with them.
I don't think you're alone.
Yeah, I can imagine anything you complain about to any authorities, "Nope." We don't see that. Good luck.
Not our problem.
Yeah.
Well, I think it's even bigger than that, isn't it? Any form of technology problem at all.
I mean, if you've ever worked in a company with an IT department, you will know that the front desk of the IT department's job is basically to find out why your problem isn't their problem.
I mean, if you've ever worked in a company with an IT department, you will know that the front desk of the IT department's job is basically to find out why your problem isn't their problem.
That's right.
It's not to solve your problem. It's just to point out that actually that exists elsewhere.
My mobile phone operator, they were basically saying, have you tried turning the printer off and on again? For my mobile phone connection.
And then you're, do you know who I am? Do you? Do you?
And they'd only speak to me online, which was a challenge as well, because I couldn't get online to complain about the lack of— Anyway, those days are past.
It's not about you, Graham.
No, hopefully now Elon Musk has fixed everything. Anyway, so the mobile phone operator, they saw no problems.
And so these aggrieved residents of Messanges in southwest France, they called in the big guns. They called in the ANFR, the French Agence Nationale des Fréquences.
And so these aggrieved residents of Messanges in southwest France, they called in the big guns. They called in the ANFR, the French Agence Nationale des Fréquences.
So they went national and said, look, our local guys are not playing fair.
Yeah, we need to get this looked into. And so a member of the ANFR— so just like you have TV detector vans or—
Do you though?
Well, no, actually, that's a whole different story I could tell you.
So for the last 18 months, I've been getting letters from the TV licensing people telling me you don't have a TV licence. Our van is definitely coming round.
So for the last 18 months, I've been getting letters from the TV licensing people telling me you don't have a TV licence. Our van is definitely coming round.
We definitely have detector vans that can definitely detect passive receiving devices. This is definitely a thing that exists.
Well, I bought my TV licence the day I moved into this property, and somewhere on their database, they have not entered my address properly.
And so they send me letters constantly saying, you don't have a TV licence. It's like, I do. I do. I want them to show up.
And so they send me letters constantly saying, you don't have a TV licence. It's like, I do. I do. I want them to show up.
No, no, you don't. You don't. I was just going to say, I've read about this. You do not want to allow them into your house apparently.
They're not fire ants. What happens if they come in your house?
I don't know. I can't remember that bit of the article.
All I know is they apparently doorstop you and will try and come in and use many, many different techniques to try and enter the premises to do their checks.
All I know is they apparently doorstop you and will try and come in and use many, many different techniques to try and enter the premises to do their checks.
Well, Carole, I have a TV licence. I want to show it to them.
That's fine. Okay, you can bring it to the door.
No, but— well, all right. Okay, maybe I do that.
But the thing is that every time I try and call them up or contact them electronically, ironically to say, "I do have a TV licence," I can't get through to a human to explain I do have one.
So I want them to come round because then they will stop sending me letters. Yeah, okay.
But the thing is that every time I try and call them up or contact them electronically, ironically to say, "I do have a TV licence," I can't get through to a human to explain I do have one.
So I want them to come round because then they will stop sending me letters. Yeah, okay.
Just breathe. Breathe.
So if you're listening to this and you work for TV licensing—
Graham, I'm really thinking you need to calm down just a bit.
Okay. Anyway, the ANFR, they do have a little van, unlike the TV licensing people. And they went out to try and investigate this mobile connection.
Basically, do we have a signal between 12 and 3 o'clock as we drive around the area? It's not high.
Yeah. So the guy was driving around, he's thinking, oh, he's thinking there's nothing wrong. It is all fine here until the stroke of midnight, when his spectrum analyser showed—
Thank you for translating it. I was getting a bit lost there.
It showed the telltale signs of interference. Now, this investigator, he knew his onions, and he recognised—
That's a bit racist.
That a prohibited—
Fine up till now, but that bit.
Fuck Graham.
A prohibited wave jammer was being deployed. Right?
A wave jammer.
A wave jammer. And it was knocking out all mobile phone frequency bands in the town. And he thought, "Quelle horreur," he thought.
"What on earth is going on here?" So, can you locate the jammer?
"What on earth is going on here?" So, can you locate the jammer?
Oh! Okay.
You can if you work for the Agence Nationale des Fréquences, and you have one of his vans. Because his van has a radio detection finder on the roof. Oh my God.
Presumably they would need two vans.
What, to triangulate, you mean?
Maybe they have two aerials on the top or something. I'm not sure. But anyway, he obviously—
Very tight triangle.
Anyway, he wanted—
That's aigu, aigu, Graham. Triangle aigu.
He wanted to know where the jammer was, who was running it. So he tootled around, and he attempted to locate the source of the disturbance.
Maybe it became stronger as he, you know, hotter, colder, you know, maybe, anyway. He had a little time on his hands.
Maybe it became stronger as he, you know, hotter, colder, you know, maybe, anyway. He had a little time on his hands.
I think it's like a submarine where you'd have that screen inside your van with a little dot, and it's going, doot, doot, doot, and you're getting closer and closer and closer and closer.
Mon Dieu.
Mon Dieu.
Okay. Eventually, eventually he arrived at a solitary house in a neighbouring town by the coast where he could tell the jamming signal was definitely coming from.
But by this point it was 1:30 in the morning. He couldn't go barging into the house. He had to return in the morning with a member of the gendarmerie to assist him, right?
You can't just go clouting in and saying, what on earth's going on?
But by this point it was 1:30 in the morning. He couldn't go barging into the house. He had to return in the morning with a member of the gendarmerie to assist him, right?
You can't just go clouting in and saying, what on earth's going on?
Exactly, TV licence people.
Right.
Exactly.
I would love it if the police came round. I would show them.
Call the police.
I would say, arrest these TV licensing people for wasting my time and sending me so many letters when I do have a licence. Anyway.
Yeah.
It's very cute that you think that's a person.
Yeah, I know.
And not some two-line Java programme. Sorry, there are no two-line Java— some 200-line Java programme.
When he came back the next day, knock, knock, knock, knock, knock. Bonjour. Bonjour. Comment allez-vous? Oui, bien, gracias. Avez-vous un jammer de radio-française?
Carole, if you could just fade that bit down and just provide a translation over the top they do on the news.
Anyway, he asks him, do you have a jammer de radio-française? And this man says, oui, I do. He says, yes, I do have a jammer, a radio jammer.
Okay.
He admitted he had a multiband jammer. Which can neutralize both mobile telephone and Wi-Fi signals. So you might be asking yourself, why was he running it each day?
Can we guess? Can we guess? Of course, you can. Was he worried about the Wi-Fi frequencies affecting his health? So he was blocking them from coming into his—
So he's blocking them with a much stronger signal.
With another much stronger thing. Let's not point out the irony of that, but—
But it's going the other way.
Yeah.
No, that wasn't what he was doing.
Had he recently had his COVID booster? And he was concerned about the effects of 5G mind control.
From the lizard people.
From the lizard people.
No, the reality is rather more mundane. He was fed up with his teenage kids. Not just fed up with teenage kids generally, although that would be understandable.
He was fed up with his kids using their smartphones rather than sleeping at night. And so he had acquired a jammer to completely knock out all mobile phone signal.
He was fed up with his kids using their smartphones rather than sleeping at night. And so he had acquired a jammer to completely knock out all mobile phone signal.
Is this man ridiculous? He's the father. Just take the phones away. Just take the phones away.
Do you realise how scary teenagers are, Carole? They are petrifying. They're hairy.
For God's sake.
They smell. It's bad. His kids have become addicted to social networks, he said, and other apps, in particular since they were all locked down because of COVID.
And so he went on the internet as to how can I jam the signal?
And so he went on the internet as to how can I jam the signal?
Right, there's your problem.
Did he not realise the radius of jamming might impact everyone around him?
Well, it turned out it was a bit stronger than he'd intended. And so it hadn't just knocked it out in his house, but also his rest of his village and the neighbouring town as well.
And he now faces a fine of up to €30,000 and 6 months in jail as a consequence because—
And he now faces a fine of up to €30,000 and 6 months in jail as a consequence because—
I hope he doesn't go to jail. I mean, I don't mind him being slapped on the wrist, kind of going, don't do this. And, you know, to warn others.
He won't have to worry about his kids anymore, will he, if he's in there?
Why are these industrial-sized jammers available on Amazon.fr?
Wherever he bought it. I think they are prohibited to own unless you have maybe a license or something. Maybe you're going to use it in some sort of approved way.
So I think just owning one can actually give you a penalty.
But obviously he knocked out— and there's a serious problem because if you knock out the radio signals, if there were low-flying aircraft, for instance, it can apparently interfere with them and all kinds of things by just blasting out this really strong radio signal to drown out everything else.
So I think just owning one can actually give you a penalty.
But obviously he knocked out— and there's a serious problem because if you knock out the radio signals, if there were low-flying aircraft, for instance, it can apparently interfere with them and all kinds of things by just blasting out this really strong radio signal to drown out everything else.
Yeah, he needs to go to parenting classes, I think.
I feel like if his children are teenagers, then—
It's too late.
The damage may already have been done. I love the irony of, you know, he was doing this to protect his children from the evils of the internet.
Yeah.
And in order to protect them from the evils of the internet, he went to the internet and bought something he would have no chance of buying that in the local shop.
Yeah.
Like if he goes to his hypermarket.
That's true.
You know, live tracks.
Hypermarché is the play.
Carrefour.
Yeah.
Giant radio frequency jammer. Not gonna find one.
Mark, what do you have for us this week?
Well, I am going to delve into the murky world of NFTs once more.
Oh, good. Yuck. Yeah.
I was doing this one for you, Carole. Yeah. I'm gonna talk about Web3. 'Cause Web3 is grating on me at the moment. Have you heard of Web3?
Yes.
I have.
What is Web3?
So Web2 is the era we're in now. Okay.
Right.
So Web2, Web 2.0, as it was called back in sort of 2000, is all about consolidation of the internet around giant centralised services. Okay.
So think Facebook, Amazon, things like that. Okay. So that's Web2 and exists broadly speaking, because people don't want to run their own stuff.
So everything is kind of centralized around Amazon Web Services and, you know, Facebook owns social media. Anyway, so that's Web2. We're going to talk about Web3.
I'm going to start my story with something that I think will tickle you, Graham, because I have noticed that there's nothing that you love more than a chuckle about an amusing name.
So I'm going to start my story with one of the best names in information security. Mr. Moxie Marlinspike.
So think Facebook, Amazon, things like that. Okay. So that's Web2 and exists broadly speaking, because people don't want to run their own stuff.
So everything is kind of centralized around Amazon Web Services and, you know, Facebook owns social media. Anyway, so that's Web2. We're going to talk about Web3.
I'm going to start my story with something that I think will tickle you, Graham, because I have noticed that there's nothing that you love more than a chuckle about an amusing name.
So I'm going to start my story with one of the best names in information security. Mr. Moxie Marlinspike.
Oh yes. Moxie, yes.
Nice. Beautiful.
Not his real name.
Oh, surprise.
Anyway, Moxie's quite famous. So he's the inventor of SSL stripping, which is not a form of entertainment. It's a type of attack.
And he was the chap behind Signal, wasn't he?
He was. He's the creator and CEO of Signal, which is a secure messaging app that probably you guys all use. I use. No doubt lots of listeners use.
He's also the former head of security at Twitter. So basically he's a man whose opinions about security and cryptography are worth listening to.
And on the 7th of January, he published an article that sort of beautifully exposed some of the nonsense that people say about Web3 called "My First Impressions of Web3." And because he's a very clever chap, he didn't just go and read about Web3.
He actually built some stuff. So he built some distributed apps and he made an NFT in order to learn about it, to sort of form an opinion.
And then his opinion is written in this article.
He's also the former head of security at Twitter. So basically he's a man whose opinions about security and cryptography are worth listening to.
And on the 7th of January, he published an article that sort of beautifully exposed some of the nonsense that people say about Web3 called "My First Impressions of Web3." And because he's a very clever chap, he didn't just go and read about Web3.
He actually built some stuff. So he built some distributed apps and he made an NFT in order to learn about it, to sort of form an opinion.
And then his opinion is written in this article.
Okay.
So anyway, so Web 2 is all about this consolidation. It's all about big platforms, and Web 3 is not that. So Web 3 is all about decentralization, okay?
Because people don't trust companies like Facebook, Google, or Amazon and that sort of thing with their stuff. It's Web 3.
It's all built on blockchains, which are distributed, and so it's resilient and immutable and free from those large players that get to dictate the game.
Because people don't trust companies like Facebook, Google, or Amazon and that sort of thing with their stuff. It's Web 3.
It's all built on blockchains, which are distributed, and so it's resilient and immutable and free from those large players that get to dictate the game.
Yeah, the information hoovers.
That's the theory, okay? But Moxie Marlinspike's article says in fact it really isn't like that at all. Shock horror.
So the paper's well worth a read, but the main argument goes something like this, okay?
So things that are decentralized evolve very slowly because you have to get everybody to do the same thing. You have to convince every individual they want to do the same thing.
And things that are centralized evolve very, very quickly. And if you want to win in technology, then you have to quickly.
And that is why people spend millions and millions of dollars on things like agile development and DevOps and DevSecOps and stuff like that.
And you may have noticed that Web3 is actually evolving very quickly.
So the paper's well worth a read, but the main argument goes something like this, okay?
So things that are decentralized evolve very slowly because you have to get everybody to do the same thing. You have to convince every individual they want to do the same thing.
And things that are centralized evolve very, very quickly. And if you want to win in technology, then you have to quickly.
And that is why people spend millions and millions of dollars on things like agile development and DevOps and DevSecOps and stuff like that.
And you may have noticed that Web3 is actually evolving very quickly.
Hmm.
Because I mean, who had heard of NFTs 6 months ago, right?
Ah, lovely days.
So even though it's decentralized, Web3 is evolving very quickly. So how is it doing this?
By using Web2? Yes. Oh, gorgeous.
The answer is, although Web3 is decentralised under the surface—
In order to compete—
The things you actually interact with, like the websites and the apps, are very, very Web2 indeed.
And in fact, there's a layer of things underneath those webs and apps, which is also very, very Web2, in fact. And those are the things that are evolving.
And in fact, there's a layer of things underneath those webs and apps, which is also very, very Web2, in fact. And those are the things that are evolving.
Wow.
So this supposedly decentralized Web3 ecosystem is basically just a Web2 ecosystem with a really, really, really slow and inefficient database buried far beneath the surface.
So it's almost like they're repackaging Web2 in a way to make it sound cutting edge and to give people a sense of better privacy or security?
Yes, it is. But I don't know that there's any malice in it. I don't know that it's— I think what he's saying is that things naturally centralize in order to move quickly.
Right.
Yeah.
Which makes— I've never thought about that before.
It's easier.
Well, the example he gives in the paper is if you compare email, which has been around for almost 50 years, email still doesn't have end-to-end encryption.
No.
But WhatsApp, which has been around for 6 minutes, does have end-to-end encryption.
It went from not having end-to-end encryption to having end-to-end encryption because all that needed to happen is that WhatsApp needed to decide that that was a thing.
Whereas with email, every SMTP server in the world and every email client in the world all had to adopt the same form of encryption, which is why it's really hard.
It went from not having end-to-end encryption to having end-to-end encryption because all that needed to happen is that WhatsApp needed to decide that that was a thing.
Whereas with email, every SMTP server in the world and every email client in the world all had to adopt the same form of encryption, which is why it's really hard.
So there are lots of people talking about Web3 and what they may not be talking about is the fact that its foundations are actually Web2 and it's very reliant on the old centralized—
Well, it's the other way. So its foundations are Web3. So where the data is stored is Web3.
Yes.
But the sort of Web3-ness is being kind of robbed and abstracted by the Web2-ness that's on top. So I'll give you an example.
According to Marlin Smite, almost all distributed apps, which are sort of Web3 apps, actually interact with the blockchain, the distributed bit, by using just one of two services called Infura and Alchemy.
So they're these giant central points of failure, but also fantastic places to track people if you want to, and also quite useful places to attack if you wanted to.
So the whole sort of resilience from being distributed doesn't exist if you just channel everything through one gatekeeper.
Similarly, the Web3 poster child, you've probably heard of non-fungible tokens.
According to Marlin Smite, almost all distributed apps, which are sort of Web3 apps, actually interact with the blockchain, the distributed bit, by using just one of two services called Infura and Alchemy.
So they're these giant central points of failure, but also fantastic places to track people if you want to, and also quite useful places to attack if you wanted to.
So the whole sort of resilience from being distributed doesn't exist if you just channel everything through one gatekeeper.
Similarly, the Web3 poster child, you've probably heard of non-fungible tokens.
NFTs.
Is massively reliant on one website called OpenSea.
Mm-hmm.
So OpenSea is the eBay of NFTs. You go there to create and sell and trade your NFTs, and it is so important in fact that it's actually valued at $13 billion. It's just ridiculous.
But I just want to dwell for a second on the fact that the decentralized Web3, in its nascent decentralized ecosystem, has a property worth $13 billion.
But I just want to dwell for a second on the fact that the decentralized Web3, in its nascent decentralized ecosystem, has a property worth $13 billion.
Oh my goodness.
How decentralized is that? So they're trying to avoid these giant Facebook and Amazon-like platforms, and they've got a platform that's worth $13 billion.
Well, not worth.
Look, someone will pay $13 billion.
Will they?
Will they? Yes, Facebook will.
Yeah.
OpenSea just got to rename themselves OpenMetaSea or something, and then Facebook will buy them.
Anyway, not only is everything NFT-related, almost everything NFT-related flowing through OpenSea, but OpenSea is even filling in some of the missing functionality that doesn't exist in the slow-moving Web3 bit.
So some of the functionality around things like paying royalties.
Basically, some of the functionality that you think you're getting from the Web3 bit, you're actually getting from OpenSea, which means that your NFT is completely tied to the existence of OpenSea.
Anyway, not only is everything NFT-related, almost everything NFT-related flowing through OpenSea, but OpenSea is even filling in some of the missing functionality that doesn't exist in the slow-moving Web3 bit.
So some of the functionality around things like paying royalties.
Basically, some of the functionality that you think you're getting from the Web3 bit, you're actually getting from OpenSea, which means that your NFT is completely tied to the existence of OpenSea.
Yeah.
And OpenSea is also the home of an NFT that I created the last time I was on this show.
We're so pleased.
Called Graham or Carole.
Tell me it sold for millions.
I have some bad news, I'm afraid.
Oh.
So on Saturday, 19th of February, attackers stole 254 NFTs from OpenSea. Worth a cool $1.7 million.
Estimated, estimated. I think we should use these words here.
Yeah, yeah. It's something between zero and $1.7 million.
Yeah.
Sadly, oh, it pains me to say that the Graham or Carole NFT, oh no, was not one of them.
Oh, damn.
I still own that. If you want to buy it, it's still there. Yes.
Run, run, don't walk, people, run.
If you want to steal it, actually, just go ahead. Anyway, the fog on the attack is clearing now. In the beginning, nobody really seemed to know what happened.
And in fact, because this is the upside-down world of NFTs, nobody can even agree if what happened was actually theft.
In the beginning, the rumor mill was insistent that the attacker had exploited a vulnerability in a new type of smart contract that OpenSea was asking everyone to upgrade to.
And in fact, because this is the upside-down world of NFTs, nobody can even agree if what happened was actually theft.
In the beginning, the rumor mill was insistent that the attacker had exploited a vulnerability in a new type of smart contract that OpenSea was asking everyone to upgrade to.
Right.
So the day before, on the 18th, the site had given everyone a week to upgrade their NFTs from version 2.2 of the Wyvern protocol to version 2.3 of the Wyvern protocol.
Because we're in that sort of weird Web3, Web2, neither one nor the other space, they couldn't just upgrade everyone.
They want everyone to upgrade, but they couldn't just upgrade everyone by pressing a button. And they had to get everyone to agree to upgrade their NFTs.
But because it's their kind of Web 2, it's like, okay, you have to upgrade your NFTs because it's distributed.
But if you don't upgrade your NFTs, you can't be on our website because we're the £800 gorilla and we get to decide what's going on.
Because we're in that sort of weird Web3, Web2, neither one nor the other space, they couldn't just upgrade everyone.
They want everyone to upgrade, but they couldn't just upgrade everyone by pressing a button. And they had to get everyone to agree to upgrade their NFTs.
But because it's their kind of Web 2, it's like, okay, you have to upgrade your NFTs because it's distributed.
But if you don't upgrade your NFTs, you can't be on our website because we're the £800 gorilla and we get to decide what's going on.
Wow.
Well, Web 3 is really wonderful, isn't it?
No, but come on. I think anytime you go through a technological change, there is a period of unrest. Right? And what the hell is going on? I'm not really surprised by that.
Yes, but there are lots of online services where you don't have to, you know, if this is— someone else could have just pulled a lever and it could have happened automatically.
I agree, I agree. But I think this is an interesting dilemma, the idea that people want distribution, people kind of consider distribution a way of preserving their privacy.
And we've been spoonfed that for, I don't know, 5 years at least, you know, strongly. And at the same time, we're saying, yeah, but centralized is way faster.
And we've been spoonfed that for, I don't know, 5 years at least, you know, strongly. And at the same time, we're saying, yeah, but centralized is way faster.
But I think actually what the money is saying is that people don't care about being distributed.
Yeah. So Mark, the initial reports, a lot of them said that OpenSea had been hacked or something.
Yes, that's right.
But it turned out that wasn't the case.
That's correct. So OpenSea say there wasn't a vulnerability in the new protocol. It says all the victims were phished, which is very Web 2.0.
So according to an analysis of the attack about a month ago, an attacker created a smart contract which was designed to steal other people's NFTs, and then they sent phishing emails with links to fake websites that told those users to sign a message that would help them to migrate to the new type of smart contract.
So I guess OpenSea must have trailed the fact that they were going to do this. But in actual fact, what those people were signing was a private sale of their NFTs to the attacker.
So they were effectively signing a Web3 blank check. People who send phishing emails these days, they're pretty good at fooling people.
And I'm not at all surprised that people fell for this, because as you say, it's all brand new technology.
So according to an analysis of the attack about a month ago, an attacker created a smart contract which was designed to steal other people's NFTs, and then they sent phishing emails with links to fake websites that told those users to sign a message that would help them to migrate to the new type of smart contract.
So I guess OpenSea must have trailed the fact that they were going to do this. But in actual fact, what those people were signing was a private sale of their NFTs to the attacker.
So they were effectively signing a Web3 blank check. People who send phishing emails these days, they're pretty good at fooling people.
And I'm not at all surprised that people fell for this, because as you say, it's all brand new technology.
Mm-hmm.
So basically what these people were signing was a blank check, which would allow the attacker to fill in the details of what was actually being sold and how much it was being sold for later on.
So when OpenSea announced on their blog that users had a week to upgrade, the attacker executed the smart contract and that transferred ownership of all the victims' NFTs without payment.
And it pulled in about, as we said, between $0 and $1.7 million worth of NFTs depending on your valuation.
So when OpenSea announced on their blog that users had a week to upgrade, the attacker executed the smart contract and that transferred ownership of all the victims' NFTs without payment.
And it pulled in about, as we said, between $0 and $1.7 million worth of NFTs depending on your valuation.
Yes.
Some of the NFTs were from famous collections like the Bored Ape Yacht Club, which we spoke about last time. And the more expensive ones sold on very quickly.
So some people are saying, well, why didn't they sort of try to freeze the wallets that were involved and stuff.
And as you will recall from our last conversation, stuff on OpenSea can all be listed automatically by bots and it gets sold if somebody— you know, there are bots looking for bargains, and if they think they find one, it'll just get bought.
So the expensive NFTs are gone. At first it was thought that there were 32 victims, there were 32 people who interacted with it.
There were actually 17 victims, so there weren't many people who were affected by this. But you know, there's 254 NFTs.
The most interesting thing about it though, for me, was the range of responses that you see.
So OpenSea itself and other sort of responsible players were very concerned with the affected users. You know, are they okay?
Because whatever you think of NFTs, those people have lost a lot of money. Not everybody was that kind.
Within the sort of Web3 culture, there's this idea that code is law, meaning that if the code allows a thing to happen, then that's perfectly okay.
And so if you're dumb enough to click, yes, I'm going to sign this blank check, then, you know, essentially all the people who are attacked gave the attacker permission to steal their NFTs, in which case was it—
So some people are saying, well, why didn't they sort of try to freeze the wallets that were involved and stuff.
And as you will recall from our last conversation, stuff on OpenSea can all be listed automatically by bots and it gets sold if somebody— you know, there are bots looking for bargains, and if they think they find one, it'll just get bought.
So the expensive NFTs are gone. At first it was thought that there were 32 victims, there were 32 people who interacted with it.
There were actually 17 victims, so there weren't many people who were affected by this. But you know, there's 254 NFTs.
The most interesting thing about it though, for me, was the range of responses that you see.
So OpenSea itself and other sort of responsible players were very concerned with the affected users. You know, are they okay?
Because whatever you think of NFTs, those people have lost a lot of money. Not everybody was that kind.
Within the sort of Web3 culture, there's this idea that code is law, meaning that if the code allows a thing to happen, then that's perfectly okay.
And so if you're dumb enough to click, yes, I'm going to sign this blank check, then, you know, essentially all the people who are attacked gave the attacker permission to steal their NFTs, in which case was it—
And the transaction presumably is now recorded on the blockchain.
Yes, it is now immutable, cannot be erased, although it can be because, you know, what happens in these situations is that people are all for decentralization until there's a problem, and then they realize there's no one they can complain to.
And then there's a lot of, I want to talk to the manager. And suddenly the idea of a central authority becomes very, very attractive.
And then there's a lot of, I want to talk to the manager. And suddenly the idea of a central authority becomes very, very attractive.
So Mark, are people going to be able to get their pointless NFTs back? No.
Well, I mean, obviously they can just sort of screenshot them.
Yeah. Because they didn't really ever own them anyway, did they? They didn't.
That's a whole other thing. But I think the TL;DR is no, no, they didn't.
Well, what a great advert for NFTs this whole OpenSea phishing attack has been. Marvellous. Carole, what have you got for us this week?
Well, we are heading into art land. Now, in the document, I have put two images for you to look at. So one, we have a largely cloudy dawn or dusky sky in front of a bit of land.
And then the other one, we have a sun-dappled train track covered with, I don't know, wisteria, vines, I don't know, stuff. Mm-hmm. Mm-hmm. So any thoughts on these?
And then the other one, we have a sun-dappled train track covered with, I don't know, wisteria, vines, I don't know, stuff. Mm-hmm. Mm-hmm. So any thoughts on these?
I think I recognize the artist on the first one. Do you? I can, I, yes, I just know her style. I think it could be carole.wtf who did that one. Would that be right?
Yeah, so one of them is mine and the other one?
The other one? You want me to identify who did this other one?
No, no, no. I just— do you have any views on it? Do you like it?
Well, it's obviously not as good as yours, Carole. Well, thanks very much, but— No, it seems very competent.
Do you think you could do it?
No, no, no. I definitely couldn't do that.
Mark could probably do it, though.
Mark's an artist. Oh, hang on. I'm just— I'm looking now. I'm looking now. The first one's really good. I love the first one with the big moody sky.
Well, good, because it's probably going in my art show in May, which I'm now signed up to do. So good.
I like you like that one. The second one looks like one of those Magic Eye puzzles.
It does a bit.
Which I have never, ever, ever been able to do. Or I've just stared at these things for hours without—
Maybe there's a different meaning in this picture than I actually have seen.
There is something with the colours and yeah, there is something a bit Magic Eye about it.
Well, the thing is, when an artist creates a work, you are basically recognized as the copyright holder. The copyright is recognized as belonging to the creator.
And according to Artsy.net, they shorten the legalese in the US to copyright gives artists who have created fixed tangible works a bundle of rights.
The rights provide the artist protection and ensures the artist can profit from what they've made.
So for example, with a painting I did, I could create copies or create prints, postcards, whatever, and make them available to people for profit.
And according to Artsy.net, they shorten the legalese in the US to copyright gives artists who have created fixed tangible works a bundle of rights.
The rights provide the artist protection and ensures the artist can profit from what they've made.
So for example, with a painting I did, I could create copies or create prints, postcards, whatever, and make them available to people for profit.
NFTs. You're thinking of NFTs. Yes, I could do stupid NFTs.
I could make prints. I can display it publicly. But if you bought the painting from me, you would only get copyright if I transferred it and intended to transfer it to you.
So if you bought it, that would not mean that you'd have permission to take pictures of the piece, make postcards of it, and sell my piece to anybody. Right. Okay?
So the painting of the train tracks is having trouble establishing copyright. And the problem is weird because we know who the creator is. We know that the image is an original.
We know that it exists. It's not just an idea or a thought, you know, an idea to do something in the future. And the problem is because the creator is not human.
So if you bought it, that would not mean that you'd have permission to take pictures of the piece, make postcards of it, and sell my piece to anybody. Right. Okay?
So the painting of the train tracks is having trouble establishing copyright. And the problem is weird because we know who the creator is. We know that the image is an original.
We know that it exists. It's not just an idea or a thought, you know, an idea to do something in the future. And the problem is because the creator is not human.
It's an AI. Carole, you're not an AI.
Don't be ridiculous. You're just an eye.
Just an eye.
No, I think just an A actually.
Do you mean asshole? No. Just, I don't know what's going on, Cluley. Do we need to take this offline?
I thought when actually, when you were saying it was created by dot dot dot, I thought you were going to say alien. And I was quite excited for about half a second there.
You know that maybe it is kind of like an alien. Let me just recap this backstory.
Back in 2018, Stephen Thaler filed an application to register a copyright claim in this work, the work that I showed you, the train tracks.
And the author of the work was identified as the AI algorithm Creativity Machine. That's the name of the AI algorithm.
And Thaler listed himself as the claimant alongside a transfer statement of ownership of the machine. And the reason he wants to do this is for this concept of work for hire.
So you do work for a company, you make original work, and then the company owns that because effectively in your contract you're saying, yeah, you can profit from my work as an organization.
So effectively that's what Thaler was trying to get. He wanted to be able to, I guess, sell images of this wonderful painting or make money off it.
In his application, Thaler left a note for the office stating that the work was autonomously created by a computer algorithm running on a machine, and he was seeking to register this computer-generated work as a work for hire for the owner of the creativity machine.
Okay, so that all makes sense.
In 2019, a year later, the Copyright Office registration specialist refused to register the claim, finding that it lacks the human authorship necessary to support a copyright claim.
Okay. Now, we've kind of talked about this. You might remember that Banksy got himself into a similar pickle.
So he has images that a greeting card company basically took and started making cards to sell. And he was like, hey, those are mine. And they're like, well, who are you, Banksy?
You need to register yourself. We need to know who you are to prove that you own the copyright.
But because he was this kind of anonymous character, he wouldn't come forward and claim the works.
Therefore, they were just operating in this weird bubble because they were saying, Banksy, you can't go and complain about this by using the laws that you've complained about not to register any of your stuff.
Back in 2018, Stephen Thaler filed an application to register a copyright claim in this work, the work that I showed you, the train tracks.
And the author of the work was identified as the AI algorithm Creativity Machine. That's the name of the AI algorithm.
And Thaler listed himself as the claimant alongside a transfer statement of ownership of the machine. And the reason he wants to do this is for this concept of work for hire.
So you do work for a company, you make original work, and then the company owns that because effectively in your contract you're saying, yeah, you can profit from my work as an organization.
So effectively that's what Thaler was trying to get. He wanted to be able to, I guess, sell images of this wonderful painting or make money off it.
In his application, Thaler left a note for the office stating that the work was autonomously created by a computer algorithm running on a machine, and he was seeking to register this computer-generated work as a work for hire for the owner of the creativity machine.
Okay, so that all makes sense.
In 2019, a year later, the Copyright Office registration specialist refused to register the claim, finding that it lacks the human authorship necessary to support a copyright claim.
Okay. Now, we've kind of talked about this. You might remember that Banksy got himself into a similar pickle.
So he has images that a greeting card company basically took and started making cards to sell. And he was like, hey, those are mine. And they're like, well, who are you, Banksy?
You need to register yourself. We need to know who you are to prove that you own the copyright.
But because he was this kind of anonymous character, he wouldn't come forward and claim the works.
Therefore, they were just operating in this weird bubble because they were saying, Banksy, you can't go and complain about this by using the laws that you've complained about not to register any of your stuff.
On the subject, Banksy, he does drawings on the sides of walls of buildings and things like that, right?
Which I believe he asks permission first before he does that. It's very important to respect other people's rights.
I don't think many people would complain though, if they— Oh, I would. Would you?
I would. You're massively overrated. Yeah, I don't get it at all.
Still though, it'd be worth a pretty penny.
Yeah, I mean, obviously, you know, he can come and just staple a million dollars to my wall if he likes. Exactly.
If I came by, if I ran a greeting cards company and I took a nice artistic photograph of his art on my wall. So it's my photograph. Can I then put that on my greeting cards?
I think it would probably— you could probably argue if the photograph included your living room to— you know what I mean? What if I put—
If my cat was in front of it? If my cat was in the picture as well? So it's not just his art.
Well, I hope your cat doesn't actually take a selfie of the art, because that too is a problem, because they're not a human.
We had a macaque who a nature photographer said grabbed his camera and took his own selfie. And then he was trying to make money off this picture.
And PETA went after him saying, how dare you?
You have infringed the monkey's copyright by releasing The Wildlife Personalities, the self-published book of photography that included the famous monkey selfie.
We had a macaque who a nature photographer said grabbed his camera and took his own selfie. And then he was trying to make money off this picture.
And PETA went after him saying, how dare you?
You have infringed the monkey's copyright by releasing The Wildlife Personalities, the self-published book of photography that included the famous monkey selfie.
That does sound like a very important use of PETA's time. Doesn't it?
I agree with that. Okay, so let's back to AI creating work. So effectively, Stephen Thaler went back twice to try and get this application or this copyright ruling amended.
And he's not been successful.
So a few days ago, he was told for the third time, no, you can't do this, because they concluded that the work lacked the required human authorship necessary to sustain a claim in the copyright.
'Cause he provided no evidence or sufficient creative input or intervention by a human author in the work. So basically they're saying there's no human.
And he's not been successful.
So a few days ago, he was told for the third time, no, you can't do this, because they concluded that the work lacked the required human authorship necessary to sustain a claim in the copyright.
'Cause he provided no evidence or sufficient creative input or intervention by a human author in the work. So basically they're saying there's no human.
Well, has he explained anywhere why he didn't just put his own name on the copyright claim?
Yeah, you could. I think I would've just refiled, right? And said, actually, I created the AI.
How many times do they have to tell you this has to have a human on it before you go, hmm, I'm a human.
Is it ordinary for an artist to have to prove that they humanly created a work of art?
Because where's the evidence that Da Vinci or someone else like that— he might have just used a printer out or something.
Because where's the evidence that Da Vinci or someone else like that— he might have just used a printer out or something.
Yeah, probably used a printer. Yeah, yeah, I know. Yeah, those canons have been around a while.
And, well, you know, it's just, you know, used an Instagram filter or something. It's not that good anyway, the Mona Lisa.
She doesn't have eyebrows. Okay, so they lack personhood. Actually, to your point, Mark, I think he wants to be the first to try and break this copyright rule for human only. Right.
I mean, I'm sure that's what's driving him rather than owning the actual copyright.
I mean, I'm sure that's what's driving him rather than owning the actual copyright.
Yeah. So he wants to make sure that this computer program gets its fair dues. The money that's due to this computer program should go to this computer program.
And then as soon as it develops the ability to understand money and use it, it can do something with the money it's earned. I've got a question for you.
If I make a pencil and then you draw a picture with the pencil, can I claim that the pencil is the originator of the artwork?
And then as soon as it develops the ability to understand money and use it, it can do something with the money it's earned. I've got a question for you.
If I make a pencil and then you draw a picture with the pencil, can I claim that the pencil is the originator of the artwork?
Or the brush.
Or yeah. Yeah. Or Photoshop.
Yeah. Or Procreate.
Well, I want to know who wrote the program. Because to me, the program is like a really, really good pencil.
Well, okay. Maybe Adobe own everything. What's all going on in there?
I feel like there needs to be some sort of barrier to entry, like a literal barrier to entry, where you say, if a computer program can get past this barrier, like if it can walk itself, well, that would be one.
I don't know. I was thinking more like if it could get itself to the courthouse and argue its case.
I don't know. I was thinking more like if it could get itself to the courthouse and argue its case.
Well, that's not that— I mean, all he needs is a few wheels. What if— can I push them in a wheelchair?
You see? Well, I suppose, but at some point it has to be able to engage the services of a lawyer.
Graham just not playing. Okay, so there you go. AI, AI.
I'm just conscious of time.
Well, you know, sorry, I talked for 10 minutes.
No, I'm not blaming you. I'm just thinking we need to—
No, no, it's always my story. This is why I go, maybe we should swap places, Graham. You can go last and I will go first. I think that's a great idea.
Maybe that's the way to do it.
Baramundi offer unified endpoint management from a single platform. Think of it as an all-in-one solution, consolidated endpoint management, under a single interface.
For example, with Baramundi JOBS, you can control and monitor all tasks in the management suite, including software deployment, automation, and operating system installation.
Baramundi also offer vulnerability detection and patch management, so you're ready to deploy updates and patches for Microsoft and third-party applications.
And you can centrally manage any number of devices, no matter where they're located. And that means you can distribute all the necessary updates to smartphones, tablets, notebooks.
Excited to check it out? Well, we don't blame you. Our pals at Baramundi are offering Smashing Security listeners a 30-day full version free trial.
Check it out at baramundi.com/smashing. That's baramundi.com/smashing.
For example, with Baramundi JOBS, you can control and monitor all tasks in the management suite, including software deployment, automation, and operating system installation.
Baramundi also offer vulnerability detection and patch management, so you're ready to deploy updates and patches for Microsoft and third-party applications.
And you can centrally manage any number of devices, no matter where they're located. And that means you can distribute all the necessary updates to smartphones, tablets, notebooks.
Excited to check it out? Well, we don't blame you. Our pals at Baramundi are offering Smashing Security listeners a 30-day full version free trial.
Check it out at baramundi.com/smashing. That's baramundi.com/smashing.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. Smashingsecurity.com/kolide.
Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. Smashingsecurity.com/kolide.
And thanks to Kolide for supporting the show.
And welcome back and enjoy our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is a little bit sort of security related.
I switched on Netflix and I found a documentary, a lovely documentary about a beautiful romance of how a Norwegian woman working in London finds a guy on Tinder and she thinks, oh, I like the look of him.
So she swipes right, I think is the direction and it turns out that he is Simon Leviev, who is a wealthy jet-setting son of a billionaire diamond dealer.
It's oh, too good to be true. But she meets him for a lunch date at a posh London hotel, and he's romantic, he's funny, he's charming, he's very, very rich.
And later that day, she jumps into his chauffeur-driven Rolls-Royce and is whisked off in his private jet to Bulgaria. And it sounds like a beautiful romance.
But it's not actually a beautiful romance because things take something of a turn for the worse in this Netflix documentary, which is called The Tinder Swindler.
And I was watching it agog. My jaw was down on the floor going, oh my goodness. Why didn't I think of that? This is too much. Have either of you seen this? No. No.
Well, apparently it's quite popular on Netflix at the moment. I would recommend it, particularly if you're interested.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is a little bit sort of security related.
I switched on Netflix and I found a documentary, a lovely documentary about a beautiful romance of how a Norwegian woman working in London finds a guy on Tinder and she thinks, oh, I like the look of him.
So she swipes right, I think is the direction and it turns out that he is Simon Leviev, who is a wealthy jet-setting son of a billionaire diamond dealer.
It's oh, too good to be true. But she meets him for a lunch date at a posh London hotel, and he's romantic, he's funny, he's charming, he's very, very rich.
And later that day, she jumps into his chauffeur-driven Rolls-Royce and is whisked off in his private jet to Bulgaria. And it sounds like a beautiful romance.
But it's not actually a beautiful romance because things take something of a turn for the worse in this Netflix documentary, which is called The Tinder Swindler.
And I was watching it agog. My jaw was down on the floor going, oh my goodness. Why didn't I think of that? This is too much. Have either of you seen this? No. No.
Well, apparently it's quite popular on Netflix at the moment. I would recommend it, particularly if you're interested.
The Tinder Swindler.
No, not the Tiddlers. The Tiddlers. Wouldn't it be great if Tinder was called Tiddler?
Has Tinder Swindler come into your feed on Netflix, I wonder?
Well, it's one of the top things to view at the moment. It's been extremely popular. Really?
It was initially brought to my attention by a friend of the show, Ray Redacted, who tweeted about it.
Anyway, it is a story with plenty of twists in the tale, and it's quite astonishing what occurs. Is it worth watching? Yes, it is worth watching.
I think anyone who enjoys Smashing Security will enjoy the Tinder Swindler. So that is my pick of the week.
It was initially brought to my attention by a friend of the show, Ray Redacted, who tweeted about it.
Anyway, it is a story with plenty of twists in the tale, and it's quite astonishing what occurs. Is it worth watching? Yes, it is worth watching.
I think anyone who enjoys Smashing Security will enjoy the Tinder Swindler. So that is my pick of the week.
Thank you, Ray, for the suggestion.
Mark, what's your pick of the week?
Well, if your suggestion is going to appeal to a mass audience, you know, everyone who's got Netflix, I think mine is probably going to appeal to maybe one listener.
I don't know which one. I'm sure there's somebody out there that will enjoy this as much as I did. And so this is for you, whoever you are.
I don't know which one. I'm sure there's somebody out there that will enjoy this as much as I did. And so this is for you, whoever you are.
Mrs. Trellis of North Wales, make a note now of what Mark's going to talk about.
My pick of the week is a presentation, hour and a half long presentation called Leaf Bricks and Insect Herbivory.
What the fuck?
And this is— I'm serious. This is my love letter to YouTube. Okay, so I think YouTube and social media, they get a really bad press.
But the really wonderful thing about the internet and YouTube in particular is that whatever you are interested in, whether it is the effect of COVID vaccines and 5G mind control or insect herbivory, there is stuff for you.
And if you're into insect herbivory, there is a presentation by a guy called Thomas Dykstra, Dykstra with a Y. And he has rethought why insects eat plants.
He has rethought— this is his life's work, right? Is to research why do insects eat plants. And his conclusion is that insects only eat unhealthy plants.
And different insects eat different plants based on how unhealthy they are.
So if you've got locusts eating your plants, then your plants are healthier than if you have got scale insects eating your plants.
And basically there's an hour and a half of this stuff, and he goes on to explain why if he's right, then kind of everything we think we know about insects is wrong.
And it has all sorts of interesting things to say about—
But the really wonderful thing about the internet and YouTube in particular is that whatever you are interested in, whether it is the effect of COVID vaccines and 5G mind control or insect herbivory, there is stuff for you.
And if you're into insect herbivory, there is a presentation by a guy called Thomas Dykstra, Dykstra with a Y. And he has rethought why insects eat plants.
He has rethought— this is his life's work, right? Is to research why do insects eat plants. And his conclusion is that insects only eat unhealthy plants.
And different insects eat different plants based on how unhealthy they are.
So if you've got locusts eating your plants, then your plants are healthier than if you have got scale insects eating your plants.
And basically there's an hour and a half of this stuff, and he goes on to explain why if he's right, then kind of everything we think we know about insects is wrong.
And it has all sorts of interesting things to say about—
Because we used to think it was just because insects were hungry. But now, right. Exactly.
And what they are— But they're attracted to different—
But they're picky. They are picky. And so you can learn about your crops or your garden based on what kind of insect is attacking what.
And he's done another presentation where he talks about citrus growing in Florida, because there are records going back over 100 years.
And he sort of charts the decline of the citrus industry in Florida through the different waves of insect attacks that have happened to it.
And he's done another presentation where he talks about citrus growing in Florida, because there are records going back over 100 years.
And he sort of charts the decline of the citrus industry in Florida through the different waves of insect attacks that have happened to it.
Wow, I think that's super cool.
So there you go. So we have identified our one listener, and it's Carole Theriault.
Yes! Well, I'd like the idea of it. I want to go educate myself. I like it.
Anyway, link's in the show notes. But I love the fact that you— if this is your thing, 'cause I'm very specific about what I wanted to watch, and I loved this presentation.
But, you know, there are probably only 3 of us in the world.
But, you know, there are probably only 3 of us in the world.
Well, that's okay, I'm one of them.
Very cool. Carole, what's your pick of the week?
Well, let's carry on with my art theme.
So my pick of the week actually comes from a rock-solid recommendation from my mother-in-law, and it's a TV show or a documentary on iPlayer called Eye of the Storm, and it's on for the next 8 days only.
Okay, so it's a documentary of acclaimed Scottish artist James Morrison. He was born in 1932 and recently passed away at the start of the pandemic.
And near the end of his life, the BBC spent two years with him, you know, on and off documenting his last days as a painter.
He is an extraordinary landscape painter, and a lot of his work focuses on skies. I sky work as well, so— and I really love his stuff. It's sublime.
And you'll see many, many of his works in the documentary. But what's just so heartbreaking is that he's losing his sight.
And he is becoming, you know, he's 92 near the time of his death, right?
So he's getting weaker and weaker, and he can no longer go outside and paint, which is what James Morrison did most of his life. And he can't see as much.
And, you know, there's all these talks of, you know, Matisse used to have to paint on the walls from bed when he was too weak to get out of bed, or Monet continued painting even though he lost his own sight, or Beethoven composed while deaf.
So it's a beautiful way of someone coming to terms with losing the thing that they love most. And I found it touching, but also very beautiful.
So it's called The Eye of the Storm on BBC iPlayer. And it's a story of James Morrison, Scottish painter.
So my pick of the week actually comes from a rock-solid recommendation from my mother-in-law, and it's a TV show or a documentary on iPlayer called Eye of the Storm, and it's on for the next 8 days only.
Okay, so it's a documentary of acclaimed Scottish artist James Morrison. He was born in 1932 and recently passed away at the start of the pandemic.
And near the end of his life, the BBC spent two years with him, you know, on and off documenting his last days as a painter.
He is an extraordinary landscape painter, and a lot of his work focuses on skies. I sky work as well, so— and I really love his stuff. It's sublime.
And you'll see many, many of his works in the documentary. But what's just so heartbreaking is that he's losing his sight.
And he is becoming, you know, he's 92 near the time of his death, right?
So he's getting weaker and weaker, and he can no longer go outside and paint, which is what James Morrison did most of his life. And he can't see as much.
And, you know, there's all these talks of, you know, Matisse used to have to paint on the walls from bed when he was too weak to get out of bed, or Monet continued painting even though he lost his own sight, or Beethoven composed while deaf.
So it's a beautiful way of someone coming to terms with losing the thing that they love most. And I found it touching, but also very beautiful.
So it's called The Eye of the Storm on BBC iPlayer. And it's a story of James Morrison, Scottish painter.
It sounds delightful. His art is incredible. It is. And it's not just about art. It's also about aging from the sound of things.
And that's leaving a beautiful, beautiful legacy, right?
As we have done with the Smashing Security podcast. Yes. Not that this is the end yet, because first of all, Carole, we've got a featured interview, haven't you?
We do. Let's hear it. So today we are talking patch management and how to communicate it simply to our C-level folks. So today I'm talking with Sean Herbert.
He's Baramundi's UK Country Manager and a trusted advisor when it comes to managing and securing organizational networks from threats. Thanks so much for talking to us, Sean.
Thank you very much for having me. So first, maybe we should start with you telling us about Baramundi, a name I love to say, by the way. It just rolls off the tongue so beautifully.
Hey.
He's Baramundi's UK Country Manager and a trusted advisor when it comes to managing and securing organizational networks from threats. Thanks so much for talking to us, Sean.
Thank you very much for having me. So first, maybe we should start with you telling us about Baramundi, a name I love to say, by the way. It just rolls off the tongue so beautifully.
Hey.
Yeah. I mean, the common thing is for people to ask, is it the fish? But it's not.
We're a unified endpoint management provider, so it's all about the control of all of your endpoints in your environment, regardless of where they are.
You know, first step to being able to control or secure anything is knowing where it is and what's actually out there. And that's fundamental to what we do.
And within it, we're a modular setup.
So there's plenty of different bits and bobs, whether it be inventory, deploying of software applications, patch management, vulnerability scanning, MDM, all of that is within the UEM scope.
And that's what we do at Baramundi.
We're a unified endpoint management provider, so it's all about the control of all of your endpoints in your environment, regardless of where they are.
You know, first step to being able to control or secure anything is knowing where it is and what's actually out there. And that's fundamental to what we do.
And within it, we're a modular setup.
So there's plenty of different bits and bobs, whether it be inventory, deploying of software applications, patch management, vulnerability scanning, MDM, all of that is within the UEM scope.
And that's what we do at Baramundi.
And you've been there, what, 5 years now?
5 years. 5 fantastic years, actually. Best company I've worked for in a— yeah, ever, actually, I think I would say. That's saying a lot.
Just been through a pandemic, right?
Yeah, indeed.
Well, you know, that's— and that's a very quick and easy way of measuring the worth of a company is how they treat their employees during what can fundamentally be the hardest times.
And Baramundi really, really excelled at that. There was no furloughs, nothing. It was just, you know, push on forward.
Well, you know, that's— and that's a very quick and easy way of measuring the worth of a company is how they treat their employees during what can fundamentally be the hardest times.
And Baramundi really, really excelled at that. There was no furloughs, nothing. It was just, you know, push on forward.
That's so lovely to hear because often in this show, we cover companies that don't always do the right thing by their employees or their partners.
So maybe we can talk first about patching vulnerabilities because it remains a key vector for much of the bad stuff that's hitting us.
And I'd love to know what your take is on this issue.
So maybe we can talk first about patching vulnerabilities because it remains a key vector for much of the bad stuff that's hitting us.
And I'd love to know what your take is on this issue.
Yeah, I mean, it remains the key vector because it's the easiest route in.
And a lot of the time, those gaps are advertised, you know, patches aren't secret and the vulnerabilities that they are patching aren't secret either.
So as an entry point, they become a lot easier as an attack vector.
And I've always looked at patching as the fundamentals, what you should be doing first and foremost before you're doing anything weird and wonderful on top of that, or particularly massively innovative from a security standpoint.
If you have all of these incredibly innovative products and you're not doing the bare basics like patching, for instance, it's essentially like leaving the house, turning on the lasers and CCTV camera, but leaving the front door unlocked and wide open.
That's essentially what patching is — lock the windows, lock the doors before you're even thinking about anything else.
And a lot of the time, those gaps are advertised, you know, patches aren't secret and the vulnerabilities that they are patching aren't secret either.
So as an entry point, they become a lot easier as an attack vector.
And I've always looked at patching as the fundamentals, what you should be doing first and foremost before you're doing anything weird and wonderful on top of that, or particularly massively innovative from a security standpoint.
If you have all of these incredibly innovative products and you're not doing the bare basics like patching, for instance, it's essentially like leaving the house, turning on the lasers and CCTV camera, but leaving the front door unlocked and wide open.
That's essentially what patching is — lock the windows, lock the doors before you're even thinking about anything else.
Do you think most companies have that baked into their minds or do they just over, it's just an oversight? They just don't think about patching as a prime security mechanism?
No, I think most IT managers, network managers, and admins know that patching is what you need to be doing.
But essentially, it's to what degree they're doing it that really differs across different companies.
Now, what you tend to find is the bare minimum, or you'd hope the bare minimum, is that people have auto-updaters on.
And I say bare minimum because it's not what I would consider best practice by any stretch of the imagination, but patching something is better than patching nothing at all.
But you find a lot of companies are using WSUS and handling the Microsoft side of things.
But what tends to get overlooked a lot of the time is the third party patching world, the Adobes, the Googles, the Javas of the world, which are consistently adding new patches to the vulnerabilities that are found.
And that really counts towards things like the Cyber Essentials framework and those sorts of things that people really need to have in place.
But essentially, it's to what degree they're doing it that really differs across different companies.
Now, what you tend to find is the bare minimum, or you'd hope the bare minimum, is that people have auto-updaters on.
And I say bare minimum because it's not what I would consider best practice by any stretch of the imagination, but patching something is better than patching nothing at all.
But you find a lot of companies are using WSUS and handling the Microsoft side of things.
But what tends to get overlooked a lot of the time is the third party patching world, the Adobes, the Googles, the Javas of the world, which are consistently adding new patches to the vulnerabilities that are found.
And that really counts towards things like the Cyber Essentials framework and those sorts of things that people really need to have in place.
The thing is, though, IT and admins, as far as my experience goes, are very beholden to what the board or the senior management team feel is vital.
So, do you feel that C-levels really force this issue home, talk to people about patch management and kind of say, what's going on? What are we doing here? Talk to me about it, guys.
So, do you feel that C-levels really force this issue home, talk to people about patch management and kind of say, what's going on? What are we doing here? Talk to me about it, guys.
You tend to find with C-level CEOs and the like, they don't tend to come from the more techie side of the business.
Finance, sales tends to be where the CEOs lay, and certainly the CFOs who are holding the purse strings a lot of the time.
So being able to communicate why you need toolsets in place to be able to do these things, that can be difficult.
Myself, I'm lucky enough to understand the requirement for patching and the requirement for good tools to be able to help to do that.
But being able to translate that to language that is understood by somebody who's essentially not a techie for something that is also essentially not particularly sexy.
It's not a super sexy thing to talk about the patching aspect. You know, it doesn't light people's hearts up and that sort of thing.
So finding a way to be able to communicate that effectively to those people who aren't techies is key.
I've done speaking slots in the past at places like DTX or IP Expos— it used to be— and I really put an onus on trying to do that as well.
So putting different scenarios in people's minds to be able to understand it, not just the C-level, but also for those techies, those IT managers and those network admins to be able to understand that actually I need to frame this in a way that somebody who isn't me, who isn't qualified the way I am, understands it.
So I've done talks where I've likened it to the Death Star. Oh, really? How do you do that? Talk to me. Essentially what I did was remind people of the story.
Now, most people in the tech world, I'm sure, don't need to be reminded of the story of the initial Star Wars, where the Empire built a big old weapon that was designed to destroy planets, but the designer created a flaw in that, and those designs were stolen, and the rebels then were able to manipulate that flaw in order to then destroy the weapon.
Then relating that to actually what could the Empire have done better to ensure that these things wouldn't have happened.
So it's looking at things like employee actions, control of assets out there, audits, reporting on the things that they're doing, learning from their mistakes.
I mean, they went and built a second Death Star and left this one with loads of gaps open and just stuck a shield around it.
It's trying to relate it in that way to say, if they'd only patched up that small hole in that exhaust valve, then the first Death Star would have been out there.
And who knows, the empire could have still been going to this day, he says, living in a fictional world in his head.
So it's trying to frame it in those sorts of ways where people think.
And not necessarily take that scenario and go and speak to your CEO about it, but understand that you need to frame it in a way that they will understand, get on the same page as them, and be able to— if you're going to talk to the CFO, talk to them about why it's important from a costing point of view, what saving is what's that investment then later going to make to them?
From a CEO, obviously, it's mitigating risk and those sorts of things to ensure that the company isn't then held accountable for being hacked or whatever it may well be.
Finance, sales tends to be where the CEOs lay, and certainly the CFOs who are holding the purse strings a lot of the time.
So being able to communicate why you need toolsets in place to be able to do these things, that can be difficult.
Myself, I'm lucky enough to understand the requirement for patching and the requirement for good tools to be able to help to do that.
But being able to translate that to language that is understood by somebody who's essentially not a techie for something that is also essentially not particularly sexy.
It's not a super sexy thing to talk about the patching aspect. You know, it doesn't light people's hearts up and that sort of thing.
So finding a way to be able to communicate that effectively to those people who aren't techies is key.
I've done speaking slots in the past at places like DTX or IP Expos— it used to be— and I really put an onus on trying to do that as well.
So putting different scenarios in people's minds to be able to understand it, not just the C-level, but also for those techies, those IT managers and those network admins to be able to understand that actually I need to frame this in a way that somebody who isn't me, who isn't qualified the way I am, understands it.
So I've done talks where I've likened it to the Death Star. Oh, really? How do you do that? Talk to me. Essentially what I did was remind people of the story.
Now, most people in the tech world, I'm sure, don't need to be reminded of the story of the initial Star Wars, where the Empire built a big old weapon that was designed to destroy planets, but the designer created a flaw in that, and those designs were stolen, and the rebels then were able to manipulate that flaw in order to then destroy the weapon.
Then relating that to actually what could the Empire have done better to ensure that these things wouldn't have happened.
So it's looking at things like employee actions, control of assets out there, audits, reporting on the things that they're doing, learning from their mistakes.
I mean, they went and built a second Death Star and left this one with loads of gaps open and just stuck a shield around it.
It's trying to relate it in that way to say, if they'd only patched up that small hole in that exhaust valve, then the first Death Star would have been out there.
And who knows, the empire could have still been going to this day, he says, living in a fictional world in his head.
So it's trying to frame it in those sorts of ways where people think.
And not necessarily take that scenario and go and speak to your CEO about it, but understand that you need to frame it in a way that they will understand, get on the same page as them, and be able to— if you're going to talk to the CFO, talk to them about why it's important from a costing point of view, what saving is what's that investment then later going to make to them?
From a CEO, obviously, it's mitigating risk and those sorts of things to ensure that the company isn't then held accountable for being hacked or whatever it may well be.
You're absolutely right. You could apply the logic to any real scenario.
So if the CEO is a car buff, or the CEO is into any sport or any hobby, you could apply the kind of moral of the story of we need to lock everything down in order to stay, you know, to lower our risk, in a way that they exactly right.
So if the CEO is a car buff, or the CEO is into any sport or any hobby, you could apply the kind of moral of the story of we need to lock everything down in order to stay, you know, to lower our risk, in a way that they exactly right.
If you're a football fan, you talk about where all the players are positioned on the pitch to fill holes there.
And you could say, well, that's like patching and making sure there's no vulnerabilities that people can take advantage of. You can apply it to pretty much any situation.
I've done it with, like I say, the Death Star, Independence Day.
I did one that was speaking about the whole UEM and Unified Endpoint Management suite and how that relates to things like the Fellowship of the Ring and how different people relate to different modules and what they did.
And not only is it useful for them to be able to then translate that and talk to their C-levels, those who hold those purse strings, but also especially at events, whatever it may well be, InfoSecs of the world, a lot of the time you're sort of pummeled to death with tech demos and tech speak.
And sometimes it's nice to just have a little bit of a reprieve from that and be able to take a moment to have a bit of fun with it and have a smile on your face.
The metaphors aren't going to work every single time with these sorts of things, but people tend to be very forgiving with that sort of side of things when it's an enjoyable presentation at least, and the key message is being delivered.
And you could say, well, that's like patching and making sure there's no vulnerabilities that people can take advantage of. You can apply it to pretty much any situation.
I've done it with, like I say, the Death Star, Independence Day.
I did one that was speaking about the whole UEM and Unified Endpoint Management suite and how that relates to things like the Fellowship of the Ring and how different people relate to different modules and what they did.
And not only is it useful for them to be able to then translate that and talk to their C-levels, those who hold those purse strings, but also especially at events, whatever it may well be, InfoSecs of the world, a lot of the time you're sort of pummeled to death with tech demos and tech speak.
And sometimes it's nice to just have a little bit of a reprieve from that and be able to take a moment to have a bit of fun with it and have a smile on your face.
The metaphors aren't going to work every single time with these sorts of things, but people tend to be very forgiving with that sort of side of things when it's an enjoyable presentation at least, and the key message is being delivered.
The other cool thing about it is it's actually memorable. Narratives are much more memorable than key facts.
Yeah, absolutely.
That's part of what we do Smashing Security for, right? Try to educate people through storytelling.
Yeah, storytelling is powerful, absolutely. Being able to relate that to yourselves as well, it's the power of the hearth, isn't it?
People gathering around the hearth to share stories about their lives and all that sort of thing.
It was what was fundamental to us as human beings, to be able to relate anything out there, especially if you don't understand it, to a story, to a metaphor, or to a simile.
I think our brains are just made to do that.
People gathering around the hearth to share stories about their lives and all that sort of thing.
It was what was fundamental to us as human beings, to be able to relate anything out there, especially if you don't understand it, to a story, to a metaphor, or to a simile.
I think our brains are just made to do that.
Sean, I don't know if you're up for this. I'm going to test you. I'm going to say, give us a takeaway. Imagine our listeners are all CEOs that are tangentially interested in IT.
Is there some key takeaway of why it's important to look at your patches and your patching vulnerability?
Is there some key takeaway of why it's important to look at your patches and your patching vulnerability?
Key takeaway for CEOs on why patching is important or why they should be doing patching or looking at patching as a key aspect to their security.
One, first and foremost, it's the easiest thing to get sorted.
There's plenty of tools out there that do it, none as good as Barramundi, obviously, but there's plenty of tools out there that you can do it.
And even if you're doing the bare minimum, as I say, auto-updaters or using WSUS or whatever it is, Windows Update Online, all of those are providing patches.
There's really no excuse for you not to patch something at least within your environment. And it's a big tick in the box.
If you take away local admin rights and patch your environment, you're mitigating a lot of the risk within your environment straight off the gate.
Because as I said, those who are looking to infiltrate your system, they don't want to sit down and write the most complex hack in the world.
I mean, some people take joy in that, but if they're trying to make money out of the situation, then they're going to want to do it in the easiest way possible.
And in order to mitigate that is to take away those easy routes in, lock your doors, lock your windows before you leave the house and turn on the cameras, the lasers, the smoke detectors, the movement detectors, etc.
So that's what I'd say.
One, first and foremost, it's the easiest thing to get sorted.
There's plenty of tools out there that do it, none as good as Barramundi, obviously, but there's plenty of tools out there that you can do it.
And even if you're doing the bare minimum, as I say, auto-updaters or using WSUS or whatever it is, Windows Update Online, all of those are providing patches.
There's really no excuse for you not to patch something at least within your environment. And it's a big tick in the box.
If you take away local admin rights and patch your environment, you're mitigating a lot of the risk within your environment straight off the gate.
Because as I said, those who are looking to infiltrate your system, they don't want to sit down and write the most complex hack in the world.
I mean, some people take joy in that, but if they're trying to make money out of the situation, then they're going to want to do it in the easiest way possible.
And in order to mitigate that is to take away those easy routes in, lock your doors, lock your windows before you leave the house and turn on the cameras, the lasers, the smoke detectors, the movement detectors, etc.
So that's what I'd say.
Now you guys have also made a white paper available free to our listeners, all about patch management called Automatically Detect and Quickly Eliminate Vulnerabilities.
You guys can get your free copy at baramundi.com/smashing, and that's BaraMundi, B-A-R-A-M-U-N-D-I. It's great. Yeah, just note not two Rs because then it is a fish.
You guys can get your free copy at baramundi.com/smashing, and that's BaraMundi, B-A-R-A-M-U-N-D-I. It's great. Yeah, just note not two Rs because then it is a fish.
Singular R for BaraMundi. But absolutely, yeah, that paper's fantastic. As you say, it's free for your listeners to download as well.
Covers off the capabilities not only within the suite, but also just general best practices for vulnerability scanning and patch remediation, which both of which can be handled out of the BaraMundi UEM suite.
Which actually sets us apart from a lot of other products out there.
A lot of the time when you're looking at the vulnerability status as when it is applied to the patching status, a lot of the time these patch providers say, oh yeah, you've patched up to date with all of the content we provide, therefore you're not vulnerable.
Yeah, you know, that's falling short of the mark somewhat because no patch provider can provide every single possible patch you might possibly need within your environment.
So that's why we took it a step further with having a vulnerability scanner alongside that to compare your environment with a huge portfolio of CVEs and CCEs to say, great, you've patched up to date with all the content we provide you.
However, outside of that, these vulnerabilities still need addressing. So go out and manually get them or take remedial action as you see fit.
Or sometimes there's no patch available for some of these CVEs or vulnerabilities that are found out there.
So, you know, rolling back to a previously known good state, uninstalling, whatever it may well be, at least you are aware of your vulnerability status and able to take action as a result of that.
And we think that's key and fundamental to being able to secure your environment.
Covers off the capabilities not only within the suite, but also just general best practices for vulnerability scanning and patch remediation, which both of which can be handled out of the BaraMundi UEM suite.
Which actually sets us apart from a lot of other products out there.
A lot of the time when you're looking at the vulnerability status as when it is applied to the patching status, a lot of the time these patch providers say, oh yeah, you've patched up to date with all of the content we provide, therefore you're not vulnerable.
Yeah, you know, that's falling short of the mark somewhat because no patch provider can provide every single possible patch you might possibly need within your environment.
So that's why we took it a step further with having a vulnerability scanner alongside that to compare your environment with a huge portfolio of CVEs and CCEs to say, great, you've patched up to date with all the content we provide you.
However, outside of that, these vulnerabilities still need addressing. So go out and manually get them or take remedial action as you see fit.
Or sometimes there's no patch available for some of these CVEs or vulnerabilities that are found out there.
So, you know, rolling back to a previously known good state, uninstalling, whatever it may well be, at least you are aware of your vulnerability status and able to take action as a result of that.
And we think that's key and fundamental to being able to secure your environment.
Yeah, as always, the most important approach is preventative, right?
Rather than reactive. Absolutely, absolutely. And then patching is exactly that.
You know, it's, like I say, there's no excuse really to not be patching, especially the Microsoft stuff. So you should absolutely be doing that.
Don't be the person caught out and say, oh, well actually we got infiltrated by XYZ malware because we didn't patch this vulnerability within, you know, within Microsoft.
WannaCry was, you know, the big key one many, many years now.
We're looking back where that was exactly the case where the vulnerability was discovered and the patch released for it, I think in February of the year.
And then the vulnerability or the way to take control of that vulnerability or to access that vulnerability was then released in April, and then the WannaCry situation happened in May.
So there was almost a two-month gap between patch happening and then the WannaCry situation happening where— Preventative measures could have saved the day. Exactly, exactly that.
You know, it's, like I say, there's no excuse really to not be patching, especially the Microsoft stuff. So you should absolutely be doing that.
Don't be the person caught out and say, oh, well actually we got infiltrated by XYZ malware because we didn't patch this vulnerability within, you know, within Microsoft.
WannaCry was, you know, the big key one many, many years now.
We're looking back where that was exactly the case where the vulnerability was discovered and the patch released for it, I think in February of the year.
And then the vulnerability or the way to take control of that vulnerability or to access that vulnerability was then released in April, and then the WannaCry situation happened in May.
So there was almost a two-month gap between patch happening and then the WannaCry situation happening where— Preventative measures could have saved the day. Exactly, exactly that.
Sean Herbert, UK Country Manager, BaraMundi, thank you so much for coming on the show.
And again, you can get your free copy of this white paper called Automatically Detect and Quickly Eliminate vulnerabilities at baramundi.com/smashing.
And all I have to say now is may the Force be with you, Sean Herbert.
And again, you can get your free copy of this white paper called Automatically Detect and Quickly Eliminate vulnerabilities at baramundi.com/smashing.
And all I have to say now is may the Force be with you, Sean Herbert.
And with you. Thank you very much. Thank you.
Very cool. Well, that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Well, you can find me on Twitter @MarkStockley.
And you can follow us on Twitter @SmashInSecurity, no G, which will mouse to have a G, and we're also on Reddit in the Smashing Security Reddit.
And don't forget to ensure that you never miss another episode by following Smashing Security in your favorite podcast app.
And don't forget to ensure that you never miss another episode by following Smashing Security in your favorite podcast app.
And huge, huge thank you to this episode's sponsors, Kolide and Barramundi, and to our wonderful Patreon community. It's thanks to them all the show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 261 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 261 episodes, check out smashingsecurity.com.
And also, if you're a fan of Wordle, don't forget that when you tweet your Wordle score to @GrahamCluley, because he loves them. Yeah. No, I don't.
Until next time, cheerio. Bye-bye. Bye.
Hey listeners, Mark's not lying. Graham does actually really love getting the Wordle scores tweeted at him. Loves it.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Mark Stockley:
Show notes:
- Les dents, le brouilleur et au lit! — ANFR.
- Dad takes down town's internet by mistake to get his kids offline — Bleeping Computer.
- My first impressions of web3 — Moxie Marlinspike.
- Graham or Carole? – NFT for sale — OpenSea.
- $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users — The Verge.
- Art Copyright, Explained — Artsy.
- The US Copyright Office says an AI can’t copyright its art — The Verge.
- Ruling on "A Recent Entrance to Paradise" — Copyright Review Board.
- Appeals court blasts PETA for using selfie monkey as ‘an unwitting pawn’ — The Verge.
- 'Monkey selfie' case: Photographer wins two year legal fight against Peta over the image copyright — The Independent.
- What I Wish They Taught Me about Copyright in Art School — Library of Congress.
- Who is Banksy and why did he lose the trademark for four of his most famous works? — Sydney Morning Herald.
- The Tinder Swindler — Netflix.
- You Can’t Make This Up: The Making of a Swindler (Part one) — Podcast going behind the scenes of “The Tinder Swindler.”
- Why insects do not (and cannot) attack healthy plants — YouTube.
- Eye of the Storm — BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff
- Support us on Patreon!
Sponsor: baramundi
Optimize your IT processes with the baramundi Management Suite and make optimal use of resources by automating time-consuming routine tasks.
Stay in control and maximize your productivity by automating routine tasks. The Unified Endpoint Management Software can be installed and implemented quickly, is intuitive to use, has a modular structure and offers a high level of usability and transparency.
Try out the free 30-Day full version for yourself today at baramundi.com/smashingsecurity
Sponsor: Kolide
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
