Smashing Security podcast #275: Jail for Bing, and mental health apps may not be good for you

Industry veterans, chatting about computer security and online privacy.

A man hacks his employer to prove its security sucks, Telegram provides a helping hand to the Eternity Project malware, and what the heck do mental health apps think they’re up to?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.

Plus don’t miss our featured interview with Rumble’s Chris Kirsch.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Oh my God, they didn't kill him, did they?
GRAHAM CLULEY
Well—
CAROLE THERIAULT
Oh, shut up! No, shut up!
Unknown
No, no, they didn't kill him. Smashing Security, Episode 275: Jail for Bing, and mental health apps may not be good for you, with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 275. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week, Carole, we're joined by a returning guest, someone who's been on the show several times before. It's Dr. Jessica Barker. Hello, Jess.
JESSICA BARKER
Hello, hello. Thank you for having me back. I'm a bad penny.
GRAHAM CLULEY
Oh, I love it.
CAROLE THERIAULT
I love it that you're back. Have you anything to share with us? Anything amazing you want to tell our audience?
GRAHAM CLULEY
Have you been anywhere wonderful? Seen anything terrific?
JESSICA BARKER
Since we last spoke, I've been back to Dubai and Abu Dhabi, got to see the end of the Dubai Expo, which was great, amazing. And then I've also started horse riding again.
GRAHAM CLULEY
Oh la la!
JESSICA BARKER
Yeah.
CAROLE THERIAULT
That's amazing.
JESSICA BARKER
Random little hobby that I've added that I hadn't done for years.

Went horse riding in the Abu Dhabi desert, and that inspired me to come home and start horse riding lessons, which I haven't had for decades. But it's great fun.
GRAHAM CLULEY
Horse riding in the desert. It sounds absolutely horrific. You poor thing. What a horrible experience. No, what a horrible experience that must have been.
JESSICA BARKER
One struggles on.
CAROLE THERIAULT
Okay. Yeah. We're going to stop him right there and thank this week's sponsors, Kolide, Rumble, and GoodAccess. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be looking at how companies point the finger at suspected hackers.
CAROLE THERIAULT
Okay, okay, mysterious. What about you, Jess?
JESSICA BARKER
I will be talking about malware as a service sold via Telegram, and I will be sharing the privacy lowdown on some popular mental health apps.
CAROLE THERIAULT
Plus, we have a great featured interview with Chris Kirsch. He is the co-founder and CEO of Rumble.run. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, have you ever felt unlistened to in the workplace?
JESSICA BARKER
I'm sorry, I'm sorry, did you say something? Did I hear something?
GRAHAM CLULEY
Have you ever felt you're Chicken Little, warning the company of impending doom and disaster, no one taking you seriously? Yes, definitely.
CAROLE THERIAULT
I have worked at places where I'm, I really think you guys know I have to do this. I really think this is important. And they're, yes, yes, yes, it's on the list.
GRAHAM CLULEY
We shouldn't do this IT vigilante thing. We shouldn't dress him up in orange latex, produce a series of videos.

Did you warn something dreadful was going to happen, then discover to your horror that you'd been thrown into a Chinese jail for seven years? Had that ever happened to you?
CAROLE THERIAULT
No.
GRAHAM CLULEY
No, okay.
JESSICA BARKER
Not that I can remember, no.
GRAHAM CLULEY
Not that you can remember. Well, they might have wiped your mind, mightn't they? That might have been part of the torture process. It's always possible.

I have to ask myself all the time, what might have happened yesterday that I've had wiped? In a sort of Men in Black scenario from my brain.
CAROLE THERIAULT
This could work in my advantage, actually.
GRAHAM CLULEY
Let me tell you the story of a man, a man called Han Bing. He is a database administrator.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And he worked for a real estate company in China called Lianjia, formerly known as Homelink.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And in his job, he had some security responsibilities. He had admin rights and so forth.

And he discovered what he believed were some problems with the security, the computer security at his company.

And he wanted to bring them to the attention of senior members of the firm.
CAROLE THERIAULT
Right. So he's like, ooh, this looks a bit not good for us. Let me just tip it off.
GRAHAM CLULEY
Yeah. We need to fix this. There's a problem here. It needs, or something needs to be patched or reconfigured, or we need to throw some budget at the wall and see if it sticks.
CAROLE THERIAULT
Kind of what you want ideal employees to do.
JESSICA BARKER
Yeah.
GRAHAM CLULEY
Yeah. Yeah. Sounds great.
JESSICA BARKER
Yeah, it sounds good.
GRAHAM CLULEY
Like I said, have you ever been in that situation where you've kind of gone, "Guys, I think we've got a problem, Houston. I think," and everyone's like, "Shush, shush, shush, shush.

Will you stop distracting us from what we really want to focus on with all your, 'Oh, there's a security problem.'"
CAROLE THERIAULT
"There's some sort of phishing." Yes, we're trying to design the sales service to be slicker. Please stop telling us about vulnerabilities.
GRAHAM CLULEY
Yeah, vulnerability with the landing page, or did you realize this page you've created allows you to send spam text messages to anyone in the world for free or something.

Not that that's ever happened at any companies we've ever worked at, Carole. Something which we've warned about, and maybe people aren't that interested in dealing with.
CAROLE THERIAULT
I cannot confirm or deny.
JESSICA BARKER
And then the worst happens, and they say, why didn't anyone tell us? Shouldn't you have known about this?
GRAHAM CLULEY
Right.
JESSICA BARKER
Yeah.
GRAHAM CLULEY
And maybe you've already spoken to your boss, and your boss is like, ch-ch-ch, you know, come on, come on, come on, come on. Don't worry. No one's gonna exploit that.

And you think, well, I'm gonna go to the very top. I'm gonna usurp my boss. I'm gonna waltz around him. I'm gonna go straight to the chiefs. I'm gonna explain the problem to them.

They're gonna reward me with riches. They're gonna be so grateful that I've brought this to their attention.

And maybe my boss will get the boot 'cause he isn't taking this problem seriously. But you feel strongly about it.
CAROLE THERIAULT
Yes, exactly.
GRAHAM CLULEY
It's exactly that scenario, isn't it?
CAROLE THERIAULT
Can I just bring it even a bit further? I suspect many people, after announcing, and I would always do it in writing, right?

And then I would print with the metadata of the email that I sent and keep a copy of said email just in case they erased the whole server or my emails from the server saying, "And no, you never did tell us." And then in case they break into your home and burn your printed copy, you have it tattooed on your left buttock.

Well, we've talked about tattooing stuff.
GRAHAM CLULEY
It's the ultimate backup, in fact. There it is on your backside.
JESSICA BARKER
I feel this was a conversation the last episode that I joined you on. Your tattoo artists are busy.
CAROLE THERIAULT
Well, Oxford, you know.
GRAHAM CLULEY
So Han Bing, with another database administrator who he got on board, he presented his evidence to the bosses, and he waited for their response.

You can imagine the scene, the flip charts, the PowerPoint slides, the rolled-up sleeves, the expectance of backslaps, congratulations, the opening of champagne, instant pay rises all round.

We're going to fix the problem. 'You are a hero. You saved the company.' That's what they're imagining.
CAROLE THERIAULT
If that's what they're imagining, they're sorely mistaken.

Even half that is just, "Thanks, we'll look into it," is the best one should be able to hope for, or in my experience anyway.
JESSICA BARKER
Maybe they've not been through this before.
GRAHAM CLULEY
Yeah, maybe not. Maybe they're a little naive. Well, it didn't quite go down how they planned, because people had their noses seriously put out of joint by what Han Bing said.
CAROLE THERIAULT
Because he was insulting someone else's code?
GRAHAM CLULEY
Well, the thing was, there were arguments between him and the other database administrators. Maybe they thought it made it look like they hadn't been on the ball.

Maybe they had been lax in the security. They had maybe introduced problems or not dealt with issues. And here was this whistleblower kicking up a stink, making them look bad.

And of course, the boss as well, he's been sort of undermined by Han Bing going to the big bosses.
CAROLE THERIAULT
Oh my God. They didn't kill him, did they?
JESSICA BARKER
Well.
CAROLE THERIAULT
Oh, shut up. No, shut up.
GRAHAM CLULEY
No, no, they didn't kill him. But I prefer your story. I mean, we could say he got killed at that point, if you'd like. No, no, no, no, no.

Something happened to him which was even worse than death. He had his office relocated.
CAROLE THERIAULT
Oh dear. Near the toilets? That's the worst.
GRAHAM CLULEY
Probably near the toilets. Maybe on the back of a 737. It was some cockroach class, I don't know. But they moved his office and he felt sad.

He thought, no one likes me at this company anymore, I'm undervalued.
CAROLE THERIAULT
I try to do something amazing and here I am sitting near the bugs.
GRAHAM CLULEY
And according to the Chinese reports, the reports which come out of China, which have been translated with the help of online services for me to understand, he became passive and sluggish.

Often late and early, and there was absenteeism. So he wasn't quite as enthusiastic as he used to be.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
'Cause he felt like, no one cares about me, little old me.
CAROLE THERIAULT
Okay, so he's disgruntled.
GRAHAM CLULEY
He is disgruntled. Either he had completely ridiculous out-of-proportion thoughts as to how well he would be rewarded.
JESSICA BARKER
No.
GRAHAM CLULEY
Or maybe he was just a bit of a grumpy old misanthrope in the first place. Bit of a git.
JESSICA BARKER
Why not both? Maybe both.
GRAHAM CLULEY
Possibly both. Quite possibly both. Often does combine, doesn't it? You feel like you— the people who are grumpiest feel like they deserve the most.
JESSICA BARKER
That's so true.
CAROLE THERIAULT
Yeah, and it's the way you communicate these things. You know, if you're saying, "Captain, I found a problem and George did it," that's going to cause a bit of fracas in the group.
JESSICA BARKER
But if you're kind of, "Hey, I think we can tighten our security even further." Yeah, it sounds like going for a full-on presentation and finger-pointing may not be the way to go.
GRAHAM CLULEY
So what happened next is where the company's problems really started, because on June 4th, 2018, someone using admin privileges and a root account accessed financial information on the servers at this company, Lianjia, and they deleted the data.

In fact, they didn't just delete the data, they wiped it. They overwrote it multiple times with garbage to try to prevent the data from being recovered.
CAROLE THERIAULT
So all their financial data, all their stuff, all their accounts gone.
GRAHAM CLULEY
All gone. Large parts of their operations were impacted.
CAROLE THERIAULT
Were they in debt? Just out of interest. I'm just— my conspiracy hat's on.
GRAHAM CLULEY
No.
CAROLE THERIAULT
Well, just checking.
GRAHAM CLULEY
Tens of thousands of employees went without salaries for an extended period of time.

And it cost them tens of thousands of dollars to restore the data and get things back up and running again. But they think there were much more costs than that.

And so the company initiated an investigation and they thought, well, who could possibly have accessed this root account and used these admin privileges to access this database?
CAROLE THERIAULT
And by a process of elimination—
GRAHAM CLULEY
Well, they came down to a list of the 5 database administrators who they employed.

And they were, of course, Han Bing, Gary Google, Peter Pornhub, Arthur Alta Vista, and Dudley Dogpile.
CAROLE THERIAULT
Dudley Dogpile?
GRAHAM CLULEY
You don't remember Dogpile?
CAROLE THERIAULT
No.
GRAHAM CLULEY
Oh, Carole, how old are you? Dogpile was a search engine. It still is.
CAROLE THERIAULT
For real?
JESSICA BARKER
Is it? This is a new one to me.
GRAHAM CLULEY
Not a very popular one.
JESSICA BARKER
Is it shit?
CAROLE THERIAULT
Is that the whole point?
GRAHAM CLULEY
It was a bit like Ask Jeeves, but with dogs as their logo instead.
CAROLE THERIAULT
I've never even heard of it.
GRAHAM CLULEY
There you go.
JESSICA BARKER
Not the best name.
GRAHAM CLULEY
I know, but you know, how crazy is Google or Bing or all the rest of them? So they asked these five people, they said, can you hand over your laptops? We want to take a look at them.

And four of them said, sure, no problem. Go ahead. Forensically examine as much as you like. Then Han Bing, he went, oh, whoa, whoa, whoa. What? No, hang on.

He said, I've got some private data on my laptop, and if anyone wants my password, it has to be the police. I'm not going to help you.

You know, I can enter my password myself, and I'll be present while you're doing any checks, but I'm not going to hand this over.
CAROLE THERIAULT
Okay, I think that's a fair response, whether he's guilty or not guilty, right? I know people, Graham, you know people as well, that there's no way they'd hand their passwords over.
JESSICA BARKER
Yeah, and you can understand his reluctance, certainly. Yeah, and he's saying he's happy for them to check it, he just wants to be there.
GRAHAM CLULEY
Maybe he'll do the typing. Maybe he'd delete any suspicious photos at all.

Well, it turns out the company's investigators, they already knew they weren't actually interested in anything on the laptops.

They say that it was quite likely that whoever had made the unauthorized access wouldn't actually have left any traces or any breadcrumbs on their own PCs.

They only wanted to see how each suspect would react. And 4 of them had no problems, and the 5th was like, "Whoa, whoa, whoa.

Why would you want to do that?" So Peter Pornhub, he got away with it. Yeah. So the investigators meanwhile had cross-referenced server logs, MAC addresses, IP addresses.

They looked at CCTV footage, times when things were accessed.
CAROLE THERIAULT
Of course. I mean, all their financial data is gone. It's not like, "Oh, someone said that the CEO likes yogurt when he hates it." It's a big deal.
GRAHAM CLULEY
Exactly.
JESSICA BARKER
Yeah.
GRAHAM CLULEY
Exactly.
JESSICA BARKER
And done in such a way that they can't get it back and all that disruption and the morale for people not receiving their salaries. It must have caused a whole host of problems.
GRAHAM CLULEY
Yeah, absolutely. And one of the clues they said they found was that Bing's MacBook laptop had the hostname Yggdrasil, the giant tree of Norse mythology.

And on one of the server logs they had, a computer with that name had connected to their server.
CAROLE THERIAULT
Mm. So they didn't need to go in at all. They just knew by computer name.
GRAHAM CLULEY
They kind of just knew by some of that information. Exactly. So Han Bing has now been sentenced.

It's finally gone to court, and he has been sentenced to 7 years in prison and told to pay compensation of $30,000, or the equivalent of, to his former employer as well.

All because he wanted security fixed. And for some reason, and what is this reason?

Some reason he chose to sort of, well, I'll show them, I'll prove that it's a big problem, and did this to try and get their attention.
JESSICA BARKER
It's the mix, isn't it, of A, I'll prove them wrong and myself right.

But also, if he felt, as you said, Carole, if he felt disgruntled, if he felt pushed to one side and he'd been ignored.

And maybe there was other stuff, you know, maybe there was a pattern of these. And so he just thought he'd stick it to them, I guess.

And he obviously thought he was cleverer than all of them and he'd get away with it.
CAROLE THERIAULT
Yep. And this is why Graham and I and Smashing Security are launching Give Your Data Administrator a Hug Day today.

So just to make sure they don't get disgruntled so this doesn't happen to you. Enjoy.
GRAHAM CLULEY
I should stress that it's Give Your Database Administrator a Hug Day today. Yesterday was Give Your Database Administrator a Personal Deodorant Day.

So as long as you follow all of the—
CAROLE THERIAULT
That's so lame.
GRAHAM CLULEY
Jeez.
Unknown
What?
CAROLE THERIAULT
I'm just saying. When's the last time you've even hung out with a data administrator?
GRAHAM CLULEY
Well, it's not just them, Carole. When did you last give somebody a hug?
CAROLE THERIAULT
When's the last time I put deodorant on?
GRAHAM CLULEY
No. Well, now we're talking. Jess, over to you. What have you got for us this week?
JESSICA BARKER
Well, I have been reading research from the dark web monitoring company Cyble, who have published a report about the Eternity Project malware. Have you read this?
CAROLE THERIAULT
No, I haven't.
JESSICA BARKER
So they share a lot of findings about this malware and the Tor site that is used to share this malware, to sell this malware.

But they include findings that this malware as a service is also being sold via Telegram.
CAROLE THERIAULT
Telegram comes up a lot with these little dodgy groups, doesn't it?
JESSICA BARKER
Doesn't it? It seems to be coming up more and more over kind of the last year.

This particular family of malware, the Eternity Project, includes stealers, miners, ransomware, and DDoS bots.

And this Telegram channel that the researchers at Cyble have found apparently has about 500 subscribers. So not a huge amount, but substantial enough.

And interestingly, it employs a bot that allows the purchaser to compile the code themselves.

So they can take it off the shelf, they can just buy the malware as is, or they can have the support of this Telegram bot that enables them to customize it too.

So we've got script kiddies who are getting a little bit of support to customize their malware to be just exactly how they want it.
CAROLE THERIAULT
Okay, forgive me because I'm not as techie as you guys. But so you'd be on Telegram, you'd be looking for this, I'm looking for this.

And then you would go through Tor to a special website and buy certain bits and bobs and create your malware, that type of thing? Or is it all free? Or—
JESSICA BARKER
So you buy it, they sell it on an annual subscription model.
CAROLE THERIAULT
Okay.
JESSICA BARKER
So you can basically buy the malware and then get the code and be able to customize it with the support of a Telegram bot, I think, being able to tell you different things that you can do and how to do it.

As I understand it.
CAROLE THERIAULT
Is it expensive to do this, or?
JESSICA BARKER
It is not. It's not the cheapest out there, but it is as little as $90 for a miner and $490 for ransomware. So ransomware is the most expensive.
GRAHAM CLULEY
It is pretty cheap when compared to the potential rewards for using this code.

And that's the worry, of course, is that these sort of services give the tools to absolutely anyone with a criminal bent, so that they can begin to exploit it and make potentially a large amount of money.
CAROLE THERIAULT
And I just want to say, when Jessica says miners, she does mean crypto miners, not kids.
GRAHAM CLULEY
Not Arthur Scargill.
JESSICA BARKER
Good point. Yes, crypto miner.
GRAHAM CLULEY
I'm keeping it topical.
CAROLE THERIAULT
So I wonder what Telegram says about this. They've always, as far as I know, said, look, we don't monitor the chats, we don't know what people are using it for.
GRAHAM CLULEY
We don't have logs.
CAROLE THERIAULT
We are not responsible. We're just letting people connect.
JESSICA BARKER
Yeah, I haven't seen if they've responded to this. It's pretty new, this news coming out. I don't think they have, and they don't seem to respond to much of this stuff individually.

They seem to have this kind of statement, as you say, that, you know, hey, this is just happening on Telegram, but we're not responsible for it.
GRAHAM CLULEY
And I think probably what they would say would be that the onus is on people who stumble across these groups to report them so they can be shut down, but of course they can pop up within seconds elsewhere.

So there's a lot of this going on on Telegram, and some of these groups have thousands and thousands of people participating on them, sharing information, including sometimes journalists.

You know, there's journalists who are subscribed to Telegram channels where they find out what the latest ransomware attacks are going to be.
JESSICA BARKER
That's very true.
GRAHAM CLULEY
There's probably companies out there who are also subscribed to some of these channels just to get a heads up as to whether they might be the next target.
JESSICA BARKER
This is certainly not the first time that we have seen Telegram being used by cybercriminals for all sorts of different things as well.

Not just this, selling malware, but being used for cryptocurrency scams, job recruitment scams that I think we've spoken about before on Smashing Security, sharing of nudes, you know, unauthorised, without people's permission.

And BlackBerry recently released a report about remote access Trojan being sold really, really cheaply, $20.

And that was also using a Telegram channel, kind of a support with nearly 3,000 subscribers. So this seems to be growing more and more as a problem.
GRAHAM CLULEY
So if you bought that, all you would need to do is just email, for instance, somebody with a link pointing to that executable, telling them it's something like an update or something, and then you would have remote control of their computer and be able to spy on what they were up to.

So you can imagine a lot of people out there might be tempted to use a remote access Trojan to snoop on a, you know, maybe a potential partner or an ex-partner.

All kinds of ghastliness there, isn't it? This, this malware you're talking about, though, the Eternity Project malware, it's a bit of a stupid name, isn't it? Eternity Project.
CAROLE THERIAULT
Oh, look, Graham's bitching again.
GRAHAM CLULEY
No, well, I just think it's just a little bit full of itself, isn't it? It doesn't call itself something like lumpy trousers. I just think sometimes—
CAROLE THERIAULT
Do you call yourself something like lumpy trousers?
GRAHAM CLULEY
I have lumps, maybe not in the right place. More like sugar lumps.

But it's just, I just think sometimes they're a little bit full of themselves and maybe they need a little bit more sense of humour. It just sounds pretentious.
CAROLE THERIAULT
Just like you, yeah.
GRAHAM CLULEY
You're not full of yourself.
CAROLE THERIAULT
It sounds pompous.
JESSICA BARKER
You're not, yeah, you're not pompous.
GRAHAM CLULEY
And I'm Pompa so much.
CAROLE THERIAULT
No.
JESSICA BARKER
It sort of sounds like a Marvel film or some kind of trilogy.
GRAHAM CLULEY
The Eternity Project malware. It must be a 14-year-old, surely, with a name like that. Carole, what have you got for us this week?
CAROLE THERIAULT
I have something super cheery.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Yeah, we're talking mental health. 'Cause you know, it's Mental Health Awareness Month.
GRAHAM CLULEY
Hang on, it's Hug a Database Administrator Day.
CAROLE THERIAULT
Oh, I just called that. That's a tweet.
GRAHAM CLULEY
Oh, okay. Oh, that isn't official.
JESSICA BARKER
Yeah. Okay.
CAROLE THERIAULT
Is it too close to pandemic, post-pandemic, pandemic still?
GRAHAM CLULEY
Yes, of course it bloody is.
CAROLE THERIAULT
Exactly. Maybe just elbow bump or something.
GRAHAM CLULEY
Yeah, elbow bump. Yeah. So it's Mental Health Awareness Month.
CAROLE THERIAULT
Yeah, yeah. And Graham, so how are you feeling? Are you going a bit mental?
GRAHAM CLULEY
I don't think the phrase "a bit mental" is terribly politically correct, but anyway, I feel all right. Not too bad at the moment. Thank you very much for asking.
CAROLE THERIAULT
That's very good. But there are many, many people out there who are not feeling A-okay or fine at the moment, right? And there are countless reasons why that might be.

There's inflation, divisive politics, misinformation, you know, poisoned earth, Will Smith losing his cool, Depp versus Heard. I mean, all these dramas.
GRAHAM CLULEY
What's happening with Will Smith hitting someone and Amber Heard and Johnny Depp having a barney at court? These, you're putting these up alongside climate change and— Oh, I see.

Okay.
JESSICA BARKER
All right.
CAROLE THERIAULT
Yes, yes, absolutely.

All these dramas, all these dramas have no doubt played a very significant part in making us feel either depressed or lonely or anxious or annoyed or frustrated.

All the things that maybe a therapist could help us unpack.
GRAHAM CLULEY
Yes, yes, I suppose so. Maybe.
CAROLE THERIAULT
When the pandemic hit, the need for therapy skyrocketed for probably mostly obvious reasons, right?

And the irony was that therapists weren't allowed to see their patients because remember lockdown? So online video, text, and phone sessions slowly normalized.

And those of us that didn't have a therapist pre-pandemic found ourselves suddenly in need. We were all out of luck, right? Therapists were booked solid, taking no new patients.
GRAHAM CLULEY
So, right, I suppose so. Yeah.
CAROLE THERIAULT
So you're sitting there and you need a therapist, right, for your lumpy trouser problem, Graham, right? And you can't find one.
GRAHAM CLULEY
I don't think that's a therapy issue, but anyway, carry on.
CAROLE THERIAULT
Could all be in your head, right? Maybe you just think—
GRAHAM CLULEY
Oh, maybe, maybe, yeah.
CAROLE THERIAULT
Okay, so what do you do? What do you do?

You can't find a therapist, you've gone through the phone book, you know, you've looked around the neighborhood, everyone's saying, sorry, totally booked. What do you do?
GRAHAM CLULEY
Are you going to suggest, because I remember a few weeks ago you were talking about getting yourself a virtual boyfriend via an app. Which was AI-controlled.

Are you talking about an AI therapist?
CAROLE THERIAULT
Close, close.
GRAHAM CLULEY
I see. I know the way your mind works now.
CAROLE THERIAULT
So you may have heard ads or promos for online therapy, where therapists are vetted and whatever your problem, they'll align you with a professional who can help.

So these online app services, for example. Is there any name actually that comes up when you think about it?

I'm a big pod listener, so there's two that come up in my head immediately of these kinds of online services that have been touted recently.
GRAHAM CLULEY
Oh, I have heard one advertised, but I can't remember the name. Is it BetterHelp?
CAROLE THERIAULT
BetterHelp is one. I'm going to talk about BetterHelp.
GRAHAM CLULEY
BetterHelp, is it? Okay.
JESSICA BARKER
Right.
CAROLE THERIAULT
And you may have heard of Talkspace as well.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
Yeah. That's another one that I hear all the time.

So you go to the Talkspace website and it says, "Feeling better starts with a single message." That's their strapline at the moment on their homepage.

And they say, 'Look, we need to do a brief assessment.' So basically answer a few questions about your preferences, pick a provider, we'll give you a selected, we'll give you a list of recommendations.

You go ahead and pick which one sounds good for you and just start your therapy and begin the journey towards a happier you.
GRAHAM CLULEY
And this will be online therapy with a real living therapist?
CAROLE THERIAULT
Yes. So someone they've vetted.
GRAHAM CLULEY
Is it a Zoom call or something?
CAROLE THERIAULT
Yeah, it's like a Zoom call. Maybe you can get text messages. You can leave phone, answer phone voicemail type things.
JESSICA BARKER
Yeah, I think I've seen these on Instagram where you exchange messages and stuff.
CAROLE THERIAULT
Yep, exactly.

So Talkspace and BetterHelp are both known to have done a very huge advertising campaign during the pandemic because people, there was basically a mental health crisis.

And they can step in and be helpful.

So BetterHelp have, on their homepage, "You deserve to be happy," and "Answer a few questions to find a therapist who fits your needs and preferences." So same idea.

But they then make a big deal about tapping into the largest network of licensed professional board-certified providers.
JESSICA BARKER
Okay, so good, professional.
CAROLE THERIAULT
Yeah.
JESSICA BARKER
Certified.
CAROLE THERIAULT
Both sites look slick, and they're full of quotes from people saying, oh my God, my life's so much better now that I've done BetterHelp.
GRAHAM CLULEY
So this is a good news story. This is a good news story. Excellent. Exactly.
CAROLE THERIAULT
Great.
GRAHAM CLULEY
Oh, well, thanks very much.
CAROLE THERIAULT
And they're very professional websites, 'cause if you think about it, some mental health issues are basically something you don't want to, you want to keep it entre nous.

It's a private thing. If I go to a therapist with an uncontrollable embarrassing tic, for example, I don't want people around me to know about it.

Graham, for example, would just mock me every time he sees me.
JESSICA BARKER
Yeah, it's sensitive. It's potentially really sensitive stuff that people don't just want to talk to anyone about. They want—
GRAHAM CLULEY
Exactly—
JESSICA BARKER
Professional experience certified.
GRAHAM CLULEY
That was a bit mean.
CAROLE THERIAULT
Who, Jessica's mean to you?
GRAHAM CLULEY
I think you were just a bit mean to me there. I think you've hurt me there.
CAROLE THERIAULT
Get a therapist.
JESSICA BARKER
I might know an app that can—
CAROLE THERIAULT
Yeah, well, maybe you want to listen a bit more before you advertise this.
GRAHAM CLULEY
Okay.
JESSICA BARKER
Oh no.
CAROLE THERIAULT
So as this is a security podcast, Graham, to your point, let's bring in Mozilla, the power behind Privacy Not Included.

This is a site devoted to assessing products, services that are online connected, and they give them a privacy rating.

Sometimes that's a good privacy rating, and sometimes it's a poo-poo rating.
GRAHAM CLULEY
So Mozilla, they're the people who make Firefox and Thunderbird.
CAROLE THERIAULT
And this little project they do, have a team of, I think they must have lawyers in there because they read all the small print, they look at the settings, they do some research online, they reach out to the company for a response.

And just last week they released their findings on a slew of mental health apps. And it's not scary at all if you don't care a jot about privacy.

Okay, so I'm gonna— so you know how I said I knew about Talkspace and BetterHelp? So I had those already listed before I went and read all the stuff that they'd done.

And both of them are listed as two of the six worst offenders on Mozilla's list.
JESSICA BARKER
The two that have been advertising so much through the pandemic.
CAROLE THERIAULT
Yes, trying to build the number of people that use their services.

So I'm going to list out, this is Carole's Cliff Notes, if you want, of Mozilla's Privacy Not Included's Cliff Notes on Talkspace.

And you can obviously, all the links are in the show notes, so you can go read to your heart's content.

But Talkspace says they collect a lot of personal information on users, including name, email address, phone number, gender, relationship status, employer, geolocation information, transcripts, and more.

And they say they can use this personal information for marketing, tailored advertising, and research purposes.

Now, there are no promises in the small print not to sell non-medical information. So they are HIPAA compliant, they say, right?

So they're not gonna sell the medical stuff, but the non-medical stuff, unless you live in California or in the European or UK regions, you have GDPR protecting you, your information may be used.
GRAHAM CLULEY
Wow.

So you're not only paying then for the therapy, they're also going to take your data, or at least they have the option of taking your data and selling it to someone else for money as well.

Because your subscription isn't enough for them.
CAROLE THERIAULT
Because you're—
JESSICA BARKER
Yes.
CAROLE THERIAULT
Talkspace also says, quote, your written authorization will be required for uses and disclosures of psychotherapy notes and uses and disclosures of your protected health information for marketing, which basically says they might give you a, hey, blah, blah, blah, blah, do you allow us to do this?

Consent, right? And how many people just click without looking?
JESSICA BARKER
Especially when people are potentially very vulnerable, trying to get therapy, trying to get help.

They've turned to this solution, and maybe they're not in the right frame of mind to be.
CAROLE THERIAULT
100%. 100%. I couldn't agree with you more on that.
GRAHAM CLULEY
If you go for in-person therapy to somewhere and you go and lie on the couch and all the rest of it, do the therapists then say, oh, thank you very much telling me about all of your problems, it's going to be very useful, I'm going to be able to use this?
CAROLE THERIAULT
Do you mind if I sell it to Coca-Cola?
GRAHAM CLULEY
I'm gonna sell this to Grazia magazine. I've got a lovely little column I'm going to write about people with weird problems. It's just another way to supplement my income.

Oh great, that'll be $400, please.
JESSICA BARKER
Of course.
CAROLE THERIAULT
So the New York Times reported in 2020 that former employees and therapists at Talkspace told them that anonymized conversations between medical professionals and their clients were regularly reviewed by the company so they could mine them for info.

So they're basically saying that idea that you and your therapist are all alone, no one's listening, may not be all it is.

And then Talkspace say in their privacy policy, if you do want us to share your personal data or feel uncomfortable with the way we use your information in order to deliver our services, please do not use our services.

And Mozilla's Privacy Not Included say we think that's pretty good advice.
JESSICA BARKER
So basically—
GRAHAM CLULEY
If you don't like it, sling your hook is what they're saying. Yeah, well, that is true. I mean, that is ultimately the best advice, isn't it? Is not to use it.
CAROLE THERIAULT
I agree.
GRAHAM CLULEY
It would be nice if they—
CAROLE THERIAULT
Well, yeah, wasn't that their homepage?
JESSICA BARKER
Yeah, exactly.
GRAHAM CLULEY
They could have had that on big letters there to say, by the way, you don't want to use us.
JESSICA BARKER
Great work, Mozilla, though.
CAROLE THERIAULT
I know. It's such a great site.

Seriously, I'm going to recommend that all listeners and you too bookmark that page because you sometimes think, oh, we need to buy a new something smart for the home, you can just go look and see if they've already reviewed it.

And if not, you can actually give it to them and recommend that they go review it for you. So it's a very cool site. So again, link in the show notes. Do check it out, guys.

It's really good. BetterHelp wasn't much better. They say they collect, use, and store communications between users and counselors on their platform.

They also collect a whole lot of personal information from responses on their intake questionnaire, things like are you feeling depressed or anxious, or are you struggling to maintain relationships, to things like name, age, email address, and phone number.

And Mozilla say as well that they can use this data they collect on you for personalization, product offerings relevant to your individual interests, and targeted ads.

So if you had an embarrassing problem, say you were a shoe fetishist or a foot fetishist, right, what would your ads be like?
JESSICA BARKER
Shoes and feet.
CAROLE THERIAULT
For nail polish?
GRAHAM CLULEY
Yeah, but you'd love it, wouldn't you? You'd be happy if you're a foot fetishist to get loads of shoes and feet photos.
CAROLE THERIAULT
Yeah, well, it doesn't help your drama and your therapy.
GRAHAM CLULEY
Maybe you're getting therapy because you can't get enough pictures of shoes and feet. And they're actually doing you a favour.

Maybe you're thinking, well, it's just hard to get hold of new material.
CAROLE THERIAULT
And even The Economist again shared a report of one user that said, when I first joined BetterHelp, I started to see targeted ads with words that I had used on the app to describe my personal experiences.

Wow. It's right—
JESSICA BARKER
Wow.

No, you're not feeling good, you may be feeling a bit paranoid, you're in this session, you're talking about your deepest hurts and sensitivities, and then you see words that you have used being—
GRAHAM CLULEY
I'm just imagining getting some therapy and suddenly I've got ads for a trombone, a terrapin, and half a pound of lard appearing, you know, because I've shared my most intimate thoughts.

And where, what is it? It's a horrendous thing, isn't it?
JESSICA BARKER
When you put it like that, Graham, I love.
GRAHAM CLULEY
See, I would really like it if more products and services, if I'm paying for them, I could have some confidence that is how they're making their money.
CAROLE THERIAULT
I know we've said that before in the show. We've kind of said that, right? Free is not free.
GRAHAM CLULEY
Yeah, it's nice to pay for something, but you then learn to be suspicious if something's free.

But when they start charging you and they're also mining you for information or exploiting it in some fashion, then that really feels quite underhand because how are you going to spot that unless you read the terms and conditions and all the privacy policies, which we know—
CAROLE THERIAULT
I mean, Jen Caltreider, she's Mozilla's Privacy Not Included lead, right? She says, quote, the vast majority of mental health apps are exceptionally creepy.

They track, share, and capitalize on users' most intimate personal thoughts, feelings like moods, mental state, biometric data.

Turns out researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information, unquote.

That's scathing, right?
JESSICA BARKER
Yeah, yeah, that is— you can feel the anger of that statement.

And yeah, it's— you sort of think as well, I'm obviously naive, but you would think, okay, it's a company making a mental health app.

They're making all these statements about how they want people to be happier and healthier.

So to then know that behind the scenes they made that decision to actually at least open the door on misusing data in that way just feels so sad, doesn't it?
CAROLE THERIAULT
Yes.

And what's really gross about it is they— I have seen many ads from these two particular companies talk about how much cheaper it is to use these services rather than going to a therapist in their office or having a one-on-one with a therapist that you find on your own.

And the other problem is Silicon Valley investors are pouring hundreds of millions of dollars into these apps.

Insurance companies get to collect extra data on the people they insure. Data brokers are enriching their databases with even more sensitive data.
GRAHAM CLULEY
Just wait until you start getting your online therapy in Mark Zuckerberg's metaverse.

Do you know what assets are connected to your network? Most organizations don't.

For your security program to be effective, you need an inventory of all your devices so you can make critical decisions fast.

Well, Rumble was made by the creator of Metasploit, which explains why it finds many devices that other solutions miss, including orphaned machines running outdated operating systems.

Quickly find systems affected by the latest security news. Just think of Log4j, SolarWinds, and Kaspersky.

It can even tell you which machines are missing endpoint protection from your local network all the way to the cloud.

Sign up for a free trial and build your asset inventory in minutes. Get your trial at rumble.run. That's rumble.run. And thanks to Rumble for supporting the show.
CAROLE THERIAULT
So we all know that users these days sometimes have to connect from an unsecured network using any device they have at hand, and companies have no control over the device applications, clouds, and the infrastructure that connects it all together.

This rapid shift in online work created security gaps that bad actors use to the full.

And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen. This is why you need to check out GoodAccess.

This is a global company based in the Czech Republic with a proven 10-year track record.

They are a bunch of security enthusiasts dedicated to delivering anytime, anywhere secure remote access for small and medium-sized businesses worldwide.

And this begins with a free GoodAccess starter product for unlimited usage by up to 100 employees. Yes, you heard right, 100 employees. Learn more at smashingsecurity.com/goodaccess.

And big thank yous to GoodAccess for sponsoring the show.
GRAHAM CLULEY
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.

Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Sign up today by visiting smashingsecurity.com/kolide that's smashingsecurity.com/kolide.

Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.

That's smashingsecurity.com/kolide. K-O-L-I-D-E, and thanks to Kolide for supporting the show.

And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
JESSICA BARKER
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security-related.
JESSICA BARKER
Good.
GRAHAM CLULEY
I've been rummaging around on the old Netflix. I thought, look, you know, I pay for this every month. Maybe I should watch a few more shows. And I have been watching—
CAROLE THERIAULT
Don't worry, they're not tracking you.
GRAHAM CLULEY
I have been watching a documentary because I love documentaries all about Three Mile Island, meltdown on Three Mile Island. Which for our younger listeners—
CAROLE THERIAULT
I don't know anything about that. Yeah, well, help me.
GRAHAM CLULEY
You don't know anything about Three Mile Island? My goodness.
CAROLE THERIAULT
Hey, you shouldn't shame me.
GRAHAM CLULEY
I'm not.

I was about to say, Carole, for our younger listeners and co-hosts, I will tell you this was the worst commercial nuclear accident in US history, where a nuclear reactor began to go a little bit— rather boiled over.

Things went a little bit bad and radioactive material was leaked out into the atmosphere and went into a nearby town. It was the Americans' version basically of Chernobyl.

Thankfully not quite as bad, but pretty darn bad. Happened in 1979.

And the accident occurred just 10 days after a movie called The China Syndrome, which you may have seen with Jack Lemmon and Jane Fonda. I think Michael Douglas was in it as well.

That came out just 10 days earlier. You've never seen The China Syndrome? Well, it's basically the story of what happened at Three Mile Island, and it came out a week before.
CAROLE THERIAULT
Well, that explains everything.
GRAHAM CLULEY
Exactly. Jane Fonda must have been behind the leak at Three Mile Island. Anyway, it's very interesting.

Four-part documentary all about what occurred and how catastrophe was— well, at least a larger catastrophe was averted and the impact on the town as well.

So very cheery all round. I find it very interesting.
CAROLE THERIAULT
Is there anything that you're going to change in your behaviour should it happen close to your home?
GRAHAM CLULEY
Well, yes. What I'm going to do is not live near a nuclear power plant. Oh, you do though. No, I don't.
CAROLE THERIAULT
You do.
GRAHAM CLULEY
No, I don't.
CAROLE THERIAULT
Oh no, you don't. No, you don't. You don't.
GRAHAM CLULEY
That's true. Thank you very much.
CAROLE THERIAULT
He was right. Excusez-moi.
GRAHAM CLULEY
So that is my pick of the week, Meltdown: Three Mile Island on Netflix. Jess, what's your pick of the week?
JESSICA BARKER
Well, mine is also a TV show, but not a documentary, I don't think. But mine is Slow Horses on Apple TV. Have either of you watched this?
CAROLE THERIAULT
No, I haven't. It's on my list though. It is on my list.
JESSICA BARKER
Oh, it's so good. It's so good. My parents recommended it, and every time I've spoken to them for the last few weeks, they've said, have you watched Slow Horses yet?

And I've had to say, no, Mum and Dad, I've not. It's on my list. So finally got to watching it at the weekend and watched it all over the weekend. Wow.
CAROLE THERIAULT
Oh, I love that.
JESSICA BARKER
That's how good it was. So good. And I saw a YouTube interview about it and someone described it as James Bond without James Bond. And I thought that was quite a good description.

It's basically about a group of dysfunctional MI5 agents. So, an office of agents in MI5 who have failed or been sidelined for one reason or another.

And so, they've been put in this unit that is called Slough House.

And I think the line is something like, you know, they're so far from the actual work in MI5 that they might as well be in Slough.
CAROLE THERIAULT
Love it.
GRAHAM CLULEY
No offence to listeners based in Slough.
JESSICA BARKER
No offence to Slough at all.
CAROLE THERIAULT
And for listeners that have never heard of Slough, that's just a town outside of London.
JESSICA BARKER
Yeah.
GRAHAM CLULEY
If you haven't heard of Slough, well done.
JESSICA BARKER
It's based on a popular series of books that I've not read, but really want to now, by an author called Mick Herron, Slough House.

And it stars Gary Oldman, who's amazing, obviously, Jack Lowden, and Olivia Cooke.
CAROLE THERIAULT
Yeah.
JESSICA BARKER
So, it's got a great cast. With Mick Jagger singing the theme tune because he loved the book so much, he wanted to sing the theme tune. Pretty amazing.
CAROLE THERIAULT
You haven't read the books, have you?
JESSICA BARKER
No, I've not read the books. Apparently, the books are really good. If the books are anything like the series, which obviously they are, then they must be amazing.

It's a great mix, I think quite rare, in that it is very dramatic and tense, and there's some moments without ruining it, but there's some moments, there's a sort of a theme of the series that every time these moments are on screen, I feel really sick to my stomach, really anxious, but balanced with absolute hilarity and really dark humor and some absolute laugh-out-loud moments.
CAROLE THERIAULT
Sounds a bit like my life.
JESSICA BARKER
And one unintentional laugh-out-loud, and I know that Pick of the Week is not meant to be security, but there is a hacker character in amongst them all.

And there are some inaccuracies. He uses this one sentence, you'll know what I'm talking about. They're in a cafe and there is buzzword after buzzword.

None of it makes sense if you know at all anything about hacking, and that will blow your mind. And that really did make us laugh.

But so watch for that, but also watch because it is very gripping, very funny, and it really subverts some stereotypes. Plus, there is a season 2 coming.
GRAHAM CLULEY
Ooh. Jess, you say the books are called Slough House.
JESSICA BARKER
I believe they are.
GRAHAM CLULEY
And the series, the TV show is called Slow Horses. I'm wondering, is it because Mick Jagger, when he sings, "Slough House," it sounds a bit like slow horses?

Is that why they've called the TV show Slow Horses?
JESSICA BARKER
I mean, I love that theory. But no, but no.
GRAHAM CLULEY
No.
CAROLE THERIAULT
There's not very much. No.
GRAHAM CLULEY
All right.
JESSICA BARKER
There is, there is. Basically, these dysfunctional agents are described as the slow horses.

They're, you know, I was part of a slow horse for my first horse riding lesson in a couple of decades. That horse didn't move very fast. Good pivot, good pivot.

That is the same as these agents, basically.
GRAHAM CLULEY
Here we go again, hearing about her riding in the desert on some Arabian stallion.
CAROLE THERIAULT
Well, Graham, when we got onto this call, you said, oh, I just slipped one in before I could get him on the show.
GRAHAM CLULEY
What? No, I meant I've been on the exercise bike. That's what slipped in.
JESSICA BARKER
Oh, well, now you tell us.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, I'm carrying off my theme of Mental Health Awareness Month because I've been listening to a podcast recommended by my buddy Andy, who is currently studying psychotherapy.

And she knows I'm a podaholic, and she curates a few good therapy ones for me to check out. And this one called Therapy Uncensored is one that gets my vote.

Co-hosted by Sue Marriott and Ann Kelly, and they describe it as a candid, unscripted conversation rooted in attachment and relational science.

So Graham, I imagine you're as interested in my pick of the week as I was into yours.
GRAHAM CLULEY
Yeah, yeah, I'm all into that.
CAROLE THERIAULT
But the idea is that they unpack how to improve relationships with others and understand what makes you and those you love emotionally tick.

So this is my cup of coffee, my cup of java. If you wanted to learn how to better deal with conflict or improve your compassion, Graham, or whether you want to have a—
GRAHAM CLULEY
Why would you do that?
JESSICA BARKER
Just ask.
GRAHAM CLULEY
We'll have a discussion after the show. You carry on.
CAROLE THERIAULT
We will have a discussion. Is that right? Okay.

Or maybe, you know, on a more serious note, you maybe have had, you know, suffered some trauma or a loved one has, or maybe you have a kid or student that's acting out and you need to figure out a way to calm them and refocus them without aggravating the situation.

So basically, whatever your drama, they seem to have something thought-provoking to say about it. I've probably listened to maybe 10 or 12 of the episodes.

There's probably 170 there. And I found all of them super interesting, right?

And they get guests, they call themselves neuro nerds, and they get guests who specialize on specific areas of certain behaviors and how to deal with them or overcome them.

I just like it. It just has a real feel of intelligence and usefulness.

Plus, you don't have to give anyone any sensitive information to listen to the podcast, which is a super big bonus. So this is Therapy Uncensored.

Find it wherever you get your podcast. You can also listen on the website. And that is my pick of the week for Mental Health Month.
GRAHAM CLULEY
Marvelous. Now, Carole, you've been speaking to Chris Kirsch of Rumble this week, haven't you?
CAROLE THERIAULT
Yes, my friend. I hope I can call him that. Chris Kirsch. It was a really interesting conversation. They're really thinking about security in a pretty unique way. Check it out.

So a treat today.

We have Chris Kirsch, the CEO of Rumble.run, a company he co-founded with Metasploit creator HD Moore to help companies get visibility into everything connected to the network.

Welcome back to Smashing Security, Chris.
CHRIS KIRSCH
Thank you very much.
CAROLE THERIAULT
Now we are here to talk effectively about knowing thy network, you know, and a big part of that is asset inventory. Or what we're connecting to the network at any given time.

So it sounds to me pretty straightforward. Is there a problem? Am I missing something?
CHRIS KIRSCH
Yeah, so you think that asset inventory is a solved problem, but most companies still use a spreadsheet or at best some home-baked solution.

And even when they use a professional solution, often that's called a CMDB, which stands for Configuration Management Database, essentially like a database of all the assets on your network.

Those solutions typically still miss about 10% to 40% of devices on the network.
CAROLE THERIAULT
That's a lot.
CHRIS KIRSCH
Yeah, and it can be as high as 80%. I've seen that too. There are a few reasons for that. It mostly depends on what technology they're using.

But the root cause is usually that there are unmanaged assets that are no longer managed through drift, through reorgs in the company. Nobody is responsible for them anymore.

Or they've always been unmanaged because there were just some employee putting out a rogue router on the network or a rogue machine.

Or assets that have become unmanaged over time, right?
CAROLE THERIAULT
Right. Legacy stuff. Like, say, oh, that fax machine's been there forever.
CHRIS KIRSCH
Yeah.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
For those listeners who don't know what a fax machine is—
JESSICA BARKER
Sorry, go on. Go on.
GRAHAM CLULEY
Yeah.
CHRIS KIRSCH
So it becomes even worse when you've got things like mergers and acquisitions, right?

Then you've got what I call digital archaeology, where the people who originally set up the network are no longer there. Nobody knows that certain subnets exist.

You might not have credentials for all of the machines on there.

And it gets even worse with operational technology and IoT because those are typically completely off the radar of the IT team.
CAROLE THERIAULT
You know, it's a bit like an attic, right? I think I kind of know what's stored up there, but really probably 80% have no idea, right?

And it's like, I would say I know, and I was like, of course I know where that is. And then it would take me 3 days to find it.

Well, there's solutions out there to help you figure all this out. Why are they having trouble discovering these devices?
CHRIS KIRSCH
Most of the other solutions take very much an IT mindset to the problem.

And they're saying, well, if there is a device on the network, then surely I have the ability to log onto it or to install software on it.

So they either deploy agents or they use something called an authenticated scan, which is basically connecting to the device, logging in with username and password, and then interrogating the device on what it is.

And so vulnerability scanners, for example, are a good case for that, where they try to log onto every device, and they do a reasonable job. But there are two things.

Number one, if they can't authenticate to a device because it's unmanaged, or maybe it's like a Polycom phone, or it's a—
JESSICA BARKER
Right.
CHRIS KIRSCH
—some kind of HVAC system or something like that, right? Or a developer box that was set up in the corner for testing that's not on the Active Directory.

So those kind of things they really struggle with. And things like vulnerability scanners don't collect the right information for asset inventory.

Something might be an IP camera or something, and they will only tell you, oh, it's Linux 2.6.18, something very generic that actually doesn't help you very much in figuring out what something is.

So one good example for that is we did a project with a luxury retailer. The kind of stuff that you and I maybe want to buy but can't afford.

And so they had a global retail network, different brands and so on, very fragmented because they'd acquired a lot of different fashion houses over the years.

And so we did a bake-off against a major IT service management vendor.
CAROLE THERIAULT
And that means what, a bake-off?
CHRIS KIRSCH
A bake-off means, you know, like they tried Rumble versus the other product. Right.

And when they were scanning, especially for their Asian operations, which had a lot of lack of visibility— M&A, different fiefdoms, IT fiefdoms, you know— we found 2.5 times as many devices on that network.

And the reason for that was that they just didn't have a lot of the credentials. And they were also missing network segments.

There were some network segments they didn't even know they had, so they weren't scanning them.
CAROLE THERIAULT
So you're looking for these things in a different way, right? So you must have something unique that you're doing? Are you allowed to tell us or is it all secret?
CHRIS KIRSCH
Yeah, I'm happy to tell you just a little bit. I'm just going to give you a peek behind the curtain. So, okay, good.

In a nutshell, the reason our solution is that good is really thanks to my co-founder. His name is H.D. Moore and he's the creator of Metasploit.

Metasploit is an open source network penetration testing tool.

And so when you think about it, a penetration tester is dropped onto a network, either from the outside looking in or on the inside, and trying to figure out what's on the network.

And then once they figure out, okay, there's active machines here and there, then they need to fingerprint those machines and figure out what they are before they attack them.

Because if you don't know what it is, you can't attack it, right? And then Metasploit goes further. It exploits machines. There's post-exploitation, all of that stuff.

But HD basically had the idea of applying the early phases of a pen test, the network scanning and the fingerprinting, to IT asset inventory.

So he says, like, using something really cool and applying it to the most boring thing on the planet, you know.

And yeah, so by using that approach compared to the IT-focused approach of logging onto machines, you find all the orphaned and rogue devices and all the weird stuff on your network.

And that's not just the case for IT, but it's also the case for OT, so operational technology, IoT, manufacturing, hospitals, all of that stuff.
CAROLE THERIAULT
Wow. So say I did this. I ran this. And I found, I don't know, this plethora of devices connected to my network. What do I do then?

You're giving me visibility, or are you giving me tools to try and go and look at them as well?
CHRIS KIRSCH
Yeah, so typically, what you do depends on who you are.

We have different types of users using that data, and it's really quite interesting. So 4 different types of users.

The first one is the enterprise security team, so they use it for situational awareness.

They want to know — most of them scan internally trying to figure out what do I actually have behind the firewall?

Some of them also take an external perspective looking in and saying what is actually exposed outside from the internet that attackers might be able to see from the outside.

And then once they have that situational awareness, they can use Rumble in many cases for what I call rapid response, for breaking security news.

You know, they listen to Smashing Security and they hear about things like Log4j and SolarWinds and "hey, we shouldn't use Kaspersky anymore" and all of those things.

So how would you find those things on the network? And so with Rumble, we really do things differently because we decouple the scan from the assessment.

We scan your network and we collect a bunch of stuff, and then at the moment when you actually need to know a specific thing, then you can say, show me all of the things that are X, right?

So for Log4j, we might find you all of the applications that include Log4j.

SolarWinds boxes we can fingerprint through certain attributes, and we can even fingerprint Windows devices that are running Kaspersky without authentication over the network.

So it goes a lot deeper than most people expect for an unauthenticated scan. So that's the enterprise security team, right?

But then we have the second user group is incident response, and in incident response, really, there are a few other use cases. So people use it both proactively and reactively.

So proactive would be something like threat hunting.

You know that there are a lot of devices getting attacked — let's say Schneider Electric had some power supplies that had a security issue, so you try to find all of these devices so that you can patch and update them, right?

Or to see if they were already compromised, for example.
CAROLE THERIAULT
Yeah, you're trying to race ahead of the—
CHRIS KIRSCH
Exactly, the potential attack, right? Exactly.

And the reactive side would be something like you're getting an alert on a certain IP address, but you don't know what's behind that IP address.

So is it my domain controller, is it an IP camera and so on, is it maybe an access badge door controller kind of thing? So Rumble gives you that context.

You can, for example, give it an IP address and it gives you that, and then you can also say, show me all other things that look like that, so you can go hunting, right?
CAROLE THERIAULT
So you're giving people the tools to go and find all the little critters in their network.
CHRIS KIRSCH
Exactly, and so you can either use Rumble directly or you can import it into your Splunk environment and use it there. Now we have the blue team covered, right? Now the red team.

So the penetration testers love it because it really helps them with their reconnaissance phase.

It provides you a lot more depth than some of the other open-source tools, and it provides you a very good user interface to pivot into information.

So you can look, for example, for — we have something called an outlier index where you can filter for devices that are weird and different from the other ones.

You can look for devices that are not on the Active Directory because they're probably not patched, right?

And we can even find you devices that are multi-homed, so that have two network cards and that allow you to jump from one network segment into the other as a pivot point.

We can do that even when we only scan one of the interfaces because a lot of the devices are leaking their secondary interfaces.
CAROLE THERIAULT
I bet you, pentesters that are listening out there, are now downloading fast. Okay, and group 4, group 4.
CHRIS KIRSCH
Group 4, okay. So group 4 is IT teams. So now we're outside of the security realm.

And so those folks typically have a CMDB or are looking to get a CMDB, but they're really having trouble getting the right data into it, getting clean data, getting comprehensive data.

Yes, they can pull Rumble data into ServiceNow. That's a very common one. Jira Service Management is one that's up and coming.

And that enables them to, number one, have a fuller view of what they actually have on the network.

They can look for operating systems and devices that are end of life, that are no longer patchable, and so on.

And so you'd think that, given our history, we would only sell into security. But actually, our largest deal was with a telco provider that purely uses it for that use case.

And so we cover all of the industries, really across the board from anything from brick-and-mortar retail to cloud hosting providers.
CAROLE THERIAULT
Now, tell me, listeners are listening to this and they're going, look, can I have a play around with this? I just want to see what's connected to my network.

What do you say to that, Chris?
Unknown
Sure, absolutely. So they can do that. And quite frankly, I'm making some bold claims here.

And most people don't really believe that you can do that with an unauthenticated scan until you try it out.

And by the way, we then also augment that with API integrations to cloud hosting providers, with integrations with, let's say, CrowdStrike and SentinelOne, where you can figure out, are any of my endpoints missing endpoint protection, for example?

That's a huge use case, right? So if you would like to try any of that out, please go to rumble.run. There is a 21-day trial, fully featured. You can go up to 50,000 devices.

You can go wild if you want to. Just register and go. Some people start out just with their home network. It's the easiest way to do it because it's a small network.

It's somewhere where you don't need to ask others for permission. They get comfortable with that, see the quality of the scan, and then they bring it to work.

That's what we see quite often.

And if you'd started a trial at the beginning of this interview, you may already be done scanning your home network because it's really quick and easy to get started and to scan the network and then to view your devices.

And if you are not in IT or security as a job, or you just want to use this at home, we also have a free edition for up to 256 devices.

And you can either use that for free at home, or even in a small business, you can use it commercially.
CAROLE THERIAULT
So that's fine, as well. So what happens if you're not technically au fait, like some of our listeners may not be, and they want to try this out?

Are they able to get comprehensible information even if they're not very techie?
Unknown
Yeah, what most people find is, let's say, somebody who's not as technical on scanning a home network, most people scan their network and they're quite surprised what they find because they thought, like, oh, I know what's on my home network.

It's not that big. It's not that complicated. And then they figure out, like, oh, yeah, that thing. I put that in, like, 5 years ago. I didn't even remember that.

And that thing, oh, yeah, like, my daughter added that. I didn't know that was connected and so on. So it's quite eye-opening just to see what's connected.

Of course, if you want to dive in deeper and do some of the more funky stuff, that requires a little bit more technical expertise.

But we see just, you know, tech enthusiasts and private people using it as well, up to, you know, very large enterprises.
CAROLE THERIAULT
Chris, thank you so much. This is Chris Kirsch, CEO of Rumble.run. Is there anything you'd like to add?
Unknown
No, just head over to Rumble.run, give the product a try, and thanks a lot for having me.
CAROLE THERIAULT
Listeners, you heard Chris: run to rumble.run so that you can see what devices are connected to your network. Chris, thank you so much for coming on the show. Okay.

You can say thanks if you want. You can say yeah. I didn't know how you wanted to cut it.
JESSICA BARKER
You can respond.
GRAHAM CLULEY
And that just about wraps up the show for this week. Jess, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
JESSICA BARKER
You can find me on Twitter @DrJessicaBarker and check out Cygenta.co.uk to see what we are all about.
GRAHAM CLULEY
Marvelous. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And we also have a Smashing Security subreddit.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And again, massive thank you to our episode sponsors, Kolide, Good Access, and Rumble, and to our wonderful Patreon communities. Thanks to them all, this show is free.

And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 275 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye. Bye-bye.
CAROLE THERIAULT
Can I ask you a question though? What? What's your problem with Slough? Slough? I have very good friends who live in Slough. What's your problem with Slough?
GRAHAM CLULEY
Do you? It's just the word. It's a bit stains. Slough looks like—
CAROLE THERIAULT
Okay, I'll just hang up the phone now.
GRAHAM CLULEY
Slough looks like slough. And stains just makes me think of dirty underpants.
CAROLE THERIAULT
Yet again, a very reasonable explanation.

Hosts:

Graham Cluley:

Carole Theriault:

Guests:

Jessica Barker – @drjessicabarker
Chris Kirsch – @chris_kirsch

Show notes:

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: GoodAccess

GoodAccess – Free Business Cloud VPN for up to 100 Users.

Get a cloud VPN with strong network encryption and unprecedented online threat protection. No hardware. 100% free. Just create your team and enjoy GoodAccess forever.

Check it out now at smashingsecurity.com/goodaccess.

Sponsor: Rumble

Rumble, made by the creator of Metasploit, finds many devices connected to your network that other solutions miss, including orphaned machines running outdated operating systems.

It can even tell you which machines are missing endpoint protection, from your local network to the cloud.

Sign up for a free trial and build your asset inventory in minutes. Get your trial at www.rumble.run

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
