Smashing Security podcast #278: Tim Hortons, avoiding sanctions, and good faith security research

Industry veterans, chatting about computer security and online privacy.


Trouble brews with the Tim Hortons app, Mandiant gets in a tussle with a Russian ransomware gang, and should good faith security researchers be at risk of prosecution?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist’s Geoff White.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
And it also knew every time it thought he might have entered a competitor's premises.
GEOFF WHITE
Shut up!
CAROLE THERIAULT
For real!
GRAHAM CLULEY
If you went to KFC or Subway or Starbucks or McDonald's, it knew about it.
CAROLE THERIAULT
Do they call you up and go, "What are you doing?" And you're like, "I'm just getting a chicken drumstick."
GEOFF WHITE
"No coffee, I swear, no coffee." "It's not as good as our donuts."
Unknown
Smashing Security, Episode 278: Tim Hortons, Avoiding Sanctions, and Good Faith Security Research with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 278. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we are joined today not just by podcast royalty, but also author extraordinaire, It's The Lazarus Heist's Geoff White. Hello, Geoff.
GEOFF WHITE
Hi, Graham. Hi, Carole. How are you guys?
CAROLE THERIAULT
Fantastic. Now, you're launching your book in two days, or on the— today?
GEOFF WHITE
Yes, Thursday the 9th. Depending on when people are listening, it could be in the past. But Thursday the 9th is the key date for that, yes.
GRAHAM CLULEY
So what is this book about? What's it called, Geoff? What's it about, for those who don't already know?
GEOFF WHITE
The book is called The Lazarus Heist. It's the inside story of North Korea's cyberwar.

It's how North Korea became a sort of global cyber threat and the sort of really bizarre activities that North Korea's hackers get up to and the kind of bizarre relationships they have, not just with organized cybercrime, but with organized street-level crime.

It's got hapless philanthropists in Sri Lanka, Instagram influencers in Dubai, shonky Japanese used car salesmen. It's got it all. It really does.

Yeah, it takes some really bizarre— It's a really dumb movie. Probably even gonna be a documentary at some stage, but yeah.
GRAHAM CLULEY
So, "The Lazarus Heist" started out as a podcast, but there's much more than what was in the podcast in the book, isn't there?
GEOFF WHITE
That's right. So basically the podcast is still on BBC Sounds. Sorry to promote an alternative platform, but BBC Sounds, "Lazarus Heist" podcast, still there.

Series 1 stopped last year, and that narrative of that podcast kind of ended in 2017 with WannaCry, which probably needs no introduction to your listeners.

So then there's 5 years more hacking to cover, so a lot of that's in the book. All of the stuff they did with ATM jackpotting, making cash points spew out cash around the world.

Cryptocurrency, the huge, huge, huge cryptocurrency attacks they've been involved in. So all that's kind of in the book, so great.

And then after I finished the book, there's a whole bunch more stuff they did, including the recent Axie Infinity Ronin Bridge $625 million hack that's been attributed to North Korea.

So what's useful is all that stuff isn't in the book.

That very recent stuff isn't in the book, but we're working on Series 2 of the podcast, which is going to be out later this year.
CAROLE THERIAULT
Oh, cool. You chose the right pony, Geoff White, eh?
GEOFF WHITE
A horse that keeps kicking. I wish they'd kind of just stop for a little while so we could all catch up.

Because whenever we close, you know, you finish the book or you finish the series or whatever, they keep going on doing more stuff that's attributed to them.

So I just wish they'd have a little hiatus while we catch up.
GRAHAM CLULEY
Now, anyone listening who enjoyed your previous book, they know that this is going to be another great read from you. Crime.com, wasn't it, your previous book?
GEOFF WHITE
It was.
GEOFF WHITE
Yes.
GRAHAM CLULEY
So anyone who wants a copy of this book, this book is called The Lazarus Heist.
GEOFF WHITE
It is called The Lazarus Heist. Yes.
GRAHAM CLULEY
Okay. Anyone who wants to read this book, we are able to offer a free copy.
CAROLE THERIAULT
Thank you, Geoff.
GRAHAM CLULEY
To a lucky winner.

What we're asking people to do is if you email us at with the subject line Lazarus, because we want our email, we want to be able to find our emails.

So you have to use the subject line Lazarus and explain why you want to read Geoff's book.

We will pass your messages on to Geoff, and he will choose a winner who will get a free complimentary copy of The Lazarus Heist book, hot off the presses.
GEOFF WHITE
I will even sign it. How about that? I will sign—
GRAHAM CLULEY
What?
GEOFF WHITE
Sign the thing. Which is weird, because I didn't realise this. When you sign it, you cross out your name on the title page, and then you sign underneath it.
GRAHAM CLULEY
Oh, really?
GEOFF WHITE
And the other day somebody said, 'Why have you crossed out your name?' And I had to sort of say, 'Well, that's kind of how you do it.' I didn't know that either though.

I just think it's a bit weird, because it looks like you're going, 'No, I did not write this.' And then below saying, 'Yes, I did.' There we go. They did run. Yes, they did.
CAROLE THERIAULT
Today I learned, you see.
GEOFF WHITE
But I have to say, one thing I am looking forward to about launching the book, and this is going to sound slightly strange, is I'm really looking forward to not having to talk about the sodding book anymore.

Because I really— that will come as a shock to people who've been looking at my social media as I relentlessly plug myself and the book. But I don't like this stuff.

I'm not a marketer. And I do it through gritted teeth. So after the book's gone out, you can quieten down a bit. You don't have to mention it at every breath.
GRAHAM CLULEY
So Carole, what have we got coming up this week?
CAROLE THERIAULT
Well, let's thank this week's sponsors, Bitwarden, Snyk, and Kolide. It's their support that helps us give you this show for free.

Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY
I'm gonna be telling you all about a misbehaving app.
GEOFF WHITE
Oh God.
CAROLE THERIAULT
Geoff, what about you?
GEOFF WHITE
I'm gonna be taking a somewhat circuitous route around the Evil Corp and LockBit ransomware gangs.
CAROLE THERIAULT
Ooh, and there's been a cybersecurity policy change in the US of A, and I'm gonna tell you all about it. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, what has Canada ever done for us?
CAROLE THERIAULT
Outrageous.
GEOFF WHITE
Celine Dion.
CAROLE THERIAULT
There you go.
GRAHAM CLULEY
Celine Dion, yes.
GEOFF WHITE
I'm just gonna put that out there.
GRAHAM CLULEY
Other than Celine Dion, what has Canada ever done for us?
CAROLE THERIAULT
Leonard Cohen.
GRAHAM CLULEY
Okay, Leonard Cohen. Other than Leonard Cohen—
CAROLE THERIAULT
Michael J. Fox. Other than Michael J. Fox— Mike Myers.
GEOFF WHITE
Tar Sands. Is Tar Sands a thing? They have tar sands, don't they? Getting tar from sand. That sounds impressive.
CAROLE THERIAULT
I can't even remember his name. The Star Trek numero uno.
GRAHAM CLULEY
Shatner.
CAROLE THERIAULT
Shatner!
GRAHAM CLULEY
How can you forget Shatner's name? I don't know.
GEOFF WHITE
I just did.
GRAHAM CLULEY
So, you might think from that that Canadians are lovely people.
CAROLE THERIAULT
We are.
GRAHAM CLULEY
Right, Carole? You might think of that. But— They're an odd race, aren't they, the Canadians?
CAROLE THERIAULT
Race?
GRAHAM CLULEY
I have in-laws in Canada, thank you very much. They're an odd bunch. Going out in a boat, drinking maple syrup, apologising all the time, Tim Hortons coffee.
CAROLE THERIAULT
Yeah, I used to work at Tim Hortons. That was my first job.
GRAHAM CLULEY
Oh, interesting. You used to work at Tim Hortons.
GEOFF WHITE
Mm-hmm.
GRAHAM CLULEY
What do Tim Hortons sell, for people who haven't experienced Tim Hortons?
CAROLE THERIAULT
So it's like a doughnut shop, right?

You have lots of fresh donuts open 24 hours and Tim Hortons coffee, which I think, I don't know if this is true, but the rumor was that they had put MSG in it, which made it very yummy for people.

So you would go on a street in the city and there'd be 5 coffee shops, but only a lineup at Tim Hortons. So that could be total conspiracy theory.
GRAHAM CLULEY
My extensive research hasn't found out about the MSG, but it has said that nearly 8 out of every 10 cups of coffee sold in Canada are poured at Tim Hortons.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Whoa.
CAROLE THERIAULT
It's because I work there, you see? That's why.
GRAHAM CLULEY
Because of you, Carole, because you are such an efficient, great team member.

Well, you might think that Canadian companies are composed of lovely Canadian people and they wouldn't possibly do anything bad whatsoever.

And because of that, because Canadian people are so extraordinarily trustworthy, like Michael J.

Fox or William Shatner, you probably would willingly give them your home address, your work location, hand them your vacation plans, because you know you can trust the Canadian, right?

Because they're lovely people. And you'd do so willingly, but I imagine you wouldn't be as happy if you were doing it unconsciously without realizing that you were doing it.
CAROLE THERIAULT
Like you're lying in a ditch, passed out.
GRAHAM CLULEY
MSG overload.
GEOFF WHITE
That's passed oot, actually, Carole.
GRAHAM CLULEY
Well, in June 2020, an article by Canadian journalist James McLeod writing for the National Post, he discovered that a firm had been tracking his movements without his conscious knowledge.
CAROLE THERIAULT
Without him being aware.
GRAHAM CLULEY
Without him being aware, exactly.
CAROLE THERIAULT
Right, okay.
GRAHAM CLULEY
And the article revealed that this Canadian company knew where he slept, where he worked, even tracked his longitude and latitude when he went on vacation to Morocco.
CAROLE THERIAULT
Oh, can I guess how?
GEOFF WHITE
Am I not allowed?
GRAHAM CLULEY
Go on, you guess how, you guess how.
CAROLE THERIAULT
Tim Hortons app.
GRAHAM CLULEY
Yeah, you're not allowed to guess. You're not allowed to guess.
CAROLE THERIAULT
Okay, carry on. You're doing great.
GRAHAM CLULEY
Yes, the Tim— You're absolutely correct, Carole. Of course you knew, because you are Canadian. The Tim Hortons app.
CAROLE THERIAULT
Well, I wouldn't know that.
GRAHAM CLULEY
Well, you guessed it correctly. People who installed the Tim Hortons app onto their smartphone were being tracked.

And according to this journalist, James McLeod, this was happening even when he'd told it to track him only when the app was open, right?

So some people want the app to identify his location, because then it tells you where you can get your nearest doughnut.
CAROLE THERIAULT
Yeah, Apple Fritter, by the way, is the best one, I think, to this day.
GRAHAM CLULEY
Oh, is it? Yeah, it's delicious. So what did you actually do at the Tim Hortons, Carole?
CAROLE THERIAULT
I emptied the dishwasher, cleared the ashtrays, because people could smoke in there at the time. Oh, clean the bathrooms. That was a really fun job.
GEOFF WHITE
So you were executive level from the sounds of it.
CAROLE THERIAULT
Oh yeah, yeah. I was high up. I was about 15. I was 15.
GRAHAM CLULEY
Employee number 15.
CAROLE THERIAULT
I used to work 11 to 7.
GRAHAM CLULEY
Whoa.
CAROLE THERIAULT
11 at night to 7 in the morning.
GEOFF WHITE
Oh, the night shift as a 15-year-old.
GRAHAM CLULEY
Wow.
GEOFF WHITE
Okay.
CAROLE THERIAULT
I know, right? It was a different time, Geoff.
GEOFF WHITE
It was a different time. Seriously.
CAROLE THERIAULT
God. Wow.
GRAHAM CLULEY
Well, this journalist, he found that the app was tracking him hours or even days after he'd used the app.

So even when he wasn't using the app, it was still grabbing his precise location. In fact, it grabbed it over 2,700 times in less than 5 months. Question.
CAROLE THERIAULT
Yes. Is this an official Tim Hortons app?
GRAHAM CLULEY
This is the official Tim Hortons app.
CAROLE THERIAULT
See, apps.
GEOFF WHITE
This is why I don't have apps on my phone. I've never trusted apps. I've never liked this thing of, oh, put this program on your device and it'll just run and that'll be fine.
CAROLE THERIAULT
It's—
GEOFF WHITE
I don't know. Don't trust it. Yeah, you want a one-stop shop.
CAROLE THERIAULT
Shop to yell at people. That's why browsers are good, right?
GRAHAM CLULEY
Well, the journalist James McLeod, he said that the app knew he was using an Android Pixel 3 XL. That got uploaded to Tim Hortons servers. They knew his IP address.

It was logging that. His Android advertising ID, his carrier. It knew they had Bluetooth enabled. It knew how much free space he had on his device and his battery charge at any time.

You know, it's like maybe it could pop up a message if you're running low on battery.
CAROLE THERIAULT
Yeah, plug in quick, we'll lose contact.
GEOFF WHITE
Yes.
GRAHAM CLULEY
And it also knew every time it thought he might have entered a competitor's premises.
CAROLE THERIAULT
Shut up!
GEOFF WHITE
Are you kidding?
CAROLE THERIAULT
For real!
GRAHAM CLULEY
If you went to KFC or Subway or Starbucks or Second Cup or McDonald's, it knew about it. It knew when you entered. Do they call you up?
CAROLE THERIAULT
They go, "What are you doing?" And you're like, "I'm just getting a chicken drumstick."
GEOFF WHITE
"No coffee, I swear, no coffee." "It's not as good as our doughnuts." But what's interesting about that is, of course, all of those outlets would have their own Wi-Fi networks.

So if the app is allowed to look at available Wi-Fi networks nearby, as soon as you walked into a McDonald's and it saw McDonald's free Wi-Fi or whatever, that's how it would be able to identify if you're in a competitor's place.
GRAHAM CLULEY
Oh, I suppose.
GEOFF WHITE
I mean, that— well, possible, possible.
GRAHAM CLULEY
That'd be one way to do it. But it seems what Tim Hortons had actually done is they had basically mapped all of their competitors across Canada.

And so they were looking at your latitude and longitude, and they knew you've actually entered the building. You haven't just walked past it and picked up the Wi-Fi.

You've actually dared to cheat on Tim Hortons and go into a competitor. The only way to stop it collecting data was to stay completely stationary.

If you didn't move, because you've eaten too many apple fritters.
GEOFF WHITE
Don't move, don't move, Horton's on you. God, so creepy.
GRAHAM CLULEY
I wonder what the apple fritters had in them, if it was MSG in the coffee.
GEOFF WHITE
It's like dispatching Carole to follow you around and make notes of, you know, which other place you've been to.
CAROLE THERIAULT
I need to, I need just to correct something, because you started this story bitching about Canadians.
GRAHAM CLULEY
No, I said they were lovely.
CAROLE THERIAULT
They're very nice. But actually, look at this. Do you know who owns Tim Hortons?
GRAHAM CLULEY
Who owns Tim Hortons?
CAROLE THERIAULT
Since 2014? Burger King. Oh, Burger King is not a Canadian-originated company. So up yours, as we say in Canada.
GEOFF WHITE
And presumably it was a Canadian journalist who exposed this, which means that— isn't the Canadian journalist the hero of this? As in Canada Strikes Back? Yes.
GRAHAM CLULEY
Now, according to Tim Hortons, this information it was collecting was only used to tailor marketing and promotional offers to users inside the Tim Hortons app.

So it'd say, hey, did you know that our chicken fries or whatever they do are better than KFC's? But it wasn't just that.

They also knew when you were at home or when you left your home or visited your ex-girlfriend's house, or the journalist found that it knew when he'd visited a baseball game, or visited his parents at a rural farm in Oregon, or visited Manitoba for his cousin's wedding.
CAROLE THERIAULT
How did he figure out that they knew? Because they would pop up and say, hey, don't you want to grab a coffee right over here?
GRAHAM CLULEY
This was the thing. He didn't at first know that his app was tracking him at all.

And it was only when an Android operating system update had been pushed out onto his phone with a new security feature, which occasionally popped up a message saying, Hey, this app you've got here is continuing to grab your location data in the background.

And that's what made him wonder why and why he sent a sort of data access request saying, what information have you actually collected about me?

And he got reams and reams of data, you know, thousands and thousands of lines of JSON, which then when it was analyzed, told him quite a lot.

And he got an independent analyst to look at this data and he said, look, what could you make from this data?

And this chap said, well, I've looked at the data and what I notice is that you head out from work on Fridays about 2 PM. So you leave the office at 2 PM on Fridays.

And apparently the journalist put his hands up and said, well, it is a bit of a joke in the office that I do leave the office early on Fridays, which maybe is a bit of fun, but if you're an assassin, for instance.
CAROLE THERIAULT
At Tim Hortons?
GRAHAM CLULEY
At Tim—
GEOFF WHITE
The deadly Tim Hortons squad.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Now we're turning it into a murder.
GRAHAM CLULEY
If you wanted to silence a journalist and you knew he left the office early on Fridays.
CAROLE THERIAULT
You could poison his coffee.
GEOFF WHITE
Exactly.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
So, there was an FAQ inside the app about how it was going to handle location tracking, but it wasn't very clear.

They've now updated that information to make it a little bit less ambiguous as to what they're collecting and what choices you have and how you need to check your device settings.

But in the wake of this article, there were 4 lawsuits filed against Tim Hortons. Which seems very American to me. Is that very Canadian, Carole, to launch a lawsuit?

Surely it'd be oh, that's okay, never mind.
CAROLE THERIAULT
Okay, should we look and see if there are Tim Hortons now in the States before you continue your complaining?
GRAHAM CLULEY
There are Tim Hortons in the States as well.
CAROLE THERIAULT
Oh, and do these plaintiffs live in Canada or the States? Do we know?
GRAHAM CLULEY
That's the kind of detail which obviously I haven't gone into at this stage.
CAROLE THERIAULT
Well then, shut your trap about the Canadians.
GRAHAM CLULEY
Anyway, Tim Hortons. They say they're going to defend themselves vigorously against that. And vigorously? Yes. No, yes. What was wrong with defending yourself vigorously?
CAROLE THERIAULT
I just assumed it would be rigorously, but okay.
GRAHAM CLULEY
Oh, maybe rigorously and vigorously.
CAROLE THERIAULT
Maybe, maybe, maybe, maybe.
GRAHAM CLULEY
For now though, they haven't deleted the data because of the pending legal action. So the data's still there, sat on a server.

Because of course, deleting it might destroy the evidence. They said they're going to when they're allowed to.
CAROLE THERIAULT
Yeah, maybe just make sure all the security information on that is all encrypted and hashed and stuff, guys.
GRAHAM CLULEY
Now, when this article came out first, you know, setting off alarm bells, the authorities got involved and they launched an official investigation.

The Commission d'accès à l'information du Québec and its equivalents in Alberta. Good skills.
CAROLE THERIAULT
Beautiful, beautiful skills.
GRAHAM CLULEY
British Columbia. They launched a joint investigation. The outcome has just been published. They've basically said this data shouldn't have been collected. It was unnecessary.
CAROLE THERIAULT
Delete.
GRAHAM CLULEY
Too sensitive, the information, you know, it wasn't used for its stated purpose. And so, you know, this was too much of a risk privacy-wise beyond the potential marketing benefits.

So Tim Hortons have had their hands slapped. Naughty Canadians. What? People can now— Again!
GEOFF WHITE
Again! Naughty Canadians owned by Americans.
CAROLE THERIAULT
Burger King, yeah.
GRAHAM CLULEY
Geoff, what would you like to talk to us about? Other than your book. You can talk about your book.
GEOFF WHITE
Oh god, not the book again. I would like to pick up on something another journalist has done, which is in bleepingcomputer.com.

Other websites are available, but I saw this in bleepingcomputer. Headline: "Mandiant: 'No evidence'", in inverted commas, "we were hacked by LockBit ransomware".

This is a story by Sergiu Gatlan. This is posted June 6th, 3:54 PM. Keep that in mind; it's relevant.
CAROLE THERIAULT
Okay, a few days ago, right?
GEOFF WHITE
Exactly, yeah, yeah. So, yeah, a few days ago, 3:50 in the afternoon.

American cybersecurity firm Mandiant, it says here, is investigating LockBit ransomware gang's claims that they hacked the company's network and stole data.

So it's, oh, shock horror, LockBit have hacked into Mandiant.

And obviously hacking into cybersecurity companies, we know, has been a thing, and they try and get hold of their tools and so on.

Then it says the ransomware groups— this is LockBit— published a page on its data leak website earlier today.

So this is the 6th, saying that 350,000 files they allegedly stole from Mandiant will be leaked online.

This is basically the LockBit ransomware group saying, oh, we popped Mandiant, you know, stay tuned here.

All available data will be published, exclamation mark, said the gang's darkweb leak site. Under a timer showing just under 3 hours left until the countdown ends.

Which is why the 3:50 PM timeline a few days ago is relevant, because you would think, well, 3 hours has now passed since the article was posted, 6th of June, 3 in the afternoon.

What happened?
CAROLE THERIAULT
Yes.
GEOFF WHITE
Well, doesn't seem that the data actually leaked out, because then Mandiant replied and said, look, we are investigating this, but we've no evidence that they've actually broken into our networks.

And it seems that Mandiant earlier revealed in a report that the Russian Evil Corp cyber group has now switched to deploying LockBit ransomware.

So basically, Russian Evil Corp have obviously been doing loads and loads of ransomware, loads of cybercrime over the years.

Now, the reason they've switched to LockBit is because, thanks to Russia's reinvasion of Ukraine, the US has now said to victims of ransomware you can't pay Russia because it's under sanctions.
CAROLE THERIAULT
Oh my God.
GEOFF WHITE
So obviously the Evil Corp guys, like, "Oh God, that's gonna be a bummer for us.

Well, never mind, we'll just hop on the LockBit bandwagon and that way people can still pay us and it won't be obvious that they're paying Russians." Total rebranding, exactly.

So this whole thing has been— the Mandiant hack seems to have been a diversion, a smokescreen for LockBit.

Who are basically now apparently part of the Russian, the REvil group hacking gang. So just smoke and mirrors, this.

I really think this whole thing of ransomware groups hacking and leaking data on these leak sites and, you know, doing timelines and countdowns, and frankly journalists covering that and getting involved in that, is murky territory indeed.

And this article just really, you know, illuminated that for me.

You know, you've got a claim that isn't substantiated and is actually more about the ransomware gang trying to protect their revenue stream than actually the story they were trying to put out to journalists and others.

Fascinating, really fascinating.
GRAHAM CLULEY
So let me get this straight. America has said you can't pay all this money to Russians, right? So under sanctions, you can't give money to Russia at the moment.

Evil Corp are obviously Russian, and as a result, Evil Corp have gone, oh, what can we do other than try and get people another way?

Couldn't America therefore say, new rule, everybody, you can't pay cybercriminals money wherever they might be in the world?

And then the cybercriminals will say, oh, well, unfortunately, we can't charge anyone any longer, we'll stop hitting Americans. Would that not be the logical next step?
GEOFF WHITE
Remarkably, Graham, you are not the first person to have had that thought.

I hate to piss on your chips, as they say up in Doncaster, but other people have been thinking along the same lines. And yes, the US, I think, is edging close to this.

The problem is, obviously, for the US government, their own entities, public sector organizations in the US, they can say you cannot pay a ransom.

And we sort of have the same thing in the UK. I don't think, for example, hospital trusts are allowed to or do pay ransoms — obviously, that would be bad headlines.

But to reach out to the private sector and say, OK, we're now going to make it illegal for you to pay these ransoms—
CAROLE THERIAULT
Exactly.
GEOFF WHITE
—is difficult because this does happen, companies do get hit by ransomware attacks.

A, do you want to make those companies so that all their data's scrambled and they can't get it back? B, how do you enforce this? How do you police this?

So these sanctions type of measures are a way to do it by the back door.
CAROLE THERIAULT
Yeah, but think about the things where the actual victim is your customer base, right?

So you're a private company, you've got your customers, they're gonna— yeah, that would suck. Very true.
GEOFF WHITE
Exactly.

This is the interesting thing about this whole sort of sanctioning Russia type thing is suddenly ransomware payments and the legitimacy thereof has suddenly come under a whole new spotlight.

Really, really super fascinating. And of course, then you've got ransomware gangs turning around and trying to obfuscate which ransomware gang you've got hit by.

So traditionally they had no problem saying, hey, you've been hit by Conti, you've been hit by Locky, whoever it was.

Now, I suspect there's going to be a sort of counter movement where you get hit by a ransomware gang, but they don't tell you who it is.

And you can't identify who it is because they don't want you to know it's Russian, because if it's Russian, you wouldn't be able to pay.

So I think that's going to be the new game in town, is lots of affiliates, lots of shadow identities for these ransomware gangs so that you can turn around to the government, US government, and say, hey, we had no idea we were paying Russia.

It was this other gang we didn't even know was Russian. So I think that's probably going to be the new game.
CAROLE THERIAULT
And why do you think these gangs— oh, excuse me.
GRAHAM CLULEY
Sorry, your house is being invaded by Muppets. What's going on?
CAROLE THERIAULT
It's just a phone. As long as your phone hasn't been hacked, Carole.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Okay, I'm gonna kick off by describing the plot of a movie. Okay? And listeners, listen up. See if you can beat these two, 'cause it's gonna be quick, I feel.
GEOFF WHITE
Truly, Madly, Deeply.
CAROLE THERIAULT
No. Ready?

High school student unwittingly hacks into a military supercomputer while searching for new video games and leads the supercomputer to activate a grave national response to his simulation.
GRAHAM CLULEY
Sounds like WarGames to me. WarGames, yeah.
CAROLE THERIAULT
It is WarGames! Yes!

Played by Matthew Broderick when he accessed the computer system controlling the United States nuclear arsenal, mistaking the system for an interactive video game.

Do you remember who his girlfriend was? Who the actress was? I've never seen it.
GRAHAM CLULEY
Oh, what? I've never seen WarGames.
CAROLE THERIAULT
Okay, Ally Sheedy. Sorry, listeners, this is a little embarrassing.

Now, the movie's depiction of the dangers of the computer age, where even nuclear annihilation could be just a few keystrokes away, was not lost on policymakers.

According to one report cited by the DOJ, after viewing WarGames at Camp David, President Ronald Reagan asked advisors and their chair, Joint Chiefs of Staff, whether the plot of the movie was possible.

And apparently the CFAA, America's Computer Fraud and Abuse Act, is sometimes said to be the eventual result of that deliberation. Isn't that amazing?
GEOFF WHITE
Wow. Yeah, and I'd heard that Reagan story before. Yeah. By the way, I mean, you know, talking of Camp David, there's got to be another Taylor in Washington, D.C., hasn't there?

I mean, really. Yes. Sorry. Bad gag, but a good one. There we are. That's a joke from the '70s.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Now, there's a variety of things that are covered under the Computer Fraud and Abuse Act.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
So you've got things, I'll name a few and see if you guys can then come up with them. So obviously computer fraud. Yes. Right?
GRAHAM CLULEY
Abuse as well, computer abuse. Yes.
CAROLE THERIAULT
Trespassing on a government computer, yes, right? Unauthorized computer access, cyber espionage, password trafficking, right? Threats and extortion.

So they all seem like pretty large camps. And here lieth the problemeth.

A bona fide security researcher looking for, for example, a vulnerability or looking for any wrongdoing may have to take some of these steps in order to be able to prove or disprove a hypothesis, right?

So kind of like you're going to go public with your findings, you want to be damn sure you're right.

And problem is you don't necessarily want to face a jail sentence if you're found guilty of breaking any of these laws.

And to compound the problem, the CFAA's legal lingo is a little wishy-washy in places. And that meant that circuit courts around the US could interpret the laws differently.

So it basically meant you would maybe go to jail in some states, and in others you get a slap on the wrist.

And it seems that these issues, among others, have been in part addressed in a recent redraft of the CFAA.

The DOJ recently announced that the US government is altering how vigorously it enforces a central cybercrime law by amending its charging policy.

Okay, this is all blah, blah, blah to say basically we're not going to go after good faith or ethical or security researchers.
GRAHAM CLULEY
Thank goodness. Thank goodness for that, right.
CAROLE THERIAULT
And they define what good faith security research means, yeah. And I was interested, Geoff, because you are basically a cybersecurity investigative journalist, an author.

What's your take on this?
GEOFF WHITE
It's an interesting question because there have been— I know quite a few security researchers who've been questioned about things, and I think one person who was actually in the end convicted, or at least cautioned, for having done this.

It is very difficult because the prosecutors don't want to give security researchers that get out where it's like, oh, I was just doing research, and allowing hackers in through the back door.

So yeah, I applaud the motivation behind it, but applying these things is sometimes somewhat difficult.

And look, as a good security researcher, part of your job is to know where the law stops, what you're allowed to do. So yeah, it's tricky, it's interesting, that one.
CAROLE THERIAULT
Leonard Bailey, he's the head of cybersecurity unit at the DOJ.

He's speaking about these changes at the RSA cybersecurity conference, which I think is happening right now as we speak.

According to SC Magazine, discussion with the information security community did cause Bailey to realize that ethical hackers did have a legit beef with being pursued under the CFAA, but not by federal government.

So basically, this is saying, look, if you can prove that you're an ethical or good faith actor, we'll look the other way. But there's also a civil area in this.

And that means it allows for criminal prosecution as well of hackers who violate the law. Oh, that's interesting, right?

So the CFAA also allows private individuals and organizations to bring legal action against these same researchers.

So for example, if you took someone's username and password to go and expose a company for doing X, Y, or Z, they could say, well, look, you broke the terms and conditions.

So after the DOJ announced its policy, Andrew Crocker, an attorney with the EFF, said it was welcome but insufficient because it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, or innovators.
GEOFF WHITE
Well, the other thing that this makes me think of is the SLAPP. This is Strategic Lawsuits Against Public Participation.

So this is basically investigative journalists and investigators generally trying to go after corruption and kleptocracy and that kind of thing, and the targets of those investigations turning around and suing them.

For libel, but also data protection as well. Increasingly, these SLAPP things are really interesting.

And this makes me think that, you know, if you're a security researcher trying to find out about a company and expose its wrongdoing or its vulnerabilities or problems, it's a similar sort of thing, isn't it, of using private prosecutions to try and shut down legitimate debate.
GRAHAM CLULEY
They can tie you up with legal paperwork, and they can tie you up with a threat, indeed, of being sued, which just scares you off and silences you. Exactly.
CAROLE THERIAULT
Exactly. But this is, I think we can all agree, a good step in the right direction, right?

Doesn't mean there's not going to be a misstep, because of course this is policy, so there's nothing to say that a future administration might reverse it, right?

But I think it's a step in the right direction. Do you guys agree?
GRAHAM CLULEY
I do, I do. I think it's generally good news. Yes, because there's been some craziness in the past.

There was that chap who was being threatened by the governor of one particular state because he'd gone to a website and simply gone view source in order to look at the HTML of the web page.

And that was considered to be hacking.
GEOFF WHITE
And so, yeah, that's it.

I mean, look, wherever it ends up, having a debate about it is at least useful because you can have a discussion about it rather than just passing a law and seeing what happens.

Yeah, interesting. Really interesting. Smashing Security.
GRAHAM CLULEY
Snyk is a developer security platform integrating directly into development tools, workflows, and automation pipelines.

Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.

Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.

Get started right now with a free forever account at snyk.co/smashing. That's S-N-Y-K.co/smashing. And thanks to Snyk for supporting the show.
CAROLE THERIAULT
Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account.

Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.

Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized.

Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan.

And the thing I like about this?

A good password manager is robust and cost-effective, as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise.

Go to bitwarden.com/smashing. Start your free password manager trial today.
GRAHAM CLULEY
Kolide Security sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.

Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Sign up today by visiting smashingsecurity.com/kolide that's smashingsecurity.com/kolide.

Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.

That's smashingsecurity.com/k-o-l-i-d-e. And thanks to Kolide for supporting the show.

And welcome back. Can you join us at our favorite part of the show?

The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. Good.

A couple of weeks ago, Ncuti Gatwa was named the new Doctor Who. And I thought, I've never heard of him. Who on earth is he? Why have they given him the Doctor Who job?
CAROLE THERIAULT
I haven't heard of him either.
GRAHAM CLULEY
Ah, well, it turned out he is a star of the TV show Sex Education. It's a Netflix series. He plays a character called Eric.
CAROLE THERIAULT
I've seen this show before, and it's good.
GRAHAM CLULEY
Have you? You've seen Sex Education?
CAROLE THERIAULT
Yeah, it's good.
GRAHAM CLULEY
Yeah, it is good, isn't it? Yeah. So how would you describe it? Describe Sex Education?
CAROLE THERIAULT
Uh, dirty. Well, in one word, basically, it's kind of set in high school is what I remember, and it was way more advanced than I was at that time.
GRAHAM CLULEY
Yes, so gobsmackingly so. Gillian Anderson is one of the stars. She plays the sex therapist mother of a teenager who has hang-ups about sex.

And basically a couple of the teenagers decide to set up their own therapy for fellow students at the school with their sexual and relationship problems. It's quite funny.

It's really well written. Ncuti Gatwa's character is brilliant. He's a great actor. He's going to be a marvelous Doctor too. I've been watching Series 1 of Sex Education.

I think it's been going for a few years now. So I'm really— I'm way behind the curve. But I've really been enjoying it. And that is why it is my pick of the week.
CAROLE THERIAULT
Yeah, good one.
GRAHAM CLULEY
No complaints from me on that. Geoff, what's your pick of the week?
GEOFF WHITE
I'm going to pick a pick of the week Twitter account, which is my guilty pleasure. I'm sure everybody has a comedy Twitter account they turn to as a guilty pleasure.

And one I discovered the other day, which is definitely not suitable for work, is the account Forest Friends.

So it's forest as in normal spelling of forest, like the woods, and then friends, but instead of an I, it's a 1. So it's Forest Friends with a 1.

You know the Sylvanian Families toys, the little rabbity type things? Yeah, it's those.

It's cute pictures of little— I don't know if it is the actual Sylvanian Families, but they're little rabbity, cute little things.
GRAHAM CLULEY
Why do you like this? Because, yes, a good question.
GEOFF WHITE
They are captioned with the most obscene captions. What they've done is taken setups of Forest Friends, cute little rabbits, and then just put the most disgusting captions on.

It is roll-up funny. I'm not sure how long it's going to last. I presume maybe if it is Sylvanian Families, they'll try and shut it down or something.

But it is, it's a guilty pleasure. And it is, as I say, definitely not suitable for work. But they're roll-up funny, some— Oh yeah, they're spicy.
CAROLE THERIAULT
This is spicy, guys. Warning. Yes. Yeah, now we know how an author and investigative journalist spends his free time.
GEOFF WHITE
Exactly. Yes, my guilty pleasure. Fantastic.
GRAHAM CLULEY
Well, check it out while you still can. Carole, what have you got for pick of the week?
CAROLE THERIAULT
Okay, so the other day I wanted to make a cake, but I wanted just to make a teeny tiny one just for the two of us, right, for date night, right?

And all the cakes were in big volumes. So I went to this trusted site that I use all the time. It's called Inch Calculator.

And on here you have all the wonderful cooking calculators available. So you can change it from weights to volumes and different measuring stuff.

So anyone can figure out how to get around a recipe if you don't have the right measurements that they are saying.
GEOFF WHITE
That's really useful because I've got recipes where it's like 1 cup. Yeah. And you're like, what's that? How much is it?
GRAHAM CLULEY
I've got big cups.
GEOFF WHITE
I've got small cups. Give us only a bonehead.
GRAHAM CLULEY
Tell us about your small cups, Geoff.
GEOFF WHITE
Nothing small about my cups.
CAROLE THERIAULT
But what's really cool is it's not just about cooking.

Inch Calculator is just a bunch of math geeks that just love to create these calculators to make life easier for people, but then also explain the mathematical process. Right.

And they have it for everything. So they have like body shape calculators and dog chocolate toxicity calculators and tip calculators. It's like an amazing site.

So I think everyone will find something they like there. So inchcalculator.com is the site. It's been around for yonks and it just keeps growing and I think it's great.

And that is my pick of the week.
GRAHAM CLULEY
Brilliant. That just about wraps up the show for this week. Geoff, I'm sure lots of our listeners would love to participate in our incredible competition.

Let's mention it one more time. So for a free copy— the chance to win a free copy of The Lazarus Heist book.

All they have to do is email us at with the subject line Lazarus and explaining why they want a copy of Geoff's book, and we will pick one out of the hat and Geoff will sign the book to you as well.

Geoff, I'm sure lots of people would love to follow you online. What's the best way for folks to do that?
GEOFF WHITE
Best way is probably on Twitter. I am Geoff White, Geoff with a G, White like the color. And then 247, the numbers 247, 'cause I'm Geoff White 24/7.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't have a G, and we're also on Reddit, we have a Smashing Security subreddit.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.
CAROLE THERIAULT
And huge thank you to this episode's sponsors, Bitwarden, Snyk, and Kolide, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 277 episodes, check out smashingsecurity.com.

Until next time, cheerio, bye-bye, bye-bye.
GRAHAM CLULEY
Book, book, book, book, book. Write the book, book, book. Lazarus Heist.
GEOFF WHITE
Stop talking about the book. God.

Hosts: Graham Cluley, Carole Theriault

Guest: Geoff White – @geoffwhite247

Show notes:

Sponsor: Bitwarden

A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.

Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: Snyk

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Get started right now, with a free forever account, at snyk.co/smashing

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
