A new version of the LockBit ransomware offers a bug bounty, women uninstall period-tracking apps in fear of how their data might be used against them, and Microsoft’s facial recognition tech no longer wants to know how you’re feeling.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast.
Plus don’t miss our featured interview with Bitwarden founder and CTO Kyle Spearrin.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You would be the sort of person who would be to test gravity.
You would jump off a cliff and say, let me test this for you to see if it works or not, and you'd go splat at the bottom of the cliff.
You would jump off a cliff and say, let me test this for you to see if it works or not, and you'd go splat at the bottom of the cliff.
Or the guy who jumped off the Eiffel Tower to test his flying suit.
You know what, my brother did that, although he was 7.
What?
So a little bit younger.
Your brother climbed— jumped off the Eiffel Tower?
No, he jumped off the roof of our house. My mum sewed him a Superman outfit when he was about 6 or 7.
Technically a flying suit.
And he went up on the roof, launched himself, and then fell promptly to the ground anyway. So, you know, he was 7 though, so, you know.
Your genetics, girl. Your genetics.
Smashing Security, Episode 281: Debug Ransomware and Win a Million Dollars, Period Tracking Apps, and AI Gets Emotional with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 281. My name's Graham Cluley.
Smashing Security, Episode 281: Debug Ransomware and Win a Million Dollars, Period Tracking Apps, and AI Gets Emotional with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 281. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, this week we've got a very special guest. Who have we got in the hot seat today?
The award-winning Thom Langford.
Award-winning? I like the sound of that. Thank you very much.
Yes, well, Thom, and your podcast has recently won an award. Do you want to tell our audience about it?
Yes, please. The Host Unknown podcast. It releases every week.
I couldn't remember the name.
I know you couldn't. I know, I know, because you don't give us a second thought, but you guys live rent-free in our heads, so.
We've appeared on the show.
We've actually sponsored your podcast.
You have.
We actually gave you money.
We've come on the show as well.
Yes.
I think you give us less thought than we give you, because you're all we ever think about. What would Smashing do?
Is this Chicago? Are we your inspiration?
Of course you are. We look up to you. We look up to you. We really enjoy it when we win awards, but you know.
Well, congratulations.
Yes, thank you very much.
So what award did the Host Unknown podcast win, Thom?
From memory, the most entertaining podcast.
No, well, that's incorrect.
That's obviously.
Yes.
What was it?
Yes, you've won the best non-vendor cybersecurity podcast.
Oh, that's right, that's right. You won the— the most entertaining blog, didn't you? Yeah.
Yes.
Interesting.
It's a stellar award system.
Yes.
Should we go to our sponsors? Let's thank this week's wonderful sponsors, Bitwarden, Sneak, and Kolide. It's their support that help us give you the show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about an unpopular software update that could earn you $1 million.
Okay.
And Thom, what about you?
I'm going to talk about unintended digital consequences to laws.
And I'm calling mine, are you crying or just cutting onions? Plus, we have a featured interview this week with Kyle Spearrin of Bitwarden.
All this and much more coming up on this episode of Smashing Security.
All this and much more coming up on this episode of Smashing Security.
Now, chums, chums. Do you love a software update?
That's the best thing ever. It's better than Christmas.
I like doing them just before going live on a podcast.
That is exactly— You know what, Thom? That's exactly what I imagined you would do.
I would— I thought if there was a new version of macOS which came out 20 minutes before recording your podcast, you were the sort of— How can I put this politely?
Complete blithering idiot who would click apply updates?
I would— I thought if there was a new version of macOS which came out 20 minutes before recording your podcast, you were the sort of— How can I put this politely?
Complete blithering idiot who would click apply updates?
And done it. I've done it. In fact, we mentioned it on the show. Not the operating system, just my entire sound deck system for a podcast. Done it just before the show.
Delayed us by about 45 minutes.
Delayed us by about 45 minutes.
Of course you did.
But I got new free stuff.
Yes, but sometimes it can have unintended consequences, can't it? I mean, I must admit, I'm a slight addict to installing updates as well. I do have to resist.
I think maybe some other people should beta test them before me.
I think maybe some other people should beta test them before me.
Can I ask though, do you have it all set up automatically, or do you jump the gun and go and get it before it's handed out for the automatic rollout?
Well, it depends. On my phone, they automatically install.
Right.
Don't really care about that. On my desktop computer, where it's a little bit more work-oriented, I try to have some manual involvement, so I choose when to do it.
And obviously in the workplace as well, people are staggering the rollout of patches and security updates to make sure they don't conflict with anything.
You know, they can be a problem, can't they, security updates?
Because they may introduce some sort of clash or a new vulnerability, or you may be thinking, well, I have to install this to protect against a vulnerability.
Oh my goodness, what am I going to do? Is it going to be worse installing the patch, or is that going to introduce a vulnerability, or is that going to fix a vulnerability?
Dither, dither, dither.
And obviously in the workplace as well, people are staggering the rollout of patches and security updates to make sure they don't conflict with anything.
You know, they can be a problem, can't they, security updates?
Because they may introduce some sort of clash or a new vulnerability, or you may be thinking, well, I have to install this to protect against a vulnerability.
Oh my goodness, what am I going to do? Is it going to be worse installing the patch, or is that going to introduce a vulnerability, or is that going to fix a vulnerability?
Dither, dither, dither.
Wow.
Okay. I don't put that much thought in it. I mean, obviously, things can go wrong, but I just think they're probably 99% good.
So just rock on because it's better to have them than not.
So just rock on because it's better to have them than not.
Do you do beta updates?
No.
No.
Really? Why not?
Because I'm not needy.
Because they're bloody betas.
That's early free stuff.
But if you—
I love that people like you exist though, Thom. I'm not even kidding. I love that people go out and they're beta— because we need beta testers. We need alpha testers.
We need those people. But no way would I do it.
We need those people. But no way would I do it.
You know what, Thom? If you'd been around when Isaac Newton was around, which possibly you were, and he invented gravity, of course.
Gravity didn't exist before the apple fell on his head. Yeah. You would be the sort of person who would be to test gravity.
You would jump off a cliff and say, "Let me test this for you to see if it works or not." And you'd go splat at the bottom of the cliff.
Gravity didn't exist before the apple fell on his head. Yeah. You would be the sort of person who would be to test gravity.
You would jump off a cliff and say, "Let me test this for you to see if it works or not." And you'd go splat at the bottom of the cliff.
Or the guy who jumped off the Eiffel Tower to test his flying suit. You know what?
My brother did that, although he was 7.
What?
So a little bit younger.
Your brother climbed and jumped off the Eiffel Tower?
No, he jumped off the roof of our house.
He—
Yeah, my mum— my mum sewed him a Superman outfit when he was about 6 or 7.
Technically a flying suit. 'Cause he was in love with Christopher Reeve's Superman.
And it was all during that series. And he went up on the roof, and it was not very high. It was a very low-sloping roof at this stage, but still, he had to put a good 6 feet to fall.
And when you're only 3 foot 2, that's kind of a big deal.
Right! Launched himself and then fell promptly to the ground and didn't understand it. And then everyone was like, Superman never had to go off buildings.
And then he showed us in the VHS where he does, 'cause he does go off a few buildings, doesn't he? He flies off. Yeah. Anyway, so, you know, he was 7 though, so. You know?
And then he showed us in the VHS where he does, 'cause he does go off a few buildings, doesn't he? He flies off. Yeah. Anyway, so, you know, he was 7 though, so. You know?
Yeah.
Your genetics, girl. Your genetics. Anyway, I want to talk to you today about an update to a very unpopular piece of software.
Ooh.
Not unpopular because hardly anyone runs it, but nobody wants it. I'm not talking about Clippy. Some people might even like Clippy.
I'm talking about an update to a notorious piece of ransomware. LockBit, of course. LockBit has been at the heart of some 40% of all known ransomware attacks last month.
I'm talking about an update to a notorious piece of ransomware. LockBit, of course. LockBit has been at the heart of some 40% of all known ransomware attacks last month.
40%, really?
40%. Worldwide. According to reports. According to reports. Yes.
Reports.
Yes.
Ransomware du jour.
And a new version of LockBit has been beta testing for a while. Have you been running the beta test of LockBit on your computers?
It's cost me a fortune. Cost me a fortune. But yes.
Well, LockBit 3.0 has now been officially released. Huzzah! Or maybe not. So what is new about LockBit 3.0?
Well, Bleeping Computer reports that there are some interesting new developments in LockBit aside from all the, you know, the core stuff of encrypting your data and exfiltrating your data and demanding the money from you.
So one of the new things is that the LockBit gang is now running a bug bounty program.
Well, Bleeping Computer reports that there are some interesting new developments in LockBit aside from all the, you know, the core stuff of encrypting your data and exfiltrating your data and demanding the money from you.
So one of the new things is that the LockBit gang is now running a bug bounty program.
Oh my frickin' Lord. Of course they are. You know why? They're streamlined.
It's very efficient.
They're agile.
Yeah.
It's really impressive when you think of how many legitimate companies aren't running a bug bounty.
And now the criminals are running bug bounties saying, if you find a bug in our software, in our ransomware, please let us know.
And you can earn anywhere from $1,000 up to $1 million.
And now the criminals are running bug bounties saying, if you find a bug in our software, in our ransomware, please let us know.
And you can earn anywhere from $1,000 up to $1 million.
Yeah, yeah. I'll wait to see that be paid out before.
Do they take that off your bill as well? That's right.
You've hit us, you've hit us hard, but we found a spelling mistake or we found that your files were slightly crashed.
So in the announcement, the LockBit gang are saying that they are inviting all security researchers, ethical and unethical hackers on the planet to participate.
So they want to know about bugs which are basically costing them money or bugs which are meaning maybe they're less efficient and they've clearly got the funds. They're claiming.
So in theory, someone could find a vulnerability or a weakness in their encryption algorithm, maybe a way to get back the data without paying the gang. And you've then got a choice.
Do you tell that to the good guys or do you tell it to the bad guys? And now the bad guys are saying, well, tell us and we'll pay you for it.
So in the announcement, the LockBit gang are saying that they are inviting all security researchers, ethical and unethical hackers on the planet to participate.
So they want to know about bugs which are basically costing them money or bugs which are meaning maybe they're less efficient and they've clearly got the funds. They're claiming.
So in theory, someone could find a vulnerability or a weakness in their encryption algorithm, maybe a way to get back the data without paying the gang. And you've then got a choice.
Do you tell that to the good guys or do you tell it to the bad guys? And now the bad guys are saying, well, tell us and we'll pay you for it.
I guess that really depends on if you are an ethical or an unethical hacker or security researcher.
Yes, exactly.
What would happen though, if you do it ethically? Okay. So where do you go? So do you go to your local federal cop? Sophos, is that where you would go?
Yeah. Or publish it publicly.
Or there's organizations like No More Ransomware, that group, different security companies and researchers.
I'd give it to Graham. He'd know what to do with it.
Are we saying we don't agree with responsible disclosure at this time?
Well, it puts us in an awkward position here, isn't it?
Because normally we're saying, well, you know, you should really tell the software vendor about the bugs so that they can fix them.
But when the software is written by bad guys, maybe—
Because normally we're saying, well, you know, you should really tell the software vendor about the bugs so that they can fix them.
But when the software is written by bad guys, maybe—
And seriously, locking down hospitals and schools and— Yeah.
Well, I was going to say we shouldn't be helping organizations that are ripping millions of dollars off of organizations globally, but that's not really a clear definition of whether they're a criminal enterprise or a regular enterprise, really, is it?
I think globally you can add a B to that, not millions, but billions. Yeah.
Well, I think the other thing is, of course, if you help a criminal organization like the guys behind LockBit, it might be frowned upon by law enforcement in your particular country.
They may think, well, you're basically in league with them, aren't you? You are part of their enterprise if you're assisting them making their software, quote, better.
They may think, well, you're basically in league with them, aren't you? You are part of their enterprise if you're assisting them making their software, quote, better.
You're receiving stolen funds.
Yes, I would imagine so as well.
And we're kind of circling back to your argument, though, of should there be laws to prevent people from actually paying bad guys in these situations?
Well, this is the way of getting your money back, I suppose, isn't it? I wonder if there's any scams which— I wonder if it's possible to scam the ransomware guys.
If you could somehow convince them that there is a vulnerability which isn't really as bad as they thought, or if you say, look, I've looked at your code and I found a way to improve it.
If you apply this patch to your ransomware and in fact, the patch means that any funds people pay go into your bitcoin wallet rather than theirs, and you can then—
If you could somehow convince them that there is a vulnerability which isn't really as bad as they thought, or if you say, look, I've looked at your code and I found a way to improve it.
If you apply this patch to your ransomware and in fact, the patch means that any funds people pay go into your bitcoin wallet rather than theirs, and you can then—
You could be more glorious than that.
You could just lock up their data and ask for payment for it, and then return the payments to the people that have paid up in the first place going, "Don't do that again." So they're not just interested in bugs and vulnerabilities in their ransomware, they're also looking for brilliant ideas on improving their operations.
You could just lock up their data and ask for payment for it, and then return the payments to the people that have paid up in the first place going, "Don't do that again." So they're not just interested in bugs and vulnerabilities in their ransomware, they're also looking for brilliant ideas on improving their operations.
So if you've thought of a new way that they can make even more money, they're interested in that, and they will pay out, they say, for those.
And they're saying, they will give out exactly $1 million, no more and no less, for doxing their affiliate program boss.
So LockBit, like other ransomware operations, is ransomware as a service.
You basically, if you're a criminal, you work as an affiliate of theirs and they have this chap who's sort of running the affiliate program, right?
They don't want his true identity to become public knowledge.
And so they're saying, if you've worked out who our bad guy is, and they say whether you're an FBI agent or a very clever hacker who's found out how to do this, let us know his name and we will give you $1 million in bitcoin for that information.
So they're actually saying to law enforcement, hey, if you think you're on the trail of us, we'll give you a million dollars. Thanks for the heads up.
And then we'll go and hide in Monte Carlo or wherever.
And they're saying, they will give out exactly $1 million, no more and no less, for doxing their affiliate program boss.
So LockBit, like other ransomware operations, is ransomware as a service.
You basically, if you're a criminal, you work as an affiliate of theirs and they have this chap who's sort of running the affiliate program, right?
They don't want his true identity to become public knowledge.
And so they're saying, if you've worked out who our bad guy is, and they say whether you're an FBI agent or a very clever hacker who's found out how to do this, let us know his name and we will give you $1 million in bitcoin for that information.
So they're actually saying to law enforcement, hey, if you think you're on the trail of us, we'll give you a million dollars. Thanks for the heads up.
And then we'll go and hide in Monte Carlo or wherever.
But you do have to set up a bitcoin account, right?
Well, yes, you would need some sort of crypto.
I know, there's some costs.
There's some costs. I think people would be able to work out how to do it.
And also, you're going to get paid $1 million in bitcoin, which tomorrow is going to be worth $800,000 in bitcoin. Yes, $1 million in bitcoin.
And the day after that, it's going to be worth $750,000 and so on. It's not the most stable of currencies at the moment.
And the day after that, it's going to be worth $750,000 and so on. It's not the most stable of currencies at the moment.
No. Anyway, ransomware is evolving and so are the campaigns to distribute it. There was a recent Lockbit campaign which arrived as an email claiming copyright infringement.
So if you were to run, for instance, an award-winning cybersecurity podcast and you regularly infringed the copyright of another cybersecurity podcast, maybe by using their jingles or something like that, yes, and you received an email from them, I would suggest, Thom, that you be very, very careful about opening the attachments.
So if you were to run, for instance, an award-winning cybersecurity podcast and you regularly infringed the copyright of another cybersecurity podcast, maybe by using their jingles or something like that, yes, and you received an email from them, I would suggest, Thom, that you be very, very careful about opening the attachments.
Okay. I'm glad we use open source music then.
Thom, what's your subject for us this week?
This is talking about the very recent decision by the US Supreme Court to rescind the Roe versus Wade ruling, which allows for abortion rights for women in the US.
And that's across the US. It's now down to individual states to decide. And that's broadly speaking, that's now made up upon party lines.
So, you know, red versus blue parties and whichever states are run by which. The actual ethics, morals behind all of that is not what I'm going to be looking into in this point.
That's for an entirely different show.
What I want to look at is actually the impact that something, and I don't want to say something as innocuous as this because it's far from it, but something that feels very unrelated to technology can actually have some big technology impacts.
So there's a couple of layers here.
So firstly, it's about, you know, we in InfoSec and also the privacy professionals have been saying for years that privacy is a vital component of security.
Security and privacy are two different things. You can be secure but not private. The two need to go hand in hand, and it's important.
You know, we talk about mass surveillance and things like that, and many people who support surveillance— and ostensibly I do in a sort of benign environment— but the argument is, if you've done nothing wrong, you've got nothing to hide, which sounds great until what's defined as wrong changes, which is what's happened here, right?
So the law has changed in this instance. So enter, with the advent of smartphones and digital watches and the health tech environments, there's many period tracking apps.
Apps that are just used not just for convenience sake, women wanting to know when their period is likely to come on, but it's also very useful for medical conditions, when's the best time to fall pregnant, and generally allow women to be more informed about their health.
And that's across the US. It's now down to individual states to decide. And that's broadly speaking, that's now made up upon party lines.
So, you know, red versus blue parties and whichever states are run by which. The actual ethics, morals behind all of that is not what I'm going to be looking into in this point.
That's for an entirely different show.
What I want to look at is actually the impact that something, and I don't want to say something as innocuous as this because it's far from it, but something that feels very unrelated to technology can actually have some big technology impacts.
So there's a couple of layers here.
So firstly, it's about, you know, we in InfoSec and also the privacy professionals have been saying for years that privacy is a vital component of security.
Security and privacy are two different things. You can be secure but not private. The two need to go hand in hand, and it's important.
You know, we talk about mass surveillance and things like that, and many people who support surveillance— and ostensibly I do in a sort of benign environment— but the argument is, if you've done nothing wrong, you've got nothing to hide, which sounds great until what's defined as wrong changes, which is what's happened here, right?
So the law has changed in this instance. So enter, with the advent of smartphones and digital watches and the health tech environments, there's many period tracking apps.
Apps that are just used not just for convenience sake, women wanting to know when their period is likely to come on, but it's also very useful for medical conditions, when's the best time to fall pregnant, and generally allow women to be more informed about their health.
I don't know why you need an app to work out what's the best time to be pregnant. I would think normally probably about quarter past 1 in the morning would be my advice.
I can't believe you reproduced.
I was going to— I was just wondering where you were going with that, Graham, and I was thinking that's probably because you don't have a uterus. But, you know, how do you know?
I might have. You medically qualified?
You definitely 100% do not.
Oh, okay.
But this data is stored somewhere, right? And many different apps, many different providers, etc.
And the data is put into these apps and lots of insights and data mining and blah, blah, blah. But that data is very often sold or passed on or requested by medical organizations.
The key thing here now is a lot of women in the US and actually globally as well in support of the environment that they've seen themselves faced with, are boycotting these apps, primarily because this data could be used to determine if a woman falls pregnant and then within the following 9 months is suddenly not pregnant.
And there could be a multitude of reasons for that.
But that data, it has been made clear, can be used for legal proceedings against that woman in case that laws in those particular states have been broken.
So this link here is fascinating.
And I think it really drives home the drum that many privacy advocates have been banging for a very long time, which is we have to protect our data.
Now, I know as a 51-year-old balding short fat cis white man who's had two kids.
And the data is put into these apps and lots of insights and data mining and blah, blah, blah. But that data is very often sold or passed on or requested by medical organizations.
The key thing here now is a lot of women in the US and actually globally as well in support of the environment that they've seen themselves faced with, are boycotting these apps, primarily because this data could be used to determine if a woman falls pregnant and then within the following 9 months is suddenly not pregnant.
And there could be a multitude of reasons for that.
But that data, it has been made clear, can be used for legal proceedings against that woman in case that laws in those particular states have been broken.
So this link here is fascinating.
And I think it really drives home the drum that many privacy advocates have been banging for a very long time, which is we have to protect our data.
Now, I know as a 51-year-old balding short fat cis white man who's had two kids.
Come on, Thom. You're not 51. You're much older than that.
Exactly. And who is no longer able to sire children.
This has got very little to do with me personally, but I think that the fact that such a change in a law could alter how we interpret or how we accept our data to be used and how actually we should become far more conscious about where our data goes.
I've been fairly open with this stuff. Yeah, I'll accept those cookies. Yeah, you can take my data. I've got nothing to hide, because I'm in a privileged position.
This really highlights the fact that the environment in which we live in can change at any moment and will actually put any one of us at risk.
So there's a link in the show notes to just one of these stories. There's plenty of stories out there. You just have to Google them.
But folks, really think hard who you're giving your data to, which devices you're using, which companies you are giving your data to, and what is their standard?
What is their approach to how they're going to manage your data?
This has got very little to do with me personally, but I think that the fact that such a change in a law could alter how we interpret or how we accept our data to be used and how actually we should become far more conscious about where our data goes.
I've been fairly open with this stuff. Yeah, I'll accept those cookies. Yeah, you can take my data. I've got nothing to hide, because I'm in a privileged position.
This really highlights the fact that the environment in which we live in can change at any moment and will actually put any one of us at risk.
So there's a link in the show notes to just one of these stories. There's plenty of stories out there. You just have to Google them.
But folks, really think hard who you're giving your data to, which devices you're using, which companies you are giving your data to, and what is their standard?
What is their approach to how they're going to manage your data?
I would plug right now, if it's okay, I'd plug Firefox's Privacy Not Included site.
So you can put in different devices or apps, 'cause they do all the legwork for you by reading all the terms and looking at all the features and reading the website.
So you can put in different devices or apps, 'cause they do all the legwork for you by reading all the terms and looking at all the features and reading the website.
Yeah.
And giving you a kind of educated feel of how they're handling data.
That's a really good one. Yeah, that's a really good one.
Yeah, and this is really a problem.
I've been reading on Vice recently, they've been tracking some of the response to this, and they've been investigating some of the tech companies who run, for instance, period tracking apps.
And they found the number one period tracker on the App Store is handing over data to police, no warrant required.
I've been reading on Vice recently, they've been tracking some of the response to this, and they've been investigating some of the tech companies who run, for instance, period tracking apps.
And they found the number one period tracker on the App Store is handing over data to police, no warrant required.
Oh, wait until the law against being a short, bald, wok smuggling male is going to come in. It's—
Sorry, wok smuggling? What, you've been smuggling woks? What does that—
Yeah.
What?
Under my shirt.
I don't even know what that means.
If you were to put a wok up your shirt, what would it look like?
Like I had a great big chest, I suppose.
Well, it depends how high up you put it, yes.
Oh, I see. Oh, right, okay. I see, yes.
This is great radio, guys.
Carole, what have you got for us this week?
We start with me asking you guys a question in two different ways, and I want you to try and categorise each question based on what you hear. I know where you live.
I know where you live. But you don't come and visit me.
So from those two, would you say there's any difference?
Yes.
Yeah, yeah. Well, yes, the second one sounded rather aggressive, I thought.
A little threatening?
Exactly.
A little bit, yes.
I was going for that. I was going for that.
Well done, girl.
Thanks. And the first one?
I know where you live. It was kind of a bit sexy.
Yeah.
Oh.
But the whole point here is that it was easy for you to decipher between two emotional states. It's possible to get it wrong, right? Of course, we all get occasionally wrong.
But we have these built-in mechanisms to help us navigate the emotional tone of a speaker, right?
Even if you don't speak a language, I suspect you can get the emotional tone because the tone goes beyond the language barrier.
If you closed your eyes and thought of the Swedish Chef, who's not even speaking any Swedish at all, or any language at all, but on the Muppets, you would know whether he was having fun or whether he was freaking out just by his tone.
But we have these built-in mechanisms to help us navigate the emotional tone of a speaker, right?
Even if you don't speak a language, I suspect you can get the emotional tone because the tone goes beyond the language barrier.
If you closed your eyes and thought of the Swedish Chef, who's not even speaking any Swedish at all, or any language at all, but on the Muppets, you would know whether he was having fun or whether he was freaking out just by his tone.
Yes.
Right, even if your eyes were closed, you'd know.
Yep. Yes. It would explain why I wasn't able to buy anything when I went on holiday in Sweden though. I learned all my Swedish from the Muppets.
And with all things labelled artificial intelligence or AI, we also have a component called emotional AI. Do you guys know anything about that?
Emotional? No. Oh, tell me.
Very interesting. So it's called emotional recognition technology, and it typically relies on software to look at loads of different qualities.
So if it's visual, it'd be facial expressions, or if it was audio, it'd be speed of speech, tone of voice, word choice.
You'd gather all this data to automatically detect an emotional state.
So if it's visual, it'd be facial expressions, or if it was audio, it'd be speed of speech, tone of voice, word choice.
You'd gather all this data to automatically detect an emotional state.
It sounds awfully clever.
It does sound awfully clever, and it is awfully clever. And in order for an AI to be able to classify this information it's getting, it needs a glut load of practice, doesn't it?
So it's going to need a huge amount of data of people looking angry or happy or smiling or sounding—
Yes.
Or orgasm face or whatever it might be that—
Vinegar strokes.
No, it might need—
I don't want to know.
I don't ask anymore. Is it to do with the wok? No, don't tell us, Thom.
You know what, the face you pull when you've got a mouthful of vinegar.
Oh, right.
But the thing is, emotions are a little bit more complicated than happy, sad, right? There's how happy, how sad, or sarcasm, satirical happiness or fake sadness, right?
Yes, yes.
Because, you know, we've all been— if anyone who's been in a failed relationship, we know this kind of I'll take the bin out then. You're angry.
No, I'm not.
Yeah, you are. No, I'm not. I can tell you're angry. I am not angry. I can, and it goes on and on and on.
Yep, that rings a bell.
About 9,000 of them.
So why am I talking about this? Well, this week we learned that Microsoft is moving emotion recognition features from its facial recognition tech in Azure.
And they're doing this because they say the science of emotion is far from settled. Like, duh. So Microsoft announced this change in a blog post last week.
And while they kind of buried this news at the bottom, like they had 5 points they were making, this was number 5.
So this was Natasha Crampton, a Microsoft Chief Responsible AI Officer, who wrote the post. She says, quote, finally, right? Number 5. Finally.
We recognize that for AI systems to be trustworthy, they need to be appropriate solutions to the problems they're designed to solve.
As part of our work to align our Azure Face service to the requirements of Responsible AI standard, which they've written, we are also retiring capabilities that infer emotional states and identity attributes such as gender, age, smile, facial hair, hair, and makeup.
Because basically I'm sure they were shit at it. That's what I'm assuming.
And they're doing this because they say the science of emotion is far from settled. Like, duh. So Microsoft announced this change in a blog post last week.
And while they kind of buried this news at the bottom, like they had 5 points they were making, this was number 5.
So this was Natasha Crampton, a Microsoft Chief Responsible AI Officer, who wrote the post. She says, quote, finally, right? Number 5. Finally.
We recognize that for AI systems to be trustworthy, they need to be appropriate solutions to the problems they're designed to solve.
As part of our work to align our Azure Face service to the requirements of Responsible AI standard, which they've written, we are also retiring capabilities that infer emotional states and identity attributes such as gender, age, smile, facial hair, hair, and makeup.
Because basically I'm sure they were shit at it. That's what I'm assuming.
Okay.
It's good to know, by the way, that Microsoft also have a responsible AI department, just like we've discovered last week, Google have one as well.
Begs the question, who heads up their irresponsible AI department?
Yes, indeed, yes. Quote unquote, yes.
So Microsoft are kind of pulling away from it saying there's basically a lack of scientific consensus on the definition of emotions, very similar to last week, and the challenges on how these inferences generalize across use cases, regions, demographics.
So basically, we don't really know what we're doing is what they're saying. And they're pulling away from it. They're kind of going, we've played with this.
It turns out we're going to get in hot water. We're pulling back.
So Microsoft are kind of pulling away from it saying there's basically a lack of scientific consensus on the definition of emotions, very similar to last week, and the challenges on how these inferences generalize across use cases, regions, demographics.
So basically, we don't really know what we're doing is what they're saying. And they're pulling away from it. They're kind of going, we've played with this.
It turns out we're going to get in hot water. We're pulling back.
Yeah.
But it led me to think there must be a lot of other firms maybe dabbling in this, right? Because there's a lot of wonga here.
If you can target someone emotionally, we all know that we're more likely to be engaged and therefore more likely to pay attention to that service or buy that product or whatever.
So NBC News writes that many companies, and they had a few listed, so I just wanted to, and I went around Googling, I got into a rabbit hole of who uses emotional AI and why.
Can you think of any reasons why anyone would want to use it before I list any? Okay, I'll kick off a few and then—
If you can target someone emotionally, we all know that we're more likely to be engaged and therefore more likely to pay attention to that service or buy that product or whatever.
So NBC News writes that many companies, and they had a few listed, so I just wanted to, and I went around Googling, I got into a rabbit hole of who uses emotional AI and why.
Can you think of any reasons why anyone would want to use it before I list any? Okay, I'll kick off a few and then—
Give us a few seed ones.
Yeah, I'll give you a few seed ones. Okay, hold on. Okay, so Cognito Dialogue. This is a call center emotional intelligence and customer service.
And they claim to provide live analysis of the emotions of the caller because you're obviously not listening, right?
On customer service lines so that employees in call center can alter their behavior accordingly. So imagine I call up, right? And I'm labeled super pissed off, super pissed off.
And it just turns out I've got a cold. Right? And they couldn't read me properly.
And they claim to provide live analysis of the emotions of the caller because you're obviously not listening, right?
On customer service lines so that employees in call center can alter their behavior accordingly. So imagine I call up, right? And I'm labeled super pissed off, super pissed off.
And it just turns out I've got a cold. Right? And they couldn't read me properly.
Oh, yeah.
I might get some free stuff and I'd give it to you, Thom, because you love free stuff.
I do love free stuff. I mean, in essence, any kind of interaction with AI at the moment is a fairly flat experience.
You know, it's all very discrete in the sense that it's very specific in what it does.
I guess what this is doing is it's actually going to allow you to interact with an AI in a way that will respond to how you are behaving and talking and presenting and respond back in an appropriate manner.
You know, it's all very discrete in the sense that it's very specific in what it does.
I guess what this is doing is it's actually going to allow you to interact with an AI in a way that will respond to how you are behaving and talking and presenting and respond back in an appropriate manner.
Maybe. Let me give you some more examples and see if you're still comfy, right?
So Brazil's Yellow Line of São Paulo Metro deployed AdMobilize emotion AI analytics technology to optimize their subway interactive ads. Ads according to people's emotions.
So you walk by feeling a little bit pissed off because someone with BO's armpit was in your face the whole ride, and they then show you a happy clappy ad to try and make you happy and therefore engage you.
So Brazil's Yellow Line of São Paulo Metro deployed AdMobilize emotion AI analytics technology to optimize their subway interactive ads. Ads according to people's emotions.
So you walk by feeling a little bit pissed off because someone with BO's armpit was in your face the whole ride, and they then show you a happy clappy ad to try and make you happy and therefore engage you.
Oh, they can fuck right off.
Okay.
What about this? Okay, so Skyscanner, this is a meta search engine and travel agency. They deployed Sitecorp's Emotion AI tech to their Russian website.
So basically, if a user displayed sad emotions that was interpreted by the AI, the API would suggest a fun travel destination.
Like imagine your partner's just died and you go on going, I need to go to, and they're like, Disneyland for couples and loved ones.
So basically, if a user displayed sad emotions that was interpreted by the AI, the API would suggest a fun travel destination.
Like imagine your partner's just died and you go on going, I need to go to, and they're like, Disneyland for couples and loved ones.
Scatter their ashes.
There was even one during the pandemic to track consumers' sentiments and trends about the pandemic and the spread of COVID-19.
There is tracking emotions of students during classroom video calls so that teachers can measure performance, interest, and engagements, or rather their bosses could do it.
See, that's my worry. It's not that teachers can do it. It's so that the principal can measure the teacher's job and how good they are.
There is tracking emotions of students during classroom video calls so that teachers can measure performance, interest, and engagements, or rather their bosses could do it.
See, that's my worry. It's not that teachers can do it. It's so that the principal can measure the teacher's job and how good they are.
I think we're at the very beginning of this process.
So right now, this feels extraordinarily artificial and forced and not natural in the slightest because that's not how we expect advertising hoardings to behave or for our school to be able to say, oh, your child looked disengaged.
No, his dog just died this morning. So it feels very unnatural.
But I imagine in 10 to 15 years' time, this is going to be rolled out in a way that is much more invisible and yet more effective. So at the moment, I think it's horrible.
So right now, this feels extraordinarily artificial and forced and not natural in the slightest because that's not how we expect advertising hoardings to behave or for our school to be able to say, oh, your child looked disengaged.
No, his dog just died this morning. So it feels very unnatural.
But I imagine in 10 to 15 years' time, this is going to be rolled out in a way that is much more invisible and yet more effective. So at the moment, I think it's horrible.
Yeah.
Exactly as you say. Right now, there are issues. Like, for example, there's that nasty bias thing going on, right?
So there have been studies from the University of Maryland that found that emotional AI is manipulative and discriminatory.
So it would read, one AI would read Black subjects as angrier than white subjects. And even Microsoft's AI read Black subjects as betraying more contempt.
So there have been studies from the University of Maryland that found that emotional AI is manipulative and discriminatory.
So it would read, one AI would read Black subjects as angrier than white subjects. And even Microsoft's AI read Black subjects as betraying more contempt.
Oh my goodness.
Well, just like when they put their AI onto Twitter and Twitter managed to turn it into a raving Nazi. Well, a raging Nazi.
A raving Nazi is quite a happy one because they're dancing.
A raving Nazi is quite a happy one because they're dancing.
But a raging Nazi.
Subtle difference, but important one.
They did used to put their hands in the air, didn't they? A bit like ravers.
They did. Like, they just didn't care.
And this is the thing, to your point though, Thom, you were saying, okay, when 10, 15 years, this could happen.
But Sandra Watcher, she's an associate professor and senior research fellow at University of Oxford, and she's saying there's no proven basis in science to what they're doing.
At absolute worst, this is pseudoscience. And she says, quote, even if we were to find evidence the AI is reliably able to infer emotion that alone would still not justify its use.
Our thoughts and emotions are the most intimate parts of our personality and are protected by human rights, such as the right to privacy.
Let's not pave the road for it, because I don't like the idea that a camera can look at me and decide how I feel.
But Sandra Watcher, she's an associate professor and senior research fellow at University of Oxford, and she's saying there's no proven basis in science to what they're doing.
At absolute worst, this is pseudoscience. And she says, quote, even if we were to find evidence the AI is reliably able to infer emotion that alone would still not justify its use.
Our thoughts and emotions are the most intimate parts of our personality and are protected by human rights, such as the right to privacy.
Let's not pave the road for it, because I don't like the idea that a camera can look at me and decide how I feel.
But you're all right with a human deciding that?
I would like them to go, how are you? That's kind of the question we ask each other, right?
Yeah, but not everybody. A shop assistant won't ask you how you are, or at least not in a way that they do.
Me, I obviously have a better relationship than you do.
Well, yeah, but they mean it, you know?
Yeah.
When they say, "How are you?" they really don't want to know.
Well, I always tell them, I'm like, "Well..." And sometimes people don't want to be told, "Oh, you know, smile, love, it may never happen," or something.
Or, you know, they don't want to know.
Or, you know, they don't want to know.
You don't have to do that. You don't have to say any of that. You could just say, "Can you get out of the way, please, so I can get into the store?" for example.
You don't have to go, "How are you?" to people you don't care about asking. But if you care and you want understand that, you can ask them.
Anyway, I agree with Sandra Wachter and emotional AI. Interesting but scary stuff.
You don't have to go, "How are you?" to people you don't care about asking. But if you care and you want understand that, you can ask them.
Anyway, I agree with Sandra Wachter and emotional AI. Interesting but scary stuff.
When you opened with the Swedish chef, it reminded me of the Swedish chemist joke. Do you remember that one?
No.
Is it about the deodorant?
Yes.
Tell me.
So a guy walks into this Swedish chemist, says, "Do you have any deodorant?" And the guy behind the—
Well, hang on. We both know it. We can do the parts of this, Thom. We can do it between us. Yeah. You be the customer.
I'll be the customer. Hello. Do you have any deodorant?
Yes. Ball or— Oh, I've forgotten what it is now. Oh, yeah. I know. Okay. Yes. Ball or aerosol?
No, it's for my armpits.
So good, guys.
That's our favourite time of the show.
Swedish listeners, please write in.
Alright then.
Snyk is a developer security platform integrating directly into development tools, workflows, and automation pipelines.
Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.
Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
Get started right now with a free forever account at snyk.co/smashing. That's Snyk, which is S-N-Y-K,.co/smashing. And thanks to Snyk for supporting the show.
Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.
Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
Get started right now with a free forever account at snyk.co/smashing. That's Snyk, which is S-N-Y-K,.co/smashing. And thanks to Snyk for supporting the show.
Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account.
Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.
Bitwarden is transparent and secure, using end-to-end and zero-knowledge encryption with source code that can be scrutinized.
Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan.
And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise.
Go to bitwarden.com/smashing. Start your free password manager trial today.
Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.
Bitwarden is transparent and secure, using end-to-end and zero-knowledge encryption with source code that can be scrutinized.
Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan.
And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise.
Go to bitwarden.com/smashing. Start your free password manager trial today.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back.
Can you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back.
Can you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. Super Mario, Legend of Zelda, Red Dead Redemption. These are all fantastic video games.
And up there, right at the top of all of the greatest video games of all time, is of course Alley Cat. Have either of you played Alley Cat?
And up there, right at the top of all of the greatest video games of all time, is of course Alley Cat. Have either of you played Alley Cat?
No. No. I hardly play any video game though.
I've not heard of this. What platform was it?
Well, it came out on the IBM PC. So that, the very fact I call it the IBM PC gives you a hint.
Yes.
1988, people.
Also available for the Amstrad 1640 and 1512.
Actually, a little bit earlier than 1988. It was, I think about 1983 it came out.
Wow.
Written by the late Bill Williams. It has the best theme tune of any video game ever. Long live 8-bit.
Alley Cat is a game where you are a cat and you want to make a bit of romance with a lovely lady cat who lives in an apartment complex.
And so you have to sort of avoid dogs and jump into windows.
It's a great fun game, as listeners will be able to find out, because you can play it on an emulator, which I will link to at the Internet Archive.
You can play the old MS-DOS version of Alley Cat, even if you don't have MS-DOS.
Now, why am I talking about Alley Cat other than it is one of the great games of all time is that there was a new imagination of Alley Cat, which came out for Windows, released a few years ago for free, which I will also let— I can't believe— Thom, I thought you were old.
You must have played Alley Cat.
Alley Cat is a game where you are a cat and you want to make a bit of romance with a lovely lady cat who lives in an apartment complex.
And so you have to sort of avoid dogs and jump into windows.
It's a great fun game, as listeners will be able to find out, because you can play it on an emulator, which I will link to at the Internet Archive.
You can play the old MS-DOS version of Alley Cat, even if you don't have MS-DOS.
Now, why am I talking about Alley Cat other than it is one of the great games of all time is that there was a new imagination of Alley Cat, which came out for Windows, released a few years ago for free, which I will also let— I can't believe— Thom, I thought you were old.
You must have played Alley Cat.
I don't. You see, I remember things on the Spectrum 48K, you know, Nodes of Yesod and Jet Set Willy and stuff like that.
Oh, Jet Set Willy, yeah.
I don't remember this. Manic Miner.
Yeah.
You know?
Yeah.
Well, those are all good too. Well, anyway, I am recommending Alley Cat as my pick of the week, albeit being about 40 years old.
You can also check out Alley Cat, the Re-Meow Edition for Microsoft Windows. I haven't tried that one, but I'm sure it's jolly good as well, written by true fans of Alley Cat.
And that is why it is my pick of the week.
You can also check out Alley Cat, the Re-Meow Edition for Microsoft Windows. I haven't tried that one, but I'm sure it's jolly good as well, written by true fans of Alley Cat.
And that is why it is my pick of the week.
Very good.
Thom, what's your pick of the week?
So as you know, I'm a bit of a raging nerd or even a raving nerd as well, for that matter.
Thank God he said nerd.
Nerd. So I thought I'd do a little bit of tech this week.
You may have heard, or if you're on Reddit or Twitter or any of these internet browsery things, of the Remarkable E-Ink Notepad. It's in version 2 now. Version 2 came out last year.
I think it was around about March or so last year. It was great for distraction-free writing, note-taking, drawing.
There's different sorts of types of pencils it can next to your computer so you can synchronise notes and all that sort of thing. And I did not fall in love with it.
I actually sold it.
You may have heard, or if you're on Reddit or Twitter or any of these internet browsery things, of the Remarkable E-Ink Notepad. It's in version 2 now. Version 2 came out last year.
I think it was around about March or so last year. It was great for distraction-free writing, note-taking, drawing.
There's different sorts of types of pencils it can next to your computer so you can synchronise notes and all that sort of thing. And I did not fall in love with it.
I actually sold it.
Does it feel like you're writing on paper though? Is that a similar sort of tactile experience?
Yeah, it has that kind of— I don't want to say scratchy feel, but that textured feel, I think is probably the right word. It's very good. It's very good.
Well, Alex, see, you can have a play with mine.
Well, Alex, see, you can have a play with mine.
I would love to play with yours, Thom.
One of the reasons I didn't like it was the software wasn't quite there. It was a bit slow and clunky. It didn't always connect, etc.
But I kept on reading that it was getting that it had massively improved. So I took the dive into it again and had it delivered a couple of weeks ago now. And I love it.
Really, really good. Far more responsive, much more intuitive. And you can, you know—
But I kept on reading that it was getting that it had massively improved. So I took the dive into it again and had it delivered a couple of weeks ago now. And I love it.
Really, really good. Far more responsive, much more intuitive. And you can, you know—
What do you do with it, Thom? It's not something you install apps on, is it?
No, no, absolutely not. And that's one of its features is it does one thing and it does it very, very well. And it's distraction-free.
So you're not going to get a little pop-up of an email, you know, coming in or a tweet or whatever.
It's literally a notepad and it comes with different types of, you know, virtual stationery. So different lines, items or layouts or whatever.
You can upload PDFs or ebooks to it and read those as well if you wish.
So you're not going to get a little pop-up of an email, you know, coming in or a tweet or whatever.
It's literally a notepad and it comes with different types of, you know, virtual stationery. So different lines, items or layouts or whatever.
You can upload PDFs or ebooks to it and read those as well if you wish.
Have you thought of buying a regular paper notepad? Have you tried one of those?
I have, you know, I used to be a fan of the old Moleskine books.
Oh, but I still am, as you well know, right, Carl?
But I have got cupboards full of them, and I can't find anything. With this, if you're writing in it, you can also convert your text, your handwriting, into text.
Unless, like me, you've got the handwriting of a prison doctor. But, you know, aside from that, two-week battery, very, very slim, very thin.
And actually, frankly, I think it's come of age.
It's that great balance between I want a notebook, but I don't want to be carrying around this thing that's, you know, I want to have all of my notes all the time, and I want to be able to read a book occasionally or read an article, etc.
But I don't want to carry my iPad because that's just going to be distracting. I'm not going to actually get the thing I need doing done.
Unless, like me, you've got the handwriting of a prison doctor. But, you know, aside from that, two-week battery, very, very slim, very thin.
And actually, frankly, I think it's come of age.
It's that great balance between I want a notebook, but I don't want to be carrying around this thing that's, you know, I want to have all of my notes all the time, and I want to be able to read a book occasionally or read an article, etc.
But I don't want to carry my iPad because that's just going to be distracting. I'm not going to actually get the thing I need doing done.
Yeah, I'm still in the old school. I like having sketchpads, notepads. I like all that, but I can see the value.
There is some benefit here. If you can turn it into text and make it searchable.
Yes.
That's—
But how often do you write stuff? Like, I write stuff every day. I do a little list. I do a little list with squares, you know, like with little checkboxes every morning.
Absolutely.
And I write down all the stuff I got to do. And then I do a number check of like, I got to do this one first. I got to do this one second. I'm going to, you know, whatever.
And then I go through my list. I'm an 80/20 normally, like I get no shit done, but not everything.
And then I go through my list. I'm an 80/20 normally, like I get no shit done, but not everything.
And because it's e-ink, it will work outside in the daylight as well, won't it?
Absolutely. Yeah, absolutely. There's no—
Like a pen.
Like a pen and a pad. That's right, and that was my pick of the week.
Carole, what's your pick of the week?
I actually chose this one for Thom, actually, because Graham will roll his eyes and fall asleep during this. It's a podcast, a 12-parter sci-fi podcast called Solar.
It's from a company called Kirkco, came out in April this year. And here's the gist: you're on a mission.
There's a manned solar research probe that is sent to explore temporal distortions around the sun. But disaster, of course, strikes, right?
And now the crew are both disconnected from Earth, trapped in separate parts of the spacecraft, and they're facing some dire crunches if they don't get their chickens in a line.
It's from a company called Kirkco, came out in April this year. And here's the gist: you're on a mission.
There's a manned solar research probe that is sent to explore temporal distortions around the sun. But disaster, of course, strikes, right?
And now the crew are both disconnected from Earth, trapped in separate parts of the spacecraft, and they're facing some dire crunches if they don't get their chickens in a line.
They took chickens with them?
What? I was going to say, why did they take chickens?
Actually, they don't take chickens. They take ants. They take ants. But it's a top drawer cast.
You've got Stephanie Beatriz from Brooklyn Nine-Nine.
Exactly. Alan Cumming, Helen Hunt, Jonathan Banks.
There's super strong writing, great soundscaping, and it's a bit of an emotional ride, which is why I wanted to bring it up today too, because we talked about emotional AI.
I wouldn't say it's as good as my all-time favorite podcast of this genre called The Hyacinth Project, but this one comes close. So it's called Solar. Graham, don't even bother.
There's super strong writing, great soundscaping, and it's a bit of an emotional ride, which is why I wanted to bring it up today too, because we talked about emotional AI.
I wouldn't say it's as good as my all-time favorite podcast of this genre called The Hyacinth Project, but this one comes close. So it's called Solar. Graham, don't even bother.
I'm going to give it a whirl.
Don't bother. There's time jumps in it. It will be complicated. You'll be like, I don't even know where I am. I don't know if I'm at the beginning. Why are there people?
I thought they were dead. I don't understand. It'll just be, just don't, just don't. Everyone but Graham can do this.
I thought they were dead. I don't understand. It'll just be, just don't, just don't. Everyone but Graham can do this.
Bit too timey-wimey for me.
Yeah.
But it's called Solar. You can find it wherever you get your podcasts. And it is my pick of the week.
Fantastic.
I think my kids would like that as well, by the sounds of it.
Now, Carole, you've been chatting to our good chums at Bitwarden this week, haven't you?
So I spoke with their founder and CTO, Kyle Spearrin, and he tells us all about how Bitwarden's approach to password management is maybe a bit cooler than everybody else's.
Take a listen.
So today, a treat, listeners. We have Kyle Spearrin, founder and chief technology officer at Bitwarden. Thanks for taking the time to speak to us today. I bet your schedule is busy.
Thanks, Carole.
So Kyle, you founded Bitwarden. Now, may I ask you to cast your mind way back and what was the problem that you spotted and that you wanted to fix? I basically want the origin story.
I was a user of other password management tools for many years.
Password management was not necessarily a new concept at this time, and I had been using those tools for quite a while.
There were things that I thought I could do better or improve upon, obviously, and many were doing certain things well. There were other things they maybe weren't doing so well.
Some had complicated installs and setup procedures, and they weren't across the platforms that I wanted.
There were open-source options, but they were fragmented a bit in their implementations, so you had to try to figure out which ones were quality and which ones could you trust.
So I set off to build Kyle's password manager, if you will. And this was back in 2015, 2016 timeframe.
And I wanted to really appease the desires of someone like myself, I guess, which is a developer and an engineer, a technologist, and while also bringing in some of the aspects that I saw in other tools that made them a bit more turnkey and simple to use, you know, for the greater audience.
Password management was not necessarily a new concept at this time, and I had been using those tools for quite a while.
There were things that I thought I could do better or improve upon, obviously, and many were doing certain things well. There were other things they maybe weren't doing so well.
Some had complicated installs and setup procedures, and they weren't across the platforms that I wanted.
There were open-source options, but they were fragmented a bit in their implementations, so you had to try to figure out which ones were quality and which ones could you trust.
So I set off to build Kyle's password manager, if you will. And this was back in 2015, 2016 timeframe.
And I wanted to really appease the desires of someone like myself, I guess, which is a developer and an engineer, a technologist, and while also bringing in some of the aspects that I saw in other tools that made them a bit more turnkey and simple to use, you know, for the greater audience.
It gives you a lot of flexibility to learn from predecessors who may have heavy-handed certain aspects where you could be much more light-footed.
Yeah, I don't think that I necessarily invented anything.
I saw a lot of what others were doing, and some were doing things well and some were doing things not so well in other areas.
And I thought that I could bring the best of both worlds together.
I guess it was about late 2015, early 2016 at this time, I set out to build the first iteration of what would become Bitwarden.
At the time, I was working for another company in a full-time role. So this was more of a side project, if you will, of an idea—
I saw a lot of what others were doing, and some were doing things well and some were doing things not so well in other areas.
And I thought that I could bring the best of both worlds together.
I guess it was about late 2015, early 2016 at this time, I set out to build the first iteration of what would become Bitwarden.
At the time, I was working for another company in a full-time role. So this was more of a side project, if you will, of an idea—
Project of love.
Yeah.
That I had. And also, my background was mostly in web development. In architecture at the time. I was building cloud-powered web apps and such.
And I had actually never built a browser extension or a mobile app or a desktop application before in my career.
So I think, in fact, Bitwarden is still the only mobile application I've ever built before, albeit two or three times over by now.
But I've always really also enjoyed opportunities to learn new technologies to solve a specific problem that I'm working towards.
So I think I was moonlighting it for, I don't know, I guess about 7 or 8 months building these apps. I was also a new father at the time. I had my first son during this time.
And I had actually never built a browser extension or a mobile app or a desktop application before in my career.
So I think, in fact, Bitwarden is still the only mobile application I've ever built before, albeit two or three times over by now.
But I've always really also enjoyed opportunities to learn new technologies to solve a specific problem that I'm working towards.
So I think I was moonlighting it for, I don't know, I guess about 7 or 8 months building these apps. I was also a new father at the time. I had my first son during this time.
So you had loads of free time.
I wasn't getting much sleep, I guess, if you want to put it that way.
Ended up launching the first iteration of Bitwarden, I guess it was in August of 2016 is when those first apps came out.
I posted it on Reddit and Hacker News and Product Hunt and other social outlets like that. To my surprise, it got really great traction right from the get-go.
I was getting great feedback right out of the gate from people.
But I guess it turns out that a lot of people viewed the problem in a very similar way, I guess, and what I had launched and how I had launched it, and it resonated with them.
Ended up launching the first iteration of Bitwarden, I guess it was in August of 2016 is when those first apps came out.
I posted it on Reddit and Hacker News and Product Hunt and other social outlets like that. To my surprise, it got really great traction right from the get-go.
I was getting great feedback right out of the gate from people.
But I guess it turns out that a lot of people viewed the problem in a very similar way, I guess, and what I had launched and how I had launched it, and it resonated with them.
Yeah, we doubt that a lot, right? When things really frustrate us, we should always remember at least 25% of other people out there feel exactly the same way.
Yeah, yeah.
So you coming out of the gates in 2016, you have 4 years to find your feet before the whole world does a little weird 180 and suddenly people are working from home and companies are suddenly facing new challenges all over your customer base, your prospects.
Were you guys prepared for that in a way that was better than others, do you think, because you were working in password management and remote access is key?
Were you guys prepared for that in a way that was better than others, do you think, because you were working in password management and remote access is key?
Yeah, so certainly the pandemic was a bit of a shock when it first all happened, and companies were scrambling to try to figure out the best way to adapt to the needs of what's happening and people staying home.
Although there was a bit of a freeze in trying to figure out what to do in the beginning, obviously tools that facilitated the use of remote work and how people operate in a remote fashion ultimately benefited somewhat from that kind of shift in the way people are operating.
And that was certainly the case for tools like ours.
As employees are now staying home and the threat level switches from being in the office all the time to now kind of being a lot more fragmented and people connecting outside of the company network and having to access a lot more tools and things where passwords are necessary.
It worked out a bit in our favor as opposed to what problems our tools were solving.
And I think that password management has certainly become a bit more of a focus for companies and the like to add another tool of mitigation towards the threats that they see as a business.
Although there was a bit of a freeze in trying to figure out what to do in the beginning, obviously tools that facilitated the use of remote work and how people operate in a remote fashion ultimately benefited somewhat from that kind of shift in the way people are operating.
And that was certainly the case for tools like ours.
As employees are now staying home and the threat level switches from being in the office all the time to now kind of being a lot more fragmented and people connecting outside of the company network and having to access a lot more tools and things where passwords are necessary.
It worked out a bit in our favor as opposed to what problems our tools were solving.
And I think that password management has certainly become a bit more of a focus for companies and the like to add another tool of mitigation towards the threats that they see as a business.
Yeah, it kind of made the whole idea of secure access, like put it in bold and double underlined for a lot of companies when all that happened.
So maybe you could tell us a little bit about Bitwarden services. So you guys have a password manager, but it's slightly different than everybody else's.
So maybe you could tell us a little bit about Bitwarden services. So you guys have a password manager, but it's slightly different than everybody else's.
Yeah, so we've tried to, as I mentioned, take the best— in the beginning, in the origin, I took a lot of the best things from the different tools that were out there, at least in my mind.
But we try to put a little bit of a spin in what we're offering that's a bit different than some of the other options that are out there.
I'm not some famous technologist on the internet with a huge Twitter following.
So I was looking for ways to— why should people trust our tool and this person that built this tool to store your sensitive data and passwords there?
But we try to put a little bit of a spin in what we're offering that's a bit different than some of the other options that are out there.
I'm not some famous technologist on the internet with a huge Twitter following.
So I was looking for ways to— why should people trust our tool and this person that built this tool to store your sensitive data and passwords there?
Ransomware.
And being a developer and a technologist, understanding some of those problems, I thought open source would be a really good way to approach that problem.
And to this day, open source is how we operate as a company. All the tools that we develop and build are all done in the open and transparent about what we're doing.
So I chose open source in the beginning to ensure transparency in what we're doing.
I believe that open-source transparency really is around security products like Bitwarden is somewhat of a requirement for these kinds of solutions.
And people should have the opportunity to vet how their tools and their sensitive data is being handled by a product.
And with open source, what I didn't really foresee was the community aspect that naturally came along with being an open-source product.
With open-source development, for an application like Bitwarden, you can't help to form a community of people who are interested in what's being built.
And we get a lot of feedback from our community and we listen to our community.
Much of the fundamentals of how Bitwarden was built are based on the feedback that we get from our community.
So open source really enables us to attack the problem from a different angle that really none of the other solutions or the leaders out there around our type of product are really doing.
And it's also enabled us to develop additional features because we're open source that naturally play into what we're doing.
So we're a SaaS-hosted platform turnkey solution that you can just sign up for.
But another great aspect of our product is that you can— it's bundled up in a way that you can host it yourself if you need to.
So our product is compiled and deployed to you through platforms that allow you to host it on your own internal network and infrastructure if that's the way that you operate and you don't want to use our hosted solution.
And to this day, open source is how we operate as a company. All the tools that we develop and build are all done in the open and transparent about what we're doing.
So I chose open source in the beginning to ensure transparency in what we're doing.
I believe that open-source transparency really is around security products like Bitwarden is somewhat of a requirement for these kinds of solutions.
And people should have the opportunity to vet how their tools and their sensitive data is being handled by a product.
And with open source, what I didn't really foresee was the community aspect that naturally came along with being an open-source product.
With open-source development, for an application like Bitwarden, you can't help to form a community of people who are interested in what's being built.
And we get a lot of feedback from our community and we listen to our community.
Much of the fundamentals of how Bitwarden was built are based on the feedback that we get from our community.
So open source really enables us to attack the problem from a different angle that really none of the other solutions or the leaders out there around our type of product are really doing.
And it's also enabled us to develop additional features because we're open source that naturally play into what we're doing.
So we're a SaaS-hosted platform turnkey solution that you can just sign up for.
But another great aspect of our product is that you can— it's bundled up in a way that you can host it yourself if you need to.
So our product is compiled and deployed to you through platforms that allow you to host it on your own internal network and infrastructure if that's the way that you operate and you don't want to use our hosted solution.
It's pretty amazing, I think, because there's still a lot of companies out there that— so this is a hard question for me because I'm totally bought into password management.
I think it's a key, key fundamental thing, and I can't believe there are businesses out there that haven't caught on to the magic.
And that literally it can make life easier for everybody, not just for the IT folks, not just for the high levels, but for the employees as well.
I think it's a key, key fundamental thing, and I can't believe there are businesses out there that haven't caught on to the magic.
And that literally it can make life easier for everybody, not just for the IT folks, not just for the high levels, but for the employees as well.
Yeah, so Bitwarden's goal is always to really meet you where you are. Adopting password management shouldn't be some life-altering decision that you have to make.
And we're humans and we're creatures of habit and we don't like change. And I think Bitwarden understands that. And in a perfect world, Bitwarden's not really getting in your way.
It's not really changing how you use the internet on a daily basis. It's there to help you when you need it, and when you don't need it, we're out of the way.
And there's a battle between convenience and security in the security world all the time.
And we're humans and we're creatures of habit and we don't like change. And I think Bitwarden understands that. And in a perfect world, Bitwarden's not really getting in your way.
It's not really changing how you use the internet on a daily basis. It's there to help you when you need it, and when you don't need it, we're out of the way.
And there's a battle between convenience and security in the security world all the time.
Yeah.
I'm of the opinion that convenience will always win. People will always choose convenience over security.
So as a security company and someone building security products, you have to really be mindful of that.
If it's not convenient, people don't want to adopt it and there's friction there, they're not going to use the tool and they're not going to do things in a secure way.
So there's always a trade-off you have to make, I feel, somewhat between security and convenience.
But with a tool like ours, it can also just be a big boost in productivity as well for people.
You know, just think about how much time you spend resetting passwords and trying to remember what your passwords were and talking to the IT admin to reset your password for this system and dealing with password changes all the time and things like that.
Once you get the hang of using our product, how it works itself into your flows that you already use, it can be a real boost in just general productivity as well for users.
So as a security company and someone building security products, you have to really be mindful of that.
If it's not convenient, people don't want to adopt it and there's friction there, they're not going to use the tool and they're not going to do things in a secure way.
So there's always a trade-off you have to make, I feel, somewhat between security and convenience.
But with a tool like ours, it can also just be a big boost in productivity as well for people.
You know, just think about how much time you spend resetting passwords and trying to remember what your passwords were and talking to the IT admin to reset your password for this system and dealing with password changes all the time and things like that.
Once you get the hang of using our product, how it works itself into your flows that you already use, it can be a real boost in just general productivity as well for users.
I couldn't agree more. Now, listeners, you can find out loads more information at bitwarden.com/smashing. You'll learn about Bitwarden's customizable features.
You will see Bitwarden's open-source password manager. Plus, you can unite your existing systems with Bitwarden using SSO authentication, directory services, or powerful APIs.
Why not get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing or just try it for free across devices as an individual user. Your choice.
That's bitwarden.com/smashing. Kyle, is there anything else you'd like to add before we close our chat?
You will see Bitwarden's open-source password manager. Plus, you can unite your existing systems with Bitwarden using SSO authentication, directory services, or powerful APIs.
Why not get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing or just try it for free across devices as an individual user. Your choice.
That's bitwarden.com/smashing. Kyle, is there anything else you'd like to add before we close our chat?
Yeah, so if you're not using a password management tool yet, or maybe you already are using a password management tool, I would suggest you check out Bitwarden.
You can go to our website and check out different client applications that we offer and our approach to how we build software and how we deliver that to you in the ways that we think work.
Give Bitwarden a try and see if it can make your life better.
You can go to our website and check out different client applications that we offer and our approach to how we build software and how we deliver that to you in the ways that we think work.
Give Bitwarden a try and see if it can make your life better.
Well, there you have it. Thank you so much, Kyle Spearrin, founder and CTO of Bitwarden. Thank you for your time today.
Thanks, Carole.
Terrific stuff. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
So you can get me on Twitter @ThomLangford. That's Thom with an H, because Twitter would let me have an H.
And you can also check us out at hostunknown.tv for podcasts, films, and a whole bunch of other stuff. So yeah, check me out.
And you can also check us out at hostunknown.tv for podcasts, films, and a whole bunch of other stuff. So yeah, check me out.
Super. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And we also have a Smashing Security subreddit.
Don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
Don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And of course, huge shout out to this episode's sponsors, Bitwarden, Collide, and Snyk. And of course, to our Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 280 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 280 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye. Stay secure, my friends.
See-saw by day, see-saw by night.
No, I just love ripping off Jav's tagline.
Okay, we made it, man.
That was very good.
Bravo. It was very good.
Was that all right? You're not gonna have to cut too much of me out?
No. No.
Thom behaved himself.
It's a first.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guests:
@thomlangford.bsky.social
@
Show notes:
- LockBit 3.0 introduces the first ransomware bug bounty program — Bleeping Computer.
- Fake copyright infringement emails install LockBit ransomware — Bleeping Computer.
- Why US women are deleting their period tracking apps — The Guardian.
- Privacy not included — Mozilla Foundation.
- The #1 Period Tracker on the App Store Will Hand Over Data Without a Warrant — Vice.
- Microsoft is removing emotion recognition features from its facial recognition tech — NBC News.
- Top 10 Emotional AI Examples in 2022 & Reasons for Success — AI Multiple.
- Analysis of Speech Features for Emotion Detection: A Review — IEEE Xplore.
- Microsoft's framework for building AI systems responsibly — Microsoft.
- Alley Cat — Wikipedia.
- Play Alley Cat — Internet Archive.
- Alley Cat Remeow Edition — Game Jolt.
- reMarkable.
- SOLAR podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: Bitwarden
A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.
Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.
Sponsor: Kolide
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
Sponsor: Snyk
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.
Get started right now, with a free forever account, at snyk.co/smashing
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
