
A new version of the LockBit ransomware offers a bug bounty, women uninstall period-tracking apps in fear of how their data might be used against them, and Microsoft’s facial recognition tech no longer wants to know how you’re feeling.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast.
Plus don’t miss our featured interview with Bitwarden founder and CTO Kyle Spearrin.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You would be the sort of person who would beta test gravity. You would jump off a cliff and say, let me test this for you, see if it works or not. And you'd go splatter at the bottom of the cliff.
Or the guy who jumped off the Eiffel Tower to test his flying suit.
You know what? My brother did that, although he was seven. So a little bit younger.
Your brother climbed, jumped off the Eiffel Tower?
No, he jumped off the roof of our house. My mum sewed him a Superman outfit when he was about six or seven, technically a flying suit, and he went up on the roof, launched himself and then fell promptly to the ground. Anyway, so you know he was seven though, so yeah.
Your genetics, girl, your genetics. Smashing Security episode 281: debug ransomware and win a million dollars, period tracking apps, and AI gets emotional, with Carole Theriault and Graham Cluley. Hello and welcome to Smashing Security episode 281. My name's Graham Cluley.
And I'm Carole Theriault. And Carole, this week we've got a very special guest. Who have we got in the hot seat today?
The award-winning Thom Langford. Award-winning? I like the sound of that. Thank you very much.
Yes, well, Thom, and your podcast has recently won an award. Do you want to tell our audience about it?
Yes, please. The Host Unknown podcast releases every week. I don't remember the name. Yeah, I know you couldn't. I know you couldn't. I know because, you know, you don't give us a second thought, but you guys live rent-free in our heads, so.
We've appeared on the show. We've actually sponsored your podcast.
You have, I know. We actually gave you money. We've come on the show as well.
Yes. I think you give us less thought than we give you because you're all we ever think about. What would Smashing do? Is this like Chicago? Are we your inspiration?
Of course you are. We look up to you. We really enjoy it when we win awards, but you know.
Well congratulations.
Yes, thank you very much.
So what award did the Host Unknown podcast win, Thom?
From memory, the most entertaining podcast.
No, well that's incorrect, that's us obviously. Oh, was it? Yes, you've won the best non-vendor cyber security podcast.
Oh, that's right. That's right. You won the most entertaining blog, didn't you?
Yeah. Yes. Interesting. It's a stellar award system. Should we go to our sponsors? Let's thank this week's wonderful sponsors: Bitwarden, Snyk and Kolide. It's their support that helps us give you the show for free. I'm going to be talking about an unpopular software update that could earn you $1 million.
Okay, and Thom, what about you?
I'm going to talk about unintended digital consequences to laws.
And I'm calling mine, are you crying or just cutting onions? Plus, we have a featured interview this week with Kyle Spearrin of Bitwarden. All this and much more coming up on this episode of Smashing Security.
Now, chums, do you love a software update?
That's the best thing ever. It's better than Christmas. I like doing them just before going live on a podcast.
You know what, Thom? That's exactly what I imagined you would do. I thought if there was a new version of macOS which came out 20 minutes before recording your podcast, you are the sort of, how can I put this politely, complete blithering idiot who would click apply.
Yeah, and done it. I've done it. In fact, we mentioned it on the show. Not the operating system, just my entire sound deck system for a podcast. Done it just before the show. Delayed us by about 45 minutes.
Of course you did.
But I got new free stuff.
Yes, but sometimes it can have unintended consequences. I mean, I must admit, I'm a slight addict to installing updates as well. I do have to resist. I think maybe some other people should be to test them before me.
Can I ask though, do you have it all set up automatically or do you jump the gun and go and get it before it's handed out for the automatic rollout?
Well, it depends. On my phone, they automatically install. Don't really care about that. On my desktop computer, where it's a little bit more work-oriented, I try to have some manual involvement, so I choose when to do it. And obviously in the workplace as well, people are staggering the rollout of patches and security updates to make sure they don't conflict with anything. You know, there can be a problem, can't they, security updates? Because they may introduce some sort of clash or a new vulnerability, or you may be thinking, well, I have to install this to protect against a vulnerability. Oh, my goodness, what am I going to do? Is it going to be worse to install the patch, or is that going to introduce a vulnerability, or is that going to fix a vulnerability? Dither, dither, dither.
Wow. Okay. I don't put that much thought in it. I mean, obviously things can go wrong, but I just think they're probably 99% good, so just rock on because it's better to have them than not. Do you do beta updates?
No. No. Really? Why not? Because I'm not an idiot.
Because they're bloody betas.
That's early free stuff.
I love that people like you exist, though, Thom. I'm not even kidding. I love that people go out and they're – because we need beta testers. We need alpha testers. We need those people. But no way would I do it. You know
What, Thom? If you'd been around when Isaac Newton was around, which possibly you were, and he invented gravity, of course. Gravity didn't exist before the apple fell on his head. You would be the sort of person who would beta test gravity. You would jump off a cliff and say, let me test this for you to see if it works or not. And you'd go splatter at the bottom of the cliff.
Or the guy who jumped off the Eiffel Tower to test his flying suit.
You know what? My brother did that, although he was seven. So a little bit younger. Your brother jumped off the Eiffel Tower? No, he jumped off the roof of our house. Yeah, my mom sewed him a Superman outfit when he was about six or seven. Technically a flying suit. Because he was in love with Christopher Reeve and Superman and it was all during that series. And he went up on the roof and it was not very high. It was a very low sloping roof at this stage. But still, he had a good six feet to fall. And when you're only three foot two, that's kind of a big deal. Right. Launched himself and then fell promptly to the ground and didn't understand it. And then everyone was like, Superman never had to go off buildings. And then he showed us in the VHS where he does, because he does go off a few buildings, doesn't he? Oh, yes. Yeah. Anyway, so, you know, he was seven, though. So, you know. Yeah.
Your genetics, girl. Your genetics. Anyway, I want to talk to you today about an update to a very unpopular piece of software. Not unpopular because hardly anyone runs it, but nobody wants it. I'm not talking about Clippy. Some people might even like Clippy. I'm talking about an update to a notorious piece of ransomware. LockBit, of course. LockBit has been at the heart of some 40% of all known ransomware attacks last month. 40%, really? 40%, according to reports. According to reports, yes. Reports, okay. Ransomware du jour. And a new version of LockBit has been beta testing for a while. Have you been running the beta test of LockBit on your computers?
It's costing me a fortune, but yes.
Well, LockBit 3.0 has now been officially released. Huzzah! Or maybe not. So what is new about LockBit 3.0? Well, Bleeping Computer reports that there are some interesting new developments in LockBit, aside from all the core stuff of encrypting your data and exfiltrating your data and demanding the money from you. So one of the new things is that the LockBit gang is now running a bug bounty program.
Oh, my freaking Lord. Of course they are. You know why? They're streamlined. It's very efficient. They're agile.
Yeah. It's really impressive. When you think of how many legitimate companies aren't running a bug bounty and now the criminals are running a bug bounty saying, if you find a bug in our software, in our ransomware, please let us know and you can earn anywhere from $1,000 up to $1 million.
Yeah, yeah. I'll wait to see that be paid out before. Do they take that off your bill as well?
That's right. You've hit us hard, but we found a spelling mistake. We found that your files were slightly correct. So in the announcement, the LockBit gang are saying that they are inviting all security researchers, ethical and unethical hackers on the planet to participate. So they want to know about bugs which are basically costing them money or bugs which are meaning maybe they're less efficient. And they've clearly got the funds they're claiming. So in theory, someone could find a vulnerability or a weakness in their encryption algorithm, maybe a way to get back the data without paying the gang. And you've then got a choice. Do you tell that to the good guys or do you tell it to the bad guys? And now the bad guys are saying, well, tell us and we'll pay you for it.
I guess that really depends on if you are an ethical or an unethical hacker or security researcher. Yes, exactly.
What would happen, though, if you do it ethically? Okay, so where do you go? So do you go to your local federal cops? Is that where you would go? Yeah. Or publish it publicly.
There's organizations like No More Ransomware, that group, different security companies and researchers.
I'd give it to Graham. He'd know what to do with it.
Are we saying we don't agree with responsible disclosure at this time?
It puts us in an awkward position here, isn't it? Because normally we're saying, well, you know, you should really tell the software vendor about the bugs so that they can fix them. But when the software is written by bad guys, maybe not.
And seriously, locking down hospitals and schools and, yeah.
Well, I was going to say we shouldn't be helping organizations that are ripping millions of dollars off of organizations globally. But that's not really a clear definition of whether they're a criminal enterprise or a regular enterprise really, is it?
I think globally you can add a B to that, not millions but billions, yeah.
Well, I think the other thing is, of course, if you help a criminal organization like the guys behind LockBit, you might be frowned upon by law enforcement in your particular country. They may think, well, you're basically in league with them, aren't you? You are part of their enterprise if you're assisting them making their software, quote, better. You're receiving stolen funds. Yes, I would imagine so as well.
And we're circling back to your argument, though, of should there be laws to prevent people from actually paying bad guys in these situations?
Well, this is the way of getting your money back, I suppose, isn't it? I wonder if there's any scams, which I wonder if it's possible to scam the ransomware guys. If you could somehow convince them that there is a vulnerability which isn't really as bad as they thought. Or if you say, look, I've looked at your code and I found a way to improve it. If you apply this patch to your ransomware, and in fact, the patch means that any funds people pay go into your Bitcoin wallet rather than theirs.
More glorious than that. You could just lock up their data and ask for payment for it and then return the payments to the people that paid up in the first place, going, don't do that again. So they're not just interested in bugs and vulnerabilities in their ransomware. They're also looking for brilliant ideas on improving their operations, so if you've thought of a new way that they can make even more money, they're interested in that and they will pay out, they say, for those. And they're saying they will give out exactly one million dollars, no more and no less, for doxing their affiliate program boss. So LockBit, like other ransomware operations, is ransomware as a service.
But you do have to set up a Bitcoin account, right?
Well, yes. You would need some sort of crypto. There's some costs. I think people would be able to work out how to do it.
And also, you're going to get paid a million dollars in Bitcoin, which tomorrow is going to be worth 800,000 in Bitcoin. Yes, move quickly. The day after that is going to be worth 750 and so on. It's not the most stable of currencies at the moment.
No. Anyway, ransomware is evolving and so are the campaigns to distribute it. There was a recent LockBit campaign which arrived as an email claiming copyright infringement. So if you were to run, for instance, an award-winning cybersecurity podcast and you regularly infringe the copyright of another cybersecurity podcast, maybe by using their jingles or something like that, yes, and you received an email from them, I would suggest, Thom, that you be very, very careful about opening the attachments.
Whoa, whoa. I'm glad we use open source music then.
Thom, what's your subject for us this week? This is talking about the very recent decision by the US Supreme Court to rescind the Roe versus Wade ruling, which allows for abortion rights for women in the US. And that's across the US. It's now down to individual states to decide. And that's broadly speaking, that's now made up upon party lines. So, you know, red versus blue parties and whichever states are run by which. The actual ethics, morals behind all of that is not what I'm going to be looking into in this point. That's for an entirely different show. What I want to look at is actually the impact that something, and I don't want to say something as innocuous as this because it's far from it, But something that feels very, very unrelated to technology can actually have some big technology impact. I don't know why you need an app to work out what's the best time to be pregnant. I would think normally probably about quarter past one in the morning would be my advice.
I can't believe you've reproduced. I was going to wonder where you would go with that, Graham. And I was thinking that's probably because you don't have a uterus.
Come on, Thom. You're not 51. You're much older than that. Exactly. And who is no longer able to sire children. This has got very little to do with me personally.
I would plug right now, if it's okay, I'd plug Firefox's privacy not included site. So you can put in different devices or apps because they do all the legwork for you by reading all the terms and looking at all the features and reading the website and giving you a kind of educated feel of how they're handling data.
That's a really good one. Yeah, and this is really a problem. I've been reading on Vice recently. They've been tracking some of the response to this, and they've been investigating some of the tech companies who run, for instance, period tracking apps. Wait until the law against being a short, bald, wok-smuggling male is going to come in.
Wok-smuggling? What were you smuggling woks?
Yeah, under my shirt.
I don't even know what that means.
If you were to put a wok up your shirt, what would it look like?
Like I had a great big chest, I suppose.
Well, it depends how high up you put it. Oh, I see. Oh, right. Okay. I see. Yes. This is great radio, guys. We start with me asking you guys a question in two different ways. And I want you to try and categorize each question based on what you hear. Okay.
Yeah, well, yes, the second one sounded rather aggressive, I thought. A little threatening?
Exactly. A little bit, yes. I was going for that. Well done, girl. And the first one?
I know where you live. It's kind of a bit sexy.
Yeah. But the whole point here is that it was easy for you to decipher between two emotional states. It's possible to get it wrong, right? Of course, we all get it occasionally wrong. But we have these built-in mechanisms to help us navigate the emotional tone of a speaker, right? Even if you don't speak a language, I suspect you can get the emotional tone because the tone goes beyond the language barrier. Like if you closed your eyes and thought of the Swedish chef, who's not even speaking any Swedish at all or any language at all, but on the Muppets, you would know whether he was having fun or whether he was freaking out just by his tone. Even if your eyes were closed, you'd know.
Yes. It would explain why I wasn't able to buy anything when I went on holiday in Sweden. I learned all my Swedish from the Muppets.
And with all things labeled artificial intelligence or AI, we also have a component called emotional AI. Do you guys know anything about this? Emotional artificial intelligence.
No.
Oh, tell me. Very interesting. So it's called emotional recognition technology, and it typically relies on software to look at loads of different qualities. So if it's visual, it would be facial expressions, or if it was audio, it would be speed of speech, tone of voice, word choice. You'd gather all this data to automatically detect an emotional state. It sounds awfully clever. It does sound awfully clever, and it is awfully clever. And in order for an AI to be able to classify this information it's getting, it needs a glut load of practice, doesn't it?
So it's going to need a huge amount of data of people looking angry or happy or smiling. Or sounding. Yes. Or suggested. Or orgasm face or whatever it might be. Vinegar strokes.
I don't want to know. I don't ask. I don't ask anymore.
Is it to do with the walk?
No. Don't tell us, Thom. Is it the face you pull when you've got a mouthful of vinegar?
Oh, right. Okay. But the thing is, emotions are a little bit more complicated than happy, sad, right? There's how happy, how sad. Or sarcasm. Or satirical happiness or fake sadness, right? Yes. Yes. Because, you know, we've all been, you know, if anyone has been in a failed relationship, we know this kind of... I'll take the bin out there. You're angry. No, I'm not. Yeah, you are. No, I'm not. I can tell you're angry. I am not angry. And it goes on and on and on.
Yep, that rings a bell. About 9,000 of them.
So why am I talking about this? Well, this week we learned that Microsoft is removing emotion recognition features from its facial recognition tech in Azure. And they're doing this because they say the science of emotion is far from settled. So Microsoft announced this change in a blog post last week. And while they kind of buried this news at the bottom, they had five points they were making, and this was number five. So this was Natasha Crampton, Microsoft's chief responsible AI officer, who wrote the post. She says, quote, finally, right, number five, finally, we recognize that for AI systems to be trustworthy, they need to be appropriate solutions to the problems they are designed to solve. As part of our work to align our Azure Face service to the requirements of the responsible AI standard, which they've written, we are also retiring capabilities that infer emotional states and identity attributes such as gender, age, smile, facial hair, hair and makeup. Because basically, I'm sure they were shit at it.
It's good to know, by the way, that Microsoft also have a responsible AI department, just like we've discovered last week. Google have one as well.
Makes the question, who heads up their irresponsible AI? Yes, indeed. Quote, unquote.
Yes. So Microsoft are kind of pulling away from it, saying there's basically a lack of scientific consensus on the definition of emotions, very similar to last week, and the challenges on how these inferences generalize across use cases, regions, demographics. So basically, we don't really know what we're doing is what they're saying. And they're pulling away from it. They're kind of going, we've played with this. It turns out we're going to get in hot water. We're pulling back. But it led me to think, there must be a lot of other firms maybe dabbling in this, right? Because there's a lot of wonga here. If you can target someone emotionally, we all know that we're more likely to be engaged and therefore more likely to pay attention to that service or buy that product or whatever. So NBC News writes that many companies do, and they had a few listed. So I just wanted to, and I went around Googling. I got into a rabbit hole of who uses emotional AI and why. Can you think of any reasons why anyone would want to use it before I list any?
Okay, I'll kick off a few.
Give us a few seed ones. Yeah, I'll give you a few seed ones. Okay, hold on. Okay, so Cognito Dialogue. This is a call center emotional, intelligent, and customer service. And they claim to provide live analysis of the emotions of the caller, because you're obviously not listening, right? On customer service lines so that employees in call center can alter their behavior accordingly. So imagine I call up, right? And I'm labeled super pissed off, super pissed off. And it just turns out I've got a cold, right? And they couldn't read me properly. Oh, yeah. I might get some free stuff and I'd give it to you, Thom, because you love free stuff.
I do love free stuff. I mean, in essence, any kind of interaction with AI at the moment is a fairly flat experience. You know, it's all very discreet in the sense that it's very specific in what it does. I guess what this is doing is it's actually going to allow you to interact with an AI in a way that will respond to how you are behaving and talking and presenting and respond back in an appropriate manner. Maybe. Let me give you some more examples and see if you're still comfy, right? So Brazil's yellow line of Sao Paulo Metro deployed emotion AI analytics technology to optimize their subway interactive ads according to people's emotions. So you walk by feeling a little bit pissed off because someone with BO's armpit was in your face the whole ride, and they then show you a happy clappy ad to try and make you happy and therefore engage you. Oh, they can f right off. I think we're at the very beginning of this process. So right now this feels extraordinarily artificial and forced and not natural in the slightest, because that's not how we expect advertising hoardings to behave or for our school to be able to say, oh, you know, your child looked disengaged. No, his dog just died this morning. So it feels very unnatural. But I imagine in 10 to 15 years time, this is going to be rolled out in a way that is much more invisible and yet more effective.
At the moment, I think it's horrible. Yeah, exactly. As you say, right now, there are issues like, for example, that nasty bias thing going on. Right. So there have been studies from the University of Maryland that found that emotional AI is manipulative and discriminatory. So one AI would read black subjects as angrier than white subjects, and even Microsoft's AI read black subjects as betraying more contempt.
Oh my goodness. Well just when they put their AI onto Twitter and Twitter managed to turn it into a raging Nazi. A raving Nazi is quite a happy one because they're dancing, but a raging Nazi, subtle difference, but it's all one.
They did used to put their hands in the air didn't they, a bit like ravers.
They did.
They just didn't care. But this is the thing to your point though, Thom, you were saying okay when 10, 15 years this could happen, but Sandra Wachter, she's an associate professor and senior research fellow at University of Oxford, and she's saying there's no proven basis in science to what they're doing. At absolute worst, this is pseudoscience. And she says, quote, even if we were to find evidence, the AI is reliably able to infer emotions, that alone would still not justify its use. Our thoughts and emotions are the most intimate parts of our personality and are protected by human rights, such as the right to privacy. Let's not pave the road for it, because I don't like the idea that a camera can look at me and decide how I feel.
But you're all right with a human deciding that. I would them to go, how are you?
That's kind of the question we ask each other, right?
Yeah, but not everybody. A shop assistant won't ask you how you are, or at least not in a way that they... They do me. I obviously have a better relationship than you do. Well, yeah, but when they say, how are you, they really don't want to know. Well, I always tell them. I'm like, wow.
And sometimes people don't want to be told, oh, you know, smile, love, it may never happen or something, or they don't want to...
You don't have to do that. You don't have to say any of that. You could just say, can you get out of the way, please, so I can get into the store, for example. You don't have to go, how are you, to people you don't care about asking, but if you care and you want to understand that, you can ask them. Anyway, I agree with Sandra Wachter and emotional AI. Interesting but scary stuff.
When you opened with a Swedish chef, it reminded me of the Swedish chemist joke. Do you remember that one?
No.
Is it about the deodorant?
Yes, tell me. So a guy walks into this Swedish chemist, says do you have any deodorant? And the guy behind the...
Hang on, we both know it. We can do the parts of this Thom. We can do it between us. You be the customer, I'll...
Be the customer. Hello, do you have any deodorant?
Yes, a ball or aerosol?
No, it's for my armpits. It's so good, guys.
That's your favorite time of the show. Swedish listeners, please write in.
Snyk is a developer security platform integrating directly into development tools, workflows, and automation pipelines. Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit. Get started right now with a free forever account at snyk.co slash smashing. That's Snyk, which is S-N-Y-K dot co slash smashing. And thanks to Snyk for supporting the show.
Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com slash smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams enterprise plan. And the thing I like about this, a good password manager is robust and cost effective, as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com slash smashing. Start your free password manager trial today.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide, that's smashingsecurity.com slash k-o-l-i-d-e. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com slash kolide. That's smashingsecurity.com slash k-o-l-i-d-e and thanks to Kolide for supporting the show.
And welcome back and you join us at our favorite part of the show, the part of the show that we like to call pick of the week. Pick of the week. Pick of the week. Pick of the Week is the part of the show where everyone chooses to send a like. Could be a funny story, a book, whether they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. Super Mario, Legend of Zelda, Red Dead Redemption. These are all fantastic video games. And up there, right at the top of all of the greatest video games of all time, is, of course, Alley Cat. Have either of you played Alley Cat? No. I hardly play any video game, though. I've not heard of this. What platform was it?
Well, it came out on the IBM PC. So the very fact I call it the IBM PC gives you a hint.
Yes. 1988, people. Also available for the Amstrad 1640 and 1512.
Actually, a little bit earlier than 1988. It was, I think, about 1983 it came out. Written by the late Bill Williams. It has the best theme tune of any video game ever. Long live 8 bits. Alley Cat is a game where you are a cat and you want to make a bit of romance with a lovely lady cat who lives in an apartment complex, and so you have to sort of avoid dogs and jump into windows. It's a great fun game, as listeners will be able to find out, because you can play it on an emulator which I will link to at the Internet Archive. You can play the old MS-DOS version of Alley Cat even if you don't have MS-DOS. Now, why am I talking about Alley Cat, other than it is one of the great games of all time, is that there was a new imagination of Alley Cat which came out for Windows, released a few years ago for free, which I will also... I can't believe... Thom, I thought you were old. You must have played Alley Cat. I don't, you see, I remember things like, you're on the Spectrum 48k, you know, Nodes of Yesod and Jet Set Willy and stuff like that. I don't remember this. Manic Miner. Yeah, yeah, well, those are all good too. Well, anyway, I am recommending Alley Cat as my pick of the week, albeit being about 40 years old. You can also check out Alley Cat the Re-Meow Edition for Microsoft Windows. I haven't tried that one, but I'm sure it's jolly good as well, written by true fans of Alley Cat, and that is why it is my pick of the week. Thom, what's your pick of the week? So as you know, I'm a bit of a raging nerd, or even a raving nerd as well for that matter. Does it feel like you're writing on paper, though? Is it a similar sort of tactile experience?
It does, yeah. It has that kind of, I don't want to say scratchy feel, but that textured feel I think is probably the right way to do it. It's very good. It's very good. You can have a play with mine.
I'd love to play with yours, Thom.
One of the reasons I didn't like it was the software wasn't quite there. It was a bit slow and clunky. It didn't always connect, et cetera. But I kept on reading that it had massively improved. So I took the dive into it again and had it delivered a couple of weeks ago now. And I love it. Really, really good. Far more responsive, much more intuitive. What do you do with it, Thom?
It's not something you install apps on, is it? No, no, absolutely not. And that's one of its features is it does one thing and it does it very, very well. And it's distraction free. So you're not going to get a little pop-up of an email coming in or a tweet or whatever. Have you thought of buying a regular paper notepad? Have you tried one of those?
I have. Do you know what? I used to be a fan of the old Moleskine books. Oh, I still am, as you well know, right, Carole, but I have got cupboards full of them and I can't find anything with this. If you're writing in it, you can also convert your text in your handwriting into text, unless, like me, you've got the handwriting of a prison doctor, but, you know, aside from that, two-week battery, very, very slim, very thin. Yeah, and actually, frankly, I think it's come of age. It's that great balance between, I want a notebook, but I don't want to be carrying around this thing that's, you know, I want to have all of my notes all the time and I want to be able to read a book occasionally or read an article, etc. But I don't want to carry my iPad because that's just going to be distracting. I'm not going to actually get the thing I need doing done.
Yeah, I'm still in the old school. I use sketchpads, notepads, all that, but I can see the value.
There is some benefit here, if you can turn it into text and you can search it, that's...
But how often do you write stuff? I write stuff every day. I do a little list, I do a little list with squares, you know, with little checkboxes, every morning. Absolutely. And I write down all the stuff I gotta do, and then I do a number check of, I gotta do this one first, I gotta do this one second, you know, whatever, and then I go through my list. I'm at 80-20 normally; I get most shit done, but not everything.
And because it's e-ink, it will work outside in the daylight as well, won't it?
Absolutely, absolutely. There's no... like a pen, well, a pen and a pad, that's right, and that was my pick of the week.
Carole, what's your pick of the week? I actually chose this one for Thom, because Graham will roll his eyes and fall asleep during this, but it's a podcast, a 12-parter sci-fi podcast called Solar. It's from a company called Kirkco. It came out in April this year. Okay. They took chickens with them? What? So why did they take chickens? Actually, they don't take chickens. They take ants. They take ants. A bit too timey-wimey for me, yeah.
Yeah, but it's called Solar. You can find it wherever you get your podcasts, and it is my pick of the week. Fantastic. I think my kids would like that as well, by the sounds of it.
Now, Carole, you've been chatting to our good chums at Bitwarden this week, haven't you? So I spoke with their founder and CTO, Kyle Spearrin, and he tells us all about how Bitwarden's approach to password management is maybe a bit cooler than everybody else's. Take a listen.
I was a user of other password management tools for many years. Password management was not necessarily a new concept at this time. And I had been using those tools for quite a while. There were things that I thought I could do better or improve upon, obviously. And many were doing certain things well. There were other things they maybe weren't doing so well. Some had complicated installs and setup procedures, and they weren't across the platforms that I wanted. There were open source options, but they were fragmented a bit in their implementations. So you had to try to figure out which ones were quality and which ones could you trust. So I set off to build Kyle's password manager, if you will. And this was back in 2015, 2016 timeframe. And I kind of want to really appease the desires of someone like myself, I guess, which is a developer and an engineer, a technologist, and while also bringing in some of the aspects that I saw in other tools that made them a bit more turnkey and simple to use for kind of the greater audience.
It gives you a lot of flexibility to learn from predecessors who may have a heavy hand in certain aspects where you could be much more light-footed.
Yeah, I don't think that I necessarily invented anything. I saw a lot of what others were doing, and some were doing things well, and some were doing things not so well in other areas. And I thought that I could kind of bring the best of both worlds together. I guess it was about late 2015, early 2016, at this time, I set out to build the first iteration of what would become Bitwarden. At the time, I was working for another company in a full-time role. So this was more of a side project, if you will, of an idea. A project of love. Yeah. That I had. And also my background was mostly in web development and architecture at the time. I was building cloud-powered web apps and such. And I had actually never built a browser extension or a mobile app or a desktop application before in my career. So I think, in fact, Bitwarden is still the only mobile application I've ever built, albeit two or three times over by now. But I've always really also enjoyed opportunities to kind of learn new technologies to solve a specific problem that I'm working towards. So I think I was moonlighting it for, I don't know, I guess about seven or eight months building these apps. I was also a new father at the time. I had my first son during this time. So you
had loads of free time.
I wasn't getting much sleep, I guess, if you want to put it that way. But I ended up launching the first iteration of Bitwarden. And I guess it was in August of 2016 is when those first apps came out. I posted it on Reddit and Hacker News and Product Hunt and other social outlets like that. And to my surprise, it got really great traction right from the get-go. And I was getting great feedback right out of the gate from people. I guess it turns out that a lot of people viewed the problem in a very similar way, I guess, and what I had launched and how I had launched it. And it resonated with them.
Yeah. We doubt that a lot, right? When things really frustrate us, we should always remember at least 25% of other people out there that feel exactly the same way. Yeah, yeah. So you coming out of the gates in 2016, you have like four years to find your feet before the whole world does a little weird 180. And suddenly people are working from home and companies are suddenly facing new challenges all over your customer base, your prospects. Were you guys prepared for that in a way that was better than others, do you think? Because you were working in password management and remote access is key.
Yeah, yeah. So certainly the pandemic was a bit of a shock when it first all happened, you know, and companies were scrambling to try to figure out the best way to adapt to the needs of what's happening and people staying home. Although there was a bit of a, you know, freeze and trying to figure out what to do in the beginning, obviously tools that facilitated the use of remote work and what people and how people operate in a remote fashion, ultimately, you know, benefited somewhat from that kind of shift in the way people are operating. And that was certainly the case for tools like ours, as employees are now staying home and the threat level switches from being in the office all the time to now kind of being a lot more fragmented and people connecting outside of the company network and having to access a lot more tools and things where passwords are necessary. It worked out a bit in our favor as opposed to what problems our tools were solving. And I think that password management has certainly become a bit more of a focus for companies and the like to add another tool of mitigation towards the threats that they see as a business.
Yeah, it kind of made the whole idea of secure access, like put it in bold and double underlined for a lot of companies when all that happened. So maybe you could tell us a little bit about Bitwarden services. So you guys have a password manager, but it's slightly different than everybody else's.
Yeah. So, you know, we've tried to, as I mentioned, you know, take the best in the beginning, in the origin, I took a lot of the best things from the different tools that were out there, at least in my mind. But we try to put a little bit of a spin in what we're offering that's a bit different than some of the other options that are out there. I'm not some famous technologist on the internet with a huge Twitter following. So I was looking for ways to... Why should people trust our tool and this person that built this tool to store your sensitive data and passwords there? And being a developer and a technologist understanding some of those problems, I thought open source would be a really good way to approach that problem. And to this day, open source is how we operate as a company. All the tools that we develop and build are all done in the open and transparent about what we're doing. So I chose open source in the beginning to ensure transparency in what we're doing. I believe that open source transparency really is around security products like Bitwarden is somewhat of a requirement for these kinds of solutions. And people should have the opportunity to vet how their tools and their sensitive data is being handled by a product. And with open source, what I didn't really foresee was the community aspect that naturally came along with being an open source product. With open source development, for an application like Bitwarden, you can't help but form a community of people who are interested in what's being built. And we get a lot of feedback from our community, and we listen to our community. Much of the fundamentals of how Bitwarden was built are based on the feedback that we get from our community. So open source really enables us to attack the problem from a different angle that really none of the other solutions or the leaders out there around our type of product are really doing.
And it's also enabled us to develop additional features because we're open source that naturally play into what we're doing. So we're a SaaS hosted platform turnkey solution that you can just sign up for. But another great aspect of our product is that you can, it's bundled up in a way that you can host it yourself if you need to. So our product is compiled and deployed to you through platforms that allow you to host it on your own internal network and infrastructure. If that's the way that you operate, you don't want to use our hosted solution.
It's pretty amazing, I think, because there's still a lot of companies out there. So this is a hard question for me, because I'm totally bought into password management. I think it's a key, key fundamental thing. And I can't believe there are businesses out there that haven't caught on to the magic. And literally, it can make life easier for everybody, not just for the IT folks, not just for the high levels, but for the employees as well.
Yeah. So Bitwarden's goal is always to really meet you where you are. Adopting password management shouldn't be some life-altering decision that you have to make. And we're humans and we're creatures of habit and we don't change. I think Bitwarden understands that. In a perfect world, Bitwarden is not really getting in your way. It's not really changing how you use the internet on a daily basis. It's there to help you when you need it. When you don't need it, we're out of the way. There's a battle between convenience and security in the security world all the time. I'm of the opinion that convenience will always win. People will always choose convenience over security. So as a security company and someone building security products, you have to really be mindful of that. If it's not convenient, people don't want to adopt it. And there's friction there. They're not going to use the tool and they're not going to do things in a secure way. So there's always a trade-off you have to make, I feel, somewhat between security and convenience. But with a tool like ours, it can also just be a big boost in productivity as well for people. Just think about how much time you spend resetting passwords and trying to remember what your passwords were and talking to the IT admin to reset your password for this system and dealing with password changes all the time and things. Once you get the hang of using our product, kind of how it works itself into your flows that you already use, it can be a real boost in just general productivity as well for users.
I couldn't agree more. Now, listeners, you can find out loads more information at bitwarden.com/smashing. You'll learn about Bitwarden's customizable features. You will see Bitwarden's open source password manager. Plus, you can unite your existing systems with Bitwarden using SSO authentication, directory services, or powerful APIs. Why not get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. Or just try it for free across devices as an individual user. Your choice. That's bitwarden.com/smashing. Kyle, is there anything else you'd like to add before we close our chat?
Yeah, so if you're not using a password management tool yet, or maybe you already are using a password management tool, I would suggest you check out Bitwarden. You can go to our website and check out different client applications that we offer and our approach to how we build software and how we deliver that to you in the ways that we think work and give Bitwarden a try and see if it can make your life better. Well, there you have it. Thank you so much.
Terrific stuff. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
So you can get me on Twitter at Thom Langford, that's Thom with an H, because Twitter wouldn't let me have an H, and you can also check us out at hostunknown.tv for podcasts, films and a whole bunch of other stuff. So yeah, check me out.
Super, and you can follow us on Twitter at smashinsecurity, no G, Twitter wouldn't allow us to have a G, and we also have a smashinsecurity subreddit. And don't forget, to ensure you never miss another episode, follow smashinsecurity in your favourite podcast app, such as Apple Podcasts, Spotify and Overcast.
And of course a huge shout out to this episode's sponsors, Bitwarden, Kolide and Snyk, and of course to our Patreon community. It's thanks to them all that this show is free for you. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 280 episodes, check out smashingsecurity.com.
Until next time cheerio bye bye.
Bye stay secure my friends. CISO by day, CISO by night.
No, I just love ripping off Jav's tagline. Okay, we made it, man. That was very good. Bravo, it was very good. Was that alright? You're not going to have to cut too much? No, Thom behaved himself. It's a first. Thank you.
Hosts: Graham Cluley, Carole Theriault.
Guest: Thom Langford.
Show notes:
- LockBit 3.0 introduces the first ransomware bug bounty program — Bleeping Computer.
- Fake copyright infringement emails install LockBit ransomware — Bleeping Computer.
- Why US women are deleting their period tracking apps — The Guardian.
- Privacy not included — Mozilla Foundation.
- The #1 Period Tracker on the App Store Will Hand Over Data Without a Warrant — Vice.
- Microsoft is removing emotion recognition features from its facial recognition tech — NBC News.
- Top 10 Emotional AI Examples in 2022 & Reasons for Success — AI Multiple.
- Analysis of Speech Features for Emotion Detection: A Review — IEEE Xplore.
- Microsoft's framework for building AI systems responsibly — Microsoft.
- Alley Cat — Wikipedia.
- Play Alley Cat — Internet Archive.
- Alley Cat Remeow Edition — Game Jolt.
- reMarkable.
- SOLAR podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.
Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.
Get started right now, with a free forever account, at snyk.co/smashing
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
