Smashing Security podcast #283: Disney’s social dumpster fire, Anom phones, and TikTok tragedies

Industry veterans, chatting about computer security and online privacy.

A self-proclaimed “super hacker” causes problems in the Magic Kingdom, criminals regret trusting Anom phones, and lawsuits are filed against TikTok.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Plus don’t miss our featured interview with Scott McCrady, the CEO of SolCyber Managed Security Services.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Why do they think that's a good idea to blare the same song over and over again? Over and over again? Over and over again?
Unknown
Smashing Security, Episode 283: Disney's Social Dumpster Fire.

An armful Ransomware, phishing, malware, darknet, LastPass, darknet, LastPass, darknet, LastPass, darknet, LastPass, Smartphones and TikTok Tragedies with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, episode 283. Carole Theriault.
GRAHAM CLULEY
And this week on the show, Carole, who do we have lined up?
CAROLE THERIAULT
We have the wonderful Anna Brading. Welcome, Anna.
ANNA BRADING
Oh, hello. Thank you for having me.
CAROLE THERIAULT
Thank you for making the time out of your busy schedule.
ANNA BRADING
Actually, I am very busy, but, you know, always make time for you two.
GRAHAM CLULEY
Do you have a busy schedule, really?
ANNA BRADING
I know what I mean. I mean, I have to clean the house. I mean, basically don't do anything, Graham. I think you're fine. I do a lot.
CAROLE THERIAULT
She does do a lot. How about we get this show on the road and thank this week's sponsors, Bitwarden, Snyk, and SolCyber. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about a super hacker living in a very small world.
CAROLE THERIAULT
Okay, Anna, what about you?
ANNA BRADING
I'm gonna be talking about the Anom phone.
CAROLE THERIAULT
And I am gonna see how we can hold social media giants accountable. Plus, a great featured interview with Scott McCrady.

He's the CEO of SolCyber, and he talks quite frankly about cyber problems specific to small and medium-sized organizations. Very interesting stuff.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I'm going to start as I quite often like to start one of my sections with a little bit of a song or some poetry.
CAROLE THERIAULT
So hold on, I'll just get the mute button. I wouldn't actually change anything. That would just mute me, wouldn't it?
GRAHAM CLULEY
Just mute you. Stop you from joining in. It's a world of laughter, a world of tears. It's a world of hopes and a world of fears.

There's so much that we share that it's time we're aware. It's a small world after all. Was that the Shatner version? I couldn't remember the tune at first.

It's a song that will strike fear into the hearts of many.

I've often woken up in the middle of the night in a cold sweat, having a Vietnam-style flashback to the time I found myself at EuroDisney, tormented by that tune.
CAROLE THERIAULT
I was there. I was there with you.
ANNA BRADING
You went to EuroDisney together.
CAROLE THERIAULT
We did.
GRAHAM CLULEY
Well, we went there for work, didn't we? Not for fun.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
We went there for work. We went to give a talk.
ANNA BRADING
I see.
CAROLE THERIAULT
We had to give a talk in the amphitheatre, you know, where they— it was really quite scary because kids were all the way up, way above us, all around us. There were 1,500 of them.
ANNA BRADING
You gave a talk to kids?
GRAHAM CLULEY
Yes. It was a steep incline, yes. It was like a Nuremberg-style rally that we were the guest stars at. And we had a bad experience.

Do you remember the bad experience I had, Carole, at Disneyland?
CAROLE THERIAULT
What, that I talked you into coming on to a really cool roller coaster?
GRAHAM CLULEY
Yeah, so you said there's this thing called Space Mountain, and I didn't know what Space Mountain was.

I thought, oh, we're going to sit in a little train or something and we go chug, chug, chug. And it'll be just a gentle funicular is what I imagined.
ANNA BRADING
I don't know what Space Mountain is. I've never been to Disneyland. Tell me, Graham.
GRAHAM CLULEY
It's hell.
ANNA BRADING
It's hell.
GRAHAM CLULEY
It starts off pleasant enough, a funicular, you're in a little train going up a slope. And I think, well, this is fine, this is very nice, we're going up a mountain.

But then it careers inside the mountain in the dark, rollercoastering round upside down at high speed, and you don't know which direction to vomit in.

It is the most unpleasant experience ever.
CAROLE THERIAULT
But memorable.
ANNA BRADING
Well—
CAROLE THERIAULT
You're welcome for that memory that I gave you. Still vivid.
GRAHAM CLULEY
I had to have a sit-down with a fizzy drink in order to feel better afterwards, as I recall.
ANNA BRADING
And that's not like you, is it? No, not—
GRAHAM CLULEY
No, exactly, it was extreme circumstances. So other people have had negative experiences at Disneyland, it's not just me there.

For instance, one chap who has is someone who's possibly the greatest hacker turned biological weapons engineer that the world has ever seen.
CAROLE THERIAULT
Mm, okay, carry on.
GRAHAM CLULEY
David Doe, or maybe it's David Doo, if that is his real name. He is, of course, as we all know, the person who created COVID-19.

I know he created COVID-19 because he posted a message on Instagram announcing that he was responsible for it. Yes, you remember this.
ANNA BRADING
I don't.
CAROLE THERIAULT
I don't. I was obviously doing something important at the time.
GRAHAM CLULEY
He's also posted on Instagram that he's now working on a follow-up virus, it's that difficult second album that he has called COVID-20. Now, despite being 2022. Yeah, exactly.

Despite being a biological weapons expert, he hasn't twigged that COVID-19 is called COVID-19 because it came out in 2019, rather than it being the 19th version.
ANNA BRADING
So maybe it is the 19th. Did he invent the other 18 before that?
GRAHAM CLULEY
And they just flopped, he just put them into beta but didn't fully release them. Maybe, who knows? But it's a bit Windows 95, it wasn't the 95th version of Windows.

Although Windows 3, you know, that didn't come out in 3 AD, so it's confusing sometimes, version numbering, isn't it? Companies can be inconsistent.
ANNA BRADING
Yeah.
GRAHAM CLULEY
Anyway, David Doe, he went to Disneyland, he says. And he claims that some of the staff were rude to him, maybe they mocked him for his version number for his virus, I don't know.

And he doesn't go into specifics as to how they were rude to him, but he got very upset.

And that is why he plans to release a brand new virus of the coronavirus pandemic, this is what he posted onto Instagram.
GRAHAM CLULEY
And he makes these claims on both Facebook and Instagram. And normally I'd tell you to ignore everything you read on Facebook and Instagram, right?

I'd tell you, look, it's probably not true because it's been posted on Facebook and Instagram. It's probably the reverse is true, whatever you're reading.
ANNA BRADING
That's what you would say.
GRAHAM CLULEY
Yeah, that's what I would say.
ANNA BRADING
You're part of the mainstream media.
GRAHAM CLULEY
Well, should you believe anything in a podcast?

In this particular case, he posts those messages, including some rather racist and homophobic things, not from his own Facebook and Instagram accounts, but instead the official social media account of Disneyland.

What?
CAROLE THERIAULT
So what, he hacked in?
GRAHAM CLULEY
Yes.
Unknown
Oh.
GRAHAM CLULEY
He hacked into the official social media accounts of Disneyland on Facebook and Instagram, posting about Coronavirus 20, which he's been working on and is about to release, and how he was insulted in various unpleasant things of a racist and homophobic nature.

Now, it's very hard to know if David Doe or David Doo was really the person who did this. He claims his name is David Doe and David Doo, or David Doo. Probably not both, not Doo Doo.
ANNA BRADING
So what you're saying is poor David Doo Doo has been working on the next version of coronavirus, and someone has hacked in to the Disneyland social media accounts, and they're framing him.
GRAHAM CLULEY
Pre-announcing it. And they also posted a picture of someone who claims to be David Doe or David Du, but who knows who that is?

I mean, it's not the normal behavior of a hacker to post his photograph as well as his name when he does this.

So we have to be a little bit suspicious as to whether he's really the one responsible for the defacement.

It may be an innocent party who he's naming here, but it does provide a potential clue worthy of investigation should law enforcement agencies be so inclined.

I mean, they're probably busy, right? They're probably investigating who created coronavirus or who hacked the Instagram account of Disneyland. You know, maybe the same team.

Maybe the same team are working on it. I don't know.
CAROLE THERIAULT
I kind of feel maybe David Doo is suffering from a bit of mental issues, perhaps.
GRAHAM CLULEY
Well, which can be caused, of course, by going to the Disney resort and hearing that doo-doo-doo-doo-doo-doo-doo.
CAROLE THERIAULT
Yeah, and maybe he went on Space Mountain as well.
GRAHAM CLULEY
Rattle. You know, my brain was fairly rattled by that. And I'm not sure—
CAROLE THERIAULT
Never recovered.
ANNA BRADING
Yeah. I am also.
CAROLE THERIAULT
That's why I'm here. Explain that a lot.
ANNA BRADING
That's why I'm here. I had this at Legoland.
CAROLE THERIAULT
Oh yes.
ANNA BRADING
I had, so I don't know if you've seen The Lego Movie, Graham. But the Everything Is Awesome, that song.
GRAHAM CLULEY
Yeah.
ANNA BRADING
Just over and over. And I stayed there when it was sweltering heat. I stayed in the hotel. And just for 48 hours, I just had that constantly. So I understand your pain.
CAROLE THERIAULT
Why do they think that's a good idea to blare the same song over and over again?
ANNA BRADING
Because my child loved it.
GRAHAM CLULEY
Yeah.
ANNA BRADING
I hated it.
CAROLE THERIAULT
They're making them addicts.
GRAHAM CLULEY
I've stayed in the Lego hotel as well. And it is—
ANNA BRADING
Oh.
GRAHAM CLULEY
It's horrendous.
ANNA BRADING
It's just a lot of stimulation at all times. It's just too much.
GRAHAM CLULEY
If you're over 4 foot tall, then you're not going to enjoy it.
ANNA BRADING
I know.
CAROLE THERIAULT
What, do you have to crawl in everywhere?
GRAHAM CLULEY
Well, I don't know. It's just—
ANNA BRADING
Yes, yes.
GRAHAM CLULEY
It's just all a bit bright and noisy.
CAROLE THERIAULT
Anyway, we digress, Graham.
ANNA BRADING
We digress. Yes, yes, yes.
GRAHAM CLULEY
Sorry. So this attacker, he claims to be a super attacker. I think that's probably about as accurate as his claim that he created COVID-19.

It's much more likely someone at Disneyland was sloppy with their password. Maybe they got phished. Maybe they used the same password as somewhere else.

Maybe they hadn't enabled multifactor authentication.
CAROLE THERIAULT
I thought we were gonna play that game of guess what the password is. Password for the Disneyland account was.
GRAHAM CLULEY
It's disappointing, isn't it, that they haven't? It was probably something fairly goofy though. I think we can make—
CAROLE THERIAULT
Oh, probably goofy.
ANNA BRADING
Yeah.
CAROLE THERIAULT
Stop taking the Mickey. Stop taking the Mickey.
GRAHAM CLULEY
Oh, good one. Yeah.
ANNA BRADING
I've got nothing.
GRAHAM CLULEY
Millions of people follow these accounts and some of them weren't very happy and they were saying it's an outrageous— I've been grossly offended by these messages.

And Disney have now secured the accounts and they are conducting an investigation with their security team.

And you can imagine that Disney security team, they're going to be pretty shit hot, aren't they? Well, they probably aren't shit hot.

You can't use words like that on Disney, but they're going to be pretty tough. They're going to go in and try and get to the bottom of it.

So this can happen anywhere, even in the Magic Kingdom. Everyone needs to be on their guard for super hackers like David Doe or David Doo.
CAROLE THERIAULT
He doesn't sound like a super hacker.
GRAHAM CLULEY
He claims it, Carole. I mean, why would we disbelieve him? Why would we disbelieve him?
CAROLE THERIAULT
Maybe he just needs a hug and a sandwich or something.
GRAHAM CLULEY
I wouldn't always recommend hugging a hacker. I think—
CAROLE THERIAULT
Oh yeah, especially in COVID times. Especially.
GRAHAM CLULEY
Yeah, hug a hoodie.
ANNA BRADING
Hug a hoodie hacker. Hashtag.
GRAHAM CLULEY
Anna, what have you got for us this week?
ANNA BRADING
So Graham, Carole.
CAROLE THERIAULT
Yes.
ANNA BRADING
Imagine that you're a master criminal. Are you in character? Yeah. So you need a way to get in touch with your other master criminal friends. Maybe you need to set up your drug deal.

Maybe you need to order a hit on someone. Carole, anyone you're thinking of?
CAROLE THERIAULT
Yep, yep, I am, definitely.
ANNA BRADING
You got a picture in your mind? Yep. So how are you going to do that? You're not going to do it on your regular iPhone. Maybe your Nokia 3210.

That's not going to cut the mustard, is it? So you know what you need?
CAROLE THERIAULT
A pigeon.
ANNA BRADING
Do they— Can they order hits? I mean, yeah.
CAROLE THERIAULT
Carrier pigeons could carry the message over.
GRAHAM CLULEY
Yeah, they could send the message.
ANNA BRADING
That's true. Okay, fine. So the end of my story. That's it. Done. No!
GRAHAM CLULEY
Carole, what have you got for us this week?
ANNA BRADING
If there were no pigeons—
CAROLE THERIAULT
All the pigeons are dead. I don't know what I would do.
ANNA BRADING
Imagine your pigeon, your carrier pigeon's died.
CAROLE THERIAULT
Okay.
ANNA BRADING
You need an Anom phone. Except the Anom phone, this is not a non, Anom, isn't exactly what it seems. It looks very normal. So it could be a Google Pixel.

It can be unlocked with a PIN, just like all our phones are. It has apps on it like Tinder, Instagram, Netflix. Except the apps don't work, and tapping on them does nothing.

So they're more like a sort of wallpaper covering over a secret door.

So if you reset the phone and you type in a different PIN, it opens up the secret door into a separate section of the phone with different apps, like a clock and a calculator.

And the calculator is another front, and opening up that app takes you to another login screen. It's very—
Unknown
It's—
GRAHAM CLULEY
On the calculator, do you—
ANNA BRADING
Yes.
GRAHAM CLULEY
Do you enter 5138008 and turn it upside down so it says boobies?
ANNA BRADING
Yes.
CAROLE THERIAULT
Yes, yes, we do.
ANNA BRADING
6006. 6006.
CAROLE THERIAULT
Yeah, which wouldn't work at all.
GRAHAM CLULEY
That's your boobies, girl. That's not gonna work.
ANNA BRADING
Isn't it poo? Mine's more like 100— Oh no, hold on. Ignore that.
GRAHAM CLULEY
Can we stop entertaining the listeners with ASCII art of your breasts, please? It's not gonna work.
ANNA BRADING
I'm sure there's an app where you can upload pictures and get it to turn into ASCII art. I'll do that.
GRAHAM CLULEY
Link's in the show notes.
CAROLE THERIAULT
On it, on it.
ANNA BRADING
Back to the calculator. So, I think you do have to type in something, but to get it to open up the special login screen, which logs you into the Anom messaging app.
GRAHAM CLULEY
Very cool.
ANNA BRADING
Yeah. So the app, it uses XMPP to communicate, which is pretty standard for instant messaging, but then wraps those messages in a layer of encryption.

And XMPP works by having each contact use a handle that looks like a sort of email address.

But one of the contacts in the Anom phone, handily for the criminals, for you, Carole, is for a customer support channel that you can use if you're having problems with your phone.

But another contact is one called Bot, which works like a ghost contact and hides itself from the user's contact list. So they wouldn't even know it was there. And Bot is sneaky.

It does things like copy users' messages along with any location information it can gather.

So in many cases, that was actually the precise GPS location of the device when it sent the message.
GRAHAM CLULEY
What could possibly go wrong?
ANNA BRADING
I know, right? So it's a bit like when those people were Zoom bombing at the beginning of COVID but just with fewer boobs and a bit more stealth.

It just sort of hangs out and listens and then sends everything back to the FBI.

And the end-to-end encryption doesn't need to be broken because Bot is inside the walls sending the information back.
GRAHAM CLULEY
So the FBI are running Anom, or they've compromised the Bot?
ANNA BRADING
They're running Anom.
GRAHAM CLULEY
Right.
ANNA BRADING
So Bot is what the FBI is using, and other law enforcement, to eavesdrop on the criminals, take their messages, and take the GPS location as well.
CAROLE THERIAULT
And so why do the bad guys get a hold of these phones? So they— what, they— well, word on the street is they're the best.
ANNA BRADING
Yeah, I mean, I guess there are other phones like that that we've seen organized criminals using before, but I guess it's just one of many.

But last month the FBI announced hundreds of arrests as a result of the Anom phone, and said that they had intercepted 27 million messages from 11,800 devices.

So it's like big-time drug traffickers, and they seized a load of stuff like weapons, cash, drugs.

One of the drug deals apparently included smuggling cocaine in cans of tuna and hollowed-out pineapples. But other interesting things on the phone. So it allows for PIN scrambling.

So it rearranges the numbers. So it's much harder for someone watching you to work out what you're typing in, which I think all phones should have.

And there was a status bar at the top of the screen which had a shortcut to wipe your phone.

And you could also set a wipe code that you type in from the lock screen, which wipes the phone.

So when the police say, "Hey, what's your PIN?" You say the secret PIN code, and that wipes your phone.
CAROLE THERIAULT
You know, yeah, I just did the maths on your numbers. For each phone, that's 2,500 messages or so on average.

So, I'm surprised they can do anything else but sit there on their phones.
ANNA BRADING
Well, they probably have a similar screen time to me, Carole.
GRAHAM CLULEY
It would be quite fun to look at a criminal's phone, wouldn't it? Because even if they're drug dealers— Drugs?

Well, yes, because I suspect— I suspect we all imagine that it's always like, 'Have you got the hollowed-out pineapples?' or whatever.

You know, they're talking about the drugs deal or the smuggling.
CAROLE THERIAULT
Yeah, their secret language.
ANNA BRADING
Yeah.
GRAHAM CLULEY
But I'm sure there's also a fair amount of sharing cat GIFs and just jokes and all the social media memes which are probably going— Texting their wife.
ANNA BRADING
Right. Yeah.
CAROLE THERIAULT
Okay, so I'm guessing Anom is going to tank now with this news story. So they've lost that phone.
GRAHAM CLULEY
Well, the FBI will just rebrand it, I suppose, won't they? They'll just come up with some other name.

For all those people annoyed that the Anom Phone was run by the FBI, here's the new FBI Phone or something. They'll just give it a different name.
ANNA BRADING
They'll never guess.
GRAHAM CLULEY
They'll run the same scam again. What a brilliant way it is to snoop on criminals and what they're up to.
ANNA BRADING
Well, it means you don't have to break into the phone, doesn't it?
GRAHAM CLULEY
Very crafty. Very crafty. Have you bought one of these, Anna?
ANNA BRADING
No, but you know—
GRAHAM CLULEY
Because you've always reminded me a bit of a gangster's moll. Because you know, you live down in Reading and things, which is a bit dodgy.
ANNA BRADING
What was my nickname? Jugsy Malone?
GRAHAM CLULEY
Jugsy Malone. Links to the ASCII art in the show notes.
ANNA BRADING
Anyway, moving on.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Last week, the New York Times reported that parents, two sets of parents, had just filed a lawsuit in a Los Angeles court calling out TikTok for how it affected their young daughters.

And the suit revolves around the blackout challenge videos. Do you know anything about those?
ANNA BRADING
I don't know about them.
GRAHAM CLULEY
Oh, my goodness. I think I may have read something about this. Is this where kids are trying to encourage each other to sort of—
ANNA BRADING
Do a Michael Hutchence?
GRAHAM CLULEY
Yeah, to asphyxiate themselves. And of course, some people actually hurt themselves as a consequence, or die even. Is that right?
CAROLE THERIAULT
Exactly. Exactly. So it encourages people to intentionally hold their breath until they pass out due to lack of oxygen.
ANNA BRADING
Oh my God.
CAROLE THERIAULT
And now brace yourself. These girls, okay, these girls were 8 and 9.
GRAHAM CLULEY
Oh my God.
ANNA BRADING
Okay.
CAROLE THERIAULT
And they both died.
GRAHAM CLULEY
For God's sake.
CAROLE THERIAULT
8 and 9. I was playing with my Lite-Brite toy and trying not to, you know.
ANNA BRADING
I loved that.
GRAHAM CLULEY
The mind boggles what a Lite-Brite toy is, but yeah, okay.
ANNA BRADING
It was lights alive here, I think.
CAROLE THERIAULT
Right, no, come on, Graham, don't make it gross.
GRAHAM CLULEY
I'm not, I don't know what a Lite-Brite toy is.
CAROLE THERIAULT
You had these little plastic coloured nibs that you would put in perforated paper, and then you'd light it from the back.

So it'd be on a dark background, you'd have these little lights, a bit like a Christmas tree, basically. Oh, cool. Yeah, it was very cool.
ANNA BRADING
It was cool.
CAROLE THERIAULT
The light bulb was very hot and you'd burn yourself on it. So, you know, 1970s toy.
ANNA BRADING
Fires all over the place.
CAROLE THERIAULT
Exactly. Now, the suit claims that TikTok knew or should have known that its product was addictive and that it was directing children to harmful content.

And the suit highlights this For You page on TikTok, saying that it showed a stream of videos selected by an algorithm developed by TikTok that is based on a user's demographic, likes, and prior activity on the app.
ANNA BRADING
Yeah, it's the feed, isn't it? The For You page, I think.
CAROLE THERIAULT
Right. So how the heck does this get into an 8 or 9-year-old girl's feed?

So what's interesting is after one of the girls' death, the police looked at her device and told The Guardian that she did not commit suicide.

According to the lawsuit, a police officer showed the videos of the Blackout Challenge and said the girl had been watching the videos on repeat.
ANNA BRADING
Oh no.
CAROLE THERIAULT
She did seem to be online a lot. The article talks about a 20-hour car ride where she was effectively online the entire time, hoovering up things like TikTok.

So, okay, so right now at this point, I would say to you, what does your brain say? Do you feel TikTok is responsible in some way or not responsible at all?
ANNA BRADING
I think TikTok is definitely responsible in some way. It's difficult. And I mean, they're obviously built to be addictive, aren't they?

A 20-hour car ride on TikTok is difficult, isn't it? But then also, kids are so annoying in the car.
GRAHAM CLULEY
Kids are so annoying, you know.
ANNA BRADING
Oh yeah, sorry, that's what I meant. It's really hard. It's awful.
GRAHAM CLULEY
Just put them on Space Mountain for 20 hours. That's what I'd recommend.
ANNA BRADING
Yeah, subject them to everything that's awesome.
CAROLE THERIAULT
Well, TikTok is kind of, I would say, ducking from blame. Let me see what you guys think. So according to the New York Times, this has been the response so far.

So quote, this disturbing challenge, which people seem to learn about from sources other than TikTok, long predates our platform and has never been a TikTok trend.

And it linked to a federal report about deaths from a choking game from 1995 to 2007.

Then they say, we remain vigilant in our commitment to user safety and would immediately remove related content if found.

Our deepest sympathies go out to the families for their tragic loss.
ANNA BRADING
I feel like just because it happened all those years ago doesn't mean that you can sort of say wash your hands of it, if it's right.
CAROLE THERIAULT
Yeah, I was gonna ask you guys to rate the sincerity of their sympathies there.
ANNA BRADING
Zero.
CAROLE THERIAULT
Yeah, exactly.
ANNA BRADING
What's the age range for TikTok? Because Facebook and Instagram is 13, isn't it? I don't know what—
CAROLE THERIAULT
That's interesting. I don't even know that answer.
GRAHAM CLULEY
I would think you have to be 13+.
ANNA BRADING
I was at a park the other day, and a dad was off to film his children that were very much younger than 13 to do TikTok, doing TikTok dancing.
GRAHAM CLULEY
I think you have to be over 13 and under 23. I think there should be an upper age limit for some of these apps, because I see grown men who are addicted to TikTok as well.

I just think, for God's sake, you know, really, I can't get into it.
CAROLE THERIAULT
Yeah, it seems to be 13 and above, so that's interesting. I didn't consider that before. That's an interesting point. But I mean, parents are worried, right?

Parents are worried about their kids being online all the time.

And in fact, there's a new social media bill that California is currently working on, and it's kind of interesting because of how it's going to approach social media giants.

So the bill is aimed solely at social media companies that make more than $100 million in the previous year.
ANNA BRADING
So the big guys.
CAROLE THERIAULT
Yeah, big guys. And the bill is trying not just to protect those under 13, but all kids. So what they're claiming under 18s.

And their argument is basically this, or one of their arguments certainly, is social media platforms earn substantially all of their revenue through ads.

And the more time users engage with the platform, the more ads the user sees, and the more valuable they become to the advertiser, right?

And ipso facto, addicted consumers are particularly profitable because of their consumption behavior.

For these profit-driven reasons, social media platform companies intentionally invent, design, and deploy features that are intended to make it hard for users to stop using the platform, which makes sense, right?
ANNA BRADING
Yeah, there was that research not that long ago about how Facebook intentionally designed it to be addictive. I'm sure they all do.
CAROLE THERIAULT
The Facebook Files. That's right.

Let's segue to that a bit, because the Facebook Files basically said that Facebook was absolutely aware that it had a negative impact on teenage users of Instagram, and harmful content had been known to be pushed through Facebook algorithms reaching young users.

They were aware of that, and that included anorexia posts and self-harm photos.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So California is trying to deal with this by saying that when a social media platform creates designs or implements or maintains features for users, including child users, that the company knows is addictive to children, they should be held liable for the harms that result.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And that's interesting because there are other bills out in the States that are going on.

There's one in Minnesota that would prevent platforms from using recommendation algorithms when it's targeting children.

And in the US Senate, there's a sweeping bill called the Kids Online Safety Act, which would require social media companies to create tools that allow parents to monitor screen time or turn off features like autoplay.

But I think that the US Senate bill seems to make it the parents' problem.
GRAHAM CLULEY
I think parents play their part, but so do the social media companies as well.

There's some social media sites, some video playing sites, YouTube for instance, there's a YouTube Kids, isn't there?
ANNA BRADING
Yeah.
GRAHAM CLULEY
Which I think is supposed to be a more pleasant, friendly place for kids to hang out. I'm sure that occasionally some bad stuff might sneak through there.
CAROLE THERIAULT
But you know if there's ads there?
ANNA BRADING
No, there isn't ads.
GRAHAM CLULEY
Oh, there's not?
Unknown
All right.
ANNA BRADING
No, but there was a video that we wrote about the other day. I think it was a horror show, but it was called something like 'for kids' or something.

And YouTube just passed it through. And then they couldn't reclassify it.

It was really hard to reclassify it as not for kids, even though the developer was like, 'Hey guys, this is not for kids.' So, yeah, it's all difficult.
Unknown
It is.
CAROLE THERIAULT
There's this Child Advocacy Institute at the University of San Diego, and they say that parental controls can't be the answer to what effectively seems to be an addiction.

They compare it to tobacco companies giving parents nicotine patches to have them halt their kids' smoking.
ANNA BRADING
Yeah.
GRAHAM CLULEY
There's a bit of me which thinks, wouldn't it be great if these social media companies, rather than funding themselves through advertising, actually got you to buy a certain amount of access to their site.

So you might say, I would like to pay you $10 per month in order to access, I don't know, 20,000 videos or however many it is that you want.

So you buy that requirement and then once you hit that, in order to see more than however many videos, because TikTok, you can just swipe through them really quickly.

If you want to see more, then you're going to have to pay more and then you can control the addiction a bit. And I think that's a great idea.

Until you begin to think, well, hang on, what about people who don't have very much money and might feel like they're being excluded from social media and aren't able to get information because they cannot afford to pay?

I mean, we pay for our cell phone data, don't we? And we don't have a problem with that.

It's not like our cell phones are interrupted when we're on mid-call with an advert, or here are other similar phone calls you might have enjoyed.

Maybe you'd like to listen to other people's calls. There isn't anything like that. So you pay for however much data that you require.
ANNA BRADING
Yeah, and you pay for Netflix, you pay for Disney+, you pay for all that. Yeah.
GRAHAM CLULEY
So it's an understandable subscription model.

So maybe something like that would be better, but how you'd enforce it and how you'd make sure there isn't some digital divide, meaning that people who don't have the funds can't participate, that's where it really gets problematical.

But ads generally, and what that causes these tech companies to do in terms of targeting, is really, really ugly.
CAROLE THERIAULT
You know, in the 2020 leaked document from Facebook, okay, they're inside the document, there's a question, why do we care about tweens?

And the answer to that question is they are a valuable but untapped audience. Right? So they're all over it because of money.

So in short, until there's legislation that can catch up with the social media kingpins who seem happy to make a buck, even if it's from a tween, parents might have to do their best to control the content flow, right?

Don't trust social media giants to do the right thing by you and more importantly your kids. No, because they're not going to do it unless they're forced. Just like Graham, right?
GRAHAM CLULEY
Sorry, I'm not gonna do what unless I'm forced?
CAROLE THERIAULT
Be nice to me.
ANNA BRADING
Oh well, go on, Graham, say something nice. Carole, I think you're fabulous. Thanks, man.
GRAHAM CLULEY
All of you out there, we love security podcasts and we want to bring one to your attention today that you may want to check out.

The Secure Developer is a conversational and insightful podcast that bridges the gap between dev and sec, hosted by Guy Podjarny, one of the guys behind Snyk.

The Secure Developer is a security podcast that developers will enjoy listening to and learning from.

They've already released over 100 episodes, and I think many of you would like it too. So what are you waiting for?

Check out the Secure Developer podcast from Snyk at smashingsecurity.com/thesecuredeveloper. And thanks to Snyk for supporting the show.
CAROLE THERIAULT
Bitwarden is an open-source, cross-platform password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.

Bitwarden not only offers enterprise-grade security and conducts regular third-party security audits, it is also compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards.

This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing.

Or you can try it for free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.
GRAHAM CLULEY
Thanks this week to our sponsor, SolCyber, who believe that it shouldn't just be the Fortune 500 that benefit from top-of-the-line cybersecurity.

They make managed security affordable and accessible to all small to medium-sized organizations. Check out SolCyber's foundational coverage services.

They include ransomware assessment and training, advanced email protection, endpoint detection and response, Active Directory abuse prevention and lateral movement detection, and 24/7 security operations center capability.

As a SolCyber foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums.

Mention Smashing Security and you'll get 1 month free for every 12 months you subscribe to SolCyber's foundational coverage services.

Visit smashingsecurity.com/solcyber to learn more. That's smashingsecurity.com/solcyber. And thanks to SolCyber for sponsoring the show. And welcome back.

And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny storybook that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security related. My pick of the week this week is all about the trolley problem.

We've spoken about the trolley problem before on past podcasts.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
If you remember the trolley or the tram, as maybe we call it in the UK, you've got it coming down a line and it's about to run over someone and you've got a lever, which means that you can push the trolley or the tram onto another track and maybe there's a grandmother on the other track or something.

You've got a young person on one track, grandmother on another. Are you gonna pull the lever or not? And it gives you this interesting moral dilemma as to whether you do things well.
CAROLE THERIAULT
What, kill 6 people or kill 1 kind of thing?
GRAHAM CLULEY
For instance, is another kind of question you might get asked.

Now, if you go to the link I've included in the show notes to a site about absurd trolley problems, it will give you a selection of trolley scenarios.

And they start off— It's animated, so you see the trolley coming down the track, and you're given the opportunity to pull the lever.

So for instance, it may be the trolley's heading towards 5 people. You can pull the lever to divert it to the other track, killing 1 person instead. What do you do?

And it collects statistics. Can I just—
CAROLE THERIAULT
Yes?
ANNA BRADING
Their little mouths. They're screaming. Their mouths are moving. It's so sad.
GRAHAM CLULEY
So you're given these scenarios, and then you see an animation of the trolley crossing over. And at first, it's fairly easy, and you'll probably go with the flow.

You know, I'll kill 1 person rather than 5. You know, that sort of thing.

But then the questions get— as you go through, it then says, for instance, a trolley's heading towards 5 people, but on the other track is the original copy of the Mona Lisa, which will be destroyed.

What do you do, Carole? Carole, you're an artist. Imagine it is one of your works.
CAROLE THERIAULT
Yeah, one of my works.
GRAHAM CLULEY
Would you have 5 people killed or—
CAROLE THERIAULT
Can I choose who those people are?
GRAHAM CLULEY
Or is it random?
CAROLE THERIAULT
I'm at one right now, which is your life savings or 5 people.
Unknown
Right.
GRAHAM CLULEY
Yeah.
ANNA BRADING
What would you do, Carole?
CAROLE THERIAULT
I'm keeping my life savings, I think. Is that outrageous?
ANNA BRADING
Would you?
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
There's another one which says a trolley's heading towards one guy. You can pull the lever to divert it to the other track, but then your Amazon package will be late. What do you do?
ANNA BRADING
Oh, that one's obvious.
CAROLE THERIAULT
I've got one here where I'm on the track versus 5 other people on the other track.
ANNA BRADING
Oh.
CAROLE THERIAULT
I'm definitely doing nothing. I'm not dying, no.
Unknown
No.
CAROLE THERIAULT
No, I'm working on it.
ANNA BRADING
So I was playing with this the other day, 'cause I saw it on Twitter. And I was surprised about how much I did nothing. Even—
GRAHAM CLULEY
Yeah. Just couldn't be arsed.
ANNA BRADING
Story of my life.

When it was 5 versus 4, I just thought, well, you know, I don't— if I do nothing, I don't have to take any sort of responsibility for it, because I could just turn the other way.
GRAHAM CLULEY
I don't want my fingerprints on the lever.
ANNA BRADING
Yeah. Exactly.
GRAHAM CLULEY
Ooh.
CAROLE THERIAULT
5 lobsters or a cat?
GRAHAM CLULEY
5 lobsters.
ANNA BRADING
Obvious.
GRAHAM CLULEY
Yeah, what you rate. Yeah.
CAROLE THERIAULT
Obvious.
ANNA BRADING
Bye, lobsters. See ya.
CAROLE THERIAULT
Dinner.
ANNA BRADING
Give some to the cat.
CAROLE THERIAULT
Good one, Graham.
GRAHAM CLULEY
I like it. So Absurd Trolley Problems, link in the show notes, is my pick of the week. Anna, what's your pick of the week?
ANNA BRADING
Okay, so also one in the show notes for you guys to click on. This is weirdorconfusing.com.

So I always try and find something interesting for pick of the week, especially since you criticised my TV programme choice once, Graham. I haven't got over that yet. Yeah, you did.

I think you said it was a rubbish choice. So yes, I thought I'd have a Google, see what I could find, and I found weirdorconfusing.com. So you can describe it.

So I've dropped it in the chat.
CAROLE THERIAULT
Yeah, do you want me to describe what I have, or—
ANNA BRADING
Yeah, you describe it.
CAROLE THERIAULT
So I've got prism bed glasses to allow you to read or watch TV lying down. And the glasses—
ANNA BRADING
First of all, when you go to the website, what it is—
GRAHAM CLULEY
Yes, you have to describe what weirdorconfusing.com is.
ANNA BRADING
No, you go back.
GRAHAM CLULEY
You describe what happens first.
CAROLE THERIAULT
Why don't you go ahead? You go ahead, Graham.
GRAHAM CLULEY
So, what's happened? Let me jump in.

So, okay, so if I click on the link, weirdorconfusing.com, I'm taken to a webpage where it says, 'Sell me something weird or confusing.' And there's a little button, and it's going to take me to a random place to buy something weird or confusing.

Okay, so I'm clicking on it now. And I've been taken on eBay to a book which is called Crafting with Cat Hair: Cool Things You Can Make with the Hair of Cats.
ANNA BRADING
Perfect idea for Carole.
GRAHAM CLULEY
Perfect.
ANNA BRADING
Perfect.
CAROLE THERIAULT
Okay, I've just got one, and I think this is just too marvellous. Very good, Anna. So this is Nose Aerobics Basketball Glasses Game.
ANNA BRADING
Perfect. See? Present ideas galore.
CAROLE THERIAULT
Yeah, you are going to be spoiled on your birthday, which is coming up.
ANNA BRADING
So I too liked the cat hair one because you can— you basically take the cat's stray hair and you can— it's a book that shows you how to put it into soft and adorable handicrafts.

And at this summer at the moment, cats are losing hair all over the place. Also, one for you, Graham, maybe: Subtle Butt.
GRAHAM CLULEY
What's Subtle Butt?
ANNA BRADING
So it's a fart pad you put into your pants and it neutralises your bum odour.
GRAHAM CLULEY
Why would you—?
ANNA BRADING
It says, "Simply stick one in the right place, and you're ready for a chilli cook-off or an all-you-can-eat Indian buffet." Why would you say that on the podcast, Anna?

Sorry, Graham, but it's— You know, we spent a lot of time working together. I just thought this might be handy for you. We— What?
GRAHAM CLULEY
Don't say any more.
CAROLE THERIAULT
It's activated carbon, Graham. It could be very useful. You're getting on in years. This is really age-friendly.
ANNA BRADING
This is really— When's your birthday, Graham?
GRAHAM CLULEY
This is just a bit arsey. What year were you born?
CAROLE THERIAULT
Oh, oh.
GRAHAM CLULEY
There's 40,000-odd people listening to this podcast, and you've just told them that I go around farting.
CAROLE THERIAULT
You just don't like being the butt of a joke. Right.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, I have a cute YouTube channel for you this week as my pick of the week. Well, actually, it's a subsection of a YouTube channel. This is Jay Foreman.

Okay, he's got this YouTube channel and the playlist is called Unfinished London, and he does these short vignettes looking at London's kind of design eccentricities, right?

So videos focus on the unfinished Northern Tube line—why hasn't it been finished? What happened? Or unfinished motorways that just stop, or why does London have so many airports?

He puts tons of work in these, right? They're scripted, punchy, funny, kind of a bit silly as well, but also informative.

I think it's something you could watch with your kid, Graham. Actually, I think he'd find it really good and he'd learn some stuff.

And he does loads of on-site videoing, and he also sources loads of historical visual content to underpin his essay. For example, there's one on why London has so many airports.

It has 6 airports, has more than any other city in the world, apparently.
GRAHAM CLULEY
Yes, but some of London's airports aren't actually in London. There's an Oxford London Airport. There's Luton London Airport. And you think—Gatwick's quite far.

Yeah, and you know, it's—but isn't it basically to trick Americans into thinking they're flying into London? In fact, no, no, no, you've got another 3 hours to get into London.
CAROLE THERIAULT
But he refers back to the 1930s where he calls what was going on was plane mania.

And he says there was even a suggestion of an aerodrome in the middle of London on top of King's Cross Station, right?

It would have 6 runways facing in all directions with planes taxiing around the edge like hamsters on a wheel.

And the idea behind it was everyone could commute to central London by plane. So, all kinds of funny, wacky things to learn. Wow.

And there are 13 of these videos currently on this playlist.

And it could be a very entertaining night in for someone who wanted to learn a bit more about London's planning and failures. I like this.
GRAHAM CLULEY
This sounds very interesting. I am gonna watch some of these videos.
CAROLE THERIAULT
I think you'll like it a lot. I think you'll like the guy too.
GRAHAM CLULEY
So his name is Jay Foreman.
CAROLE THERIAULT
Yeah, Jay Foreman, it's his YouTube channel and the playlist is called Unfinished London, and that is my pick of the week.
GRAHAM CLULEY
Well, Carole, you've been busy this week. You've been speaking to Scott McCrady of SolCyber.
CAROLE THERIAULT
I have. He talks about the massive problems with securing a network efficiently and effectively and the SolCyber approach to streamlining the whole process. It's pretty interesting.

Check it out. So listeners, today we are speaking with Scott McCrady. He is the CEO of SolCyber, a managed security service. So Scott, let's start with you.

What can you tell us about you and how you became the CEO of SolCyber?
Unknown
Sure. Hey, Carole. Hi. I've been in the managed security services space most of my career, I was an engineer actually, coming out of university.

So I was deploying networks and security devices, and I actually ended up spending a bunch of time overseas in London deploying security equipment way back in the early days.

And what they realized was the security devices generated a lot of information and the traditional sort of network operations center didn't have anything to process that.

And so the very first MSSP built was built out of the US in the DC area.

And having tried to get analytics going around these security devices, I got hired by them as a young guy, and that started my managed security services career about 20 years ago.

And through that time, I built out businesses in Europe, businesses in Asia, and then obviously I ran at one of the largest global MSSPs for a period of time as well.

So it's, it's been in the DNA for a while, I guess.
CAROLE THERIAULT
Do you mind if I ask you to spell out MSSP for some of our listeners who haven't worked in managed services and all that stuff?
Unknown
Sure. The traditional model around managed security services is the fact that organizations have an ability to get their IT operations handled.

That could be either from a service provider, their telco, or an MSP, a local provider that does break-fix, maybe ships laptops, deploys gold images, but there is usually a gap around the high-end 24/7 security analytics.

And so if you deploy even some basic security technologies, somebody has to gather the data that's being created by these technologies, right?

And you want to look at it and analyze it and then hopefully be able to detect when a bad guy is doing something so you can find them and you can stop them.

And that's a very traditional model. There are some gaps in that model, which we'll talk about why SolCyber's here.

But yeah, you go out and buy— the customer goes out and buys a bunch of security technology.

Once they do all that, they deploy it, then an MSSP will monitor it, and they'll let the customer know when something bad's happening.
CAROLE THERIAULT
What a perfect time to introduce SolCyber and explain what services you provide.
Unknown
So when I created SolCyber, there was really, we believe, a really big gap in the market.

And the way I describe it was, I just felt like security, especially for the small medium enterprises, was stuck in the 1990s or the 2000s.

And what I mean by that is, imagine that you wanted on-demand video entertainment, right?

Well, the security model today is sort of like movies from 15, 20 years ago, you'd have to go out and buy 500 DVDs, you'd have to buy a storage network, you would have to buy a computer, you'd have to buy software, you have to buy TV, you have to buy cables, you'd have to string it all together, then you have to take your DVDs and put them onto your hardware.

And then you'd sort of have on-demand video. And then two years later, Blu-rays would come out. You'd have to literally upgrade everything because there's more storage, more space.

That's right. That is literally what we do in security. We tell a company, weave your way through the 3,500 vendors out there. You can consider those your DVDs.

Find the stuff that's interesting to you. Yeah. Build it all, deploy it all. Yeah. And once you're done, wrap a managed security service around it.

And we were like, that just doesn't work very well for mid-market companies. Sure, if you're Bank of America and you've got the tech stack and the people and the time, why not?

So our view was, we just sort of need to bring a security outcome into the 2020s, right?

And so we call it sort of the Netflix of security or your favorite streaming service of security, insomuch that what you get from SolCyber is you get, just like Netflix, you get everything.

You get all the best top-tier security products, you get it all deployed. You get all monitored, you get it analyzed.

If we detect something bad happening, we'll respond to it for you. And we package that all up in a subscription model. That's just a monthly fee.

There's no install fee, there's no upfront fees. It's just a monthly fee for customers. And so that's really the goal here.

In the same way that Netflix didn't build their content originally, they went out and got, you know, let's go and get some Star Wars, some action, let's get some comedy, right?

Yeah. In the same way, we use best of breed technology.

So the things we use are literally Gartner Magic Quadrant technologies, but we just pull it all together into a seamless solution that gets you an outcome of amazing security.

And that concept seems to really resonate with customers.
CAROLE THERIAULT
Yeah, because that's really interesting because, and of course a lot of larger enterprise really want the granularity and being able to configure things, you know, to just fit in within their very, very complex environment.

But if we're talking about your target market, which is the small to medium-sized business, they don't even necessarily have strong security, you know, knowledge within the firm, let alone, you know, know where to look.

So I really appreciate that point of yours of, you know, having to go out and hunt down the best thing when you're not an expert in the area. It's really frustrating, I imagine.
Unknown
It is. And the other thing we find is we also find a set of customers that actually do have decent security expertise. They just don't have the time.

So if you just take one piece, which is, let's just call it endpoint, there's dozens of endpoint providers.

So a standard model for these midsize organizations would be to do a proof of concept amongst at least 3 that they whittle down from usually 10.

That process for most of these organizations is a 6 to 12 month process to actually get it, you know, go through, do your research, get POC contracts set up, get it deployed.

You have to deploy them independently. So even if they have the security expertise, just the time and the effort is not usually something they want to spend.

They've got a job of trying to be nimble and be fast to make sure their product that they're competing with on a very competitive market is working, right?

And customers are buying it. And so this spending tons of time trying to get your security working is very difficult.

And Carole, one of the other things, this is also really applicable to the mid-market when it comes to cyber insurance.

And so cyber insurance is really a challenge for the mid-market on two aspects.

It's very time-consuming to get cyber insurance, and there's about a 1 in 3 response rate that's negative, that they get denied.

And then two, prices are going up about 50% year on year. And so because of the fact that we pull everything into an outcome, the insurance companies love it.

And so as far as I know, we're the first company in the US anyway, that has a partnership with the insurance industry, where if you're using what we call our foundational coverage, you get pre-approved for your cyber insurance coverage, and you get a 30% discount on the cyber insurance price.

Wow. And the reason is, is they go, well, we know the stuff that we're doing is really top-tier level security, and it's all in one package.

So instead of having to recommend maybe 8 different pieces of technology, you can just use SolCyber's foundational coverage, and that's good, and we'll recognize that security effort that you're putting in as a customer, and we'll reward you with making this process easy and making your renewals or your new policy much, much more cost effective.
CAROLE THERIAULT
That's a really interesting angle that I haven't heard brought up before. The idea of cybersecurity insurance. Are most SMBs taking it seriously and taking out coverage?
Unknown
We are seeing a significant uptake in the mid-market, the SMEs wanting cyber and needing cyber. As you know, they're there.

They recognize that the threats against them have changed and that it's not uncommon anymore. Ransomware hits about 1 in 3 customers in the mid-market.

So you're, every year you're playing dice with the fact that, you know, this may be your year, right?

So the assumption is if you're not doing the right things around security, you're going to get a breach within the next, you know, 24 to 36 months.
CAROLE THERIAULT
And I wonder if somebody was listening to you now and thinking, I like the sound of this, I want to learn more, what steps would they go through if they got in touch with you, or what would typically happen?

Sure.
Unknown
So one of the things we really try to do is we call it sort of modern, and modern to us is as transparent, as authentic as you can get.

So our website has a ridiculous amount of information about what we do, including our pricing. Our pricing is just right out front.

In the same way you wouldn't go to Netflix and say, well, I have to call a salesperson to figure out how much they're going to charge my family, you know, that's silly in today's world.

So our pricing is literally listed on our website. There's contact sales listed on the website. You don't even have to work through sales teams. You can actually do things online.

So we try to make it really simple. So one of the things that is not common in the managed security services space is what I call the business side.

So if you sign, you have to sign a contract, and then that contract gets put in the email or in your contract storage.

And of course, mid-market companies, they're, ah, you know, tracking contracts often is in email and places like that.

And so what we do is we just take all the information, stick it on the portal.

So you say, well, this is how much you're spending per month, and these are the services you purchased. And if you want more or less, you just click a button.

And so the easiest thing is to pop onto the website. You can check the pricing.

We describe what we do out there, and we're happy to have somebody contact you and walk you through the basics.

A lot of times it's a daunting thing to try to get your security program in place, and we do a lot of consulting just to make customers understand what's happening out in the world.

If there's anyone listening that's just "I need to get this problem taken care of," give us a call, contact us. We're incredibly non-pushy from a sales standpoint.

We try to be really helpful. Again, a lot of our information's on the website, and we can have this problem done and dusted for you in 14 to 30 days.

We get a lot of customers that are "Wow, Scott, I've had this on my plate for 6 months." I know I needed to take care of it.

It was just, I was building out these frameworks and walking through my plan.

And then when they found us, they just, you know, we just worked together and they were up and running in 2 weeks to 4 weeks.

And they're "and it's done." Now they have a good security program in place.

I mean, we're talking security awareness, phishing simulation, really a proper, fantastic ability to get you to some amazing security.

And then on top of that, if you're struggling with cyber insurance, ransomware insurance, if it's getting really expensive, or if you're getting, you know, your application rejected, we can really help with that as well.
CAROLE THERIAULT
Now listeners, you've heard Scott.

If you are a small to medium-sized business and you think you need a little tune-up, or you're excited by anything you heard here, please go to smashingsecurity.com/solcyber.

That's smashingsecurity.com/solcyber, S-O-L-C-Y-B-E-R. And Scott McCrady, CEO of SolCyber, thank you so much for talking to us today.
Unknown
No, I appreciate it. Thanks as always to the listeners who tune in.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
And that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online, find out what you're up to.

What's the best way for folks to do that?
ANNA BRADING
You can get me on Twitter @AnnaBrading. Shugsy Malone, I'm gonna reserve that now.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows us to have a G. And we also have a Smashing Security subreddit.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And mega thank yous to this episode's sponsors, Bitwarden, Snyk, and SolCyber. And of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 282 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye. Bye. Bye.
CAROLE THERIAULT
All right, marvelous. Okay, this site is so weird, Anna. What?
ANNA BRADING
I know. I've also got another one, but I'll put in the show notes because I thought it wasn't interesting. It wasn't as funny. So you can, you might like this as well.

I don't know if it's old, Quick Draw with Google, but you draw and then it guesses. But I think it's quite—
CAROLE THERIAULT
I think we've had that on the show before.
ANNA BRADING
Oh, have you? Okay, good. That's good.
CAROLE THERIAULT
It's good. I have now a Chia Pet Bob. Bob Ross. Yep.
ANNA BRADING
Black monster beast werewolf killer ape adult hand gloves. Oh, sexy.

Hosts:

Graham Cluley

Carole Theriault

Guest:

Anna Brading – @annabrading

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • The Secure Developer – A conversational and insightful podcast, that bridges the gap between dev and sec, from Snyk.
  • SolCyber – SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
