
Researchers reveal how your eyeglasses could be leaking secrets when you’re on video conferencing calls, we take a look at the recent data breaches involving Uber and Grand Theft Auto 6, and we cast an eye at what threats may be around the corner…
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Register’s Iain Thomson.
Plus – don’t miss our featured interview with Sal Aurigemma, the faculty director of the Master of Science in Cyber Security program at the University of Tulsa.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If you think about it, you think of all the manufacturers from, you know, smart washing machines to ping pong sticks. What's a ping pong stick? Oh, I meant pogo stick. I was basically being polite for vibrator. I think. But I said ping pong.
And I thought I was going to be too rude for this show.
Hello, hello, and welcome to Smashing Security, episode 290. My name's Graham Cluley. And I'm Carole Theriault. And Carole, this week on the show, we've got someone who's returning to us after a five-year absence. Shut up. That long? He's upgraded his internet connectivity. He's on fibre. It's Iain Thomson from The Register. Hello, Iain. Hello, Graham. Hello, Carole. Hi.
Pleasure to be back. It's been a while. Yes, lovely to chat.
Well, thank you for joining us so early in the morning from your part of the world.
Well, the sun is shining. The sky is clear. We actually had rain yesterday, which was fantastic. We haven't had that in months. I know as a Brit, you really miss some things and rain is one of them.
And where are you just for our listeners?
Oh, I'm in the East Bay, just across the water from San Francisco. Nice. I've got to say it's pretty good. It's an interesting place to live.
Let's first thank this week's sponsors, Bitwarden, Kolide and Pentera. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Zoom just one look and your privacy went boom.
You've missed your calling. What about you, Iain?
I just can't follow that. That's amazing. Well I mean for me it's the Uber rockstar hacks. It's an amazing issue to go into and there are some very weird things about this.
I'm excited. And with me, we will be gazing into the crystal ball, cybersecurity style. Plus, we have a featured interview with cybersecurity kingpin from the University of Tulsa, Sal Aurigemma. And Sal will explain why password managers like that of our sponsor, Bitwarden, are so valuable. All this and much more coming up on this episode of Smashing Security.
Now, chums, we have emerged now, blinking from our self-imposed isolation during the pandemic. And we've ditched our caftans. We've hung those up. We've hitched up our trousers. We've tried to put a belt on if it still fits. We've deodorized ourselves because now we are interacting with humans. For months and months, we had been able to fool our colleagues, hadn't we, into believing we were fragrant smelling. All the time, we weren't even wearing underpants because they never saw us. We were wearing suitsies, weren't we? Is that what they call them? Suitsies?
It's like a onesie, like a baby onesie, but it actually has the finish of a suit. So you can actually just cuddle into it and look professional at the same time.
Oh, my word. No, I actually wore a kilt at one meeting. How did you prove that, Iain? When the lockdown first started, we figured it was going to be, what, two, three months? And the very first video conferencing meeting that we had, I was just out of bed wearing a sweatshirt. My hair was all a mess and comments were made. So the day after I got dressed up in full kilt and fig and held the meeting that way. And the response was really good. I mean, the essence of working as journalists is that you've got the news meeting, you know, everyone's knocking ideas off each other. And that was a real dislocation. So I figured, you know, keep the spirits up and ended up doing about 30, 35 different costumes at the start.
Yes, Iain, you've got to send us some of these pictures.
Oh, no need, Carole, because I remembered following Iain on Twitter at the time and I found a picture of you dressed as Joe Exotic, which was your homage to the Tiger King.
Yes, yes. Monica had some leopard skin stuff lying around and that whole weird cat people documentary was raging at the time. So I figured, why not?
Wow. I love it, Iain.
So links in the show notes if you want to go and check out Iain dressed up as Joe Exotic. But I never went that far. I might have occasionally donned a pair of glasses to appear more intelligent, even though I can't actually read my computer screen if I'm wearing glasses. But we're all of an age, I suspect. You know, we've been around the block a few times, haven't we? Be careful, Graham. Just, you know, I mean, Iain, do you ever wear glasses these days?
I've started wearing them in the last couple of years. I think, to be honest, having spent, you know, spending this amount of time on a laptop and monitor screen, it's going to happen. So, you know, and there's no shame in it. I am looking into LASIK, but at the same time, this very idea of someone cutting into your eyes or lasering them is such an anathema. I'll live with the glasses, thanks.
Carole, do you have to wear glasses for the computer screen?
No. I've had glasses since I was a teenager. But not for the computer. But they were for distance, yeah. I don't have nearsightedness issues yet because I am younger than you. Well, slightly. But you know what, Carole? That might have been a very sensible decision, not to wear glasses at the computer screen because there lies a danger. Tell me everything. Boffins at the University of Michigan, who've teamed up with their counterparts at the Zhejiang University in China, they have been exploring the security risks associated with wearing glasses at a computer. So my mind has just gone somewhere. For example, if you had maybe something not safe for work in the corner of your screen, your boss would be able to see it through your glasses in mirror vision.
Potentially. Or if the thing you were looking at on the screen was moving in a particular way, that may indicate what sort of action you were watching. Oh, my God. All sorts of – It's a pogo stick.
Just playing leapfrog, exactly. But I mean, this is serious, because they found that even with a standard 720p camera you can get text font sizes at about 50, 60 pixels. Now, if you're looking at a 4K camera, then you could potentially get down to the kind of font sizes used in documents, not just in headings but in the actual text itself.
This is the thing. So there's this paper that's been released. It's called "Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing." That's the name of the paper. And yeah, as Iain says, around about 75% accuracy on reading some screen text. Now, I have to say some screen text. A few caveats.
All of you looking at fonts at 48p and above, you guys with glasses, you guys are the ones in trouble.
The effectiveness depends on the curvature of your lens. So if you have prescription glasses, that apparently works better than if you have those blue light blocking glasses some people like to use, if it's late at night or something, to help them go to sleep. So those don't work so well. And the other thing, as Iain says, is the quality of the webcam as well. So they reckon they can read on-screen text that has heights as small as 10 millimetres with a 720p webcam. 10 millimetres is one centimetre. And that is on the reflection. That's not on the screen. So what they've done... Let me hear the science here. What they've done is, it tends to work on quite big text. Now, I've put a link in the show notes, which goes to a Twitch page, where you'll get an idea of the size of text which they can pick up.
I mean, we mock, but at the same time, technology advances. Stuff that was theoretical, breaking hashing functions that was considered theoretical at the time. Now we can do it with ease.
Yeah. So, Carole, you click through on that Twitch link, which I've put in the notes, just to see. Now, can you by any chance make out, with your squinty little eyes, can you see what they're saying on that web page where it says...
"Twitch is where millions of people come together." That one?
No, no, no. Above that, above that.
"We saved you a seat in chat."
Can you just about see that text?
Right. It is about 48 to 56 point font. It's huge. It's absolutely huge.
I've never seen a web page with such large fonts as this one. I've never even seen a presentation given by a PowerPoint with this sized font. But as Iain says, if you had a 4K high definition webcam, which more and more people are beginning to do because they want to look their best when they're doing their video conferencing, then the potential does begin to creep in. And this technological advance, I mean, this isn't the first time that we've seen reflections leaking information. Jesus Christ, you cannot win. You cannot win. You use your eyeballs, they're using your eyeball reflections. You wear sunglasses with mirrors, you're screwed there too. You have glasses with reflections. Well, it turns out you can win. It turns out you can win because there is a mitigation. There is a mitigation. Oh, my God. And that's...
You see, I don't know. Isn't that going to turn people off? Because, you know, if there's one thing about video conferencing, it's eye contact. And, you know, it's very important. That's true. What if we wore those glasses with the fake eyes on them, little pieces of cardboard we used to get? You know, and it had little pinholes in the middle. So you wouldn't be able to, you know, they wouldn't be able to read your face. You would look natural.
You'd look completely normal. Yes. You'd look completely normal. Well, the boffins reckon that in time, maybe the video conferencing manufacturers will do some sort of artificial intelligence, work out where your eyes are, your glasses are, and apply a Gaussian filter to blur out that area. But I can understand if a politician were using these services, you might want to do that. Yeah, but do the rest of us have to really worry about this? It depends how much pogo sticking you want. That's your excuse and you're sticking to it, isn't it?
Okay. Well, it's a doubleheader, really. Last week, Uber suffered yet another data breach. And I was talking to an ex-Uber security person. And they were just saying, we warned them about this in 2017. We warned them about this in 2020. And basically, apparently, and I can't confirm this, but the person who was responsible for dealing with the earlier big breach is now the global head of PR. That's a lateral move. I have seen on LinkedIn that they are currently looking for a large number of people to join their security department. It's the classic horse stable gate situation. And to be honest, with those job adverts, I think it's more down to the insurance company insisting that they hire more people rather than they've suddenly found a newfound interest in security.
So maybe the hackers haven't thought of a way to actually monetize it. Maybe they can't think, well, who would we sell this data to?
Just because they don't ask for cash?
Well, at the very least, you'd think normally a criminal hack like this, they would attempt to extort some money, but maybe they're more... Maybe they're in the beta phase.
But isn't it fun? It's a bit like the old LulzSec days, isn't it? Of doing it for the laughs and embarrassing the big corporation, which might suggest it is kids or people, at least, who have an immature attitude rather than a more entrepreneurial streak in them.
Well, I mean, maybe they're just trying it out. But I've got to say, that's two very high-profile targets and a lot of heat to bring down on the back of your neck. And, you know, if you're just doing this for the lulz, then it's going to be a very short career path.
So do we know that they were hacked in a similar fashion?
An external contractor, in fact, yes.
Because as I read it, Uber, one of the methods which was used was a sort of barrage of push to 2FA notifications going to maybe someone, one of their employees. Oh, was it?
Right. Yeah. So basically, they got into the contractor's account and then used that to get past two-factor and get into the network and look around that way. Yeah. That's at least what Uber is saying at the time. So, I mean, there was that and there's a strong element of social engineering in all of these attacks. Right. I mean, we remember Kevin Mitnick and one of the strongest things in his arsenal was social engineering. And it appears this has been done in the same way. But at the moment, you know what these companies are like. They're not going to tell anything because they're under liability, you know, actual liability at the moment.
But what we do know is there's a lot of information which, I mean, certainly the Uber database, I think, was being offered for sale on underground forums, although I don't know if anyone's going to buy it or not. But the Grand Theft Auto thing, that's interesting, because it appears that maybe code and video, source code, I mean, that's like, yeah, that's a game, a video game which hasn't come out yet, isn't it? But it's obviously going to be a big deal when it eventually does come out, and it seems to be leaked online, and so all the gaming mags are now talking about it.
Yes, I mean it's one of those franchises. It was a fantastic game just before the internet and then it's really glommed onto the internet and become this huge thing, so there's a massive amount of interest which again brings about why are they not trying to monetize this? Is this really kids? With the Uber thing, the most worrying thing for me out of that — I mean yeah everyone's going to get hacked, don't worry about it — but apparently it was 1.1 petabytes of data that they got. How the hell do you get that amount of data out of an organization without them noticing?
Yeah, it's kind of scary.
You can't call up IT and say, "Oi Bob, yeah, I'm just doing a quick backup so this network channel is going to be needed for the next couple of days." It's just insane.
That is extraordinary, isn't it?
So customers of Uber, right? People like the millions and millions of people who have the apps on their phone and they've shared their billing information — are they at risk in any way?
It doesn't appear so at this stage. And I was feeling kind of smug because I have never and will never use Uber. But yeah, the customer information appears to be okay. So they're saying, well what they said in the initial statement was location data hadn't been lost. Payment information at this stage doesn't appear to have been lost. But with that amount of data, there's going to be an awful lot of leakage if somebody has the time, patience and desperation to actually go through it.
And hard drive space as well, of course. Where are they going to store the information? That's the other challenge. Carole, what have you got for us this week?
Well gentlemen, it is Cybersecurity Month in October, so it's almost upon us. And since 2004, the president of the United States and Congress have declared October to be this month, helping individuals protect themselves online as threats to technology and all this become more commonplace. And we are always talking on this show about threats that are happening right now, like the Uber hack for example. We talk about crypto scams and ransomware and massive data leaks. So I thought I would have a snoop around to see if anyone has recently posted a kind of crystal ball article to warn us what's around the corner. And lo and behold, I found one written by Danny Palmer at ZDNet. So I wanted to see if you two — actually, we could start a game. What do you think is on the list? I've got four items on this list.
What, these are sort of new threats or things which are going to become a big deal?
Yeah, technologies that we're looking at that could be used for bad purposes. And we can see angles as to why that might be.
So would things like deepfakes — would that be a new thing?
Yes, let's start there. I think that's your starter for 10, to be quite frank.
Let's start with deepfakes. It's on the list. Okay, so of course we've already seen these in use. We've seen them used in political misinformation campaigns and pranks to fool politicians, and fraud attacks with cyber criminals using deepfake audio and even video to convince employees to authorize significant financial transfers to the accounts owned by the attackers. And they're getting more difficult to spot all the time. Like today, if one of you had a boss and you got a call from the boss and you recognized their actual voice telling you to do something, would you do it? And the answer is probably yes.
Well, I don't know. I, okay, The Register is highly security conscious and we've got a great IT manager. Just after I joined, I left my laptop somewhere at the RSA Conference, ironically enough. Exactly. It's seriously — a month into the job I was freaking out, big stuff. Anyway, so I basically sent an email to our IT manager saying, "I've lost my laptop, lock down all my accounts," the rest of it, got an email back, "not a problem, done." However, I then went back, found the laptop. I'd left it at the EFF stand of all places. And they were just like, "We were expecting you. Here you go." Wow. Got in contact with the IT manager. And he was just like, "Look, I can't reactivate you because I've only met you once. I don't know the sound of your voice. You're going to need to go into the office and speak to our then editor Rik, and he's going to have to call me because I know who he is." It's that level of security. And it seems — he's like, companies aren't taking this.
He's one in a million though. That's rare.
Oh yeah, he was. Yeah, Marco — perfect example of a security manager. Hates people, just sits in his apartment in Italy and manages the Register IT network to like a dream.
Wow. Well, high five to Marco. But we can see that deepfakes are probably likely to become a big problem, especially in misinformation, right? For politicians. Yeah, it's really scary.
Particularly with, we're heading up to an election here in the US and the midterms are going to be very interesting. And this kind of stuff — yeah, Terry Pratchett had the wonderful phrase, "a lie can go around the world three times before the truth's got its boots on." I mean, these things are becoming more and more convincing. It's not just business email compromise, it's political campaigning — manipulated media.
Yeah. Alright, so we'll try for another one. What else is on the list? We've had deepfakes.
I said deepfakes, so it's your go.
Okay, one point to you Graham.
Yeah, okay. I was going to say, so, I don't know. I think business email compromise, if it isn't on the list, it damn well should be.
What's more technology? Oh, I would say, in that case, I would say biometrics.
Interesting. Not on the list. Really? So, sorry.
We've been able to recreate fingerprints for, you know, plastic fingers from fingerprints for years now. Yeah, that's true. That's a very... Come on, Danny, why didn't you mention this in the article? And a huge botnet potential as well in terms of, you know, you don't have to take over anyone's computer. You just take over their so-called smart device. If you think about it and you think of all the manufacturers from, you know, smart washing machines to ping pong sticks, you know, they get smarter at including more robust security features into their devices. But there's millions and millions of IoT devices out there that lack security. I thought I was going to be too rude for this show, but... Once again, Carole's trumped us. Okay, excellent.
It is, but in a different way. It's under quantum computing. Oh, yes. Quantum computing. Take a few minutes just to explain it, because it is fairly new technology, but it seems we're at the cusp of quantum computing, right? So Bob Sutor, and check out this guy's job title, Chief Quantum Exponent at IBM. I'm sorry. The minute you hear a title like that, you just think, wanker. And he says, quote, quantum computing is our way of emulating nature to solve extraordinarily difficult problems and to make them tractable. So basically, quantum computers come in various shapes and forms, but they're all built on the same principle that they host a quantum processor where quantum particles can be isolated for engineers to manipulate. We are all well versed in current encryption and cryptography, and we don't want people being able to unlock that. However, how successful have we been so far in building quantum computers? Really made any progress on that? We have made a lot of progress on it, but it is still extremely expensive. Because if no one's done it yet, if no one's actually cracked the encryption of all these things that we rely upon yet, then I could have suggested as, oh, what a threat in the future, and that is magic. I'm going to invent a device which can just do magical things which break security. I mean, maybe I'm not being quite empathetic enough, but I'm guessing you're a skeptic on this, Graham. He mostly moans these days. But if someone could get access to a quantum system, right? This is a big if. Of course, if. Sure. You know, I mean, it's one of those things which I honestly think will come, but isn't even close to being there. I think the real power from a security perspective with quantum computing is in point-to-point communications that are absolutely secure, because if anybody tries to get into those, it immediately changes the flow of data and it's instantly noticeable. No, exactly.
They'll be able to break into your computer to stop you from reporting about it, Iain.
Well, I did go, Google reminded me of a photo from a few years back when we did work in the office. I'd gone away on holiday, left my laptop in the office, my work laptop in the office, locked down, came back and somebody had written NSA was here underneath the laptop. So when I moved it, it was just...
Hey, actually, sorry, I'm changing the subject slightly here. But Iain, you are right, actually. My last point does include business email compromise. So well done. And that's under the heading of machine learning and, of course, the infamous AI. So we talk a lot about that stuff. So we're not going to go into any background. But the idea is that once AI becomes more widely available, what would cyber criminals perhaps want to make use of it for? And Mikko Hyppönen. Oh,
Mikko, the absolute badass Finn. He's a marvelous bloke.
Isn't he? Yeah. So he was quoted as saying. Mikko hip replacement. Ouch. Kitty has claws. "We will start seeing malware campaigns, ransomware operations, and phishing campaigns being run totally automated by machine learning frameworks." So, think about what about a text-based generation algorithm to send out and reply to common spam emails or BECs, business email compromise campaigns.
Yeah, it's going to be a huge issue. And I think we're also missing on the personal side of it. I think a lot of people are going to be targeted. If you've got a lot of video online, it's like the sextortion campaigns all over again. If it would be relatively, if somebody, with a generation that's now putting their entire lives online, that data could be used to build a deep fake and then blackmail that person, particularly if they're a high earning Instagram influencer or whatever the job title is these days for being a public person.
Well, the good news is the US government is spending billions and billions on cyber. There are all these bills in to provide more funding for it. And according to Hacker News, collectively, the current bills that are making their way through the house allocate a staggering $15.6 billion to cybersecurity spending. Yes. There's a few winners here.
Well, the big winners are the security industry, the big losers are going to be the actual end users, because I honestly don't think this is going to do a thing. I mean, we saw Mudge's testimony about Twitter in Congress last week. And basically, the most telling thing for me from that was that companies, yeah, they talk the security game. But for them, if the SEC comes calling or the FTC, it's a cost of business issue if they suffer a security failing. One of the things he said was they were terrified of French regulators because they followed up. But with American regulators, no teeth, nothing. So I think this is a huge government boondoggle to the security industry and the tech industry in general, but I can't see it improving things until regulators get some teeth.
Yeah, but I think it does mean that there's going to be a lot of hiring out there, and any company obviously already authorized to sell services and products to the government is going to be in for an excellent 2023 and 2024, I'm guessing.
Well, kind of. There was an executive order and a follow-up piece by the US government saying, if you're selling to a federal agency, you need to give us an assurance that all this, your software is patched. If there is a problem, you have a remediation strategy in place. And if you're using open source software, it has been independently checked by a third party to make sure it's secure. So they are spending the money. They are being a little smarter in how they spend it. You've got to insist on a certain level of security. But at the end of the day, until companies are forced by regulation to actually sort this stuff out, then it's just going to be window dressing.
I agree. And anything that helps us navigate this new quantum-y, IoT-riddled, deepfake-rich world that we're screaming towards is good for me. I mean, a quick question. Do either of you have so-called smart devices in your home?
I do now. I do, yes. Really?
Okay, you gave in. Nothing like that? Nothing. I have one I can think of, actually.
I even have voice activation on my phone turned off. So do I. Every time you said "Okay," the phone lit up. For God's sake, stop listening.
He uses an Android, everybody.
Show sponsor Pentera is taking a whole new approach to penetration testing, allowing every organization to continuously test the integrity of all cyber security layers, including against ransomware and leveraging leaked credentials, by emulating real world attacks at scale. All day, every day. This approach helps security teams across the globe to cope with one of today's top security challenges, the growing digital footprint of the enterprise. To help out, Pentera's security experts are sharing with us a few tips on how to identify your exploitable attack surface. So here is tip number one. Pentera recommends always taking the adversarial perspective; the best way to find exploitable vulnerabilities is to, well, exploit them. From here, security teams can hand over remediation requests to IT that are based on true business impact. Find out more by going to smashingsecurity.com slash pentera. That's smashingsecurity.com slash p-e-n-t-e-r-a. And thanks to Pentera for sponsoring the show.
Smashing Security listeners, did you know that Bitwarden is the only open source cross platform password manager that can be used at home, on the go or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
Kolide sends employees important, timely and relevant security recommendations for Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/k-o-l-i-d-e. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/k-o-l-i-d-e. And thanks to Kolide for supporting the show.
No, absolutely not.
Blimey. It's that bad? Oh, it's so bad. I think it's the most expensive TV show ever made.
Oh, he found it boring as well.
Yes, yeah, he was going, "Oh, it's so boring." And I said, "Look, why don't you stop watching it if it's boring and find something else you'd rather watch?"
You'd have thought they could have afforded someone to actually write a script. It is so, it's the most tedious, boring thing imagined. Anyway, after about three and a half episodes, and I noticed he was beginning to eat the carpet just out of boredom.
Oh, was it hard being around someone who was moaning?
Cheeky. And what we did was we came across a show, a film, a movie I believe they're called, on Netflix called "The Mitchells vs. the Machines," which is much, much better than the new Lord of the Rings TV show.
Okay.
And "The Mitchells vs. the Machines" is one of these animated comedy movie things for all of the family. It's just standard robot apocalypse, putting the brakes on a family.
Standard robot apocalypse, fun for all the family!
The family in this case, the Mitchells, they're on a cross country road trip and the robot apocalypse gets in their way and tries to ruin it for them.
Some people do.
This one is quite adorable, to be fair, Iain. I think you have to see the movie first. There's an Elon Musk, Steve Jobs-like character at the heart of it all. And the robots obviously take over. Anyway, it's great fun. It has a lovely message behind it. It was very funny. And I think most people haven't heard of it. So I would recommend... Oh, it also has the Furbies. Remember Furbies?
And it's actually pretty funny and I enjoyed it greatly. It features a generation gap between a dad who's useless with technology and hates screens and his daughter who of course loves them. And there's a pug dog as well, we all like pug dogs.
Oh, good grief. They were a security risk at one point. Do you remember? They were banned.
A stupid security risk, but even so.
I mean, if Snowden can get data out of the NSA with a Rubik's Cube, then a Furby is the least of your problems.
Anyway, I would recommend to people of all ages, if there's a child inside you, if you're a child at heart, you may enjoy this. My son said he enjoyed it, and I enjoyed it. "The Mitchells vs. the Machines" on Netflix is my pick of the week.
Cool.
Marvelous. My pick of the week is, okay, tangentially security related, but at the same time, I'm a huge space geek. And this is a really, really exciting story.
Be glued to this next in six days' time?
Well, we're going to get images back, but because of the distances involved and the hardware involved... Oh, of course. It's going to take weeks or months before we get the video back. That's going to be absolutely on tenterhooks.
So that's NASA's DART mission. People can read up more about that in the show notes. Carole, what's your pick of the week?
I have a very unusual one this week so I was in the Cotswolds recently this is a lovely part of England near Oxford and I was on a hike and we were walking by a number of bus stops as one does, and every single bus stop in the area had a defibrillator in the bus stop.
Yeah. Is that because people would have a heart attack if a bus actually showed up in the Cotswolds?
Defibrillators save lives, right? The latest research showing that accessing these devices within three to five minutes of a cardiac arrest increases the chance of survival by 40%.
Could you buy a coffee first? Yeah. Anyway, so I looked around my neighborhood, didn't see any external defibrillators anywhere. That doesn't mean there isn't one, but I certainly couldn't find one.
I mean, I'm kind of on the fence about this because
CPAD ones seem to be like they can be run by any individual, right? And they have spoken instructions as they go through. And they can't—
Spoken instructions. Okay. I hadn't heard about those.
And they can't, you know, they will detect the anomaly before anything happens. So it's not like you can just go and charge it and run it on anybody. They are smart, almost like smart CPADs.
I'm probably the only person on the podcast who's qualified to use one of these things because I've had to do training on it. I'm a member of the emergency response team here. And they do take training to use. Having the defibrillator itself is not enough.
Internet connected? I have no idea. I have no idea. But it just seems to me this is a cost-effective way. And if we had one nearby... so I'm going to look into it and let you know how I get on.
Yeah, so there's, anyway, I have to do more research on this. And that's my pick of the week.
Defibrillators. Oh, interesting. So, Carole, you've been speaking to one of Bitwarden's customers. Yes, I spoke with Sal Aurigemma from the University of Tulsa. Fascinating chat. And guys, take a listen. So gorgeous wonderful listeners of Smashing Security, we have the faculty director of the University of Tulsa's Master's of Cybersecurity degree program. What a title, Sal Aurigemma. Welcome to the show, Sal. Did I say your last name properly? Help me. Not even close.
Aurigemma. Yeah. Aurigemma. See? Now, we should start with your background, Sal. So, maybe we should introduce you to all our listeners. So, how did you end up at the University of Tulsa? Tell us about your background. Oh, okay. Well, I didn't plan on getting there. I joined the Navy right out of my undergraduate. I have an undergraduate degree in nuclear engineering. It's not a growth industry. So I graduated from the University of Florida with a nuclear engineering degree, went into the Navy as a submariner, spent about 10 years on active duty, and then I transferred over to the intel community, and then I was a reservist for another 10, 11 years. And as I left active duty to go into civilian life, I would get my master's in information systems so I could transition to the IT field, thinking, well, that's a job that's never going away. And I was right on that one prediction. Pretty much if you're in IT, you have a job until you die. Although it could be the reason you die. After I worked for about a decade in IT and I did a lot of things, system architecture, project management, ended up doing a lot of network and security related projects and items. I actually was deployed to Afghanistan for a year. I didn't love it so much. When I came back, I said, you know, I'm going to do what I always wanted to do, which is go get my PhD. I did that at the University of Hawaii and graduated in 2013. And then I went to the University of Tulsa, which is well known for their cybersecurity education. I was really excited to join the faculty there. And that's where I've been since. And I just transitioned to the faculty director for our online master's in cybersecurity program. Wow. Okay. So now at the University of Tulsa, and you're working in cybersecurity, what are your main focuses? I just love this inside look.
Well, we have faculty that cover the entire spectrum of cybersecurity research. I primarily focus on behavioral information security. I really want to understand from the employee or the end user, like you and I, what motivates us to actually take those security actions that we know we should, or what stops us from doing it when we know we should. Now, if we don't know we should, that's a different scenario. That's an education and awareness thing. But if we're getting that education awareness or reading it in the news, why aren't we taking the steps that should be universally understood as necessary to protect ourselves? And then we have other faculty in the program that everything from both blockchain to network security to cybersecurity economics. We've got a very diverse, excellent faculty at University of Tulsa. Okay, so human behavior. Tell me about human behavior and the disconnect that we might have with technology. Have you seen any of those in your research?
Well, sure. And you know, what it comes down to is I can pretty much predict what a computer is going to do because I can tell it what to do. And then if it doesn't, I can reprogram it. Or if it really, really doesn't do what it's supposed to do, I throw it away and get a new one. Cannot do that with humans. That's illegal. Also, there's a whole lot more factors on the human perspective that aren't inputs, outputs and processing like you have for a computer. There's just a whole bunch of different variables that come from different parts of that end user or employee's life that can impact their ability to follow through on security-related actions. I mean, probably the biggest thing we hear when we talk to folks about, hey, so we just trained you on this use of, let's say, a password manager, 2FA, or some other security tool. How come we didn't use it? I don't say almost universally, I say very high up on the scale because I didn't have enough time to do it. And you go, well, are you sure you didn't have enough time to do it? They're like, oh yeah, I didn't have enough time to do it. Well, you were at work and they paid you to do it. And then when it's an end user, my students in my classes, I go, hey, why didn't you do it? Oh, I didn't have enough time. Oh, let's take time right now in class to do it. And when you take away that, I'll call it an excuse of not enough time, and then you start to get into, well, when I say I didn't have enough time, what I meant was, I really don't know how to do it. Or I'm not confident in this technology that this is something I should spend my time doing. And now you're getting into different types of reasons other than I don't have enough time. Now, that said, if your cybersecurity technology takes an awful lot of effort and time for the end user to bring into their life, well, that's a big problem. You've made it so hard no one wants to adopt it. That's a you problem as a technology. 
There's only so many hoops that we're all willing to go through. And you know, there's the younger generation. So we're talking the college age students, stuff like that. When I hear that they say, well, I don't have enough time, typically they have more of something what I call high threat apathy. And so what that means is they don't have the time to do something they don't think it really is important to them. In other words, yeah, I've heard about the threats out there, maybe even had some accounts compromised or heard bad things or other people, but whatevs, you know, I'm not going to do anything about them because it's just not really that pressing a matter. And those that do feel something bad can happen to them, you know, they're like, well, I'm too insignificant a target for cyber criminals to come after. If I got hacked, well, what are they going to get? My Insta account, my email. But, you know, we know what to tell those people. The problem is we have to understand that's part of the reason why they're not adopting this technology so we can formulate our messaging better, right? And if we ignore our demographic, if we just do the same old cybersecurity training we do at every organization I've ever been at, from the military and the government to my university, where we just go, here's your training, it's good enough for everybody and we check the box, well, then we're never really going to make progress. I think we need to understand our target audience and then tailor the message to it. And it's not really that hard. I mean, we do if then statements in our programs all the time. Why can't we do that in our training?
You know, so Sal, this is fascinating because I'm a huge password manager fan, have been for 10 years. And it's basically because I don't remember tons of passwords that are different from each other. I just don't have the skill. And I have a lot of different accounts.
And you're not alone. Science has proven that we humans, except for that small percentage of savants out there, we can't create random passwords and we sure as heck can't remember them.
Right. And then, so you've got people like me saying, oh, make sure every password is unique on every account. And someone who is not using that kind of tech will be like, well, how have you looked into that? What are your findings on that?
So there's a couple of fields of psychology, like there's negative biases that go into what people do based upon what they already know or what they think could possibly happen, right? We discussed a few of those things. What we're focusing on lately is trying to build up more on the positive psychology side where we're trying to build up the skills and resilience of end users to say, hey, if there's a problem, do I know what to do about it? Am I optimistic that I can overcome this? Because if the answer is, if I sit down with someone who's a retired couple and they're like, you know, I just don't understand the computer well enough, this isn't going to work for me. Well, maybe a password manager isn't the ideal thing for you, but maybe writing it down in a book is, if you have that book available to you, but that's not the majority of people out there today. So really what we're trying to do is find out for different demographics and different user bases, okay, are you a constant user of technology? Then we know password managers. We are 100% certain password managers can work for you. We just got to get past the hurdles to get you to do it. And part of that is showing how easy it is to use. And then when there's a problem, do you have somewhere to go to? Do you have someone to talk to, to help you get through that problem? And that's part of the challenge too, right?
Yeah, so it sounds kind of wishy-washy, but I'll just say that first and foremost, if you don't understand the audience you're talking to, whether it's your employees, and I'm not just saying, okay, these are the people in the accounting department. I'm talking about, of the people in the accounting department, what are the individual factors? What is it about those as individuals that is either going to help or hurt them in adopting these security technologies? Well, then you haven't done the proper work to understand what your messaging should be so that it will get through and then provide them the resources they need to succeed. And that's why I like tools like Bitwarden where, hey, it's open source, but they have really great user manuals online. And then they have videos that kind of help people walk through it. And whether it's that or it's two-factor authentication, I'm a huge fan of a couple of different technologies. I don't know if I'm allowed to say it on the podcast, am I? You say whatever you like, go for it. I love YubiKeys, right? I really do love YubiKeys because once you get them set up, then they are easy to use. Now you have to get past the whole, well, especially with college students, I would actually give them out. They'll be like, well, what if I don't have my keys with me? I'm like, well, when you're an adult, that problem will solve itself because you'll need to get in and out of things easier. But with the password manager thing, we have it on our phones.
Well, do they know that that's available to them? Do they know how seamlessly it works? So when you can show people how it works, but more importantly, don't just lie about the technology and say it solves all your problems. Show what problems it solves. Show what problems it maybe doesn't solve completely, but it's better than it was before. And then I always at the end come back to, well, if you're not going to use something like a password manager to deal with all of these hundreds of accounts you have, what else are you going to do? Because the bad guys will easily figure out if you reuse a password or if you use some awful pattern based upon, be careful. Ten years ago, I used a pattern. I did too. So here's a real life story. When I was working for the Department of Defense, it's a long time ago, I'm sure it's fixed, I had hundreds of systems that fell under me as a supervisor, and my technicians, right? So we're talking about systems on different classification levels, and then the DoD kept coming out with more and more ridiculous password change rules. First it was 90 days, then it got all the way down to 45 days, and then 24 characters can't change. So what are you doing? You're creating a pattern, and you're going to computer number two and adding a two to the end, right? And then you go down, right. I did, mine was, I live on blah blah street, right? So it would be like, I live on Google Street. And then it was, I live on Google One Street. I live on Google Two Street, literally. And I was a security professional.
Yes, so do I. So if you want to learn more about password managers and how to secure your private information, and I agree with Sal 100%, once it's set up, it's gold. Okay. Visit bitwarden.com slash smashing. That's bitwarden.com slash smashing.
And Sal Aurigemma, did I do well there? Great job. Thank you. Faculty Director of the University of Tulsa's Master's of Cybersecurity degree program. I wish I could make that tighter.
Thank you so much for coming on the show. It was a total pleasure to speak with you. Well, after the hundreds of shows I've listened to in the past, I'm super excited to have been part of your show.
Oh, what an answer. Thanks, Sal. Great stuff. Well, that just about wraps up the show for this week. Iain, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Oh, I'm old school, I'm afraid. So I'm on Twitter, at @iainthomson. And it's a really odd spelling because my parents are bastards, but we've had words about this. So it's I-A-I-N and then Thomson without a P. And believe me, the jokes that were made at school about Thomson without a P were really quite savage.
And you can follow us on Twitter at @SmashinSecurity, no G. Twitter wouldn't allow us to have a G. And we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, I recommend following Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
And a huge, huge thank you to this episode's sponsors. That's Kolide, Pentera, and Bitwarden, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 289 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye. Bye.
Oh, Iain, it was so great having you on.
I have enjoyed it. I mean, it's been years since I've seen you. I think decades. Actually, God, yes, it is. Yeah, it is over a decade. Fuck world. Speak for yourself.
Hosts: Graham Cluley, Carole Theriault.
Guest: Iain Thomson – @iainthomson
Episode links:
- “Iain Exotic”, Iain Thomson’s dress-up homage to Joe Exotic, the Tiger King – Twitter.
- “Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing” – Research paper by Yan Long, Chen Yan, Shilin Xiao, Shivan Prasad, Wenyuan Xu, and Kevin Fu.
- “We saved you a seat in chat” – Rather large text on the Twitch website.
- Stalker zoomed in on Japanese idol’s eyes to find out where she lived – Graham Cluley.
- Uber is looking for more security staff – Twitter.
- Uber explains how it was pwned this month, points finger at Lapsus$ gang – The Register.
- Uber’s hacker *irritated* his way into its network, stole internal documents – Graham Cluley.
- Security update – Uber.
- Grand Theft Auto 6 maker confirms source code, vids stolen in cyber-heist – The Register.
- Cybersecurity Awareness Month – CISA.
- The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats – ZDNet.
- U.S. Government Spending Billions on Cybersecurity – Hacker News.
- The Mitchells vs The Machines trailer – YouTube.
- The Mitchells vs The Machines – Netflix.
- NASA is ready to knock an asteroid off course with its DART spacecraft – New Scientist.
- DART’s Small Satellite Companion Takes Flight Ahead of Impact – NASA.
- Search and find UK Defibrillator Locations near you now – HeartSafe.
- Apply for a part funded Public Access Defibrillator – British Heart Foundation.
- Defibrillator guide for first time buyers – St John’s Ambulance.
- Every school will have a life-saving defibrillator by 22/23 – Gov.UK.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Pentera – Pentera’s Automated Security Validation Platform is designed to help teams increase their security posture against modern day threats across the entire attack surface. Evaluate your security readiness with continuous and consistent autonomous testing with granular visibility into every execution along the way.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.