
Drug dealers come unstuck while using the Encrochat encrypted-messaging app, and we put the Lensa AI avatar-generation tool under the microscope.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus – don’t miss our featured interview with Rico Acosta, IT manager at Bitwarden.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
What they did was they noticed the dog had a dog collar. And so of course they're able to ring up Bob the dog and say, hey, who is your owner, Bob? Who's your world dog, Bob?
Smashing Security, episode 302. Lensa AI and a dog collar. A Blog Called Bob with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 302. My name's Graham Cluley.
And I'm Carole Theriault.
Hello, Carole. Hi.
How you doing?
I'm all right. Not too bad. Just you and me in the podcast booth today. Yes.
And on a weird day.
A weird day of the week.
Yeah. I'm giving you my weekend right now.
Because we're a little bit busy next week.
You are, yeah.
And Christmas just around the corner. Well, you've been busy too, Carole. You've been exhibiting your art, haven't you?
Yes, I'm okay. I can juggle a few balls.
Okay, terrific. And well, shall we kick off then?
I think we should. And let's thank this week's sponsors, Bitwarden, Drata, and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about end-to-end conviction.
And I'm going to tell you everything you need to know right now about Lensa AI. Plus, we have a featured interview with Rico Acosta. He is head of IT at Bitwarden and tells us everything we need to learn about how to train staff. All this and much more coming up on this episode of Smashing Security.
Now, chum chum, the UK's National Crime Agency. Oh my goodness, they're puffing their chests out. They're feeling proud because they've had a success. They have bagged some baddies once again. They've caught some criminals and they've done it in an interesting way. Would you say yes? Say yes.
It's kind of a trap. Yeah, it's kind of a trap question. Yes, Graham. I would love to hear about it.
Well, they've secured convictions against a couple of drug traffickers. Now, if you roll back in time, you may remember, I think it was episode 229.
Excellently remembered.
We spoke about how law enforcement agencies Security Services across Europe had managed to crack into EncroChat, which was a secure encrypted messaging service, which was beloved by criminals around the world.
Yes, baddies loved it.
Yeah, so the cops, they hijacked it. They were able to read people's encrypted messages being sent by criminals, and they sort of lurked. A fascinating situation to be in, of course, because you're seeing crimes being committed or you're gathering information, and when do you play your cards? When does it become obvious that the communications are no longer secure? But EncroChat was a supposedly secure encrypted messaging service, a bit like Telegram or Signal, but it ran on modified Android phones. So bad guys could buy an especially modified Android phone with EncroChat. It'd cost you around about £900, and then you would pay a subscription to access the service, which would be probably about £3,000 for the entire year.
You've got to have a lot of pocket change to be a criminal these days, don't you?
Well, it's tough, isn't it? You feel sorry for them. They've been hit, of course, by the cost of living going up.
Inflation, exactly.
Exactly. And then they have things like the cops breaking their supposedly worry-free secure communications. The cops did it in an operation called Operation Venetic, or is it Venetic? I'm not sure.
Dunno.
I did some Googling to try and find out. Venetic apparently is an extinct language from northeast Italy, which makes sense, I suppose, because that's where Venice is and Venetian. So I suppose that's where it all comes from. Anyway, EncroChat was loved by the bad guys. Said to be about 60,000 users worldwide, 10,000 of them were in the UK. The app even had a panic button where if you entered a 4-digit code, it would delete all of your data. So if you thought the cops were going to collar you, you'd quickly go, you know, 1, 2, 3, 4, and it would delete all the data.
Oh.
And it would do it instantly. It wouldn't take 90 days or something.
No, no, it wouldn't be like—
That'll be relevant later. That'll be relevant later.
Oh, okay. So the cops had infiltrated EncroChat. We talked in the past about a guy who got caught after posting a picture of stinky Bishop cheese in his supermarket and his fingerprints were picked up by the police, and they were able to work out who he was. Anyway, they wanted to prove the identities of people who were involved in a particular drug dealing operation, because these guys had used pseudonyms.
On the channel? On the channel, right.
Exactly, on EncroChat. So, there was one guy, a 55-year-old called Danny Brown. He didn't use the pseudonym Danny Brown. That wasn't his username on EncroChat. He was ThrowTheDice. And there was another guy called BoldMove. His real name was Stefan Baldauf. And they had a plan.
Okay.
They planned to send 448 kilos of MDMA.
That's ecstasy, isn't it? Isn't it? Is that right? I don't know. I mean, you know, you live somewhere a bit more urban than me. Well, it's a pretty well-known clue.
Right.
Anyway, MDMA. They were sending 448 kilos of flat-pack furniture. No, no, of Class A drugs worth £45 million to Australia. And apparently you can make a lot more money out of MDMA in Australia than in the UK. It's got a higher street value.
Well, I'm sure everything has a higher street value over there. It takes that, you know, especially if it's imported. Do you think?
Well, sure.
Well, not—
Well, yes. Okay. So not kangaroo meat or something. That's going to be cheaper, I think, in Australia, isn't it?
What, than it's available here in the local Tesco?
Yes.
Right. You would think so. Although maybe we'll have some sort of trade deal with Australia. That'd be terribly convenient, doing trade with them on the other side of the planet. Anyway, the question is this: how do you sneak that amount of drugs into Australia?
Yeah.
How would you sneak drugs into Australia, Carole?
I would— Look, I watch a lot of cop shows, right? So I've seen that they've made boats out of actual cocaine or something. So actually the whole boat.
Oh, the entire boat?
Yeah, something they do. Yeah, no, I'm not— I'm gonna look at this. Would it not dissolve?
I'm gonna look at this right now.
I think it was—
Would it be like a soluble aspirin? Would it just begin to fizz and bubble?
Maybe I'm making this up.
Maybe. I don't know. Maybe you're not. I see, I was thinking nothing so adventurous. I was thinking maybe you'd have a false compartment in your suitcase. It'd have to be a big suitcase, of course. I don't know.
It'd have to be quite a big suitcase. Or you, I guess you just, yeah, you have to do it by boat, right?
Well.
They decided to hide it inside a 40-tonne digger. Now, they weren't going to drive the digger there.
Okay.
What they did was they bought a digger, a big digger, you know, with a big arm, you know, something digging up the road, that kind of thing.
Yes, I know what that is. Thank you.
Alright. So, and then they got a welder. They said to this welder, they said, hey mate, here, would you cut open the arm of this digger? And then we can hide the drugs inside the arm of the digger behind a lead lining.
How did the drugs get there?
This, no, this is in the UK. They're doing this from the— So they're smuggling from the UK to Australia.
Right, so in the UK, they're putting it into a digger.
Yes.
And then they're gonna send the digger over.
And they send the digger over, and they cover the digger with— They contact a sign-making company. They cover up all the mess they've made with stickers to cover the markings. They repaint the digger. It gets sent over to Australia. It looks all legit. And they— Well, before they send it to Australia, what they do is they put it up for sale on eBay. And they arrange with the intended recipients. They say, look, we're gonna put this digger on eBay. Make sure you buy it, right? You pay this much.
How much does a digger cost? So is that, was that the tip-off that a normal digger costs? I don't have no idea. A million quid? I don't know how much a digger costs.
Well, I don't know. I don't think it's that much.
Well, I don't know. Some are pretty—
But maybe it's a secondhand digger. Maybe it's £40,000 or something that.
But they want £24 million for it or something because they wanna pay for the drugs, right?
Well, that's the thing. That's the thing. You don't— And you don't want to make it too cheap.
No.
Do you? You don't want to make it too cheap because someone else might snipe in and buy the digger. And you think, oh God, you know, we've got the drugs going to the wrong place now. So they panicked apparently because 6 people were watching the auction on eBay who they thought were going to make bids. And it's, this is not good. We need only our mates to buy this. Anyway. Jeez. Their mates in Australia, they managed to buy the digger. And the digger finally arrives in Brisbane. But of course, EncroChat has been compromised. The cops are watching it. And so, the Australian police, they X-ray the digger. They remove the drugs. They reseal up the digger arm, and they install a tracker and a listening device inside the digger.
Yeah.
And apparently, the two guys who picked up the digger, when it eventually arrived, they spent two days looking, trying to find—
Removing rivets.
And they were probably saying, have we been diddled by these other guys? They've double-crossed us. What's going on? Now, the cops, of course, still want to know the identity of whoever it is who's done this. So, all they knew were the code names of these guys on EncroChat, who'd sent it from the UK. So they looked at all the messages that they'd sent. And one of them, the guy called— his name was Danny Brown. He had sent a photograph of his pet dog, Bob.
No way.
With a laundry basket in the background.
Did they do facial recon on the dog in social media to identify the owner?
They called up the guys at Clearview AI, and they said, "Look, we know that your technology works on humans. Could you use it on dogs as well?"
Just scrape their ear.
No, they didn't do that. What they did was they noticed the dog had a dog collar.
No.
And so of course, yes.
Oh, it's just old-school detective work, isn't it?
It's CSI style. They zoomed in.
Zoomed in.
They enhanced. Enhanced. Yeah.
Enhance, enhance.
And then they know the phone number for the dog. So they're able to ring up Bob the dog and say—
Hey, woof, woof, woof, woof.
Bob, Bob. "Who is your owner, Bob? Who do you belong to, Bob?" No, no, no, they didn't ring him on the dog and bone. What they did, it was of course the phone number of the owner, which was there. Now, that wasn't the only thing that these two guys had made a mistake when they'd posted up on EncroChat, thinking it was all end-to-end encrypted, thinking they were safe. They'd also accidentally sent selfies of themselves to each other. Accidental selfie.
How does that happen?
Right, so an accidental selfie. It's not when you butt dial someone. It's not a photograph of your bum. It's not saying that. But I've been in accidental selfie situations.
I don't even know what that is yet.
Well, it's when you take a photograph by accident of yourself.
On your phone and then send it to someone by accident?
Well—
A lot of mistakes.
Okay. Carole, do you remember when I was having a lot of trouble with my phone in the shower?
Yes. How could I forget that horrid time?
So I would take the phone into the shower and something about the resonance of the falling water would somehow tell my— by the way, I wasn't taking my phone into the actual water of the shower. I was sort of propping it up. As everyone does.
Yeah.
So I could listen to a podcast while I was having a shower. And something made my phone ring you up.
Yeah, not just once.
No, it was all—
Jesus.
And it was at ridiculous times.
Well, it was shower time.
Yeah, well.
Not hammer time. And it would sometimes initiate FaceTime video calls with you. And I remember one time when I realised it started a FaceTime video call with you, which you answered. In my panic, covered in soap, I dislodged the phone, which fell into the shower tray, pointing upwards.
I would have been scarred for life if I'd opened my eyes.
Oh my God. So accidental selfies can happen.
Now, the thing is, you never video call me, so I always know it's a video call. Eyes sealed shut until told otherwise. Yeah.
Now, they hadn't taken deliberate photos of themselves and sent them to each other. What they did was, in one case, Danny Brown of Bromley, Kent, he sent a photo to his fellow criminals of his TV, which he'd just bought.
Oh, great.
And the reflection—
Love it. Love it. Love this guy.
Displayed himself.
Brilliant.
And the other guy, the other guy, he sent a picture of a brass door sign.
Oh.
Which of course all—
So they were looking for a guy 3 times the size with the convex shape. Fantastic.
It's a bit like the nudes of eBay. People who put things up for sale on eBay and accidentally capture themselves in a mirror, normally in a state of undress. Have you ever encountered that phenomenon?
I've heard of it, but I've never— Yeah, no.
Right. Oh no, I'm not suggesting you've ever, you know—
What, trawled eBay looking for a reflection of a nudie? I think there's easier ways to see those online. Just saying. Anyway.
Anyway, I guess this is my public service announcement to criminals out there. You can't necessarily trust end-to-end encryption because who's in charge?
Well, let's remember that for my story as well.
Oh, okay.
All right.
What have you got for us this week, Carole?
Lensa AI. This is an app, despite having been around since 2018, has in the last week caused rather a lot of ruckus. This is because the company Prisma Labs added a new avatar generation tool based on Stable Diffusion.
Pardon?
So before they added Stable Diffusion, you basically, this app would let you retouch your pics, you know, add a nice background, whiten your teeth, add contrast to your eyes, Graham, put a border around your picture, whatever.
Remove parsley from between your teeth, get rid of zits.
That kind of thing.
That kind of thing.
Yeah.
Excellent. That's what I need.
Right? Yeah. And with Stable Diffusion, which they recently announced, the app rocketed to the number one spot with everyone trying to create these AI avatars.
Oh.
Stable Diffusion is a latent text-to-image diffusion model, which can generate photorealistic images given any text input. So we've played with this before on the show.
Yes.
I can't remember when.
Not very long ago. It was with Liz Truss, I think. You had her eating a cream cake or something, didn't you? Yes.
So that's the kind of thing, right? Kind of like DALL·E is another one. So the idea is it cultivates autonomous freedom to produce incredible imagery based on the text input.
Why can't they just speak English rather than autonomous freedom and stable diffusion? Why don't they just say it makes up pictures?
Yeah, so you write words, it then creates a picture based on that word. Huzzah.
Very clever stuff.
Very clever stuff.
Yeah.
The reason this kind of rocketed to the top was, of course, celebs. The reputable, I am sure, publication called Hello Giggles said that celebrities—
I read it every week. I get my copy of Hello Giggles.
Says that celebrities like Micaela Rodriguez from Pose, Chance the Rapper, and even Britney Spears' new hubby Sam Asghari— I don't know this guy.
Yeah, they're all celebrities. I've heard of all three of those girls. Exactly.
Yeah, they've all jumped on the lens bandwagon to AFI their selfies. This is according to Hello Giggles. I just want to repeat that.
Right, good. Hello Giggles.
And you can actually play around with Stable Diffusion a bit just to see.
Oh, you want me to do this now?
Yeah, yeah, why not?
All right.
I just want to show you how powerful it is, right? Ask for somebody. So anyone that's famous, like Diana Rigg.
What about her? Do I just type in her name?
Type in a prompt. So Diana Rigg on a horse.
Oh, I love the idea.
Put naked on a horse. See what happens.
No, I don't want to see Diana Rigg naked on a horse. Can I make the horse naked? No, on a horse which is wearing clothes. I'm going to ask for the horse to wear clothes. Okay, generate image. Here we go. Okay, it's thinking about it. Progress bar. All right. And oh, it's done. Okay. Poor Diana. That looks a very uncomfortable way to ride horse sidesaddle, I can tell you. But anyway. Not very gracious, but yes, it is Diana Rigg. The horse isn't wearing clothes. That may be my fault. She is wearing clothes though, thankfully.
So you can just see how it works. So what this company have done is they've taken this tech and put it into their Lensa AI product, and people are going nuts about it. Well, why don't we talk about maybe the issues that have come up with this huge slam of this? This product Lensa AI, okay?
Yeah.
It's number one, right? It improves facial recognition tech to speed up mass surveillance. Okay, so we know that mass surveillance can be and is used in law enforcement and mass surveillance around the world.
Right.
We were able to fight it off in the country here in the UK for some time a few years ago, but how long can we keep that up? So that's a big issue. So do you want to help? By using something like this, you are helping to improve the tech.
So how do people help the tech by using Stable Diffusion? 'Cause they're just writing the words in, they're not uploading their photos, are they?
Well, good question. The way it works with Lensa AI so that you don't end up with these abysmal pictures of Diana Rigg or whatever is that you load 10 selfies up to its iteration of it. There you go. And from those 10, it will create a cute little avatar, sometimes up to 50 avatars. Right? Which you then can use on your socials or wherever.
Well, I can understand why people would want to play around with that and how that could have become very popular.
Let me tell you another problem that happened with someone who was trying to play around with this. Okay. So the rendering can be really bad. Journalist Olivia Snow wrote in Wired that she decided to test the app's limits. So she scrounged around to find 10 pics of herself as a kid. Right, she says, quote, "I found a few photos of myself from childhood until my late teens. Between my unruly hair, uneven teeth, and the bifocals I started wearing at age 7, my appearance could most generously be described as mousy. I managed to piece together the minimum 10 photos required to run the app and wait to see how it transformed me from an awkward 6-year-old to a fairy princess." She says the results were horrifying. She says later in the article, "For Lensa, which endeavors to beautify, as in whiten and sexualize, user-submitted content, the lack of moderation similarly threatens to unleash a torrent of likewise horrifying content, in this case, child sexual exploitation material."
So there's two issues here that you've just raised here. One is obviously the sexualization and how that could be used to create child abuse material, maybe.
Yes, exactly. And interestingly, Prisma Labs CEO and co-founder told TechCrunch that this behavior only happened if the AI was intentionally provoked to create this type of content.
Well, yeah, that's—
Yeah. And he said, He says this represents a breach of our terms.
Oh, well then.
And if an individual is determined to engage in harmful behavior, any tool would have the potential to become a weapon, he said. So I thought about this, right? And I thought I'd take it as a challenge. So I'm going to name 3 tools and you tell me how you would use these as a weapon. Okay?
Okay. All right.
A button.
A button? How could I?
A button is a tool because it closes your clothes. It's very useful.
Oh, yes.
Does a thing.
You could shoot it out of a gun. Maybe you could choke someone with it in their windpipe. Perhaps if you got them to swallow it and it got stuck a bit, a bit like a fishbone with the Queen Mother. You know?
What about a tissue then? A tissue?
Bless you. Well, you could— a tissue, you could have chloroform on it.
True.
Or you could— Yeah. If it was a tissue which was hard to rip.
You're pretty good at this.
You could make it into a tourniquet for throttling somebody. I'm struggling here. I wasn't expecting all this, Carole.
Yes, yes. I would love to see that. So basically they are saying, not our problem, gov, it's the users that are coaxing it. It's blameless. Number 3 on my list, societal biases.
By the way, I'm not very happy about the fact that it's also whitening people to make them more beautiful as well.
Well, exactly. Societal biases. So you could whiten teeth, but also whiten people. So users of non-Anglo descent have also alleged Lensa whitens their skin and anglicizes their features. And this is a common complaint of image editing software on TikTok and Instagram.
Right.
The technology doesn't consciously apply representation biases, says the CEO. Again, the man-made unfiltered data sourced online introduced the model to the existing biases of humankind, he said. The creators acknowledge the possibility of societal biases. So do we. So again, it's a shitty answer in my book because they're providing a service and taking absolutely no responsibility for blocking certain requests, which surely is their job, as it is Facebook's job to weed out scams and hate comments and all that stuff, as it's YouTube's.
But to be devil's advocate for a moment, Carole, if you had bought, if you were a manufacturer of scissors, which obviously have plenty of lovely purposes, but—
It comes in a huge plastic, you know, difficult to open container. And I'm sure it has warnings, can't be sold to anyone under 18.
Well, and Lensa AI probably makes you click through some agreements to confirm.
Exactly. I read them actually. So yes, they do.
Did you? Right. You know, I mean, I can see them making that parallel.
Doesn't float my boat, but there you go.
Okay.
But you know, noted. Yeah. Number 4, anybody can use it on anyone's selfies or any images. So as explained in Artnet, Sarah Cascone wrote, I had no intention of using Lensa, but then my husband called my name excitedly across the apartment asking me to check out the 100 artworks the app had just created based on 20 images of my face. Neither my husband Nathan nor I had downloaded the Lensa photo editing app, but a friend had a trial period 50% discount on image packs which normally cost $12 for 100. He had offered to run our faces through the app, and without consulting me, Nathan eagerly sent over our photos.
Hey, my ugly friends, look, I've made you more attractive. Look what I've done. You've been cursed by being hit with the ugly tennis racket.
Yeah, they're just kind of annoying, right? So you can load up anything. I could have loaded up 10 pictures of you to find out what it made of you, but I'm then teaching the AI based on your images without your consent?
I think it would pretty much— It would break the machine, I agree. I think everyone would end up more attractive if I got uploaded to this.
If you want to look in the show notes, you can see some of the images that it actually has created.
Oh, okay.
So we have a girl here, but they've kind of rendered her differently, but all her features are a little bit more exaggerated.
Yes.
If you look at the second picture, you can see the girl was pretty much sexualized. And the last segment I got you, you can see the real photos that the person uploaded. Oh, you can see the pictures that they created. So it kind of airbrushes you and gives you this weird bigger eyes, fatter lips, bigger boobs.
It is very hypersexualized. Yeah.
Finally, copyright. So artists are claiming their work is being stolen.
Yeah.
So it's been noticed that artists' signatures are sometimes still visible, although scrambled, in some of the rendered images because the app uses the open-source Stable Diffusion model that makes the use of copyright art from artists around the world in order to work. And Prisma Labs responded on Twitter, "The AI learns to recognize the connections between the images and their descriptions, not the artworks. This way, the model develops operational principles that can be applied to content generation," basically saying the outputs cannot be described as exact replicas of any other artwork.
So let me get this straight. Prisma Labs, they are recompensing the artists, aren't they?
Of course they are. No, they're not. They went around the web, they scraped everything, including copyright art.
How do they justify that?
And then use that to generate images? Well, I just explained it to you. They're saying that the image that they've generated on your image is not an exact replica, and therefore, what's your point?
Yes, but if I'm making sausages and I'm filling them with bits of pig, I have to pay for those bits of pig which end up in the sausage.
That's a pretty gross way of describing it. Do you want to use another foodstuff, maybe?
The point is they're feeding one thing into the funnel, aren't they? That is the commodity, and they're selling the output.
Yes. Well, it's exactly the same as Clearview AI, which does a similar thing. It scraped everything off the web and then uses it. The other point is that they're selling this stuff cheap, right? So $8 gets you 50 avatars, takes seconds to use, and no artist can compete with that. And well, they can, but they won't probably be eating very much. They're profiting from stolen, uncompensated, and uncredited art. That's the way I would put that.
I'm not sure I Prisma Labs.
Well, then I think I've done my job.
Listeners know that a password manager is an important tool for generating and saving secure credentials for each of your online accounts, and podcast sponsor Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Now, what's nice is that it's open source with published third-party security audits. Bitwarden is transparent and secure. It utilizes end-to-end and zero-knowledge encryption with source code that can be scrutinized by all. And the team at Bitwarden are always introducing new features to make your life easier as well as more secure. For instance, they've just introduced passwordless login for the Web Vault, meaning you can authenticate into the Web Vault using your Bitwarden mobile app instead of entering your master password. Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today. That's bitwarden.com/smashing.
When do you have insight into your compliance, security, and risk postures? If it's right before an audit, you're in the same boat as many other organizations. With Drata, G2's highest-rated cloud compliance software, you'll have continuous monitoring and visibility into your risk security controls and audit readiness for standards like SOC 2, ISO 27001, GDPR, HIPAA, and more. Plus, Drata can streamline compliance for over 14 frameworks and even automate the custom frameworks and controls you create to meet your organization's unique security needs. With more than 75 native integrations and a risk management solution, you'll have a tool that will scale with you. Professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it has been to have Drata as their trusted compliance partner. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A.
The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's kolide.com/smashing, and thanks to Kolide for supporting the show.
And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Better not be.
Well, my Pick of the Week this week is not security related. I saw on the wires that everyone's talking about this new Netflix show, Wednesday. Have you heard of Wednesday?
Yes.
Wednesday Addams from The Addams Family is the main character in this thing. I haven't watched it.
My brother has, and my niece has, and they loved it.
They love it, do they?
They loved it, yeah.
Well, Wednesday, the strangely, gothically, darkly strange Wednesday Addams is played by Jenna Ortega. And she was in the news this week because she was talking about how she'd had a really hard time filming a dance sequence, which appears in one of the episodes. And I have seen the dance sequence. It's up on YouTube, and it's pretty cool. She does this kind of jerky, robotic, angular dance sort of thing. Have you seen that, Carole?
Yes, I have. Yeah, it looks good. It reminds me a lot, actually, of Pulp Fiction.
Oh yeah, yeah, a bit like Pulp Fiction.
It has that similar kind of Pulp Fiction-y— Yeah, Pulp Fiction-y movement does. She dances a little bit like she's a marionette, but the person who's doing the puppeteering is completely and utterly rat-arsed on MDA or something like that.
Oh, now you know what ecstasy does, you see?
But the reason why this is in the news this week is that Jenna Ortega says that, "Oh, I had such a hard time filming that sequence because I had COVID at the time and I had all these symptoms." And she was saying, "Oh God, I felt really bad. And as soon as the result came back positive, you know, I got whisked away, but you know, I was feeling so bad." And it's like, "Well, hang on, what? Hang on, so you were on a film set?" surrounded by all these other people.
It's not 2020 anymore, clearly.
No, but it wasn't filmed yesterday, Carole.
Oh, good point.
Right? And she had all the symptoms. And even if you do have the symptoms now, you're not supposed to be, you know, spluttering and dancing around. Anyway, I was thinking about dancing because I'd— admittedly, it's a good dance sequence. And I was thinking about dancing.
And I thought, well, this isn't the best dancing I've ever seen. And I was reminded— And I'd like to take you back to 1980 at the West Park Pavilion, which is the major entertainment venue on the island of Jersey in the English Channel. And in 1980, I think it was September 1980, they held the regional final of the EMI Disco Dancing Competition on Channel TV, the local TV station. And that has been immortalised in the form of a YouTube video where you can see all the best dancers from the best discos, not just in Jersey, which is a tiny island, but also Guernsey, and maybe Alderney as well, where there's about 3 people who live on Alderney.
I love that even if a tiny fraction of our listeners go and visit this, it's going to scream up these views because they only have a max of 3,800 views at the moment.
Well, I came across it and I thought, this is fantastic television from 40 years ago. It's half an hour.
It's beautiful.
Now, the competition was sponsored by the local hi-fi store.
Was it? Yes. If you watch to the end, third prize is a Ferguson clock radio. Brilliant. First prize winner, I'm not going to reveal who does win the prize, but the winner won £100, a hi-fi system, and entry into the UK Disco Dancing Championship. I have not yet discovered whether they went on to win nationally.
Yeah, yeah, it's really worth it. I've actually watched this right before the show on your request, and I found my favourite quite early.
Okay, which one did you like?
I—
Was it the guy in the film?
I really like the first guy. No, I really like the first guy with his gold socks and this kind of gold chain wrapped between his legs and wrapped around like a diaper.
His dangler.
And he's topless, of course.
Of course.
Everyone in disco time, we're all topless. But he moves like a real— Anyway, I think he should have won.
I quite liked the guy in the skimpy thong who'd sprayed himself silver like a robot.
Yeah, he could really move too.
There is some pretty impressive dancing.
When I watched this, it explained my husband's dancing. Oh, this is who he is, isn't it?
Oh, I suppose so. Yeah, he is.
We just need to get him some flashy outfits and we're ready to rock.
Well, if he keeps on practicing, he could win himself a clock radio. And I'm sure he'd be— This is the kind of thing they used to put on television in the 1980s. And I loved it. It took me down a rabbit hole reading more about Channel TV on the internet. And that is why the regional final from the Channel Islands of the Disco Dancing Championship in 1980 is my pick of the week.
Definitely not a barrel scraper, right?
Definitely not. Carole, what's your pick of the week?
Well, my pick of the week is for fans of Maria, because we just recorded our last Sticky Pickles podcast of the season, season 5.
Yes.
And I worked hard to really blow Maria away because she has wonderful explosions of emotions, right? Outrage, or laughter, or shock. And I wanted to get the trifecta, all the emotions there in the story. And I had to craft it very carefully in order to get that. But boy, she lost it.
I have listened to the latest Sticky Pickles. I'm sorry to hear it's the last one of the season. I did laugh out loud in the car as I was listening to it.
Of course you did. You can't help it.
Not just at the sheer smuttiness and filth of your story, which was— it really was— well—
It had to be to make her on edge, right? I had to bring her to her most uncomfortable self.
It brought tears to my eyes, let me say that, without going into too much detail. But then Maria's story and your reaction to it was really— all I can say is hand cream and horses. That's, I think that's all we need to really say to sum up the episode.
Yeah, a trigger warning. If you don't like horses, this episode's not for you. Yeah, I love it. Yeah, and if you like your comedy clean and family friendly, this episode is definitely not for you.
Absolutely not, absolutely not. But yeah, Sticky Pickles, go and check it out. In all good podcast apps, I imagine.
Exactly, of course it is.
How many episodes have you done? You've been doing this for years, haven't you? This is, for people who don't know, this is the strange cousin of Smashing Security, the estranged cousin.
The estranged, yes. The cousin that didn't, yeah. So we've done 75 episodes.
Wow.
And we are approaching 100,000 listens of our show.
Yeah.
Right? And we have a solid base, which I'm sure there is some overlap with Smashing Security listeners.
Oh, I'm pretty sure there is because we both got that guy Turtle or whatever his name is listening to us. Both our shows.
Yes.
So newbies, if you want to check it out, you can find it at stickypickles.com. And if you're already fans of the show, this is a doozy. My hunksband, he's a regular listener, but only because I always want to have a second listen before I go live. He said after listening to it, pretty kick-ass beauty.
Did you call him hunksband?
Yeah, I always do.
Have you made up a new word? I haven't heard hunksband before.
Well, I tend to do it. Yeah.
You just do it to him. I understand. Well, well done, Carole, for sneaking in some free sponsorship and advertising for Sticky Pickles on the Smashing Security podcast. And in that vein, we have a featured interview this week, don't we, with the guys from Bitwarden? Yes, we do, with Rico Acosta from Bitwarden. He's the IT manager, and he also has an incredibly deep voice, probably the deepest I've ever encountered. Rico talks all about how to train people into being more secure online. Check this out.
Thank you very much for having me.
I don't know if you know this, but more than a decade ago, I too was responsible for security training all new employees at this global security firm I worked at.
Okay. So, I'm totally fascinated to hear about your approach to cyber training and employees at Bitwarden, because at the time, there was nothing for me to, you know, there's nothing I could copy. You know, it just didn't exist really at the time, or I couldn't find it. So, I had to make it up on the fly. Yeah. And I think that's something that's just more at the forefront now. You know, when I first started working on computers, when, you know, I was a young teenage boy, you know, the internet was still not an accessible thing to most households, right?
Yeah. Yeah. It makes total sense. I mean, even two-year-olds want to know why.
Right. Absolutely.
Absolutely.
Right. So, so it makes sense. And I remember, I think when I took over the training, the reason I did it is because IT at the time was responsible and they were basically scaring the poop out of new employees by giving them rules of, you cannot do this, do not do that.
Right.
So, so do you find that helps that you get a lot more engagement from those that are taking your training if you explain why?
Oh, absolutely. Understanding the importance of it is what creates that buy-in from people. It's not me just saying, hey, use a good password, right? Use a good password. Use this number of characters or this many phrases. It's, hey, you should use a good password because here's how easy it is to crack a weak one, right? And then showing an example. And that is much more eye-opening than just saying, hey, standard password length of whatever is insecure, whatever it may be. If you can explain that, they buy into that, because now they understand, oh, wow, if I use this password 123, it literally takes a computer 2 seconds to crack this, right? They can understand real-world applications, they can understand the real-world threats when they understand what we're doing here.
Yeah. A question I used to get a lot was not a question, but a challenge, I guess, was, 'Look, I'm nobody, right? I work in blah blah. I have nothing to do with, I'm not important. It's not, it's no big deal if my password is the name of my cat.' Sure. And I had trouble explaining that the weakest link, you're only as strong as the weakest link that you have. So how do you deal with that? Absolutely. Absolutely. First, you are special. You are important. That I only have $5 to my name.
Yeah. Right.
Yeah.
Right. They're making multiple attacks against multiple entities at all times. And the bad guys, they only need one opportunity, right? You may think, oh, I'm not this high-level person or whatever. But if your account grants access and it's inside the castle walls, now that person is inside, right?
Yeah. And they have lots of tools to help them find that one needle in the haystack as well, a good metal detector.
Sure. Sure.
Absolutely.
Yeah. Yeah. So tell me, how much do you focus on password management when you're doing cybersecurity training at Bitwarden, which specializes in password management?
That's something obviously we focused on. It's a component of that training. It's, I would argue, the easiest component for our team, because that's what we do all day. That's where our primary focus and development efforts are, password management. So I try and give everything equal weight. All of these things are important all the time. So we can't focus on just one area more than the other, but it's definitely a strong component. It's one that the team is highly aware of. I would be flabbergasted to know that anyone on the team hadn't used a password manager. And there shouldn't be kind of this distinction, I think, between personal and business. You should have them for your personal accounts as well.
Yeah. And how could anyone actually manage their passwords? Or rather, how could anyone manage unique passwords today? I mean, even someone who uses computers only as a sideline, maybe they don't even do it for their job, will still have a dozen different accounts from healthcare to banks to everything that's vital for existence in society versus all the fun accounts. And obviously we would love for you to use Bitwarden, but if you're not using Bitwarden, use a password manager. There is no chance unless you have eidetic memory where you can memorize everything. Unless you have that, there is no chance that you remember all of your passwords. Exactly. Unless you, exactly as you say, unless you have a photographic memory and those of you out there that do, I am so jealous.
And even if you do, even if you do, save that part of your brain to memorize something else. That's right. Yeah. Don't waste it on these things, on 26-letter passwords. So I'm actually quite a big fan of Bitwarden. I've been using Bitwarden and I think it's quite a joy to use. It's just as easy. It's just as simple and straightforward. Obviously I use it personally. And I manage it for our entire organization as well. It's simple. It works. We can deploy quickly. There's lots of integrations that IT managers do every day and lots of backend configuration. And I certainly feel for anybody that is in that field doing that, you can understand how time-consuming those things can be. But Bitwarden has a very straightforward method of setup. And what was really impressive for me coming onto the team and then taking over the reins for IT management was the documentation. The team writes excellent documentation. It's all available online. And really, it's just well done. The team does write really great guides.
And that's super important, right?
Yeah, and if you're maybe junior in your career or just coming into the field, sometimes it can be daunting to try and set up a big enterprise-wide thing. So being able to have this kind of step-by-step guide that walks through, it actually works. It's very helpful.
I've had people ask questions, and I'd rather ask you because you know much more about it than I do. But typically when people are moving from one password manager over to Bitwarden, is that more complex than having someone who's never used a password manager before?
Sure. I think that's another blocker, right? Actually, a vendor of ours, they expressed an interest in moving, but the initial roadblock was gosh, but it's like, I'm gonna have to invest so much time. No, let me show you real quick. Let's hop on a quick call. 5 minutes, let's talk about this. And it's very easy. It's very easy. So prior to using Bitwarden, I was using a different password manager. And I thought the same thing. You know, what if everything doesn't transfer properly, and all this, but when you dive in, it's simple. I mean, it's straightforward. And I think that's part of the Bitwarden business model in a way, right? Let's make things that are easy. Get out of the way so the user can use it. That's so important. And that helps build that buy-in, helps build that use. Because if something is so complicated all the time, you're not going to use it, right?
Yeah.
If you had to go to your car and you had to tap the brake 3 times and touch another button 4 times.
Put the tires on.
Right.
You're not, you're like, I'll walk. I'll walk.
Yeah.
I'll walk 15 miles.
It's fine.
So having that ease of use is something that Bitwarden is very good at. And that includes everything, you know, switching over to it, you know, personally, or even switching for an entire organization. Enterprise situation. It's straightforward. It's simple. It helps your users get up and running quickly and be about their day.
Well, I think it's a darn good product. And that's been my experience as well. Rico, thank you so much for coming on the show. Is there anything you want to add?
But I just thank you very much for doing this. Thank you for making this an easy conversation. I'm really glad to hear that you're enjoying the product. You know, I think obviously with some bias, it's a really great product. If you're not using Bitwarden, that's okay. We'd love for you to try it out, obviously. But please use a password manager.
It's—
It will make not only your life easier, but it will make it a lot more secure.
I can jump in and say, listeners, you can learn more and try it out for yourself by visiting bitwarden.com/SmashingSecurity. That's bitwarden.com/smashing. And Rico Acosta, IT manager at Bitwarden, thank you so much for making time to talk to us today.
Of course. Thank you so much.
There you go. Not bad, eh?
Yeah, definitely not sweating through my shirt over here.
Well, he seems like a very nice chap to me. And thanks, as we've said, to the folks at Bitwarden for sponsoring the podcast. It's really terrific as an independent podcast to have support from brands such as Bitwarden. We really appreciate it. And if you want to check out Bitwarden, go to bitwarden.com/smashing. Well, that just about wraps up the show for this week. You can follow us on Twitter while Twitter still exists. We're @SmashinSecurity, no G, Twitter won't allow us to have a G. And we're also on Mastodon. If you want to find us on Mastodon, easiest thing to do is go to smashingsecurity.com/mastodon and it will take you to our account. And look up the Smashing Security subreddit on Reddit as well. And never forget, if you don't want to miss another episode of Smashing Security, sign up, follow us in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.
And massive shout out to this episode's sponsors, Bitwarden, Kolide, and Drata. And of course, to our wonderful wonderful Patreon community. It's thanks to them all that this show is free. Episodes, show notes, sponsorship info, guest list, and the entire back catalog of more than 301 episodes is all on smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye.
Do you not think that we should stop asking people to follow us on Twitter?
Oh yeah, Elton John has just left Twitter. Did you hear that? I mean, why don't we just—
Why don't we do that? Not saying we have to kill the account, but we could just mention Mastodon, and then I don't have to hear that fucking T-word in a whole show. Wonderful. Just, you know, please, I'm putting it on the table.
You're putting it on the table and you're leaving it inside the minibar. There you go. In the fridge.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- Smashing Security 229: Dating leaks, right to repair, and a stinky bishop – Smashing Security.
- Hard cheese: Stilton snap shared via EncroChat leads to drug dealer’s downfall – The Register.
- Operation Venetic: Pet dog and accidental selfies help convict international drugs traffickers – NCA.
- What does the Lensa AI app do with my self-portraits and why has it gone viral? – The Guardian.
- Lensa, the AI portrait app, has soared in popularity. But many artists question the ethics of AI art – NBC News.
- I Uploaded Photos of Myself to the New Lensa A.I. Portrait Generator. The Results Were Stunning, Strange… and Super Creepy – Artnet.
- People keep sharing their AI-generated portraits: What to know about Lensa, and why some push back on it – USA Today.
- How Is Everyone Making Those A.I. Selfies? – New York Times.
- Lensa AI: Security concerns regarding app behind colourful selfies on social media – The National News.
- ‘Magic Avatar’ App Lensa Generated Nudes From My Childhood Photos – Wired.
- Celebrities Are Obsessed With This Amazing New AI Portrait App – Hello Giggles.
- This AI Self-Portrait App is Taking Over the Internet – Medium.
- Wednesday Shows Off Her Moves – YouTube.
- ‘Wednesday’ faces backlash over Jenna Ortega’s COVID dance scene – NME.
- Channel Television Disco Dancin’ Final – YouTube.
- Sticky Pickles.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Drata – Put Security and Compliance on Autopilot. Build trust with your customers and scale securely with Drata, the smartest way to achieve continuous SOC 2, ISO 27001 & HIPAA compliance.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.