GRAHAM CLULEY
Imagine the effect of tears on a grandparent. Their heartstrings being plucked.
CAROLE THERIAULT
You don't know my grandmother. I tell you what, she would kneecap that person with her umbrella. She'd be like, I'll get out of here.
Unknown
It's true, the Terriers are a dangerous lot. Smashing Security, episode 312: Super Grannies, Bar Trolls, and US Marshals. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 312. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week on the show, Carole, who are we joined by?
CAROLE THERIAULT
By the lovely Anna Brading.
ANNA BRADING
Hi, I'm back. Thank you for having me.
CAROLE THERIAULT
We used to all work together, listeners, the three of us at one time, and it's kind of nice to be all together.
GRAHAM CLULEY
We all used to not work together as well, as I remember. There were quite a few times where—
ANNA BRADING
No, there was no messing about, Graham.
CAROLE THERIAULT
Well, you can speak for yourself. I work very, very hard.
CAROLE THERIAULT
Anna, what's new? It's been a while.
ANNA BRADING
I know, I know. Well, what have I been doing? I'm still doing what I was doing before, so I'm sort of helping cybersecurity companies with their content.
And actually, thank you for asking, Carole. I have a tiny space for another client, so can I use this as a little promo?
CAROLE THERIAULT
Sure, sure.
GRAHAM CLULEY
If I need the invoice, we'll add the ads music underneath you talking. How about that?
ANNA BRADING
If you could, well, just get me on LinkedIn or Twitter if you need help with your content or your social media. Thanks.
CAROLE THERIAULT
Okay, how about we get this show on the road? Before we kick off, let's thank this week's sponsors: Bitwarden, Kolide, and Drata.
It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY
All the older ladies, all the older ladies, all the older ladies. I'm going to be celebrating the older ladies.
CAROLE THERIAULT
Okay. Anna, what about you?
ANNA BRADING
I'm talking about an iPhone theft that ends up with you losing more than your device.
CAROLE THERIAULT
And aren't going to be talking about ransomware everywhere? What are we going to do?
Plus, we have an interview with Kolide's CEO, Jason Meller, where he unveils some exciting news around end-user remediation.
All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I don't think it will come as a surprise to either of you that I am well known for my love of the ladies.
GRAHAM CLULEY
It's true, isn't it? It's true. I do. I especially like older ladies. Diana Rigg, Ingrid Bergman.
CAROLE THERIAULT
She's dead.
ANNA BRADING
Okay, well, she's dead.
CAROLE THERIAULT
So you like dead ladies?
GRAHAM CLULEY
The older, the better.
ANNA BRADING
This got weird.
CAROLE THERIAULT
This got very weird. I'll get out of this room.
GRAHAM CLULEY
If I'm an archaeological diggy, all the better. No, it's true.
If I'm at a social thing and I feel a bit awkward and I don't know anyone, I gravitate towards the more ripe ladies for conversation and chit-chat.
CAROLE THERIAULT
Ripe? Yes, yes, the older ones. The ones who've been, you know, the ones who've been around for a bit, because I feel more comfortable with them.
I don't want some young lady chatting to her, because I won't know—
ANNA BRADING
Is that why you don't speak to me, Graham?
CAROLE THERIAULT
When you say ripe, do you mean stinky?
ANNA BRADING
You mean slightly squishy?
CAROLE THERIAULT
Because I say that about, you know, if I'm near somebody and they're a little bit honky, I might go to Anne and go, bit ripe over there, aren't they?
GRAHAM CLULEY
I just like the more elderly lady, the more experienced lady, because— not because I'm gonna romance scam them or anything like that, not because I'm interested in the inheritance, because I feel more comfortable.
I feel there's less testosterone swishing around. There's less, you know— and they've got good stories, right?
ANNA BRADING
They could have some fun things to tell me.
GRAHAM CLULEY
Isn't there more?
ANNA BRADING
Hold on, isn't there more with an older lady?
CAROLE THERIAULT
Yeah, and whose testosterone are we talking about? Basically you're saying you're not turned on by them, so it's much better for you, you can hold a conversation.
ANNA BRADING
You're just ridiculous. I mean, when I was in my 20s and we worked together, your testosterone was just flying about.
GRAHAM CLULEY
I would say—
ANNA BRADING
Hard to avoid it.
GRAHAM CLULEY
I would say the older lady, she's salt of the earth. But if you're ever in trouble, you can always try to find an older lady to help you out.
That's some piece of advice that I was given as a child. If you get lost, go and find an older lady. Who'll look after you. Go and find a mum or maybe a granny as well.
ANNA BRADING
Actually, that is the advice I give. I give my son that.
CAROLE THERIAULT
Yeah, yeah. Don't go to the security guard. Go to an older lady. Go to a lady. Yeah. The older bit didn't ever feature in my mind.
GRAHAM CLULEY
That's a good point. I still live by this.
ANNA BRADING
So if you're lost, you will go and find an older lady?
GRAHAM CLULEY
Absolutely. I definitely will. Okay. Which I suppose as I get older, it's going to become more and more difficult. And I may have to ask for ID.
CAROLE THERIAULT
Don't worry, just call up Diana Rigg.
GRAHAM CLULEY
Anyway, so imagine, for instance, imagine you are out with your mate Dave, right? You're in his car, you're driving around in the evening, and you have a car accident.
Crash, bang, wallop, right? Imagine, oh crumbs. So there I am, I've had a car accident. The cops come along and the cops say, "Yeah, okay, get out of vehicle," they say.
And you step out of the vehicle and they find some suspicious substances. Not easy to say with your teeth in. In the glove compartment. Okay?
And you get arrested because there are pills or some sort of narcotic possibly in there.
You get arrested, you get put in a little cell for a while, and you need bond money to get out.
GRAHAM CLULEY
In order to—
CAROLE THERIAULT
So you're in jail. You're in jail and you need money. You're in jail.
GRAHAM CLULEY
You're in jail.
GRAHAM CLULEY
You're in a sticky pickle. And as we know, when you find yourself in a sticky pickle, Carole and Anna, yep, a respectful nod. You're right.
CAROLE THERIAULT
Respectful nod.
GRAHAM CLULEY
What do you do? What do you do? What do you do if you're stuck in a sticky pickle?
CAROLE THERIAULT
Well, you listen to a podcast, first of all.
GRAHAM CLULEY
They could have taken your earphones off you in case you try and hang yourself from the ceiling. They probably haven't let you do that.
CAROLE THERIAULT
You just go, "I have a phone call. Lawyer." Yeah.
GRAHAM CLULEY
Right? You could ring a lawyer.
ANNA BRADING
Do I call an old lady?
GRAHAM CLULEY
I would call up Grandma. That's what I would do. I would ring up my Grandma. You definitely do not—
CAROLE THERIAULT
Is she still with us?
ANNA BRADING
I don't think I could call mine.
GRAHAM CLULEY
No, okay, my grandma isn't still with me, but I'd ring up someone else's grandma, maybe. What you don't do is you don't ring up your parents, because they're your parents.
They're going to be furious with you. What are you doing out with Dave? You know Dave's a big drug head. Why are you doing that? You know what his car's like and his driving's like.
You know if he's been sniffing something or if he's been drinking stuff. So, because you don't want earache, you don't call up your parents, you ring up your granny.
And that is what happened to 74-year-old Bonnie Bednarik. She got a phone call out of the blue. She's a granny. And the person on the line said, "Oh, Granny, I'm in jail.
There's been a crash. Dave's car, pills in the glove compartment. I need some cash." Did she go, "Who's this?" She did. She said, "Who's this?" Oh.
And he said— and he got really upset. He said, "Granny! Granny, how can you not recognise me?
How can you not recognise my voice?" And so, Bonnie Bednarik, she said, "Oh, is that Steve? Is that little Steve?" And he said, "Yes, yes, it's Steve here, and I'm in jail.
I need you to get me out $9,300 Canadian. Can you get me $9,300 Canadian?" "What'd you do there, Steve?" "Well, what I did was I was just innocently in the car. Dave had a crash.
He had some pills in the glove compartment. I haven't done anything wrong. I just need to get out. I just need you to pay the bond so I can get out."
CAROLE THERIAULT
You know what, I'll come. Let me come to you. Let me come to you. You need a hug from Granny.
GRAHAM CLULEY
No, no, no, Granny, Granny, you stay there. You stay there, Granny. I'll send my mates round. I'll send my mates round and they'll go and pick up the money and they'll bring it to me.
All right?
ANNA BRADING
Fuck off. Just fuck off.
GRAHAM CLULEY
Now this, this was the third time in the last year that Bonnie had received such a call from one of her grandchildren having a crash in Dave's car. So, the first couple—
CAROLE THERIAULT
How does Carole not recognise her grandkid's voice, first of all? Does she even have grandkids?
GRAHAM CLULEY
Well, this is the thing, Carole.
GRAHAM CLULEY
She did. The first two calls she received over the course of the year, she hung up. But this time she was feeling mad that they'd rung her again.
She thought, I can tell that this is a fishy activity. And that's why—
CAROLE THERIAULT
Okay, she's on to them.
GRAHAM CLULEY
She's on to them.
So, when the person on the other end of the line acted all upset that she didn't recognise her voice, she said, and was saying, "Oh, come on, it's your grandson." She said a name that wasn't her grandson's.
Oh. And so the guy pretending to be the grandson said, "Yeah, yeah, Stevie here. Stevie here." And so what she said then was, "Look, okay, look, what, $9,300?
I'm gonna have to call up the bank," she said. "I'll call you back in 15 minutes," says Bonnie. So Bonnie picks up her phone. She hangs up on her so-called grandchild.
And instead of ringing the bank, she calls the police. And the police— this is in Canada, by the way.
GRAHAM CLULEY
Yes, now I thought— now you're—
ANNA BRADING
Piqued your interest?
CAROLE THERIAULT
It's a big country. Where, where, where?
GRAHAM CLULEY
Now you're interested. So the fraud unit at the police got mobilised instantly. So they've constantly got a fraud department waiting. They're on a trigger.
They're just waiting for the bat signal to go off. They will race out.
CAROLE THERIAULT
And go where?
GRAHAM CLULEY
To set up surveillance near Bonnie Bednarik's home.
CAROLE THERIAULT
Because the people are coming over to pick it up in person?
GRAHAM CLULEY
Because Stevie, in the jail, he can't come round to pick it up, can he? Because he's, quote, "in jail." They're not going to let him out.
Yeah, sure, you go out and go and get some money. So he's using this ruse of, I'll send a couple of my mates round to do this instead.
GRAHAM CLULEY
So the cops, they set everything up.
CAROLE THERIAULT
And they're dressed in plain clothes, right? So they've got fake moustaches.
GRAHAM CLULEY
Imagine how a normal Canadian looks, right?
CAROLE THERIAULT
Yep, plaid shirt.
CAROLE THERIAULT
Canadians are extremely fashionable and practical.
CAROLE THERIAULT
And I'll have nothing said about it.
GRAHAM CLULEY
Plaid shirts are— I am wearing one right now. I look like Bryan Adams myself.
CAROLE THERIAULT
Canadians, remove them now. Something changed. No longer on trend.
GRAHAM CLULEY
So she kept him on the line, but then she needed to— She needed to keep him going for a little bit longer.
Then she said, "Oh, I have to ring my husband because I don't have the car in order to go out and get the cash from the bank." Because the cops said, "Waste his time." Exactly, waste his time, because we're going to be putting our shirts on and getting all comfy and buying the doughnuts, you know, for the stakeout.
But sure enough, after a while, these two goons showed up at Bonnie Bednarik's house.
CAROLE THERIAULT
Asking for the $9,300 Canadian dollars. And the fraud cops swooped.
GRAHAM CLULEY
They collared them. And as a consequence, two men have been arrested. Apparently the police say they've picked up a fairly large quantity of money. I don't know what that means.
A fairly large— A few envelopes worth.
CAROLE THERIAULT
From our girl? From our granny?
GRAHAM CLULEY
No, no, not from the granny. The granny never got the money, Carole.
ANNA BRADING
From the goons.
GRAHAM CLULEY
It was from the goons. Because they've been doing this on lots of grannies.
CAROLE THERIAULT
Oh. And keeping the money in their wallets.
GRAHAM CLULEY
Well, you know, or they went to their house. They went— I don't know. I don't know the exact details.
CAROLE THERIAULT
No demand research today.
GRAHAM CLULEY
Well, no, I've tried quite hard.
ANNA BRADING
It does seem like you have.
GRAHAM CLULEY
And I haven't found out where the money was held in an envelope. I don't know exactly where the envelope was. But they captured these two chaps. This is in Windsor, by the way.
Windsor, which is— is that Ontario, Carole?
CAROLE THERIAULT
Yep, Windsor, Ontario. I went to university very close to there.
GRAHAM CLULEY
There you go. So, and they actually rolled out Bonnie Bednarik, the 74-year-old granny, at the press conference where she gave a warning to—
CAROLE THERIAULT
Rolled her out?
GRAHAM CLULEY
What's wrong? No, not on a gurney.
GRAHAM CLULEY
No, no, no.
ANNA BRADING
I meant in a wheelchair, carry on.
GRAHAM CLULEY
No, no, I mean— No, well, they brought her out in front of the microphone.
CAROLE THERIAULT
They invited her on stage.
GRAHAM CLULEY
She strode out like a conquering hero.
ANNA BRADING
Yes, that's what we like.
GRAHAM CLULEY
And she advised all of the senior Canadians that they need to be vigilant. And if you get a call like this, never ever release your grandson or granddaughter's name.
Make them say what it is. And maybe perhaps have a better relationship with your grandchild that you actually recognise their voice.
CAROLE THERIAULT
That could also be a good tip. Perhaps.
CAROLE THERIAULT
And call your family, call the police. But don't, you know, don't obviously have people coming round and picking up tens of thousands of Canadian dollars.
CAROLE THERIAULT
I can't imagine many older people would be like, oh yes, send round some guys I've never met. Well, because I live on my own and that feels great.
GRAHAM CLULEY
The boy was crying, Carole. Imagine the effect of tears on a grandparent.
ANNA BRADING
Well, that is true.
GRAHAM CLULEY
Their heartstrings being plucked.
CAROLE THERIAULT
You don't know my grandmother. I tell you what, she would kneecap that person with her umbrella. She'd be like, "Get out of here." It's true.
GRAHAM CLULEY
The Terriers are a dangerous lot.
Anyway, I think so often you will hear people saying, "Oh, the elderly are getting scammed all the time." Well, sometimes the elderly are much, much smarter and much more on their toes.
So good for Bonnie. I think—
CAROLE THERIAULT
And good for you, Graham Cluley.
GRAHAM CLULEY
Well, thank you very much. If I am ever in Windsor, Ontario, I may look up Bonnie Bednarik and perhaps want to hang out with her.
CAROLE THERIAULT
No, I just meant you're getting older.
GRAHAM CLULEY
Well, yeah, well, thank you.
ANNA BRADING
It's not long now.
CAROLE THERIAULT
One day too, you will be bright on these things. Oh, fantastic.
GRAHAM CLULEY
Anna, what have you got for us this week?
ANNA BRADING
Okay, so Graham, I need you to do a bit of roleplay with me for this one.
GRAHAM CLULEY
Okay, fine.
ANNA BRADING
Okay, so can we just set the scene? So you're in a bar with your friend Carole.
GRAHAM CLULEY
Unlikely. Yeah, carry on.
CAROLE THERIAULT
Different tables.
ANNA BRADING
Well, whatever works. And you're dancing, and a sexy lady comes up to you, okay?
GRAHAM CLULEY
Oh my God. Sexy older lady.
ANNA BRADING
Whatever, yeah, fine.
CAROLE THERIAULT
Diana Rigg. Diana Rigg. Diana Rigg, A Weekend at Bernie's.
GRAHAM CLULEY
Oh, lovely.
ANNA BRADING
Someone wheels out Diana Rigg. Okay, so I'm gonna be this sexy lady, okay? So, I'm sorry about this. Hey, I noticed you across the bar. Do you come here often?
GRAHAM CLULEY
Only in the mating season.
CAROLE THERIAULT
If you didn't get a drink in your face at that point.
ANNA BRADING
This is— I think I would've given up. If I was this woman. But anyway, oh, look at my phone case! Look how cracked it is. I'm so, I'm so clumsy. Actually, I need a new one.
Oh hey, I bet you've got a cool case. Can I have a look? Show me your phone. What's your case?
GRAHAM CLULEY
With pleasure, with pleasure. Let me bring out my iPhone. Oh, we have the same size iPhone. That's very handy.
ANNA BRADING
Oh yes, and look at the case! That's so cool.
CAROLE THERIAULT
Does it have diamante on it? It's a little blingy.
GRAHAM CLULEY
Has a magnetic catch on it. Do you like that?
ANNA BRADING
Oh yes, I like that you've got a little holder so that you can take a photo. Actually, is that your friend over there? Do you want me to take a photo of you?
Yeah, come on, give me your phone. Oh yeah, take a photo of you.
GRAHAM CLULEY
Oh yeah, me and Carole. Yeah, why not? Yeah, we could use that on the website. Great, thanks.
ANNA BRADING
Not too close.
CAROLE THERIAULT
Okay, not too close.
ANNA BRADING
Ready? Oh, it's great. I love it. I love it. Oh, sorry, I turned your phone off. How did I manage that? I'm sorry, I said I was clumsy. Sorry about that. And cut.
GRAHAM CLULEY
Cut? What? What's happened? Can I have my phone back? Can I have my phone back?
ANNA BRADING
You can have your phone back.
ANNA BRADING
So you've had a great night, you've got your phone back, you've danced with your new sexy lady friend, and then you part ways because, you know, you don't put out on the first date.
And as you're leaving the club, you step out the door and your phone is swiped from your hand. What?
ANNA BRADING
I know. However, disaster doesn't end there, Graham. It's not just your phone that's been stolen. Within seconds, your phone is gone, and the thief has changed your Apple ID.
They've taken money from you. They've stolen your contacts and your photos. Your whole digital life is gone. How?
CAROLE THERIAULT
That's very quick of them.
GRAHAM CLULEY
How have they done this so rapidly?
ANNA BRADING
Well, Graham, thank you for asking.
When your lady friend accidentally turned your phone off, you, when you turned it back on, even if you've got Face ID or Touch ID enabled, you have to put your passcode back in.
Yeah, she was sneaky. She watched you put your passcode in.
CAROLE THERIAULT
So was she nuzzling his neck or something?
ANNA BRADING
She was watching from afar, girl. But, you know, she could have eagle eyes.
GRAHAM CLULEY
Okay, so 1, 2, 3, 4, 5, 6. She saw me enter that, or whatever my code is, right?
ANNA BRADING
Yeah. Shh, don't tell everyone. And, oh, better change it. So all that someone needs in order to change your Apple ID on your phone is your passcode.
So when the thief steals your phone, they can use your passcode to get into it, and then they immediately change your password, which is associated with your Apple ID, and then that gives them continuous access to your account because they can force a sign out for everywhere that you're logged in and also disable Find My iPhone.
So they've got your entire phone, the contents of your phone, and everything in the cloud.
So they can run charges to your Apple account, they can take anything that's in the cloud, they can change the Face ID and Touch ID, obviously.
And if you've stored passwords on your device, then the thief can access other accounts as well. So if your social media account is on there, they can get that too.
If you're using Apple Touch or whatever, your fingerprint or biometrics, you can't because when your phone turns off, when you turn it back on, you have to reenter the passcode.
GRAHAM CLULEY
You do. Yeah, that's right.
ANNA BRADING
So they will have seen Graham putting his passcode in.
GRAHAM CLULEY
So, wouldn't it be good if Apple phones, when you switch them off and then switch them on again, rather than just asking for the passcode, if it actually said, "Okay, you've got the passcode right.
Now give me your fingerprint."
CAROLE THERIAULT
No, because people like me don't want to give our fingerprints to the phone. And that would be very stupid.
GRAHAM CLULEY
That's your choice, Carole, but I'm just saying, shouldn't— for those people who've—
CAROLE THERIAULT
That could be an option.
GRAHAM CLULEY
For those people who've set up Touch ID or Face ID, why doesn't it ask you then to do that? Just in case someone has shoulder surfed you for your passcode on your phone.
ANNA BRADING
Yeah. Yeah, because Apple say it's rare that this is happening because it requires both the phone and the passcode. But police are saying it's much more common.
GRAHAM CLULEY
How do Apple know it's rare? What a load of old nonsense. How?
ANNA BRADING
I just think.
GRAHAM CLULEY
Well, yeah, who's going to report it to Apple? Who's going to report that I had a woman nuzzling my neck while I entered my passcode? She seemed to like the cut of my cheek.
CAROLE THERIAULT
I find it— I mean, I don't know, maybe I just don't like people very much. I can't imagine it really happening in a bar, that type of thing.
But I can totally see it happening on public transport or planes or that kind of thing, or metro, subways, all that.
ANNA BRADING
Yeah, because when you're at an ATM or you're paying for something in the shop, everybody knows you cover your PIN, but you don't on your phone in the same way.
Because it's rare for you to put your— have to put it— well, for me, I use Face ID. Rare for me to have to put my passcode in.
And if I was doing it, especially if I had a drink, I'd probably just stick it in quickly.
CAROLE THERIAULT
So do you know, my neighbors are— sorry, I'm digressing, but my neighbors are identical twins and they can open up each other's Face ID.
GRAHAM CLULEY
Have you identified which one of them is the evil one?
CAROLE THERIAULT
I can actually tell them apart and they're both actually lovely, but I can tell them apart. But maybe that's because I have twin brothers. I don't know. But I don't find it hard.
Weird. Anyway, there you go.
ANNA BRADING
Yeah, so all is that—
CAROLE THERIAULT
I digress.
ANNA BRADING
That's okay, that's fine. So just be careful when you're on a night out, because if you've got to put your passcode into your phone, then cover it. Yes.
And don't fall for the sexy ladies, Graham, even if they are over 80.
GRAHAM CLULEY
Yeah. So aside from the theft, there's still nothing going on with the lady, is that right? That's not going to go anywhere.
ANNA BRADING
I'm sorry, that was the ruse.
GRAHAM CLULEY
Because now I'm imagining it's a sexy cat burglar lady, a sexy thief, sort of.
CAROLE THERIAULT
Are you available or something? You're talking a lot about, you know.
GRAHAM CLULEY
Carole, what have you got for us?
CAROLE THERIAULT
Well, pop quiz to start. Do you know what the oldest federal law enforcement agency might be? In the US?
GRAHAM CLULEY
Boston, Massachusetts?
CAROLE THERIAULT
No, more federal. Federal.
GRAHAM CLULEY
Oh, sorry. Oh, federal agency.
GRAHAM CLULEY
The CIA? The FBI?
CAROLE THERIAULT
No, it's the US Marshals Service.
GRAHAM CLULEY
Of course it's the US Marshals Service.
CAROLE THERIAULT
Because I remember I watched cowboy movies where they'd be "I'm the US Marshal."
CAROLE THERIAULT
Can you name some of the responsibilities of a US Marshal?
GRAHAM CLULEY
They marshal crowds if there is a lot of marshalling required.
ANNA BRADING
Yeah, they do marshalling.
GRAHAM CLULEY
Do they pick up wrong 'uns on the street if there's someone doing something? I don't know. I'm not American.
CAROLE THERIAULT
Well, Anna, maybe, you know.
ANNA BRADING
Do they patrol the streets late at night? I'm really shocked, guys. I have no idea what they do.
CAROLE THERIAULT
So they nab federal fugitives. So if someone crosses state lines, for instance, right? The state cops don't have control over that. And so, and they may not know what state.
So they may then get the US Marshal Service involved to help them track down these fugitives.
GRAHAM CLULEY
That's why they have federal people who can sort of follow you across state, but you're not supposed to. I think cops aren't meant to follow you. Is that? Oh, I don't.
Can we have someone American on this show? Who understands these things.
CAROLE THERIAULT
I'm just asking you. I know the answers, so don't worry about it.
GRAHAM CLULEY
Oh, okay, okay. You go ahead. You go ahead.
ANNA BRADING
Carole's American.
CAROLE THERIAULT
Yeah, I'm American. They also manage and sell seized assets acquired by criminals through illegal activities.
CAROLE THERIAULT
So can you imagine the scene? You finally got some super duper rich dude who's gone across several states and he's finally arrested by the US Marshal.
CAROLE THERIAULT
And it's their job to manage the seizure and sale of all his assets. Exotic pets, superyachts, and tickets to outer space in some cases.
GRAHAM CLULEY
What? Has this actually happened? Have tickets to outer space been seized?
CAROLE THERIAULT
See, the same thing happened to me when I read that. So I went into this crazy wormhole of what millionaires spend money on. Let me put a link in the show notes for you.
Let's take a little break here from the serious stuff, shall we? Here you go. It's in my little section. Check that out.
Just do a little quick search of that page and see if there's anything that blows your mind.
GRAHAM CLULEY
So Lady Gaga has spent $50,000 on an electromagnetic field meter to detect ghosts. Nicolas Cage, he's spent $150,000 on a pet octopus.
CAROLE THERIAULT
It's just ridiculous, right?
ANNA BRADING
Mike Tyson's got 3 tigers. $70,000 each.
CAROLE THERIAULT
And they must eat a lot of food, right? You really gotta— Anywho, back to the Marshals, back to the Marshals.
So the reason we're talking about it is because the U.S. Marshals have recently suffered a security breach where the attackers stole sensitive information, and it's being described as a major incident.
Now, what was very concerning for a lot of people is the U.S. Marshals also run the witness protection programs.
GRAHAM CLULEY
Oh dear. Mm-hmm.
CAROLE THERIAULT
They believe this to be a ransomware attack on the U.S. Marshals Service, affected a computer containing law enforcement sensitive information, including personal information belonging to targets of investigations.
So the service learned about the attack on February 17th, and that's when it discovered what it has described as a ransomware attack in which the hackers were actively exfiltrating sensitive files.
ANNA BRADING
There's data on suspects.
CAROLE THERIAULT
Yes, but the Witness Security Program apparently has not been compromised.
CAROLE THERIAULT
They claim the system was not connected to the broader network and was quickly shut down when the breach was discovered.
CAROLE THERIAULT
But can you imagine that information getting in the wrong hands? Witness protection, that would be just horrific.
ANNA BRADING
Oh my God, yeah.
CAROLE THERIAULT
But we know that the US Marshals Service is not the only organization to be affected by ransomware, right? There's been a whole slew of ransomware attacks.
ANNA BRADING
Almost everywhere. Yes!
CAROLE THERIAULT
Even this week we had a Minnesota school district, Washington Public Bus System. All of these guys reported ransomware attacks.
And even the FBI and CISA issued a joint warning about the Royal ransomware attacks. They say that they've targeted numerous critical sectors.
So it's no surprise then when I was checking out IBM's most recent report that ransomware remains as the second most common action after getting network access. Right?
So baddies get in and the first thing they're likely to do is get some ransomware action going on.
GRAHAM CLULEY
Well, it works, doesn't it? It works for the criminals. They make money.
CAROLE THERIAULT
And they're getting better at it.
So they warn that attackers are continuing to innovate, showing that the average time to complete a ransomware attack dropped from 2 months, you know, so 60 days, down to less than 4 days.
That's crazy.
GRAHAM CLULEY
What do you mean by complete? Do you mean complete as in they get their money?
CAROLE THERIAULT
Often it'll probably involve chatting up, getting the details, phishing someone for their account details, getting in, being able to load up your stuff so that you can then— apparently, they often put in vulnerabilities at this time before they start exfiltrating data, right?
GRAHAM CLULEY
Yeah. Because then they can come back again. Yeah.
ANNA BRADING
Yeah. 'Cause they also lock up your data and then they use the data as part of the ransomware. And then if you don't pay up, they'll then post it on forums. Yeah.
CAROLE THERIAULT
Now, with the US Marshals, it isn't clear whether or not they're going to pay the ransom or if they're being threatened about the data being put online.
GRAHAM CLULEY
Hang on, I've had a thought.
If the US Marshals are impounding all of this criminal stuff like exotic pets and fast cars and large amounts of bitcoin, couldn't they use some of that to pay the ransom with?
CAROLE THERIAULT
I think it's quite unethical.
GRAHAM CLULEY
Could they say to the criminals, "We'll give you a leopard."
ANNA BRADING
Isn't it in some cases it's illegal anyway, I think, to pay? I think they can't— I don't think they can pay that ransom, can they?
CAROLE THERIAULT
Yeah, I don't think a federal authority will be allowed to even pay. But interesting. Maybe that's what they're wanting to know. "Where's my tiger?"
ANNA BRADING
Right. Don't want to lose that.
CAROLE THERIAULT
So I'm reading all this and I'm thinking, isn't it time for the powers to roll up their sleeves and get some real muscle? You know, put some real muscle into the ransomware problem.
You know, because otherwise the situation is looking pretty bleak, right? We're seeing more and more of it. But maybe the time has finally come, guys.
Maybe we're there, because last week the US released its new National Cybersecurity Strategy.
And there's one interesting tidbit that I thought I would share here, which is ransomware is now officially declared a national security threat.
And it says it'll be unlocking military intelligence-level cyber tools.
Okay, see, these are things that are typically used for state-backed attacks, you know, stuff that we might say Chinese spies or Russian code, and they're gonna be using against the ransomware gangs.
GRAHAM CLULEY
Sounds like things are heating up.
ANNA BRADING
Interesting.
CAROLE THERIAULT
Yeah, don't mess with the US Marshals, right?
ANNA BRADING
So they're just getting heavier on them.
CAROLE THERIAULT
Yeah, it's like they had these tools all the time. They're like, "Oh, okay, fine, we'll dust them off and put them into action here." Yeah, is it going to stop them though?
ANNA BRADING
I feel like they're always a step ahead.
CAROLE THERIAULT
The problem though, of course, is that we're trying to find out, well, what kind of stuff? Well, tell us about these tools. Tell us about this cyber offensive.
And they're like, oh, well, some of these operations are classified. So it's all very vague at the moment on that front.
But I'm thinking if all goes as planned, we should expect to hear about many more ransomware takedowns and arrests, right?
As this intelligence community gets more involved in the fight. And hey, that's good for us because we get to report some good news on this show for a change, right? That'd be nice.
GRAHAM CLULEY
Ah, they're doing it all for us.
ANNA BRADING
That would be nice. We thank you.
GRAHAM CLULEY
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it.
With over 14 frameworks, including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keep your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
CAROLE THERIAULT
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY
Our friends at Bitwarden have been busy this month, adding some fab new features to their open-source password management solution.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more and try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back.
You join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ANNA BRADING
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, as I mentioned earlier on, I like older things. And what I don't like to do is—
GRAHAM CLULEY
I don't like to—
ANNA BRADING
I'm afraid, Carole.
CAROLE THERIAULT
If only they liked him back is the problem, right?
GRAHAM CLULEY
I don't like to be—
ANNA BRADING
This is a niche website that I'd like to recommend.
GRAHAM CLULEY
I don't like to be too trendy.
ANNA BRADING
All right, Graham.
CAROLE THERIAULT
No danger.
GRAHAM CLULEY
I don't— when everyone's raving about the same thing, I think, oh, I don't really want to check that out because, you know—
ANNA BRADING
You're a subversive.
GRAHAM CLULEY
I am. So I'd like to wait a few years. So I waited. You know that TV series Line of Duty? Everyone was talking about Line of Duty for years and years.
CAROLE THERIAULT
As you did.
GRAHAM CLULEY
Well, no, I didn't for years and years because I didn't watch it for years and years. I got on board on the very final series. And then I started watching number one. I am cool.
I'm cool.
ANNA BRADING
Is that cool?
GRAHAM CLULEY
I'm a late adopter. And I have lately adopted, lately, a series called Happy Valley. Now, I've heard about Happy Valley in the past.
ANNA BRADING
Jesus Christ.
GRAHAM CLULEY
And Happy Valley, I thought it was going to be some sort of gentle kind of northern, lovely bit of drama. Why?
CAROLE THERIAULT
Because there's a nice older lady running it?
GRAHAM CLULEY
No, no, because it's called—
ANNA BRADING
That's why he likes it.
GRAHAM CLULEY
The title, Happy Valley makes you think it's going to be a bit like All Creatures Great and Small or something. And I thought, well, that's not going to appeal to me.
I thought, that's not going to be— it's going to be like slipping into a warm bath.
I thought, just, you know, very nice if you like that kind of thing, but, you know, not really my cup of tea.
Anyway, people kept on talking about it and I thought, oh really, is it such a big deal? So I thought, well, I'll just check out episode 1 of the first series.
So I turned on Happy Valley and it has this actress Sarah Lancashire used to be in—
CAROLE THERIAULT
She's glorious.
GRAHAM CLULEY
She used to, yes. Coronation Street, I believe, right? Which is the top British soap, I think.
CAROLE THERIAULT
I'm gonna say EastEnders. Can you believe how bad?
ANNA BRADING
They're all the same.
GRAHAM CLULEY
She was in a Doctor Who episode as well. So she's been in, and so I just thought, oh yeah, I can imagine this all being cosy. No, it's not cosy. It's not cosy at all. Oh my giddy aunt.
And it starts off a little bit funny before the title sequence comes in, but then it gets really quite dark quite quickly, and I was like, oh my giddyup.
Anyway, I've watched the first series, and it's a police procedural. There are wronguns.
There are wronguns on the street, and they're doing naughty things, and the police are after them, headed up by an older lady who is a grandmother in the show, Sarah Lancashire.
And that is why my pick of the week is Happy Valley, which I'm quite enjoying.
ANNA BRADING
It's so good.
CAROLE THERIAULT
Oh, I'll pretend to be Graham here. Anna, Carole, have you seen it?
ANNA BRADING
Graham, thanks for asking. Yes, I have.
CAROLE THERIAULT
Oh, that's interesting.
ANNA BRADING
It's very good. She is very good. He is very good. The sister, it's all brilliant.
CAROLE THERIAULT
The sister, the relationship between the sister and—
CAROLE THERIAULT
It's just, what are their names and the characters' names? I can't remember now.
GRAHAM CLULEY
Catherine and—
CAROLE THERIAULT
Catherine.
GRAHAM CLULEY
Yeah, and I can't remember what the other one begins with C probably. The dialogue is very— I watch it obviously with subtitles because I'm of that sort of age.
And the dialogue is really quite witty, written by Sally Wainwright. And there are bits— it's not for the kids, I'd say that. There's some rather dark stuff going on.
I don't know what the next two series are going to be like, but the first series, it was quite dark.
ANNA BRADING
Yeah.
Yeah, it's— I mean, obviously, you are ahead of the trend here, Graham, but the boy in it that— who's a tiny boy when you're watching the first series, it's the same boy, and he's in the last series, I think he's about 17 or something.
So it's good to see the progression.
GRAHAM CLULEY
That's interesting because he was very good in the first series, and I've only seen the first episode of series 2, and they had a couple of scenes where he's notably not in shot.
And they're sort of saying, "Stop kicking that ball against the wall," and you don't see him. And I thought maybe the actor's got too old, or he's not available.
So he is going to come back, is he? He was very good, I thought, in the first series. Right, that's interesting.
ANNA BRADING
Yeah, he's very good.
GRAHAM CLULEY
Okay. Anyway, Happy Valley. You'll find it on BBC iPlayer and, I don't know, other places, I suppose.
CAROLE THERIAULT
Welcome to 2020, Graham.
CAROLE THERIAULT
Thank you.
GRAHAM CLULEY
Anna, what have you got for us this week?
ANNA BRADING
Well, Carole, Graham, do you long for the simplicity of your childhood?
CAROLE THERIAULT
Some aspects, yes.
ANNA BRADING
Let's not go there. Maybe, do you look back fondly at the TV shows you used to watch after school? What were your favorite ones?
CAROLE THERIAULT
Jem, Truly, Truly, Truly Outrageous.
ANNA BRADING
Oh, that was a song. I remember that.
CAROLE THERIAULT
She was some doll, some singer, pop singing cartoon something.
GRAHAM CLULEY
It was ridiculous, absolutely ridiculous, but I loved— I liked The Magic Roundabout, John Craven's Newsround. Rentaghost was quite good.
CAROLE THERIAULT
Scooby-Doo.
ANNA BRADING
Newsround was the most boring programme you could watch.
And actually, my son started watching CBBC, and he— Newsround came on, he was, "This is the most boring show ever." And I said, I know how you feel. I felt that too.
So, but you know, we all have different interests. I preferred the, you know, kid dramas. Anyway, you've got to have a look at my80stv.com.
GRAHAM CLULEY
Ah, that'd be why I've got a problem then, because I'd probably be after my70stv.
ANNA BRADING
Oh, sorry. I mean, I was looking at the my90s, but I meant my80s.
ANNA BRADING
I was unaware of the gap.
GRAHAM CLULEY
I like the user interface on this website.
GRAHAM CLULEY
It's an old-style television with knobs.
CAROLE THERIAULT
Yes. And it says, welcome back to the 1980s. Click on the power button to begin the journey. Okay.
CAROLE THERIAULT
Oh, cool.
ANNA BRADING
And so you can— it will shuffle through a load of old videos and you can toggle on which ones you want.
So you can say you want comedy and you want cartoons, you can watch all of them. There's adverts, there's movies, and you can— it's not just '80s.
So if you go there, there's a— down the right-hand side you can see there's all the way from the '50s to the '90s, and it goes through all the TV from the decades.
And what I like about them is that the TV shape changes with each decade, which is a nice little touch.
GRAHAM CLULEY
Yes, I've gone back to the '70s because I saw that was an option. And it's glorious. I love this. This is great fun.
ANNA BRADING
It's so nice. And you can add picture noise to it. I think if you press N, so you can see it, you can fuzz it up or less fuzz it. It's great.
CAROLE THERIAULT
I love how every time I change the channel, it goes, kshh, kshh. Yeah, it's gorgeous. Really good pick of the week.
GRAHAM CLULEY
Ah, thank you.
ANNA BRADING
It's perfect for a Friday. Procrastination.
GRAHAM CLULEY
Very good, very good. My80stv.com. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, mine is also a visual thing, so it's a movie, one that is up for many awards right now, like 11 Oscar nominations.
So it's been kind of called the film to beat this year, and it's called Everything Everywhere All at Once. Have you guys heard of it or seen it?
GRAHAM CLULEY
Ah, well, it's tipped for the Oscars, isn't it? I think I've seen the trailer. It does seem a bit bonkers.
CAROLE THERIAULT
Were you distracted there for a second?
ANNA BRADING
I think he was.
GRAHAM CLULEY
Oh, sorry. No, no, it's fine.
GRAHAM CLULEY
Did you say it was?
CAROLE THERIAULT
We'll keep that in. We'll just show that.
GRAHAM CLULEY
I was still watching the TV thing. I was, right. Yes, I've seen the trailer, Carole. It's bonkers. It's surreal. It's mad. Michelle Yeoh.
CAROLE THERIAULT
And how would you describe it? It's sci-fi. It's a comedy. It's martial-arty. It's actiony. It's thriller-y. And there's also this whole surreal business happening around that.
CAROLE THERIAULT
And yeah, it's Michelle Yeoh. She's the star of— Graham?
GRAHAM CLULEY
Wasn't she in Hidden Tiger, Crouching Panda or something? One of those.
CAROLE THERIAULT
Crouching Tiger, Hidden Dragon.
GRAHAM CLULEY
That's the thing.
CAROLE THERIAULT
Smashing.
CAROLE THERIAULT
Now, she plays Ling, who is the owner of a kind of rundown laundrette. But she discovers this ability to connect with parallel universes in order to fight evil.
GRAHAM CLULEY
Yeah, we've all been there.
CAROLE THERIAULT
Yeah. And Ling does this by teaming up with her other parallel selves to combat a formidable threat, right? One that's kind of closer to her than she realizes.
So we have these umpteen different lives that Ling is a part of, you know?
When you go through all her different— in some she's glamorous, some are rather scary, some are humdrum, some are ridiculous. In one parallel world, we have Rackacoonie, okay?
Instead of Ratatouille. And so I was a raccoon, you know?
GRAHAM CLULEY
Ratatouille, Carole, isn't made out of raccoon— rats, just so you know. No, I know! But Rackacoonie is. Rackacoonie is made out of raccoons, is it?
CAROLE THERIAULT
No, it's the same story, the same premise as Ratatouille, where a rat is helping you.
ANNA BRADING
Oh, the film, not the food.
CAROLE THERIAULT
The movie. I'm sorry. I assume— I didn't even think that. Yes.
GRAHAM CLULEY
So it's Davy Crockett with a raccoon on his head, and he's directing him as to how to cook in Rackacoonie.
CAROLE THERIAULT
Yes, but no. In another weird world, there's people with sausage fingers. It's just so crazy. Another one, we have googly eyes showing up randomly.
It's kind of glorious, but it's nuts. As you say, Graham, if you— I haven't seen the trailer. I just watched it last night, but it's completely, utterly nuts.
ANNA BRADING
And so fast. It's a cheese dream.
CAROLE THERIAULT
And it's so crazy though. I had to keep pausing it every 5 minutes to kind of catch my brain, catch my breath and calm my brain. Catch my brain.
GRAHAM CLULEY
"Come on!" Calm your breath.
CAROLE THERIAULT
It's like an assault though, on the viewer. It's really, it's like a big, long roller coaster, much longer than you expect to be on it at that kind of pace.
GRAHAM CLULEY
Were you throwing up? Were you feeling sick at the end of this?
CAROLE THERIAULT
I think I paused it because it was too much.
ANNA BRADING
Yeah, does it all come together at the— That sounds really mad.
I hate it when all this is going on and then it doesn't sort of, I need it to sort of have a nice ending for it to feel like it's worth it.
CAROLE THERIAULT
I'm not gonna be able to answer that without giving anything away. I'm sorry. But I can say there's a good cast. Jamie Lee Curtis plays an incredible, horrible IRS agent.
CAROLE THERIAULT
And Ke Huy Quan, he was from The Goonies. You remember that? He plays Ling's husband, Waymond, with a W. Waymond.
You know, if someone said, "Did you like it?" I'd be like, "I think so." But I'm really impressed by it.
And I recommend it just to get a glimpse of the insanity of it all, because now you can stream it, right?
GRAHAM CLULEY
Oh, can you?
CAROLE THERIAULT
Yeah, it's on Amazon at the moment. That's where I found it. But you will be blown away by the amount of work that went into creating it.
ANNA BRADING
But will you like it?
CAROLE THERIAULT
I don't know. So my pick of the week is the movie Everything Everywhere All at Once, which the movie does represent in its style. It lives up to its name.
Find it on Amazon streaming services.
GRAHAM CLULEY
Do they wake up at the end and it was all a dream? That's how I'd finish a movie like that. I'm sure that would go down well.
CAROLE THERIAULT
Yeah, I'm sure everyone would line up. You'd be getting all the awards as well. All the awards.
GRAHAM CLULEY
Now, Carole, you've been chatting to the people at Kolide this week.
CAROLE THERIAULT
Yes, well, I caught up with Kolide CEO Jason Meller. What a passionate guy. He shared some big news with us. So listen up, folks.
Listeners, today I am chatting about all things Kolide with its very own CEO, Jason Meller. Welcome again to Smashing Security, Jason.
JASON MELLER
Oh, thank you so much for having me.
CAROLE THERIAULT
We chatted actually last year. Our interview is featured on episode 265 if listeners want to check that out. But yes, it's great to have you back.
JASON MELLER
Wow, it's been a year already. Feels like that was 3 weeks ago.
CAROLE THERIAULT
Time flies when you're busy.
JASON MELLER
That's right.
CAROLE THERIAULT
So just to kick things off, am I right in saying that Kolide champions a zero-trust model when it comes to security?
JASON MELLER
Yeah, absolutely. So this is something that you're going to hear us starting to talk about more and more. Originally, we really shied away from the term specifically zero-trust.
The reason why being is that we don't want to see that terminology be applied to individual people, but we do like the aspect of making sure that the devices that you connect to your most sensitive apps are trusted and that you initially don't trust them until they've been properly vetted and essentially we've been able to scan them.
So, you know, at the end of the day, Kolide is a zero trust model and we champion that access model not just by working directly with your organization, but through your existing SSO provider.
And today for us, that's Okta, and that's what we recently announced.
CAROLE THERIAULT
Okay. You beat me to the punch because I was going to give you— I was going to hand the floor over to you. So tell us about this news.
This is all about device trust integration, isn't it?
JASON MELLER
Yes. Yes. So let's take a step back and talk about what we were doing before we announced this integration.
So previously at Kolide, we were messaging end users on Slack when their device wasn't up to spec, if they were missing updates, if the firewall was off, or even deeper things like, oh, they have some unencrypted SSH keys or they have some sensitive data on their device.
So we would detect that with our endpoint agent and then we would message your end users directly on Slack. Now that works great, but it has a fatal flaw.
And that fatal flaw is pretty obvious once you start thinking about it, it's that the end users, they can actually ignore that Slack app if they want.
They could just sort of click mute. And I had talked about this. This isn't something that was a surprise to us. We actually talked about this in our Honest Security Guide.
We actually created this whole manifesto around how to actually encourage your end users and have them be a part of the conversation.
And we wrote about it at this website called honest.security. That's the whole URL. And in that guide, I talk about the importance of proportionate consequences.
So effectively tell users, give them clear expectations on what you really want them to do on their device.
And if they don't do them, you really need to have a proportionate, reasonable consequence.
So for example, let's say you're an engineer and you have the production database just in your downloads folder, like a backup. Well, that's really bad.
And if after 2 or 3 attempts of asking them to get rid of it, they don't do it, you cut off their hands.
Yeah, well, maybe not their hands, but at least don't let them log into AWS anymore to get another fresh copy of that backup. So that's a pretty reasonable stance.
JASON MELLER
The challenge is, though, is actually implementing that is really, really hard for organizations. They have to build a lot of stuff.
JASON MELLER
So Kolide was in this really interesting position where we already could detect the stuff on the computer. We already knew how to talk to the end user.
We now just needed a mechanism to prevent folks from getting access to these sensitive apps and services when their device wasn't in a good state.
JASON MELLER
Yeah, exactly.
So to do that, we really wanted to partner with an SSO provider that would allow us not only to implement this sort of blocking capability, but also would allow us to tell the user why they were blocked in situ.
So to visualize it, imagine you're trying to sign in to any SaaS app you have. Let's just say for the sake of argument, something like GitHub.
CAROLE THERIAULT
Okay, so I'm trying to get into GitHub, right? Okay.
JASON MELLER
Yep.
So you put in your— you go into GitHub, you click into your organization, and then what if you have Okta, you get prompted for your Okta username and for most people their password.
So you type again your Okta username, you put in your password, and then that's where Kolide starts to come in.
So we effectively are one of many potential two-factor authentication options in your organization and you can sequence them, right?
So if you're already using YubiKeys today, or if you're using some other thing like Okta Verify, you can do that part first and then the users get sent over to us.
We check their device right in the browser using the agent.
And then if their device isn't up to spec and you've set those checks to blocking if they're failing, then we stop the end user right then and there from accessing the resource.
But most importantly, we tell them why they're blocked and then we give them the path to redemption. So let's say your Chrome is out of date, right?
There was a zero-day exploit, we got to get all these Chrome browsers up to date, you can block people from accessing your SaaS apps until they restart their Chrome, which will apply the update.
And that can be enforced through this mechanism, and then users can do it.
And then once they do it, the screen lights up green, and then they can actually get through to the final app that they're trying to access.
And that's fundamentally, in our opinion, the most pure form of zero trust access that you can get is vetting the device every single time, but giving the end user context and step-by-step instructions on how to get in a better state.
JASON MELLER
Here, here's the thing though, is this is something that what we've found now, because we've been running this as a pilot and a beta for several months.
And one of the things that we've learned is this isn't just something you should do for the benefit of just your end users, right?
I mean, there's obvious benefits of telling them why something is wrong, giving them a path to fix it.
But what we've learned is that this is actually more effective than the existing MDM solutions people employ at certain things like patching.
JASON MELLER
That was sort of surprising for us, right? So let's talk about patches specifically.
So 3 or 4 weeks ago, Apple had these major high-priority security patches that they wanted you to put out on macOS and iOS, really bad stuff.
I'm talking you go to the wrong website and then instantly there's malware on your computer level bad. That was sort of what happened 4 weeks ago.
And if you're a Mac admin, what are you really supposed to do? Well, you want to get your devices patched as quickly as possible.
And every Mac admin, when they need to do that, they reach for the tried and true MDM, you know, mobile device management solution. So they really have some choice in front of them.
Choice number 1 is, all right, I have all these devices under management.
The first thing I'm going to think about is I can deploy this update to all the devices and then force them to be rebooted right away. That's option one.
That's not a bad choice in an emergency, but the problem is if you do that and you do that at scale, let's say anybody over 200 employees knows when you do this, you have what typically is a really angry email at the end of that exercise, right?
It's "hey, just FYI, the CEO was in the middle of an investor pitch and then this computer rebooted right in the middle of it," right?
Every IT person listening to this has been in that scenario where you're doing the right thing, but then you create this massive data loss event. And that's just one person.
Of course, it's always the CEO. That's Murphy's Law. But it's also, you know, that engineer or whatever.
And that's the thing with updates, they don't work unless you reboot the computer. So rebooting is a really tough thing. So you don't do that.
You don't do the, let's just reboot everybody's computer in the middle of the day. What do you do?
You nag and nudge people for 3 or 4 days first and say, "hey, we're going to try to automatically apply this update.
Please let the system do its thing, but you can defer and ignore if it's not a good time to restart right now." And what do people do? They always ignore, they always defer.
And so now it's day 3, it's day 4, it's day 5, it's week 2, and you still don't have, you have 30, 40% of your fleet that doesn't have this emergency patch on it.
CAROLE THERIAULT
So that's, you're bringing back nightmares for me, really vivid nightmares, right?
JASON MELLER
And it's 2023. This is still the state of the art of how to do it, right?
And maybe the nudge screen has gotten a little bit more annoying and maybe the sound effects are a little bit more obvious to hear.
But at the end of the day, it's really still the same stuff. So let's go back to a zero trust access model.
Zero trust access and the blocking methodology I talked about a second ago, that provides us with a new methodology for being able to solve the same problem.
And the way that you do it is you just go into something like Kolide.
You create a check that says, "hey, this device is failing if it doesn't have this specific update applied, we're going to give folks a day to do it." And then when people start logging in, they'll see that message, "hey, you really need to get this update applied.
And if you don't by tomorrow, you're going to be blocked from all your SaaS apps."
CAROLE THERIAULT
They're significantly more encouraged to get it done.
JASON MELLER
It's not that they're just more encouraged, which they are, but the thing is they have the agency to decide when to take the disruption.
There's a clear consequence at the end of the road that's right on the horizon that they can see and they can visualize and they know is real because they've maybe been blocked before.
And now they have the agency to say, "All right, I need to take care of this tonight and I'm going to do that." And if I don't do it and I get blocked tomorrow, it's not the IT team's fault.
It's totally my responsibility.
So you've now taken what is really a responsibility of a small group of individuals, the IT and security team, and you've crowdsourced it out to your entire organization, and you've created a system that can work at scale.
So in practice, our customers who had this rolled out already when that patch event happened, they had 90 to 100% of their devices patched within 48 hours without a single complaint, no data loss events.
And that was just by handing the users the reins and giving them a proportionate consequence for not getting it done. That is huge. The efficacy of this is unbelievable.
And that's why we're so excited about that.
CAROLE THERIAULT
It's compliance is kind of key, and if you want to control the environment, and you're kind of doing that in a way that is involving everyone, and it's very cool.
JASON MELLER
It's been really exciting for me personally. You know, one of the things that I founded Kolide to do was to really get end users to be a part of the security solution.
I've always felt deep in my heart that because human beings are the ones that are really using the computer and they're the ones that are using it to further their career, to do something really exciting, they needed to be part of whatever the security story was.
These computers that we use every day, they started out— what were they called? They were called PCs, personal computers.
They were never meant to really be managed centrally in the way that we try to manage them centrally at organizations.
They're meant to be used by a single person sitting in front of them, driving them.
That is really how they've been designed from the ground up, especially Macs, which they've really bucked the trend of becoming an enterprise-friendly operating system since its inception.
And only very recently, in the last 5 to 10 years, administrators have tried to embrace this idea of centralized management, but it doesn't work very well.
And if you've been an IT administrator the last 10 years, you know that. And so how can we get the end users involved? That's always been something I wanted to do.
And what we finally stumbled upon is a way to do that that works at scale, even with the most stubborn end users who really aren't going to do it out of the goodness of their heart.
That's why this is so exciting because even if I meet the most cynical IT person in the world, I can show them that regardless of what you think about the end user and their capability, this is what the numbers show us.
This is what the efficacy of this new way of doing it is, and it is just objectively better.
That's sort of the pitch, and that's why it's so exciting to me personally is we found a way to not just make the end users part of it, but to make it better than the status quo.
CAROLE THERIAULT
Yeah, and you get rid of all the politics, all the office politics of begging a department to do stuff. It's brilliant. It's brilliant.
I'm sure our listeners think so too, and they can see it in action if they go to kolide.com/smashing. That's kolide.com/smashing.
It's Kolide with one L, K-O-L-I-D-E, and Kolide CEO Jason Meller, thank you so much for chatting to us and sharing this news.
JASON MELLER
Go to the website. This is a show, not a tell product. You'll actually be able to watch videos of what it looks like when folks are signing in.
So there's a lot of information on there. I highly encourage you.
This is something we've sweated over for months and months and months, getting the end user experience exactly right.
And if you're someone who uses Okta today and you have zero trust on your roadmap, you should reach out to us. This isn't just some fringe startup thing.
This is the best zero trust access solution for people who have Okta. It's better than what Okta has built in. It works on Linux where we have mobile support.
So you should really reach out if this is on your roadmap this year and we will get in touch with you right away and make this happen for you.
CAROLE THERIAULT
There you go.
CAROLE THERIAULT
Thanks so much, Jason.
GRAHAM CLULEY
Terrific stuff. And that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What is the best way for folks to do that?
ANNA BRADING
I am @AnnaBrading on Twitter. And if you want to give me some work, LinkedIn.
CAROLE THERIAULT
Not desperate or anything. Hashtag desperate.
ANNA BRADING
Oh, actually, no, but I just—
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity. No G. We also have a Mastodon account. You can find that at smashingsecurity.com/mastodon. That'll take you there.
And look up the Smashing Security subreddit on Reddit. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts and Spotify.
CAROLE THERIAULT
And huge, huge thank you to this episode's sponsors, Kolide, Bitwarden, and Drata, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 311 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Anna, thank you so much for coming on the show.
ANNA BRADING
Thank you for having me. My question is, are you doing something with Apple Podcasts?
Because I went to the Smashing Security podcast, your stream, and it asked me if I want to pay more.
GRAHAM CLULEY
Well, no, no, no. So you can now rather than just go to Patreon, you can also pay via Apple Podcasts and get the episodes early and get them without ads.
GRAHAM CLULEY
No, but we haven't really publicised this yet.
ANNA BRADING
Well, you should.
GRAHAM CLULEY
I agree, we should. We'll work out the best way to do it.
CAROLE THERIAULT
Anna, you're a rock star.
CAROLE THERIAULT
Good story. Very cute.
GRAHAM CLULEY
Lovely, lovely.
ANNA BRADING
Oh, it's fun.
GRAHAM CLULEY
Right, I'm going to stop.