Smashing Security podcast #324: .ZIP domains, AI lies, and did social media inflame a riot?

Industry veterans, chatting about computer security and online privacy.


ChatGPT hallucinations cause turbulence in court, a riot in Wales may have been ignited on social media, and do you think .MOV is a good top-level domain for “a website that moves you”?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Plus don’t miss our featured interview with David Ahn of Centripetal.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Piss off. If you had done 5 years of study to achieve a PhD, trust me, you'd have it tattooed across your forehead.

Graham Cluley

I would not put it in my username.

Carole Theriault

You know, you'd make a fucking t-shirt. Oh, by the way, did you know? We all know it's true.

Graham Cluley

I might do that. But I wouldn't—

Mark Stockley

Where is your 11th greatest Britain in cybersecurity tattoo, by the way?

Unknown

Let's move on. Smashing Security, episode 324. .zip domains, AI lies, and did social media inflame a riot? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 324. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And this week, Carole, we're joined by a special guest, someone who's been on the show numerous times before. Please introduce him.

Carole Theriault

Mark Stockley!

Graham Cluley

I just ran out of steam.

Mark Stockley

You forgot, didn't you? What's-his-face has come back.

Dave Ahn

Wow.

Carole Theriault

How you doing, Mark?

Graham Cluley

I'm good.

Mark Stockley

I'm good.

Carole Theriault

We have a massive show. Should we get it kicked off now?

Graham Cluley

No.

Mark Stockley

Nah. Nah.

Carole Theriault

Well, yes we are. Let's thank this week's sponsors, Bitwarden, Kolide, and Centripetal. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?

Graham Cluley

I'm gonna be talking about domains for the tragically zip.

Carole Theriault

Mark, what about you?

Mark Stockley

I've got a story about your worst colleague ever.

Graham Cluley

Ooh. And Carole, I guess, over to you then.

Carole Theriault

And I'm going to talk about how social media might have ensued a riot. Plus, we have a featured interview with Dave Ahn. He's the chief architect at Centripetal. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Chums, chums, do either of you have a PhD? Maybe you're too embarrassed to mention it. You know, some people are, they hide it under a bushel.

Carole Theriault

I know people who say they have a PhD and—

Graham Cluley

Oh, just the one.

Carole Theriault

Maybe don't have one. No, I do not have a PhD.

Graham Cluley

Okay. I—

Mark Stockley

That's weird, 'cause I also know someone that says they have a PhD but doesn't. Isn't that strange? What's the opposite of someone who's got a PhD?

Carole Theriault

What are you gonna tell us, Dr. Cluley?

Graham Cluley

I don't have— I'm not a doctor.

Carole Theriault

I know you're not, yeah.

Graham Cluley

But I want to say well done to those people who are doctors, those people who've worked hard. I would be very proud if my son, admittedly he's only age 12, but if he came home from school one day and said that he'd managed to get the PhD. He did once say that in chemistry, I think they'd split the atom or something is what he claimed. And I looked at him, I suspect not. I suspect you just turned on a Bunsen burner. But if he had, if a child of mine or a child of either of yours were to come home one day, maybe as, you know, in their mid-20s, saying, so finally, after all that hard work and study, I've managed to get the PhD. You would want to celebrate, wouldn't you? You would want to make them a cake. You would want to buy them some beer or bring in the Deliveroo or whatever it might be. Maybe you're thinking, what could be the— what could I give them? What could I give my child I'm so proud of after getting their PhD? Oh, I know. I could get them a domain name. But here's the problem, right? My son, little Markie, Mark, we call him Mark, right? Mark.com has already been snapped up. Mark.org, I had a look. Mark.org has gone as well. Mark.org is advertising a 4-bedroom house in Virginia with a secluded hot tub.

Carole Theriault

Mark WTF, Mark.wtf must be still available.

Graham Cluley

Mark.wtf, Carole.wtf, we know that one's gone. Very good website.

Dave Ahn

That one's gone.

Graham Cluley

But you know what is available? Mark.phd. So if you were the kind of person who had a PhD and didn't want people to forget that you had a PhD, which I suspect is most people who choose to tell people they have a PhD, then—

Carole Theriault

Oh, stop it.

Mark Stockley

No.

Graham Cluley

That's not true. No, people who choose, people who choose, a bit like John Barrowman, MBE, people who change their Twitter name to include the accolade they've been given by the king or queen.

Carole Theriault

Piss off! If you had done 5 years of study to achieve a PhD, trust me, you'd have it tattooed across your forehead.

Graham Cluley

I would not put it in my username.

Carole Theriault

You know, you'd make a fucking t-shirt. Oh, by the way, did you know? We all know it's true.

Graham Cluley

I might do that.

Mark Stockley

But I wouldn't— Where is your 11th greatest Britain in cybersecurity tattoo, by the way.

Graham Cluley

Let's move on. Anyway, the thing is, I think it's a little bit showy, isn't it? I mean, wonderful. Well done on achieving it. But do you want to keep on reminding people about it? Do you actually want to own the domain name? I'm not sure if you do, but now if you wanted, if you wanted to be carole.phd, you could. Well, do you know what, Carole? I've been to the website. I've been to Google Domains. I've typed in your name. And you can buy one and it's only going to cost you about $20 a year. And get this, you don't even have to prove that you have a PhD.

Carole Theriault

No, of course not. Because it's just the fuck—

Graham Cluley

Well, you don't have to. Anyone can do it. Wow.

Carole Theriault

Anyone could buy a website with com at the end and not own a company.

Graham Cluley

Well, right. Now, in the old days, the only way you used to be able to get a PhD other than studying was from a spammer because you'd get spam emails saying, would you like a PhD? Would you like a degree? Would you like this? Would you like that?

Carole Theriault

Didn't someone close to you purchase a PhD online?

Graham Cluley

No, I think they became ordained as a religious— I think—

Carole Theriault

I'm sure they told my husband they had a PhD. I think we know who we're talking about. Oh yes. At a dinner party at your house.

Graham Cluley

Oh yes. An elderly lady.

Carole Theriault

An older person.

Graham Cluley

Yeah. I think she bought it from Tony Robbins. I don't think that counts. But moving on. So, she also revealed some other things about herself, didn't she?

Carole Theriault

A pair of problems, yeah.

Graham Cluley

Moving on. Right. So, you can buy a .phd domain from your local friendly internet domain company, because at the beginning of May, our chums at Google Domains rolled out not just .phd top-level domains, but also 7 others: .dad, .prof, for presumably professor, .esq for esquire, .foo, .zip, .mov, and .nexus. Bizarre combination.

Carole Theriault

What's foo for? Is foo for food?

Graham Cluley

Oh, it's a programming thing.

Carole Theriault

I love that. Blah blah.foo.

Graham Cluley

Why not .mum, you're wondering? Why not mum, right?

Carole Theriault

Oh, good one.

Graham Cluley

'Cause it already exists, Carole. It already exists. So they finally added .dad as well as .mum.

Mark Stockley

Finally. They bowed to consumer demand and finally released .nexus. And .dad. And .foo.

Graham Cluley

And .cool and .love and .pizza and .photography. 'Cause that's really nippy to put on the side of a van. And literally hundreds of others you can buy.

Mark Stockley

I wonder if anyone's bought photography.photography.

Graham Cluley

And have a subdomain called photography? So photography.photography.

Carole Theriault

Hey, good SEO.

Mark Stockley

Absolutely nailed the SEO on that one.

Graham Cluley

Yeah. So Carole, you are one of these people who's bought a bizarre domain, 'cause of course your art site, everybody go and visit it, carole.wtf, where you can see a wonderful selection of watercolours and ink. Blotches and things and vote your favourites.

Carole Theriault

Yeah.

Graham Cluley

Yeah.

Carole Theriault

Yeah, why did I do that? Purely because any .com domain I could get had a ridiculous name. It's like we've run out of name combos that actually make any sense that I could find.

Graham Cluley

Because there are lots. There's a .paris. I found a .london, a .sydney, a .tokyo. No .rome, no .washingtondc. For some reason there's a .irish.

Carole Theriault

Oh, you researched this story in depth, didn't you?

Graham Cluley

Mm-hmm. Oh yeah, I did a lot of research.

Carole Theriault

Mm-hmm.

Mark Stockley

I think one of the reasons that .com has run out, inverted commas, is because there's so much cachet in having a .com that lots of people have just speculatively purchased a bunch of .com domains, which they will now happily resell to you at vastly inflated prices. So like, you normally, you spend, you know, maybe $10 a year on a .com. But you can go and spend millions on a name that nobody actually uses, but somebody owns.

Graham Cluley

If it's a dictionary word in particular, or a combination of words, or a short, you know, maybe 4 or 5 letters or something, then it's going to be probably being sold for an awful lot of money. So there's lots of these weird top-level domains. There's some which I think are a bit confusing, but there's a .work and a .works. Now that seems to me like there's an opportunity there for some mix-ups, you know, if you wanted to create a phishing site, if anyone did actually run a .work website. There's .review and .reviews, there's .sex and .sexy.

Carole Theriault

Are domains run by one single entity or not? Is it a collaboration amongst many tech companies? I don't know how it works.

Graham Cluley

There is this organization ICANN.

Dave Ahn

Yeah.

Graham Cluley

Who sort of, I think, are supposed to oversee these things, but I also think money talks.

Carole Theriault

Yeah, yeah.

Mark Stockley

And yeah, it also smells. Money smells. There used to be like 6 top-level domains in the beginning. And it was like .edu, that's for education, .com, that's for commerce. And then at some point, I can't remember when it was, it was like 10, 15 years ago, ICANN went, what if we just allow people to have anything they want, provided they spend an absolute fortune?

Graham Cluley

Yeah.

Mark Stockley

And that brilliant idea gave us .nexus and .prof and .sexy.

Carole Theriault

And .wtf.

Graham Cluley

And now .zip. And you may think—

Mark Stockley

Oh!

Graham Cluley

Oh, hello, Crow. Have you spotted a problem with a .zip domain? Mm-hmm. Yep. Right. Because I think .zip means something to many computer users, as does .mov, M-O-V. Maybe make you think of a movie file. A zip might make you think of an archive file containing other files. Now, according to Google, the reason why you might want a .zip domain is, they said, well, zip, that's really about having a secure domain for tying things together, moving really fast. So if you've got a really fast website, call it .zip. And it's like, well— Uh-oh.

Mark Stockley

I don't think that they believe that for a second.

Carole Theriault

Nope.

Mark Stockley

They absolutely phoned that one in.

Carole Theriault

Can you imagine searching for .zip on your computer as well? You'd find a million files. Yes. Yeah. Yeah.

Graham Cluley

And .mov, they argue, is for whatever moves you. They've said, that's why you'd want— That's why you'd want a .mov domain.

Carole Theriault

Now—

Mark Stockley

Some engineers made a decision. And then they threw it over to the marketing department and said, you've got two minutes to come up with a reason why these domains now exist. And the marketing department ran around for two minutes and they went, ah, it moves you.

Graham Cluley

So it turns out some people I'm very happy about this.

Mark Stockley

I'm one of them.

Graham Cluley

Typically, people are a bit security conscious. People are a bit grumpy because people are saying, is it in any way possible that cybercriminals and fraudsters might exploit the confusion between what we've known for the last thirty years to be ZIP and MOV files and what you've now decided to make a domain name instead?

Carole Theriault

Yep.

Mark Stockley

Yep. Now it means fast. Yep, sorry about the last thirty years.

Carole Theriault

No, you mean whatever moves you.

Graham Cluley

Whatever moves you. Because—

Mark Stockley

Well, if it's fast, I guess it would move you.

Graham Cluley

So the problem, simply put, is that you might receive an email saying, hey boss, here's that report you asked for, report.zip. Click on that. And when you click on it, you get taken to some sort of dialog box which looks like your company's single sign-on page to validate the file or access the file in some mechanism. And of course, you're then handing over your credentials to a phishing person, a phishing person, fisherman. I don't know what they call it. A fisherman.

Mark Stockley

I love that.

Carole Theriault

I think that's going in the title, The Fisherman.

Graham Cluley

Now, this isn't, of course, the first time we've had this kind of confusion because, of course, we all know .com. .com to most people now means website, doesn't it? It means commercial website, or at least website, if not commercial website.

Carole Theriault

I think it does.

Graham Cluley

And back in ye olde days, .com files were the programs you run under 64K on MS-DOS. They were the little programs. They had .com extensions. I remember at the time thinking, it might just be rather confusing with the internet coming along because now .com files— My voice hasn't changed. Hasn't broken since.

Carole Theriault

I was gonna say.

Graham Cluley

Listen, I've come to terms with this now, because of course .com executable files aren't really used anymore, because everyone's moved on to Windows and other operating systems, and you know, they've become obsolete. People aren't using DOS any longer. So maybe it's not much of an issue. But there have been other confusions as well. For instance, if you're a Perl developer, you might deal with .pl files.

Mark Stockley

Mm.

Graham Cluley

And .pl is the Polish top-level domain. I think that's right. And, you know, or shellscript.sh, another legitimate domain. So there has been a sort of move to this, but I think going to .zip and .mov websites which move you is still another jump entirely.

Mark Stockley

I've got a bone to pick with you.

Graham Cluley

Okay, go ahead.

Mark Stockley

I want to speak to your proto-nerdy self about these .com.

Graham Cluley

Right, yes.

Mark Stockley

So the .com TLD was actually created on January 1st, 1985.

Graham Cluley

Okay, when was MS-DOS out?

Mark Stockley

Come on. I'm expecting you to know that.

Graham Cluley

Surely it was about '82, wasn't it, the IBM PC? Okay, MS-DOS. First came out?

Carole Theriault

'81.

Graham Cluley

August 1981.

Dave Ahn

Yep.

Graham Cluley

I think you're fined, Mark. I think you're fined.

Mark Stockley

I'll concede if you give me a well, actually.

Graham Cluley

Well, actually. So people are a little bit worried about this. A chap from Citizen Lab told his Twitter followers, just block all .zip domains. Just block them all. Any .zip and .mov domain, just block them all. He said these are going to get used 100% for malware attacks. I don't know if it will be 100%. That seems a little bit excessive.

Mark Stockley

I think mostly right now, most of these domains are probably being purchased by security researchers. Yeah, proving what a stupid idea it was. At the moment, that's about 100%. I don't know. I don't know. I bet people are buying them because they're probably cheap.

Mark Stockley

I'll tell you who isn't buying them.

Graham Cluley

Okay.

Mark Stockley

People who want you to think their website is fast. It's just criminals and cybersecurity researchers. And at the moment, it's mostly cybersecurity researchers.

Graham Cluley

Well, one researcher who's done it is a chap called Mr. Dox. I don't think he's got multiple doctorates. It's D-O-X rather than D-O-C-S. Mr. Dox.

Carole Theriault

Ho ho ho. Thank you. He's shared details of a phishing technique that emulates file archive software. Right.

Graham Cluley

When you search for it, the search results come back by opening the web page if it can't find—

Carole Theriault

Exactly, exactly, exactly, exactly.

Mark Stockley

Doesn't Twitter now also automatically convert anything that ends in .zip into a link? Right. So if you've posted, you know, find the following file and you give the file name of something .zip or .mov, you'll actually have a clickable link to something potentially malicious, which isn't what the people—

Graham Cluley

It's not like Google are going to make oodles and oodles of money out of this, is it? I don't understand why they've done this at all. What was the requirement?

Dave Ahn

And what do you do?

Carole Theriault

What do you do? So let's say, let's say 10,000 people have bought this domain, right? And you're suddenly going, actually, you know what? Graham's right, this is a stupid idea. Let's roll back, let's go back. What do you do for them? You go, look, we're going to offer you Zaz instead. What? What?

Graham Cluley

There did used to be Jazz drives, didn't there? Maybe .jazz. Do you remember?

Mark Stockley

It's an upgrade.

Graham Cluley

Zip drives became Jazz drives. Anyway, I mean, I think maybe you should block access to these things. I can't see any legitimate company is going to require them. So maybe, but what's going to come next? Are they going to do .html domains? How about doing that? Why not? Why not just go for it? Oh, is that your end joke? Why don't they do .fuckyou? Mark, what's your topic for this week?

Mark Stockley

Well, you know I like to start with a question. So I've got a question for you, Carole Theriault. So you're a woman working in tech. Have you ever found yourself working with someone whose unearned confidence was completely disconnected from their actual ability?

Carole Theriault

Hang on. Yes.

Mark Stockley

Perhaps you've met someone who lectured you about a subject that you actually knew more about than them.

Carole Theriault

I got explained.

Graham Cluley

Have you ever come across that?

Carole Theriault

I got explained, yes. I've been explained many times.

Mark Stockley

Anyone you want to mention? Anyone?

Carole Theriault

Nope.

Mark Stockley

Anyone? Anyone on this podcast?

Carole Theriault

No, no, everyone in this podcast are very intelligent, lovely people.

Graham Cluley

Yeah, you've always been wonderful, Mark.

Carole Theriault

Yeah, nice trap, Skirden.

Mark Stockley

Anyway, so that's what my story is about today. It's about the dangers of a brash and overconfident colleague. Now, before I begin, I'm just going to make an apology to any lawyers who are listening. Because I am about to leave the safe confines of cybersecurity just for a minute or two, and I'm going to enter the world of legal machinations. And it's come to my attention that lawyers are very particular about stuff, particularly things like contracts.

Carole Theriault

Get your words right.

Mark Stockley

Yep.

Graham Cluley

I think it's very important that any lawyers listening realize that under the terms and conditions of this podcast, lawyers and members of the legal profession are not allowed to listen to this podcast. Just a safety net for us.

Mark Stockley

I'm sure that's legally watertight. I'm sure there are loads of lawyers listening right now going, "Well, he's got us there. He's absolutely stitched us up. Damn him." Anyway, this concerns a case that went before the Southern District of New York. Started earlier this year. The case was brought by a chap called Roberto Mata. And he claims that he was injured in 2019 by a serving cart on an Avianca Airlines flight. Avianca is Colombia's biggest airline. And it's not hard to believe, for me at least, that he might have been injured by one of those carts.

Graham Cluley

Yeah.

Mark Stockley

Because, I mean—

Graham Cluley

Haven't we all?

Mark Stockley

It's funny, isn't it? Because they move so slowly down the aisle, particularly if you need the toilet. They just roll slowly towards you. And every time, I've nearly lost a foot, I've nearly lost a shoulder, I've nearly lost an elbow.

Graham Cluley

'Cause they have the mass of a neutron star.

Mark Stockley

Yeah.

Carole Theriault

They carry a lot of stuff, you know?

Mark Stockley

7,000 tiny bottles of vodka.

Carole Theriault

Yeah, and dinners.

Graham Cluley

Yeah.

Mark Stockley

Only about 3 dinners. They always run out of the dinners. They never ever run out of alcohol. The number of times I've seen somebody say, 'Oh, can I have the sandwich?' And during the case, Mata's lawyer, a man called Steven Schwartz, is a man who's been licensed to practice law in New York for 3 decades, filed an affidavit in opposition to the defendant's motion to dismiss. So basically, Avianca tried to get the case thrown out. Yeah. And Mata's lawyer wrote a legal document saying, "Nah, no, no, no, don't do that. Don't do that." Right. And in rebutting the motion to dismiss, Schwartz cited 8 different legal cases.

Carole Theriault

Mm-hmm.

Mark Stockley

Because that's what lawyers do.

Graham Cluley

Yeah. Yeah, they say, "This is a precedent here. You can't do this."

Mark Stockley

Now there was just one small problem. Avianca's lawyers read the affidavit, and they went back to the judge, and they said, these cases don't exist.

Graham Cluley

No one expects that people are going to check your references, surely.

Carole Theriault

So these things have reference numbers and stuff and case numbers and all that stuff.

Mark Stockley

Yes, they're always somebody versus somebody and there's a, I don't know the term, there is a code, a docket number or a case number or something like that. And so the judge ordered Schwartz to provide another affidavit annexing copies of the actual judicial opinions. So rather than just saying, a judicial opinion exists, and it's called, you know, somebody versus somebody, Schwartz actually had to provide, here is the text of the legal judgment that we're— of the legal opinion.

Carole Theriault

He's gonna have to find it at the printer.

Graham Cluley

Shouldn't be that hard, should it? Just photocopy it, right? Chuck it in.

Mark Stockley

They're surprisingly short. I think they may be excerpts. But they're the meaty bit. This is the thing that proves our case. And so anyway, so Schwartz did that. In fact, and if you go to the website courtlistener.com, you can actually see these responses. And I read them yesterday. And there are 8 attached judgments, I think, including Varghese versus China Southern Airlines, Shaboon versus EgyptAir, Martinez versus Delta Airlines, and a bunch of others.

Graham Cluley

Oh, these are specifically cases involving trolleys on aeroplanes. This is the little food cart from the service.

Carole Theriault

Yeah, saying this is not the first time. This has happened before.

Mark Stockley

Food carts, famously vicious. I think, and again, I'm going to get in trouble here, but I think what they are is they're cases where the defendant made a motion to dismiss and it was denied. So I think Schwartz is basically saying, no, you need to deny the motion to dismiss because in these other cases, the judge denied a motion to dismiss.

Graham Cluley

Alright, yadda yadda yadda. Okay, yeah, right, okay. Yeah, yeah. Legal stuff.

Mark Stockley

Nothing to do with munching cards.

Graham Cluley

Okay.

Mark Stockley

There was just one small problem. At least 6 of the cases are pure fiction. They never existed. They were, in the words of the judge, bogus judicial decisions with bogus quotes and bogus internal citations. They were completely made up. So understandably, the court then demanded to know why Schwartz shouldn't be sanctioned. They basically say, "Look, you've made up a bunch of stuff."

Carole Theriault

Outrageous.

Mark Stockley

"Why shouldn't we punish you?" "You're making a mockery of this court!" Yes, but this is a legal case. Obviously, the judge wrote that down. And then Schwartz had to then produce a document with numbers in it to explain himself. And he did. He explained what had happened. And he explained in his document that he'd actually been relying on the work of another lawyer.

Graham Cluley

Okay.

Mark Stockley

And it turns out that that lawyer had been doing what every lazy English-speaking student has been doing since November 30th, 2022. And he'd actually used ChatGPT to do his research.

Carole Theriault

You see, the thing I don't get about these flipping cases, right? I get ChatGPT, great, great, great, great, great, great, right? AI, go have fun. Why wouldn't you double-check? If you're a freaking lawyer, right? Why wouldn't you just go and do a rando double-check on one of them? Just say, let's just check this out, let's just see.

Mark Stockley

Well, he's got an answer for that. So according to Schwartz, because again, you know, he had to write this down, he said the citations and opinions in question were provided by ChatGPT, which also provided its legal source and assured the reliability of its content.

Graham Cluley

That's fair enough. So it said this is reliable.

Mark Stockley

And they went, okay.

Graham Cluley

You could actually ask ChatGPT, is this reliable info? Yes, it is. Thank you very much.

Mark Stockley

Actually, that is exactly what he did.

Graham Cluley

Oh, okay.

Carole Theriault

I would forgive an 11-year-old. An 11-year-old going, "Are you lying to me?" And ChatGPT going, "No, it's totally the truth." I would get that they would go for that. But, you know, come on.

Graham Cluley

ChatGPT couldn't have its fingers crossed when it lies. So it would appear plausible and truthful.

Carole Theriault

From what I read, it's not lying, it's helping. It's helping provide information.

Mark Stockley

Yeah, sure, sure, sure. So this is what it actually did. So the document actually contains excerpts. And at one point, Schwartz actually says, "Is Varghese a real case?" He asks ChatGPT. "Yes," says ChatGPT, "it's a real case." "Of course it is." And that is how you check your sources, children. So he also asked ChatGPT if any of the other cases were fake, and it replied that they were all real and that they could be found in reputable legal databases. And then it named the reputable legal databases where they could be found.

Carole Theriault

I wonder if ChatGPT sends sniggers in a way that we don't understand. Like, there may be a little—

Graham Cluley

A digital snigger.

Carole Theriault

Tee-hee-hee. Tee-hee-hee.

Graham Cluley

Oh, see, there you go.

Carole Theriault

ChatGPT, tee-hee-hee-hee.

Graham Cluley

Oh yeah, ChatGPT-hee. Yeah, very good.

Mark Stockley

So anyway, so Schwartz had fallen for what artificial intelligence researchers euphemistically call hallucinations. Which is what AI researchers call it when a large language model just flat out lies.

Carole Theriault

That's unfair, that word. That's very human appropriation there. But anyway, okay.

Graham Cluley

I'm still amused that his Schwartz have fallen.

Carole Theriault

Sorry. I'm not even laughing at that.

Mark Stockley

Carry on. So this isn't even an isolated case. I mean, Schwartz is never going to do this again. For what it's worth as well, I think the judge and everybody involved basically said, okay, well, you acted in good faith. I mean, they didn't say you were dumb, but, you know, that's implied, I think. But he's— I think he's going to be okay. Like, he's not going to do this again, right? He's learned— he's learned a valuable lesson about ChatGPT.

Carole Theriault

You don't think he should be disbarred for this? Like, shouldn't— no, literally going to ChatGPT is like me going to the web and going, hi, how do I make some trousers? And just clicking on the first link and then just following that and then being surprised they're not perfect.

Mark Stockley

Well, I think it makes a difference that he didn't go to ChatGPT and say, "Could you make up some legal cases?" 'Cause he would surely know, as a lawyer, that the other lawyers are gonna check what he'd put in the document. It seems a poor strategy to just make stuff up.

Graham Cluley

Are the other lawyers going to check though, or are the other lawyers just gonna ask ChatGPT?

Carole Theriault

He was trying to cut corners.

Mark Stockley

He was. He said it was very quick. I bet.

Carole Theriault

Then you went out to dinner, had a great time.

Mark Stockley

Making stuff up much quicker than doing the work. Anyway, just yesterday I was reading a Twitter thread by a law professor who was also using ChatGPT to find sources and quotes, and he said it was saving him hours of work. And this is how it sucks you in. He said, so he was thinking, wow, this is fantastic. This is a brilliant research tool. What have we been doing? Then at one point, one of the quotes struck him as odd. He was reading a quote by noted Republican Supreme Court Justice Judge Scalia, and he thought, "That doesn't sound much like something Scalia would say." So he asked ChatGPT, he said, "Can you give me a link to that so I can check the source?" And so ChatGPT did give him a link. It just didn't work. It looked good. It looked like a link that might work, but it didn't work. So then he asked again. And this is charming, ChatGPT apologized. And you see that in the other legal case I was mentioning as well, that it does actually say, "Oh, I'm really sorry. Here's another lie." So anyway, he asked again. ChatGPT apologized and it gave him a link to a news story. And the news story did exist. It was just about something completely unrelated to the thing that he was asking about.

Graham Cluley

What?

Mark Stockley

So then he said, "All right, well, if you can't give me a link to it, just give me the full text of the speech." So ChatGPT did it, just gave him the full text of the speech. It was just the whole thing was completely made up. And that, ladies and gentlemen, is the real risk of AI. I mean, set aside future concerns about whether or not it's gonna keep us as pets, for now—

Carole Theriault

It's made up of all the flipping garbage we've slapped up on the internet for the last 15, 20 years. So yeah.

Graham Cluley

And making up its own garbage, from the sound of things.

Mark Stockley

Yes, it's now generating garbage that future versions of ChatGPT will eat.

Carole Theriault

Yep.

Mark Stockley

In order to generate further garbage.

Carole Theriault

More concentrated garbage.

Mark Stockley

As time goes on, the proportion of ChatGPT garbage in its own diet is only gonna go up.

Carole Theriault

Thanks.

Graham Cluley

Thanks, Mark.

Mark Stockley

Cheery. Good.

Carole Theriault

No, no, it's okay.

Mark Stockley

I'm here to bring some sunshine into your life.

Graham Cluley

Carole, what have you got for us this week?

Carole Theriault

Well, I have two teenage boys, longtime pals, these two, okay? Into football, electric vehicles, you know, live in the little suburb outside Cardiff in Wales, about 5 miles from the center of town. Not deluxe suburb. So the town's called Ely. I don't know how to say it actually, guys. E-L-Y.

Graham Cluley

Oh, E-L-Y. Could be Eely, could be Ellie.

Carole Theriault

Yeah.

Graham Cluley

Hang on, it's in Wales, isn't it? It could be anything.

Carole Theriault

I'm going to say Eely. I'm just going to say Eely.

Graham Cluley

Okay. Apologies, Welsh people.

Mark Stockley

I'm going to ask ChatGPT.

Carole Theriault

So this isn't a deluxe suburb. This is known as Ely, if I'm pronouncing it correctly, I hope. And the area, someone said it has a lot of deprivation, but also a very warm community. That's how it's been described. So it's late spring afternoon last Monday, just before 6:00 PM. And one of the boys just had a haircut, bite to eat, and went outside and met his friend and started messing around on an electric bike. Not just your e-bike here. This is a Sur-Ron electric motorcycle. And it was a recent birthday present. And one of them's driving, the other one's holding on perched on the back. But something goes wrong and there's a crash. And both boys, just 15 and 16, die as a result of this crash. And it happened in their neighborhood, almost basically right near their house. So within minutes of this happening, the crash is reported to the cops and there's a police vehicle and they respond. And officers reported that they started doing CPR upon arriving at the scene. But to no avail. Now, obviously, this is a pretty harrowing scene. You have two neighborhood boys who've been laughing and mucking about just 10 minutes ago. Crash is loud. People hear it, come out to see what's happened, right? I mean, parents and neighborhood friends, they all come out to see what's going on. It's a community's worst nightmare. I can't think of anything much worse. And for the cops, it's got to be a nightmare too, right? I mean, these are kids. And there's probably a bunch of protocols that you've got to follow when something happens. And they know it's community's worst nightmare. So you've got a lot of tension going on. So the problem is this, a riot ensued until 3:00 AM the following morning. And the BBC reported that cars were set alight, fireworks were thrown at police as 100 to 150 people gathered in Ely on Monday night. Missiles were aimed at officers. 15 officers were injured, though none of the injuries were life-threatening. 
A local resident said he'd heard threats from rioters saying kill police officers at the scene. Quote, they said they would not stop until they killed a police officer, unquote. Around 8 o'clock that night, police tweet, right? They say they're still at the scene of the collision, but they're also working to de-escalate the ongoing disorder. It was even reported that one person was attacked because rioters thought they were an undercover officer, according to an officer at the scene. So just chaos.

Graham Cluley

Yeah, sounds like it's completely out of control.

Carole Theriault

It's completely out of control. And so the question is what kicked this off? Well, from my reading, this is what I've got, right? So one, it could have been how the cops handled the situation upon arriving at the scene, because according to reports, they wouldn't allow the parents to see their kids. You know, perhaps they are trying to preserve the scene to ensure there is no malicious intent or third-party involvement or anything. But according to some reports, the cops didn't handle the growing crowds with maybe compassion. And considering they were looking at their own kids lying dead, or their neighbor's kids on the road, that must be a hugely difficult situation.

Graham Cluley

It must be. But at the same time, if you're trying to save someone's life you don't necessarily want the relatives all around, do you? Possibly making the situation more complicated, or they might be fainting, or that, you know.

Dave Ahn

Totally.

Carole Theriault

If you're in a hospital, I understand. I understand. Absolutely, absolutely. So you can just see, it's just very—

Graham Cluley

It's not easy for the police, is all I'm saying from that point of view. Is that—

Carole Theriault

I agree.

Mark Stockley

It's one of those situations that pops up from time to time where you can put yourself in anybody's shoes in that scenario, and everybody can be acting in good faith and what they think are the best interests of the children. You can still come to — I was going to say disagreement, but clearly it was escalated beyond that — but you can end up with very, very different answers to the same question by being in different people's shoes.

Carole Theriault

But you can even feel the feeling here. This is a quote of someone, an onlooker: "They wouldn't let the parents do nothing. It was disgusting how they treated them. And they made them walk home and give them the news in the house. Didn't give them any sort of news at the scene. They were there for hours waiting and waiting, and they wouldn't let them through to see if their son was okay. It was really, really bad." Jane said she and her family had watched from their window as rioters set fire to her car. And she's saying "I'm disabled, so now I'm trapped without a car." So this is a video, and it's very short. The video basically was reportedly taken at a house where a relative of one of the boys lives. And it shows a bike traveling along Frank Road in Ely at 5:59 PM on Monday, the night of the fatal accident. And it's less than 1 mile from the suspected crash site. You see this bike go by, and there's 2 boys on the bike, and then you see a police van about 15 meters behind it.

Graham Cluley

Yeah, I've seen this video. It kind of zips past the house, doesn't it? And I don't know if it's a security camera from the house or whether it's someone actually recording from inside the house — I wasn't clear about that. But it appears that the police van is in pursuit of these two kids on their e-bike.

Carole Theriault

Exactly. If I'd seen that, I'd be thinking okay, so these kids are having fun, whatever, and they've pissed off the cops somehow, and they're trying to bring them to an arrest, perhaps. And then suddenly—

Mark Stockley

Fifteen meters is very close.

Carole Theriault

Yeah, fifteen meters, sorry. But still super close. And then you hear the crash in the video — you hear this thing happen. But here's the weird thing: police officers say that none of their vehicles were on Snowden Road when the crash happened. "The investigation has involved studying CCTV and tracking data from the police vehicle. And at this stage, we do not believe that any other vehicle was involved in the crash."

Graham Cluley

The news story I read said that the video was taken maybe in the street where they lived or something, and the crash was a few streets away when the police claimed they were no longer in pursuit of the vehicle, of this £5,000 e-bike which the kids were on. So it is possible maybe the kids on the bike lost the police who were chasing them and the police went the wrong way or something. And then they came a cropper.

Carole Theriault

Yeah, there's so much involved. So the South Wales Police and Crime Commissioner said it appeared that incorrect rumors on social media that a police pursuit had led to the crash that killed the teenagers were wrong. So they're saying that never happened. And they say, quote, it appears there were rumors and those rumors became rife of a police chase, which wasn't the case. This is from the crime commissioner. I think it illustrates the speed which rumors can go around with the activity that goes on social media these days and how things can get out of hand. So he's saying the riot was a result of false information traveling on socials.

Graham Cluley

I think what the police are saying is that their data shows that the cyclist took a shortcut, which the police were unable to follow them down or had lost them by that point. So they ended up at the time of the crash, which was at 6:03 or something, they were some distance away from the kids who were having the crash. Although initially the problem was that initially the police said there wasn't any pursuit at all.

Carole Theriault

Exactly.

Graham Cluley

They gave that suggestion, but when the video emerged, they then went, well, maybe we had been, but we weren't at the time of the crash. So the crash took place a few minutes later.

Carole Theriault

But all this does not— so there's confusion that's come up. So it makes sense to me, if you were already in a place where you don't trust cops, right? You're in a community where there's distrust between cops, for instance, that may be existing in this place, and your initial reaction is to deny it and then admit it, I'm worried that it only served to inflame the situation.

Mark Stockley

And I think one of the things that social media has given us is there is so much information on so many things all of the time that it's very, very difficult to deal with people and things in their entirety. And so, I think one of the most pernicious effects is that we now have a way of looking at organizations as if they are monolithic, as if they are individuals, and that they have perfect recall and perfect lines of instant communication. So, we have all worked in organizations. I mean, I've worked in an organization of two and had problems with miscommunication. It happens as soon as there's more than one of you. And if you're in a large organization, it's not at all outlandish to suggest that one part of the organization might say something, believing it to be true, and it later turns out that it's not true, particularly when you're in a highly emotive, fast-moving situation.

Graham Cluley

Let's not forget at 10 Downing Street when we had senior politicians dealing with the COVID epidemic and plenty of people accused them of having parties and breaking swings and bringing alcohol to karaoke machines.

Mark Stockley

This is the other side of it.

Graham Cluley

Other people had a completely different impression of what was going on. I mean, they were doing important essential work and some people thought this was a problem.

Carole Theriault

I wonder whether this situation may be more about how the cops arriving at the scene may have handled family members and onlookers as they arrive. It's obviously a super stressful situation, but surely dealing with that kind of immediate shock and grief should be in police training, right? To be able to do it in a way that somehow de-escalates intense feelings of hate.

Mark Stockley

I don't know enough about police training to comment on whether or not they include that kind of thing or not.

Carole Theriault

Yeah, no, me neither.

Dave Ahn

Fair.

Mark Stockley

But I do feel sorry for, whatever training you have, you then have to map it to a real-world situation, and you can't train for every possible scenario. And if you're a police officer, then you're training for scenarios where you turn up and somebody might be trying to kill you, or somebody's having a mental health crisis, or somebody's had a terrible accident. And there will never be enough training, so you will always have people in a situation where they are trying to extrapolate from the training they have to the situation that's in front of them. Now, maybe they turned up and they did a terrible job. Maybe they turned up and they did a decent job, but it wasn't to the satisfaction of the people around them. If I was in that crowd, if my children were involved in an accident, nothing would be getting between me and my children. I imagine that any parent in that crowd would feel the same way. So to me, it just sounds like a flashpoint that you have all the ingredients for something to kick off. You know, bad things can happen to good people, unfortunately.

Carole Theriault

100%. And the two other main takeaways here are from that, the kids were not wearing helmets on the bike according to reports and according to the visual I saw. So please always wear a helmet. And two, I was thanking God that guns are illegal in the UK. Because after watching this, I don't know what would have happened in a place where guns were allowed. No one died in the riot that ensued.

Graham Cluley

So Carole, I hope you haven't inflamed any of our listenership by bringing the gun debate into this.

Carole Theriault

Of course I haven't. They're just rolling their eyes and going, she knows nothing. Smashing Security is brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity. The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every known cyber threat. Now available as a cloud-based deployment, Centripetal's Clean Internet service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS Clean Internet Cloud protects your enterprise, whether on-premise, remote, or in the cloud, removing the need for a more costly cybersecurity infrastructure. Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show.

Graham Cluley

Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log in to your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in Zero Trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.

Carole Theriault

Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. Easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.

Graham Cluley

And welcome back. Can you join us? Our favourite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Mark Stockley

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my pick of the week this week is not security related. My pick of the week this week was recommended to me by an avid listener to the podcast who said, "Have you seen this show on Netflix? It's called Black Butterflies. You might like it." And it is called Black Butterflies, or in the original French, Les Papillons Noirs. And let me give you the central premise. There is a novelist with writer's block. He is invited to visit a dying man who wants his memoirs ghostwritten, and he begins to tell this writer the story of his life. And it starts off as a lovely sort of romance between this old man when he was young and the love of his life and their career around the French Riviera in the 1970s. And then it begins to turn rapidly into a tale of rather twisted serial killing. And most of the show is taking place in different timelines, two different timelines, '70s and the present day. But you never feel lost. It's very well done. It's a psychological thriller. It's definitely not for kids, so there are some very graphic scenes, but I have to say, it was brilliant. Really well acted, lots of surprising twists, great music.

Carole Theriault

I'm sure I've seen this. Is this old?

Graham Cluley

This is old. I think it may have come out last year. I mean, you may be more up to date on the Netflix shows than me. So, it's very imaginative cinematographically. And it kept me gripped until the end because there's lots of twists. And I thought it was rather good. It's definitely— can I underline again? It's not for kids. The person who recommended it to me told me that their son walked in while they were watching it and they had some difficult explaining to do as to what on earth they were watching. So be careful. Don't watch it with kids.

Mark Stockley

Even though it's about butterflies.

Graham Cluley

Black Butterflies.

Carole Theriault

I watched this with John. I'm sure we did watch it, but I can't remember.

Graham Cluley

It seems like the kind of thing you would have watched, Carole. Yeah, I can believe it. Anyway, I would really recommend it. So go and check it out. You can either watch it dubbed or with subtitles depending on your particular persuasion. I greatly enjoyed it. So that is my pick of the week. Mark, what's your pick of the week?

Mark Stockley

So you know that I come on here, and normally my Pick of the Week has some sort of environmental theme. Ocean cleanup, I think I did trees once. Soil. Nature. Soil, yeah. Generally sort of climate apocalypse. Wouldn't it be great if we didn't all die and burn to death? Chickens.

Graham Cluley

Things about chickens.

Mark Stockley

You're quite keen on chickens. My book today is not about that. Well, I have discovered an entirely different form of apocalypse to worry about. And so my pick of the week today is about that. And it's a book, it's called The End of the World is Just the Beginning: Mapping the Collapse of Global Civilization. And it's by Peter Zeihan. Peter Zeihan does fantastic YouTube videos. If you want a sort of intro, he releases one a day, they're about 5 minutes long, go look for him. Fascinating stuff. And he is a geopolitical strategist. But his real thing is demographics. So his shtick is all about the demographics of the world and how the demographics, essentially global demographics, are going to change the way the world is made up over the course of the next 20 years. So according to him, we're in a very interesting situation at the moment whereby birth rates across the world have collapsed. So broadly speaking, the earlier you industrialize, the slower your birth rate collapses. And the quicker you industrialize, the quicker your birth rate collapses. Because when you industrialize, when you have an agrarian economy, you generally have as many children as you can because children are free labor. And then when you move into an urban environment, you have many, many fewer children because children are incredibly expensive until they leave home in an urban setting. And also you get things like Social Security coming. You don't need children to look after you in old age. So the net result is always a reduction in birth rates. And what's happened is that the countries, the UK, which industrialized first, its birth rate has been declining very, very slowly. And countries that industrialized after, say, World War II, South Korea, their birth rate has been collapsing very, very quickly. And what's happened is that everybody's birth rate has synchronized at a point where right now, the largest generation is about to tick over into retirement. 
And that has all sorts of effects on things like global capital and employment, because you think, well, suddenly you're going from a situation where you have a large, knowledgeable workforce with lots of capital to spend on things to a large group of retirees who want to hold on to their money being supported by a much, much smaller group of employees. And that small group of employees is being followed by an even smaller group. Each generation has had fewer children. So, you know, you get a small generation, it has a small generation of children. And so we are just now tipping over into this very interesting world. And his conjecture is that that is going to have all kinds of very, very dramatic effects. And the TL;DR is, unless you live in the US, Argentina or France or one of a very small number of other countries, it's going to be a very rough couple of decades.

Graham Cluley

Oh great, sounds an interesting book, Mark. Are there any jokes in it at all? Any jokes?

Mark Stockley

Yeah, there is no good news in this book at all. Oh no! Literally none.

Graham Cluley

I'm very sorry, but it's just a—

Carole Theriault

Thanks for bringing it to our attention. It's a shit show. Thanks!

Graham Cluley

Maybe next time we'll have the chicken in the soil and the cleaning up the oceans.

Dave Ahn

What's the name of the book again?

Mark Stockley

It's called The End of the World Is Just the Beginning.

Graham Cluley

By Peter Zeihan. Thank you very much. Carole, what's your Pick of the Week?

Carole Theriault

Well, I'll bring us out of the doldrums. Do either of you know what a proven hangover cure is?

Graham Cluley

Yes. What? Not drinking.

Carole Theriault

Not drinking.

Graham Cluley

I've been doing it 50 years.

Carole Theriault

Yeah, yes, that's very good. Boom, boom. Okay, if you were to perhaps imbibe—

Graham Cluley

Is it a lobotomy? Is it death?

Carole Theriault

Okay, so the answer— When you don't know, Cluley, it's really easy. You just say no. Oh, okay. No, I don't know.

Mark Stockley

I can tell you what it isn't. It isn't trying to watch the Wimbledon final on TV. I've tried that tip. Really doesn't help.

Carole Theriault

What about flossing and brushing? Is that good for your teeth?

Graham Cluley

Oh, it's meant to be good for everything, isn't it? Having a good floss.

Carole Theriault

Oh, interesting. And what about anti-aging creams? Do they really work?

Graham Cluley

Just look at us, Carole. I think that tells you everything.

Carole Theriault

See, these are interesting questions. You can discover all these answers and tidbits on a podcast called Science Versus. It's from Gimlet Media and a show hosted by Wendy Zuckerman, who has the most charming Australian accent to my mind. She's super bubbly, funny, and smart.

Graham Cluley

Hmm, how do they find out these answers? Do they go to ChatGPT by any chance and ask it these questions?

Carole Theriault

No, no, they take on fads and trends, opinions and stuff, and then they find out what's real and what's maybe somewhere in between. It's friendly fact-checkers is what they call themselves, and I think that's a fair statement. That's quite cute. So, for example, when they go for hangover cures, they talk to loads of experts, and the end result of that was basically eat a huge meal before you start drinking. And flossing and brushing, not necessarily good for your teeth. Fluoride is good for your teeth. Fluoride is the only thing that protects your teeth. Everything else is good for your gums, which are obviously important.

Graham Cluley

Trick question, right?

Carole Theriault

A bit of a trick question, I agree. And anti-aging creams is really interesting because a lot of it is because the molecules inside the creams are too big because they're not fat-based, they're water-based. So they don't go into your skin at all. The only one that can is retinol, and you need to get it by prescription to have any effect at all. So this is the kind of stuff I've learned. You may agree, disagree. I loved it.

Mark Stockley

Are you saying that those graphics on the skincare adverts where they have pink blobs crossing the skin barrier and info, are you saying that that isn't strictly accurate?

Carole Theriault

They actually did a test because they said, well, how do they get these results on these makeup ads, you know, these kind of things. So they just made up some of their own concoction, sent it off for $1,000 to get tested, and it came back saying, "Amazing, 100%, works like a charm, amazing, amazing." So they just go in to maybe show how things may not be as you think.

Graham Cluley

So we could set up an aging cream testing organization. They could send it to us, give us $1,000, and we say, "Yes, brilliant, I look gorgeous." Yes, if you want to be a schmuck.

Carole Theriault

It's exactly what we would do.

Mark Stockley

Would you like to know what ChatGPT thinks you can do about a hangover? Oh, come on, please. Because while we were talking, I asked what's a good hangover cure? And have you ever used ChatGPT? Because you'll know it does like to give wordy answers. So anyway, several strategies can alleviate the symptoms. No magical cure. Anyway, there's a list of 8 things: hydration, rest, nutritious food—I think you mentioned that one—electrolytes, ginger and peppermint can alleviate nausea and soothe an upset stomach, apparently, according to ChatGPT. Pain relievers—genius, oh that is clever—light exercise, and here's the kicker: avoid caffeine. Well, so this is essentially basically what's happened here is ChatGPT has just watched me on a Sunday morning when I was at college and turn off Wimbledon.

Carole Theriault

You know, the podcast Science vs. has changed its name to Science vs. ChatGPT. They've got a whole new show there. It's a great show, check it out. It's fun and it has a bit of a light-hearted feel, but you know, you come away with a few little cute tidbits. So Science vs., find it wherever you get your podcasts—that's my pick.

Graham Cluley

Thank you very much, Carole. Now, you've had a very busy week this week—you've been chatting to our friends at Centripetal.

Carole Theriault

Yes, I chatted with Dave Ahn, and we talk about the cloud and how it revolutionized how we work, but it also has changed how the attackers come and find us. Take a listen. Well, listeners, we have the pleasure of chatting with Centripetal's chief architect, David Ahn. Centripetal focuses on threat prevention using real-time intelligence with automated enforcement, and today we are talking to the guy who builds and ships this stuff. Thank you so much for coming on and taking the time to speak with us today, Dave.

Dave Ahn

Wow, Carole, what an intro. Thank you so much—it's a pleasure to be here.

Carole Theriault

Well, it gets worse because you, out of all the job titles that I know in the tech sector, my favorite one is Chief Architect because it's got gravitas, right? It's serious. And I'd love to know about some of your responsibilities, but maybe you could first tell us: how did you end up at Centripetal as their chief architect?

Dave Ahn

So the journey actually started quite a while ago. I actually started a number of startups, so I innovate a lot of technology around healthcare and cybersecurity and computer algorithms and things like that. And one of the companies that I helped to start was a cybersecurity company, and we developed this amazing filtering technology. And that technology was great, but there wasn't a strong product synergy around it. And so when I met with Stephen Rogers, Centripetal CEO at the time, he really put forth his vision of putting intelligence as a driving force around cybersecurity. And Centripetal needed a capability to do that enforcement, and so it was a great marriage in terms of technology in two different companies. And so I came to Centripetal in the very beginning as part of an acquisition, and I stayed through to really commercialize that technology and bring it to the product that it is today. So it's been an amazing journey.

Carole Theriault

Yeah, it sounds like a marriage made in heaven. Tell me, so tell me, do you spend your day in meetings, or do you have other responsibilities other than guiding and helping everyone do their jobs?

Dave Ahn

Well, yes, there are lots of meetings. But I run one of the divisions here at Centripetal, Intelligence Services. And so my group is responsible for really identifying that intelligence, kind of figuring out what to do, and helping to ingest it and produce really actionable portions of it for the rest of our products. So that's a big area around data, data science, analytics, and so forth, informatics. And then kind of mapping that into how do you design systems — there are many different systems, systems that make the solution possible. And so I help to lead with a lot of my colleagues who are leaders in this space to build an end-to-end solution. It's very challenging, very diverse, lots of exposure. And you're probably right, lots of meetings.

Carole Theriault

But it must have changed a lot over the years because most businesses today, from the tiny ones to midsize to the massive, massive internationals, they're all reliant on cloud to function. Can I say even function today? Is that fair? I think that's fair.

Dave Ahn

I mean, it's just so ingrained and kind of permeating through all of IT and technology today. So I think you're right.

Carole Theriault

I would say that the shift must also — it changes how organizations have to operate, obviously, but it must also change how the malicious hacker approaches a target.

Dave Ahn

Oh, absolutely. So cloud technologies and platforms and services have just been so transformative. I mean, it's well over a decade old now in terms of the beginnings. But it's just in the last maybe decade or so where it just has gotten so much adoption. I think it's gotten really mature. So if you think about how even that coffee shop to a larger enterprise where they can really shift the burden of managing hardware, data centers, maybe infrastructure software, and focusing on how do they deliver solutions, how do they create product, or how do they solve internal challenges. And they're able to do this through the cloud because the cloud makes these computing resources so accessible and also scalable, right? I mean, you don't have to worry about patching OSs or patching this or that and figuring out how to deploy and setting up data centers and things like that. It is transformative. And all it takes is an individual with a credit card to stand up a website or put up a video or anything like that. And it's just amazing in terms of accessibility of technology to enterprises. And that in and of itself, of course, that power ends up being accessible to all the malicious actors and the complexity around that. And there are cloud providers who may be a bit more accommodating or maybe tolerant of malicious activity in certain areas of the world. But having said that, most of these cloud services are meant to be accessible. I mean, as I mentioned, all you need is a credit card, and a lot of times for free accounts. And certainly, they're very cheap. So when you think about these malicious actors, they're becoming more sophisticated. So they know how to write programs. They know how to modify malware. They know how to carry out campaigns and social engineering and so forth. And so they're adapting to the fact that because so many organizations are adopting cloud infrastructure, then that's where the value is, that's where the opportunity is. Because if all the data is in the cloud, if all the services are in the cloud, then that's where they need to attack to get the most, let's say, return for their efforts.

Carole Theriault

Yeah, good old ROI. So, okay, how has this changed things for you from the security side, because of course, you as Centripetal's chief architect had to adapt in order to properly protect organizations. So, can you talk a little bit about how you guys approach security in this new world?

Dave Ahn

Yeah, absolutely. So, I think one of the biggest challenges for organizations around cloud security is just difficulty in visibility and difficulty in understanding. So, it's not that there isn't understanding, it's just that if you think about roles or access controls or things like that, it's very easy to say, well, you've got to put those controls in. However, when you have hundreds to thousands of options and it just gets explosively combinatoric when it comes to the infrastructure, the virtualization, the containers, and the software, the gazillions of things that are running in the cloud, then it's so difficult for normal organizations or typical organizations to get a handle on what the repercussions are, right? So if they have a setting in terms of user access or application access, what does that really mean throughout the cloud infrastructure? Because everything is being managed by these cloud providers, and therefore, there isn't as much visibility understanding. And so to attack this problem, I mean, in cybersecurity, it's a big challenge. I mean, if you look at all the breaches, a lot of the breaches that have occurred in recent years, so many of them have some sort of cloud component to it. And it just lends itself to the gaps in knowledge and gaps in visibility and gaps in control that exist that are really hard to fill. And so it's a challenge for us in cybersecurity.

Carole Theriault

Yeah, because, you know, I used to work at a technology firm and even back then, this is basically pre-cloud days, but the tech staff were overburdened with servers going down or machine equipment going down and now that's not the problem so much. There's just so many accounts and so many ways for people to access data. How does someone responsible for allowing network access and information access not feel overburdened? I think that's a key problem.

Dave Ahn

It's just overburdening of that information overload or complexity overload. And so there are tools that have kind of started to fill this niche over the years where they give you observability, telemetry and these kind of things. And one of the challenges I see with a lot of these products is that sometimes they actually end up producing even more work, right? So they give you unbelievable visibility into every activity that's happening across the entire cloud infrastructure for a customer, right? And now we're talking about unbelievable amounts of log data, how do you interpret it, and how do you do audits, and how do you do an analysis of all this data? And so this is where a lot of— of course, in recent months, there's been this trend around leveraging AI and automation and these advanced techniques to kind of manage the interpretation of that volume. But that doesn't take away the fact that there is that volume. So it is a significant challenge. And I hope that even cloud providers and cybersecurity vendors are kind of stepping— are able to step up to the plate and make those cybersecurity controls a little bit more easier to understand and easier to manage. I mean, let's not place the burden on the enterprise, that poor person who's dealing with so much of the data.

Carole Theriault

So how do you guys do that at Centripetal?

Dave Ahn

How do you guys manage that? So we've taken the approach that sometimes information should just be interpreted by those with that knowledge, right? So instead of attacking this from the angle of let's give another tool, let's give more information, let's give more capacity, and then saying, well, you enterprise, you need to go figure out how to use this tool, have to figure out how to choose the data and how to interpret it and how to analyze it and then figure out the reporting aspects of it. And instead, we bring that as a service. And I think you've seen this a lot in the industry with maybe the growth of the managed security service providers where they're bringing in that expertise to fill that gap. So at Centripetal, we're working towards that where we're bringing in the intelligence, we're bringing in the enforcement capability, and we're bringing in the analysts who can help to interpret and really shift that burden away from the customer.

Carole Theriault

And the whole plus side of it is you get some— you're using real-time intelligence to block unwanted traffic before it gets to the network? I mean, that's the endgame, right?

Dave Ahn

Oh, that is the endgame. So if you think about intelligence, it tells you what all those malicious actors— where they are, what infrastructure they're using, what methodologies that they are leveraging. And today, these malicious campaigns are becoming so much faster. So as I mentioned before, we talked about before, they're leveraging cloud infrastructure and they're automating and they're able to carry out these attacks in a matter of minutes to an hour, you know, or so. And so when that happens, then, you know, if you have this information, but you don't have it at the moment that you need it, which is maybe right now when you're under attack or 15 minutes from now when you're getting scanned, then that intelligence doesn't do you any good. So whether it's Centripetal or others, this concept of leveraging that intelligence as soon as you can, as real time as you can, that is really the differentiator in terms of elevating the security posture.

Carole Theriault

It makes perfect sense. Is there anything you'd like to add?

Dave Ahn

I really encourage everyone to take a proactive stance. And I understand that a lot of the time, there's just so much technology and so many products and solutions. And everybody is saying that they can solve the problem. But I encourage everyone to look at it from the perspective of, what are my pain points? What can I do proactively to help reduce the work that I have to do? Because if you don't reduce that workload, then all the security in the world may be producing all those alerts and things like that, but it doesn't help you when you don't see it in front of you, and it's not helping you to actually protect your enterprise.

Carole Theriault

I think that's such a good point. And I think actually being able to identify your pain points is key because the security market now is a bit like walking into Walmart and there's only cola on sale, and you're walking down these aisles going, I don't know which one. So if you know exactly what you want, it helps narrow the field.

Dave Ahn

Yeah, I absolutely agree. I think you have to start with owning that cybersecurity a little bit and saying, all right, these are my pain points, and just be objective about how difficult it is because it is. It's difficult. And what can you do? The maximum return for the steps that you take forward. I think that's the only practical way to really go about doing this.

Carole Theriault

Well, I think a very good step for our listeners is to check out Centripetal's webpage, which we have linked, because you can learn much more about their technology and services. And you can do that by visiting smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L. That's smashingsecurity.com/centripetal. And huge thank you, David Ahn, Centripetal's chief architect, for coming on the show.

Dave Ahn

Thank you so much. It's been a pleasure.

Carole Theriault

Yeah, have a good day. Not too many meetings, I hope.

Graham Cluley

Fascinating stuff. Well, that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would love to follow you online and find out what you're ranting about. What is the best way for folks to do that?

Mark Stockley

Well, you can find me @MarkStockley on Twitter. You can also find me @InternetOfHens on Twitter if you prefer the sort of trees and general apocalypse preparation type stuff.

Graham Cluley

Fantastic. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't have a G. We also have a Mastodon account. Find us at smashingsecurity.com/mastodon and make sure never to miss another episode. Follow Smashing Security on your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.

Carole Theriault

And massive shout out to this episode's sponsors, Kolide, Centripetal, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 323 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye.

Mark Stockley

Bye-bye.

Carole Theriault

We dealt with some pretty serious issues this week.

Graham Cluley

Bloody hell, did we? Yeah, I know.

Carole Theriault

Goodness. But, you know, shit happens.

Graham Cluley

Well, yes. I know.

Carole Theriault

Sometimes we gotta talk about it. Thank God we have you to just bring a bit of lightness to our life.

Graham Cluley

That's what my purpose is really, isn't it? To bring a little bit of joy in this miserable world.

Mark Stockley

On this miserable podcast.

Graham Cluley

Miserable world. Thank you very much, Mark.

Carole Theriault

Thank you, Mark. You're welcome. It was lovely. Look after yourself.

Mark Stockley

Thank you very much. And you.

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Centripetal – Centripetal’s CleanINTERNET defends your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
